SecurityWeek


Data Center Security Challenged by Configuration Issues

SAN FRANCISCO – RSA CONFERENCE 2014 – Not all security problems are caused by zero-day vulnerabilities; some are created accidentally.


Data centers are not immune to this reality. According to Michael Cotton, chief security architect at Digital Defense, common configuration and network architecture issues not normally viewed as problematic could be abused by a skilled attacker to wreak havoc. He presented his findings on the issue at the RSA conference this week in San Francisco.

“I [highlighted] a few different vectors; one is the use of reconfiguration of MAC addresses to bring rogue interfaces live onto a management segment, and the ability to extract segment passwords from some central management software through the use of a fake baseboard interface,” explained Cotton. “Attackers can then use the same mechanisms that datacenter operators use to quickly re-provision and reinstall systems through baseboard control to instead shut down and backdoor existing operating systems through offline modification of their hard drive partitions.”

Data centers, he added, are somewhat unique in that they have a “blessed” remote-access side channel that comes standard on all rackmount hardware, known as the ‘out-of-band management agent’ or ‘baseboard management controller’ (BMC). This controller handles the tasks that would otherwise require physical access to a device and gives data center operators a failsafe way to manage nodes regardless of what is going on with the primary operating system. Because it sits below the host, it is not limited by the security controls in place on the host operating system.

“These baseboards are typically placed on a special network segment known as the management network; so long as the integrity of the management network and its associated access control are maintained, everything is great and working as intended,” he said.

But when those controls break down, problems ensue.

“The main takeaway for data center security is to focus on locking down management network borders and shared-NIC VLAN pivot points with the same intensive focus that operators put into locking down external network boundaries,” he said. “The reason this intensive focus is necessary is the management network not only has the ability to re-provision associated systems but to potentially backdoor them as well.”

Many hardware vendors have dropped the dedicated management NIC as an option on low-to-mid range hardware, he added, because many datacenter operators now connect all networking to the same physical segments and rely on VLAN tagging to decide which interfaces talk on which logical segment. On such hardware the baseboard shares a physical port with the host, and it is not uncommon, he said, for organizations to be careless with these shared NIC interfaces, so that a misconfigured baseboard ends up live on a network segment it should not be talking on.


“This means you can end up with ‘wrong-subnet’ or ‘cloaked’ IP addresses which grant administrative access to machines through the baseboard but will not be detected during normal network audit procedures, which only focus on auditing valid IP addresses,” he told SecurityWeek.

He recommended that organizations be diligent about ensuring that shared NIC interfaces either have their baseboard NIC completely disabled or have it talking on a separate VLAN segment from the main NIC.
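The two checks the preceding paragraphs call for can be scripted. The following is an added example, not code from the article or from Digital Defense: it parses the output of `ipmitool lan print` (the sample text below is constructed, with the field names ipmitool uses but made-up values) to see whether a shared-NIC baseboard is untagged, tagged onto the host's own VLAN, or addressed inside the production subnet, and then compares a constructed address sweep of that segment against the inventory a routine audit walks, to surface the ‘cloaked’ baseboard addresses the audit would never visit. The host record format, the management VLAN number, and all names, addresses and MACs are assumptions.

```python
"""Audit a shared-NIC baseboard for the two misconfigurations discussed above:
the BMC riding the host's VLAN, and a 'cloaked' BMC address that answers on a
segment but is absent from the IP inventory a normal audit iterates over.
Added example; all input data is constructed and the inventory layout is
hypothetical."""
import ipaddress
import re

# Constructed stand-in for `ipmitool lan print 1` on one host's BMC.
# Field names follow ipmitool's text output; the values are invented.
IPMITOOL_LAN_PRINT = """\
Set in Progress         : Set Complete
IP Address Source       : Static Address
IP Address              : 10.10.20.51
Subnet Mask             : 255.255.255.0
MAC Address             : 00:25:90:ab:cd:02
802.1q VLAN ID          : Disabled
802.1q VLAN Priority    : 0
"""


def parse_lan_print(text):
    """Turn ipmitool's 'Key : Value' lines into a dict (first colon splits)."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s*:\s*(.*)$", line)
        if m:
            cfg[m.group(1)] = m.group(2).strip()
    return cfg


def bmc_vlan(cfg):
    """VLAN ID as int, or None when 802.1q tagging is disabled on the BMC."""
    raw = cfg.get("802.1q VLAN ID", "Disabled")
    return None if raw.lower() == "disabled" else int(raw)


# Hypothetical inventory record: what the host's production NIC is supposed
# to be doing, and whether the BMC's LAN channel shares that physical port.
HOST = {
    "name": "db01",
    "host_ip": "10.10.20.50",
    "host_vlan": 20,
    "host_subnet": "10.10.20.0/24",
    "shared_nic": True,          # no dedicated BMC port on this chassis
}
MGMT_VLAN = 900                  # assumed VLAN where baseboards should live


def check_shared_nic(host, bmc_cfg, mgmt_vlan=MGMT_VLAN):
    """Findings for one host: is the baseboard talking on the host's segment?"""
    findings = []
    if not host["shared_nic"]:
        return findings          # dedicated management port: out of scope here
    vlan = bmc_vlan(bmc_cfg)
    if vlan is None:
        findings.append("bmc untagged: frames land on the port's native VLAN")
    elif vlan == host["host_vlan"]:
        findings.append(f"bmc tagged VLAN {vlan}, same as host VLAN")
    elif vlan != mgmt_vlan:
        findings.append(f"bmc on VLAN {vlan}, expected management VLAN {mgmt_vlan}")
    bmc_ip = ipaddress.ip_address(bmc_cfg["IP Address"])
    if bmc_ip in ipaddress.ip_network(host["host_subnet"]):
        findings.append(
            f"bmc address {bmc_ip} inside production subnet {host['host_subnet']}")
    return findings


# Constructed sweep of VLAN 20 (e.g. the ARP table after a broadcast ping)
# versus the address list a routine audit would walk for that segment.
OBSERVED_VLAN20 = [("10.10.20.1", "00:1c:73:00:00:01"),
                   ("10.10.20.50", "00:25:90:ab:cd:01"),
                   ("10.10.20.51", "00:25:90:ab:cd:02")]
INVENTORY_VLAN20 = {"10.10.20.1", "10.10.20.50"}
KNOWN_BMC_MACS = {"00:25:90:ab:cd:02"}   # taken from the BMC's own lan print


def cloaked_addresses(observed, inventory, bmc_macs):
    """Addresses answering on the segment that the audit would never visit,
    tagged with whether the MAC belongs to a known baseboard."""
    return [(ip, mac, mac in bmc_macs)
            for ip, mac in observed if ip not in inventory]


if __name__ == "__main__":
    cfg = parse_lan_print(IPMITOOL_LAN_PRINT)
    for finding in check_shared_nic(HOST, cfg):
        print(f"[{HOST['name']}] {finding}")
    for ip, mac, is_bmc in cloaked_addresses(OBSERVED_VLAN20, INVENTORY_VLAN20,
                                              KNOWN_BMC_MACS):
        print(f"cloaked {ip} ({mac}): {'baseboard' if is_bmc else 'unknown'}")
```

On the constructed input this reports the BMC as untagged and addressed inside the production /24, and lists 10.10.20.51 as a cloaked baseboard address; pointing the same checks at real `ipmitool lan print` output and a real ARP sweep per VLAN is the intended use.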

“Establish strict internal VLAN firewall rules on your management network segments; ones that cannot be bypassed with the sorts of raw socket techniques that a skilled attacker may be able to use on a local network segment, [and] lock down central management controllers to not authenticate to boards which claim to support only straight-key password authentication,” he said.

Written By

Marketing professional with a background in journalism and a focus on IT security.
