Public Cloud Security Anti Spoofing Protection
By Orgad Kimchi-Oracle on Jun 14, 2013
This past week (9-Jun-2013) Oracle ISV Engineering participated in the IGT cloud meetup, the largest cloud community in Israel with 4,000 registered members.
During the meetup, ISV Engineering presented two presentations:
• Introduction to Oracle Cloud Infrastructure presented by Frederic Pariente
• Use case : Cloud Security Design and Implementation presented by me
In addition, there was a partner presentation from ECI Telecom
• Using Oracle Solaris11 Technologies for Building ECI R&D and Product Private Clouds presented by Mark Markman from ECI Telecom
The Solaris 11 feature that received the most attention from the audience was the new Solaris 11 network virtualization technology.
The Solaris 11 network virtualization allows us to build any physical network topology inside the Solaris operating system including virtual network cards (VNICs), virtual switches (vSwitch), and more sophisticated network components (e.g. load balancers, routers and fire-walls).
The benefits for using this technology are in reducing infrastructure cost since there is no need to invest in superfluous network equipment. In addition the infrastructure deployment is much faster, since all the network building blocks are based on software and not in hardware.
One of the key features of this network virtualization technology is the Data Link Protection. With this capability we can provide the flexibility that our partners need in a cloud environment and allow them root account access from inside the Solaris zone. Although we disabled their ability to create spoofing attack by sending outgoing packets with a different source IP or MAC address and packets which aren't types of IPv4, IPv6, and ARP.
The following example demonstrates how to enable this feature:
Create the virtual VNIC (in a further step, we will associate this VNIC with the Solaris zone):
# dladm create-vnic -l net0 vnic0
Setup the Solaris zone:
# zonecfg -z secure-zone
Use 'create' to begin configuring a new zone:
create: Using system default template 'SYSdefault'
zonecfg:secure-zone> set zonepath=/zones/secure-zone
zonecfg:secure-zone> add net
zonecfg:secure-zone:net> set physical=vnic0
Install the zone:
# zoneadm -z secure-zone install
Boot the zone: # zoneadm -z secure-zone boot
Log In to the zone:
# zlogin -C secure-zone
NOTE - During the zone setup select the vnic0 network interface and assign the 10.0.0.1 IP address.
From the global zone enable link protection on vnic0:
We can set different modes: ip-nospoof, dhcp-nospoof, mac-nospoof and restricted.
ip-nospoof: Any outgoing IP, ARP, or NDP packet must have an address field that matches either a DHCP-configured IP address or one of the addresses listed in the allowed-ips link property.
mac-nospoof: prevents the root user from changing the zone mac address. An outbound packet's source MAC address must match the datalink's configured MAC address.
dhcp-nospoof: prevents Client ID/DUID spoofing for DHCP.
restricted: only allows IPv4, IPv6 and ARP protocols. Using this protection type prevents the link from generating potentially harmful L2 control frames.
# dladm set-linkprop -p protection=mac-nospoof,restricted,ip-nospoof vnic0
Specify the 10.0.0.1 IP address as values for the allowed-ips property for the vnic0 link:
# dladm set-linkprop -p allowed-ips=10.0.0.1 vnic0
Verify the link protection property values:
# dladm show-linkprop -p protection,allowed-ips vnic0
LINK PROPERTY PERM VALUE DEFAULT POSSIBLE
vnic0 protection rw mac-nospoof, -- mac-nospoof,
vnic0 allowed-ips rw 10.0.0.1 -- --
We can see that 10.0.0.1 is set as allowed ip address.
Log In to the zone
# zlogin secure-zone
After we login into the zone let's try to change the zone's ip address:
root@secure-zone:~# ifconfig vnic0 10.0.0.2
ifconfig:could not create address: Permission denied
As we can see we can't change the zone's ip address!
Optional - disable the link protection from the global zone:
# dladm reset-linkprop -p protection,allowed-ips vnic0
NOTE - we don't need to reboot the zone in order to disable this property.
Verify the change
# dladm show-linkprop -p protection,allowed-ips vnic0 LINK PROPERTY PERM VALUE DEFAULT POSSIBLE
vnic0 protection rw -- -- mac-nospoof,
vnic0 allowed-ips rw -- -- --
As we can see we don't have restriction on the allowed-ips property.
Conclusion In this blog I demonstrated how we can leverage the Solaris 11 Data link protection in order to prevent spoofing attacks.