
Source: ijcttjournal.org/Volume4/issue-6/IJCTT-V4I6P111.pdf

International Journal of Computer Trends and Technology (IJCTT), Volume 4, Issue 6, May 2013

ISSN: 2231-2803 http://www.ijcttjournal.org Page 1567

Resolving Vulnerability Of First Hop Redundancy Protocol Using MD5 Authentication

Priyanka Dubey, Abha Sachdev (Amity University, Noida, Uttar Pradesh, India)

Abstract – Security issues are a major constraint in computer networks. According to CSA, 90% of attacks come from inside the network. Earlier the concern was mainly with WAN networks, but the scenario has changed: with advances in technology, attacks are now concentrated within the LAN. This paper examines the vulnerabilities in LAN technology and specifically points out the problem concerning first hop redundancy. We also present an effective remedy for this problem through MD5-based authentication, comparing it with previously suggested solutions. The sole aim is more secure communication without affecting the efficiency of the network.

Keywords: FHRP; HSRP; MD5; VRRP; DMZ.

I. INTRODUCTION

Networks are spreading rapidly and becoming more complex every day. Network security becomes a serious and foremost issue whenever a network is designed or put into practical use. The security of data is the chief concern of every corporation placing a network inside or outside its premises. Networks are so widespread that security can be breached at many levels, i.e. hosts, clients, gateways, routers, transmission media, etc. The most severe exposure, however, lies with systems that provide services to clients outside their own network, e.g. e-mail servers and DNS servers. Here we take a scenario from a live computing environment in which a system or server connects to the outside world through a gateway. First we present an overview of the scenario with a preliminary introduction to the protocols used, then we point out the vulnerability together with the existing solutions to it. Finally, a solution is presented in the form of an MD5-based authentication service; this also remedies the vulnerability left open by the existing solution itself, i.e. the DMZ.

A First Hop Redundancy Protocol (FHRP) is a group of computer networking protocols designed to forward packets whose destination address is not in the same LAN. They share the following basic features:

They protect the default gateway of a sub-network by providing backup routers in case the active gateway router fails. The backup router automatically takes over the address of the previously active router within a few seconds, so the network does not break down.

They have long or no service timeouts, so hosts keep sending traffic to the same address as intended.

They adapt to changes in the network very quickly due to the implementation of ICMP Router Discovery Protocol (IGRP).

These protocols are also used to protect services operating on a single IP address, not only single routers. The types of First Hop Redundancy Protocol are:

Hot Standby Router Protocol (HSRP) - Cisco's initial, proprietary standard, in which a group of routers share one IP address and act as a single entity in the network. One router in the group does the forwarding while the others are in standby mode and stay idle until the main router enters a failure state. [1]


Figure 1: HSRP outlay

Virtual Router Redundancy Protocol (VRRP) - An open standard protocol, set up under the scope of the IEEE. It forwards based on a standard multicast address format. The rest of its functionality is the same as HSRP. [15]

Figure 2: VRRP outlay

Gateway Load Balancing Protocol (GLBP) – A more recent and automated protocol from Cisco that allows automatic selection among multiple available gateways for forwarding to a destination. It also provides automatic detection and re-routing in the event of failure of any gateway in the network. The protocol load-balances by efficiently utilising resources, i.e. available bandwidth, without any input from the network administrator.

Figure 3: GLBP Outlay

NetScreen Redundancy Protocol (NSRP) - A Juniper Networks proprietary router redundancy protocol providing load balancing.

Here we take only HSRP into account to present the security issues of FHRPs. HSRP is a Cisco proprietary protocol used at layer 2, i.e. the data link layer.

II. LITERATURE SURVEY

On initial study, all of the protocols above present a very viable solution to first hop redundancy by giving a standby router configuration to every gateway at the firewall between the private network and the public Internet. But these gateway routers, being the first hop into the private network, expose themselves as the unit an attacker aims for first in order to break through the firewall and seize control of communication within that private network. The chances of attack are even higher if there is a server within the private network that serves continuous connection requests. Such a server could be for e-mail, FTP, web, VoIP, DNS, etc.; taking continuous requests exposes the IP addresses of both the gateway and the server itself. This could lead to many attacks such as spoofing, sniffing, communication seizing and half-handshake requests. [1]

When we discuss solutions to these problems, the DMZ comes up as a viable option. Also known as a 'Demilitarized Zone' or perimeter network, it solves most of the security problems concerning traffic coming in from the outer network beyond the private network, i.e. the Internet.

III. DMZ

In computer security a DMZ can be defined as a sub-network, logical or physical, containing those services of a private network that connect to untrusted hosts or clients outside the private network on a frequent basis. The DMZ adds one more layer of security to an organisation's private network, so that an external attacker has access only to that specific system or equipment and cannot connect through to the private network. A DMZ is not part of the private system; rather it is a system or equipment residing outside the firewall of the private network, between the Internet and the private network. Hence the name 'Demilitarized zone': an area between two nations in which military action is not permitted. [3]

As already said, the hosts that interact regularly with the outside network are the ones most often compromised; they provide a door for attackers to peep into private networks and do damage. Thus a DMZ aims to put those regularly accessed hosts outside the private network, in a DMZ or sub-network of their own, in order to protect the rest of the network. Hosts in the DMZ have full connectivity to the outside network, i.e. the Internet, and to the other hosts within the DMZ, but their communication with hosts inside the private network is limited to very few of them. This makes the DMZ a viable solution and also allows it to service requests from both the inside and the outside network, with an intermediate firewall controlling the traffic between the DMZ and the hosts inside the private network. [4]

A DMZ is a good solution and rescues the network from external attacks, but it fails when the attack is generated from within the private network.

Another issue raised by a DMZ is that when a user of the private network needs to access its services from outside the network, e.g. from home, he or she has to come in through the external network using the reverse proxy configured on the e-mail server in the DMZ. Security is compromised at this stage because it is provided by an application layer firewall, which only inspects the specific shape of the traffic rather than controlling access to TCP or UDP ports, which is more secure and is what a packet filter firewall implements.

IV. NEED OF A VIABLE SOLUTION

As already established, a DMZ can secure the network against attacks from outside but fails drastically when it comes to attacks generated from inside the private network, such as sniffing communication with a packet analyser or spoofing such as e-mail spoofing. Though a DMZ is a good solution for securing a LAN, it has various disadvantages:

A DMZ configuration contains many firewalls for protection; therefore it is a costly and less preferable solution.

This back-to-back configuration also complicates the enterprise security picture, as two firewalls now have to be managed.

Worst of all, if attackers manage to penetrate the private network by breaking through the firewall, they gain access to both the private network and the DMZ configuration. [4]


V. VIABLE SOLUTION USING MD5

Because of the low security and high deployment cost of a DMZ, we propose a solution based on the MD5 algorithm for resolving the security vulnerability presented by HSRP and the other FHRP group protocols. MD5 authentication is preferable and compatible because it protects the password with a hash function. To raise security a level further we implement only the MD5 algorithm here, since reverse engineering of hash functions is impossible or very costly in terms of computation. Therefore we use MD5 as the most appropriate and viable solution to the problems presented by the FHRP group of protocols. [2][13]

VI. RESULTS

Here we discuss how the MD5 algorithm works on HSRP. To justify our solution we created a network in which a service provider is surrounded by BHARTI and TCL, and we are directly connected to these two firms. For communication within our LAN we created two routers, AMITY_CAMPUS_1 (active router) and AMITY_CAMPUS_2 (standby router). If our active router fails for any reason, the standby router takes over the position of the active router and works as the active router, so no hindrance occurs due to the router failure.

Figure 4: Outlay Topology of Problem presented

But if an attacker is already present in our LAN, it can pretend to be the active router and render both the active and the standby router idle. To guard against this critical scenario we apply the MD5 algorithm. We now present the actual scenario with the help of some figures.

Figure 5: Solution to issue

This is the normal scenario, in which AMITY_CAMPUS_1 is the active router because its priority is higher (100), and the next router, AMITY_CAMPUS_2, is the standby router because its priority is 90, as can be seen in the next figure.


Figure 6: Solution to issue (II)

Now consider an attacker. In the initial state it has no information about either the active router or the standby router; in that situation the attacker is unaware of the whole scenario. Figure 7 shows the attacker when it is not yet activated.

Normally HSRP works in this way, but suppose an attacker is present within the network: when it activates, it becomes the active router and forces the real active router to become the standby router, and now the attacker can capture all access and information coming from outside the network. The attacker becomes the active router by increasing its priority. Figure 8 shows the actual scenario inside the LAN when the attacker becomes active. [7]

Figure 7: Solution to issue (III)

Figure 8: Solution to issue (IV)

After becoming aware of the attacker's activation, we apply the MD5 algorithm on both the active router and the standby router to secure them from the attacker. When the MD5 algorithm is applied on the active router and the standby router, both routers start to pop up the message "bad authentication from attacker".

This scenario is shown in figure 9.

Figure 9: Solution to issue (V)
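As an added illustration (not code from the paper) of the election and authentication behaviour described in this section: a constructed Python model of HSRP hellos in which a rogue hello with priority 255 wins the active role while receivers only check the default clear-text authentication string, but is logged as "bad authentication" and ignored once they verify a keyed MD5 field. The hello layout, the shared key and the router priorities are constructed assumptions for the example, not Cisco's wire format.

```python
import hashlib
import hmac
import struct

# Constructed hello layout for this example: version, opcode (0 = hello), state
# (16 = active), priority, group, virtual IP, then an 8-byte authentication field.
# A simplified model, not the exact HSRP/Cisco MD5 wire format.
FIELDS_FMT = "!BBBBB4s"
VIRTUAL_IP = bytes([10, 0, 0, 1])            # constructed virtual gateway address
DEFAULT_AUTH = b"cisco".ljust(8, b"\x00")    # HSRP's default clear-text auth string

def auth_field(fields, key):
    """Keyed MD5 over the hello fields, truncated to fit the 8-byte auth slot."""
    return hashlib.md5(key + fields).digest()[:8]

def build_hello(priority, key=None, state=16, group=1):
    """Build a hello; without a key the default clear-text auth string is sent."""
    fields = struct.pack(FIELDS_FMT, 0, 0, state, priority, group, VIRTUAL_IP)
    auth = auth_field(fields, key) if key else DEFAULT_AUTH
    return fields + auth

def receive_hello(packet, key=None):
    """Validate a hello as a receiving router would: (priority or None, log text)."""
    fields, auth = packet[:-8], packet[-8:]
    priority = struct.unpack(FIELDS_FMT, fields)[3]
    expected = auth_field(fields, key) if key else DEFAULT_AUTH
    if not hmac.compare_digest(auth, expected):
        return None, "bad authentication"    # the message the paper's routers log
    return priority, "accepted"

def elect_active(hellos, key=None):
    """hellos: {router_name: packet}. Highest accepted priority becomes active."""
    accepted, log = {}, []
    for name, packet in hellos.items():
        priority, msg = receive_hello(packet, key)
        log.append(f"{name}: {msg}")
        if priority is not None:
            accepted[name] = priority
    active = max(accepted, key=accepted.get) if accepted else None
    return active, log

if __name__ == "__main__":
    key = b"constructed-shared-secret"
    routers = [("AMITY_CAMPUS_1", 100), ("AMITY_CAMPUS_2", 90)]
    rogue = {"ATTACKER": build_hello(255)}   # rogue hello: priority 255, no key
    plain = {**{n: build_hello(p) for n, p in routers}, **rogue}
    keyed = {**{n: build_hello(p, key) for n, p in routers}, **rogue}
    print("no authentication :", elect_active(plain)[0])    # ATTACKER
    print("MD5 authentication:", elect_active(keyed, key))  # AMITY_CAMPUS_1 stays active
```

The "bad authentication" log line is the detection signal a defender would alert on; the keyed field only helps if the key is configured identically on every legitimate router in the group.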

VII. CONCLUSION

After the overall study we conclude that the MD5 algorithm is a good solution for securing our LAN, as it provides more security and reliability. And since, as we know, reverse engineering of the MD5 algorithm is too costly, this solution will be a unique one. [11]

VIII. REFERENCES

[1] T. Li (Juniper Networks), B. Cole (Juniper Networks), P. Morton (Cisco Systems), D. Li (Cisco Systems). Cisco Hot Standby Router Protocol (HSRP). RFC 2281, March 1998.

[2] R. Rivest (MIT Laboratory for Computer Science and RSA Data Security, Inc.). The MD5 Message-Digest Algorithm. RFC 1321, April 1992.

[3] DMZ virtualization with VMware infrastructure.

[4] Eui-Gak Hwang. The DMZ and the Destiny of a Divided Korea. Springer, 2011. ISBN 978-1-4419-6435-9.

[5] United States Patent 5,473,599. Standby Router Protocol. Date of Patent: Dec. 5, 1995.

[6] John Sullivan. Network Fault Tolerance System. IEEE conference, May 2000.

[7] K. Jarvinen, M. Tommiska, J. Skytta. Hardware Implementation Analysis of the MD5 Hash Algorithm. IEEE conference, Jan. 2005.

[8] Shiwei Chen, Chenhui Jin. An Improved Collision Attack on MD5 Algorithm. Springer, 2008. ISBN 978-3-540-79498-1.

[9] S. Chang, M. Dworkin, Workshop Report, The First Cryptographic Hash Workshop, Report prepared, NIST 2005.

[10] Zhao Yong-Xia, Zhen Ge. MD5 research. IEEE conference, April 2010.

[11] J. Black, M. Cochran, T. Highland. A Study of the MD5 Attacks: Insights and Improvements. Springer, March 3, 2006. ISBN 978-3-540-36597-6.

[12] Tao Xie, Dengguo Feng. How to Find Weak Input Differences for MD5 Collision Attacks. IEEE conference, May 2009.

[13] Christof Paar, Jan Pelzl, Bart Preneel. Understanding Cryptography: A Textbook for Students and Practitioners. Springer, 2010, p. 7. ISBN 3642041000.

[14] Priyanka Dubey, Shilpi Sharma, Abha Sachdev, Review of First Hop Redundancy Protocol and Their Functionalities. International Journal of Engineering Trends and Technology (IJETT) – Volume 4 Issue 5- May 2013.

[15] Knight, S., et al. Virtual Router Redundancy Protocol. Request for Comments 2338, http://www.cis.ohio-state.edu/htbin/rfc/rfc2338.html.

[16] Stallings, William. Network and Internetwork Security: Principles and Practice. Englewood Cliffs, New Jersey, 1995, Prentice Hall.

[17] Stevens, W. Richard. TCP/IP Illustrated, Volume 1: The Protocols. Reading, Massachusetts, 1994, Addison-Wesley.

[18] Tanenbaum, Andrew S. Computer Networks: Third Edition. Upper Saddle River, New Jersey, 1996, Prentice Hall.

[19] Lewis, Chris. Cisco TCP/IP Routing Professional Reference. New York, New York, 1998, McGraw-Hill.

[20] Maufer, Thomas A. Deploying IP Multicast in the Enterprise. Upper Saddle River, New Jersey, 1998, Prentice Hall.

[21] Using HSRP for Fault-Tolerant IP Routing. http://www.cisco.com/cpress/cc/td/cpress/ccie/ndcs978/nd2022.htm.