With the deployment of the Tavve ZoneRanger and its deep packet inspection, the NOC manager is now singing “How Deep is Your Love (analysis)?” while securely managing her DMZ devices. But what does deep packet analysis mean with respect to classic network management protocols, and how does its use maintain the security posture required by Corporate Security Policies? The crack team of Tavve Engineers has spent decades understanding every aspect of each management protocol and then created software to verify that each packet exactly matches the protocol definition.
Per Alert (TA18-106A), “Network devices are ideal targets. … A malicious actor with presence on an organization’s internal routing and switching infrastructure can monitor, modify, and deny traffic to and from key hosts inside the network and leverage trust relationships to conduct lateral movement to other hosts. Organizations that use legacy, unencrypted protocols to manage hosts and services, make successful credential harvesting easy for these actors.”
This verification covers not only unsolicited management traffic such as NetFlow, Syslog, and SNMP Trap packets, but also request/response protocols such as ICMP and SNMP. The ZoneRanger matches every response to its corresponding outstanding request; if a response does not arrive within a reasonable amount of time, as configured by the user, the response is considered suspect and is discarded. The ZoneRanger also forwards only the first response to each request, which prevents replay attacks.
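The matching logic described above, as an added illustration (this is not Tavve's code, and the request identifiers, timeout and timings are constructed): every outbound request is recorded, a response is forwarded only if it answers a request that is still within the operator-chosen window, and any second response to an already-answered request is treated as a replay and dropped. The request identifier stands in for whatever the protocol uses to pair messages, such as an SNMP request-id or an ICMP echo identifier/sequence pair.

```python
"""Request/response correlation with a timeout and first-response-only acceptance.

Illustrative code modelled on the behaviour described in the text, not the
ZoneRanger implementation.  Times are plain floats (seconds) passed in by the
caller so the logic is deterministic and testable.
"""
from dataclasses import dataclass, field
from typing import Dict, List

ACCEPT = "accept"            # first response to a live request: forward it
UNSOLICITED = "unsolicited"  # no matching outstanding request: discard
LATE = "late"                # matching request has timed out: discard
DUPLICATE = "duplicate"      # request already answered once: discard (replay)


@dataclass
class ResponseCorrelator:
    timeout: float                                               # seconds, chosen by the operator
    outstanding: Dict[int, float] = field(default_factory=dict)  # request id -> time sent
    answered: Dict[int, float] = field(default_factory=dict)     # request id -> time answered

    def on_request(self, request_id: int, now: float) -> None:
        """Record an outbound request leaving the protected zone."""
        self.outstanding[request_id] = now
        self.answered.pop(request_id, None)  # a reused id starts a fresh exchange

    def prune(self, now: float) -> List[int]:
        """Forget expired requests and old answered ids; return the expired request ids."""
        expired = [rid for rid, sent in self.outstanding.items() if now - sent > self.timeout]
        for rid in expired:
            del self.outstanding[rid]
        # Answered ids are remembered for one timeout window so replays in that window
        # are recognised; after that they fall back to "unsolicited", still discarded.
        for rid in [r for r, t in self.answered.items() if now - t > self.timeout]:
            del self.answered[rid]
        return expired

    def on_response(self, request_id: int, now: float) -> str:
        """Classify an inbound response; only ACCEPT is forwarded to the requester."""
        if request_id in self.answered:
            return DUPLICATE
        sent = self.outstanding.get(request_id)
        if sent is None:
            return UNSOLICITED
        del self.outstanding[request_id]
        if now - sent > self.timeout:
            return LATE
        self.answered[request_id] = now
        return ACCEPT


def demo() -> List[str]:
    """Constructed exchange: two requests, then four inbound responses."""
    c = ResponseCorrelator(timeout=2.0)
    c.on_request(101, now=0.0)
    c.on_request(102, now=0.5)
    return [
        c.on_response(101, now=1.0),  # timely first answer        -> accept
        c.on_response(101, now=1.2),  # second answer to 101       -> duplicate
        c.on_response(102, now=3.0),  # 2.5 s after a 2.0 s window -> late
        c.on_response(999, now=3.1),  # nothing was ever sent      -> unsolicited
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Only the first verdict results in a packet being forwarded; the other three are the cases the text says are discarded. Note that the `answered` table is what defends against a replayed response, and its retention window (here tied to the same timeout) bounds memory use on a busy link.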
Individual packets are also inspected to ensure that they conform to the appropriate RFC. In order to ensure that a bad actor has not tampered with your management packet, any packet that does not comply with the RFC is discarded.
In addition to packet inspection, the ZoneRanger further checks syslog messages, to enhance the security of syslog forwarding, by requiring that the packets contain only printable characters. Which characters count as printable depends on the format of the syslog message. For BSD (RFC 3164) formatted syslog messages, only those that contain solely printable ASCII characters (decimal 32 through decimal 126) are forwarded. For RFC 5424 formatted syslog messages, only those that contain solely printable UTF-8 characters are forwarded. Any syslog message that contains non-printable characters is discarded.
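The printable-character rule above, as an added example (this is illustrative Python, not the ZoneRanger's code, and the sample messages are constructed). The format is decided from the syslog header: after the `<PRI>` field, RFC 5424 carries a VERSION number and a space, while RFC 3164 continues with a textual timestamp. BSD-format messages must then be pure printable ASCII (bytes 32 through 126), and RFC 5424 messages must decode as strict UTF-8 with no control or other non-printable characters; tabs, newlines, escape sequences and invalid byte sequences all cause the message to be discarded.

```python
"""Syslog printable-character filter for RFC 3164 (BSD) and RFC 5424 messages.

Illustrative code modelled on the rule in the text, not Tavve's implementation.
Messages are raw bytes as received from the wire.
"""
import re
from typing import List, Tuple

PRI_RE = re.compile(rb"^<(\d{1,3})>")         # <PRI> header shared by both formats
VERSION_RE = re.compile(rb"^[1-9]\d{0,2} ")   # RFC 5424: VERSION followed by SP


def syslog_format(msg: bytes) -> str:
    """Return 'rfc5424', 'rfc3164' or 'unknown' based on the header after <PRI>."""
    m = PRI_RE.match(msg)
    if not m:
        return "unknown"
    rest = msg[m.end():]
    if VERSION_RE.match(rest):
        return "rfc5424"
    return "rfc3164"


def is_printable_ascii(msg: bytes) -> bool:
    """BSD rule: every byte must be in the printable ASCII range 32..126."""
    return all(32 <= b <= 126 for b in msg)


def is_printable_utf8(msg: bytes) -> bool:
    """RFC 5424 rule: strict UTF-8 decode, then no control/format/separator characters.
    str.isprintable() accepts ASCII space but rejects tab, newline and other
    Unicode 'Other' and 'Separator' categories (assumption: that is the intended
    definition of 'printable UTF-8')."""
    try:
        text = msg.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return False
    return text.isprintable()


def should_forward(msg: bytes) -> bool:
    """Apply the format-specific printable check; unknown formats are discarded."""
    fmt = syslog_format(msg)
    if fmt == "rfc3164":
        return is_printable_ascii(msg)
    if fmt == "rfc5424":
        return is_printable_utf8(msg)
    return False


# Constructed sample messages (not captured traffic).
SAMPLES: List[bytes] = [
    b"<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",  # clean BSD
    b"<34>Oct 11 22:14:15 mymachine su: bad\x1b[2Jline",                             # ESC in BSD
    b"<13>Oct 11 22:14:15 host app: caf\xc3\xa9",                                   # UTF-8 in BSD
    b"<165>1 2003-10-11T22:14:15.003Z host evntslog - ID47 - caf\xc3\xa9 login",   # clean 5424
    b"<165>1 2003-10-11T22:14:15.003Z host app - - - bad\xff byte",                 # invalid UTF-8
    b"<165>1 2003-10-11T22:14:15.003Z host app - - - tab\there",                    # tab in 5424
    b"no pri header at all",                                                        # unknown format
]


def filter_messages(msgs: List[bytes]) -> Tuple[List[bytes], List[bytes]]:
    """Split messages into (forwarded, discarded) according to should_forward()."""
    forwarded = [m for m in msgs if should_forward(m)]
    discarded = [m for m in msgs if not should_forward(m)]
    return forwarded, discarded


if __name__ == "__main__":
    fwd, drop = filter_messages(SAMPLES)
    for m in fwd:
        print("FORWARD", m)
    for m in drop:
        print("DISCARD", m)
```

Of the seven constructed samples only the first and fourth are forwarded. The third sample shows the format dependence: the same accented character that is acceptable in an RFC 5424 message is rejected in a BSD-format message because its UTF-8 encoding uses bytes above 126.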
Next time we’ll discuss Attack Surfaces. You’ll not want to miss it.