Dual Homed Machines are the Juiciest Targets

It is easy for me to forget that just because I have taught a concept at one or two conferences, not everyone in the world has heard it. This was driven home with amazing clarity at the Hirschmann Critical Network Design Conference back in September when a participant asked me:

We use computers with two network cards as security between the control system and the business system. Is that a good idea?

Now, while there is nothing wrong with having two network cards in a computer (i.e., a dual-homed computer) if you are doing it for redundancy, you are sorely mistaken if you think it is a security solution too.

In an ideally configured system, dual network interface cards (NICs) provide some minimal network separation. However, operating systems like Windows were never designed to isolate those two cards; in fact, their IP stacks are designed to interconnect them.

In most operating systems it is trivial to reconfigure the computer so that it automatically forwards packets arriving on one NIC out the other, circumventing any pretence of network isolation (on Windows it is a single registry value, on Linux a single sysctl). Software applications do the equivalent at the application layer all the time, often without anyone knowing it is happening.

To make matters worse, if the dual-homed computer is compromised by a worm or virus, then both networks will immediately be compromised. For example, many process control incidents involving the Slammer worm back in 2003 were a result of dual-homed architectures – the worm infected the server via one NIC and then immediately started working on the computers located on the second NIC’s network. All of Stuxnet’s network attacks would transit a dual-homed computer.

The sad fact is that dual-homed servers are widely seen as easy targets by the hacking community. For example, the following guidance to testers (and hackers) on how to penetrate firewalled systems can be found on the web:

'How to get around the firewall? The juiciest targets are dual-homed machines -- that is, boxes with two NICs connected both to the DMZ and the internal net. In theory there should be none; in practice, users (well, power users and developers) frequently do this so they can get their work done more quickly.'

Of course, a dual-homed computer can make a good firewall in its own right, but only if the firewall software is the only software running on it. And dedicating an entire PC to that job is hard to justify, both in terms of cost and the resources needed to keep it fully patched and its anti-virus up to date. A real firewall from any of the firewall vendors is a far more cost-effective solution.

The UK and US governments’ “Good Practice Guide on Firewall Deployment for SCADA and Process Control Networks” wraps it up nicely:

“While dual-homed computers are useful for redundancy on the same network or on two networks within the same PCN system, their use as a segregation device is less than ideal. [Security = 1, Manageability = 2, Scalability = 1]” (1 = worst, 5 = best)

So if you are using dual-homed computers for security, it is time to start replacing them with a firewall. Let me know how well they have worked (or not worked) and the challenges you have with installing firewalls in existing dual-homed control architectures.



Comments


An excellent case study of a DCS virus infection (Sality) that was enabled by dual-homed machines can be found here:
http://tinyurl.com/29l7xm6

This is a good real-life example of why dual-homed computers can be dangerous from a security point of view. From my understanding of this particular event, it was complicated by the fact that OPC Classic was involved. OPC's need for wide-open TCP port ranges means that a firewall that can specifically manage the OPC protocol is critical.

Of course I am a bit biased on this (since my team designed the OPC-aware Firewall), but it seems like the Tofino OPC Enforcer would have been a good alternative to the dual-homed PCs involved in this incident...

One can disable port forwarding on an ethernet port, but is this easy for applications to override?

Yes it is easy - since most worms (such as Stuxnet) escalate privilege to administrator, it is a simple write to the Registry for the malware.

But even if forwarding is not activated and the worm or hacker doesn't have admin privileges, we still have a basic problem if the malware can run an application on the dual-homed computer, even as a user.

In Windows, applications typically have no restrictions on what interfaces they can use. For example, I can have IE8 using both my wireless interface (so I can browse the Internet) and my wired interface (so I can connect to the PLC on my desk). The two interfaces aren't forwarded; rather, the application has control of both.

In other words, if an attacker or worm manages to get a program running on a dual-homed PC, he could configure the machine to forward traffic, but he/she/it doesn't really need to. It can just generate the traffic locally and send it on both interfaces. Or it can act as its own forwarding engine; in fact a number of logging systems do exactly that.

The problem is really centred around the fact that PCs are designed to run arbitrary applications with unfettered access to all interfaces. A firewall, whether it is a Cisco ASA, a Juniper Netscreen or a Tofino Security Appliance, is locked to a very limited set of applications with very restricted interface access.

With enough patience, you can lock down any PC and make it a good firewall, but that is all it should be used for – using it as a file server, HMI, workstation or even print server is a bad idea. And that makes it an expensive firewall.
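The following is an added example, not code from the original post, from Tofino or from any of the products named above. It demonstrates in working code the point made in the body of the post (that forwarding between the two NICs is a one-line OS setting) and in the reply above (that an application does not even need that setting, because it can open one connection on each side and act as its own forwarding engine). The relay runs as an ordinary user: no IPEnableRouter change, no ip_forward change. For an offline run both "sides" are loopback addresses and the control-side device is a constructed echo server standing in for a PLC; the names FakePlc, Relay and talk_through_relay, and the sample Modbus/TCP bytes, are all assumptions made for this example. On a real dual-homed host the relay would bind the business-side NIC address and the target would be an address on the control-side subnet, with the routing table picking the other NIC automatically.

```python
# Added example (not the post's own code): a user-mode relay that bridges the
# two sides of a dual-homed PC without touching the OS forwarding switch.
import socket
import sys
import threading


def kernel_forwarding_enabled():
    """Read the OS-level IP forwarding switch the post talks about.
    Returns True/False, or None if it cannot be read on this platform."""
    if sys.platform.startswith("linux"):
        try:
            with open("/proc/sys/net/ipv4/ip_forward") as f:
                return f.read().strip() == "1"
        except OSError:
            return None
    if sys.platform == "win32":
        import winreg  # HKLM\SYSTEM\...\Tcpip\Parameters\IPEnableRouter (REG_DWORD)
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                                 r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters")
            value, _ = winreg.QueryValueEx(key, "IPEnableRouter")
            return value == 1
        except OSError:
            return None
    return None


def _pump(src, dst):
    """Copy bytes src -> dst until src reaches EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class TcpService(threading.Thread):
    """Accept loop on an ephemeral port; subclasses implement handle(conn)."""

    def __init__(self, host):
        super().__init__(daemon=True)
        self.stop = threading.Event()
        self.sock = socket.socket()
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, 0))
        self.sock.listen(5)
        self.sock.settimeout(0.2)          # so the loop can notice stop
        self.addr = self.sock.getsockname()  # (host, port) actually bound

    def run(self):
        with self.sock:
            while not self.stop.is_set():
                try:
                    conn, _ = self.sock.accept()
                except socket.timeout:
                    continue
                threading.Thread(target=self.handle, args=(conn,), daemon=True).start()


class FakePlc(TcpService):
    """Constructed stand-in for a control-network device: echoes what it gets."""

    def handle(self, conn):
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    return
                conn.sendall(data)


class Relay(TcpService):
    """The 'application as forwarding engine': each connection accepted on the
    listen side is spliced to target_addr on the other side. Needs no admin
    rights and no IPEnableRouter / ip_forward change."""

    def __init__(self, listen_host, target_addr):
        super().__init__(listen_host)
        self.target_addr = target_addr

    def handle(self, client):
        # The OS routing table chooses the outgoing NIC for target_addr; the
        # relay process is what joins the two networks.
        upstream = socket.create_connection(self.target_addr, timeout=5)
        pumps = [threading.Thread(target=_pump, args=(client, upstream)),
                 threading.Thread(target=_pump, args=(upstream, client))]
        for p in pumps:
            p.start()
        for p in pumps:
            p.join()
        client.close()
        upstream.close()


def talk_through_relay(payload):
    """Send payload from the 'business side' through the relay to the fake PLC
    and return whatever comes back (equal to payload when the bridge works)."""
    plc = FakePlc("127.0.0.1")
    plc.start()
    relay = Relay("127.0.0.1", plc.addr)
    relay.start()
    try:
        with socket.create_connection(relay.addr, timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            chunks = []
            while True:
                data = c.recv(4096)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks)
    finally:
        relay.stop.set()
        plc.stop.set()


if __name__ == "__main__":
    # Constructed sample bytes shaped like a Modbus/TCP read-holding-registers request.
    frame = bytes.fromhex("000100000006010300000001")
    print("kernel forwarding enabled:", kernel_forwarding_enabled())
    print("relayed intact:", talk_through_relay(frame) == frame)
```

Run it and note that the second line prints True regardless of what the first line says: the kernel forwarding flag is irrelevant once a process on the box holds a socket on each side. That is the property a firewall appliance removes by refusing to run arbitrary applications at all.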

Yes, I completely agree with the above post. Dual-homed machines are really worthwhile. So glad I have gone through your post. Very useful to me, as I have been looking forward to this information but found it here. Keep sharing.
