IP aliases, effect on security?

ME dugan at passwall.com
Tue Feb 11 23:15:05 PST 2003


Daniel Smith said:
> I'm setting up a server at home, to soon swap
> with a Cobalt I have @ Sonic.  It's running Debian w/2.4.18-bf2.4

Ahhh, I like Debian. :-D

> I'm adding a couple of IP aliases: eth0:1, eth0:2, etc.
> I am thinking that I will rerun Bastille, in order
> to write the firewall rules for additional IP addresses
> (and yep, I run interactive mode)
>
> In general, what security concerns are directly related
> to the use of IP aliasing?

It depends on how it is used. If you bind IP addresses from the same
exposed subnet, then the increased exposure is limited:

1) increased risk for "being found" on the exposed net as you have 3x more
IPs than just one.

2) If you have services running on the box, then it takes more time to
verify the services use only the IP they should use and no others.

3) More...

If you are setting up multiple IPs on the same physical interface, but
the IPs are on different subnets, and you have one of the alias
interfaces meant to act as a member of a private network for NAT or
translation, then you really have some risks....

All traffic to/from the physical interface is effectively part of the same
collision domain. All repeaters attached to the interface will propagate
all traffic to/from the interface. This can cause a "bleeding" of private
network data through to all nodes who share the same collision domain as
the single NIC doing the IP aliasing.

Kind of like me in the middle of an auditorium with 4 different groups of
people in different corners of the room. I can turn to each group and yell
out "hey all of you in that corner, anyone over there know who 'Jay' is?"
And if I know who Jay is, then I can yell to Jay in the same corner and he
will listen. Of course, if anyone in that corner wants to be "promiscuous"
they can also listen to what Jay and I yell to each other. (Normal
behaviors listed above in a single subnet on one collision domain.)

Now, if I am in aliased mode and effectively have IP addresses or presence
in each of the four groups, then when I yell to the same group above "Hey,
any of you know who 'Jay' is?" the people in the other groups will ignore
the request because I am not facing them (using an alias to send the
message that has a presence in their subnet.) *However*, since all 4
groups (subnets) are sharing the same media and are part of the same
collision domain, anyone who wishes can grab the ethernet frames (hear
what I am yelling to one group) even though I am not facing them (sending
from the alias that is part of their subnet). This is one huge problem
with aliased interfaces: when an IP that is meant to be private and not
exposed is bound to an alias of an interface that is meant to be exposed.

Sure, it might be possible to use firewall rules to limit connections to
the different aliased logical copies of the same physical interface, but
that does not stop bleeding of ethernet frames between hosts on the
different subnets. Most hosts will ignore traffic not meant for their
subnet, but a rogue user on such a repeated network can listen to all
traffic on all 4 subnets.

Sorry for offering a simple analogy, as you probably don't need such an
example. I offer this for archive to the list and to help people understand
this problem who might be lurking.

If this is not the kind of review you were looking for, please let us
know. We have many talented people on this list.

> Am I pretty much just mirroring
> firewall rules for a new IP address, or is there a lot
> more to consider?  The server will only be accepting
> ssh and http/s inbound...
>
> Free beers in exchange for any enlightenment here :-)

Really, I would want to know what problem you are trying to solve with
aliasing on a network interface.

Using modern ssh servers and ssl servers (latest patched all of the time)
makes sniffing a little useless. Sure, data can be grabbed, and the whole
theorized keystroke speed analysis can be used, but that is the same for
other ssh too. However, http can be sniffed. Be careful of authentication
of type Basic over plaintext http. Of these, http connections are at
the greatest risk of being sniffed and used over all subnets of the
interface being aliased if the interface is part of a repeated network.

HTH,
If you have further Q, please ask more! :-)

-ME
-- 
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS/CM$/IT$/LS$/S/O$ !d--(++) !s !a+++(-----) C++$(++++) U++++$(+$) P+$>+++
L+++$(++) E W+++$(+) N+ o K w+$>++>+++ O-@ M+$ V-$>- !PS !PE Y+ PGP++
t at -(++) 5+@ X@ R- tv- b++ DI+++ D+ G--@ e+>++>++++ h(++)>+ r*>? z?
------END GEEK CODE BLOCK------
decode: http://www.ebb.org/ungeek/ about: http://www.geekcode.com/geek.html
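The two practical points above, checking that each service listens only on the alias IP it is meant to, and mirroring firewall rules per IP, as an added example for this archive page (not code from the original poster or from Bastille). It assumes Linux `ss -tln` output (iproute2); the addresses 192.0.2.x / 198.51.100.x are documentation ranges standing in for eth0, eth0:1 and eth0:2, and the policy and the sample listener table are constructed for illustration.

```python
"""Audit listeners on an IP-aliased host against an intended-binding policy,
and derive matching per-alias iptables rules from the same policy.

Added example for this archive page; not code from the original post.
Assumed: Linux `ss -tln` output format (iproute2); the addresses below are
documentation ranges standing in for eth0, eth0:1 and eth0:2, and the
policy itself is invented for illustration.
"""

WILDCARDS = {"0.0.0.0", "*", "::", "[::]"}

# Assumed policy: for each TCP port, the only alias IPs it may listen on.
POLICY = {
    22: {"192.0.2.10"},        # sshd: primary, public address only
    80: {"192.0.2.11"},        # httpd: alias eth0:1
    443: {"192.0.2.11"},
    3306: {"198.51.100.1"},    # private-subnet alias (eth0:2); never the public ones
}

# Constructed `ss -tln` output for the sample host (not a real capture).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     192.0.2.10:22        0.0.0.0:*
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     192.0.2.11:443       0.0.0.0:*
LISTEN  0       128     198.51.100.1:3306    0.0.0.0:*
LISTEN  0       128     192.0.2.12:8080      0.0.0.0:*
"""


def parse_listeners(ss_output):
    """Return (local_address, port) pairs for every LISTEN row.

    Splits on the last ':' so bracketed IPv6 addresses like [::]:22 survive;
    the header row and any non-LISTEN rows are skipped.
    """
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)
        listeners.append((addr, int(port)))
    return listeners


def audit(listeners, policy):
    """Flag listeners that are reachable on more aliases than policy allows."""
    findings = []
    for addr, port in listeners:
        allowed = policy.get(port)
        if allowed is None:
            findings.append(f"{addr}:{port}: no policy entry, unexpected listener")
        elif addr in WILDCARDS:
            # A wildcard bind answers on every alias, including a private-subnet one.
            findings.append(
                f"{addr}:{port}: wildcard bind, answers on every alias "
                f"(policy allows only {sorted(allowed)})"
            )
        elif addr not in allowed:
            findings.append(
                f"{addr}:{port}: bound to an alias not allowed for this port "
                f"(policy allows only {sorted(allowed)})"
            )
    return findings


def iptables_rules(policy):
    """Emit one ACCEPT per (alias IP, port) pair under a default DROP.

    Matching on the destination address (-d) means a service that later
    rebinds to 0.0.0.0 is still only reachable on the aliases policy names.
    """
    rules = [
        "iptables -P INPUT DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for port, ips in sorted(policy.items()):
        for ip in sorted(ips):
            rules.append(f"iptables -A INPUT -d {ip} -p tcp --dport {port} -j ACCEPT")
    return rules


if __name__ == "__main__":
    for finding in audit(parse_listeners(SAMPLE_SS_OUTPUT), POLICY):
        print("FINDING:", finding)
    print("\n".join(iptables_rules(POLICY)))
```

On a live box, feed the real `ss -tln` (or `netstat -tln` on an older system) output into parse_listeners instead of the constructed sample; the sample deliberately contains a wildcard-bound httpd and an unlisted port 8080 so both kinds of finding show up. The rules only control which alias IPs answer, which is exactly the limit the post describes: they do nothing about frames from every subnet being visible to a promiscuous host on the same shared segment.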