Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

PXE security

Status
Not open for further replies.

LawnBoy

MIS
Mar 12, 2003
2,881
Just how safe is it for my workstations to be performing a PXE boot check on every boot?

Let's say that a rogue user set up another PXE server on my network, and had created a linux boot image that could write files to NTFS. I've just been rooted, haven't I?

Your thoughts/comments appreciated.
 
Yup, sounds possible. I would

A) secure my network.
B) secure my network.
&
C) secure my network.


It would be pretty hard for a user to do this and you not find out about it. PXE uses DHCP, if you sniff the packets you will see the workstation requesting an IP and two DHCP servers reply to the request. One being your true DHCP server, the other being the PXE server (special tweaks have to be done on servers running both). If a workstation got a thrid reply that conflicted with another, it would use the one it got first.

If the rogue PXE-DHCP server replied first and caused the PC to do it's bidding, then there is the issue of ensureing it gets a valid IP address.

It would be a very tricky hack to pull off, you can't just say this one PC will request, and the reply will go to only this PC (with out some fairly serious hacking).

Your looking at a failry high level of skillz needed to pull it off. If you have anyone that can in your organization, get them onto your team, or call the FBI to see if they are on the most wanted list.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Brent Schmidt Certified nut case [hippy]
Senior Network Engineer
Keep IT Simple
 
I'm not sure how hard it would really be. My local PXE server responds well before our remote DHCP server does, so the only conflict that could happen is between the two PXE replies. I'm thinking that if you booted several times you could connect to either one.

MAC lockdowns are not practical, too many PCs moving around too much.

 
Well, it's not tough to do, I now have a laptop that I can connect to a PXE enabled PC via crossover cable and hijack to my heart's content.

The answer to this is Boot Integrity Services. BIS allows a PXE server to generate a public key which is then entered into the NIC BIOS on the PC. Any image downloaded by the NIC must contain this key or the image is rejected, thus preventing the hijack scenario.

I don't see any info on BIS in the ZFD docs, or on Novell's forums. Anybody here dealt with BIS?
 
According to the Novell ZFD forum, BIS is not implemented.

We've decided to turn off the PXE server.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top