AIRlok™ Invulnerable to Flaw that Could Crash the Internet


In response to recent announcements by the US and UK governments that a flaw affecting the Internet’s “Transmission Control Protocol” (TCP) could be exploited by hackers to bring down the Internet, Lok Technology announces that its AIRlok(TM) Network Infrastructure Appliance is invulnerable to these threats. The AIRlok Appliance may be the solution for vulnerable networks that use popular routers and firewalls provided by a number of networking equipment manufacturers, including Cisco and Juniper Networks. The AIRlok, used to manage and secure wireless networks, including the increasingly popular Wi-Fi, has numerous built-in software and hardware-based defenses against TCP connection spoofing and hijacking.

On Tuesday, April 20, the US Department of Homeland Security’s U.S. Computer Emergency Response Team (US-CERT), along with England's National Infrastructure Security Coordination Centre (NISCC), announced that a computer researcher from Milwaukee had identified a method whereby hackers can trick personal computers and routers into shutting down by resetting the machines remotely in just a matter of minutes. Previously, researchers believed that such a feat would require calculations spanning 4 to 142 years. Cisco has issued advisories warning that the IOS operating system used in many models of its popular routers is vulnerable to this flaw. Juniper Networks has posted a security alert on its web site indicating that certain series of its routers, as well as all NetScreen firewalls running ScreenOS earlier than release 5.0R6, are affected by this development.

Large-scale disruptions of the Internet could leave enterprises and government organizations without critical communication tools such as email and instant messaging.

Lok Technology launched its Internet infrastructure appliance, AIRlok, last autumn to meet the increasing demand from enterprises, telecom carriers and Internet Service Providers (ISPs) for more secure wireless (including Wi-Fi) and wireline networking. The AIRlok employs both software and hardware configurations that make it one of the few network management solutions that can foil efforts by hackers to disrupt enterprise communications, e-commerce and government services that increasingly rely on the Internet. At the core of the AIRlok’s defenses is the use of the OpenBSD operating system.

OpenBSD (http://www.openbsd.org) is an open source project that emphasizes correctness, security, standardization, and portability. OpenBSD’s focused security approach makes it the most secure operating system in the world. Simon Lok, Chief Scientist and Founder of Lok Technology, states, “We run OpenBSD for this very reason. The developers of OpenBSD have a methodology that results in proactively secure systems.” The recently announced TCP vulnerability is only the latest in a series of examples of how the proactive approach of the OpenBSD team thwarts attack and exploitation methods years before they appear.

A TCP sequence number exploit requires that the attacker correctly guess the initial sequence number (ISN) and/or subsequent sequence numbers. In technical terms, many vendors have chosen to employ predictable ISN generators despite the fact that numerous Requests for Comment (RFCs) regarding TCP clearly state the importance of randomized values for the ISN. These shortcuts move TCP sequence number exploits against their products from the merely possible to the practical. In OpenBSD, the ISN is chosen using a cryptographically strong pseudo random number generator (PRNG) seeded from the kernel entropy pool, thereby thwarting predictability.

In addition, successful execution of a TCP sequence number attack requires that the attacker correctly provide the TCP 4-tuple (source address, destination address, source port, destination port). The UK NISCC release states “As the source port varies, additional work is generally called for on the part of the attacker.” Once again, many vendors have chosen to use very simple source port number generators. In OpenBSD, the source port is also chosen using a cryptographically strong PRNG.

Lok Technology takes an additional step by shipping a FIPS-140-1 certified hardware random number generator (HW-RNG) with every appliance. A driver developed by the OpenBSD team (in conjunction with Lok Technology support) feeds the kernel entropy pool with true entropy. This makes attacks against OpenBSD subsystems that depend on entropy (e.g. TCP sequence number exploits) even more impractical.
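The two preceding points, guessable ISNs and the extra work a randomized source port imposes, can be put in numbers. The following is an added example, not Lok Technology or OpenBSD code; the window size, ephemeral port range and fixed-increment generator are constructed assumptions used only to show the effect.

```python
# Added example (not Lok Technology's or OpenBSD's code): two checks a defender
# can run to reason about the TCP sequence number exposure described above.
import math
import secrets
import statistics

SEQ_SPACE = 2 ** 32  # size of the 32-bit TCP sequence number space


def reset_guesses(window, port_candidates):
    """Worst-case number of spoofed segments needed to land one inside the
    receive window for every candidate source port.  A predictable source port
    means port_candidates == 1; a randomized ephemeral port multiplies the work
    by the size of the range, which is the NISCC point quoted in the text."""
    per_port = math.ceil(SEQ_SPACE / window)
    return per_port * port_candidates


def predictability_score(isns):
    """Coefficient of variation of first-order ISN differences (mod 2^32).
    0.0 means a constant increment (fully guessable); values around 0.58 are
    what uniformly random 32-bit ISNs produce.  Same idea as the sequence
    predictability index reported by network scanners."""
    diffs = [(b - a) % SEQ_SPACE for a, b in zip(isns, isns[1:])]
    mean = statistics.mean(diffs)
    return 0.0 if mean == 0 else statistics.pstdev(diffs) / mean


def incremental_isns(n, step=64000):
    """Constructed sample from a fixed-increment generator, the predictable
    style the release criticises (step value is an assumption)."""
    return [(i * step) % SEQ_SPACE for i in range(n)]


def random_isns(n):
    """Constructed sample from a CSPRNG, as the release says OpenBSD does."""
    return [secrets.randbits(32) for _ in range(n)]


if __name__ == "__main__":
    # 16 KiB receive window, fixed source port vs. 16384 randomized ephemeral ports
    print("fixed port:     ", reset_guesses(16384, 1))       # 262144
    print("random port:    ", reset_guesses(16384, 16384))   # 4294967296
    print("incremental ISN:", predictability_score(incremental_isns(100)))
    print("random ISN:     ", predictability_score(random_isns(1000)))
```

Run the script against ISNs collected from your own hosts to compare them with the two constructed generators; a score near zero is the condition the release warns about.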

Both the NISCC and US-CERT advisories recommend ingress and egress filtering as an important step towards mitigating the damage that can be caused by the TCP exploit. In conjunction with its 12 dynamic functions that manage and secure networks supporting a few dozen to several thousand users, the AIRlok implements an intrusion protection system (IPS) and stateful firewall. By default, an AIRlok provides address spoofing prevention as well as automatic “blackholing” of devices that attempt to perform flooding attacks.

The AIRlok is currently distributed in the US and UK for use by telecommunications carriers, Internet Service Providers (ISPs), Wireless ISPs, and enterprises.

More information about the recent announcements by the US and UK governments can be found at:

US Homeland Security Computer Emergency Response Team http://www.us-cert.gov (Ref: US-CERT TA04-111A, UK NISCC 236929) along with previous TCP sequence number related vulnerabilities (e.g. CERT CA-2001-09)

U.K. National Infrastructure Security Coordination Centre http://www.niscc.gov.uk

About LokTek (http://www.loktechnology.com)

Lok Technology, Inc., a private company headquartered in Coral Gables, FL, develops and commercializes secure and trusted computing appliances based on an open-source, Ultra-Thin Client™ computing platform incorporating an integrated PKI. Solutions include the ultimate in secure e-mail and data storage solutions as well as the AIRlok(TM) network infrastructure appliance. The AIRlok Infrastructure Appliance provides network (wireless and wireline) infrastructure services across a broad range and is positioned to become the standard choice for managing and securing Wi-Fi networks. The 700 Series AIRlok Appliance can accommodate up to 50,000 simultaneous users from a pool of over 10 million account holders; the 300 Series AIRlok Appliance provides the same suite of integrated capabilities, including routing, firewalls and billing, for 300 simultaneous users with prices starting at $2,990. http://www.AIR-lok.com

# # #

Contact Author

LeAnne M. Johnson