An emerging network protocol that brings resiliency and performance boosts to mobility and the Internet of Things is invisible to most network security infrastructure.
MultiPath TCP (MPTCP) allows applications to use multiple IP addresses and network interfaces to send data over multiple paths. For instance, a smartphone could send application traffic over Wi-Fi, 4G and Bluetooth simultaneously. The subflows would be reassembled into the full application stream only at the destination server. Yet when traffic flows are fragmented in this way, network security can break.
"Application conversations can't be characterized in one or two packets," said Eric Hanselman, chief analyst for 451 Research. "More sophisticated attacks require the whole conversation to be monitored to sort out what's legitimate or not."
Catherine Pearce and Patrick Thomas, security consultants with mobile and cloud security services provider Neohapsis, highlighted MPTCP's danger during a presentation at the Black Hat USA conference last week. They revealed that network security infrastructure, which often looks for patterns in traffic to identify potential threats, can't recognize MPTCP traffic flows. Security systems simply see MPTCP subflows as regular TCP flows. Firewalls and other perimeter devices don't realize that they need to reassemble the various subflows in order to get the full picture of the application traffic, Thomas said in a recent interview.
"With MultiPath TCP, a perfectly normal client could say, 'I want to open 10 different TCP connections that are all part of one logical TCP connection.' It would simply fragment the traffic across all of those in such a way that there isn't enough information on any of those TCP channels for an intrusion detection system to recognize what the application layer is, or more precisely that it is malicious," he said. "If the intrusion detection is not aware that MPTCP exists and doesn't know how to collect all those TCP streams and reassemble what's going on, then it's blind to the application layer traffic."
Some of the basic assumptions that network security architecture makes about traffic are no longer true with MPTCP traffic. Today, when network security devices classify traffic, they assume that connections are based on IP addresses and ports and that those connections are bi-directional. "MPTCP changes all that," said Ryan Olson, director of Unit 42, the threat intelligence lab at firewall vendor Palo Alto Networks.
MPTCP threat is limited today
Very few systems support MPTCP today, so the potential danger from traffic using the protocol is low. The only known implementation is Apple's Siri application for iOS devices. Until Microsoft Windows or some major Linux distributions, for instance, start supporting it, enterprise networks will host very little MPTCP traffic. Still, network engineers should remain vigilant, because a hacker could easily install MPTCP on a compromised endpoint and exploit the network that hosts that device.
"If I'm doing a penetration test and I penetrate a system on a company's network, I can install MultiPath TCP on the system and talk to another system on the outside," said Neohapsis' Pearce. "I can do that and the system on the outside will probably have unfettered access to the one on the inside, no matter what controls you have in the middle. You can do this with encryption, too. This is another way you can hide traffic."
As MPTCP gets more broadly deployed, the threat could be significant. Network security devices could miss some of the subflows that are critical to understanding the nature of MPTCP traffic. Or they might capture all the subflows but fail to reassemble them, and so never see the full context of the traffic.
"If you transfer an executable over [MPTCP], [a firewall] might see the beginning part of the executable over one link which might look completely benign," Olson said. "Whereas, the other half of the executable will be sent over another link. It might look completely malicious, but it might not appear to be an executable at all."
The first step in MPTCP security: Know it, block it
Pearce and Thomas used Black Hat to expose MPTCP's dangers to get the industry talking about the issue. They think network operators need to find ways to lock the protocol down before it gets broadly implemented. "No one has been talking about [MPTCP] or looking at it, even though it's been developing at an unprecedented rate for a network protocol change," Pearce said.
Prevailing security policies, meanwhile, are also stumped by MPTCP. Because the protocol is backward compatible with TCP, network security devices can see the traffic. They simply don't recognize it as MPTCP traffic, so they can't apply MPTCP-specific policies to it.
"We're currently in the process of identifying MPTCP with our AppID technology, so that when our customers see the traffic in their network, they will be able to classify it and -- if they want to -- block it," Palo Alto's Olson said. "If they block it, applications will by default go back to normal TCP and the traffic will route however it was designed to route without MPTCP in the first place.
"Another option is to use a VPN and force all the traffic through the VPN, which would then allow it to be inspected before it goes out," he said. "But then you lose the benefits of being able to push that traffic through multiple paths."
Even if those tactics close a security hole, they aren't necessarily a long-term solution. Blocking MPTCP traffic or forcing it to run over a VPN undermines the multipath characteristics that make the protocol useful. Ultimately, many end users and enterprises will want to take advantage of MPTCP's benefits.
"It solves some problems and provides some capabilities that are going to be particularly important in the vision that's coming off a very connected, very mobile future," Neohapsis' Thomas said.
The Internet of Things, in particular, will need to take advantage of heterogeneous connectivity, he said. Devices will be speaking over 3G, 4G, Bluetooth, Wi-Fi and any other radio connectivity that emerges. MPTCP is part of an effort to design "a network stack that can take advantage of any type of connectivity available so that you can do seamless roaming across them and not affect the applications. And also the applications built on top of it don't need to have all that much intelligence. They can be dumber and take full advantage of the intelligence that's built into the lower-level TCP," Thomas said.
The ultimate solution to MPTCP security: Assemble subflows and inspect
As for network security vendors, they will clearly need to move beyond blocking the protocol. That means suppliers will need to patch and re-architect their products so that they can properly inspect MPTCP traffic.
"I don't think it requires a completely new class of technology," Palo Alto's Olson said. "This is still network traffic. It's just that the traffic has a new layer on top of it that needs to be correlated for analysis. How that correlation happens will be the trick. I don't think it will be resolved immediately."
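The two monitoring gaps described above, recognizing MPTCP at all (the AppID-style classification) and correlating its subflows into one logical connection, can both be handled by a passive monitor that parses TCP options. The following is an added example, not code from the article or from any vendor named in it: it spots TCP option kind 30 (the MPTCP option, per RFC 6824), records the 64-bit key each MP_CAPABLE sender advertises, derives the 32-bit token (the high 32 bits of SHA-1 over the key) that later MP_JOIN SYNs use to name that connection, and groups the joining subflows under the initial one. The packet helpers, flows and keys are constructed sample data.

```python
import hashlib

MPTCP_OPTION_KIND = 30      # TCP option kind reserved for MPTCP (RFC 6824)
MP_CAPABLE, MP_JOIN = 0, 1  # MPTCP option subtypes carried in the first payload nibble

def parse_tcp_options(raw):
    """Split the raw TCP options field into a list of (kind, payload) pairs."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:            # End-of-options
            break
        if kind == 1:            # NOP padding
            i += 1
            continue
        length = raw[i + 1]
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts

def mptcp_token(key):
    """Token that names an MPTCP endpoint: most significant 32 bits of SHA-1(key)."""
    return hashlib.sha1(key).digest()[:4]

def canonical(flow):
    """Direction-independent id for a TCP 4-tuple (src, sport, dst, dport)."""
    return tuple(sorted([flow[:2], flow[2:]]))

class MptcpCorrelator:
    """Groups MP_JOIN subflows under the MP_CAPABLE connection they belong to."""
    def __init__(self):
        self.token_to_conn = {}  # token -> canonical id of the initial subflow
        self.subflows = {}       # initial subflow -> set of all its subflows

    def observe(self, flow, options):
        """Classify one packet's options; returns a label, or None for plain TCP."""
        conn = canonical(flow)
        for kind, payload in options:
            if kind != MPTCP_OPTION_KIND or len(payload) < 2:
                continue
            subtype = payload[0] >> 4
            if subtype == MP_CAPABLE and len(payload) >= 10:
                # Sender's key is bytes 2..10; the peer will later address this
                # endpoint by its token, so register token -> connection now.
                self.token_to_conn[mptcp_token(payload[2:10])] = conn
                self.subflows.setdefault(conn, {conn})
                return "MP_CAPABLE"
            if subtype == MP_JOIN and len(payload) >= 6:
                parent = self.token_to_conn.get(payload[2:6])  # receiver's token
                if parent is None:
                    return "MP_JOIN:unknown-token"  # join to a handshake we never saw
                self.subflows[parent].add(conn)
                return "MP_JOIN"
        return None

# Constructed packet builders (kind, length, subtype/flags byte, then fields).
def mp_capable_opt(key):
    return bytes([30, 12, 0x00, 0x81]) + key          # subtype 0, flags A|H, sender key

def mp_join_syn_opt(token, addr_id=1):
    return bytes([30, 12, 0x10, addr_id]) + token + b"\x00" * 4  # subtype 1, token, nonce

def demo():
    """Constructed sample: a Wi-Fi subflow opens the connection, a cellular one joins."""
    c = MptcpCorrelator()
    client_key, server_key = bytes.fromhex("0102030405060708"), bytes.fromhex("a1a2a3a4a5a6a7a8")
    wifi = ("192.0.2.10", 40000, "203.0.113.5", 443)
    cell = ("198.51.100.7", 40001, "203.0.113.5", 443)
    c.observe(wifi, parse_tcp_options(mp_capable_opt(client_key)))                  # SYN
    c.observe(wifi[2:] + wifi[:2], parse_tcp_options(mp_capable_opt(server_key)))  # SYN/ACK
    c.observe(cell, parse_tcp_options(mp_join_syn_opt(mptcp_token(server_key))))   # MP_JOIN SYN
    return c
```

A monitor that only sees the cellular path would report a lone "MP_JOIN:unknown-token", which is itself a useful signal that a subflow of some connection is bypassing the inspection point.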
Assuring the security of MPTCP will always be a balancing act, Neohapsis' Pearce said. Network operators that want to realize the protocol's benefits will need to assess how network security vendors lock it down.
"Should we be losing efficiency purely for the sake of paranoia?" she asked. "Maybe in some environments that is a very good idea and the responsible thing to do. I don't know what the solutions are. I don't think anyone does. We just want to start the conversation and get people looking at this."
Finally, network security and monitoring tools will need to capture and aggregate traffic from multiple points in order to secure MPTCP traffic, said 451 Research's Hanselman.
"It's going to take time for various vendors to upgrade their software and deploy that software," he said. "In that window, you are going to have vulnerabilities to whatever the new traffic is. Like IPv6, any time you roll out something new, there is always going to be a way to abuse it."