Penetration Testing
mailing list archives
Re: RVP (RezendeVous Protocol)
From: belka () att net
Date: Thu, 12 Jul 2001 03:32:47 +0000
I have reviewed Tibco and rendezvous. I call it
the "poor man's CORBA." The RVP protocol is UDP and
broadcasts throughout your network. The RV listeners
read all the UDP traffic looking for datagrams that
pertain to them.
My experience with TIBCO running on a switched network
was that it wasn't very reliable. It does work well on
an unswitched network.
Here is the rub, however. Unswitched, the network is
easy to sniff. If you capture the UDP packets, do some
analysis, and -- voila -- start injecting your own
spoofed packets, the RV listeners will respond.
In the case of the network I was working on, that
included requests for account information, to which the
RV listeners responded. The same for order taking,
credit cards, etc.
This can be mitigated greatly by implementing very
specific ACLs on the routers to route the datagrams to
specific servers on specific segments. This is labor
and maintenance intensive.
The Tibco product is very sound and works very well
under most conditions. It is, imho, vulnerable to
attack. I would be careful using it with sensitive
information due to the connectionless protocol. It is
very well suited for broadcasting information and data,
as long as you wouldn't shy from broadcasting the same
information over your local AM station. If that isn't
acceptable, perhaps a different product with different
operating methodology would be better.
Now, all that said, the experience I just stated is nine
months old (1 Internet year). Things change. Mileage
may vary. However, when I first looked into Tibco, the
shop using it wasn't even blocking it at the WAN router
and was blasting datagrams to the Internet in search of
a sympathetic RV listener. So, I may be a bit skewed in
my opinion. I liked Rendezvous and the technology --
just not for credit card transactions.
Belka Xakepob
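The router ACL approach Belka describes, as an added Python sketch (not from the post, and not TIBCO's own code): a permit/deny check that only lets RV datagrams travel from a named client segment to its specific server and drops anything leaving or entering the internal network, which is the "blasting datagrams to the Internet" case above. The port number, addresses and flow records are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed policy (assumption, not from the post): RV datagrams may only
# travel from these client segments to these specific RV servers. RV_PORT is
# a placeholder standing in for the site's RV service port.
RV_PORT = 7500
RV_ACL = [
    # (client segment, permitted RV server on that path)
    (ip_network("10.1.0.0/24"), ip_address("10.1.0.10")),
    (ip_network("10.2.0.0/24"), ip_address("10.2.0.20")),
]
INTERNAL = ip_network("10.0.0.0/8")


def rv_verdict(src, dst, dport):
    """Return ('permit', reason) or ('deny', reason) for one UDP datagram
    as seen by a router at a segment boundary."""
    src, dst = ip_address(src), ip_address(dst)
    if dport != RV_PORT:
        return ("permit", "not RV traffic")
    if dst not in INTERNAL:
        return ("deny", "RV datagram leaving the internal network")
    if src not in INTERNAL:
        return ("deny", "RV datagram from outside the internal network")
    for segment, server in RV_ACL:
        if src in segment and dst == server:
            return ("permit", f"{segment} -> {server}")
    return ("deny", "no ACL entry for this source/destination pair")


def audit(records):
    """Apply the verdict to (src, dst, dport) records; return the denied ones
    with the reason, the way an ACL log line would read."""
    denied = []
    for rec in records:
        verdict, reason = rv_verdict(*rec)
        if verdict == "deny":
            denied.append((rec, reason))
    return denied


SAMPLE_FLOWS = [  # constructed (src, dst, dport) records
    ("10.1.0.55", "10.1.0.10", 7500),     # client to its own RV server: permit
    ("10.1.0.55", "10.2.0.20", 7500),     # another segment's server: deny
    ("10.1.0.55", "203.0.113.9", 7500),   # RV datagram bound for the Internet: deny
    ("198.51.100.7", "10.1.0.10", 7500),  # external source: deny
    ("10.1.0.55", "10.1.0.10", 53),       # non-RV traffic: permit
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(flow, reason)
```

Datagrams on a single unswitched segment never cross the router, so this check does nothing against sniffing or injection within that segment; it only limits where RV traffic can go.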
Hi all,
Has anyone in this list reviewed the Rendezvous protocol and the security
considerations relating to this protocol? I am on an assignment to review
security implemented in a middleware product (TIBCO), which is using this
protocol to communicate between various systems. I have been able to gather
some information from: http://www.psl.cs.columbia.edu/papers/rvp-dd.html ,
which does not appear to be fully current. I couldn't find any RFC on this.
I would appreciate any help in this regard.
Thanks and Regards.
Brahma
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/