Network Endpoint Assessment IAB Tech Chat - PowerPoint PPT Presentation

1 / 36

About This Presentation

Title:

Network Endpoint Assessment IAB Tech Chat

Description:

Negative impact on voice/video applications. Typical Performance ... while limiting unnecessary restriction on the free movement of travellers. ... – PowerPoint PPT presentation

Number of Views:70

Avg rating:3.0/5.0

Slides: 37

Provided by: Bernar138

Category:

more less

Transcript and Presenter's Notes

Title: Network Endpoint Assessment IAB Tech Chat

1
Network Endpoint AssessmentIAB Tech Chat

July 26, 2006
Bernard Aboba

2
Outline

The Problem
Architectural Issues
Where do we go from here?

3
The Problem(From Insecurities at the Edge,
IETF 58)

The end isnt necessarily trustable
Authentication helpful but not sufficient
What you know/What you have -gt What you are
Composition of mechanisms valuable
(authentication whitelisting)
Weaker (but more efficient) authentication may be
more useful than strong (but expensive)
Sometimes the middle may have to take action to
protect the ends middle
Interactions with legal economic forces need to
be considered

4
From the NEA Charter

Assertion
An endpoint that is not compliant with
organizational security policy may be vulnerable
to known threats.
Goals
To address known vulnerabilities before a host is
exposed to attack.
To monitor compliance to an organizations
security policy.
(Optionally) to restrict access until an endpoint
has been updated to satisfy the security policy.

5
A Day in the Life of a Host
Work
Home
VPN
Host
Internet
Security Policy Server
Hotel
Customer Site
6
Some Observations

Internet hosts are increasingly mobile.
Hosts connect to many kinds of networks.
Examples home networks, hotel networks,
hotspots, corporate networks, customer networks,
etc.
Outside the workplace, access to network
connectivity is typically straightforward
(otherwise no one could figure it out).
You can get on the home network if you can get
close to the house (most home networks use little
more than WEP).
You can get on a hotspot or hotel network if you
pay a fee (or buy some coffee).
In these cases the operators typically dont
check if youre infected or insecure.
Corporate networks cater to an increasingly
diverse clientele.
Employees, contractors, partners, visitors, etc.
Hosts accessing the corporate network may not be
owned by the corporation (your home computer, a
partner or contractor computer)
Corporation may not have the right to demand that
the host comply with the corporate security
policy.

7
Some Questions

Is the problem only vulnerability to known
threats?
Host can be configured in an insecure fashion
Could be running version of software with
security holes
Can be running malicious software
Only a fraction of all malware is detectable by
commercial packages.
What organization sets the security policy?
The organization that owns the host?
The organization that the host is visiting?
Who monitors compliance to the policy?
Who is being protected from who?
Host protecting itself?
Home network protecting itself from the host?
Visited network protecting itself from the host?

8
Architectural Issues

"Zero Day" vs. "Known Threat" Approaches
Market failure and Internet Health
Transparency
Complexity
Efficiency
Lying client problem
Interface with external validators (IDS)
Dependence on (undocumented) EAP methods
Schema development
Modifications to existing security protocols

9
Zero Day vs. Known Threat Approaches

Malware capabilities are outstripping detection
technology.
Signatures only detect 25 of known malware
Increases to 50 after a 30 day lag
Increasingly sophisticated rootkits
Behavioral approaches offer some promise, but
they also restrict usage of new applications
(more on this later)
Reliable distribution of patches is a solvable
problem.
History of mass vaccination suggests that success
against known pathogens is likely in the
developed world.
The developing countries are another story.
Patching systems are becoming increasingly
reliable.
Automatic patching increasingly common.
Local caching provide access to patches in times
of connectivity disruption.
The real issue is the stability of the patches,
not distribution.
To first order, the major problem is zero day
vulnerabilities.
NEA most likely to be deployed in locations where
patch distribution is effective and security
software is widely distributed.
To some extent, interest in NEA has subsided as
automatic update has become the norm and patch
distribution software has improved.

10
Why Immunize?

Vaccines can protect against serious diseases.
Vaccine-preventable diseases are typically
contagious and can result in long term health
effects.
Benefits of vaccination outweigh the risks (and
costs).
Immunization protects others who cant get
vaccines. For these people the immunity of
others is their only protection.
Assumes that a large proportion of the population
can be vaccinated.
Immunization can rid the world of diseases (such
as smallpox).
Assumes that miscreants wont re-introduce the
disease.
BA If you dont vaccinate your child, we wont
let her attend school or we may fine you.
The problem with Internet hosts is that they
dont stay vaccinated.

Source Center for Disease Control, Parents
Guide to Childhood Immunizations, 2005
11
US Track Record of Vaccines

Diptheria once killed 10,000 people a year in the
US. Today it is virtually unheard of.
In 1962, 500,000 US cases of measles were
reported. In 1972 there were 32,000 cases and in
1982, 2000 cases. 2002 and 2003 combined saw
only 100 cases.
In the 1950s polio paralyzed thousands of
children. There has not been a case of wild virus
polio in the US since 1979.

Source Center for Disease Control, Parents
Guide to Childhood Immunizations, 2005
12
Vaccine-Preventable Diseases, US
Source CDC. Impact of vaccines universally
recommended for children US, 1900-1998. CDC.
Notice to Readers. Final 2003 Reports of
Notifiable Diseases. MMWR 2004 53(30)687
13
Track Record Outside of US

Measles still infects 23 million people per year
worldwide and kills 480,000.
Polio still common in some parts of the world.
Smallpox once killed millions of people per year.
In 1967, the World Health Organization (WHO)
undertook an intensive worldwide vaccination
campaign. By 1979, the disease had ceased to
exist.
Financial incentives may not exist for production
and distribution of vaccines in the developing
world.

14
0wnage Statistics(from Rob Thomas)
CURRENT WEEK'S DATA PREVIOUS
WEEK report UniqueIPs Change ASNs bogon
no-routes UniqueIPs ASNs --------
--------------------------------------------
----------------- Beagle 625768 - 5.8
6649 0 53 664479 6815 Blaster
39675 275.4 1695 36 42
10568 1024 Bots 625040 - 0.3 4138
0 86 626732 4190 Bruteforce
90 - 17.4 69 0 0
109 82 Dameware 874 27.4 195
0 0 686 190 Ddosreport
756 14.4 327 0 0 661
308 Defacement 3695 7.0 933 1
1 3453 930 Dipnet 165
0.6 112 0 2 164
112 Mailvir 29605 - 3.5 1851 0
5 30683 1913 Malwareurl 523
59.9 247 0 0 327
172 Mydoom 184 2.2 81 0
0 180 75 Nachi 17549 -
0.7 917 82 89 17673
911 Phatbot 27752 - 1.1 1537 0
0 28059 1555 Phishing 254
3.3 184 0 0 246
185 Proxy 30065 4.4 811 0
0 28807 760 Scanners 146882
209.2 2409 57 87 47498
1853 Sinit 143 - 16.4 86 0
0 171 92 Slammer 27447
19.4 1188 21 18 22978
1141 Spam 2900987 - 2.1 7307 0
400 2963194 7356 Spybot 138598
- 5.9 1556 0 6 147261
1547 Toxbot 1170555 5.8 2678 0
10 1106551 2697 TOTALS 5398676
1.7 9723 195 792 5309346 9739
Most of these infected hosts are probably
unmanaged.
15
Market Failure Internet Health

NEA architecture oriented toward developed
nations.
Assumes client software installation.
Depends on security vendors providing posture
collectors and posture validators
Assumes connectivity to remediation servers
(which may not be easily accessible)
Problem Market failures affecting world health
also apply to cyberhealth.
Little financial incentive for private sector to
protect (pirated) software in developing
countries
ISPs in developing countries less likely to
implement security measures (e.g. ingress
filtering)

16
One Internet

Cyberhealth is an Internet-wide problem
Hosts in developed nations cannot be safe as long
as high levels of infection persist in the
developing world.
Compromised hosts not only raise the level of
background radiation, they also serve as a
platform for other attacks.
ISPs that do not implement ingress filtering
enable DDOS attacks
Approaches to Internet health that leave
developing nations underserved cannot succeed in
the long term.
Ensuring cyberhealth in the developing world may
require a fundamentally different approach
Patch delivery system may need to optimize
bandwidth (e.g. out-of-band delivery)
Infections may propagate via out-of-band
mechanisms
Need for education as well as software delivery
Focus on patching of pirated as well as genuine
software

17
Transparency

NEA is a new breed of firewall technology with
implications for transparency.
Many of todays vulnerabilities are in
applications, not the operating system.
Not possible for the network to evaluate the
posture of unknown applications.
Behavioral software may need to be trained before
it can distinguish normal from abnormal
application behavior.
Who gets to decide what applications can be run?
The user?
The owner of the host?
The network to which the host connects?

18
Customs Form
19
Customs Declarations

Threat level implied by inventory
Generally about possession, not intent.
I dont care what you intend to do with that
Egyptian antiquity, hand it over!
No effort to determine personal health or
desirability
Thats handled by immigration
Policies are applied at a rough level
No fruit, no animals.
Examination adds latency.
10 minutes 10 hours, depending on thoroughness.

20
Complexity

NEA involves many moving parts.
Client server software.
Upgrades to edge and distribution layer devices.
Integration with third party products
(anti-virus, anti-spyware, patching systems,
etc.)
NEA builds on technologies that have not yet been
widely deployed.
IEEE 802.11i/WPA2 widely supported, but not yet
widely deployed in enterprise or carriers.
IEEE 802.1X wired is rarely deployed needs to
be revised.
Interoperability testing still in its infancy.
WFA certifications dont test conformance, let
alone interoperability.
802.1X/EAP/EAP method testing still in its
infancy.
Little discussion of management and operations
issues.
IEEE 802.1X MIB rarely implemented.
No EAP MIB.
Reality check
No approach this complex has ever been deployed.
NEA was born before automatic upgrade became the
default on most operating systems (Windows,
RedHat, SuSE, etc.).
Majority of current sales involve turnkey
appliances built on open source platforms, with
no dependence on client software, operating
system or network infrastructure.
The Internet Only Just Works (Mark Handley)
simple solutions that just barely solve critical
problems usually win
http//www.cs.ucl.ac.uk/staff/M.Handley/papers/onl
y-just-works.pdf

21
NEA Architecture
22
NEA over EAP
Posture Layer
EAP TLV (33)
EAP TNC (38)
EAP FAST
EAP TTLSv0
PEAPv0
Method Layer
EAP APIs
EAP
EAP Layer
Transport APIs
Media Layer
PPP
802.3
802.5
802.11
23
Why Not Roll Your Own?

In 2004, IEEE 802 deployed an anti-malware
solution on the conference network in Vancouver.
The solution, developed by a contractor was
implemented in only a few weeks.
Elements
Open Access 802.11 network (no WPA/WPA2)
Transparent bridge with IDS, looking for
Many simultaneous TCP connections (gt30) opened
from one host
Large number of uncompleted TCP connections (e.g.
scanning)
High bandwidth usage
Violator traffic funneled to a Web proxy
displaying a warning message
No effort to remediate quarantined hosts.
Results
Little or no impact on non-infected hosts.
Attendee exodus to a nearby software store for
anti-Virus software.
Dramatic reduction in unwanted traffic during the
conference.

24
Efficiency

NEA raises efficiency concerns.
Involves repeated "posture exchange"
conversations before and after connection to the
network.
Posture information may be verbose.
Conversations may occur at multiple layers.
Repeated conversations are redundant and
unnecessary.
Kerberos enables ticket reuse without contacting
the KDC on each auth.
EAP is a very inefficient transport mechanism.
ACK/NAK protocol.
Minimum MTU of 1020 octets.
Potentially long RTT (500ms for transport
through multiple proxies)
RFC 3748 Use of EAP for other purposes, such
as bulk data transport, is NOT RECOMMENDED.
No discussion of performance requirements.
Negative impact on voice/video applications.

25
Typical Performance

Tunneled authentication with 30KB server
certificate chain 20 roundtrips.
Fast resume 2.5 roundtrips
Additional round-trips for 4KB posture exchange
3
Trans-oceanic RTT (2 hops via RADIUS proxy) 300
ms
Latency
Initial posture exchange (23 300 ms) 6.9
seconds
Posture exchange w/fast resume (5.5 300 ms)
1.65 seconds
Target VOIP handoff latency 50 ms

26
Lying Client Problem

Question
Why should we trust the clients assessment of
its own posture?
Answer
With a TPM, you can assume we have trusted
boot.
Question
What if we securely loaded a vulnerable version
of the OS?
Answer
Assume that the OS less likely to be compromised
(hypervisor, signed binaries, user mode drivers,
etc.)
Question
OK. But what about applications?
Answer
Only approved binaries will be allowed to run.
Question
Approved by who?

27
Vaccination Requirements(from http//www.who.int/
ith/countries/listg/en/index.html)

GABONYellow fever A yellow fever vaccination
certificate is required from all travellers over
1 year of age. Malaria Malaria
riskpredominantly due to P. falciparumexists
throughout the year in the whole country.
Resistance to chloroquine and sulfadoxinepyrimeth
amine reported.

Note The purpose of a vaccination certificate is
to protect the visitor from diseases endemic to
the visited country, not to protect the visited
country from diseases imported by the visitor.
A single vaccination certificate can satisfy
multiple countries.
28
Interface with External Validators

Realities
We cant trust the client.
We dont only care whether a host is conforming
to security policy, we also care about whether it
is running malware.
Security policy protects the host against the
network.
External validators may protect the network from
the host.
As malware grows more sophisticated, detecting it
is becoming more difficult.
In the early phases of an epidemic its useful to
keep abreast of the spread of a disease, even if
the nature of it is not well understood.
It may be easier to detect infection than to
identify the cause.
Understanding the scope of the problem may assist
in formulating an effective response.
It may be possible to reduce zero day damages
by quarantine of infected hosts.
Internet epidemics spread so quickly that
reduction may be modest at best.

29
International Health Regulation 2005(World
Health Organization)

The IHR(2005) aim at preventing the international
spread of diseases while limiting unnecessary
restriction on the free movement of travellers.
During public health emergencies of international
concern or in connection with specific public
health risks, measures affecting travel may be
recommended to avoid the international spread of
disease.
A number of specific provisions deal with health
information, basic examinations and vaccination
documentation, which may be required of a
traveller by States.
At the same time, States are required to treat
travellers with respect for their dignity, human
rights and fundamental freedoms and are assigned
a duty of care in the treatment of personal data
under the IHR(2005).

30
Quarantine
31
The Meaning of Quarantine

The term quarantine can mean many things
Isolation of people known to be ill.
Isolation of people potentially exposed to
disease.
Isolation of people who have not been vaccinated.
In NEA Quarantine may be applied to hosts that
do not match the visited network security policy.
Guests whose software cannot be modified.
Hosts who are not up to date and need to
remediate themselves.
Quarantined hosts are isolated from the network
(but perhaps not from each other) via VLAN or
filter policies.
This is analogous to herding unvaccinated
children into the school yard.
This is not the same as keeping sick children at
home isolated from each other.
Herding unvaccinated children together could
spark an epidemic, instead of preventing one.
May not have enough VLANs to isolate each host
Filters can more easily isolate hosts from each
other
For quarantine to be effective, it is necessary
to determine health, not just posture.

32
Dependence on Undocumented EAP Methods

Several NEA systems utilize tunneled EAP methods
EAP-FAST, PEAPv0, EAP-TTLSv0.
None of these methods has been published as an
RFC.
The quality of draft documentation may be less
than satisfactory.
This can lead to incomplete understanding/incomple
te assumptions
The EAP TNC specification states that it can be
run within PEAPv0 not true (only a single
authentication method is supported).
Problem can be fixed by encouraging publication
of independent submissions.

33
Schema Development

During the BOF, there was consensus that vendors
will need to document their schemas in order to
obtain an IANA allocation.
How will the IETF support ongoing NEA schema
development?
Will vendors actually document their schemas or
will they just self allocate IANA code points?
How will we review the vendor schemas?
Who will document the review guidelines?
Who will complete the reviews?
Some recent experiences
MIB Doctors Guidelines for Authors and
Reviewers of MIB Documents (RFC 4181)
EAP WG list and RFC 3748 review process (4
documents approved for publication in 5 years)
AAA Doctors RADEXT WG Design Guidelines work
item (18 months behind schedule)