Title: Pondering and Patrolling Network Perimeters
Pondering and Patrolling Network Perimeters
- Bill Cheswick
- ches_at_lumeta.com
- http://www.lumeta.com
Talk Outline
- A little personal history concerning perimeter defenses
- Outside: mapping the Internet
- A discussion of perimeter defenses
- Strong host security
- Mapping and understanding intranets
A short bio regarding Internet perimeters
- Started at Bell Labs in December 1987
- Immediately took over postmaster and firewall duties
- Good way to learn the ropes, which was my intention
Morris worm hit in Nov 1988
- Heard about it on NPR
- Had a sinking feeling about it
- The home-made firewall worked
  - No fingerd
  - No sendmail (we rewrote the mailer)
- Intranet connection to Bellcore
- We got lucky
- Bell Labs had 1330 hosts
- Corporate HQ didn't know or care
Action items
- Shut down the unprotected connection to Bellcore
  - What we now call a routing leak
- Redesign the firewall for much more capacity, and no sinking feeling
  - (VAX 750, load average of 15)
- Write a paper on it
  - If you don't write it up, you didn't do the work
Old gateway
New gateway
New gateway (one referee's suggestion)
Design of a Secure Internet Gateway, Anaheim Usenix, Jan 1990
- My first real academic paper
- It was pretty good, I think
- It didn't have much impact, except for two pieces
  - Coined the word "proxy" in its current use (this was for a circuit-level gateway; predated SOCKS by three years)
  - Coined the expression "crunchy outside and soft chewy center"
By 1996, AT&T's intranet
- Firewall security: high, and sometimes quite a pain, which meant
- Perimeter security: dumb luck
- Trivestiture didn't change the intranet configuration that much
Lucent now (1997) (sort of): we'd circled the wagons around Wyoming
[Diagram: the Internet connected to Lucent sites at Columbus, Murray Hill, Holmdel and Allentown, plus SLIP, PPP, ISDN, X.25, cable and other links. Lucent: 130,000, 266K IP addresses, 3000 nets ann., thousands of telecommuters, 200 business partners]
Highlands Forum, Annapolis, Dec 1996
- A RAND Corp. game to help brief a member of the new President's Infrastructure Protection Commission
- Met Esther Dyson and Fred Cohen there
- Personal assessment by intel profiler
- "Day after" scenario
- Gosh, it would be great to figure out where these networks actually go
Perimeter Defenses have a long history
Lorton Prison
The Pretty Good Wall of China
Perimeter Defense of the US Capitol Building
Flower pots
Security doesn't have to be ugly
Delta barriers
Edinburgh Castle
Warwick Castle
Heidelberg Castle, started in the 1300s
Parliament entrance
Parliament exit
Why use a perimeter defense?
- It is cheaper
  - A man's home is his castle, but most people can't afford the moat
- You can concentrate your equipment and your expertise in a few areas
- It is simpler, and simpler security is usually better
  - Easier to understand and audit
  - Easier to spot broken parts
What's wrong with perimeter defenses
- They are useless against insider attacks
- They provide a false sense of security
- You still need to toughen up the inside, at least some
- You need to hire enough defenders
- They don't scale well
Anything large enough to be called an intranet is out of control
Controlling an intranet is hard, even if you care a lot about it
- End-to-end philosophy is not helpful if you are the phone company
- New networks and hosts are easily connected without the knowledge and permission of the network owner
- Security scan tools are not helpful if you don't know where to point them
Project 1: Can we live without an intranet?
- Strong host security
- Mid 1990s
I can, but maybe you can't
- Skinny-dipping on the Internet since the mid 1990s
- The exposure focuses one clearly on the threats and proactive security
- It's very convenient, for the services I dare to use
- Many important network services are difficult to harden
What you need to skinny dip
- Secure client
  - Only enclave computers like my laptop have access
- Secure communications (crypto)
  - AES is OK for type 1 crypto: NSA
- Secure server
Skinny dipping rules
- Only minimal services are offered to the general public
  - ssh
  - Web server (jailed Apache)
  - DNS (self-chrooted)
  - SMTP (postfix, not sendmail)
- Children (like employees) and MSFT clients are untrustworthy
- Offer hardened local services at home, like SAMBA (chroot), POP3 (chroot)
- I'd like to offer other services, but they are hard to secure
Skinny dipping requires strong host security
- FreeBSD and Linux machines
- I am told that one can lock down an MSFT host, but there are hundreds of steps, and I don't know how to do it.
- This isn't just about operating systems: the most popular client applications are, in theory, very dangerous and, in practice, very dangerous.
  - Web browsers and mail readers have many dangerous features
Skinny dipping flaws
- Less defense in depth
- No protection from denial-of-service attacks
Project 2: The Internet Mapping Project
- An experiment in exploring network connectivity
- 1998
Methods: network discovery (ND)
- Obtain master network list
  - network lists from Merit, RIPE, APNIC, etc.
  - BGP data or routing data from customers
  - hand-assembled list of Yugoslavia/Bosnia
- Run a TTL-type (traceroute) scan towards each network
  - Stop on error, completion, no data
- Keep the natives happy
Methods: data collection
- Single reliable host connected at the company perimeter
- Daily full scan of Lucent
- Daily partial scan of Internet, monthly full scan
- One line of text per network scanned
- Unix tools
- Use a light touch, so we don't bother Internet denizens
TTL probes
- Used by traceroute and other tools
- Probes toward each target network with increasing TTL
- Probes are ICMP, UDP, TCP to port 80, 25, 139, etc.
  - Some people block UDP, others ICMP
Intranet implications of Internet mapping
- High speed technique, able to handle the largest networks
- Light touch: what are you going to do to my intranet?
- Acquire and maintain databases of Internet network assignments and usage
Advantages
- We don't need access (i.e. SNMP) to the routers
- It's very fast
- Standard Internet tool: it doesn't break things
- Insignificant load on the routers
- Not likely to show up on IDS reports
- We can probe with many packet types
Limitations
- View is from scanning host only
  - Multiple scan sources give a better view
- Outgoing paths only
- Level 3 (IP) only
  - ATM networks appear as a single node
- Not all routers respond
  - Some are silent
  - Others are shy (RFC 1123 compliant), limited to one response per second
Data collection complaints
- Australian parliament was the first to complain
- List of whiners (25 nets)
- On the Internet, these complaints are a thing of the past
  - Internet background radiation predominates
Visualization goals
- make a map
- show interesting features
- debug our database and collection methods
- geography doesn't matter
- use colors to show further meaning
Visualization of the layout algorithm
- Laying out the Internet graph
Colored by AS number
Map Coloring
- distance from test host
- IP address
  - shows communities
- Geographical (by TLD)
- ISPs
- future
  - timing, firewalls, LSRR blocks
Colored by IP address!
Colored by geography
Colored by ISP
Colored by distance from scanning host
Yugoslavia
- An unclassified peek at a new battlefield
- 1999
A film by Steve "Hollywood" Branigan...
End
Intranets: the rest of the Internet
This was supposed to be a VPN
Case studies: corp. networks. Some intranet statistics
Project 3: Detecting perimeter leaks
- Lumeta's Special Sauce
- 2000
Types of leaks
- Routing leaks
  - Internal routes are announced externally, and the packets are allowed to flow betwixt
- Host leaks
  - Simultaneously connected inside and out, probably without firewall functionality
  - Not necessarily a dual-homed host
- Please don't call them leaks
  - They aren't always a Bad Thing
Possible host leaks
- Misconfigured telecommuters connecting remotely
- VPNs that are broken
- DMZ hosts with too much access
- Business partner networks
- Internet connections by rogue managers
- Modem links to ISPs
Leak Detection Layout
[Diagram: mapping host (address A) on the intranet; mitt (address D) on the Internet; test host with intranet address B and possible outside address C]
- Mapping host with address A is connected to the intranet
- Mitt with address D has Internet access
- Mapping host and mitt are currently the same host, with two interfaces
Leak Detection
- Test host has known address B on the intranet
  - It was found via census
- We are testing for unauthorized access to the Internet, possibly through a different address, C
Leak Detection
- A sends packet to B, with spoofed return address of D
- If B can, it will reply to D with a response, possibly through a different interface
Leak Detection
- Packet must be crafted so the response won't be permitted through the firewall
- A variety of packet types and responses are used
- Either inside or outside address may be discovered
- Packet is labeled so we know where it came from
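As an added illustration of the labelling step (example code written for this page, not Lumeta's own): an ICMP echo probe that carries the test host's inside address B in its identifier and sequence fields, and the decoder the mitt at D would run on whatever comes back, so the reply identifies B even when it arrives from a different address C. The spoofed IP source D and the other packet types mentioned on the slide sit outside the ICMP layer shown here; the mapping of "same address" to routing leak and "different address" to host leak is my reading of the earlier slide on leak types, not something the deck states.

```python
import struct
from ipaddress import IPv4Address

MAGIC = b"leakprobe"  # constructed payload marker so the mitt ignores unrelated echo replies

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; over a whole valid message it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_probe(inside_addr: str) -> bytes:
    """ICMP echo request from A to B. The 32-bit inside address B is split
    across the identifier and sequence fields, which any echo reply echoes
    back unchanged. (The spoofed IP source D lives in the IP header, not here.)"""
    b = int(IPv4Address(inside_addr))
    msg = struct.pack("!BBHHH", 8, 0, 0, b >> 16, b & 0xFFFF) + MAGIC
    return msg[:2] + struct.pack("!H", icmp_checksum(msg)) + msg[4:]

def simulate_echo_reply(probe: bytes) -> bytes:
    """What a reachable test host's stack does: type 0, same id/seq/payload."""
    msg = b"\x00" + probe[1:2] + b"\x00\x00" + probe[4:]
    return msg[:2] + struct.pack("!H", icmp_checksum(msg)) + msg[4:]

def decode_reply(reply: bytes, reply_src: str):
    """Run at the mitt (D): recover B from the label; the IP source the reply
    arrived from is the outside address C. Returns (B, C) or None."""
    if len(reply) < 8 or icmp_checksum(reply) != 0:
        return None  # damaged, or not an ICMP message we can trust
    typ, _code, _csum, ident, seq = struct.unpack("!BBHHH", reply[:8])
    if typ != 0 or reply[8:] != MAGIC:
        return None  # not an echo reply, or not one of our probes
    return str(IPv4Address((ident << 16) | seq)), reply_src

def classify(inside: str, outside: str) -> str:
    """Assumed mapping onto the slide's leak types: the inside address being
    reachable from the Internet looks like a routing leak; a reply from a
    different address means the host has its own way out (host leak)."""
    return "routing leak" if inside == outside else "host leak"

if __name__ == "__main__":
    reply = simulate_echo_reply(build_probe("10.1.2.3"))  # constructed sample
    found = decode_reply(reply, "203.0.113.7")
    print(found, classify(*found))  # ('10.1.2.3', '203.0.113.7') host leak
```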
Inbound Leak Detection
- This direction is usually more important
- It all depends on the site policy
  - so many leaks might be just fine.
Leak results
- Found home web businesses
- At least two clients have tapped leaks
  - One made front page news
- From the military: "the republic is a little safer"
We developed a lot of stuff
- Leak detection (that's the special sauce)
- Lots of reports: the hardest part is converting data to information
- Route discovery: TTL probes plus SNMP router queries
- Host enumeration and identification: ping and xprobe-style host identification
- Server discovery: SYN probes of popular TCP ports
- Wireless base station discovery: xprobe, SNMP, HTTP
- And more: ask the sales people
- "The zeroth step in network intelligence"
  - me
What's next?
IPv6 deployment
- Has been 3 years away since 1993
- Widely deployed in the Far East, and in the new cell phones
- Europe is getting on board
- US Government mandate for 2005
- But what does "IPv6 capable" really mean?
  - None of the three ISPs I am connected to at home and work offer raw IPv6 feeds
IPv6 address space
- /48s seem to be freely available
  - Each US soldier will have one
  - One for each home
- 80-bit host address is a hell of a large space
  - 2 × Avogadro's number
- Easy to hide hosts in that space
- Hard to administer hosts in that space
- Some interesting cryptographic and IP hopping applications come to mind.
What's next? Skinny dipping with Microsoft operating systems?
XP SP2: Bill gets it
- "A feature you don't use should not be a security problem for you."
- Security by design
  - Too late for that, it's all retrofitting now
- Security by default
  - No network services on by default
- Security control panel
  - Many things missing from it
  - Speaker could not find ActiveX security settings
- There are a lot of details that remain to be seen.