Pondering and Patrolling Network Perimeters - PowerPoint PPT Presentation
Slides: 101
Provided by: billch
1
Pondering and Patrolling Network Perimeters
  • Bill Cheswick
  • ches_at_lumeta.com
  • http://www.lumeta.com

2
Talk Outline
  • A little personal history concerning perimeter
    defenses
  • Outside mapping the Internet
  • A discussion of perimeter defenses
  • Strong host security
  • Mapping and understanding intranets

3
A short bio regarding Internet perimeters
  • Started at Bell Labs in December 1987
  • Immediately took over postmaster and firewall
    duties
  • Good way to learn the ropes, which was my
    intention

4
Morris worm hit in Nov 1988
  • Heard about it on NPR
  • Had a sinking feeling about it
  • The home-made firewall worked
  • No fingerd
  • No sendmail (we rewrote the mailer)
  • Intranet connection to Bellcore
  • We got lucky
  • Bell Labs had 1330 hosts
  • Corporate HQ didn't know or care

5
Action items
  • Shut down the unprotected connection to Bellcore
  • What we now call a routing leak
  • Redesign the firewall for much more capacity, and
    no sinking feeling
  • (VAX 750, load average of 15)
  • Write a paper on it
  • if you don't write it up, you didn't do the work

6
Old gateway
7
New gateway
8
New gateway (one referee's suggestion)
9
Design of a Secure Internet Gateway, Anaheim
Usenix, Jan 1990
  • My first real academic paper
  • It was pretty good, I think
  • It didn't have much impact, except for two
    pieces
  • Coined the word proxy in its current use (this
    was for a circuit-level gateway; it predated
    SOCKS by three years)
  • Coined the expression "crunchy outside and soft
    chewy center"

10
By 1996, AT&T's intranet
  • Firewall security: high, and sometimes quite a
    pain, which meant
  • Perimeter security: dumb luck
  • Trivestiture didn't change the intranet
    configuration that much

11
Lucent now (1997) (sort of): We'd circled the
wagons around Wyoming
(Diagram: The Internet connected to the Lucent sites
Columbus, Murray Hill, Holmdel and Allentown over
SLIP, PPP, ISDN, X.25, cable, ...; Lucent - 130,000,
266K IP addresses, 3000 nets ann., thousands of
telecommuters, 200 business partners)
12
(No Transcript)
13
Highlands forum, Annapolis, Dec 1996
  • A Rand corp. game to help brief a member of the
    new President's Infrastructure Protection
    Commission
  • Met Esther Dyson and Fred Cohen there
  • Personal assessment by intel profiler
  • Day-after scenario
  • Gosh it would be great to figure out where these
    networks actually go

14
Perimeter Defenses have a long history
15
Lorton Prison
16
(No Transcript)
17
The Pretty Good Wall of China
18
(No Transcript)
19
(No Transcript)
20
Perimeter Defense of the US Capitol Building
21
Flower pots
22
(No Transcript)
23
Security doesn't have to be ugly
24
(No Transcript)
25
(No Transcript)
26
(No Transcript)
27
(No Transcript)
28
Delta barriers
29
Edinburgh Castle
30
Warwick Castle
31
Heidelberg Castle, started in the 1300s
32
(No Transcript)
33
(No Transcript)
34
Parliament entrance
35
Parliament exit
36
Why use a perimeter defense?
  • It is cheaper
  • A man's home is his castle, but most people can't
    afford the moat
  • You can concentrate your equipment and your
    expertise in a few areas
  • It is simpler, and simpler security is usually
    better
  • Easier to understand and audit
  • Easier to spot broken parts

37
What's wrong with perimeter defenses
  • They are useless against insider attacks
  • They provide a false sense of security
  • You still need to toughen up the inside, at least
    some
  • You need to hire enough defenders
  • They don't scale well

38
(No Transcript)
39
(No Transcript)
40
Anything large enough to be called an intranet
is out of control

41
Controlling an intranet is hard, even if you care
a lot about it
  • End-to-end philosophy is not helpful if you are
    the phone company
  • New networks and hosts are easily connected
    without the knowledge and permission of the
    network owner
  • Security scan tools are not helpful if you don't
    know where to point them

42
Project 1: Can we live without an intranet?
  • Strong host security
  • Mid 1990s

43
I can, but maybe you can't
  • Skinny-dipping on the Internet since the mid
    1990s
  • The exposure focuses one clearly on the threats
    and proactive security
  • It's very convenient, for the services I dare to
    use
  • Many important network services are difficult to
    harden

44
What you need to skinny dip
  • Secure client
  • Only enclave computers like my laptop have access
  • Secure communications (crypto)
  • AES is OK for type 1 crypto: NSA
  • Secure server

45
Skinny dipping rules
  • Only minimal services are offered to the general
    public
  • Ssh
  • Web server (jailed Apache)
  • DNS (self chrooted)
  • SMTP (postfix, not sendmail)
  • Children (like employees) and MSFT clients are
    untrustworthy
  • Offer hardened local services at home, like SAMBA
    (chroot), POP3 (chroot)
  • I'd like to offer other services, but they are
    hard to secure

46
Skinny dipping requires strong host security
  • FreeBSD and Linux machines
  • I am told that one can lock down an MSFT host,
    but there are hundreds of steps, and I don't know
    how to do it.
  • This isn't just about operating systems: the
    most popular client applications are, in theory,
    very dangerous and, in practice, very dangerous.
  • Web browsers and mail readers have many dangerous
    features

47
Skinny dipping flaws
  • Less defense in depth
  • No protection from denial-of-service attacks

48
Project 2: The Internet Mapping Project
  • An experiment in exploring network connectivity
  • 1998

49
Methods - network discovery (ND)
  • Obtain master network list
  • network lists from Merit, RIPE, APNIC, etc.
  • BGP data or routing data from customers
  • hand-assembled list of Yugoslavia/Bosnia
  • Run a TTL-type (traceroute) scan towards each
    network
  • Stop on error, completion, no data
  • Keep the natives happy

50
Methods - data collection
  • Single reliable host connected at the company
    perimeter
  • Daily full scan of Lucent
  • Daily partial scan of Internet, monthly full scan
  • One line of text per network scanned
  • Unix tools
  • Use a light touch, so we don't bother Internet
    denizens

51
TTL probes
  • Used by traceroute and other tools
  • Probes toward each target network with increasing
    TTL
  • Probes are ICMP, UDP, TCP to port 80, 25, 139,
    etc.
  • Some people block UDP, others ICMP

52
Intranet implications of Internet mapping
  • High speed technique, able to handle the largest
    networks
  • Light touch: what are you going to do to my
    intranet?
  • Acquire and maintain databases of Internet
    network assignments and usage

53
Advantages
  • We don't need access (i.e. SNMP) to the routers
  • It's very fast
  • Standard Internet tool: it doesn't break things
  • Insignificant load on the routers
  • Not likely to show up on IDS reports
  • We can probe with many packet types

54
Limitations
  • View is from scanning host only
  • Multiple scan sources gives a better view
  • Outgoing paths only
  • Level 3 (IP) only
  • ATM networks appear as a single node
  • Not all routers respond
  • Some are silent
  • Others are shy (RFC 1123 compliant), limited to
    one response per second
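The scanning loop of slides 49, 51 and 54, as an added simulation that is not the Internet Mapping Project's code: one TTL probe per hop, the three stop conditions (completion, error, no data), and the two awkward router types, silent ones and RFC 1123 "shy" ones that answer at most once per second. The paths, addresses, pacing and the single retry after a pause are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Hop:
    addr: str
    silent: bool = False      # never returns ICMP time-exceeded
    shy: bool = False         # RFC 1123 style: at most one reply per second
    last_reply: float = -9.0  # constructed state backing the shy rate limit

def probe(hops, target, ttl, now, unreachable_at=None):
    """Simulate one probe with this TTL; returns (kind, addr) as the scanner sees it."""
    i = ttl - 1
    if i >= len(hops):
        return "done", target                 # probe reached the target network
    h = hops[i]
    if i == unreachable_at:
        return "error", h.addr                # ICMP unreachable sent back by hop i
    if h.silent or (h.shy and now - h.last_reply < 1.0):
        return "timeout", None
    h.last_reply = now
    return "expired", h.addr                  # ICMP time-exceeded from hop i

class Scanner:
    """One probe per TTL; stop on completion, error, or max_silent hops of no data."""
    def __init__(self, pace=0.2, retry_wait=1.0, max_silent=3, max_ttl=30):
        self.now, self.pace, self.retry_wait = 0.0, pace, retry_wait
        self.max_silent, self.max_ttl = max_silent, max_ttl

    def scan(self, hops, target, unreachable_at=None):
        route, silent_run = [], 0
        for ttl in range(1, self.max_ttl + 1):
            kind, addr = probe(hops, target, ttl, self.now, unreachable_at)
            self.now += self.pace
            if kind == "timeout":             # maybe a shy router: pause, retry once
                self.now += self.retry_wait
                kind, addr = probe(hops, target, ttl, self.now, unreachable_at)
                self.now += self.pace
            if kind in ("done", "error"):
                return route + [addr], "completion" if kind == "done" else "error"
            if kind == "timeout":
                route.append("*"); silent_run += 1
                if silent_run >= self.max_silent:
                    return route, "no data"
            else:
                route.append(addr); silent_run = 0
        return route, "ttl exhausted"

def demo():
    """Constructed paths: the scans share a shy second hop, so the second scan
    only sees it thanks to the paused retry."""
    r1, r2 = Hop("10.0.0.1"), Hop("10.0.1.1", shy=True)
    s = Scanner()
    a = s.scan([r1, r2, Hop("192.0.2.1")], "192.0.2.10")
    b = s.scan([r1, r2] + [Hop("0.0.0.0", silent=True)] * 3, "198.51.100.10")
    c = s.scan([r1, Hop("203.0.113.1")], "203.0.113.10", unreachable_at=1)
    return a, b, c
```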

55
Data collection complaints
  • Australian parliament was the first to complain
  • List of whiners (25 nets)
  • On the Internet, these complaints are a thing of
    the past
  • Internet background radiation predominates

56
Visualization goals
  • make a map
  • show interesting features
  • debug our database and collection methods
  • geography doesn't matter
  • use colors to show further meaning

57
(No Transcript)
58
Visualization of the layout algorithm
  • Laying out the Internet graph

59
(No Transcript)
60
(No Transcript)
61
Colored by AS number
62
Map Coloring
  • distance from test host
  • IP address
  • shows communities
  • Geographical (by TLD)
  • ISPs
  • future
  • timing, firewalls, LSRR blocks

63
Colored by IP address!
64
Colored by geography
65
Colored by ISP
66
Colored by distance from scanning host
67
(No Transcript)
68
(No Transcript)
69
Yugoslavia
  • An unclassified peek at a new battlefield
  • 1999

70
(No Transcript)
71
A film by Steve "Hollywood" Branigan...
72
(No Transcript)
73
fin (The End)
74
Intranets: the rest of the Internet
75
(No Transcript)
76
(No Transcript)
77
(No Transcript)
78
This was supposed to be a VPN
79
(No Transcript)
80
(No Transcript)
81
Case studies: corp. networks. Some intranet
statistics
82
Project 3: Detecting perimeter leaks
  • Lumeta's Special Sauce
  • 2000

83
Types of leaks
  • Routing leaks: internal routes are announced
    externally, and the packets are allowed to flow
    betwixt
  • Host leaks: simultaneously connected inside and
    out, probably without firewall functionality;
    not necessarily a dual-homed host
  • Please don't call them leaks: they aren't always
    a Bad Thing

84
Possible host leaks
  • Misconfigured telecommuters connecting remotely
  • VPNs that are broken
  • DMZ hosts with too much access
  • Business partner networks
  • Internet connections by rogue managers
  • Modem links to ISPs

85
Leak Detection Layout
  • Mapping host with address A is connected to the
    intranet
  • Mitt with address D has Internet access
  • Mapping host and mitt are currently the same
    host, with two interfaces
(Diagram: mapping host A on the intranet, mitt D on
the Internet, test host with intranet address B and
possible Internet address C)
86
Leak Detection
  • Test host has known address B on the intranet
  • It was found via census
  • We are testing for unauthorized access to the
    Internet, possibly through a different address, C
(Diagram as in slide 85)
87
Leak Detection
  • A sends packet to B, with spoofed return address
    of D
  • If B can, it will reply to D with a response,
    possibly through a different interface
(Diagram as in slide 85)
88
Leak Detection
  • Packet must be crafted so the response won't be
    permitted through the firewall
  • A variety of packet types and responses are used
  • Either inside or outside address may be
    discovered
  • Packet is labeled so we know where it came from
(Diagram as in slide 85)
89
Inbound Leak Detection
  • This direction is usually more important
  • It all depends on the site policy,
    so many leaks might be just fine.
(Diagram as in slide 85)
90
Inbound Leak Detection
(Diagram as in slide 85)
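The analysis half of the outbound test in slides 85 to 89, as an added example that is not Lumeta's code: probes toward each census address B carry a label, and whatever arrives at the mitt D from the Internet side is matched back against the probe table, so that the reply's source tells us the outside address C and whether it is B itself (consistent with a routing leak) or some other address (consistent with a host leak). The keyed label is this example's own way of rejecting forged labels and Internet background radiation; the addresses, key and capture are constructed, and sending the probes is out of scope.

```python
import hashlib
import hmac
from dataclasses import dataclass

MITT_D = "203.0.113.9"            # constructed: the mitt's Internet address D
SECRET = b"constructed-demo-key"  # constructed: keys the probe labels

@dataclass(frozen=True)
class Probe:
    index: int      # row in the probe table
    target_b: str   # intranet address B found by the census
    proto: str      # ICMP / UDP / TCP: the variety of packet types used

def make_label(index, target_b):
    """Label a probe so its reply can be traced back to B; the keyed tag lets
    replies be told apart from forgeries and Internet background radiation."""
    msg = f"{index}:{target_b}".encode()
    tag = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:8]
    return f"{index}:{tag}"

def build_probe_table(targets):
    """One labeled probe per (B, protocol) pair."""
    return [Probe(i, b, proto) for i, (b, proto) in enumerate(targets)]

def analyse_replies(probes, captured):
    """Correlate packets seen at the mitt with the probe table.
    captured: (src_ip, dst_ip, label) tuples observed on D's Internet side.
    Returns leaks as (B, outside address C, kind, proto) and the noise count."""
    by_index = {p.index: p for p in probes}
    leaks, noise = [], 0
    for src, dst, label in captured:
        idx_s, _, _ = label.partition(":")
        p = by_index.get(int(idx_s)) if idx_s.isdigit() else None
        if dst != MITT_D or p is None or not hmac.compare_digest(
                make_label(p.index, p.target_b), label):
            noise += 1          # unlabeled, forged or unrelated traffic
            continue
        # A reply from B's own intranet address fits a routing leak; a reply
        # from some other address C fits a host leak (slide 83).
        kind = "routing leak" if src == p.target_b else "host leak"
        leaks.append((p.target_b, src, kind, p.proto))
    return leaks, noise

def demo():
    """Constructed census targets and a constructed capture at D; the third
    target never answers on the Internet side, so it does not appear."""
    probes = build_probe_table([("10.1.1.1", "ICMP"), ("10.1.2.2", "UDP"),
                                ("10.1.3.3", "TCP/80")])
    captured = [
        ("10.1.1.1", MITT_D, make_label(0, "10.1.1.1")),      # routing leak
        ("198.51.100.7", MITT_D, make_label(1, "10.1.2.2")),  # host leak via C
        ("192.0.2.44", MITT_D, "0:00000000"),                 # forged label
        ("192.0.2.45", MITT_D, "nolabel"),                    # background scan
    ]
    return analyse_replies(probes, captured)
```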
91
Leak results
  • Found home web businesses
  • At least two clients have tapped leaks
  • One made front page news
  • From the military: "the republic is a little
    safer"

92
We developed a lot of stuff
  • Leak detection (that's the special sauce)
  • Lots of reports: the hardest part is converting
    data to information
  • Route discovery: TTL probes plus SNMP router
    queries
  • Host enumeration and identification: ping and
    xprobe-style host identification
  • Server discovery: SYN probes of popular TCP
    ports
  • Wireless base station discovery: xprobe, SNMP,
    HTTP
  • And more: ask the sales people
  • "The zeroth step in network intelligence"
    (me)

93
What's next?
  • IPv6
  • 2005 ± 3

94
(No Transcript)
95
IPv6 deployment
  • Has been 3 years away since 1993
  • Widely deployed in the Far East, and in the new
    cell phones
  • Europe is getting on board
  • US Government mandate for 2005
  • But what does IPv6 capable really mean?
  • None of the three ISPs I am connected to at home
    and work offer raw IPv6 feeds

96
IPv6 address space
  • /48s seem to be freely available
  • Each US soldier will have one
  • One for each home
  • 80-bit host address is a hell of a large space
  • 2 × Avogadro's Number
  • Easy to hide hosts in that space
  • Hard to administer hosts in that space
  • Some interesting cryptographic and IP hopping
    applications come to mind.

97
What's next? Skinny dipping with Microsoft
operating systems?
  • 2062?

98
XP SP2: Bill gets it
  • "a feature you don't use should not be a security
    problem for you."
  • Security by design
  • Too late for that, it's all retrofitting now
  • Security by default
  • No network services on by default
  • Security control panel
  • Many things missing from it
  • Speaker could not find ActiveX security settings
  • There are a lot of details that remain to be seen.

99
Pondering and Patrolling Network Perimeters
  • Bill Cheswick
  • ches_at_lumeta.com
  • http://www.lumeta.com

100
(No Transcript)