Title: Internet Security Successes: It
1Internet Security Successes Its Hard, but its
not Impossible
- Bill Cheswick
- Lumeta Corp.
2OrTheres a World of Hurt, but I dont have to
Share Your Pain
3Overview
- Introduction/overview
- Quick case studies of success
- A quick review of what works
- What my dad really needs
- Predications/advice
4Overview
5Good enough security is good enough
- There is no such thing as perfect security
- In security vs. convenience, convenience may
mean not losing a pair of large buildings - Even the policies on the highest security
networks are under review
6In lots of places, the Internet security appears
good enough
- Many business have engineered workable solutions
Fedex, Amazon, on-line banking - Insurance companies are starting to offer hacking
insurance - Still extremely expensive
- (Worried about a hurricane Andrew on the Internet)
7Some successes
- My dads Win XP machine
- My home networks
- SDSC
- Many Lumeta clients
- Intellink
8You can engineer reliable systems out of
unreliable parts
- Early calculator at Bell Labs
- Checked for invalid codes and retried the
computation - Redundancy and layers
- Defense in depth
- Somewhat simple tools are available
9Safe communications on an intranet
- Secure servers
- Secure communications
- Secure clients
10Secure servers
- The pros run the servers
- They can engineer what they want with the tools
they want - They choose the operating systems, network
configurations, etc. - There are many successful examples
- Fedex, Amazon, microsoft.com, whitehouse.gov
- There are many unsuccessful examples
11Secure communications
- We are in much better shape than during the
crypto wars of the mid 90s - In June 2003 NSA announced that AES was good
enough for type 1 encryption - When properly implemented, of course
- IP/sec, SSL, and even SSH protocol 2 seem to be
holding up - (formal methods for analyzing cryptographic
protocols sure would be nice.)
12Clients
- Thin clients (called terminals) are a rarity
- I miss my Hazeltine 1200 (sort of)
- Most clients are Windows boxes
- Way too much functionality
- One care engineer a thin client from Unix and
Linux systems - They are not thin enough jailing browsers
13Applications
- A virus will transport nicely from a secure
client to a secure server over an encrypted link - Applications should be as dumb as possible, but
no dumber - Email should never execute external programs
- Web servers should execute code from trustable
sources - Windows update, virus update
- Applications ought to be sandboxed
14Case Studies
15Case studyMy Dads computer
- Windows XP, plenty of horsepower, two screens
- Applications
- Email (Outlook)
- Bridge a fancy stock market monitoring system
- AIM
- Cable access, dynamic IP address, no NAT, no
firewall, outdated virus software, no spyware
checker
16This computer was a software toxic waste dump
- It was burning a quart of software every 300
miles - The popups seemed darned distracting to me
- But he thought it was fine
- Got his work done
- Didnt want a system administrator to break his
user interface somehow - Well get back to this later
17Case StudyMy home network
- Firewall free since the mid-90s
- Internet skinny-dipping
- Targeted attacks as well as random probes
- Three security levels
- Top security backup and support machines and
clients - Public servers, hardened, with sandboxed server
software - The kids Windows hosts, untrusted
18Case studies corp. networksSome intranet
statistics
19(No Transcript)
20(No Transcript)
21(No Transcript)
22(No Transcript)
23(No Transcript)
24This was Supposed To be a VPN
25(No Transcript)
26(No Transcript)
27Case studySDSC
- Educational and research environment
- Typically notoriously open environments
28SDSC Research institutions can get it right
- 6,000 users, 300 on site
- 5 petabytes of storage, several hundred terabytes
of disks - 10Gb Ethernet, lots of OC-192 connections
29Risk analysis
- Need to protect integrity and confidentiality of
data - Protect resources, including storage, bandwidth,
CPU cycles - Protect reputation for security
- Threats come from external hackers, clueless
users, and careless system administrators
30Approach
- Trusted networks may contain only reference
systems - Only reference systems are trusted
- Data is stored on file servers
- File servers are located on trusted networks
- No plaintext passwords used ssh and Kerberos
employed - Passwords are checked with cracklib before
acceptance - Root password is not given out on reference
systems. Sudo gives specific permissions
31Non-compliant systems
- Are installed in the outback, a dirty untrusted
network - Outback users, and their supervisors, sign
agreement that they are responsible for the hosts - Compromised outback hosts may be seized for
forensic analysis and possible evidence for
criminal cases
32Reference systems
- Available for Linux, Solaris, Irix, MacOS,
several Windows variants - Installed, patched, and local mods installed to
maximize security - Contains software to permit updates from the
central reference site upon reboot - Time-synchronized for proper logging, forensics
- Centralized logging keeps track of things
- Various network wrappers and routing limitations
to limit network access
33Results
- No successful intrusions in four years
34Case studysurmises about Intellink
- Read about this in Banfords book, Body of
Secrets - Uses Internet technology to make numerous highly
classified sources available to authorized
personnel - The following is mostly personal speculation
- It is a terrific thought experiment for an
Internet security person.
35Case studysurmises about Intellink
- Vetted client software
- OS browser underlying libraries and services
link ASN.1, X.509, SSL, etc. - Careful monitoring of the network usage
- Big mallet to dissuade misuse.
- Disconnection, firing, jail time
- Hardware encryption devices to enforce enclave
access
36What works
37What works
- Perimeter defenses work, if you know where your
perimeter is and watch it
38The Pretty Good Wall of China
39What workslayered defenses
40(No Transcript)
41What worksEnclaves
- Security has a lot to do with numbers
- I think 40 computers is about the limit for me
42What worksVirtual machines
- IBMs virus test farm a sea of Linux hosts
running target operating system inside vmware.
Disks reinitialized instantly using logging file
system. - Terminal for secret networks
- Virtual machines for different security levels
43What worksDefault to safety
- Dont expect users to understand and make the
right security moves - Make people work to reduce their security
- screw me command
44What works
- Dont let strangers run programs on your computer
- A stranger is anyone who isnt your system
administrator and the company he trusts - The mouse is used for cut and paste in my mailer.
Period. - Hence, no virus execution is possible
45What works simplicity
- ASCII (or Unicode) mail
- Twenty-year old email
- Telephone SMS version 1.0
46What works
47What my dad(and most of you)really needs
48My Dads computer what the repair geek found
- Everything
- Viruses Ive never heard off
- Constant popups
- Frequent blasts of multiple web pages, all
obscene - Dad why do I care? I am getting my work done
49Dads computer how did he get in this mess?
- He doesnt know what the popup security messages
mean - Email-born viruses
- Unsecured network services
- Executable code in web pages from unworthy sites
50Properties of Windows OK
- No network servers
- SMS access ok for managed hosts
- Nothing emailed must ever get executed
- Html processing ok, but no scripting, etc.
- Nothing from the web ever gets executed except
- ActiveX code from MSFT for updates
- Java and JavaScript truly sandboxed
- AIM, web, email saved files must stay in
non-executable sandbox
51Predictions
52More pain virus detection appears doomed to me
- Ultimately they do try to solve the halting
problem - Virus writers are getting very good
- Virus detectors have to resort to simulation
fingerprints arent good enough - Simulations are taking longer
- Best block is not be there
- Safe fail
53Microsofts Augean Stables
54Microsoft really means it about improving their
security
- Their security commitment appears to be real
- It is a huge job
- Opposing forces are unclear to me
- Its been a long time coming, and frustrating
55Windows XP, this laptop
Proto Local Address Foreign Address
State TCP ches-pcepmap
ches-pc0 LISTENING TCP
ches-pcmicrosoft-ds ches-pc0
LISTENING TCP ches-pc1025
ches-pc0 LISTENING TCP
ches-pc1036 ches-pc0
LISTENING TCP ches-pc3115
ches-pc0 LISTENING TCP
ches-pc3118 ches-pc0
LISTENING TCP ches-pc3470
ches-pc0 LISTENING TCP
ches-pc3477 ches-pc0
LISTENING TCP ches-pc5000
ches-pc0 LISTENING TCP
ches-pc6515 ches-pc0
LISTENING TCP ches-pcnetbios-ssn
ches-pc0 LISTENING TCP
ches-pc3001 ches-pc0
LISTENING TCP ches-pc3002
ches-pc0 LISTENING TCP
ches-pc3003 ches-pc0
LISTENING TCP ches-pc5180
ches-pc0 LISTENING UDP
ches-pcmicrosoft-ds
UDP ches-pcisakmp
UDP ches-pc1027
UDP ches-pc3008
UDP ches-pc3473
UDP ches-pc6514
UDP
ches-pc6515
UDP ches-pcnetbios-ns
UDP ches-pcnetbios-dgm
UDP ches-pc1900
UDP ches-pcntp
UDP ches-pc1900
UDP
ches-pc3471
56Windows 2000
Proto Local Address Foreign Address
State TCP 0.0.0.0135
0.0.0.00 LISTENING TCP
0.0.0.0445 0.0.0.00
LISTENING TCP 0.0.0.01029
0.0.0.00 LISTENING TCP
0.0.0.01036 0.0.0.00
LISTENING TCP 0.0.0.01078
0.0.0.00 LISTENING TCP
0.0.0.01080 0.0.0.00
LISTENING TCP 0.0.0.01086
0.0.0.00 LISTENING TCP
0.0.0.06515 0.0.0.00
LISTENING TCP 127.0.0.1139
0.0.0.00 LISTENING UDP
0.0.0.0445
UDP 0.0.0.01038
UDP 0.0.0.06514
UDP 0.0.0.06515
UDP 127.0.0.11108
UDP
223.223.223.96500
UDP 223.223.223.964500
57Windows ME
Active Connections - Win ME Proto Local
Address Foreign Address State
TCP 127.0.0.11032 0.0.0.00
LISTENING TCP 223.223.223.10139
0.0.0.00 LISTENING UDP
0.0.0.01025
UDP 0.0.0.01026
UDP 0.0.0.031337
UDP 0.0.0.0162
UDP 223.223.223.10137
UDP
223.223.223.10138
58FreeBSD partition, this laptop
Active Internet connections (including
servers) Proto Recv-Q Send-Q Local Address
Foreign Address (state) tcp4 0
0 .22 .
LISTEN tcp6 0 0 .22
. LISTEN
59Microsoft really means it about improving their
security
- They need world-class sandboxes, many more layers
in their security, and much safer defaults - A Microsoft terminal will benefit millions of
users
60Internet Security Successes Its Hard, but its
not Impossible
- Bill Cheswick
- Lumeta Corp.