Network Insecurity: challenging conventional wisdom

1
Network Insecuritychallenging conventional
wisdom

• Terry GrayDirector, Networks Distributed
  Computing
• aka Chief Networking Pinhead
• 7 March 2002

2
UW Environment

• 1.5 B/yr enterpise (75 research/clinical)
• 55,000 machines
• Infinite variety and vintage of computers
• Incredibly complex/diverse org structure
• Relatively little centralized desktop mgt
• Every depts middle name is Autonomous
• CC provides core I.T. infrastructure
• Depts responsible for end-system support

3
Conventional Security Wisdom

• Popular Myth Good network security depends
  on...
• border firewalls
• border VPNs
• Unpopular Reality In a large, diverse
  organization such as UW, security is not achieved
  by either one.

4
Unconventional Security Wisdom

• If you think technology can solve your security
  problems, then you don't understand the problems
  and you don't understand the technology. Bruce
  Schneier
• Secrets and Lies

5
Grays Network Security Axioms

• Network security is maximizedwhen we assume
  there is no such thing.
• Firewalls are such a good ideaevery host should
  have one. Seriously.
• Remote access is fraught with periljust like
  local access.

6
Perimeter Protection Paradox

• Firewall perceived value is proportional to
  number of systems protected.
• Firewall effectiveness is inversely proportional
  to number of systems protected.
• Probability of compromised systems existing
• Lowest-common-denominator blocking policy

7
Security Elements

• Architectural
• Authentication Authorization
• Encryption
• Packet filtering
• Operational
• Prevention
• Detection
• Recovery
• Policy
• Risk Management
• Liability Management

8
Start with a Security PolicyNow theres an
idea...

• Define who can/cannot do what to whom...
• Identify and prioritize threats
• Identify assumptions, e.g.
• Security perimeters
• Trusted systems and infrastructure
• Hardware/software constraints
• Block threats or permit good apps?
• Minimize organizational distance between policy
  definition, configuration, and enforcement points

9
Network Risk Profile(notwithstanding recent SNMP
exploits)
10
Heroic (but futile) Endeavors

• Getting anyone to focus on policies first
• Getting any consensus on border blocking
• Patching old end-systems
• Pretending that clients are only clients
• Securing access to older network gear

11
Bad Ideas

• Departmental firewalls within the core.
• VPNs only between institution borders.
• Over-reliance on large-perimeter defenses...e.g.
  believing firewalls can substitute for good
  host/application administration...

12
Good Ideas

• Two-factor authentication
• End-to-End encryption IPSEC
• End-to-End encryption SSH/SSL/K5
• Proactive vulnerability probing
• Centralized desktop management service
• Latest OS versions (w/integral firewalls)
• Bulk email virus scanning
• Server sanctuaries
• Logical firewalls

13
Jury Still Out

• Intrusion Detection Systems
• DDoS trackers
• Thin Clients

14
When do VPNs make sense?

• E2E
• Whenever config cost is acceptably small
• Non-E2E
• When legacy apps cannot be accessed via secure
  protocols, e.g. SSH, SSL, K5.and
• When the tunnel end-points are very near the
  end-systems.

15
Where do firewalls make sense?

• Pervasively (But of course we have a firewall)
• For blocking spoofed source addresses
• Small perimeter/edge
• Cluster firewalls, e.g. server sanctuaries, labs
• OS-based and Personal firewalls
• Large perimeter/border
• Maybe to block an immediate attack?
• Maybe if there is widespread consensus to block
  certain ports? (Aye, and theres the rub)
• And then again, maybe not...

16
Fundamental Firewall Truths...

• Bad guys arent always "outside" the moat
• One persons security perimeter is anothers
  broken network
• Organization boundaries and filtering
  requirements constantly change
• Perimeter defenses always have holes

17
The Dark Side of Border Firewalls Its not just
that they dont solve the problem very well
large-perimeter firewalls have serious
unintended consequences

• Operational consequences
• Force artificial mapping between biz and net
  perimeters
• Catch 22 more port blocking -gt more port 80
  tunneling
• Cost more than you think to manage
• May inhibit legitimate activities
• Are a performance bottleneck
• Organizational consequences
• Give a false sense of security
• Encourage backdoors
• Separate policy configuration from best policy
  makers
• Increase tensions between security, network, and
  sys admins

18
Mitnicks Perspective

• "It's naive to assume that just installing a
  firewall is going to protect you from all
  potential security threats. That assumption
  creates a false sense of security, and having a
  false sense of security is worse than having no
  security at all."Kevin Mitnick
• eWeek 28 Sep 00

19
UWs Logical Firewall

• If edge and/or E2E protection isnt possible, and
  the pinheads running the net wont help
• Plugs into any network port
• Departmentally managed
• Opt-in deployment
• Doesnt interfere with network management
• Uses Network Address Translation (NAT)
• Intended for servers can be used for clients
• Web-based rules generator
• Gibraltar Linux foundation

20
Server Sanctuaries

• Cluster sensitive/critical servers together
• But dont forget geographic-diversity needs
• Then provide additional logical and physical
  security

21
Technical Priorities

• Application security (e.g. SSH, SSL, K5)
• Host security (patches, minimum svcs)
• Strong authentication (e.g. SecureID)
• Net security (VPNs, firewalling)

22
Policy Procedure

• Policy definition enforcement structure
• Education/awareness its everyones job
• Standards and documentation
• Adequate resources for system administration
• High-level support for policies
• Pro-active probing
• Security consulting services
• IDS and forensic services
• Virus scanning measures
• Acquiring/distributing tools, e.g.SSH

23
Worrisome Trends

• Increasing sophistication of attacks
• Increasing number of attacks
• Tunneling everything thru port 80
• Partially connected Internets
• Increasing complexity anddiagnostic difficulty

24
Conclusions

• Central network services think of as an ISP
• Conventional wisdom wont work in our world
• Border firewalls can actually be harmful
• We cant afford to settle for fake security
• There are no silver bullets
• System software is slowly getting better
• The hardest problems are non-technical
• Its still going to be a long, up-hill battle
• Dont forget disaster preparedness and recovery
  (e.g. High-Availability system design)

25
Resources

• http//staff.washington.edu/gray/papers/credo.html
  
• http//staff.washington.edu/corey/fw/
• http//staff.washington.edu/dittrich
• http//www.sans.org/