Pondering and Patrolling Network Perimeters - PowerPoint PPT Presentation

Slides: 106
Provided by: billch

Transcript and Presenter's Notes


1
Pondering and Patrolling Network Perimeters
  • Bill Cheswick
  • ches_at_lumeta.com
  • http://www.lumeta.com

2
Perimeter Defenses have a long history
3
(No Transcript)
4
(No Transcript)
5
Lorton Prison
6
(No Transcript)
7
Perimeter Defense of the US Capitol Building
8
Flower pots
9
(No Transcript)
10
Security doesn't have to be ugly
11
(No Transcript)
12
(No Transcript)
13
(No Transcript)
14
(No Transcript)
15
Delta barriers
16
Why use a perimeter defense?
  • It is cheaper
  • A man's home is his castle, but most people can't
    afford the moat
  • You can concentrate your equipment and your
    expertise in a few areas
  • It is simpler, and simpler security is usually
    better
  • Easier to understand and audit
  • Easier to spot broken parts

17
What's wrong with perimeter defenses?
  • They are useless against insider attacks
  • They provide a false sense of security
  • You still need to toughen up the inside, at least
    some
  • You need to hire enough defenders
  • They don't scale well

18
The Pretty Good Wall of China
19
(No Transcript)
20
Heidelberg Castle, started in the 1300s
21
(No Transcript)
22
(No Transcript)
23
Perimeters need gateways
  • Let the good stuff in and keep out the bad stuff
  • This requires a bit of technology in any case
  • Doors, gates, murder holes, etc.
  • A place to focus your defenses

24
(No Transcript)
25
Parliament entrance
26
Parliament exit
27
One gate is not enough
  • Too much infrastructure
  • Low-budget gates
  • Sally ports
  • Postern gates

28
Warsaw gate
29
Edinburgh Castle
30
Postern gate (Stirling Castle)
31
A short bio regarding Internet perimeters
  • Started at Bell Labs in December 1987
  • Immediately took over postmaster and firewall
    duties
  • Good way to learn the ropes, which was my
    intention

32
Morris worm hit in Nov 1988
  • Heard about it on NPR
  • Had a sinking feeling about it
  • The home-made firewall worked
  • No fingerd
  • No sendmail (we rewrote the mailer)
  • Intranet connection to Bellcore
  • We got lucky
  • Bell Labs had 1330 hosts
  • Corporate HQ didn't know or care

33
Action items
  • Shut down the unprotected connection to Bellcore
  • What we now call a routing leak
  • Redesign the firewall for much more capacity, and
    no sinking feeling
  • (VAX 750, load average of 15)
  • Write a paper on it
  • If you don't write it up, you didn't do the work

34
Old gateway
35
New gateway
36
New gateway (one referee's suggestion)
37
Design of a Secure Internet Gateway, Anaheim
Usenix, Jan 1990
  • My first real academic paper
  • It was pretty good, I think
  • Coined the word "proxy" in its current use (this
    was for a circuit-level gateway; predated SOCKS
    by three years)
  • Coined the expression "crunchy outside and soft
    chewy center"

38
(No Transcript)
39
Lucent now (1997) (sort of). We'd circled the
wagons around Wyoming.
[Network diagram: The Internet; Columbus; Murray Hill; Holmdel; Allentown; SLIP, PPP, ISDN, X.25, cable ...; Lucent - 130,000, 266K IP addresses, 3000 nets ann.; thousands of telecommuters; 200 business partners]
40
Anything large enough to be called an intranet
is probably out of control

41
Controlling an intranet is hard, even if you care
a lot about it
  • End-to-end philosophy is not helpful if you are
    the phone company
  • New networks and hosts are easily connected
    without the knowledge and permission of the
    network owner
  • Security scan tools are not helpful if you don't
    know where to point them
  • This is not the fault of the network managers!
    They didn't have the right tools!

42
Highlands forum, Annapolis, Dec 1996
  • A Rand corp. game to help brief a member of the
    new President's Infrastructure Protection
    Commission
  • Met Esther Dyson and Fred Cohen there
  • Personal assessment by intel profiler
  • Day after scenario
  • Gosh it would be great to figure out where these
    networks actually go

43
The Internet Mapping Project
  • An experiment in exploring network connectivity
  • 1997

44
Goals
  • Consistent, reasonably thorough description of
    the important topology of the Internet
  • A light touch, so Internet denizens wouldn't be
    angry (or even notice) me.
  • Use a technology that doesn't require access to
    routers
  • Traceroute-style probes are fast, informative,
    and recognized as harmless by most network
    administrators
  • Clean up Lucent's intranet

45
Methods - network discovery (ND)
  • Obtain master network list
  • network lists from Merit, RIPE, APNIC, etc.
  • BGP data or routing data from customers
  • hand-assembled list of Yugoslavia/Bosnia
  • Run a TTL-type (traceroute) scan towards each
    network
  • Stop on error, completion, no data
  • Keep the natives happy

46
Advantages
  • We don't need access (i.e. SNMP) to the routers
  • It's very fast
  • Standard Internet tool; it doesn't break things
  • Insignificant load on the routers
  • Not likely to show up on IDS reports
  • We can probe with many packet types

47
Limitations
  • View is from scanning host only
  • Multiple scan sources give a better view
  • Outgoing paths only
  • Level 3 (IP) only
  • ATM networks appear as a single node
  • Not all routers respond
  • Some are silent
  • Others are shy (RFC 1123 compliant), limited to
    one response per second
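
The traceroute-style discovery described on the Methods, Advantages and Limitations slides can be modelled end to end. The following is an added example (not Lumeta's code, and not from the talk) that simulates TTL-limited probes over a small constructed topology: a silent router that never answers, a "shy" router that replies at most once per second, an unrouted network that triggers an error from the first hop, and the three stop rules (error, completion, no data). Every host name, link and timing value is an assumption made for the example.

```python
from collections import deque

# Constructed topology (an assumption for this example, not Lumeta data):
# undirected links, "scanner" is the probing host, "net-*" are target networks.
LINKS = [("scanner", "r1"), ("r1", "r2"), ("r2", "r3"), ("r3", "net-a"),
         ("r2", "r4"), ("r4", "r5"), ("r5", "net-b"), ("r1", "r6"),
         ("r6", "net-c"), ("r4", "r7"), ("r7", "r8"), ("r8", "net-e")]
SILENT = {"r4", "r7", "r8"}  # never send ICMP Time Exceeded
SHY = {"r2"}                 # RFC 1123 style: at most one reply per second
MASTER_LIST = ["net-a", "net-b", "net-c", "net-d", "net-e"]  # net-d: no route
MAX_TTL, MAX_NO_DATA, PROBE_INTERVAL = 30, 3, 0.1  # fast scan: 10 probes/s

ADJ = {}
for a, b in LINKS:
    ADJ.setdefault(a, set()).add(b)
    ADJ.setdefault(b, set()).add(a)


def forwarding_path(src, dst):
    """Shortest path src..dst by BFS, or None when dst is unrouted."""
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in sorted(ADJ.get(node, ())):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


class Scanner:
    def __init__(self):
        self.clock = 0.0       # simulated seconds since scan start
        self.last_reply = {}   # shy router -> time of its last reply
        self.edges = set()     # (hop, next hop) pairs recovered so far

    def probe(self, target, ttl):
        """One TTL-limited probe: (responder, 'hop'|'completion'|'error'|'timeout')."""
        self.clock += PROBE_INTERVAL
        path = forwarding_path("scanner", target)
        if path is None:   # first-hop router has no route: ICMP Destination Unreachable
            return sorted(ADJ["scanner"])[0], "error"
        if ttl >= len(path) - 1:
            return target, "completion"        # the destination itself answered
        router = path[ttl]
        if router in SILENT:
            return None, "timeout"
        if router in SHY:
            last = self.last_reply.get(router)
            if last is not None and self.clock - last < 1.0:
                return None, "timeout"         # rate-limited: reply suppressed
            self.last_reply[router] = self.clock
        return router, "hop"

    def trace(self, target):
        """Scan toward one network; stop on error, completion or no data."""
        hops, no_data = [], 0
        for ttl in range(1, MAX_TTL + 1):
            responder, kind = self.probe(target, ttl)
            hops.append(responder)
            if kind == "timeout":
                no_data += 1
                if no_data >= MAX_NO_DATA:
                    return hops, "no data"
                continue
            no_data = 0
            if kind in ("error", "completion"):
                return hops, kind
        return hops, "ttl exhausted"

    def record_edges(self, hops):
        """Hop list -> graph edges; an unanswered hop becomes the node '?'."""
        prev = "scanner"
        for hop in hops:
            node = hop if hop is not None else "?"
            self.edges.add((prev, node))
            prev = node


def discover(master_list):
    """Return {target: (hops, stop reason)} and the edge set for the map."""
    scanner, results = Scanner(), {}
    for net in master_list:
        hops, reason = scanner.trace(net)
        scanner.record_edges(hops)
        results[net] = (hops, reason)
    return results, scanner.edges


if __name__ == "__main__":
    for net, (hops, why) in discover(MASTER_LIST)[0].items():
        print(f"{net}: {' -> '.join(h or '*' for h in hops)}  [{why}]")
```

The run shows the two limitations from the slide directly: the shy router r2 appears in the first trace, vanishes from the second (probed again within a second), and reappears once a second has passed, and the chain of silent routers toward net-e ends the trace as "no data" rather than a completed path. The unanswered hops are kept as a placeholder node so the map still records that something sits between r1 and r5.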

48
Data collection complaints
  • Australian parliament was the first to complain
  • List of whiners (25 nets)
  • On the Internet, these complaints are a thing of
    the past
  • Internet background radiation predominates

49
Visualization goals
  • make a map
  • show interesting features
  • debug our database and collection methods
  • geography doesn't matter
  • use colors to show further meaning

50
(No Transcript)
51
Visualization of the layout algorithm
  • Laying out the Internet graph

52
(No Transcript)
53
(No Transcript)
54
Colored by AS number
55
Map Coloring
  • distance from test host
  • IP address
  • shows communities
  • Geographical (by TLD)
  • ISPs
  • future
  • timing, firewalls, LSRR blocks

56
Colored by IP address!
57
Colored by geography
58
Colored by ISP
59
Colored by distance from scanning host
60
(No Transcript)
61
(No Transcript)
62
Yugoslavia
  • An unclassified peek at a new battlefield
  • 1999

63
(No Transcript)
64
A film by Steve "Hollywood" Branigan...
65
(No Transcript)
66
The End
67
Intranets: the rest of the Internet
68
(No Transcript)
69
Lucent's intranet
  • Legacy links understood and removed
  • Network list cleaned up
  • M&A assistance

70
(No Transcript)
71
This was supposed to be a VPN
72
(No Transcript)
73
(No Transcript)
74
Perimeter leaks
  • Lumeta's Special Sauce
  • 2000

75
Types of leaks
  • Routing leaks
  • Internal routes are announced externally, and the
    packets are allowed to flow betwixt

76
(No Transcript)
77
Types of leaks
  • Host leaks
  • Simultaneously connected inside and out, probably
    without firewall-functionality
  • Not necessarily a dual-homed host

78
Possible host leaks
  • Misconfigured telecommuters connecting remotely
  • VPNs that are broken
  • DMZ hosts with too much access
  • Business partner networks
  • Internet connections by rogue managers
  • Modem links to ISPs

79
(get technical host leak description)
80
Leak Detection Layout
  • Mapping host with address A is connected to the
    intranet
  • Mitt with address D has Internet access
  • Mapping host and mitt are currently the same
    host, with two interfaces

[Diagram: mapping host (A) and test host (B) on the intranet; mitt (D) on the Internet; test host's possible outside address (C)]
81
Leak Detection
  • Test host has known address B on the intranet
  • It was found via census
  • We are testing for unauthorized access to the
    Internet, possibly through a different address, C

[Diagram: mapping host (A) and test host (B) on the intranet; mitt (D) on the Internet; test host's possible outside address (C)]
82
Leak Detection
  • A sends a packet to B, with spoofed return address
    of D
  • If B can, it will reply to D with a response,
    possibly through a different interface

[Diagram: mapping host (A) and test host (B) on the intranet; mitt (D) on the Internet; test host's possible outside address (C)]
83
Leak Detection
  • Packet must be crafted so the response won't be
    permitted through the firewall
  • A variety of packet types and responses are used
  • Either inside or outside address may be
    discovered
  • Packet is labeled so we know where it came from

[Diagram: mapping host (A) and test host (B) on the intranet; mitt (D) on the Internet; test host's possible outside address (C)]
84
Inbound Leak Detection
  • This direction is usually more important
  • It all depends on the site policy
  • so many leaks might be just fine.

[Diagram: mapping host (A) and test host (B) on the intranet; mitt (D) on the Internet; test host's possible outside address (C)]
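
The outbound leak test on the preceding four slides (probe from A to B with return address D, reply routed by B's own tables, firewall expected to drop it, label carried in the reply, inside or outside address discovered) can be modelled without sending any packets. The following is an added example, not Lumeta's code: it simulates a census of intranet hosts with different routing situations and reports what the mitt would receive. All addresses (documentation ranges), host names, the firewall policy and the `Host`/`Packet`/`answer_probe`/`run_leak_test` names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses for this example (assumptions, not a real network).
INTRANET = ipaddress.ip_network("10.0.0.0/8")
MAPPING_HOST = "10.0.0.10"   # A: the sending interface; absent from the probe
MITT = "198.51.100.9"        # D: the mitt's Internet address (TEST-NET-2)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    label: int   # tag carried into the reply so the mitt knows which test it was


@dataclass
class Host:
    name: str
    inside: str                    # B: the known intranet address, found by census
    outside: Optional[str] = None  # C: address of a second, Internet-facing interface
    default_via: str = "firewall"  # path for non-intranet destinations


# Constructed firewall policy: the probe's protocol is one the firewall only
# lets out for these inside addresses, so a normal host's reply bounces off.
FIREWALL_ALLOWS_OUT = {"10.5.0.2"}   # a DMZ host with too much access


def firewall_permits(pkt):
    return pkt.src in FIREWALL_ALLOWS_OUT


def answer_probe(host, probe):
    """What the test host does with the probe: reply to its (spoofed) source
    address over whatever path the host's own routing picks for that address.
    Returns the reply if it reaches the Internet, else None."""
    dst = probe.src
    if ipaddress.ip_address(dst) in INTRANET:            # never leaves the intranet
        return None
    if host.default_via == "outside" and host.outside:
        # dual-homed: reply leaves by the second interface with address C
        return Packet(host.outside, dst, probe.proto, probe.label)
    reply = Packet(host.inside, dst, probe.proto, probe.label)
    if host.default_via == "firewall":
        return reply if firewall_permits(reply) else None   # expected case: dropped
    if host.default_via == "rogue-router":
        return reply   # single-homed host behind an unfiltered, unknown Internet path
    return None


def run_leak_test(hosts, proto="udp"):
    """Probe every census host from A with return address D; report what the
    mitt receives as (host name, reply source, which address was exposed)."""
    by_label = {i: h for i, h in enumerate(hosts, start=1)}
    mitt_inbox = []
    for label, host in by_label.items():
        probe = Packet(MITT, host.inside, proto, label)   # spoofed return address D
        reply = answer_probe(host, probe)
        if reply is not None and reply.dst == MITT:
            mitt_inbox.append(reply)
    leaks = []
    for reply in mitt_inbox:
        host = by_label[reply.label]
        exposed = "outside address" if reply.src != host.inside else "inside address"
        leaks.append((host.name, reply.src, exposed))
    return leaks


# Constructed census of intranet hosts.
HOSTS = [
    Host("fileserver", "10.1.1.5"),                                  # clean
    Host("telecommuter-pc", "10.2.3.4", "203.0.113.77", "outside"),  # dual-homed
    Host("lab-box", "10.9.9.9", default_via="rogue-router"),          # hidden router
    Host("dmz-web", "10.5.0.2"),                                     # firewall too open
]

if __name__ == "__main__":
    for name, src, exposed in run_leak_test(HOSTS):
        print(f"leak: {name} replied to the mitt from {src} ({exposed})")
```

Three of the four constructed hosts show up at the mitt, each for a different reason listed on the "Possible host leaks" slide: the dual-homed telecommuter answers from its outside address C, the single-homed lab machine behind an unknown router answers from its inside address B (the "not necessarily a dual-homed host" case), and the DMZ host answers through a firewall rule that is wider than it should be. The label is what ties each received packet back to the host that was probed, since the source address alone may be one the census never saw.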
85
Inbound Leak Detection
[Diagram: mapping host (A) and test host (B) on the intranet; mitt (D) on the Internet; test host's possible outside address (C)]
86
Lumeta
  • Sept 2000

87
Service offering
  • Make sure everything works
  • Our own experts ran it
  • HTML report
  • Map viewer (see below)

88
Early results
  • Early adopters
  • They want to run tests
  • Like testing a cruiser on a small lake
  • Surprisingly subtle; IDS misses it often
  • That's interesting to some clients
  • Service offering, so we can fix up the software
  • Surprisingly robust, especially the mapping
    layout software
  • No show-stopping intranets

89
Early results
  • Maps and especially leak detection are popular,
    as expected

90
We developed a lot of stuff: Routing loops
  • Routing errors
  • Can load expensive lines

91
We developed a lot of stuff: Address space
visualization
  • Outliers
  • Network usage at the class B level

92
Leak results
  • Found home web businesses
  • At least two clients have tapped leaks
  • One made front page news
  • From the military: "the republic is a little
    safer"
  • Please don't call them leaks
  • They aren't always a Bad Thing

93
Case studies: corp. networks. Some intranet
statistics
94
(No Transcript)
95
IPsonar
  • 2003

96
We developed a lot of stuff: multi-protocol ND (by
service)
  • Are there some kinds of packets that penetrate
    farther than others?
  • E.g. Pings blocked, UDP probes continue
  • Can show firewall leaks

97
We developed a lot of stuff: service discovery
  • The obvious service port scans
  • We do it as gently as possible

98
We developed a lot of stuff: Perimeter map
  • Where exactly are the edges of your network?
  • Are there intranet sections reached through the
    Internet?

99
We developed a lot of stuff: Lumeta Network Index
  • Computes an index of your network security
  • Objective measurement of security
  • Clients can vary what's important

100
We developed a lot of stuff: Route sources
  • What routers announce routes that aren't in our
    official list?

101
We developed a lot of stuff: Host enumeration and
type
  • Light-weight OS identification
  • Not perfect, but very quick
  • Non-intrusive. NOT nmap.

102
We developed a lot of stuff: Wireless base station
detection
  • A lot of people care about this
  • No antennas are involved
  • We look for network signatures of base stations
  • User-configurable
  • You can find them from far away
  • Rogue ones are much less likely to evade
    detection than properly-run ones

103
The zeroth step in network management
  • You can't secure what you don't know
  • Large investment in security stuff; now aim it
    correctly
  • I don't know how network managers run a large
    network without a tool like this
  • Legacy links are almost always there
  • Misconfigured DMZ hosts
  • Business partners
  • Personnel changes

104
What's next?
  • IPv6
  • 2005 3

105
(No Transcript)
106
IPv6 deployment
  • Has been 3 years away since 1993
  • Widely deployed in the Far East, and in the new
    cell phones
  • Europe is getting on board
  • US Government mandate
  • Karl Siil and Lumeta are trying to figure all
    this out. We will still have perimeter defenses

107
Pondering and Patrolling Network Perimeters
  • Bill Cheswick
  • ches_at_lumeta.com
  • http://www.lumeta.com