security in the post-Internet era
Terry Gray
C&C all-hands meeting
09 March 2004
thesis
• the Open Internet is history -- “get over it”
• destroyed by predictable reaction to recent attacks -- but not without significant collateral damage
• replaced by the Indeterminate Internet -- that most people haven’t and won’t notice
• we can and must protect the needs of the few -- while still supporting the needs of the many
Internet metamorphosis
• 1969: “one network”
• 1983: “network of networks”
• 199-: “balkanization” begins
• 2003: “heat death” begins
• 2004: paradigm lost?
personal metamorphosis
• 1988: “five anti-interoperable networks” !!
• 2000: “network security credo” - manage those hosts!
• 2000: “my first NAT” - hardly hurt a bit
• 2002: S@LS planning - keeping the faith
• 2003: “slammer” - intervention
• 2003: “blaster” - wake
• 2004: “mydoom” - groundhog day
• 2005: “five anti-interoperable networks” ??
grief counseling
• coping with post-Internet intellectual trauma:
  • denial
  • anger
  • bargaining
  • depression
  • acceptance
• I had not understood that all of these emotions can occur simultaneously!
UW network security chronology
• 1988: Five anti-interoperable networks
• 1994: Nebula shows network utility model viable
• 1998: Defined OSFA border blocking policy
• 2000: Published Network Security Credo
• 2000: Added source address spoof filters
• 2000: Proposed med ctr network zone
• 2000: Proposed server sanctuaries
• 2001: Ban clear-text passwords on C&C systems
• 2001: Proposed pervasive host firewalls
• 2001: Developed logical firewall solution
• 2002: Developed Project-172 solution
• 2003: Slammer, Blaster… death of the Internet
• 2003: Begin work on flex-net architecture
security-related trends
• more life-critical applications
• more wireless use
• more VoIP (and soon, VoWLAN)
• faster networks
• class action lawsuits
• RIAA subpoenas
• SEC filings to include security info?
• more sophisticated attacks
• more spyware, encrypted backdoors
• less sophisticated attackers
• profit motive for attacks
end of an era
• gone: the open Internet (connection transparency)
• going: autonomous unmanaged PCs
• at risk: full digital convergence?
• the network utility model is dead
  • once hosts were all equally accessible
  • once network jacks were all the same (‘cept speed)
  • once all application ports were open
• welcome to the indeterminate Internet
  • “Heisenberg/Einstein” networking...
  • uncertain and relativistic connectivity
  • you can make no assumptions about what should work
how we lost it: inevitable trainwreck?
• fundamental contradiction
  • networking is about connectivity
  • security is about isolation
• conflicting roles and goals
  • vendors
  • networkers
  • security people
  • sys admins
  • oh yeah… and the users
• insecurity = liability
  • liability trumps innovation
  • liability trumps operator concerns
  • liability trumps user concerns
how we lost it: disconnects
• failure of “computer security”
  • vendors gave customers what they wanted, not what they needed
  • responsibility/authority/accountability disconnects guaranteed failure
  • the network brought the trouble; the network should fix it
• failure of networkers to understand what users wanted
  • not a completely open Internet!
  • importance of “unlisted numbers”
observations
• feedback loop:
  • closed nets encourage constrained apps
  • constrained apps encourage closed nets
  • thus: the Indeterminate Internet may become the Single-Port Internet
• tunneling, encryption trends undermine perimeter defense effectiveness
• isolation strategies are limited by how many devices you want on your desk
• blaster: triggered more perimeter defense, but showed futility of conventional perimeter defense
consequences
• more closed nets & VPNs (bug or feature?)
• more tunneling - “firewall friendly” apps
• more encryption (thanks to RIAA)
• more collateral harm - attack + remedy
• worse MTTR (complexity, broken tools)
• constrained innovation (e.g. p2p, voip)
• cost shifted from “guilty” to “innocent”
• pressure to fix problem at border
• pressure for private nets
• pressure to make network topology match organization boundaries
roads not taken
• what if windows XP had shipped with its integral firewall turned on?
• what if UW had mandated and funded positive desktop control?
• too late… so what can we do now to “protect and serve” our constituency in the post-Internet era?
design tradeoffs
• networks = connectivity; security = isolation
• fault zone size vs. economy/simplicity
• reliability vs. complexity
• prevention vs. (fast) remediation
• security vs. supportability vs. functionality (conflicting admin, ops, user perspectives)
• differences in NetSec approaches relate to:
  • balancing priorities (security vs. ops vs. function)
  • local technical and institutional feasibility
design tradeoff examples
• defense-in-depth conjecture (for N layers)
  • Security: MTTE (exploit) N**2
  • Functionality: MTTI (innovation) N**2
  • Supportability: MTTR (repair) N**2
• Perimeter Protection Paradox (for D devices)
  • Firewall efficiency/value D
  • Firewall effectiveness 1 / D
• border blocking criteria (OSFA policy)
  • Threat can’t reasonably be addressed at edge
  • Won’t harm network (performance, stateless block)
  • Widespread consensus to do it
• security by IP address
preserving the network utility model
• goal: connection transparency
• importance: improves MTTR, innovation
• status: globally, dead… locally, ???
• incompatible with perimeter security?
• NUM-preserving perimeter defense
  • Logical Firewalls
  • Project 172
• foiled: security based on static IP addresses
  • Requires all hosts be reconfigured
lines of defense
• Network isolation for critical services
• Host integrity (make the OS net-safe)
• Host perimeter (OS integrity; firewalling)
• Cluster/lab perimeter
• Network zone perimeter
• Real-time attack detection and containment
next-gen network architecture
• parallel networks; more redundancy
• supportable (geographic) topology
• med ctr subnets = separate backbone
• zone perimeter, sanctuary, and end-point defense
• higher performance
• high-availability strategies
  • Workstations spread across independent nets
  • Redundant routers
  • Dual-homed servers
final metamorphosis
• success then
  • transparent/open Internet (network utility model)
  • effective end-point security
• success now?
  • nobody gets hurt, nobody goes to jail
  • “works fine, lasts a long time”
  • easy to diagnose/fix
  • flexible connection transparency choices
  • unfair cost-shifting avoided
lessons
• net reliability & host security are inextricably linked
• five 9s (5 min/yr) is hard (unless we only attach phones?)
• even host firewalls don’t guarantee safety
• perimeter firewalls may increase user confusion, MTTR
• perimeter firewalls won’t stop next-generation attacks
• it only takes one compromise inside to defeat a firewall
• Nebula existence proof: security in an open network
• DDOS attacks: defense-in-depth is a Good Thing
• controlling net devices is hard -- hublets, wireless
• security via static IP configuration does not scale
• never underestimate non-technical barriers to progress