1 / 100

Pondering and Patrolling Network Perimeters

Pondering and Patrolling Network Perimeters. Bill Cheswick ches@lumeta.com http://www.lumeta.com. Talk Outline. A little personal history concerning perimeter defenses Outside: mapping the Internet A discussion of perimeter defenses Strong host security Mapping and understanding intranets.

narena
Download Presentation

Pondering and Patrolling Network Perimeters

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Pondering and Patrolling Network Perimeters Bill Cheswick ches@lumeta.com http://www.lumeta.com

  2. Talk Outline • A little personal history concerning perimeter defenses • Outside: mapping the Internet • A discussion of perimeter defenses • Strong host security • Mapping and understanding intranets

  3. A short bio regarding Internet perimeters • Started at Bell Labs in December 1987 • Immediately took over postmaster and firewall duties • Good way to learn the ropes, which was my intention

  4. Morris worm hit on Nov 1988 • Heard about it on NPR • Had a “sinking feeling” about it • The home-made firewall worked • No fingerd • No sendmail (we rewrote the mailer) • Intranet connection to Bellcore • We got lucky • Bell Labs had 1330 hosts • Corporate HQ didn’t know or care

  5. Action items • Shut down the unprotected connection to Bellcore • What we now call a “routing leak” • Redesign the firewall for much more capacity, and no “sinking feeling” • (VAX 750, load average of 15) • Write a paper on it • “if you don’t write it up, you didn’t do the work”

  6. Old gateway:

  7. New gateway:

  8. New gateway:(one referee’s suggestion)

  9. “Design of a Secure Internet Gateway” – Anaheim Usenix, Jan 1990 • My first real academic paper • It was pretty good, I think • It didn’t have much impact, except for two pieces: • Coined the work “proxy” in its current use (this was for a circuit level gateway • Predated socks by three years) • Coined the expression “crunchy outside and soft chewy center”

  10. By 1996, AT&T’s intranet • Firewall security: high, and sometimes quite a pain, which meant • Perimeter security: dumb luck • Trivestiture didn’t change the intranet configuration that much

  11. Lucent now (1997) (sort of)We’d circled the wagons around Wyoming The Internet Columbus Murray Hill Murray Hill Holmdel Allentown SLIP PPP ISDN X.25 cable ... Lucent - 130,000, 266K IP addresses, 3000 nets ann. thousands of telecommuters ~200 business partners

  12. Highlands forum, Annapolis, Dec 1996 • A Rand corp. game to help brief a member of the new President’s Infrastructure Protection Commission • Met Esther Dyson and Fred Cohen there • Personal assessment by intel profiler • “Day after” scenario • Gosh it would be great to figure out where these networks actually go

  13. Perimeter Defenses have a long history

  14. Lorton Prison

  15. The Pretty Good Wall of China

  16. Perimeter Defense of the US Capitol Building

  17. Flower pots

  18. Security doesn’t have to be ugly

  19. Delta barriers

  20. Edinburgh Castle

  21. Warwick Castle

  22. Heidelberg Castlestarted in the 1300s

  23. Parliament: entrance

  24. Parliament: exit

  25. Why use a perimeter defense? • It is cheaper • A man’s home is his castle, but most people can’t afford the moat • You can concentrate your equipment and your expertise in a few areas • It is simpler, and simpler security is usually better • Easier to understand and audit • Easier to spot broken parts

  26. What’s wrong with perimeter defenses • They are useless against insider attacks • They provide a false sense of security • You still need to toughen up the inside, at least some • You need to hire enough defenders • They don’t scale well

  27. Anything large enough to be called an ‘intranet’ is out of control

  28. Controlling an intranet is hard, even if you care a lot about it • End-to-end philosophy is not helpful if you are the phone company • New networks and hosts are easily connected without the knowledge and permission of the network owner • Security scan tools are not helpful if you don’t know where to point them

  29. Project 1:Can we live without an intranet? Strong host security Mid 1990s

  30. I can, but maybe you can’t • “Skinny-dipping” on the Internet since the mid 1990s • The exposure focuses one clearly on the threats and proactive security • It’s very convenient, for the services I dare to use • Many important network services are difficult to harden

  31. What you need to skinny dip • Secure client • Only enclave computers like my laptop have access • Secure communications (Κρυπτο) • AES is OK for “type 1” crypto – NSA • Secure server

  32. Skinny dipping rules • Only minimal services are offered to the general public • Ssh • Web server (jailed Apache) • DNS (self chrooted) • SMTP (postfix, not sendmail) • Children (like employees) and MSFT clients are untrustworthy • Offer hardened local services at home, like SAMBA (chroot), POP3 (chroot) • I’d like to offer other services, but they are hard to secure

  33. Skinny dipping requires strong host security • FreeBSD and Linux machines • I am told that one can lock down an MSFT host, but there are hundreds of steps, and I don’t know how to do it. • This isn’t just about operating systems: the most popular client applications are, in theory, very dangerous and, in practice, very dangerous. • Web browsers and mail readers have many dangerous features

  34. Skinny dipping flaws • Less defense in depth • No protection from denial-of-service attacks

  35. Project 2:The Internet Mapping Project An experiment in exploring network connectivity 1998

  36. Methods - network discovery (ND) Obtain master network list network lists from Merit, RIPE, APNIC, etc. BGP data or routing data from customers hand-assembled list of Yugoslavia/Bosnia Run a TTL-type (traceroute) scan towards each network Stop on error, completion, no data Keep the natives happy

  37. Methods - data collection Single reliable host connected at the company perimeter Daily full scan of Lucent Daily partial scan of Internet, monthly full scan One line of text per network scanned Unix tools Use a light touch, so we don’t bother Internet denizens

More Related