Defending Your Network: Identifying and Patrolling Your True Network Perimeter - PowerPoint PPT Presentation


Defending Your Network: Identifying and Patrolling Your True Network Perimeter

Bill Cheswick

Chief Scientist, Lumeta Corp


Pondering and Patrolling Perimeters

Bill Cheswick

ches@lumeta.com

http://www.lumeta.com


Talk Outline

  • Outside: mapping the Internet

  • A discussion of perimeter defenses

  • Strong host security

  • Mapping and understanding intranets

  • The past and future of Microsoft host security:

    • my Dad’s computer


The Internet Mapping Project

An experiment in exploring network connectivity


Motivations

  • Highlands “day after” scenario

  • Panix DoS attacks

    • a way to trace anonymous packets back!

  • Visualization experiments

  • Curiosity about size and growth of the Internet

  • Databases for graph theorists, grad students, etc.


Methods - data collection

  • Single reliable host connected at the company perimeter

  • Daily full scan of Lucent

  • Daily partial scan of Internet, monthly full scan

  • One line of text per network scanned

  • Unix tools

  • Use a light touch, so we don’t bother Internet denizens


Methods - network discovery (ND)

  • Obtain master network list

    • network lists from Merit, RIPE, APNIC, etc.

    • BGP data or routing data from customers

    • hand-assembled list of Yugoslavia/Bosnia

  • Run a traceroute-style scan towards each network

    • Stop on error, completion, no data

  • Keep the natives happy


Intranet implications of Internet mapping

  • High speed technique, able to handle the largest networks

  • Light touch: “what are you going to do to my intranet?”

  • Acquire and maintain databases of Internet network assignments and usage


Related Work

  • See Martin Dodge’s cyber geography page

  • MIDS - John Quarterman

  • CAIDA - kc claffy

  • Mercator

  • “Measuring ISP topologies with Rocketfuel” - 2002

    • Spring, Mahajan, Wetherall

  • Enter “internet map” in your search engine


TTL probes

  • Used by traceroute and other tools

  • Probes toward each target network with increasing TTL

  • Probes are ICMP, UDP, TCP to port 80, 25, 139, etc.

  • Some people block UDP, others ICMP


Advantages

  • We don’t need access (i.e. SNMP) to the routers

  • It’s very fast

  • Standard Internet tool: it doesn’t break things

  • Insignificant load on the routers

  • Not likely to show up on IDS reports

  • We can probe with many packet types


Limitations

  • View is from scanning host only

    • Multiple scan sources gives a better view

  • Outgoing paths only

  • Layer 3 (IP) only

    • ATM networks appear as a single node

  • Not all routers respond

    • Some are silent

    • Others are “shy” (RFC 1123 compliant), limited to one response per second
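The discovery procedure on the last few slides (master network list, a traceroute-style scan toward each network that stops on error, completion or no data, probe types tried in turn when one is filtered, silent and rate-limited routers, a don't-scan list) can be shown end to end in code. The simulation below is an added example, not Lumeta's scanner; the topology, the addresses (documentation and RFC 1918 ranges), the router behaviour flags and the one-second retry rule are all constructed assumptions. The scanner never reads the topology; it only sees what each probe returns, as a real TTL scan from a single host would.

```python
"""Traceroute-style network discovery with a light touch (added simulation).
Not Lumeta's scanner: TOPOLOGY is constructed ground truth the scanner never
reads; it only sends probes with increasing TTL and watches the replies."""
import ipaddress
from dataclasses import dataclass

@dataclass
class Router:
    addr: str
    silent: bool = False       # never returns ICMP Time Exceeded
    shy: bool = False          # RFC 1123 style: at most one reply per second
    blocks: tuple = ()         # probe types it filters: "udp", "icmp", "tcp80"
    last_reply: float = -9.0   # simulated time of the last reply (shy routers)

# Constructed ground truth: (routers nearest first, host that finally answers or None).
R1 = Router("192.0.2.1")
SHY = Router("10.2.0.1", shy=True)                    # shared by two targets below
TOPOLOGY = {
    "10.1.0.0/16": ([R1, Router("192.0.2.9"), Router("10.1.0.1")], "10.1.0.7"),
    "10.2.0.0/16": ([R1, Router("192.0.2.13", silent=True), SHY], "10.2.0.5"),
    "10.5.0.0/16": ([R1, SHY], "10.5.0.2"),
    "10.3.0.0/16": ([R1, Router("192.0.2.17", blocks=("udp",)), Router("10.3.0.1")], "10.3.0.9"),
    "10.4.0.0/16": ([R1, Router("192.0.2.21", blocks=("udp", "icmp", "tcp80"))], None),
    "10.6.0.0/24": ([R1, Router("10.6.0.1")], "10.6.0.3"),
}
DONT_SCAN = ["10.6.0.0/16"]               # hands-off list: partners, fragile gear
PROBE_TYPES = ("udp", "icmp", "tcp80")    # tried in turn when one is filtered
MAX_TTL, MAX_DARK = 30, 3                 # give up after MAX_DARK unanswered hops

def send_probe(path, ttl, proto, now):
    """One probe; returns (kind, addr), kind in ttl_exceeded/reached/prohibited/timeout."""
    hops, endpoint = path
    for depth, r in enumerate(hops, start=1):
        if ttl == depth:                              # TTL expires at this router
            if r.silent:
                return "timeout", None
            if r.shy:
                if now - r.last_reply < 1.0:
                    return "timeout", None
                r.last_reply = now
            return "ttl_exceeded", r.addr
        if proto in r.blocks:                         # dropped instead of forwarded
            return "prohibited", r.addr
    if endpoint is None:
        return "timeout", None
    return "reached", endpoint                        # port unreachable / echo reply / RST

class Scanner:
    def __init__(self, topology, dont_scan):
        self.topology = topology
        self.dont_scan = [ipaddress.ip_network(n) for n in dont_scan]
        self.clock, self.retries = 0.0, 0
        for hops, _ in topology.values():             # fresh simulated clock per run
            for r in hops:
                r.last_reply = -9.0

    def _probe(self, path, ttl, proto):
        kind, addr = send_probe(path, ttl, proto, self.clock)
        self.clock += 0.1
        if kind == "timeout":                         # retry once, a full second later:
            self.retries += 1                         # enough for a rate-limited router
            self.clock += 1.0
            kind, addr = send_probe(path, ttl, proto, self.clock)
            self.clock += 0.1
        return kind, addr

    def trace(self, path):
        """Returns (hops, status); '*' marks a hop that never answered."""
        hops, dark, pi = [], 0, 0
        for ttl in range(1, MAX_TTL + 1):
            kind, addr = self._probe(path, ttl, PROBE_TYPES[pi])
            while kind == "prohibited":               # same TTL, next probe type
                pi += 1
                if pi == len(PROBE_TYPES):
                    return hops, "error"              # every probe type is filtered here
                kind, addr = self._probe(path, ttl, PROBE_TYPES[pi])
            if kind == "reached":
                return hops + [addr], "complete"
            if kind == "timeout":
                hops.append("*")
                dark += 1
                if dark == MAX_DARK:
                    break
            else:
                hops.append(addr)
                dark = 0
        return hops, "no data"

    def scan(self):
        results = {}
        for target, path in self.topology.items():    # the master network list
            net = ipaddress.ip_network(target)
            if any(net.subnet_of(d) for d in self.dont_scan):
                results[target] = ([], "skipped")
            else:
                results[target] = self.trace(path)
        return results

if __name__ == "__main__":
    for target, (hops, status) in Scanner(TOPOLOGY, DONT_SCAN).scan().items():
        print(f"{target:14} {status:9} {' '.join(hops)}")   # one line of text per network
```

Two behaviours are worth noticing in the output. The silent router at hop 2 of 10.2.0.0/16 shows up as `*` and the scan continues past it, whereas 10.4.0.0/16 stops with `error` once every probe type is administratively filtered at 192.0.2.21. The shared rate-limited router is hit twice within a second; the second scan only sees it because the scanner waits a full second before its single retry, which is what keeps the touch light.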


Data collection complaints

  • Australian parliament was the first to complain

  • List of whiners (25 nets)

  • On the Internet, these complaints are mostly a thing of the past

  • Internet background radiation predominates


Intranet uses of Don’t Scan list

  • Hands off particular business partners

  • Hands off especially sensitive networks

    • Hanging ATMs

    • 3B2s with broadcast storms

    • Wollongong software (!) on factory floor computers

  • Intranet vs. ISP customer networks


Visualization goals

  • make a map

  • show interesting features

  • debug our database and collection methods

  • hard to fold up

  • geography doesn’t matter

  • use colors to show further meaning


Visualization of the layout algorithm

Laying out the Internet graph


Visualization of the layout algorithm

Laying out an intranet


A simplified map, for the Internet layouts

  • Minimum distance spanning tree uses 80% of the data

  • Much easier visualization

  • Most of the links still valid

  • Redundancy is in the middle
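The simplified map is the shortest-path tree from the scanning host over the union of all traced paths. The example below is added here and is not the Lumeta layout code; PATHS is a constructed set of hop lists of the kind a single-source TTL scan records, with `*` for a hop that never answered. It builds the graph, keeps only the link by which breadth-first search first reached each node, reports how much of the data survives and at what depth the discarded redundancy sits, and derives the two colourings the deck uses (distance from the scanning host, and IP address, here the /24 as a rough community).

```python
"""Simplified map: the minimum-distance spanning tree of the scan graph.
Added example, not Lumeta's layout code; PATHS is constructed scan output."""
from collections import deque

SCANNER = "scanner"
PATHS = [
    ["192.0.2.1", "192.0.2.9", "10.1.0.1", "10.1.0.7"],
    ["192.0.2.1", "192.0.2.9", "10.1.0.1", "10.1.0.22"],
    ["192.0.2.1", "192.0.2.13", "10.2.0.1", "10.2.0.5"],
    ["192.0.2.1", "192.0.2.13", "10.1.0.1", "10.1.0.7"],   # second route into 10.1.0.1
    ["192.0.2.1", "192.0.2.17", "10.3.0.1", "10.3.0.9"],
    ["192.0.2.5", "192.0.2.17", "10.3.0.1"],               # second route into 192.0.2.17
    ["192.0.2.1", "*", "10.4.0.1", "10.4.0.2"],
]

def build_graph(paths):
    """Union of every hop-to-hop link. A '*' is an anonymous node, unique to its path."""
    adj = {}

    def link(a, b):
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)

    for i, path in enumerate(paths):
        prev = SCANNER
        for depth, hop in enumerate(path):
            node = f"*{i}:{depth}" if hop == "*" else hop
            link(prev, node)
            prev = node
    return adj

def distance_tree(adj, root=SCANNER):
    """Breadth-first search: each node keeps only the link to the parent it was first reached from."""
    dist, parent, queue = {root: 0}, {}, deque([root])
    while queue:
        u = queue.popleft()
        for v in sorted(adj[u]):
            if v not in dist:
                dist[v], parent[v] = dist[u] + 1, u
                queue.append(v)
    return dist, parent

def simplify(paths):
    """Tree layout plus the two colourings the talk uses: distance and address."""
    adj = build_graph(paths)
    dist, parent = distance_tree(adj)
    links = {frozenset((a, b)) for a in adj for b in adj[a]}
    kept = {frozenset((v, p)) for v, p in parent.items()}
    # where the discarded redundancy sits: depth of the nearer end of each dropped link
    dropped_depth = sorted(min(dist[n] for n in e) for e in links - kept)
    return {
        "links": len(links),
        "kept": len(kept),
        "kept_fraction": round(len(kept) / len(links), 3),
        "dropped_depth": dropped_depth,
        "by_distance": dist,
        "by_prefix": {n: n.rsplit(".", 1)[0] for n in dist if n[0].isdigit()},  # /24 community
    }

if __name__ == "__main__":
    m = simplify(PATHS)
    print(f"{m['kept']}/{m['links']} links kept ({m['kept_fraction']:.0%}); "
          f"dropped links at depths {m['dropped_depth']}")
```

On this constructed input 15 of 17 links survive, and both dropped links are at depths 1 and 2 of a 4-deep tree: single-source traceroute data is already nearly a tree at the edges, so what the spanning tree throws away is the cross-connection in the middle, which is the deck's point.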


Colored by AS number


Map Coloring

  • distance from test host

  • IP address

    • shows communities

  • Geographical (by TLD)

  • ISPs

  • future

    • timing, firewalls, LSRR blocks


Colored by IP address!


Colored by geography


Colored by ISP


Colored by distance from scanning host


US military networks reached by ICMP ping


US military networks reached by UDP


Yugoslavia

An unclassified peek at a new battlefield



fin


Perimeter defenses


Perimeter defenses are a traditional means of protecting an area without hardening each of the things in that area


Why use a perimeter defense?

  • It is cheaper

    • A man’s home is his castle, but most people can’t afford the moat

  • You can concentrate your equipment and your expertise in a few areas

  • It is simpler, and simpler security is usually better

    • Easier to understand and audit

    • Easier to spot broken parts


Perimeter Defense of the US Capitol Building


Flower pots


Security doesn’t have to be ugly


Delta barriers


Parliament: entrance


Parliament: exit


What’s wrong with perimeter defenses

  • They are useless against insider attacks


Edinburgh Castle

  • fell through a hole in its perimeter

  • fell to siege in three years in 16th century

    • ran out of food and water

  • Unsuccessful attack by Bonnie Prince Charlie in 1745

  • Devastated in 1544 by the Earl of Hertford


What’s wrong with perimeter defenses

  • They are useless against insider attacks

  • They provide a false sense of security

    • You still need to toughen up the inside, at least some

    • You need to hire enough defenders

  • They don’t scale well


The Pretty Good Wall of China


Can we live without an intranet?

Strong host security


I can, but you probably can’t

  • “Skinny-dipping” on the Internet since the mid 1990s

  • The exposure focuses one clearly on the threats and proactive security

  • It’s very convenient, for the services I dare to use

  • Many important network services are difficult to harden


Skinny dipping rules

  • Only minimal services are offered to the general public

    • ssh

    • Web server (jailed Apache)

    • DNS (self chrooted)

    • SMTP (postfix, not sendmail)

  • Children (like employees) and MSFT clients are untrustworthy

  • Offer hardened local services at home, like SAMBA (chroot), POP3 (chroot)

  • I’d like to offer other services, but they are hard to secure


Skinny dipping requires strong host security

  • FreeBSD and Linux machines

  • I am told that one can lock down an MSFT host, but there are hundreds of steps, and I don’t know how to do it.

  • This isn’t just about operating systems: the most popular client applications are, in theory, very dangerous and, in practice, very dangerous.

    • Web browsers and mail readers have many dangerous features


Lately, I have been cheating

  • Backup hosts are unreachable from the Internet (which is a perimeter defense of sorts), and do not trust the exposed hosts

  • Public servers have lower privilege than my crown jewels

  • This means I can experiment a bit more with the exposed hosts


Skinny dipping flaws

  • Less defense in depth

  • No protection from denial-of-service attacks


Hopes for Microsoft client security?

  • I’ll talk about it at the end of the talk.


Intranets

Networked perimeter defenses



Intranets have been out of control since they were invented

  • This is not the fault of network administrators

    • The technology is amenable to abuse

    • Decentralization was a design goal of the Internet

  • CIO and CSOs want centralized control of their network

  • The legacy information is lost with rapid employee turnover

  • M&A breaks carefully-planned networking


Perimeter security gives a false sense of security

  • “Crunchy outside, and a soft, chewy center”

    • Me

  • I think 40 hosts is about the most that I can control within a perimeter.

    • Others can probably do better

  • Internet worms are pop quizzes on perimeter security



History of the Project and Lumeta

  • Started in August 1998 at Bell Labs

  • April-June 1999: Yugoslavia mapping

  • July 2000: first customer intranet scanned

  • Sept. 2000: spun off Lumeta from Lucent/Bell Labs

  • June 2002: “B” round funding completed

  • 2003: sales >$4MM

  • After three years of a service offering, we built IPSonar so you can run it yourself.


This was supposed to be a VPN


This is useful, but can we find hosts that have access across the perimeter?


Leaks

  • We call the leaks shown in the maps “routing leaks”

  • Can we find hosts that don’t forward packets, but straddle the perimeter?

  • Yes: we call them “host leaks”, and detecting them is Lumeta’s “special sauce”


How to find host leaks

  • Run a census with ICMP and/or UDP packets

  • Test each machine to see if it can receive a probe from one network, and reply on another

  • Not just dual-homed hosts

  • DMZ hosts, business partner machines, misconfigured VPN access


Leak Detection

A sends packet to B, with spoofed return address of D

If B can, it will reply to D with a response, possibly through a different interface

[Figure: Internet and intranet, with labels mitt, Mapping host, D, A, Internet, intranet, C, B, Test host]


Leak Detection

Packet must be crafted so the response won’t be permitted through the firewall

A variety of packet types and responses are used

Either inside or outside address may be discovered

Packet is labeled so we know where it came from

[Figure: same diagram as the previous slide, labels mitt, Mapping host, D, A, Internet, intranet, C, B, Test host]
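The host-leak test described on the last three slides, as an added simulation that is not Lumeta's code. The two networks, the hosts, their addresses (documentation and RFC 1918 ranges), their routing tables and the firewall policy are all constructed assumptions. The mapping host sends each target an echo request whose source address is the collector on the far side of the perimeter; the probe type is chosen so that the firewall drops it in either direction (here the firewall passes only outbound TCP), so the only way a reply can reach the collector is over a path the firewall does not control. The label carried in the probe identifies which target answered, and running the test from each side discovers the outside and the inside address of the straddling host in turn.

```python
"""Host-leak detection by spoofed-source probing (added simulation, not Lumeta's
code). Hosts, addresses and firewall policy are constructed assumptions."""
import ipaddress
from dataclasses import dataclass

INTERNET, INTRANET = "internet", "intranet"

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    label: str              # probe id + target, carried in the payload / ICMP id
    reply: bool = False

@dataclass
class Host:
    name: str
    ifaces: dict            # network -> address on that network
    routes: list            # (cidr, network); longest prefix wins

    def egress(self, dst):
        d = ipaddress.ip_address(dst)
        return max((ipaddress.ip_network(c).prefixlen, net)
                   for c, net in self.routes if d in ipaddress.ip_network(c))[1]

class Net:
    """Internet and intranet joined by a firewall that permits only outbound TCP."""
    ALLOWED = {(INTRANET, INTERNET): {"tcp"}}

    def __init__(self, hosts):
        self.hosts = hosts
        self.heard = []     # (receiving host, label, reply source, network it arrived on)
        self.blocked = []   # labels of packets the firewall discarded

    def _on(self, net, addr):
        return next((h for h in self.hosts if h.ifaces.get(net) == addr), None)

    def send(self, sender, pkt):
        net = sender.egress(pkt.dst)                  # sender only chooses the interface
        if self._on(net, pkt.dst) is None:            # not local: goes via the firewall
            other = INTERNET if net == INTRANET else INTRANET
            if pkt.proto not in self.ALLOWED.get((net, other), set()):
                self.blocked.append(pkt.label)
                return
            net = other
        target = self._on(net, pkt.dst)
        if target is not None:
            self.receive(target, net, pkt)

    def receive(self, host, net, pkt):
        if pkt.reply:
            self.heard.append((host.name, pkt.label, pkt.src, net))
            return
        # a live host answers an echo request to whatever source the packet claims
        self.send(host, Packet(pkt.dst, pkt.src, pkt.proto, pkt.label, reply=True))

def find_leaks(net, mapper, collector, collector_addr, targets):
    """Probe each target from mapper with collector_addr as the spoofed source.
    Returns {label: address that answered} for the replies the collector received."""
    net.heard.clear()
    for i, t in enumerate(targets):
        net.send(mapper, Packet(collector_addr, t, "icmp-echo", f"probe{i}:{t}"))
    return {label: src for name, label, src, _ in net.heard if name == collector.name}

# Constructed hosts. B is dual-homed and straddles the perimeter; C sits outside,
# E sits inside, and neither has a path around the firewall.
A = Host("A-mapper", {INTERNET: "198.51.100.10"}, [("0.0.0.0/0", INTERNET)])
D = Host("D-collector", {INTRANET: "10.0.0.5"}, [("0.0.0.0/0", INTRANET)])
B = Host("B-test", {INTERNET: "203.0.113.20", INTRANET: "10.0.0.20"},
         [("10.0.0.0/8", INTRANET), ("0.0.0.0/0", INTERNET)])
C = Host("C-dmz", {INTERNET: "203.0.113.30"}, [("0.0.0.0/0", INTERNET)])
E = Host("E-inside", {INTRANET: "10.0.0.40"}, [("0.0.0.0/0", INTRANET)])

if __name__ == "__main__":
    net = Net([A, B, C, D, E])
    # outside in: learns the outside address of any host able to reply on the inside
    print(find_leaks(net, A, D, "10.0.0.5", ["203.0.113.20", "203.0.113.30", "10.0.0.40"]))
    # inside out: learns the inside address of any host able to reply on the outside
    print(find_leaks(net, D, A, "198.51.100.10", ["10.0.0.20", "10.0.0.40"]))
```

Only B shows up in either direction: C's reply to 10.0.0.5 and E's reply to 198.51.100.10 both arrive at the firewall as ICMP and are dropped, while B routes its reply out the other interface. In practice the probe is a raw packet (with Scapy, `IP(src=collector, dst=target)/ICMP()`) and the collector sniffs for the label; networks that apply BCP 38 source-address filtering between the mapping host and the target will drop the spoofed probe before it arrives, so the mapping host must sit where such packets are forwarded, and the test should only be run on networks you are authorized to assess.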


Leaks are not always bad

  • Depends on the network policy

  • Often, outgoing leaks are ok

  • Sometimes our test packets get through, but not the services you are worrying about

  • “Please don’t call them leaks”

  • Until this test, there was no way for the CIO to detect them, good or bad

  • Patent pending…


We developed a lot of stuff

  • Leak detection (that’s the special sauce)

  • Route discovery

  • Host enumeration and identification

  • Server discovery

  • Lots of reports…the hardest part

  • Wireless base station discovery

  • And more…ask the sales people

  • The “zeroth step in network intelligence”

    • me


Case studies: corp. networks

Some intranet statistics


Some Lumeta lessons

  • Reporting is the really hard part

    • Converting data to information

  • “Tell me how we compare to other clients”

  • Offering a service was good practice, for a while

  • We have >70 Fortune-200 companies and government agencies as clients

  • Need-to-have vs. want-to-have


Microsoft client security

It has been getting worse


Case study: My Dad’s computer

  • Windows XP, plenty of horsepower, two screens

  • Applications:

    • Email (Outlook)

    • “Bridge:” a fancy stock market monitoring system

    • AIM

  • Cable access, dynamic IP address, no NAT, no firewall, outdated virus software, no spyware checker


This computer was a software toxic waste dump

  • It was burning a quart of software every 300 miles

  • The popups seemed darned distracting to me

  • But he thought it was fine

    • Got his work done

    • Didn’t want a system administrator to break his user interface somehow


Microsoft’s Augean Stables

  • 3000 oxen, 30 years, that’s roughly one ox-day per line of code in Windows


Windows ME

Active Connections - Win ME

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:1032         0.0.0.0:0              LISTENING
  TCP    223.223.223.10:139     0.0.0.0:0              LISTENING
  UDP    0.0.0.0:1025           *:*
  UDP    0.0.0.0:1026           *:*
  UDP    0.0.0.0:31337          *:*
  UDP    0.0.0.0:162            *:*
  UDP    223.223.223.10:137     *:*
  UDP    223.223.223.10:138     *:*


Windows 2000

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1029           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1036           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1078           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1086           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6515           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:139          0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:1038           *:*
  UDP    0.0.0.0:6514           *:*
  UDP    0.0.0.0:6515           *:*
  UDP    127.0.0.1:1108         *:*
  UDP    223.223.223.96:500     *:*
  UDP    223.223.223.96:4500    *:*


Windows XP, this laptop

  Proto  Local Address          Foreign Address        State
  TCP    ches-pc:epmap          ches-pc:0              LISTENING
  TCP    ches-pc:microsoft-ds   ches-pc:0              LISTENING
  TCP    ches-pc:1025           ches-pc:0              LISTENING
  TCP    ches-pc:1036           ches-pc:0              LISTENING
  TCP    ches-p c:3115          ches-pc:0              LISTENING
  TCP    ches-pc:3118           ches-pc:0              LISTENING
  TCP    ches-pc:3470           ches-pc:0              LISTENING
  TCP    ches-pc:3477           ches-pc:0              LISTENING
  TCP    ches-pc:5000           ches-pc:0              LISTENING
  TCP    ches-pc:6515           ches-pc:0              LISTENING
  TCP    ches-pc:netbios-ssn    ches-pc:0              LISTENING
  TCP    ches-pc:3001           ches-pc:0              LISTENING
  TCP    ches-pc:3002           ches-pc:0              LISTENING
  TCP    ches-pc:3003           ches-pc:0              LISTENING
  TCP    ches-pc:5180           ches-pc:0              LISTENING
  UDP    ches-pc:microsoft-ds   *:*
  UDP    ches-pc:isakmp         *:*
  UDP    ches-pc:1027           *:*
  UDP    ches-pc:3008           *:*
  UDP    ches-pc:3473           *:*
  UDP    ches-pc:6514           *:*
  UDP    ches-pc:6515           *:*
  UDP    ches-pc:netbios-ns     *:*
  UDP    ches-pc:netbios-dgm    *:*
  UDP    ches-pc:1900           *:*
  UDP    ches-pc:ntp            *:*
  UDP    ches-pc:1900           *:*
  UDP    ches-pc:3471           *:*


FreeBSD partition, this laptop

Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp6       0      0  *.22                   *.*                    LISTEN


Microsoft really means it about improving their security

  • Their security commitment appears to be real

  • It is a huge job

  • Opposing forces are unclear to me

  • It’s been a long time coming, and frustrating

  • They need world-class sandboxes, many more layers in their security, and much safer defaults

  • A Microsoft “terminal” will benefit millions of users


Windows OK

  • Thin client implemented with Windows

  • It would be fine for maybe half the Windows users

    • Students, consumers, many corporate and government users

  • It would be reasonable to skinny dip with this client

    • Without firewall or virus checking software


Windows OK

  • No network listeners

    • None of those services are needed, except admin access for centrally-administered hosts

  • Default security settings, all available on the control panel security screen

  • Security settings can be locked
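The netstat listings a few slides back and the "no network listeners" bar set here are the same check from two sides. Below is an added example, not code from the talk, that applies the check mechanically: it parses both netstat layouts shown on the slides (Windows `netstat -a` and BSD `netstat -a`), keeps only listening sockets, and reports the ones bound to something other than loopback. The two sample listings are constructed in the layout of those slides. Note that Windows `netstat -a` without `-n` prints the machine name (`ches-pc`) for sockets bound to all interfaces, so a hostname in the local-address column counts as exposed, not local.

```python
"""Audit netstat output for exposed listeners (added example, not from the talk).
Handles the Windows layout (Proto, Local Address, Foreign Address, State) and the
BSD layout (Proto, Recv-Q, Send-Q, Local Address, Foreign Address, state).
SAMPLE_* are constructed in the layout of the slides' listings."""
from dataclasses import dataclass

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

SAMPLE_WINDOWS = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1032         0.0.0.0:0              LISTENING
  TCP    ches-pc:epmap          ches-pc:0              LISTENING
  TCP    192.0.2.7:3117         198.51.100.9:80        ESTABLISHED
  UDP    0.0.0.0:31337          *:*
  UDP    127.0.0.1:1108         *:*
"""

SAMPLE_BSD = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp6       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.25           *.*                    LISTEN
udp4       0      0  *.123                  *.*
"""

@dataclass(frozen=True)
class Listener:
    proto: str      # tcp / udp, address family stripped
    addr: str
    port: str       # a number, or a service name when netstat ran without -n
    exposed: bool   # reachable from another host, not only from loopback

def split_endpoint(endpoint, bsd):
    """BSD prints addr.port ('*.22', '::1.22'); Windows prints addr:port ('[::1]:22')."""
    addr, port = endpoint.rsplit("." if bsd else ":", 1)
    return addr.strip("[]"), port

def parse_netstat(text):
    """Return the listening sockets found in either netstat layout."""
    found = []
    for line in text.splitlines():
        f = line.split()
        if not f or not f[0].lower().startswith(("tcp", "udp")):
            continue                                  # headers and blank lines
        proto = f[0].lower()
        bsd = f[1].isdigit()                          # a Recv-Q column means BSD layout
        local = f[3] if bsd else f[1]
        if proto.startswith("tcp"):
            state = f[5] if bsd else f[3]
            if not state.startswith("LISTEN"):
                continue                              # established, time-wait, ...
        addr, port = split_endpoint(local, bsd)       # every UDP socket can receive
        # Windows without -n shows the machine name for 0.0.0.0 binds: treat any
        # non-loopback name or address as reachable from the network.
        found.append(Listener(proto[:3], addr, port, addr not in LOOPBACK))
    return found

def exposed_ports(text):
    """Sorted (proto, port) pairs a remote host could reach; an empty list means
    the host meets the 'no network listeners' bar."""
    return sorted({(l.proto, l.port) for l in parse_netstat(text) if l.exposed})

if __name__ == "__main__":
    for name, sample in (("windows", SAMPLE_WINDOWS), ("bsd", SAMPLE_BSD)):
        print(name, exposed_ports(sample))
```

Run against the deck's own listings, the Windows ME, 2000 and XP hosts each produce a list of a dozen or more exposed ports, the FreeBSD partition produces only `tcp/22`, and the "Windows OK" target is an empty list. Run it with `netstat -an` rather than `netstat -a` so addresses and ports come out numeric and a hostname never stands in for a wildcard bind.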


Windows OK

  • Reduce privileges in servers and all programs

  • Sandbox programs

    • Belt and suspenders


Windows OK (cont)

  • There should be nothing you can click on, in email or a web page, that can hurt your computer

    • No portable programs are executed ever, except…

  • ActiveX from approved parties

    • MSFT and one or two others. List is lockable


Office OK

  • No macros in Word or PowerPoint. No executable code in PowerPoint files

  • The only macros allowed in Excel perform arithmetic. They cannot create files, etc.


Vulnerabilities in OK

  • Buffer overflows in processing of data (not from the network)

  • Stop adding new features and focus on bug fixes

  • Programmers can clean up bugs, if they don’t have a moving target

    • It converges, to some extent


Defending Your Network: Identifying and Patrolling Your True Network Perimeter

Bill Cheswick

Chief Scientist, Lumeta Corp