Presentation is loading. Please wait.

Presentation is loading. Please wait.

Submarine Warfare: Perimeter defense without walls Dan Houser, CISSP, CISM.

Similar presentations


Presentation on theme: "Submarine Warfare: Perimeter defense without walls Dan Houser, CISSP, CISM."— Presentation transcript:

1 Submarine Warfare: Perimeter defense without walls Dan Houser, CISSP, CISM

2 ©Copyright 2004 – Daniel D. Houser Overview Classic firewall perspective Where firewalls fall short Changes in the security space Suggestions for improving network security Strategic vision Tactical focus Q&A This presentation is designed to be the visit through the looking glass… Thinking about perimeter security with a different perspective.

3 ©Copyright 2004 – Daniel D. Houser Fortress mentality Network implementation of physical barriers Designed with overlapping, visible, impenetrable barriers Classic perimeter security Atlantic Wall

4 ©Copyright 2004 – Daniel D. Houser Classic firewall/DMZ design External Throne Room Outer Courtyard Inner Courtyard

5 ©Copyright 2004 – Daniel D. Houser Assumptions of the classic perimeter security model Attackers are outside trying to break in Attackers cannot breach the wall Attackers are identified by guards Guards are loyal All contact comes through single path Unfortunately, these are all wrong.

6 ©Copyright 2004 – Daniel D. Houser Reality Most attackers are inside Attackers can breach the wall Guards can’t identify all attackers Guards can be subverted Communication over MANY paths

7 ©Copyright 2004 – Daniel D. Houser Reality: Many communication paths Business partners Affiliates Subsidiaries Telecommuters On-site ConsultantsSupport Technicians Off-site Consultants ?? Spybots Spyware / Adware

8 ©Copyright 2004 – Daniel D. Houser Red Queen race “You have to run faster and faster just to stay in the same place!” – The Red Queen, Alice in Wonderland Image courtesy www.rushlimbaugh.com

9 ©Copyright 2004 – Daniel D. Houser Information courtesy CERT®/CC, Statistics 1988-2004, http://www.cert.org/stats/cert_stats.html Red Queen race

10 ©Copyright 2004 – Daniel D. Houser Web Services Security is changing the rules: Outsourced authentication (federated) Extranet access to core systems RPC calls over HTTP using XML & SOAP Offshore services, data processing Highly connected networks Very tight business integration In short, there is no network perimeter Red Queen race

11 ©Copyright 2004 – Daniel D. Houser New paradigms are needed We must migrate from ground-based warfare to a model that fits information warfare “He who does not learn from history is doomed to repeat it.” The Maginot Line was bypassed The Atlantic Wall was pierced and defeated The Great Wall provided only partial protection The Alamo fell to a massive attack

12 ©Copyright 2004 – Daniel D. Houser New paradigm: Submarine warfare In submarine warfare Everyone is an enemy until proven otherwise All contacts are tracked and logged Hardened autonomous systems Rules of engagement govern all response Constant vigilance Identify Friend or Foe (IFF) becomes vital Hunter-killer units vital to protect strategic investments – offensive as well as defensive players Environment “listeners” for ASW and tracking Evade detection, hound and confuse the enemy

13 ©Copyright 2004 – Daniel D. Houser How does submarine warfare translate into InfoWarfare? Harden all devices, not just DMZ Use of hardened kernels for all servers Harden all systems and run minimal services Minimal installations on desktops Dumb terminals where available Provide Office tools to knowledge workers only Strip unneeded capabilities from kiosks Remove the ability to install software Analyze traffic, not just headers Application-based firewalls XML Filtering

14 ©Copyright 2004 – Daniel D. Houser How does Submarine Warfare translate into InfoWarfare? (2) Segregate boot camp from the theatre of operations VLAN development, test, DR & production Make change control your code firewall Only change control spans 2 security zones Production support segregated from source code Core network becomes the DMZ Since most attacks are from within, make cubicles a DMZ Create hardened subnets for accounting, HR, IT, operations Publish intranets in the DMZ

15 ©Copyright 2004 – Daniel D. Houser Source: InformationSecurity Magazine, “Network Security: Submarine Warfare”, Dan Houser, 2003, http://tinyurl.com/nwk7 Network segmentation: Crunchy on the outside and the middle

16 ©Copyright 2004 – Daniel D. Houser How does submarine warfare translate into InfoWarfare? (3) Heavy use of crypto for IFF functions Accelerators & HSM will be key technologies Require all packets to be signed (e.g. Kerberos) Certificate revocation for intrusion prevention Network PKI becomes mission critical at layer 2 Some early products emerging in this space (e.g. EndForce) Network IDS is key Analyzing packets for IFF analysis, heuristics ISP pre-filtered IDS Analog threat tagging Identifying and tracking intruders Isolating subnets with hostile traffic Revoke certificates for hostile servers Vectoring CIRT

17 ©Copyright 2004 – Daniel D. Houser How does submarine warfare translate into InfoWarfare? (4) Tiger teams and internal search & seizure Businesses can’t afford rogue servers Zero tolerance policy for hacking Ethical hackers, capture the flag & war games: A&P Vulnerability assessment teams Drill and war games Red teams – capture the flag Blue teams – learn from red teams, patch vulnerabilities Highly trained staff becomes core competency Training Education Employee retention

18 ©Copyright 2004 – Daniel D. Houser How does submarine warfare translate into InfoWarfare? (5) Confuse and harass attackers Make your real servers look bogus Save all.ASP code as.CGI files, perl as.ASP Configure responses from Apache that mimic IIS Open dummy NetBIOS ports on Unix servers Open bogus 21, 23, 25, 80 & 443 ports on all servers, with netcat listening on the bogus ports Call your database server “Firewall” Route bogus traffic to IDS network

19 ©Copyright 2004 – Daniel D. Houser Internet attacks have changed… Photo Courtesy NASA

20 ©Copyright 2004 – Daniel D. Houser Old school attack Lone interloper targets major firm Studies publicly available information Hangs out at local pub, befriends sales team Dumpster dives to obtain manuals, phone lists Uses war-dialer to find modems & remote hosts Uses social engineering to obtain passwords Dials up hosts, logs in, mayhem & mischief

21 ©Copyright 2004 – Daniel D. Houser “Modern” attack Lone interloper targets IP range Downloads script kiddy tools Scans IP range looking for vulnerable hosts Port scans hosts looking for exploitable services Uses exploit tool, mayhem & mischief Target selection now a target of opportunity… indiscriminate attack

22 ©Copyright 2004 – Daniel D. Houser Worms hit 10,000 networks at once… Photo Courtesy The Weather Channel

23 ©Copyright 2004 – Daniel D. Houser What we need is early warning Photo Courtesy NASA

24 ©Copyright 2004 – Daniel D. Houser Hide in the open: Big freakin’ haystack Virtual honeynets + Intrusion Management Create server that emulates address range: 10.x.x.x Open tons of ports: 20, 21, 23, 25, 37, 42, 43, 49, 67, 68, 69, 80, 109, 110, 137-139, 389, 443, 666, 6667 Emulate good hosts: MS-Exchange, Solaris/Oracle, MS- SQL, RedHat/Apache/Tomcat, WinXP Pro Emulate bad boxes: botnet servers, Warez server, trojaned workstations, Win95 workstation, backdoor Honeyd likely tool, or at least a starting point

25 ©Copyright 2004 – Daniel D. Houser Convert unused address space into decoy tripwire nets - 16,320,000 decoys to 200 "real" servers Stop swallowing packets: route unreachable hosts to the virtual honeynet 190,000 decoys per “real” server = 99.9995% detection Any hits are malicious – route to IDS / IPS  Research attack profile.  Block attackers for 1 hour, 2 hours, 24 hours, 1 week. You’ve gained breathing room to respond to real attacks Hide in the open: Big freakin’ haystack (2)

26 ©Copyright 2004 – Daniel D. Houser

27 Hide in the open

28 ©Copyright 2004 – Daniel D. Houser The fun has just begun… LaBrea: SYN/ACK, TCP Window size = 0 (wait)  Load LaBrea to freeze a scan, run on random port  Freezes Windows-based scanners up to 4 minutes  Scanning 10,000 hosts takes 27 days.  Detecting 100 unpublished hosts in Class A would take approximately 112 years" Disclaimer: This may be illegal in your municipality. I am not a lawyer. Talk to one.

29 ©Copyright 2004 – Daniel D. Houser The fun has just begun… (2) Storm Surge Mode: active re-configuration Suppose your “standard” BFH net emulates: 25%Apache/Tomcat on RedHat 7 25%Microsoft SQL on Win2003 Server 25%Lotus Notes/Domino on Win2k Server 25%Oracle 9i on Solaris IDS from BFH telemetry notices big Win2k attack BFH configuration changes: 30%Microsoft SQL on Win2k Server 30%Exchange on Win2k Server 30%IIS on Win2k Server 10%Allocated among 30 other server/workstation images

30 ©Copyright 2004 – Daniel D. Houser Virtual honeynets: Make legitimate servers look like bogus servers. Make all servers (fake & real) look identical Port-level routing:  Web Server gets ICMP echo reply, 80, 443  All other ports go to BFH BFH in your internal network  Malware outbreaks see your network with 16 million hosts  Ability to detect worms while slowing spread by 600x If all Class A, B & C networks ran BFH, it would emulate 2,112,077,025 Internet-facing virtual hosts." Worms and script kiddies would be economically infeasible. The fun has just begun… (3)

31 ©Copyright 2004 – Daniel D. Houser Where to get started? Switching models will take time… What do we do in the interim? Copyright FarWorks & Gary Larson

32 ©Copyright 2004 – Daniel D. Houser Turning the tide: Resilient systems Server & desktop hardened images Security templates – lock down desktops Server-based authentication – PKI Host-based intrusion detection Centralized logging Out-of-band server management Eliminate single points of failure Honeypots / honeynets Camouflage and deception in DMZ

33 ©Copyright 2004 – Daniel D. Houser Turning the tide: People Security is a people problem, not a technical problem Hire and train smart, security-minded people to run your networks and servers Reward security: Establish benchmarks & vulnerability metrics More than just uptime – include confidentiality & integrity Audit against the benchmarks Include security as major salary/bonus modifier Job descriptions must incorporate security objectives Train developers, architects & BAs on how to develop secure systems Equate security breaches & cracking tools like weapons or drugs in the workplace – a “zero tolerance” policy?

34 ©Copyright 2004 – Daniel D. Houser Turning the tide: Process Assess risk & vulnerability: BIA Include security in feature sets & requirements Segregation of Developers, Testers & Production, and particularly Prod Support from source code Change management & access rights Certification & Accreditation Engage security team in charter & proposal phase Bake security into the systems lifecycle Require sponsor risk acceptance & authorization Embed accreditation into change control Include security in contract review and ROI Configuration Management  security patch lists

35 ©Copyright 2004 – Daniel D. Houser Summary Use firewalls, but as one of many tools Start network security with people, process and host security Think outside the box when developing security architectures Be prepared to dump your perimeter Focus on malleable networking Protect assets according to their value

36 ©Copyright 2004 – Daniel D. Houser Q&A Copyright FarWorks & Gary Larson

37 ©Copyright 2004 – Daniel D. Houser Contact information Dan Houser, CISSP, CISM, CCP dan.houser@gmail.com See Submarine Warfare article: http://tinyurl.com/nwk7


Download ppt "Submarine Warfare: Perimeter defense without walls Dan Houser, CISSP, CISM."

Similar presentations


Ads by Google