We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byAnnis Jones
Modified over 4 years ago
Submarine Warfare: Perimeter defense without walls Dan Houser, CISSP, CISM
©Copyright 2004 – Daniel D. Houser Overview Classic firewall perspective Where firewalls fall short Changes in the security space Suggestions for improving network security Strategic vision Tactical focus Q&A This presentation is designed to be the visit through the looking glass… Thinking about perimeter security with a different perspective.
©Copyright 2004 – Daniel D. Houser Fortress mentality Network implementation of physical barriers Designed with overlapping, visible, impenetrable barriers Classic perimeter security Atlantic Wall
©Copyright 2004 – Daniel D. Houser Classic firewall/DMZ design External Throne Room Outer Courtyard Inner Courtyard
©Copyright 2004 – Daniel D. Houser Assumptions of the classic perimeter security model Attackers are outside trying to break in Attackers cannot breach the wall Attackers are identified by guards Guards are loyal All contact comes through single path Unfortunately, these are all wrong.
©Copyright 2004 – Daniel D. Houser Reality Most attackers are inside Attackers can breach the wall Guards can’t identify all attackers Guards can be subverted Communication over MANY paths
©Copyright 2004 – Daniel D. Houser Reality: Many communication paths Business partners Affiliates Subsidiaries Telecommuters On-site ConsultantsSupport Technicians Off-site Consultants ?? Spybots Spyware / Adware
©Copyright 2004 – Daniel D. Houser Red Queen race “You have to run faster and faster just to stay in the same place!” – The Red Queen, Alice in Wonderland Image courtesy www.rushlimbaugh.com
©Copyright 2004 – Daniel D. Houser Information courtesy CERT®/CC, Statistics 1988-2004, http://www.cert.org/stats/cert_stats.html Red Queen race
©Copyright 2004 – Daniel D. Houser Web Services Security is changing the rules: Outsourced authentication (federated) Extranet access to core systems RPC calls over HTTP using XML & SOAP Offshore services, data processing Highly connected networks Very tight business integration In short, there is no network perimeter Red Queen race
©Copyright 2004 – Daniel D. Houser New paradigms are needed We must migrate from ground-based warfare to a model that fits information warfare “He who does not learn from history is doomed to repeat it.” The Maginot Line was bypassed The Atlantic Wall was pierced and defeated The Great Wall provided only partial protection The Alamo fell to a massive attack
©Copyright 2004 – Daniel D. Houser New paradigm: Submarine warfare In submarine warfare Everyone is an enemy until proven otherwise All contacts are tracked and logged Hardened autonomous systems Rules of engagement govern all response Constant vigilance Identify Friend or Foe (IFF) becomes vital Hunter-killer units vital to protect strategic investments – offensive as well as defensive players Environment “listeners” for ASW and tracking Evade detection, hound and confuse the enemy
©Copyright 2004 – Daniel D. Houser How does submarine warfare translate into InfoWarfare? Harden all devices, not just DMZ Use of hardened kernels for all servers Harden all systems and run minimal services Minimal installations on desktops Dumb terminals where available Provide Office tools to knowledge workers only Strip unneeded capabilities from kiosks Remove the ability to install software Analyze traffic, not just headers Application-based firewalls XML Filtering
©Copyright 2004 – Daniel D. Houser How does Submarine Warfare translate into InfoWarfare? (2) Segregate boot camp from the theatre of operations VLAN development, test, DR & production Make change control your code firewall Only change control spans 2 security zones Production support segregated from source code Core network becomes the DMZ Since most attacks are from within, make cubicles a DMZ Create hardened subnets for accounting, HR, IT, operations Publish intranets in the DMZ
©Copyright 2004 – Daniel D. Houser Source: InformationSecurity Magazine, “Network Security: Submarine Warfare”, Dan Houser, 2003, http://tinyurl.com/nwk7 Network segmentation: Crunchy on the outside and the middle
©Copyright 2004 – Daniel D. Houser How does submarine warfare translate into InfoWarfare? (3) Heavy use of crypto for IFF functions Accelerators & HSM will be key technologies Require all packets to be signed (e.g. Kerberos) Certificate revocation for intrusion prevention Network PKI becomes mission critical at layer 2 Some early products emerging in this space (e.g. EndForce) Network IDS is key Analyzing packets for IFF analysis, heuristics ISP pre-filtered IDS Analog threat tagging Identifying and tracking intruders Isolating subnets with hostile traffic Revoke certificates for hostile servers Vectoring CIRT
©Copyright 2004 – Daniel D. Houser How does submarine warfare translate into InfoWarfare? (4) Tiger teams and internal search & seizure Businesses can’t afford rogue servers Zero tolerance policy for hacking Ethical hackers, capture the flag & war games: A&P Vulnerability assessment teams Drill and war games Red teams – capture the flag Blue teams – learn from red teams, patch vulnerabilities Highly trained staff becomes core competency Training Education Employee retention
©Copyright 2004 – Daniel D. Houser How does submarine warfare translate into InfoWarfare? (5) Confuse and harass attackers Make your real servers look bogus Save all.ASP code as.CGI files, perl as.ASP Configure responses from Apache that mimic IIS Open dummy NetBIOS ports on Unix servers Open bogus 21, 23, 25, 80 & 443 ports on all servers, with netcat listening on the bogus ports Call your database server “Firewall” Route bogus traffic to IDS network
©Copyright 2004 – Daniel D. Houser Internet attacks have changed… Photo Courtesy NASA
©Copyright 2004 – Daniel D. Houser Old school attack Lone interloper targets major firm Studies publicly available information Hangs out at local pub, befriends sales team Dumpster dives to obtain manuals, phone lists Uses war-dialer to find modems & remote hosts Uses social engineering to obtain passwords Dials up hosts, logs in, mayhem & mischief
©Copyright 2004 – Daniel D. Houser “Modern” attack Lone interloper targets IP range Downloads script kiddy tools Scans IP range looking for vulnerable hosts Port scans hosts looking for exploitable services Uses exploit tool, mayhem & mischief Target selection now a target of opportunity… indiscriminate attack
©Copyright 2004 – Daniel D. Houser Worms hit 10,000 networks at once… Photo Courtesy The Weather Channel
©Copyright 2004 – Daniel D. Houser What we need is early warning Photo Courtesy NASA
©Copyright 2004 – Daniel D. Houser Hide in the open: Big freakin’ haystack Virtual honeynets + Intrusion Management Create server that emulates address range: 10.x.x.x Open tons of ports: 20, 21, 23, 25, 37, 42, 43, 49, 67, 68, 69, 80, 109, 110, 137-139, 389, 443, 666, 6667 Emulate good hosts: MS-Exchange, Solaris/Oracle, MS- SQL, RedHat/Apache/Tomcat, WinXP Pro Emulate bad boxes: botnet servers, Warez server, trojaned workstations, Win95 workstation, backdoor Honeyd likely tool, or at least a starting point
©Copyright 2004 – Daniel D. Houser Convert unused address space into decoy tripwire nets - 16,320,000 decoys to 200 "real" servers Stop swallowing packets: route unreachable hosts to the virtual honeynet 190,000 decoys per “real” server = 99.9995% detection Any hits are malicious – route to IDS / IPS Research attack profile. Block attackers for 1 hour, 2 hours, 24 hours, 1 week. You’ve gained breathing room to respond to real attacks Hide in the open: Big freakin’ haystack (2)
©Copyright 2004 – Daniel D. Houser
Hide in the open
©Copyright 2004 – Daniel D. Houser The fun has just begun… LaBrea: SYN/ACK, TCP Window size = 0 (wait) Load LaBrea to freeze a scan, run on random port Freezes Windows-based scanners up to 4 minutes Scanning 10,000 hosts takes 27 days. Detecting 100 unpublished hosts in Class A would take approximately 112 years" Disclaimer: This may be illegal in your municipality. I am not a lawyer. Talk to one.
©Copyright 2004 – Daniel D. Houser The fun has just begun… (2) Storm Surge Mode: active re-configuration Suppose your “standard” BFH net emulates: 25%Apache/Tomcat on RedHat 7 25%Microsoft SQL on Win2003 Server 25%Lotus Notes/Domino on Win2k Server 25%Oracle 9i on Solaris IDS from BFH telemetry notices big Win2k attack BFH configuration changes: 30%Microsoft SQL on Win2k Server 30%Exchange on Win2k Server 30%IIS on Win2k Server 10%Allocated among 30 other server/workstation images
©Copyright 2004 – Daniel D. Houser Virtual honeynets: Make legitimate servers look like bogus servers. Make all servers (fake & real) look identical Port-level routing: Web Server gets ICMP echo reply, 80, 443 All other ports go to BFH BFH in your internal network Malware outbreaks see your network with 16 million hosts Ability to detect worms while slowing spread by 600x If all Class A, B & C networks ran BFH, it would emulate 2,112,077,025 Internet-facing virtual hosts." Worms and script kiddies would be economically infeasible. The fun has just begun… (3)
©Copyright 2004 – Daniel D. Houser Where to get started? Switching models will take time… What do we do in the interim? Copyright FarWorks & Gary Larson
©Copyright 2004 – Daniel D. Houser Turning the tide: Resilient systems Server & desktop hardened images Security templates – lock down desktops Server-based authentication – PKI Host-based intrusion detection Centralized logging Out-of-band server management Eliminate single points of failure Honeypots / honeynets Camouflage and deception in DMZ
©Copyright 2004 – Daniel D. Houser Turning the tide: People Security is a people problem, not a technical problem Hire and train smart, security-minded people to run your networks and servers Reward security: Establish benchmarks & vulnerability metrics More than just uptime – include confidentiality & integrity Audit against the benchmarks Include security as major salary/bonus modifier Job descriptions must incorporate security objectives Train developers, architects & BAs on how to develop secure systems Equate security breaches & cracking tools like weapons or drugs in the workplace – a “zero tolerance” policy?
©Copyright 2004 – Daniel D. Houser Turning the tide: Process Assess risk & vulnerability: BIA Include security in feature sets & requirements Segregation of Developers, Testers & Production, and particularly Prod Support from source code Change management & access rights Certification & Accreditation Engage security team in charter & proposal phase Bake security into the systems lifecycle Require sponsor risk acceptance & authorization Embed accreditation into change control Include security in contract review and ROI Configuration Management security patch lists
©Copyright 2004 – Daniel D. Houser Summary Use firewalls, but as one of many tools Start network security with people, process and host security Think outside the box when developing security architectures Be prepared to dump your perimeter Focus on malleable networking Protect assets according to their value
©Copyright 2004 – Daniel D. Houser Q&A Copyright FarWorks & Gary Larson
©Copyright 2004 – Daniel D. Houser Contact information Dan Houser, CISSP, CISM, CCP firstname.lastname@example.org See Submarine Warfare article: http://tinyurl.com/nwk7
Computer Security II Lecturer – Lynn Ackler – Office – CSC 222 – Office Hours 9:00 – 10:00 M,W Course – CS 457 – CS 557.
FIREWALLS Chapter 11.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
5-Network Defenses Dr. John P. Abraham Professor UTPA.
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
Hackers, Crackers, and Network Intruders: Heroes, villains, or delinquents? Tim McLaren Thursday, September 28, 2000 McMaster University.
Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
System and Network Security Practices COEN 351 E-Commerce Security.
Honeypots Margaret Asami. What are honeypots ? an intrusion detection mechanism entices intruders to attack and eventually take over the system, while.
Intrusion Detection Systems and Practices
Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.
Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.
Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.
Network Security Testing Techniques Presented By:- Sachin Vador.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
January 14, 2010 Introduction to Ethical Hacking and Network Defense MIS © Abdou Illia.
Computer Security and Penetration Testing
Internet Relay Chat Chandrea Dungy Derek Garrett #29.
© 2020 SlidePlayer.com Inc. All rights reserved.