Pondering and Patrolling Network Perimeters
Bill Cheswick

2 of 102 Perimeter defenses have a long history

3 of 102 Pondering Perimeters (image slide)

4 of 102 (image slide)

5 of 102 Lorton Prison

6 of 102 (image slide)

7 of 102 Perimeter defense of the US Capitol Building

8 of 102 Flower pots

9 of 102 (image slide)

10 of 102 Security doesn't have to be ugly

11 to 14 of 102 (image slides)

15 of 102 Delta barriers

16 of 102 Why use a perimeter defense?
- It is cheaper
  – A man's home is his castle, but most people can't afford the moat
- You can concentrate your equipment and your expertise in a few areas
- It is simpler, and simpler security is usually better
  – Easier to understand and audit
  – Easier to spot broken parts

17 of 102 What's wrong with perimeter defenses
- They are useless against insider attacks
- They provide a false sense of security
  – You still need to toughen up the inside, at least some
  – You need to hire enough defenders
- They don't scale well

18 of 102 The Pretty Good Wall of China

19 of 102 (image slide)

20 of 102 Heidelberg Castle, started in the 1300s

21 to 22 of 102 (image slides)

23 of 102 Perimeters need gateways
- Let the good stuff in and keep out the bad stuff
- This requires a bit of technology in any case
  – Doors, gates, murder holes, etc.
- A place to focus your defenses

24 of 102 (image slide)

25 of 102 Parliament: entrance

26 of 102 Parliament: exit

27 of 102 One gate is not enough
- Too much infrastructure
- Low-budget gates
  – Sally ports
  – Postern gates

28 of 102 Warsaw gate

29 of 102 Edinburgh Castle

30 of 102 Postern gate (Stirling Castle)

31 of 102 A short bio regarding Internet perimeters
- Started at Bell Labs in December 1987
  – Immediately took over postmaster and firewall duties
- Good way to learn the ropes, which was my intention

32 of 102 Morris worm hit in Nov 1988
- Heard about it on NPR
  – Had a "sinking feeling" about it
- The home-made firewall worked
  – No fingerd
  – No sendmail (we rewrote the mailer)
- Intranet connection to Bellcore
- We got lucky
- Bell Labs had 1330 hosts
- Corporate HQ didn't know or care

33 of 102 Action items
- Shut down the unprotected connection to Bellcore
  – What we now call a "routing leak"
- Redesign the firewall for much more capacity, and no "sinking feeling"
  – (VAX 750, load average of 15)
- Write a paper on it
  – "If you don't write it up, you didn't do the work"

34 of 102 Old gateway: (diagram)

35 of 102 New gateway: (diagram)

36 of 102 New gateway: (one referee's suggestion) (diagram)

37 of 102 "Design of a Secure Internet Gateway"
- Anaheim Usenix, Jan 1990
- My first real academic paper
- It was pretty good, I think
- Coined the word "proxy" in its current use (this was for a circuit-level gateway; predated SOCKS by three years)
- Coined the expression "crunchy outside and soft chewy center"

38 of 102 (image slide)

39 of 102 Lucent now (1997) (sort of)
We'd circled the wagons around (diagram labels as recovered from the slide): Wyoming, Allentown, Murray Hill, Columbus, Holmdel; SLIP, PPP, ISDN, X.25, cable, ...; Lucent - 130,000, 266K IP addresses, 3000 nets ann.; Murray Hill; The Internet; ~200 business partners; thousands of telecommuters

40 of 102 Anything large enough to be called an 'intranet' is probably out of control

41 of 102 Controlling an intranet is hard, even if you care a lot about it
- End-to-end philosophy is not helpful if you are the phone company
- New networks and hosts are easily connected without the knowledge and permission of the network owner
- Security scan tools are not helpful if you don't know where to point them
- This is not the fault of the network managers! They didn't have the right tools!

42 of 102 Highlands Forum, Annapolis, Dec 1996
- A RAND Corp. game to help brief a member of the new President's Infrastructure Protection Commission
- Met Esther Dyson and Fred Cohen there
  – Personal assessment by intel profiler
- "Day after" scenario
- Gosh, it would be great to figure out where these networks actually go

43 of 102 The Internet Mapping Project: An experiment in exploring network connectivity, 1997

44 of 102 Goals
- Consistent, reasonably thorough description of the important topology of the Internet
- A light touch, so Internet denizens wouldn't be angry at (or even notice) me
- Use a technology that doesn't require access to routers
  – Traceroute-style probes are fast, informative, and recognized as harmless by most network administrators
- Clean up Lucent's intranet

45 of 102 Methods: network discovery (ND)
- Obtain master network list
  – network lists from Merit, RIPE, APNIC, etc.
  – BGP data or routing data from customers
  – hand-assembled list of Yugoslavia/Bosnia
- Run a TTL-type (traceroute) scan towards each network
- Stop on error, completion, or no data
  – Keep the natives happy

46 of 102 Advantages
- We don't need access (i.e. SNMP) to the routers
- It's very fast
- Standard Internet tool: it doesn't break things
- Insignificant load on the routers
- Not likely to show up on IDS reports
- We can probe with many packet types

47 of 102 Limitations
- View is from the scanning host only
  – Multiple scan sources give a better view
- Outgoing paths only
- Layer 3 (IP) only
  – ATM networks appear as a single node
- Not all routers respond
  – Some are silent
  – Others are "shy" (RFC 1123 compliant), limited to one response per second
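The network-discovery step above, as an added example that is not part of the talk and not Lumeta's code: it takes traceroute-style text (numeric output, as from traceroute -n) for a few target networks, applies the stop-on-no-data rule, and merges the traces into an edge list plus a hop-distance table, the raw material for the maps that follow. The sample traces, the documentation-range addresses and the three-silent-hops threshold are constructed for the example; a silent hop is kept as a per-trace anonymous node, an assumption made here so that no link is recorded that a probe never showed.

```python
import re

# Constructed traceroute -n style output (documentation address ranges), one trace per target net.
SAMPLE_TRACES = {
    "192.0.2.0/24": """\
 1  10.0.0.1  0.4 ms
 2  198.51.100.1  1.2 ms
 3  198.51.100.9  5.1 ms
 4  192.0.2.7  9.8 ms
""",
    "203.0.113.0/24": """\
 1  10.0.0.1  0.3 ms
 2  198.51.100.1  1.1 ms
 3  * * *
 4  203.0.113.2  14.0 ms
 5  * * *
 6  * * *
 7  * * *
""",
}

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)")
MAX_SILENT_RUN = 3   # assumed "no data" stop rule: give up after this many consecutive silent hops


def parse_trace(text):
    """Return hop addresses in order, None for a silent hop. Applies the stop-on-no-data rule:
    a trailing run of MAX_SILENT_RUN silent hops is cut off and the scan of that target ends."""
    hops, silent = [], 0
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        addr = None if m.group(2) == "*" else m.group(2)
        hops.append(addr)
        silent = silent + 1 if addr is None else 0
        if silent >= MAX_SILENT_RUN:
            del hops[-silent:]      # drop the silence, stop probing this target
            break
    return hops


def build_map(traces, scanner="scanner"):
    """Merge traces into a router-level graph.
    Returns (edges, distance): edges is the set of (node, next_node) links actually observed;
    distance maps each node to its smallest hop count from the scanning host, which is what a
    'colored by distance' map is drawn from. A silent hop becomes a per-trace anonymous node
    (assumption) so the routers on either side of it are not joined by a link nobody saw."""
    edges, distance = set(), {scanner: 0}
    for target, text in traces.items():
        prev = scanner
        for idx, addr in enumerate(parse_trace(text), start=1):
            node = addr if addr is not None else f"silent@{target}#{idx}"
            edges.add((prev, node))
            distance[node] = min(distance.get(node, idx), idx)
            prev = node
    return edges, distance


if __name__ == "__main__":
    edges, distance = build_map(SAMPLE_TRACES)
    for a, b in sorted(edges):
        print(f"{a:>28} -> {b:<28} (hop {distance[b]})")
```

Two traces that share their first hops produce one shared edge, not two, which is how the merged map stays smaller than the sum of its traces; a second scanning host would add traces with a different first hop and widen the view.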

48 of 102 Data collection complaints
- Australian parliament was the first to complain
- List of whiners (25 nets)
- On the Internet, these complaints are a thing of the past
  – Internet background radiation predominates

49 of 102 Visualization goals
- make a map
  – show interesting features
  – debug our database and collection methods
- geography doesn't matter
- use colors to show further meaning

50 of 102 (map image)

51 of 102 Visualization of the layout algorithm: laying out the Internet graph

52 to 53 of 102 (map images)

54 of 102 Colored by AS number

55 of 102 Map coloring
- distance from test host
- IP address
  – shows communities
- Geographical (by TLD)
- ISPs
- future
  – timing, firewalls, LSRR blocks

56 of 102 Colored by IP address!

57 of 102 Colored by geography

58 of 102 Colored by ISP

59 of 102 Colored by distance from scanning host

60 to 61 of 102 (map images)

62 of 102 Yugoslavia: An unclassified peek at a new battlefield, 1999

63 of 102 (map image)

64 of 102 A film by Steve "Hollywood" Branigan...

65 of 102 (image slide)

66 of 102 The end

67 of 102 Intranets: the rest of the Internet

68 of 102 (map image)

69 of 102 Lucent's intranet
- Legacy links understood and removed
- Network list cleaned up
- M&A assistance

70 of 102 (map image)

71 of 102 This was supposed to be a VPN

72 to 73 of 102 (map images)

74 of 102 Perimeter leaks: Lumeta's "special sauce", 2000

75 of 102 Types of leaks
- Routing leaks
  – Internal routes are announced externally, and the packets are allowed to flow betwixt

76 of 102 (diagram)

77 of 102 Types of leaks
- Host leaks
  – Simultaneously connected inside and out, probably without firewall functionality
  – Not necessarily a dual-homed host

78 of 102 Possible host leaks
- Misconfigured telecommuters connecting remotely
- VPNs that are broken
- DMZ hosts with too much access
- Business partner networks
- Internet connections by rogue managers
- Modem links to ISPs

79 of 102 (get technical host leak description)

80 of 102 Leak detection layout
(diagram: Internet and intranet; mapping host A, test host B, mitt D, outside address C)
- Mapping host with address A is connected to the intranet
- Mitt with address D has Internet access
- Mapping host and mitt are currently the same host, with two interfaces

81 of 102 Leak detection
- Test host has known address B on the intranet
- It was found via census
- We are testing for unauthorized access to the Internet, possibly through a different address, C

82 of 102 Leak detection
- A sends a packet to B, with spoofed return address of D
- If B can, it will reply to D with a response, possibly through a different interface

83 of 102 Leak detection
- Packet must be crafted so the response won't be permitted through the firewall
- A variety of packet types and responses are used
- Either inside or outside address may be discovered
- Packet is labeled so we know where it came from
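The outbound host-leak procedure on slides 80 to 83, modelled end to end as an added example (not Lumeta's code): mapping host A sends census host B a probe whose source address is spoofed to D, the mitt; B answers along whatever route it has to D; a reply that comes back via the corporate firewall is dropped by policy, while a reply that leaves by B's own outside link arrives at D carrying the label that names B. All addresses, the firewall policy (an old-style proxy gateway that relays only proxied TCP, so ICMP replies never get out), the two probe types and the label format are assumptions for the example; the census of three hosts is constructed.

```python
from ipaddress import ip_address, ip_network

A = "10.0.0.1"               # mapping host, on the intranet (assumed address)
D = "198.51.100.10"          # the "mitt", an interface on the Internet (assumed address)
RUN_TOKEN = "leaktest-0042"  # per-run label; arrivals without it are background radiation, not leaks

# Assumed perimeter policy: the proxy firewall relays only proxied TCP outward. Probe replies
# are ICMP (echo reply, or port-unreachable for the UDP probe), so a reply travelling via the
# firewall can never reach D. One that does reach D left by another path: that is the leak.
FIREWALL_RELAYS = {"tcp"}


class CensusHost:
    """A test host B with a routing table. routes: (prefix, interface address, path), where path
    is "firewall" (toward the corporate gateway), "lan", or "direct" (an interface with its own
    way to the Internet: a modem, a second ISP link, a broken VPN)."""

    def __init__(self, inside_addr, routes, answers_ping=True):
        self.inside_addr = inside_addr
        self.answers_ping = answers_ping
        self.routes = sorted([(ip_network(p), a, v) for p, a, v in routes],
                             key=lambda r: r[0].prefixlen, reverse=True)

    def egress(self, dst):
        """Longest-prefix match: the interface address and path B would use to reach dst."""
        d = ip_address(dst)
        for net, addr, path in self.routes:
            if d in net:
                return addr, path
        return None, None

    def respond(self, pkt):
        """B's reply, if any. An ICMP echo needs a host that answers pings; a UDP datagram to a
        closed high port draws an ICMP port-unreachable from almost any stack. Both reply types
        carry the probe payload back, so the label survives the round trip."""
        if pkt["type"] == "icmp-echo" and not self.answers_ping:
            return None
        src, path = self.egress(pkt["src"])
        if src is None:
            return None
        return {"proto": "icmp", "src": src, "dst": pkt["src"], "path": path, "label": pkt["label"]}


def craft_probe(host, ptype):
    """A sends to B with the return address spoofed to D. The payload is labelled with the run
    token and B's inside address, so whatever comes back can be attributed to B."""
    return {"src": D, "dst": host.inside_addr, "type": ptype,
            "label": f"{RUN_TOKEN}:{host.inside_addr}"}


def reaches_mitt(reply):
    """Model the return path: a direct path goes straight to the Internet, a firewall path is
    subject to policy, a LAN-only path never arrives."""
    if reply is None:
        return None
    if reply["path"] == "direct":
        return reply
    if reply["path"] == "firewall" and reply["proto"] in FIREWALL_RELAYS:
        return reply
    return None


def detect_leaks(hosts, ptypes=("icmp-echo", "udp-high-port")):
    """Probe each census host with each packet type; return {inside address B: outside address C}
    for hosts whose reply arrived at D. Unlabelled arrivals are ignored."""
    leaks = {}
    for host in hosts:
        for ptype in ptypes:
            got = reaches_mitt(host.respond(craft_probe(host, ptype)))
            if got and got["label"].startswith(RUN_TOKEN + ":"):
                leaks[got["label"].split(":", 1)[1]] = got["src"]
                break  # one hit is enough; keep the touch light
    return leaks


# Constructed census: a clean host, a leaking host (modem link is its default route, ignores
# pings), and a dual-homed host whose default route still goes through the firewall.
HOSTS = [
    CensusHost("10.1.2.3", [("10.0.0.0/8", "10.1.2.3", "lan"),
                            ("0.0.0.0/0", "10.1.2.3", "firewall")]),
    CensusHost("10.5.6.7", [("10.0.0.0/8", "10.5.6.7", "lan"),
                            ("0.0.0.0/0", "203.0.113.5", "direct")], answers_ping=False),
    CensusHost("10.9.9.9", [("10.0.0.0/8", "10.9.9.9", "lan"),
                            ("203.0.113.0/24", "203.0.113.9", "direct"),
                            ("0.0.0.0/0", "10.9.9.9", "firewall")]),
]

if __name__ == "__main__":
    for inside, outside in detect_leaks(HOSTS).items():
        print(f"host leak: {inside} (B) reaches the Internet as {outside} (C)")
```

The third host shows why "dual-homed" and "leaking" are different questions: it has an outside interface, but a reply to D is routed through the firewall and never arrives. The second host shows why more than one probe type is needed: it ignores pings, and only the UDP probe draws the port-unreachable that exposes its outside address.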

84 of 102 Inbound leak detection
- This direction is usually more important
- It all depends on the site policy…
- …so many leaks might be just fine.

85 of 102 Inbound leak detection (diagram)

86 of 102 Lumeta, Sept 2000

87 of 102 Service offering
- Make sure everything works
- Our own experts ran it
- HTML report
- Map viewer (see below)

88 of 102 Early results
- Early adopters
- They want to run tests
  – Like testing a cruiser on a small lake
  – Surprisingly subtle…IDS misses it often
  – That's interesting to some clients
- Service offering, so we can fix up the software
  – Surprisingly robust, especially the mapping layout software
- No show-stopping intranets

89 of 102 Early results
- Maps and especially leak detection are popular, as expected

90 of 102 We developed a lot of stuff
- Routing loops
- Routing errors
- Can load expensive lines

91 of 102 We developed a lot of stuff
- Address space visualization
- Outliers
- Network usage at the class B level

92 of 102 Leak results
- Found home web businesses
- At least two clients have tapped leaks
  – One made front page news
- From the military: "the republic is a little safer"
- "Please don't call them leaks"
  – They aren't always a Bad Thing

93 of 102 Case studies: corp. networks
- Some intranet statistics

94 of 102 (image slide)

95 of 102 IPsonar, 2003

96 of 102 We developed a lot of stuff: multi-protocol ND (by service)
- Are there some kinds of packets that penetrate farther than others?
  – E.g. pings blocked, UDP probes continue
- Can show firewall leaks

97 of 102 We developed a lot of stuff: service discovery
- The obvious service port scans
- We do it as gently as possible

98 of 102 We developed a lot of stuff: perimeter map
- Where exactly are the edges of your network?
- Are there intranet sections reached through the Internet?

99 of 102 We developed a lot of stuff: Lumeta Network Index
- Computes an index of your network security
- Objective measurement of security
- Clients can vary what's important

100 of 102 We developed a lot of stuff: route sources
- What routers announce routes that aren't in our official list?
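The two route checks on slides 75 and 100, as one added example that is not Lumeta's code: given the official list of internal networks and a set of route observations (prefix, announcing router, vantage point), it reports routing leaks, meaning internal prefixes that are announced where the outside can see them (the "announced externally" half of slide 75; whether packets actually flow is what the leak probes test), and route sources, meaning routers announcing, on the inside, prefixes the official list knows nothing about. The official list, the observations and the vantage-point labels are constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed "official list": the networks the company believes it owns.
OFFICIAL_NETS = [ip_network(p) for p in ("10.0.0.0/8", "192.0.2.0/24")]

# Constructed observations: (prefix, announcing router, where the route was seen).
# "inside" is a routing table collected on the intranet, "outside" one seen from the Internet
# (a BGP feed or a looking glass, for instance).
OBSERVED_ROUTES = [
    ("10.0.0.0/8",      "10.0.0.254",  "inside"),
    ("10.42.0.0/16",    "10.42.0.1",   "inside"),   # more specific of 10/8: fine
    ("172.16.5.0/24",   "10.77.1.1",   "inside"),   # nobody put this on the official list
    ("10.200.0.0/16",   "203.0.113.1", "outside"),  # internal space visible from the Internet
    ("198.51.100.0/24", "203.0.113.1", "outside"),  # ordinary Internet route
]


def covered_by_official(net):
    """True if net lies inside some official network (exact match counts)."""
    return any(net.subnet_of(o) for o in OFFICIAL_NETS if net.version == o.version)


def routing_leaks(observed):
    """Internal prefixes announced where the outside can see them: (prefix, announcing router)."""
    return sorted({(p, r) for p, r, where in observed
                   if where == "outside" and covered_by_official(ip_network(p))})


def unofficial_sources(observed):
    """Routers announcing, on the inside, prefixes the official list does not cover,
    grouped by router so the people who run it can be asked what it is."""
    by_router = defaultdict(list)
    for p, r, where in observed:
        if where == "inside" and not covered_by_official(ip_network(p)):
            by_router[r].append(p)
    return {r: sorted(ps) for r, ps in by_router.items()}


if __name__ == "__main__":
    for prefix, router in routing_leaks(OBSERVED_ROUTES):
        print(f"routing leak: {prefix} announced by {router} is visible from the Internet")
    for router, prefixes in unofficial_sources(OBSERVED_ROUTES).items():
        print(f"unofficial route source: {router} announces {', '.join(prefixes)}")
```

The unofficial-source report is usually where the "network list cleaned up" work starts: each router on it is either announcing something that should be added to the official list or something that should not be there at all.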

101 of 102 We developed a lot of stuff: host enumeration and type
- Light-weight OS identification
- Not perfect, but very quick
- Non-intrusive. NOT nmap.

102 of 102 We developed a lot of stuff: wireless base station detection
- A lot of people care about this
- No antennas are involved
- We look for network signatures of base stations
  – User-configurable
- You can find them from far away
- Rogue ones are much less likely to evade detection than properly-run ones

103 of 102 The zeroth step in network management
- You can't secure what you don't know
- Large investment in security stuff, now aim it correctly
- I don't know how network managers run a large network without a tool like this
  – Legacy links are almost always there
  – Misconfigured DMZ hosts
  – Business partners
  – Personnel changes

104 of 102 What's next? IPv

105 of 102 (image slide)

106 of 102 IPv6 deployment
- Has been 3 years away since 1993
- Widely deployed in the Far East, and in the new cell phones
- Europe is getting on board
- US Government mandate
- Karl Siil and Lumeta are trying to figure all this out…we will still have perimeter defenses

107 of 102 Pondering and Patrolling Network Perimeters, Bill Cheswick (closing slide)