Defending Your Network: Identifying and Patrolling Your True Network Perimeter
Bill Cheswick, Chief Scientist, Lumeta Corp
(110 slides)
Pondering and Patrolling Perimeters
Bill Cheswick
ches@lumeta.com
http://www.lumeta.com
Patrolling the Perimeter: Talk Outline
- Outside: mapping the Internet
- A discussion of perimeter defenses
- Strong host security
- Mapping and understanding intranets
- The past and future of Microsoft host security
  – my Dad’s computer
The Internet Mapping Project
An experiment in exploring network connectivity
Motivations
- Highlands “day after” scenario
- Panix DoS attacks
  – a way to trace anonymous packets back!
- Visualization experiments
- Curiosity about size and growth of the Internet
- Databases for graph theorists, grad students, etc.
Methods - data collection
- Single reliable host connected at the company perimeter
- Daily full scan of Lucent
- Daily partial scan of Internet, monthly full scan
- One line of text per network scanned
  – Unix tools
- Use a light touch, so we don’t bother Internet denizens
Methods - network discovery (ND)
- Obtain master network list
  – network lists from Merit, RIPE, APNIC, etc.
  – BGP data or routing data from customers
  – hand-assembled list of Yugoslavia/Bosnia
- Run a traceroute-style scan towards each network
- Stop on error, completion, no data
  – Keep the natives happy
Intranet implications of Internet mapping
- High speed technique, able to handle the largest networks
- Light touch: “what are you going to do to my intranet?”
- Acquire and maintain databases of Internet network assignments and usage
Related Work
- See Martin Dodge’s cyber geography page
- MIDS - John Quarterman
- CAIDA - kc claffy
- Mercator
- “Measuring ISP topologies with rocketfuel” - 2002
  – Spring, Mahajan, Wetherall
- Enter “internet map” in your search engine
TTL probes
- Used by traceroute and other tools
- Probes toward each target network with increasing TTL
- Probes are ICMP, UDP, TCP to port 80, 25, 139, etc.
- Some people block UDP, others ICMP
Advantages
- We don’t need access (i.e., SNMP) to the routers
- It’s very fast
- Standard Internet tool: it doesn’t break things
- Insignificant load on the routers
- Not likely to show up on IDS reports
- We can probe with many packet types
Limitations
- View is from scanning host only
  – Multiple scan sources give a better view
- Outgoing paths only
- Layer 3 (IP) only
  – ATM networks appear as a single node
- Not all routers respond
  – Some are silent
  – Others are “shy” (RFC 1123 compliant), limited to one ICMP response per second
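The scan loop the last three slides describe (TTL probes toward each target network, stop on error, completion or no data, and a retry for "shy" rate-limited routers), as an added example that is not Lumeta's code. The talk does not give these details, so they are assumptions here: one UDP probe per TTL to the classic traceroute port range starting at 33434, a stop after three silent hops in a row, a single one-second retry for a silent hop, and the constructed three-target topology the offline `simulated_transport` uses. `udp_transport` is the real thing and needs root for its raw ICMP socket; `demo` runs the same `discover` loop against the simulation on a fake clock.

```python
"""Traceroute-style network discovery with the talk's stop rules.

Added example, not Lumeta's code. It walks TTL = 1, 2, 3, ... toward one address
in each target network and stops on error (ICMP unreachable), completion (the
target answered) or no data (max_silent silent hops in a row). A silent hop is
retried once after a one-second pause, since an RFC 1123 "shy" router sends at
most one ICMP error per second. The probe type, max_silent = 3 and the topology
below are assumptions, not figures from the talk.
"""
import socket
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# A transport answers one probe with (responding hop or None, kind), kind being
# one of "ttl_exceeded", "reached", "unreachable", "silent".
Transport = Callable[[str, int], Tuple[Optional[str], str]]

@dataclass
class Path:
    target: str
    hops: List[Optional[str]] = field(default_factory=list)
    stop_reason: str = ""

def discover(targets, probe: Transport, max_ttl=30, max_silent=3,
             retry_delay=1.0, sleep=time.sleep) -> List[Path]:
    """Light touch: a single probe per TTL, one retry for a silent hop."""
    paths = []
    for target in targets:
        path, silent_run = Path(target), 0
        for ttl in range(1, max_ttl + 1):
            hop, kind = probe(target, ttl)
            if kind == "silent":
                sleep(retry_delay)              # let a rate-limited router recover
                hop, kind = probe(target, ttl)
            path.hops.append(hop)
            if kind == "silent":
                silent_run += 1
                if silent_run >= max_silent:
                    path.stop_reason = "no data"
                    break
                continue
            silent_run = 0
            if kind in ("reached", "unreachable"):
                path.stop_reason = "completion" if kind == "reached" else "error"
                break
        else:
            path.stop_reason = "max ttl"
        paths.append(path)
    return paths

def udp_transport(base_port=33434, timeout=2.0) -> Transport:
    """Classic UDP traceroute probe. Needs root for the raw ICMP socket; the
    first ICMP message seen is assumed to answer our probe (a simplification)."""
    def probe(target, ttl):
        with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as rx, \
             socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
            rx.settimeout(timeout)
            tx.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)
            tx.sendto(b"", (target, base_port + ttl))
            try:
                data, (hop, _) = rx.recvfrom(1024)
            except socket.timeout:
                return None, "silent"
        ihl = (data[0] & 0x0F) * 4                      # skip the IPv4 header
        icmp_type, icmp_code = data[ihl], data[ihl + 1]
        if icmp_type == 11:
            return hop, "ttl_exceeded"
        if icmp_type == 3:                              # port unreachable comes from the target
            return hop, "reached" if icmp_code == 3 else "unreachable"
        return None, "silent"
    return probe

def simulated_transport(routes: Dict[str, List[str]], shy: frozenset,
                        now: Callable[[], float]) -> Transport:
    """Offline stand-in. routes maps target -> hops ending in the target (reached)
    or in "!" (previous hop answers unreachable). Hops in `shy` answer at most
    once per second, like an RFC 1123 router."""
    last_reply: Dict[str, float] = {}
    def probe(target, ttl):
        route = routes[target]
        if ttl > len(route):
            return None, "silent"
        hop = route[ttl - 1]
        if hop == "!":
            return route[ttl - 2], "unreachable"
        if hop in shy:
            if now() - last_reply.get(hop, -10.0) < 1.0:
                return None, "silent"
            last_reply[hop] = now()
        return hop, ("reached" if hop == target else "ttl_exceeded")
    return probe

# Constructed topology (documentation prefixes, not from the talk).
ROUTES = {
    "10.1.0.1": ["192.0.2.1", "198.51.100.7", "10.1.0.1"],
    "10.2.0.1": ["192.0.2.1", "198.51.100.7", "203.0.113.3", "!"],
    "10.3.0.1": ["192.0.2.1", "198.51.100.7"],        # goes dark after hop 2
}

def demo() -> Dict[str, Path]:
    """Run the scan against ROUTES on a fake clock, so nothing really sleeps."""
    clock = [0.0]
    def sleep(seconds): clock[0] += seconds
    probe = simulated_transport(ROUTES, frozenset({"198.51.100.7"}), lambda: clock[0])
    return {p.target: p for p in discover(list(ROUTES), probe, sleep=sleep)}
```

In `demo`, the shy hop 198.51.100.7 answers the first target immediately, goes silent for the next two targets until the one-second retry, and the third target's path ends with three `None` hops and a "no data" stop; the second ends with "error" when 203.0.113.3 answers unreachable. The same `discover` loop runs unchanged over `udp_transport`, which is where a real scan would also add a don't-scan list and a per-hop delay to keep the touch light.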
Data collection complaints
- Australian parliament was the first to complain
- List of whiners (25 nets)
- On the Internet, these complaints are mostly a thing of the past
  – Internet background radiation predominates
Intranet uses of the Don’t Scan list
- Hands off particular business partners
- Hands off especially sensitive networks
  – Hanging ATMs
  – 3B2s with broadcast storms
  – Wollongong software (!) on factory floor computers
- Intranet vs. ISP customer networks
Visualization goals
- make a map
  – show interesting features
  – debug our database and collection methods
  – hard to fold up
- geography doesn’t matter
- use colors to show further meaning
Visualization of the layout algorithm
Laying out the Internet graph
Visualization of the layout algorithm
Laying out an intranet
A simplified map, for the Internet layouts
- Minimum distance spanning tree uses 80% of the data
- Much easier visualization
- Most of the links still valid
- Redundancy is in the middle
Map slides (captions only):
- Colored by AS number
- Colored by IP address!
- Colored by geography
- Colored by ISP
- Colored by distance from scanning host
- US military reached by ICMP ping
- US military networks reached by UDP
Yugoslavia
An unclassified peek at a new battlefield
A film by Steve “Hollywood” Branigan...
End
Perimeter defenses
Perimeter defenses are a traditional means of protecting an area without hardening each of the things in that area
Why use a perimeter defense?
- It is cheaper
  – A man’s home is his castle, but most people can’t afford the moat
- You can concentrate your equipment and your expertise in a few areas
- It is simpler, and simpler security is usually better
  – Easier to understand and audit
  – Easier to spot broken parts
Photo slides (captions only):
- Perimeter Defense of the US Capitol Building
- Flower pots
- Security doesn’t have to be ugly
- Delta barriers
- Parliament: entrance
- Parliament: exit
What’s wrong with perimeter defenses
- They are useless against insider attacks
Edinburgh Castle
- fell through a hole in its perimeter
- fell to siege in three years in the 16th century
  – ran out of food and water
- Unsuccessful attack by Bonnie Prince Charlie in 1745
- Devastated in 1544 by the Earl of Hertford
What’s wrong with perimeter defenses (cont.)
- They provide a false sense of security
  – You still need to toughen up the inside, at least some
  – You need to hire enough defenders
What’s wrong with perimeter defenses (cont.)
- They don’t scale well
The Pretty Good Wall of China
Can we live without an intranet?
Strong host security
I can, but you probably can’t
- “Skinny-dipping” on the Internet since the mid 1990s
- The exposure focuses one clearly on the threats and proactive security
- It’s very convenient, for the services I dare to use
- Many important network services are difficult to harden
Skinny dipping rules
- Only minimal services are offered to the general public
  – ssh
  – Web server (jailed Apache)
  – DNS (self-chrooted)
  – SMTP (postfix, not sendmail)
- Children (like employees) and MSFT clients are untrustworthy
- Offer hardened local services at home, like Samba (chroot), POP3 (chroot)
- I’d like to offer other services, but they are hard to secure
Skinny dipping requires strong host security
- FreeBSD and Linux machines
- I am told that one can lock down an MSFT host, but there are hundreds of steps, and I don’t know how to do it.
- This isn’t just about operating systems: the most popular client applications are, in theory, very dangerous and, in practice, very dangerous.
  – Web browsers and mail readers have many dangerous features
Lately, I have been cheating
- Backup hosts are unreachable from the Internet (which is a perimeter defense of sorts), and do not trust the exposed hosts
- Public servers have lower privilege than my crown jewels
- This means I can experiment a bit more with the exposed hosts
Skinny dipping flaws
- Less defense in depth
- No protection from denial-of-service attacks
Hopes for Microsoft client security?
I’ll talk about it at the end of the talk.
Intranets
Networked perimeter defenses
“Anything large enough to be called an ‘intranet’ is out of control” - me
Intranets have been out of control since they were invented
- This is not the fault of network administrators
  – The technology is amenable to abuse
  – Decentralization was a design goal of the Internet
- CIOs and CSOs want centralized control of their network
- The legacy information is lost with rapid employee turnover
- M&A breaks carefully-planned networking
Perimeter security gives a false sense of security
- “Crunchy outside, and a soft, chewy center” – me
- I think 40 hosts is about the most that I can control within a perimeter.
  – Others can probably do better
- Internet worms are pop quizzes on perimeter security
Intranets: the rest of the Internet
History of the Project and Lumeta
- Started in August 1998 at Bell Labs
- April-June 1999: Yugoslavia mapping
- July 2000: first customer intranet scanned
- Sept. 2000: spun off Lumeta from Lucent/Bell Labs
- June 2002: “B” round funding completed
- 2003: sales >$4MM
- After three years of a service offering, we built IPSonar so you can run it yourself.
This was supposed to be a VPN
This is useful, but can we find hosts that have access across the perimeter?
Leaks
- We call the leaks shown in the maps “routing leaks”
- Can we find hosts that don’t forward packets, but straddle the perimeter?
- Yes: we call them “host leaks”, and detecting them is Lumeta’s “special sauce”
How to find host leaks
- Run a census with ICMP and/or UDP packets
- Test each machine to see if it can receive a probe from one network, and reply on another
- Not just dual-homed hosts
  – DMZ hosts, business partner machines, misconfigured VPN access
Leak Detection
[Diagram labels: Internet, intranet, mapping host A, test host B, mitt D, C]
- A sends packet to B, with spoofed return address of D
- If B can, it will reply to D with a response, possibly through a different interface
- Packet must be crafted so the response won’t be permitted through the firewall
- A variety of packet types and responses are used
- Either inside or outside address may be discovered
- Packet is labeled so we know where it came from
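The exchange on the two leak-detection slides, as an added example that is not Lumeta's implementation: mapping host A builds a probe for test host B whose source address is forged to the mitt D, and D recognizes a reply as coming from a host that can answer across the perimeter. The talk names no packet type or label format, so these are assumptions: an ICMP echo request as the probe, a payload label of target address, probe id and an 8-byte HMAC tag under a per-scan key that A and D share (so background radiation or a deliberately forged reply cannot be mistaken for a leak), and constructed documentation and private addresses throughout. `send_probe` needs root for the raw socket, and on a network that filters forged source addresses (BCP 38) the probe is dropped at the first hop; `simulate_reply` stands in for B so the round trip can be exercised offline.

```python
"""Crafting and recognizing host-leak probes.

Added example, not Lumeta's implementation; the talk gives only the outline
(A sends B a packet whose source is forged to the mitt D; a reply arriving at D
shows B can answer across the perimeter). Assumptions for illustration: the
probe is an ICMP echo request, the label is target + probe id + an 8-byte HMAC
tag under a per-scan key shared by A and D, and every address is a constructed
documentation or private address. Sending needs a raw socket (root).
"""
import hashlib
import hmac
import socket
import struct
from typing import Optional, Tuple

SCAN_KEY = b"assumed per-scan secret, rotated every run"

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF

def make_label(target: str, probe_id: int) -> bytes:
    """target(4) + id(2) + tag(8). D accepts only replies carrying a valid tag, so
    background noise or a hostile forged reply cannot be mistaken for a leak."""
    body = socket.inet_aton(target) + struct.pack("!H", probe_id)
    return body + hmac.new(SCAN_KEY, body, hashlib.sha256).digest()[:8]

def check_label(payload: bytes) -> Optional[Tuple[str, int]]:
    if len(payload) < 14:
        return None
    body, tag = payload[:6], payload[6:14]
    if not hmac.compare_digest(tag, hmac.new(SCAN_KEY, body, hashlib.sha256).digest()[:8]):
        return None
    return socket.inet_ntoa(body[:4]), struct.unpack("!H", body[4:6])[0]

def build_packet(src: str, dst: str, icmp_type: int, probe_id: int, payload: bytes) -> bytes:
    """IPv4 header + ICMP echo (8 = request, 0 = reply), both checksums filled in."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, probe_id & 0xFFFF, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), probe_id & 0xFFFF, 0,
                      64, socket.IPPROTO_ICMP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + icmp

def build_probe(mitt: str, target: str, probe_id: int) -> bytes:
    """What A sends to B: an echo request whose source address is forged to D."""
    return build_packet(mitt, target, 8, probe_id, make_label(target, probe_id))

def send_probe(packet: bytes, target: str) -> None:
    """Hand the crafted header to the kernel unchanged (needs root; a network that
    filters spoofed sources per BCP 38 drops it on the first hop)."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
        s.sendto(packet, (target, 0))

def classify_reply(raw: bytes) -> Optional[dict]:
    """Run on the mitt D over a captured IPv4 packet. A labeled echo reply means the
    probed host reached D; its source address is the interface B chose, which may
    be the one on the far side of the perimeter."""
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != socket.IPPROTO_ICMP or raw[ihl] != 0:   # not an echo reply
        return None
    if inet_checksum(raw[:ihl]) != 0:                    # damaged header
        return None
    label = check_label(raw[ihl + 8:])
    if label is None:
        return None
    probed, probe_id = label
    replied_from = socket.inet_ntoa(raw[12:16])
    return {"probed": probed, "id": probe_id, "replied_from": replied_from,
            "via_other_interface": replied_from != probed}

def simulate_reply(probe: bytes, reply_src: str) -> bytes:
    """Constructed stand-in for B answering: an echo reply with the same id and
    payload, sent from whichever of B's addresses its routing table picked."""
    ihl = (probe[0] & 0x0F) * 4
    mitt = socket.inet_ntoa(probe[12:16])
    probe_id = struct.unpack("!H", probe[ihl + 4:ihl + 6])[0]
    return build_packet(reply_src, mitt, 0, probe_id, probe[ihl + 8:])
```

A reply whose source differs from the probed address is the "either inside or outside address may be discovered" case: B answered from its other interface. Whether a given reply type would have been stopped by the firewall is a per-site question; the probe type and the expected reply are what the slides say must be chosen so that a reply reaching D is itself the evidence.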
Leaks are not always bad
- Depends on the network policy
- Often, outgoing leaks are ok
- Sometimes our test packets get through, but not the services you are worrying about
- “Please don’t call them leaks”
- Until this test, there was no way for the CIO to detect them, good or bad
- Patent pending…
We developed a lot of stuff
- Leak detection (that’s the special sauce)
- Route discovery
- Host enumeration and identification
- Server discovery
- Lots of reports…the hardest part
- Wireless base station discovery
- And more…ask the sales people
- The “zeroth step in network intelligence” – me
Case studies: corp. networks
Some intranet statistics
Some Lumeta lessons
- Reporting is the really hard part
  – Converting data to information
- “Tell me how we compare to other clients”
- Offering a service was good practice, for a while
- We have >70 Fortune-200 companies and government agencies as clients
- Need-to-have vs. want-to-have
Microsoft client security
It has been getting worse
Case study: My Dad’s computer
- Windows XP, plenty of horsepower, two screens
- Applications:
  – Email (Outlook)
  – “Bridge:” a fancy stock market monitoring system
  – AIM
- Cable access, dynamic IP address, no NAT, no firewall, outdated virus software, no spyware checker
This computer was a software toxic waste dump
- It was burning a quart of software every 300 miles
- The popups seemed darned distracting to me
- But he thought it was fine
  – Got his work done
  – Didn’t want a system administrator to break his user interface somehow
Microsoft’s Augean Stables
3000 oxen, 30 years: that’s roughly one ox-day per line of code in Windows
Windows ME
Active Connections - Win ME
  Proto  Local Address        Foreign Address  State
  TCP    127.0.0.1:1032       0.0.0.0:0        LISTENING
  TCP    223.223.223.10:139   0.0.0.0:0        LISTENING
  UDP    0.0.0.0:1025         *:*
  UDP    0.0.0.0:1026         *:*
  UDP    0.0.0.0:31337        *:*
  UDP    0.0.0.0:162          *:*
  UDP    223.223.223.10:137   *:*
  UDP    223.223.223.10:138   *:*
Windows 2000
  Proto  Local Address        Foreign Address  State
  TCP    0.0.0.0:135          0.0.0.0:0        LISTENING
  TCP    0.0.0.0:445          0.0.0.0:0        LISTENING
  TCP    0.0.0.0:1029         0.0.0.0:0        LISTENING
  TCP    0.0.0.0:1036         0.0.0.0:0        LISTENING
  TCP    0.0.0.0:1078         0.0.0.0:0        LISTENING
  TCP    0.0.0.0:1080         0.0.0.0:0        LISTENING
  TCP    0.0.0.0:1086         0.0.0.0:0        LISTENING
  TCP    0.0.0.0:6515         0.0.0.0:0        LISTENING
  TCP    127.0.0.1:139        0.0.0.0:0        LISTENING
  UDP    0.0.0.0:445          *:*
  UDP    0.0.0.0:1038         *:*
  UDP    0.0.0.0:6514         *:*
  UDP    0.0.0.0:6515         *:*
  UDP    127.0.0.1:1108       *:*
  UDP    223.223.223.96:500   *:*
  UDP    223.223.223.96:4500  *:*
Windows XP, this laptop
  Proto  Local Address          Foreign Address  State
  TCP    ches-pc:epmap          ches-pc:0        LISTENING
  TCP    ches-pc:microsoft-ds   ches-pc:0        LISTENING
  TCP    ches-pc:1025           ches-pc:0        LISTENING
  TCP    ches-pc:1036           ches-pc:0        LISTENING
  TCP    ches-pc:3115           ches-pc:0        LISTENING
  TCP    ches-pc:3118           ches-pc:0        LISTENING
  TCP    ches-pc:3470           ches-pc:0        LISTENING
  TCP    ches-pc:3477           ches-pc:0        LISTENING
  TCP    ches-pc:5000           ches-pc:0        LISTENING
  TCP    ches-pc:6515           ches-pc:0        LISTENING
  TCP    ches-pc:netbios-ssn    ches-pc:0        LISTENING
  TCP    ches-pc:3001           ches-pc:0        LISTENING
  TCP    ches-pc:3002           ches-pc:0        LISTENING
  TCP    ches-pc:3003           ches-pc:0        LISTENING
  TCP    ches-pc:5180           ches-pc:0        LISTENING
  UDP    ches-pc:microsoft-ds   *:*
  UDP    ches-pc:isakmp         *:*
  UDP    ches-pc:1027           *:*
  UDP    ches-pc:3008           *:*
  UDP    ches-pc:3473           *:*
  UDP    ches-pc:6514           *:*
  UDP    ches-pc:6515           *:*
  UDP    ches-pc:netbios-ns     *:*
  UDP    ches-pc:netbios-dgm    *:*
  UDP    ches-pc:1900           *:*
  UDP    ches-pc:ntp            *:*
  UDP    ches-pc:1900           *:*
  UDP    ches-pc:3471           *:*
FreeBSD partition, this laptop
Active Internet connections (including servers)
  Proto  Recv-Q  Send-Q  Local Address  Foreign Address  (state)
  tcp4   0       0       *.22           *.*              LISTEN
  tcp6   0       0       *.22           *.*              LISTEN
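The four listings above are the raw material for the point the slides make (how many services each system offers to the network, before any firewall), so here is an added example, not from the talk, that turns `netstat` output of both styles shown (Windows `netstat -a`/`-an` and BSD `netstat -an`) into an exposure count: listeners bound to anything other than a loopback address. The service-name table is an assumption (the standard IANA names for the names the XP slide prints, which `netstat` shows when run without `-n`); the sample listings are copied from the slides.

```python
"""Turning netstat listings into an exposure report.

Added example, not from the talk. It parses the two listing styles on the slides
(Windows `netstat -a` / `netstat -an`, and BSD `netstat -an`) and reports which
listeners are reachable from other hosts, i.e. not bound to a loopback address.
The service-name table is an assumption (standard IANA names for the names the
XP slide prints); the sample listings are copied from the slides.
"""
from typing import Dict, List, NamedTuple

SERVICE_PORTS = {"epmap": 135, "netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139,
                 "microsoft-ds": 445, "isakmp": 500, "ntp": 123, "ssh": 22}

class Listener(NamedTuple):
    proto: str      # "tcp" or "udp"
    address: str    # bind address as printed: "0.0.0.0", "*", "127.0.0.1" or a hostname
    port: int       # -1 when netstat printed a service name this table does not know
    exposed: bool   # False only for loopback-bound sockets

def _endpoint(text: str, bsd: bool) -> tuple:
    """Windows prints addr:port, BSD prints addr.port; split on the last separator."""
    addr, _, port = text.rpartition("." if bsd else ":")
    return addr, port

def parse_netstat(text: str) -> List[Listener]:
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0][:3].lower() not in ("tcp", "udp"):
            continue                                    # header line or noise
        proto = fields[0][:3].lower()
        bsd = fields[1].isdigit()                       # BSD has Recv-Q/Send-Q columns
        if proto == "tcp" and "LISTEN" not in fields[-1]:
            continue                                    # established or closing connection
        addr, port = _endpoint(fields[3] if bsd else fields[1], bsd)
        loopback = addr.startswith("127.") or addr in ("localhost", "::1")
        port_no = int(port) if port.isdigit() else SERVICE_PORTS.get(port, -1)
        listeners.append(Listener(proto, addr, port_no, not loopback))
    return listeners

def exposure_report(text: str) -> Dict[str, object]:
    """Count listeners and list the (proto, port) pairs other hosts can reach."""
    listeners = parse_netstat(text)
    exposed = [l for l in listeners if l.exposed]
    return {"listeners": len(listeners), "exposed": len(exposed),
            "exposed_ports": sorted({(l.proto, l.port) for l in exposed})}

# Sample listings copied from the slides (Windows ME, a few Windows XP lines, FreeBSD).
WIN_ME = """\
Proto Local Address Foreign Address State
TCP 127.0.0.1:1032 0.0.0.0:0 LISTENING
TCP 223.223.223.10:139 0.0.0.0:0 LISTENING
UDP 0.0.0.0:1025 *:*
UDP 0.0.0.0:1026 *:*
UDP 0.0.0.0:31337 *:*
UDP 0.0.0.0:162 *:*
UDP 223.223.223.10:137 *:*
UDP 223.223.223.10:138 *:*
"""
WIN_XP_SAMPLE = """\
TCP ches-pc:epmap ches-pc:0 LISTENING
UDP ches-pc:isakmp *:*
UDP ches-pc:netbios-ns *:*
"""
FREEBSD = """\
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 *.22 *.* LISTEN
tcp6 0 0 *.22 *.* LISTEN
"""
```

On the slide data this gives seven exposed listeners for Windows ME (everything but the loopback-bound TCP 1032) against two for the FreeBSD partition, both of them sshd on port 22. A hostname in the local-address column (the XP listing) is treated as exposed, since `netstat` without `-n` prints the host's own name for a wildcard bind; an unknown service name yields port -1 rather than a guess.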
Microsoft really means it about improving their security
- Their security commitment appears to be real
- It is a huge job
- Opposing forces are unclear to me
- It’s been a long time coming, and frustrating
Microsoft really means it about improving their security (cont.)
- They need world-class sandboxes, many more layers in their security, and much safer defaults
- A Microsoft “terminal” will benefit millions of users
Windows OK
- Thin client implemented with Windows
- It would be fine for maybe half the Windows users
  – Students, consumers, many corporate and government users
- It would be reasonable to skinny dip with this client
  – Without firewall or virus checking software
Windows OK (cont.)
- No network listeners
  – None of those services are needed, except admin access for centrally-administered hosts
- Default security settings, all available on the control panel security screen
- Security settings can be locked
Windows OK (cont.)
- Reduce privileges in servers and all programs
- Sandbox programs
  – Belt and suspenders
Windows OK (cont.)
- There should be nothing you can click on, in email or a web page, that can hurt your computer
  – No portable programs are executed ever, except…
- ActiveX from approved parties
  – MSFT and one or two others. List is lockable
Office OK
- No macros in Word or PowerPoint. No executable code in PowerPoint files
- The only macros allowed in Excel perform arithmetic. They cannot create files, etc.
Vulnerabilities in OK
- Buffer overflows in processing of data (not from the network)
- Stop adding new features and focus on bug fixes
- Programmers can clean up bugs, if they don’t have a moving target
  – It converges, to some extent