Defending Your Network: Identifying and Patrolling Your True Network Perimeter
Bill Cheswick, Chief Scientist, Lumeta Corp.
(Presentation transcript, 110 slides)

Slide 1: Defending Your Network: Identifying and Patrolling Your True Network Perimeter
Bill Cheswick, Chief Scientist, Lumeta Corp.

Slide 2: Pondering and Patrolling Perimeters
Bill Cheswick, ches@lumeta.com, http://www.lumeta.com

Slide 3: Talk Outline
- Outside: mapping the Internet
- A discussion of perimeter defenses
- Strong host security
- Mapping and understanding intranets
- The past and future of Microsoft host security
    - my Dad's computer

Slide 4: The Internet Mapping Project
An experiment in exploring network connectivity

Slide 5: Motivations
- Highlands "day after" scenario
- Panix DOS attacks
    - a way to trace anonymous packets back!
- Visualization experiments
- Curiosity about size and growth of the Internet
- Databases for graph theorists, grad students, etc.

Slide 6: Methods - data collection
- Single reliable host connected at the company perimeter
- Daily full scan of Lucent
- Daily partial scan of the Internet, monthly full scan
- One line of text per network scanned
    - Unix tools
- Use a light touch, so we don't bother Internet denizens

Slide 7: Methods - network discovery (ND)
- Obtain master network list
    - network lists from Merit, RIPE, APNIC, etc.
    - BGP data or routing data from customers
    - hand-assembled list of Yugoslavia/Bosnia
- Run a traceroute-style scan towards each network
- Stop on error, completion, no data
    - Keep the natives happy

Slide 8: Intranet implications of Internet mapping
- High speed technique, able to handle the largest networks
- Light touch: "what are you going to do to my intranet?"
- Acquire and maintain databases of Internet network assignments and usage

Slide 9: Related Work
- See Martin Dodge's cyber geography page
- MIDS - John Quarterman
- CAIDA - kc claffy
- Mercator
- "Measuring ISP topologies with rocketfuel" - 2002
    - Spring, Mahajan, Wetherall
- Enter "internet map" in your search engine

Slide 10: TTL probes
- Used by traceroute and other tools
- Probes toward each target network with increasing TTL
- Probes are ICMP, UDP, TCP to port 80, 25, 139, etc.
- Some people block UDP, others ICMP

Slide 11: Advantages
- We don't need access (i.e. SNMP) to the routers
- It's very fast
- Standard Internet tool: it doesn't break things
- Insignificant load on the routers
- Not likely to show up on IDS reports
- We can probe with many packet types

Slide 12: Limitations
- View is from the scanning host only
    - Multiple scan sources give a better view
- Outgoing paths only
- Level 3 (IP) only
    - ATM networks appear as a single node
- Not all routers respond
    - Some are silent
    - Others are "shy" (RFC 1123 compliant), limited to one response per second

Slide 13: Data collection complaints
- Australian parliament was the first to complain
- List of whiners (25 nets)
- On the Internet, these complaints are mostly a thing of the past
    - Internet background radiation predominates

Slide 14: Intranet uses of the Don't Scan list
- Hands off particular business partners
- Hands off especially sensitive networks
    - Hanging ATMs
    - 3B2s with broadcast storms
    - Wollongong software (!) on factory floor computers
- Intranet vs. ISP customer networks

Slide 15: Visualization goals
- make a map
    - show interesting features
    - debug our database and collection methods
    - hard to fold up
- geography doesn't matter
- use colors to show further meaning

Slide 16: (map image)

Slide 17: Visualization of the layout algorithm
Laying out the Internet graph

Slide 18: (map image)

Slide 19: Visualization of the layout algorithm
Laying out an intranet

Slide 20: (map image)

Slide 21: A simplified map, for the Internet layouts
- Minimum distance spanning tree uses 80% of the data
- Much easier visualization
- Most of the links still valid
- Redundancy is in the middle
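As an added example (not code from the talk, and not Lumeta's own tooling), the following toy model walks through the two steps the slides describe: TTL-limited path discovery as on slide 10 (stop on completion or no data, silent routers as on slide 12) and the minimum-distance spanning tree used for the simplified map on slide 21. Real probing needs raw sockets and a live network; the model replaces that with a constructed table of forwarding paths, a constructed topology, and one constructed silent router. All node names are made up.

```python
"""Toy model of TTL-probe path discovery plus the minimum-distance spanning
tree simplification. Added example; the topology, forwarding paths and
silent router are all constructed and stand in for live traceroute data."""
from collections import deque

SCAN_HOST = "scan"

# Constructed forwarding paths from the scanning host to each target network.
# Real routing is neither hop-count-shortest nor symmetric, so the model
# simply fixes the path each probe follows (assumption, not real data).
FORWARDING_PATHS = {
    "net-a": ["scan", "r1", "r2", "r4", "net-a"],
    "net-b": ["scan", "r1", "r2", "r5", "net-b"],
    "net-c": ["scan", "r1", "r3", "net-c"],
    "net-d": ["scan", "r1", "r3", "r4", "net-d"],
}

# Routers that never answer a TTL-expired probe (slide 12: "some are silent").
SILENT_ROUTERS = {"r3"}


def probe(target, ttl):
    """One TTL-limited probe toward `target`: returns the hop where the TTL
    hits zero, None if that hop is silent, or the target once TTL reaches it."""
    path = FORWARDING_PATHS[target]
    if ttl >= len(path) - 1:
        return path[-1]                 # probe arrived: completion
    hop = path[ttl]
    return None if hop in SILENT_ROUTERS else hop


def traceroute(target, max_ttl=30):
    """Increase TTL until the target answers or max_ttl runs out.
    A silent hop becomes a placeholder named after the last responder and
    the TTL, so two paths through the same silent router still merge."""
    hops = []
    last_responder = SCAN_HOST
    for ttl in range(1, max_ttl + 1):
        hop = probe(target, ttl)
        if hop is None:
            hop = "?after-%s@%d" % (last_responder, ttl)
        else:
            last_responder = hop
        hops.append(hop)
        if hop == target:
            break
    return hops


def observed_graph(targets):
    """Union of all discovered paths as undirected links."""
    edges = set()
    for target in targets:
        path = [SCAN_HOST] + traceroute(target)
        for a, b in zip(path, path[1:]):
            edges.add(frozenset((a, b)))
    return edges


def min_distance_spanning_tree(edges, root=SCAN_HOST):
    """Breadth-first tree from the scanning host: every node keeps only the
    link on its shortest observed path back to the root."""
    adj = {}
    for e in edges:
        a, b = sorted(e)
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen = {root}
    tree = set()
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for nxt in sorted(adj.get(node, ())):
            if nxt not in seen:
                seen.add(nxt)
                tree.add(frozenset((node, nxt)))
                queue.append(nxt)
    return tree


def simplify(targets):
    """Return (all observed links, spanning-tree links, links the tree drops)."""
    edges = observed_graph(targets)
    tree = min_distance_spanning_tree(edges)
    return edges, tree, edges - tree


if __name__ == "__main__":
    targets = sorted(FORWARDING_PATHS)
    edges, tree, dropped = simplify(targets)
    for t in targets:
        print(t, "->", " ".join(traceroute(t)))
    print("observed links:", len(edges), "tree links:", len(tree),
          "kept %.0f%%" % (100.0 * len(tree) / len(edges)))
    print("dropped:", [tuple(sorted(e)) for e in dropped])
```

Running the script shows the two paths through the silent router collapsing onto one placeholder hop, and the single link the tree discards (r2 to r4) sitting in the middle of the graph rather than at the edges, which is the effect the slide summarizes as "redundancy is in the middle".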

Slide 22: Colored by AS number (map image)

Slide 23: Map Coloring
- distance from test host
- IP address
    - shows communities
- Geographical (by TLD)
- ISPs
- future
    - timing, firewalls, LSRR blocks

Slide 24: Colored by IP address! (map image)

Slide 25: Colored by geography (map image)

Slide 26: Colored by ISP (map image)

Slide 27: Colored by distance from scanning host (map image)

Slide 28: US military reached by ICMP ping (map image)

Slide 29: US military networks reached by UDP (map image)

Slide 30: (map image)

Slide 31: (map image)

Slide 32: Yugoslavia
An unclassified peek at a new battlefield

Slide 33: (map image)

Slide 34: A film by Steve "Hollywood" Branigan...

Slide 35: (image)

Slide 36: The end

Slide 37: Perimeter defenses

Slide 38: Perimeter defenses are a traditional means of protecting an area without hardening each of the things in that area.

Slide 39: Why use a perimeter defense?
- It is cheaper
    - A man's home is his castle, but most people can't afford the moat
- You can concentrate your equipment and your expertise in a few areas
- It is simpler, and simpler security is usually better
    - Easier to understand and audit
    - Easier to spot broken parts

Slide 40: Perimeter Defense of the US Capitol Building (image)

Slide 41: Flower pots (image)

Slide 42: (image)

Slide 43: Security doesn't have to be ugly (image)

Slide 44: (image)

Slide 45: (image)

Slide 46: (image)

Slide 47: (image)

Slide 48: Delta barriers (image)

Slide 49: Parliament: entrance (image)

Slide 50: Parliament: exit (image)

Slide 51: What's wrong with perimeter defenses
- They are useless against insider attacks

Slide 52: Edinburgh Castle
- fell through a hole in its perimeter
- fell to siege in three years in the 16th century
    - ran out of food and water
- Unsuccessful attack by Bonnie Prince Charlie in 1745
- Devastated in 1544 by the Earl of Hertford

Slide 53: What's wrong with perimeter defenses
- They are useless against insider attacks
- They provide a false sense of security
    - You still need to toughen up the inside, at least some
    - You need to hire enough defenders

Slide 54: (image)

Slide 55: (image)

Slide 56: What's wrong with perimeter defenses
- They are useless against insider attacks
- They provide a false sense of security
    - You still need to toughen up the inside, at least some
- They don't scale well

Slide 57: The Pretty Good Wall of China

Slide 58: (image)

Slide 59: (image)

Slide 60: (image)

Slide 61: Can we live without an intranet?
Strong host security

Slide 62: I can, but you probably can't
- "Skinny-dipping" on the Internet since the mid 1990s
- The exposure focuses one clearly on the threats and proactive security
- It's very convenient, for the services I dare to use
- Many important network services are difficult to harden

Slide 63: Skinny dipping rules
- Only minimal services are offered to the general public
    - ssh
    - Web server (jailed Apache)
    - DNS (self chrooted)
    - SMTP (postfix, not sendmail)
- Children (like employees) and MSFT clients are untrustworthy
- Offer hardened local services at home, like SAMBA (chroot), POP3 (chroot)
- I'd like to offer other services, but they are hard to secure

Slide 64: Skinny dipping requires strong host security
- FreeBSD and Linux machines
- I am told that one can lock down an MSFT host, but there are hundreds of steps, and I don't know how to do it.
- This isn't just about operating systems: the most popular client applications are, in theory, very dangerous and, in practice, very dangerous.
    - Web browsers and mail readers have many dangerous features

Slide 65: Lately, I have been cheating
- Backup hosts are unreachable from the Internet (which is a perimeter defense of sorts), and do not trust the exposed hosts
- Public servers have lower privilege than my crown jewels
- This means I can experiment a bit more with the exposed hosts

Slide 66: Skinny dipping flaws
- Less depth to the defense

Slide 67: (image)

Slide 68: Skinny dipping flaws
- Less defense in depth
- No protection from denial-of-service attacks

Slide 69: Hopes for Microsoft client security?
I'll talk about it at the end of the talk.

Slide 70: Intranets
Networked perimeter defenses

Slide 71: "Anything large enough to be called an 'intranet' is out of control" - me

Slide 72: Intranets have been out of control since they were invented
- This is not the fault of network administrators
    - The technology is amenable to abuse
    - Decentralization was a design goal of the Internet
- CIOs and CSOs want centralized control of their network
- The legacy information is lost with rapid employee turnover
- M&A breaks carefully-planned networking

Slide 73: Perimeter security gives a false sense of security
- "Crunchy outside, and a soft, chewy center" - Me
- I think 40 hosts is about the most that I can control within a perimeter.
    - Others can probably do better
- Internet worms are pop quizzes on perimeter security

Slide 74: Intranets: the rest of the Internet

Slide 75: History of the Project and Lumeta
- Started in August 1998 at Bell Labs
- April-June 1999: Yugoslavia mapping
- July 2000: first customer intranet scanned
- Sept. 2000: spun off Lumeta from Lucent/Bell Labs
- June 2002: "B" round funding completed
- 2003: sales >$4MM
- After three years of a service offering, we built IPSonar so you can run it yourself.

Slide 76: (map image)

Slide 77: (map image)

Slide 78: (map image)

Slide 79: (map image)

Slide 80: (map image)

Slide 81: This was Supposed To be a VPN (map image)

Slide 82: (map image)

Slide 83: (map image)

Slide 84: This is useful, but can we find hosts that have access across the perimeter?

Slide 85: Leaks
- We call the leaks shown in the maps "routing leaks"
- Can we find hosts that don't forward packets, but straddle the perimeter?
- Yes: we call them "host leaks", and detecting them is Lumeta's "special sauce"

Slide 86: How to find host leaks
- Run a census with ICMP and/or UDP packets
- Test each machine to see if it can receive a probe from one network, and reply on another
- Not just dual-homed hosts
- DMZ hosts, business partner machines, misconfigured VPN access

Slide 87: Leak Detection
(diagram: Internet / intranet; mapping host A, test host B, "mitt" D, C)
- A sends a packet to B, with spoofed return address of D
- If B can, it will reply to D with a response, possibly through a different interface

Slide 88: Leak Detection
(same diagram)
- Packet must be crafted so the response won't be permitted through the firewall
- A variety of packet types and responses are used
- Either inside or outside address may be discovered
- Packet is labeled so we know where it came from

Slide 89: Leaks are not always bad
- Depends on the network policy
- Often, outgoing leaks are ok
- Sometimes our test packets get through, but not the services you are worrying about
- "Please don't call them leaks"
- Until this test, there was no way for the CIO to detect them, good or bad
- Patent pending...

Slide 90: We developed a lot of stuff
- Leak detection (that's the special sauce)
- Route discovery
- Host enumeration and identification
- Server discovery
- Lots of reports...the hardest part
- Wireless base station discovery
- And more...ask the sales people
- The "zeroth step in network intelligence" - me

Slide 91: Case studies: corp. networks
Some intranet statistics

Slide 92: Some Lumeta lessons
- Reporting is the really hard part
    - Converting data to information
- "Tell me how we compare to other clients"
- Offering a service was good practice, for a while
- We have >70 Fortune-200 companies and government agencies as clients
- Need-to-have vs. want-to-have

Slide 93: Microsoft client security
It has been getting worse

Slide 94: Case study: My Dad's computer
- Windows XP, plenty of horsepower, two screens
- Applications:
    - Email (Outlook)
    - "Bridge:" a fancy stock market monitoring system
    - AIM
- Cable access, dynamic IP address, no NAT, no firewall, outdated virus software, no spyware checker

Slide 95: This computer was a software toxic waste dump
- It was burning a quart of software every 300 miles
- The popups seemed darned distracting to me
- But he thought it was fine
    - Got his work done
    - Didn't want a system administrator to break his user interface somehow

Slide 96: Microsoft's Augean Stables
3000 oxen, 30 years, that's roughly one oxen-day per line of code in Windows

Slide 97: Windows ME

  Active Connections - Win ME
  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:1032         0.0.0.0:0              LISTENING
  TCP    223.223.223.10:139     0.0.0.0:0              LISTENING
  UDP    0.0.0.0:1025           *:*
  UDP    0.0.0.0:1026           *:*
  UDP    0.0.0.0:31337          *:*
  UDP    0.0.0.0:162            *:*
  UDP    223.223.223.10:137     *:*
  UDP    223.223.223.10:138     *:*

Slide 98: Windows 2000

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1029           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1036           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1078           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1086           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6515           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:139          0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:1038           *:*
  UDP    0.0.0.0:6514           *:*
  UDP    0.0.0.0:6515           *:*
  UDP    127.0.0.1:1108         *:*
  UDP    223.223.223.96:500     *:*
  UDP    223.223.223.96:4500    *:*

Slide 99: Windows XP, this laptop

  Proto  Local Address          Foreign Address        State
  TCP    ches-pc:epmap          ches-pc:0              LISTENING
  TCP    ches-pc:microsoft-ds   ches-pc:0              LISTENING
  TCP    ches-pc:1025           ches-pc:0              LISTENING
  TCP    ches-pc:1036           ches-pc:0              LISTENING
  TCP    ches-pc:3115           ches-pc:0              LISTENING
  TCP    ches-pc:3118           ches-pc:0              LISTENING
  TCP    ches-pc:3470           ches-pc:0              LISTENING
  TCP    ches-pc:3477           ches-pc:0              LISTENING
  TCP    ches-pc:5000           ches-pc:0              LISTENING
  TCP    ches-pc:6515           ches-pc:0              LISTENING
  TCP    ches-pc:netbios-ssn    ches-pc:0              LISTENING
  TCP    ches-pc:3001           ches-pc:0              LISTENING
  TCP    ches-pc:3002           ches-pc:0              LISTENING
  TCP    ches-pc:3003           ches-pc:0              LISTENING
  TCP    ches-pc:5180           ches-pc:0              LISTENING
  UDP    ches-pc:microsoft-ds   *:*
  UDP    ches-pc:isakmp         *:*
  UDP    ches-pc:1027           *:*
  UDP    ches-pc:3008           *:*
  UDP    ches-pc:3473           *:*
  UDP    ches-pc:6514           *:*
  UDP    ches-pc:6515           *:*
  UDP    ches-pc:netbios-ns     *:*
  UDP    ches-pc:netbios-dgm    *:*
  UDP    ches-pc:1900           *:*
  UDP    ches-pc:ntp            *:*
  UDP    ches-pc:1900           *:*
  UDP    ches-pc:3471           *:*

Slide 100: FreeBSD partition, this laptop

  Active Internet connections (including servers)
  Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
  tcp4       0      0  *.22                   *.*                    LISTEN
  tcp6       0      0  *.22                   *.*                    LISTEN
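The point of slides 97 through 100 is the contrast between a Windows box with a dozen or more network-reachable listeners and a FreeBSD box with one (ssh). The following added example (not code from the talk) turns that eyeball comparison into a small triage script: it parses the numeric `netstat -an` form shown on the Windows 2000 slide, drops sockets bound to loopback (127.x), and reports what is reachable from the network with a short well-known-port annotation. The listing is the one from slide 98, re-split into lines here; the port names are assumed from the standard IANA assignments, and anything not in the small table is labelled as unknown or ephemeral rather than guessed.

```python
"""Triage of Windows `netstat -an` output: which listeners are reachable
from the network? Added example; the sample listing is the Windows 2000
slide re-split into lines, the port annotations are an assumption drawn
from standard IANA assignments."""
import re

# Listing from the Windows 2000 slide (the slide text carries no line breaks,
# so the lines are split by hand here).
WIN2K_NETSTAT = """\
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
TCP    0.0.0.0:1029           0.0.0.0:0              LISTENING
TCP    0.0.0.0:1036           0.0.0.0:0              LISTENING
TCP    0.0.0.0:1078           0.0.0.0:0              LISTENING
TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
TCP    0.0.0.0:1086           0.0.0.0:0              LISTENING
TCP    0.0.0.0:6515           0.0.0.0:0              LISTENING
TCP    127.0.0.1:139          0.0.0.0:0              LISTENING
UDP    0.0.0.0:445            *:*
UDP    0.0.0.0:1038           *:*
UDP    0.0.0.0:6514           *:*
UDP    0.0.0.0:6515           *:*
UDP    127.0.0.1:1108         *:*
UDP    223.223.223.96:500     *:*
UDP    223.223.223.96:4500    *:*
"""

# Well-known assignments for the ports that matter here (assumption: IANA names).
WELL_KNOWN = {
    135: "epmap (RPC endpoint mapper)",
    139: "netbios-ssn",
    445: "microsoft-ds (SMB)",
    500: "isakmp (IKE)",
    4500: "ipsec-nat-t",
}

# One socket line: proto, local addr:port, foreign addr, optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Parse numeric netstat lines into dicts; header and junk lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, addr, port, _foreign, state = m.groups()
        entries.append({"proto": proto, "addr": addr, "port": int(port), "state": state})
    return entries


def exposed_listeners(entries):
    """Keep TCP sockets in LISTENING state and all UDP sockets, except those
    bound to loopback, which only local processes can reach."""
    exposed = []
    for e in entries:
        if e["proto"] == "TCP" and e["state"] != "LISTENING":
            continue
        if e["addr"].startswith("127."):
            continue
        exposed.append(e)
    return exposed


def summarize(text):
    """Sorted (proto, port, scope, annotation) rows for the network-reachable sockets."""
    rows = []
    for e in exposed_listeners(parse_netstat(text)):
        scope = "all interfaces" if e["addr"] == "0.0.0.0" else e["addr"]
        rows.append((e["proto"], e["port"], scope, WELL_KNOWN.get(e["port"], "unknown/ephemeral")))
    return sorted(rows)


if __name__ == "__main__":
    for proto, port, scope, note in summarize(WIN2K_NETSTAT):
        print("%-3s %5d  %-16s %s" % (proto, port, scope, note))
```

On the slide's data this yields 14 network-reachable sockets out of 16, with only the 139/tcp and 1108/udp loopback bindings excluded; the same script run against the FreeBSD listing on slide 100 would need a second line format (the BSD `*.22` notation), which is left out here. The Windows XP slide uses service names rather than numbers, so for that host the numeric `netstat -an` form is the one to capture.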

Slide 101: Microsoft really means it about improving their security
- Their security commitment appears to be real
- It is a huge job
- Opposing forces are unclear to me
- It's been a long time coming, and frustrating

Slide 102: Microsoft really means it about improving their security
- They need world-class sandboxes, many more layers in their security, and much safer defaults
- A Microsoft "terminal" will benefit millions of users

Slide 103: Windows OK
- Thin client implemented with Windows
- It would be fine for maybe half the Windows users
    - Students, consumers, many corporate and government users
- It would be reasonable to skinny dip with this client
    - Without firewall or virus checking software

Slide 104: Windows OK
- No network listeners
    - None of those services are needed, except admin access for centrally-administered hosts
- Default security settings, all available on the control panel security screen
- Security settings can be locked

Slide 105: Windows OK
- Reduce privileges in servers and all programs
- Sandbox programs
    - Belt and suspenders

Slide 106: Windows OK (cont)
- There should be nothing you can click on, in email or a web page, that can hurt your computer
    - No portable programs are executed ever, except...
- ActiveX from approved parties
    - MSFT and one or two others. List is lockable

Slide 107: Office OK
- No macros in Word or PowerPoint. No executable code in PowerPoint files
- The only macros allowed in Excel perform arithmetic. They cannot create files, etc.

Slide 108: Vulnerabilities in OK
- Buffer overflows in processing of data (not from the network)
- Stop adding new features and focus on bug fixes
- Programmers can clean up bugs, if they don't have a moving target
    - It converges, to some extent

Slide 109: Defending Your Network: Identifying and Patrolling Your True Network Perimeter
Bill Cheswick, Chief Scientist, Lumeta Corp.

