Slide 1: Identifying and Patrolling your True Network Perimeter
Bill Cheswick, ches@lumeta.com, http://www.lumeta.com

Slide 2 of 105 (Pondering Perimeters: GFIRST Orlando): Talk Outline
- A little personal history concerning perimeter defenses
- Outside: mapping the Internet
- A discussion of perimeter defenses
- Strong host security
- Mapping and understanding intranets
- The past and future of Microsoft host security: my Dad's computer
- Ned will show you some details of our product

Slide 3: A short bio regarding Internet perimeters
- Started at Bell Labs in December 1987
  - Immediately took over postmaster and firewall duties
- Good way to learn the ropes, which was my intention

Slide 4:
- Morris worm hit in Nov 1988
- Heard about it on NPR
  - Had a "sinking feeling" about it
- The home-made firewall worked
  - No fingerd
  - No sendmail (we rewrote the mailer)
- Intranet connection to Bellcore
- We got lucky
- Bell Labs had 1330 hosts
- Corporate HQ didn't know or care

Slide 5: Action items
- Shut down the unprotected connection to Bellcore
  - What we now call a "routing leak"
- Redesign the firewall for much more capacity, and no "sinking feeling"
  - (VAX 750, load average of 15)
- Write a paper on it
  - "if you don't write it up, you didn't do the work"

Slide 6: Old gateway: [diagram]

Slide 7: New gateway: [diagram]

Slide 8: New gateway (one referee's suggestion): [diagram]

Slide 9: "Design of a Secure Internet Gateway"
- Anaheim Usenix, Jan 1990
- My first real academic paper
- It was pretty good, I think
- It didn't have much impact, except for two pieces:
  - Coined the word "proxy" in its current use (this was for a circuit-level gateway; predated SOCKS by three years)
  - Coined the expression "crunchy outside and soft chewy center"

Slide 10: Why wasn't the paper more influential?
- Because the hard part isn't the firewall, it is the perimeter
  - I built a high security firewall for USSS from scratch in about 2 hours in Sept. 2001. I raised our firewall security from "low medium" to "high"
  - (that's about as good as computer and network security measurement gets)
- The perimeter security was "dumb luck", which we raised to "probably none"

Slide 11: Network and host security levels (lowest to highest)
- Dumb luck
- None
- Low
- Medium
- High = no "sinking feeling"

Slide 12: By 1996, AT&T's intranet
- Firewall security: high, and sometimes quite a pain, which meant
- Perimeter security: dumb luck
- Trivestiture didn't change the intranet configuration that much

Slide 13: Lucent now (1997) (sort of)
We'd circled the wagons around. [Network diagram; labels: Wyoming, Allentown, Murray Hill, Columbus, Holmdel; SLIP, PPP, ISDN, X.25, cable...; Lucent: 130,000, 266K IP addresses, 3000 nets ann.; The Internet; ~200 business partners; thousands of telecommuters]

Slide 15: Highlands forum, Annapolis, Dec 1996
- A Rand Corp. game to help brief a member of the new President's Infrastructure Protection Commission
- Met Esther Dyson and Fred Cohen there
  - Personal assessment by intel profiler
- "Day after" scenario
- Gosh it would be great to figure out where these networks actually go

Slide 16 (section): Perimeter Defenses have a long history

Slides 17 to 39: photographs of physical perimeter defenses. Captioned slides: Lorton Prison (17); The Pretty Good Wall of China (18); Perimeter Defense of the US Capitol Building (22); Flower pots (23); Security doesn't have to be ugly (25); Delta barriers (30); Edinburgh Castle (31); Warwick Castle (32); Heidelberg Castle, started in the 1300s (33); Berwick Castle (35); Parliament: entrance (38); Parliament: exit (39). Slides 19 to 21, 24, 26 to 29, 34, 36 and 37 are photographs without captions.

Slide 40: Why use a perimeter defense?
- It is cheaper
  - A man's home is his castle, but most people can't afford the moat
- You can concentrate your equipment and your expertise in a few areas
- It is simpler, and simpler security is usually better
  - Easier to understand and audit
  - Easier to spot broken parts

Slide 41: What's wrong with perimeter defenses
- They are useless against insider attacks
- They provide a false sense of security
  - You still need to toughen up the inside, at least some
  - You need to hire enough defenders
- They don't scale well

Slide 42 (section): Anything large enough to be called an 'intranet' is out of control

Slide 43 (section): Project 1: Can we live without an intranet? Strong host security. Mid 1990s.

Slide 44: I can, but you probably can't
- "Skinny-dipping" on the Internet since the mid 1990s
- The exposure focuses one clearly on the threats and proactive security
- It's very convenient, for the services I dare to use
- Many important network services are difficult to harden

Slide 45: Skinny dipping rules
- Only minimal services are offered to the general public
  - ssh
  - Web server (jailed Apache)
  - DNS (self-chrooted)
  - SMTP (postfix, not sendmail)
- Children (like employees) and MSFT clients are untrustworthy
- Offer hardened local services at home, like Samba (chroot), POP3 (chroot)
- I'd like to offer other services, but they are hard to secure

Slide 46: Skinny dipping requires strong host security
- FreeBSD and Linux machines
- I am told that one can lock down an MSFT host, but there are hundreds of steps, and I don't know how to do it.
- This isn't just about operating systems: the most popular client applications are, in theory, very dangerous and, in practice, very dangerous.
  - Web browsers and mail readers have many dangerous features

Slide 47: Skinny dipping flaws
- Less defense in depth
- No protection from denial-of-service attacks

Slide 48 (section): Project 2: The Internet Mapping Project. An experiment in exploring network connectivity. 1998.

Slide 49: Methods - network discovery (ND)
- Obtain master network list
  - network lists from Merit, RIPE, APNIC, etc.
  - BGP data or routing data from customers
  - hand-assembled list of Yugoslavia/Bosnia
- Run a TTL-type (traceroute) scan towards each network
- Stop on error, completion, no data
  - Keep the natives happy

Slide 50: Methods - data collection
- Single reliable host connected at the company perimeter
- Daily full scan of Lucent
- Daily partial scan of Internet, monthly full scan
- One line of text per network scanned
  - Unix tools
- Use a light touch, so we don't bother Internet denizens

Slide 51: TTL probes
- Used by traceroute and other tools
- Probes toward each target network with increasing TTL
- Probes are ICMP, UDP, TCP to port 80, 25, 139, etc.
- Some people block UDP, others ICMP

Slide 52: Intranet implications of Internet mapping
- High speed technique, able to handle the largest networks
- Light touch: "what are you going to do to my intranet?"
- Acquire and maintain databases of Internet network assignments and usage

Slide 53: Advantages
- We don't need access (i.e. SNMP) to the routers
- It's very fast
- Standard Internet tool: it doesn't break things
- Insignificant load on the routers
- Not likely to show up on IDS reports
- We can probe with many packet types

Slide 54: Limitations
- View is from scanning host only
  - Multiple scan sources give a better view
- Outgoing paths only
- Level 3 (IP) only
  - ATM networks appear as a single node
- Not all routers respond
  - Some are silent
  - Others are "shy" (RFC 1123 compliant), limited to one response per second
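The TTL-scan method of slides 49 to 54, as an added example in Python (not Lumeta's or the speaker's code). Raw-socket probing cannot run offline, so the network is a constructed four-router topology modelled in code; the scan logic on top of it is the real one: send probes towards each target with increasing TTL, record which router's ICMP Time Exceeded comes back, and stop on error (Destination Unreachable), completion (the target answers) or no data (three silent hops in a row). The addresses, the topology and the 100 ms probe spacing are assumptions. The "shy" router implements the one-ICMP-error-per-second limit from slide 54 and the silent one never answers, so both show up as "*" in the one-line-per-network output of slide 50.

```python
"""Simulated TTL (traceroute-style) network discovery. Added example; the
topology, addresses and timings are constructed, not from the talk."""
import ipaddress
from dataclasses import dataclass, field

DELIVER = "deliver"   # route target meaning "the destination network is directly attached"


@dataclass
class Router:
    addr: str
    routes: list                 # [(prefix, next_hop)]; next_hop is a router address or DELIVER
    silent: bool = False         # never sends ICMP Time Exceeded
    shy: bool = False            # RFC 1123 style rate limit: one ICMP error per second
    last_reply_ms: int = field(default=-10_000)

    def next_hop(self, dst: str):
        """Longest-prefix match; None means no route (ICMP Destination Unreachable)."""
        ip = ipaddress.ip_address(dst)
        best = None
        for prefix, nh in self.routes:
            net = ipaddress.ip_network(prefix)
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return None if best is None else best[1]

    def time_exceeded(self, now_ms: int):
        """Address to answer from when a probe's TTL expires here, or None if we keep quiet."""
        if self.silent or (self.shy and now_ms - self.last_reply_ms < 1000):
            return None
        self.last_reply_ms = now_ms
        return self.addr


class Topology:
    def __init__(self, first_hop: str, routers, hosts):
        self.first_hop = first_hop
        self.routers = {r.addr: r for r in routers}
        self.hosts = set(hosts)          # addresses that will answer a probe themselves

    def probe(self, dst: str, ttl: int, now_ms: int):
        """Deliver one probe. Returns (responder address or None, kind)."""
        node = self.routers[self.first_hop]
        for _ in range(ttl - 1):                  # the first ttl-1 routers forward it...
            nh = node.next_hop(dst)
            if nh is None:
                return node.addr, "unreach"       # error: no route at this router
            if nh == DELIVER:                     # last hop reached before the TTL ran out
                return (dst, "echo") if dst in self.hosts else (None, None)
            node = self.routers[nh]
        return node.time_exceeded(now_ms), "exceeded"   # ...and the ttl-th one expires it


class Scanner:
    def __init__(self, topo: Topology, interval_ms=100, max_ttl=30, max_silent=3):
        self.topo, self.interval_ms = topo, interval_ms   # spacing probes out is the "light touch"
        self.max_ttl, self.max_silent = max_ttl, max_silent
        self.now_ms = 0                                   # one clock shared by every scan

    def scan(self, dst: str) -> str:
        """One line of text per network scanned: '<target> <status> <hop> <hop> ...'."""
        path, silent_run, status = [], 0, "incomplete"
        for ttl in range(1, self.max_ttl + 1):
            responder, kind = self.topo.probe(dst, ttl, self.now_ms)
            self.now_ms += self.interval_ms
            if kind == "unreach":
                path.append("!" + responder)
                status = "error"
                break
            if kind == "echo":
                path.append(responder)
                status = "complete"
                break
            path.append(responder or "*")
            silent_run = 0 if responder else silent_run + 1
            if silent_run >= self.max_silent:
                status = "no-data"
                break
        return f"{dst} {status} {' '.join(path)}"


def build_example_topology() -> Topology:
    """Constructed: 192.0.2.2 is shy, 10.2.0.1 is silent, 192.0.2.3 has no route to 203.0.113.0/24."""
    return Topology("192.0.2.1", [
        Router("192.0.2.1", [("10.0.0.0/8", "192.0.2.2"), ("0.0.0.0/0", "192.0.2.3")]),
        Router("192.0.2.2", [("10.1.0.0/16", DELIVER), ("10.2.0.0/16", "10.2.0.1")], shy=True),
        Router("10.2.0.1", [("10.2.0.0/16", DELIVER)], silent=True),
        Router("192.0.2.3", [("198.51.100.0/24", DELIVER)]),
    ], hosts=["10.1.0.10", "10.2.0.10", "198.51.100.5"])


def scan_all(targets):
    """Scan a list of targets with one scanner, as the daily scan would, one output line each."""
    scanner = Scanner(build_example_topology())
    return [scanner.scan(t) for t in targets]


if __name__ == "__main__":
    for line in scan_all(["10.1.0.10", "10.2.0.10", "203.0.113.7", "10.1.0.99"]):
        print(line)
```

Because every scan shares one clock, the shy router 192.0.2.2 answers the first scan but stays quiet for the second, which reaches it 300 ms later, and the silent router 10.2.0.1 never appears at all; the third scan stops on the Destination Unreachable from 192.0.2.3, and the fourth stops after three hops with no data because nothing answers at 10.1.0.99. A real scan sees exactly these gaps, which is why slide 54 lists them as limitations rather than bugs.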

Slide 55: Data collection complaints
- Australian parliament was the first to complain
- List of whiners (25 nets)
- On the Internet, these complaints are mostly a thing of the past
  - Internet background radiation predominates

Slide 56: Visualization goals
- make a map
  - show interesting features
  - debug our database and collection methods
- geography doesn't matter
- use colors to show further meaning

Slide 58 (section): Visualization of the layout algorithm: Laying out the Internet graph

Slide 61: Colored by AS number [map]

Slide 62: Map Coloring
- distance from test host
- IP address
  - shows communities
- Geographical (by TLD)
- ISPs
- future
  - timing, firewalls, LSRR blocks

Slide 63: Colored by IP address! [map]

Slide 64: Colored by geography [map]

Slide 65: Colored by ISP [map]

Slide 66: Colored by distance from scanning host [map]

Slide 69 (section): Yugoslavia: An unclassified peek at a new battlefield. 1999.

Slide 71 (section): A film by Steve "Hollywood" Branigan...

Slide 73 (section): fin (the end)

Slide 74 (section): Intranets: the rest of the Internet

Slide 78: This was supposed to be a VPN [map]

Slide 81: Case studies: corp. networks. Some intranet statistics [figure]

Slide 82 (section): Project 3: Detecting perimeter leaks. Lumeta's Special Sauce. 2000.

Slide 83: Types of leaks
- Routing leaks
  - Internal routes are announced externally, and the packets are allowed to flow betwixt
- Host leaks
  - Simultaneously connected inside and out, probably without firewall functionality
  - Not necessarily a dual-homed host
- "Please don't call them leaks"
  - They aren't always a Bad Thing

Slide 84: Routing leaks
- Easily seen on maps
- Shows up in our reports
- Generally easily fixed

Slide 85: Host leak detection
- Developed to find hosts that have access to both intranet and Internet
  - Or across any privilege boundary
- Leaking hosts do not route between the networks
- Technology didn't exist to find these

Slide 86: Possible host leaks
- Misconfigured telecommuters connecting remotely
- VPNs that are broken
- DMZ hosts with too much access
- Business partner networks
- Internet connections by rogue managers
- Modem links to ISPs

Slide 87: Leak Detection Prerequisites
- List of potential leakers: obtained by census
- Access to intranet
- Simultaneous availability of a "mitt"

Slide 88: Leak Detection Layout
[Diagram, repeated on slides 88 to 93: the Internet and the intranet, with mapping host A, test host B, mitt D, and a possible second address C for the test host]
- Mapping host with address A is connected to the intranet
- Mitt with address D has Internet access
- Mapping host and mitt are currently the same host, with two interfaces

Slide 89: Leak Detection
- Test host has known address B on the intranet
- It was found via census
- We are testing for unauthorized access to the Internet, possibly through a different address, C

Slide 90: Leak Detection
- A sends packet to B, with spoofed return address of D
- If B can, it will reply to D with a response, possibly through a different interface

Slide 91: Leak Detection
- Packet must be crafted so the response won't be permitted through the firewall
- A variety of packet types and responses are used
- Either inside or outside address may be discovered
- Packet is labeled so we know where it came from

Slide 92: Inbound Leak Detection
- This direction is usually more important
- It all depends on the site policy…
- …so many leaks might be just fine.

Slide 93: Inbound Leak Detection [diagram only]
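The exchange of slides 88 to 93, as an added Python simulation that is not Lumeta's code: the mapping host A sends each census host B a probe whose return address is spoofed to the mitt D. A host with its own way out answers D directly and is caught; a host without one hands its reply to the corporate firewall, which the probe type was chosen so it never passes; a host that does not answer at all is a blind spot. The label carried in the probe is what lets the mitt tie an arriving reply back to the B it was sent to (slide 91), and it also lets the mitt discard unrelated background traffic. The inbound test (slide 92) runs the same trick the other way, D to C with source A. Everything concrete here is an assumption: the hosts and addresses, 10.0.0.0/8 as the intranet range, the HMAC construction of the label, the site policy, and the list of candidate outside addresses C for the inbound test, which the talk does not say how to obtain.

```python
"""Model of spoofed-source host-leak detection (added, offline simulation)."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional

INTRANET = ipaddress.ip_network("10.0.0.0/8")   # assumed: the site's internal address space


def is_internal(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INTRANET


@dataclass
class Probe:
    dst: str        # where the probe is delivered: B (outbound test) or C (inbound test)
    src: str        # spoofed return address: mitt D (outbound) or mapping host A (inbound)
    label: bytes    # tag so a reply can be traced back to the probe that caused it


@dataclass
class Host:
    name: str
    intranet_addr: Optional[str] = None    # B, as found by the census
    internet_addr: Optional[str] = None    # C, a second path to the Internet (the leak), if any
    answers: bool = True                   # silent hosts are a blind spot in both directions

    def reply_to(self, probe: Probe):
        """Where the reply goes: ('intranet' | 'internet' | 'firewall' | None, source address)."""
        if not self.answers:
            return None, None
        if is_internal(probe.src):
            # reply is addressed inside; any intranet interface will carry it
            return ("intranet", self.intranet_addr) if self.intranet_addr else (None, None)
        if self.internet_addr:
            # reply is addressed outside and the host has its own path out: the leak
            return "internet", self.internet_addr
        # otherwise the reply heads for the firewall, which never passes this packet type
        return "firewall", self.intranet_addr


class Collector:
    """Whatever listens for replies: the mitt D (outbound) or the mapping host A (inbound)."""
    def __init__(self):
        self.received = []

    def receive(self, src: str, label: bytes):
        self.received.append((src, label))


class LeakDetector:
    def __init__(self, mapping_addr: str, mitt_addr: str, key: bytes):
        self.a, self.d, self.key = mapping_addr, mitt_addr, key
        self.sent = {}                    # label -> address the probe was sent to

    def label(self, tested_addr: str) -> bytes:
        """Keyed tag: unforgeable by bystanders, and it names the probed address (assumed design)."""
        tag = hmac.new(self.key, tested_addr.encode(), hashlib.sha256).digest()[:8]
        self.sent[tag] = tested_addr
        return tag

    def outbound(self, hosts, mitt: Collector):
        """A -> B with source D. A reply reaching D travelled a path the firewall does not control."""
        for h in hosts:
            if not h.intranet_addr:
                continue
            p = Probe(h.intranet_addr, self.d, self.label(h.intranet_addr))
            path, src = h.reply_to(p)
            if path == "internet":
                mitt.receive(src, p.label)
            # 'firewall': dropped at the perimeter; None: the host said nothing

    def inbound(self, hosts, candidates, mapping_host: Collector):
        """D -> C with source A. A reply reaching A inside means C can be reached from outside."""
        for h in hosts:
            if h.internet_addr not in candidates:
                continue
            p = Probe(h.internet_addr, self.a, self.label(h.internet_addr))
            path, src = h.reply_to(p)
            if path == "intranet":
                mapping_host.receive(src, p.label)

    def attribute(self, collector: Collector):
        """(probed address, address the reply came from); unlabeled traffic is background noise."""
        return sorted((self.sent[lbl], src) for src, lbl in collector.received if lbl in self.sent)


def run_example():
    """Constructed census: one clean server, one rogue link, one permissive DMZ host, one mute host."""
    hosts = [
        Host("fileserver", intranet_addr="10.1.2.3"),
        Host("ned-laptop", intranet_addr="10.1.5.9", internet_addr="203.0.113.17"),
        Host("dmz-web", intranet_addr="10.200.0.5", internet_addr="198.51.100.10"),
        Host("quiet-printer", intranet_addr="10.1.7.7", internet_addr="203.0.113.40", answers=False),
    ]
    det = LeakDetector(mapping_addr="10.0.0.2", mitt_addr="192.0.2.10", key=b"per-run secret")
    mitt = Collector()
    det.outbound(hosts, mitt)
    mitt.receive("198.51.100.77", b"\x00" * 8)      # unrelated Internet background radiation
    outbound = det.attribute(mitt)

    mapper = Collector()
    det.inbound(hosts, ["203.0.113.17", "198.51.100.10", "203.0.113.40", "203.0.113.99"], mapper)
    inbound = det.attribute(mapper)

    allowed = {"10.200.0.5"}     # site policy: the DMZ host is meant to see both sides
    flagged = [(b, c) for b, c in outbound if b not in allowed]
    return {"outbound": outbound, "inbound": inbound, "flagged": flagged}


if __name__ == "__main__":
    for k, v in run_example().items():
        print(k, v)
```

Two things the simulation makes visible that the diagram does not: the mitt learns the outside address C only because the label names B, which is how "either inside or outside address may be discovered" works in practice, and a host that never answers (the printer) is invisible to both directions of the test, so a clean report is evidence only about hosts that respond.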

Slide 94: Leak results
- Found home web businesses
- At least two clients have tapped leaks
  - One made front page news
- From the military: "the republic is a little safer"

Slide 95: We developed a lot of stuff
- Leak detection (that's the special sauce)
- Lots of reports: the hardest part is converting data to information
- Route discovery: TTL probes plus SNMP router queries
- Host enumeration and identification: ping and xprobe-style host identification
- Server discovery: SYN probes of popular TCP ports
- Wireless base station discovery: xprobe, SNMP, HTTP
- And more… ask the sales people
- The "zeroth step in network intelligence" – me

Slide 96 (section): What's next? IPv6. 2005 + 3

Slide 98: IPv6 deployment
- Has been 3 years away since 1993
- Widely deployed in the Far East, and in the new cell phones
- Europe is getting on board
- US Government mandate for 2005
  - But what does "IPv6 capable" really mean?
- None of the three ISPs I am connected to at home and work offer raw IPv6 feeds

Slide 99: IPv6 address space
- /48s seem to be freely available:
  - Each US soldier will have one
  - One for each home
- 80-bit host address is a hell of a large space
- Easy to hide hosts in that space
- Hard to administer hosts in that space
- Some interesting cryptographic and "IP hopping" applications come to mind.

Slide 100: IPv6 technical aspects
- Google-based research will lead you down recently abandoned dead ends
  - A6 came and went, AAAA is what to use
  - Link level addressing is deprecated
  - Use of bottom 128 – 48 = 80 bits not really settled
- Addresses aren't as bad as you might think:
  - 2001:5bfe:16::1 (easy to grep!)
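Slides 99 and 100 together, as an added Python example (not from the talk): the 80 host bits left under a /48, what that means for anyone trying to sweep it, and the one caveat behind "easy to grep". The same IPv6 address has several legal spellings (leading zeros, upper case, where the "::" sits), so a literal grep for 2001:5bfe:16::1 misses two of the three constructed log lines below that mention that host; canonicalizing every address in a line to its compressed form first makes the match reliable. The prefix 2001:5bfe:16::/48 is the talk's; the log lines and the probe rate are constructed.

```python
"""IPv6 host-bit arithmetic and address canonicalization for log searching (added example)."""
import ipaddress
import re


def host_bits(prefix: str) -> int:
    """Bits below the delegated prefix that are left for hosts: 128 - 48 = 80 for a /48."""
    return 128 - ipaddress.ip_network(prefix, strict=False).prefixlen


def sweep_years(prefix: str, probes_per_second: float) -> float:
    """Years needed to probe every address under the prefix once at the given rate."""
    return 2 ** host_bits(prefix) / probes_per_second / (365 * 24 * 3600)


_TOKEN_SPLIT = re.compile(r"[\s\[\]]+")   # split on brackets too, so "[addr]:port" yields addr


def canonical_addresses(line: str):
    """Every IP address found in a log line, each in its single compressed spelling."""
    found = []
    for tok in _TOKEN_SPLIT.split(line):
        tok = tok.rstrip(".,;")
        try:
            found.append(ipaddress.ip_address(tok).compressed)
        except ValueError:          # not an address (a word, a pid, a bare ":443")
            continue
    return found


def grep_address(lines, wanted: str):
    """Lines mentioning `wanted`, however the logger happened to spell it."""
    target = ipaddress.ip_address(wanted).compressed
    return [line for line in lines if target in canonical_addresses(line)]


def in_prefix(addr: str, prefix: str) -> bool:
    """Does the address fall inside the delegated prefix (e.g. the site's /48)?"""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


# Constructed log lines: one host written three different ways, plus an unrelated IPv4 entry.
SAMPLE_LOG = [
    "sshd[1234]: Accepted publickey from 2001:5bfe:0016:0000:0000:0000:0000:0001 port 52211",
    "httpd: client [2001:5BFE:16:0:0:0:0:1]:443 GET /index.html",
    "sshd[1240]: Failed password from 2001:5bfe:16:1::dead:beef port 40022",
    "ntpd: time reset by 192.0.2.5",
]

if __name__ == "__main__":
    print("host bits under a /48:", host_bits("2001:5bfe:16::/48"))
    print("years to sweep it at 1M probes/s:", f"{sweep_years('2001:5bfe:16::/48', 1e6):.2e}")
    for line in grep_address(SAMPLE_LOG, "2001:5bfe:16::1"):
        print("match:", line)
```

The sweep figure is the quantitative form of "easy to hide hosts in that space": an address-space scan that is routine for an IPv4 /16 is not a tool that exists for a /48, which is why the host-enumeration part of a mapping product has to start from something other than brute force (routing data, DNS, neighbour tables) once IPv6 is in play.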

Slide 101: IPv6
- IPv6 is available through IPv4/IPv6 tunnel brokers
  - www.hexago.com (formerly freenet6.net)
- Not hard to set up on Unix hosts, then it Just Works

Slide 102 (section): What's next? Skinny dipping with Microsoft operating systems? 2062?

Slide 103: XP SP2: Bill gets it
- "a feature you don't use should not be a security problem for you."
- "Security by design"
  - Too late for that, it's all retrofitting now
- "Security by default"
  - No network services on by default
- Security control panel
  - Many things missing from it
  - Speaker could not find ActiveX security settings
- There are a lot of details that remain to be seen.

Slide 104: Pondering and Patrolling Perimeters
Bill Cheswick, ches@lumeta.com, http://www.lumeta.com
