SROC-08-MitigationStrategie.. - Network Startup Resource Center


Mitigation Strategies
Hervey Allen
Chris Evans
Phil Regnauld
September 3 – 4, 2009
Santiago, Chile
Overview
• Where Did We Start?
• Where We are Now…
• Survey of Additional Strategies
Where Did We Start?
• We started with a fairly simple, non-resilient
network
– One Gateway Router
• No ACLs or Monitoring
– One Nameserver
– One Non-Functional NOC
We Were “Blind”!
We Are Here!
• We now have a fairly simple network that
offers us some resiliency to cyber attacks
– One Gateway Router
• With ACLs & Monitoring
– One Nameserver
• Some Configuration Changes
– One Functional NOC
• Monitoring & Detection
We Can See!
We Are Here!
• The Things We Discussed:
– Have a Plan BEFORE Attacks Occur
– Various Monitoring Tools
– Configuration Control
– Secure Application Configurations
Tip of the Iceberg!
It’s a BIG World…
• There are things that we didn’t demonstrate, either for lack of
time or because we didn’t have the ability to add them:
– Anycasting
– Additional Infrastructure
– In-Line Monitoring
– Active Defenses
But – Let’s Discuss!
“By The Way – Not Everything Is a Technical Solution!”
Mitigation Strategies
• Build a Contingency Plan
– Compare costs of disruption vs. recovery
– Establish plan of action for what you expect to be your
highest risks
– Concentrate on your business objectives & risk
• Risk is NOT threat – it’s an understanding of what’s important to
you, threats, vulnerabilities, controls, and impact
– Prioritize security implementations based on risk
• You probably don’t have the time or resources to implement
everything
• Good security is about multiple layers of protection
Mitigation Strategies
• Robust Architectures
– Anycasting
– Geographically Separated Name Servers
– NS on Both Sides of Satellite Links
– Diversity in hardware & software
– Over-provision where possible
• Bandwidth, servers, people!
Mitigation Strategies
• Anycasting
“Anycast is a network addressing and routing scheme
whereby data is routed to the "nearest" or "best" destination
as viewed by the routing topology.” – Wikipedia
[Diagram: name servers NS1 and NS2, each shown with address 199.7.83.42 and prefix 199.7.83.0/24, AS20144]
Mitigation Strategies
• Anycasting
– Increased Capacity, Resiliency to Attack
– Outsourcing
• Instant Gratification, Perhaps Loss of Control
• What are you really getting? Ask Questions!
– Doing it In House
• Requires Expertise & Resources to Set it Up
Mitigation Strategies
• Real Time Monitoring
– Stratify your alerts (info, low, med, high, uh oh!)
– E-Mail, SMS, Pager notifications of priority alerts
– Select tools that work for you!
• Intrusion Detection
– Install & Monitor an IDS (e.g. SNORT)
– Where to install it? Inside or Outside?
– Feeling adventurous – put it in active mode!
A Brief Aside - SNORT
• The key to SNORT is its rules
• There are two kinds of rules
– Official Ruleset
• Paying users get them as they are released
• Registered users get them 5 days after release
• Unregistered users get them with SNORT releases
– Community Rules
• Publicly Available
• Rules are text-based files that contain a signature (what to alert on)
and an action (how to alert)
[Diagram labels: Network, SNIFF, SNORT, Alerts, MySQL, BASE, View Alerts, Canx Alerts; hosts 1.1.1.1, 1.1.1.2, 1.1.1.3]
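# Alert on TCP packets to $HOME_NET that have only the SYN flag set (sid is required; 1000000 and above is for local rules)
alert tcp any any -> $HOME_NET any (flags:S; msg:"SYN packet"; sid:1000001; rev:1;)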
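How a rule of this form splits into its action, header and options, and which packets it fires on, as an added example that is not part of the original slides. The `$HOME_NET` value, the `sid`/`rev` values and the packet dictionaries are assumptions constructed for illustration; ports are treated as `any` only.

```python
import ipaddress

# Constructed rule in the slide's form; sid and rev are placeholder values.
RULE = 'alert tcp any any -> $HOME_NET any (flags:S; msg:"SYN packet"; sid:1000001; rev:1;)'
VARS = {"$HOME_NET": "192.0.2.0/24"}  # assumed value (documentation network)

# Constructed packets: only the first should raise an alert.
PACKETS = [
    {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.53", "flags": "S"},
    {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.53", "flags": "SA"},
    {"proto": "tcp", "src": "192.0.2.53", "dst": "198.51.100.7", "flags": "S"},
    {"proto": "udp", "src": "198.51.100.7", "dst": "192.0.2.53", "flags": ""},
]

def parse_rule(text):
    """Split a rule into action, header fields and an options dict (no escaped ';' support)."""
    head, _, body = text.strip().partition("(")
    action, proto, src, sport, direction, dst, dport = head.split()
    options = {}
    for item in body.rstrip(")").split(";"):
        key, _, value = item.strip().partition(":")
        if key:
            options[key] = value.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": options}

def addr_matches(spec, addr):
    """True if addr falls inside spec, where spec is 'any', a variable or a CIDR."""
    if spec == "any":
        return True
    net = ipaddress.ip_network(VARS.get(spec, spec), strict=False)
    return ipaddress.ip_address(addr) in net

def matches(rule, pkt):
    """Check protocol, addresses and the flags option (no modifier means exact match)."""
    if rule["proto"] != pkt["proto"]:
        return False
    if not (addr_matches(rule["src"], pkt["src"]) and addr_matches(rule["dst"], pkt["dst"])):
        return False
    want = rule["options"].get("flags")
    return want is None or set(want) == set(pkt["flags"])

def alerts(rule_text, packets):
    """Return (action, msg, src, dst) for every packet the rule fires on."""
    rule = parse_rule(rule_text)
    return [(rule["action"], rule["options"]["msg"], p["src"], p["dst"])
            for p in packets if matches(rule, p)]
```

Because the signature is just "a SYN towards $HOME_NET", the rule fires on every new inbound TCP connection, which makes it a teaching rule rather than one to leave enabled.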
A Brief Aside - SNORT
[Screenshots of the alert console, one view per slide:]
• View Alerts By Protocol
• View Recent Alerts By Protocol
• View Recent Alerts By IP
• View Recent Alerts By Port
• View Portscans
• A Single Alert
• Alert Title Links to Alert Information
• Click for IP Analysis
– alerts SOURCED from this IP
– alerts DESTINED for this IP
Mitigation Strategies
• Vulnerability Scanning
– Regularly scheduled scans – using an updated engine!
• Web application, operating system, third party application
scanners are all available…
• Patching Systems
– This is NOT a silver bullet – but keeps riff-raff out
– Use automatic updates where available
– Vulnerability scanning can tell you what’s missing – don’t
assume that because you “installed” it, it actually took
– Don’t forget 3rd party application updates (Adobe, Flash,
Firefox, etc.)
Mitigation Strategies
• Forensic Data Capture
– Capture the last, say, 12 hours of traffic to enable
you to do forensic analysis on what happened
after the fact
• Technical Configuration Guides
– Understand how your systems are configured and
be able to easily reproduce / rebuild them
– Most already exist, find them BEFORE you need
them in a hurry
Mitigation Strategies
• Data Escrow
– Keeping a copy of your zone and customer data in a
safe place
• Mutual Aid Agreements
– Other ccTLDs, Universities, Governments
– Secondary Hosts, Data Escrow, Tech Assistance
– Temporary Manpower & Resources
– Do you (would you) share data of an attack with
other ccTLDs?
Mitigation Strategies
• Cold, Warm, Hot & Mirrored Sites
– Secondary locations that can be stood up in case
of physical or cyber difficulties
[Diagram: sites labelled A, B, C and D, with DATA labels]
Mitigation Strategies
• Bubba Net (Bubba = Friend, Net = Network)
– Establish your professional networks so you know
who to call when you need assistance
• Develop Professional Network of Stakeholders
– Governments, ISPs, Registrars, etc
• Awareness Briefings to Stakeholders
– Establish yourself as “critical infrastructure”
Mitigation Strategies
• End User / Customer Education
– Reduce Risk from Your Customers (e.g. phishing)
• Media / Public Relations
– Invite media in to discuss best methods of dealing
with them
– Build a communication plan so you know how to
respond for a given situation
Mitigation Strategies
• Internal Training & Awareness
– Train your administrators in defensive actions
– Forces you to establish procedures & policies!
• Exercise Defensive Actions
– You will only know your defensive capacity by
testing it!
– Simple walkthroughs to elaborate, hands-on,
multi-agency exercises
Mitigation Strategies
• Test Your Processes
– Two-factor authentication for customer
interaction
– Out of band communication (phone, fax, walk-in)
for customer validation
Notional ccTLD Architecture
Putting It All Together
[Diagram, repeated on each slide with one element highlighted. Node labels: NS1, NS2, NS3, NS4, Internal, External, Registrant, International User, External User. Elements highlighted in sequence:]
• Registrant – Requests Assignment, Updates, Removal
• Authentication for Registrant Requests
• Authorization for Internal Registry Changes
• Offsite Backup for Entire Registry
• Registry – Publishes and Maintains Assignments
• Alternate Registry Server and Database
• Country Localized DNS Servers
• Country Localized User
• Firewall
• Primary Global DNS
• Primary External Gateway
• Secondary Global DNS Server – Anycasting with Geographic Separation
• Secondary External Gateway
• International User
Recommendations
Threat                     | Recommendations
Zone Transfer              | Monitoring, DNS Server Configuration
Non-Authoritative Spoofing | Monitoring, Communication
Port Scanning              | Monitoring, Awareness of Other Parallel Attacks
Router Re-Config           | Monitoring, Configuration Control, Administrative VLANs
SSH Brute Force            | Application Logging, Log Analysis, Secure Configuration
DDoS                       | Geographic Separation, Anycasting, Country Localized and Global Server Separation
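One way to apply the SSH Brute Force recommendation (application logging and log analysis) together with the earlier advice to stratify alerts, as an added example that is not part of the original slides. The thresholds, the five-minute window, the host name and the log lines are assumptions constructed for illustration; the line layout follows OpenSSH's usual syslog messages.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

STAMP = r'^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: '
FAIL = re.compile(STAMP + r'Failed password for (?:invalid user )?\S+ from (\S+) port')
OK = re.compile(STAMP + r'Accepted \S+ for \S+ from (\S+) port')
LEVELS = [(10, "high"), (5, "med"), (3, "low"), (1, "info")]  # assumed thresholds
WINDOW = timedelta(minutes=5)                                  # assumed window

def stamp(text, year=2009):
    """Parse a syslog timestamp; syslog omits the year, so one is supplied."""
    return datetime.strptime("%d %s" % (year, text), "%Y %b %d %H:%M:%S")

def classify(log_text):
    """Map source IP to alert level from peak failures per WINDOW.

    A login that succeeds after three or more failures is escalated to 'uh oh!'.
    """
    fails, result = defaultdict(list), {}
    for line in log_text.splitlines():
        m = FAIL.match(line)
        if m:
            fails[m.group(2)].append(stamp(m.group(1)))
            continue
        m = OK.match(line)
        if m and len(fails.get(m.group(2), [])) >= 3:
            result[m.group(2)] = "uh oh!"
    for ip, times in fails.items():
        if ip in result:
            continue
        peak = max(sum(1 for t in times if start <= t < start + WINDOW) for start in times)
        result[ip] = next(name for floor, name in LEVELS if peak >= floor)
    return result

def line(sec, text):
    """Build one constructed sshd log line, sec seconds after 10:00:00."""
    return "Sep  3 10:%02d:%02d ns1 sshd[811]: %s" % (sec // 60, sec % 60, text)

# Constructed sample log using documentation addresses.
SAMPLE = "\n".join(
    [line(5 * i, "Failed password for invalid user admin from 203.0.113.9 port 40112 ssh2")
     for i in range(12)]
    + [line(70, "Failed password for root from 198.51.100.20 port 5022 ssh2")]
    + [line(100 + i, "Failed password for hostmaster from 203.0.113.77 port 6001 ssh2")
       for i in range(4)]
    + [line(110, "Accepted password for hostmaster from 203.0.113.77 port 6002 ssh2"),
       line(120, "Accepted publickey for noc from 192.0.2.10 port 7000 ssh2")])
```

The levels returned here are the ones that would drive the e-mail, SMS or pager routing for priority alerts.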
QUESTIONS?
• Do you have any questions about …
– Mitigation Strategies?