Transcript Steve-Ches
Mapping the Internet and intranets Steve Branigan Hal Burch Bill Cheswick Bell Labs, Lucent Tech. Motivations • Work on DOS anonymous packet trace back - Internet tomography. • Highlands “day after” scenario • Curiosity about size and growth of the Internet • Same tools are useful for understanding any large network, including intranets The Project • Long term reliable collection of Internet and Lucent connectivity information – without annoying too many people • Attempt some simple visualizations of the data – movie of Internet growth! • Develop tools to probe intranets • Extended database for researchers Uses for the Internet data • topography studies • long-term routing studies • publicly available database (“open source”) for spooks • interesting database for graph theorists • combine with other mappers to make an actual map of the Internet Uses for intranet data • Map “inside” the security perimeter • Take a census of Lucent hosts • Discover hosts that have unauthorized access to both the intranet and the Internet – illegal connections – miss-configured firewalls – maybe miss-configured telecommuters Network scanning • Custom program • Concurrently scans towards 500 nets at once • Throttled to 100 packets/sec: can do much faster • Slow daily scan for host on destination network Limitations • My view of the Internet, not yours – radical shifts when our ISP situation changes • Outgoing paths only • Takes a while to collect alternating paths • Gentle mapping means missed endpoints – good v. evil Data collection complaints • Australian parliament was the first to complain • List of whiners (25 nets) • Military noticed immediately – Steve Northcutt – arrangements/warnings to DISA and CERT Visualization goals • make a map – show interesting features – debug our database and collection methods – hard to fold up • geography doesn’t matter • use colors to show further meaning Early layouts • Interesting art • tantalizing edges • interior shows ISPs (colored by IP address!) • can’t trace routes • can’t even find the probe host • • • • When data is inconvenient, throw some away minimum distance spanning tree connectivity, not actual paths we get more information out of it add other paths to show further information What kind of maps can we make? Current map coloring • distance from test host • IP address – shows communities • Geographical (by TLD) • ISPs • future – timing, firewalls, LSRR blocks By ISP By top level domain Yugoslavia Serbia and Bosnia Results - Internet database • 100,000 of the world’s most important routers • >150 routes to one destination! • Yugoslavia bombing of power infrastructure is apparent • Offers for other scan points – how to pick them? 12000 10000 8000 6000 4000 2000 0 Number of paths to a target 05 October, 1998 23 Distribution of path lengths Reached Not reached 8000 Number of nets 7000 6000 5000 4000 3000 2000 1000 0 Path length Recipe for good intranet security • Know what you have. • Then secure it. Some basic questions… • How large is the network address space for your network? • How many system are actually active on the network? • How much does the network change? What is an intranet • any network too large to control • hosts residing inside a firewall perimeter • business partner connections • corporate hosts outside of the firewall • DMZs Intranet mapping work • Apply the technology of Internet mapping to the intranet • See how far the network reaches. • Surprises? Firewall bypass case #1 ISP B Internet Bu router ISP A Corp. Firewall Intranet Our host census attempt • 266,000 hosts • complaints from business partners! Multi-home hosts • hosts having multiple network connections • dangerous when one is connected to the intranet, and the other is connected to the Internet Firewall bypass case #2 Internet Special system Corp. Firewall Intranet Hard to find today. • Vulnerability scanners are not finding these vulnerabilities. New products • list of web servers • list of mail servers Results: New Products! • Route rationalization (“routerat”) – discover network routes (user supplied?) – run frequently More new products! • Topology scan: traceroute scan information and analysis • Host census • Scan for perimeter violations. – spoofed through inside to outside – spoofed outside through inside New Products • List of web and mail servers • Detect route squatters • Networks susceptible to broadcast storms • Find unauthorized firewalls and internet connections • Miss-configured telecommuting and branch office hosts. New Products • Private address space use • Connections with business partners • Due diligence tool for joint ventures, mergers, divestitures, etc. Walking the perimeter • There is a large potential market for this • New tool to gain some control over an extensive network • Fits with a number of companies’ product lines • new Lucent venture How we scan • Via dialup, using RAS servers • Secure tunnel, if you prefer – IP/SEC – PPTP – others? Auditing Firewall Rules Over time, systems change but firewall rules may not... a b c d Internet allow web to a allow web to b allow web to c allow web to d allow mail to c Oops! Legacy rules can create today’s security holes. How Firewall Auditor Works Input Intranet definition + + Query list of services nameif ethernet0 outside security0 nameif ethernet1 inside security100 hostname pix1 fixup protocol ftp 21 fixup protocol http 80 nat (inside) 0 0 0 static (inside, outside) 135.104.45.176 135.104.45.176 netmask 255.255.255.240 outbound 1 deny 0 0 apply (inside) 1 outgoing_dest : RULE : OUT PASS http mh zero conduit permit tcp host 135.104.45.180 eq 80 135.104.0.0 255.255.224.0 conduit permit tcp host 135.104.45.180 eq 80 135.104.32.0 255.255.248.0 Sample firewall rules Analysis What service traffic from the Internet can get through the firewall rules to which intranet addresses? Output Query: Internet-> Inside : http Internet -> ecnes01 (ecnes01.inet.lucent.com) : http [Rule: 2 ] Internet -> ecnes02 (ecnes02.inet.lucent.com) : http [Rule: 4 ] bcs-test (sapient2-bh.sapient.com) -> galileo (oh0012espweb1.inet.lucent.com) : http [Rule: 7 ] bcs-test (sapient2-bh.sapient.com) -> voyager (voyager.inet.lucent.com) : http [Rule: 9 ]