Protecting WLANs from Worms and Viruses



Copyright Doug Klein, 2004.
This work is the intellectual property of the author. Permission is
granted for this material to be shared for non-commercial,
educational purposes, provided that this copyright statement
appears on the reproduced materials and notice is given that the
copying is by permission of the author. To disseminate otherwise
or to republish requires written permission from the author.
Virus and Worm Protection: A Security Approach
Doug Klein, CTO, Vernier Networks
[email protected]
WiFi Market Timelines
[Figure: adoption timeline through Denial, Acceptance and Commitment; User Demands move from Convenience to Dependence to Strategic]
The Transition to Strategic
Security
• Accountability (who gets on .. what are they doing ..)
– User authentication
– Usage accounting
– Role based access
– “Bad behavior”
– RF Encryption
– Privacy (HIPAA)
– Copyright liability
• Services (is it what they want ..)
– The 3 C’s: Capacity, Coverage, Consistency
– Location capabilities
Security and The Internet Connection
Problem: external connection to the Internet
Solution: protect the network with a firewall
Problem: traffic flowing through public Internet
Solution: put the traffic through an encrypted tunnel
[Diagram: attack arrows from the Internet directed at the Corporate Network]
The Wireless Effect
[Diagram: Corporate Network connected to the Internet]
You need firewall and encryption here!
But remember that users move from here to here to here ..
The Blurry Edge!
802.11 and Security: Today
• The “killer app”
– Cable replacement!
– Incredible ROI for point implementations (e.g., the conference room)
• “Simple” security in original design: WEP
– Original market very vertically focused (e.g., retail, logistics)
– Concerns with export (historical federal restrictions)
• Ease of breaking in well documented
– “Shared secrets” like no secret at all
– Poor key implementation easy to crack
802.11 and Security: Tomorrow
It’s an evolutionary process
– WPA
• Announced WECA direction
• Expect products late 2003
• 802.1x authentication, TKIP/PEAP/LEAP support
– RADIUS directory services
– Stronger keying and encryption system
– 802.11i
• Full IEEE specification
• Superset of WPA
• Products in 2004?
802.11 and Security: Issues
• Standards
– WECA vs IEEE: who’s driving what?
– WPA: can a “temporary standard” work?
• Interoperability
– The world is not homogeneous: how do I mix and match?
• Cal State Pomona: 34,000 possible users, only 100 compatible devices!
– In a world beyond PC’s, can I support the combinations?
• Extensions into the future
– WiFi as a mobility solution vs a cabling solution
• Can we support users moving around?
– Expectations driven from consumer adoption
• “I have it at home, I want it everywhere!”
Wireless and the End User
• The Consumer Impact
– First networking technology to explode in the consumer market first
– Recent CIO panel shows typical situation:
• Question: “Why are you deploying WLAN now?”
• Answer: “My CEO got it at home!”
• End User Expectations
– It’s easy: poor understanding of the implications to the corporate network
– If I’m untethered I should be able to roam seamlessly (à la cell phones)
• The Rogue Access Point
– It’s so “easy”
– Technical solutions difficult, policy still the best long term approach!
Security: A Layered Approach
• 802.11 as a “security system”
– Not its design point
– Something is usually better than nothing, except when false security leads to no security
• Is it turned on?
• Are the users participating: where are the motivation points?
• Are we actually seeing something else?
– Is 802.11 the problem or has it exposed a “dirty little secret”?
Wired Networking Today
…the Port is the Network
…and networking equipment was designed for static ports. IT manages ports, not users. 1 port = 1 user.
Wireless Networks
…the Air is the Network
…many different users access the same port.
Some Security Basics
• Authentication
– Who are you?
• Authorization
– Access Control
– Role Management
– What can you do?
• Encryption
– Who’s listening to your traffic?
Authentication
• Standard operating procedure for applications!
– We protect our servers, our file systems, our databases today
– The network is no longer “dumb plumbing”, it’s the most critical resource we have!
• Authentication mechanisms
– How the user interacts with the system
– Captive portal, NT login, SmartCard, SecurID, 802.1x
• Authentication services
– How we keep track of authorized users
– LDAP, NT Domain, Kerberos, RADIUS
• Is network access the same as application access?
– Would you give guests network access but not server access?
– Will your users understand multiple logins?
Authorization
• The 802.11 model: Binary Access control
– Layer 2 technology limited to “yes” or “no” access
– Sufficient to solve the “parking lot problem”
• Security policies are more complicated than this
– We have different roles and rights for trusted users
– Examples: HR employees vs everyone else. Contractors vs full time. Guests vs employees.
• Fixed location, wired systems implement these policies today
– VLANs have morphed into this
– They cannot deal with users connecting at multiple locations, much less moving in real time
– Consider mobility as a consequence of wireless!
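The Authorization slides argue that access rights must belong to the authenticated user's role and follow the user as they move, which a port- or VLAN-based scheme cannot do. The following is an added example (not Vernier's code and not from the slides) of a small role-based policy evaluator in that spirit: a central session table maps a device to a user and role, each role carries an ordered rule list, and the decision never looks at which access point the device is attached to. The roles, address ranges, MACs, session entries and packets are all constructed for illustration.

```python
"""Role-based network access evaluated per authenticated user, not per port.

Added example, not Vernier's code and not from the slides: it models the
Authorization slide's point that rights belong to the user's role and must
follow the user as they roam between access points. Every role, address
range, session and packet below is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address plan (assumption, not from the deck).
NETS = {
    "hr_servers": ipaddress.ip_network("10.10.10.0/24"),
    "file_servers": ipaddress.ip_network("10.10.20.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "any": ipaddress.ip_network("0.0.0.0/0"),
}


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    dst: str                     # key into NETS
    proto: str = "any"           # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None  # destination port; None matches any port

    def matches(self, pkt: dict) -> bool:
        return (ipaddress.ip_address(pkt["dst"]) in NETS[self.dst]
                and self.proto in ("any", pkt["proto"])
                and (self.dport is None or self.dport == pkt.get("dport")))


# Per-role rule lists: first match wins, and an implicit deny closes each list.
# Guests never reach internal space; contractors reach file servers but not HR.
ROLE_POLICY = {
    "guest": [Rule("deny", "internal"),
              Rule("permit", "any", "tcp", 80),
              Rule("permit", "any", "tcp", 443)],
    "contractor": [Rule("deny", "hr_servers"),
                   Rule("permit", "file_servers"),
                   Rule("permit", "any", "tcp", 443)],
    "employee": [Rule("deny", "hr_servers"),
                 Rule("permit", "any")],
    "hr": [Rule("permit", "any")],
}

# Session table kept by a central controller (constructed): MAC -> (user, role).
SESSIONS = {
    "00:11:22:33:44:01": ("alice", "hr"),
    "00:11:22:33:44:02": ("bob", "contractor"),
    "00:11:22:33:44:03": ("visitor7", "guest"),
}

# Which access point each device is currently attached to. Roaming changes
# this table and nothing else: decide() never consults it, which is the
# property a port- or VLAN-based scheme cannot give a moving user.
ATTACHED_AT = {mac: "ap-lobby" for mac in SESSIONS}


def roam(src_mac: str, new_ap: str) -> None:
    """Record that a device moved to another AP; its role is unaffected."""
    ATTACHED_AT[src_mac] = new_ap


def decide(src_mac: str, pkt: dict) -> str:
    """Return "permit" or "deny" for a packet sent from src_mac.

    Devices without an authenticated session are denied wherever they attach.
    """
    session = SESSIONS.get(src_mac)
    if session is None:
        return "deny"
    _user, role = session
    for rule in ROLE_POLICY[role]:
        if rule.matches(pkt):
            return rule.action
    return "deny"


if __name__ == "__main__":
    pkt = {"dst": "10.10.10.5", "proto": "tcp", "dport": 445}
    for mac in SESSIONS:
        print(SESSIONS[mac][0], decide(mac, pkt))
    roam("00:11:22:33:44:02", "ap-building-7")
    print("bob after roaming:",
          decide("00:11:22:33:44:02", {"dst": "10.10.20.7", "proto": "tcp", "dport": 445}))
```

The same packet from three devices gets three different answers purely from the role in the session table, and moving bob to another AP changes nothing about what he may reach; that independence from the attachment point is what the slides mean by treating mobility as a consequence of wireless.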
Encryption
• Rule #1: what are you trying to protect vs not protect
– Do you really need to encrypt all the traffic?
• Web surfing not very proprietary
• Mfg/logistics traffic not interesting by itself - why bother
– Can you enforce application encryption?
• SSL web sites
• SSH style port forwarding
• Secure client-server applications
• Rule #2: encryption is expensive
– The algorithms are cpu intensive
• Expect 20% hit on AP performance, for example
– The interoperability is difficult and error prone
• Getting better, but prepare for operating difficulties
Security and Infrastructure
Is it more than an 802.11 problem?
[Diagram: The Wiring Closet and The Office Space separated by a Security Layer; Corporate LAN, Internet and an Authentication Server are also shown]
• The Wiring Closet (Edge Switch): Infrastructure Security
– Closed
– Homogeneous
– Secure
• The Office Space (APs): 802.11 Security
– Open
– Heterogeneous
– Insecure
• Central System Control
– Authentication Integration
– Authorization/Rights Management
• Distributed Edge Control
– VPN Termination
– Layer 3 Mobility Support
Viruses In WLAN Environments
[Diagram: a laptop on an Open Network (Insecure Network) and a laptop on the Enterprise Network (Secure Network)]
• Open Network (Insecure Network)
– Home Network
– Public Network
– Visited Network
• Enterprise Network (Secure Network)
– Perimeter Security
– Virus Detection
– Monitored Access
About Sobig.f
• A blended threat
– Mass-mailer
• Spreads via e-mail, using its own SMTP engine
• Arrives as a PIF or SCR file
• Forges ‘From’ field to conceal its origin
– Spreads using open network shares
– Contacts list of remote NTP servers and sends NTP packets using TCP port 123
– At a specified time, sends data from infected machines to remote machines using UDP port 8998
About Welchia
• A worm that exploits multiple vulnerabilities, including:
– DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. Specifically targets Windows XP machines
– The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80. Specifically targets machines running Microsoft IIS 5.0 (Win2k/NT/XP)
• W32.Welchia.Worm does the following:
– Attempts to download the DCOM RPC patch from Microsoft's Windows Update Web site, install it, and then reboot the computer.
– Checks for active machines to infect by sending an ICMP echo request, or PING, which will result in increased ICMP traffic.
– Attempts to remove W32.Blaster.Worm.
Vernier Virus Filter – Maintain Network Health
[Diagram: CS 6500 Control Server and two AM 6500 Access Managers between the Internet and the users (Guest, Employees, Untrusted User, an Infected Laptop)]
• Stops the Propagation of the Virus to other devices
• Effectively isolates infected devices
• Stops DoS traffic at the network Edge
Vernier Virus Filter – Identify Infected Users
[Diagram: the CS 6500 Control Server reports User Name, MAC Address, Date and Matching Sessions for the Infected Laptop; AM 6500 Access Managers serve Guest, Employees and Untrusted User]
Vernier Virus Filter – Quick Cleanup
[Diagram: a Student’s Infected Laptop is placed in the INFECTED group by Role Based Policy and its HTTP traffic is redirected]
• Role Based Policy
• Groups: INFECTED
• Redirect HTTP Traffic
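The Sobig.f and Welchia slides list the network behaviours each worm produces (ICMP echo sweeps and TCP/135 probing for Welchia; TCP/123 "NTP" contacts and UDP/8998 sends for Sobig.f), and the Identify Infected Users and Quick Cleanup slides describe what a gateway does with that: report user name, MAC address, date and matching sessions, then move the device into an INFECTED group whose HTTP traffic is redirected. The following is an added example (not Vernier's code and not from the slides) that ties those two steps together over constructed flow records. The session table, the flow lines, the fan-out thresholds and the remediation host name are assumptions made for the example.

```python
"""Flag worm-like hosts from flow records and build their quarantine policy.

Added example, not Vernier's code and not from the slides: it applies the
behaviours the Sobig.f and Welchia slides list to constructed flow records,
produces the User Name / MAC Address / Date / Matching Sessions view of the
"Identify Infected Users" slide, and emits the INFECTED role of the "Quick
Cleanup" slide (HTTP redirected to a remediation page, everything else
dropped). Session table, flows, thresholds and host names are assumptions.
"""
import csv
import io
from collections import defaultdict

# Constructed controller session table: MAC -> authenticated user name.
SESSIONS = {
    "00:0c:29:aa:bb:01": "student42",
    "00:0c:29:aa:bb:02": "guest17",
    "00:0c:29:aa:bb:03": "employee9",
}

# Constructed flow log, one line per flow: time,src_mac,proto,dst_ip,dport.
SAMPLE_FLOWS = "\n".join(
    ["time,src_mac,proto,dst_ip,dport"]
    # Welchia-like: ICMP echo sweep across a subnet, then TCP/135 attempts
    + [f"2004-03-02T09:15:{i:02d},00:0c:29:aa:bb:01,icmp,10.1.0.{i},0" for i in range(1, 13)]
    + [f"2004-03-02T09:16:{i:02d},00:0c:29:aa:bb:01,tcp,10.1.0.{i},135" for i in range(1, 4)]
    # Sobig.f-like: TCP/123 to several remote hosts and one UDP/8998 send
    + [f"2004-03-02T10:02:{i:02d},00:0c:29:aa:bb:02,tcp,192.0.2.{i},123" for i in range(1, 4)]
    + ["2004-03-02T10:05:00,00:0c:29:aa:bb:02,udp,198.51.100.9,8998"]
    # Ordinary user: web browsing and a single ping
    + ["2004-03-02T11:00:00,00:0c:29:aa:bb:03,tcp,203.0.113.5,80",
       "2004-03-02T11:00:02,00:0c:29:aa:bb:03,tcp,203.0.113.6,443",
       "2004-03-02T11:00:05,00:0c:29:aa:bb:03,icmp,10.1.0.1,0"]
)

# (label, proto, dport, minimum distinct destinations). The thresholds are
# assumptions chosen for the sample: one ping is normal, a sweep is not.
SIGNATURES = [
    ("Welchia ICMP echo sweep", "icmp", 0, 10),
    ("Welchia DCOM RPC probing (TCP/135)", "tcp", 135, 3),
    ("Sobig.f NTP contacts (TCP/123)", "tcp", 123, 3),
    ("Sobig.f data send (UDP/8998)", "udp", 8998, 1),
]


def detect(flows_csv: str) -> dict:
    """Return {mac: {"user", "date", "matching_sessions"}} for hosts matching a signature."""
    targets = defaultdict(set)   # (mac, proto, dport) -> distinct destination IPs
    first_seen = {}              # mac -> date of its first flow
    for row in csv.DictReader(io.StringIO(flows_csv)):
        key = (row["src_mac"], row["proto"], int(row["dport"]))
        targets[key].add(row["dst_ip"])
        first_seen.setdefault(row["src_mac"], row["time"].split("T")[0])

    findings = {}
    for (mac, proto, dport), dsts in targets.items():
        for label, sig_proto, sig_port, min_dsts in SIGNATURES:
            if proto == sig_proto and dport == sig_port and len(dsts) >= min_dsts:
                entry = findings.setdefault(mac, {
                    "user": SESSIONS.get(mac, "<unauthenticated>"),
                    "date": first_seen[mac],
                    "matching_sessions": [],
                })
                entry["matching_sessions"].append(label)
    return findings


def quarantine(findings: dict, remediation_host: str = "remediation.example") -> dict:
    """Build the INFECTED role for each flagged MAC: HTTP goes to the cleanup
    page, everything else is dropped so the worm cannot reach other devices."""
    rules = [("redirect", "tcp", 80, remediation_host), ("deny", "any", None, None)]
    return {mac: list(rules) for mac in findings}


if __name__ == "__main__":
    found = detect(SAMPLE_FLOWS)
    for mac, info in found.items():
        print(info["user"], mac, info["date"], "; ".join(info["matching_sessions"]))
    print(quarantine(found))
```

Counting distinct destinations per (protocol, port) rather than raw packet counts is what separates the employee's single ping from the Welchia sweep, and keying everything by MAC lets the report join back to the controller's session table for the user name, which is the column the slide puts first.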
Vernier Networks Secures WLAN at PAC 10 University
“Using custom packet filtering capabilities of the Vernier system, we effectively halted the Welchia worm spread at the WLAN gateway.”
Christopher Chin, Network Exorcist
Needs
– Securing the network from untrusted users
– Identification of offensive behavior
– Roaming among campus buildings
Solution
– Multiple gateway approach
– Centralized control system for authentication and rights
– Distinct WLAN, one per building, VLAN’d back to “gateway”
Benefits
– Centralized authentication services
– Consistent security policies
– Instant support for all users, all devices
UC Berkeley – The Attack of the Welchia Virus
[Diagram: Internet connection to the Students and Other Users networks, with links marked X]
UC Berkeley – Halting the Spread of the Welchia Virus
[Diagram: the same network with an Added Virus Filter (“Filter Applied Here”)]
The Results
• Welchia related ICMP traffic was consuming the majority of available bandwidth
• Vernier was able to immediately block all undesirable traffic without affecting normal usage
Security vs Connectivity
[Diagram: Network Access spectrum from Closed to Open, with Appropriate Access between them]
The security minded strategy: closed systems with incremental services as needed
The access minded strategy: open systems with incremental security as needed
The pendulum is swinging towards a security approach. Modern worms and viruses are coming at us too fast - we’re spending all of our time chasing them! A more rational model of access through explicit permission is required!
Summary
• Security issues have moved into our networks
• Understanding trust models is imperative in evaluating solutions
• Access and connectivity needs demand solutions that prevent or eliminate breaches without wholesale reduction of services
Thank you!