Mapping the Internet and Intranets


Internet Mapping, Columbia
Clear and Present Dangers
Bill Cheswick
Lumeta Corp.
[email protected]

Clear and Present Dangers
Perimeter Leaks
Poor host security

Mapping the Internet and Intranets
Bill Cheswick
[email protected]
http://www.cheswick.com

Motivations
• Intranets are out of control
– Always have been
• Highlands “day after” scenario
• Internet tomography
• Curiosity about size and growth of the Internet
• Same tools are useful for understanding any large network, including intranets
• Panix DOS attacks
– a way to trace anonymous packets back!

Related Work
• See Martin Dodge’s cyber geography page
• MIDS - John Quarterman
• CAIDA - kc claffy
• Mercator
• “Measuring ISP topologies with rocketfuel” - 2002
– Spring, Mahajan, Wetherall
• Enter “internet map” in your search engine

The Goals
• Long term reliable collection of Internet and Lucent connectivity information
– without annoying too many people
– movie of Internet growth!
• Develop tools to probe intranets
• Probe the distant corners of the Internet
• Attempt some simple visualizations of the data

Methods - data collection
• Single reliable host connected at the company perimeter
• Daily full scan of Lucent
• Daily partial scan of Internet, monthly full scan
• One line of text per network scanned
– Unix tools

Methods - network scanning
• Obtain master network list
– network lists from Merit, RIPE, APNIC, etc.
– BGP data or routing data from customers
– hand-assembled list of Yugoslavia/Bosnia
• Run a traceroute-style scan towards each network
• Stop on error, completion, no data
– Keep the natives happy

TTL probes
• Used by traceroute and other tools
• Probes toward each target network with increasing TTL
• Probes are ICMP, UDP, TCP to port 80, 25, 139, etc.
• Some people block UDP, others ICMP

TTL probes
[Diagram: a client, four router hops (Hop 1 through Hop 4) and a server; each box shows the Application, TCP/UDP, IP and Hardware layers, with the routers handling only the IP and Hardware layers]
Send a packet with a TTL of 1…
…and we get the death notice from the first hop
Send a packet with a TTL of 2…
… and so on …

Advantages
• We don’t need access (i.e. SNMP) to the routers
• It’s very fast
• Standard Internet tool: it doesn’t break things
• Insignificant load on the routers
• Not likely to show up on IDS reports
• We can probe with many packet types

Limitations
• Outgoing paths only
• Level 3 (IP) only
– ATM networks appear as a single node
– This distorts graphical analysis
• Not all routers respond
• Many routers limited to one response per second

Limitations
• View is from scanning host only
• Takes a while to collect alternating paths
• Gentle mapping means missed endpoints
• Imputes non-existent links

[Diagram: nodes A through F, with the scanning host at A and two alternative routes toward F]
The data can go either way
But our test packets only go part of the way
We record the hop…
The next probe happens to go the other way
…and we record the other hop…
We’ve imputed a link that doesn’t exist

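The sequence above, as an added example that is not part of the slides: a traceroute-style tracer over a constructed six-node topology (A reaches F via B-D or via C-E, with no B-E link) shows how hop-by-hop recording imputes a B-E link when each TTL's probe is hashed onto a different path. The `fixed_flow` variant is an added remedy, not something the slides describe.

```python
"""Added example (not from the slides): a traceroute-style tracer over the
six-node diagram showing how a link that does not exist (B to E) gets
imputed when successive probes take different paths."""

# Constructed topology for the diagram: scanning host A reaches F either
# via B-D or via C-E.  There is deliberately no link between B and E.
TOPOLOGY = {
    "A": {"B", "C"}, "B": {"A", "D"}, "C": {"A", "E"},
    "D": {"B", "F"}, "E": {"C", "F"}, "F": {"D", "E"},
}

def shortest_paths(src, dst):
    """All shortest simple paths from src to dst, in a fixed order."""
    found = []

    def walk(path):
        if path[-1] == dst:
            found.append(list(path))
            return
        for nxt in sorted(TOPOLOGY[path[-1]]):
            if nxt not in path:
                path.append(nxt)
                walk(path)
                path.pop()

    walk([src])
    best = min(len(p) for p in found)
    return [p for p in found if len(p) == best]

def probe(src, dst, ttl, flow_id):
    """The hop that answers a probe: the router where the TTL expires, or dst
    itself once the TTL is large enough.  A load-balancing router chooses
    among equal-cost paths by hashing the flow id."""
    paths = shortest_paths(src, dst)
    path = paths[flow_id % len(paths)]
    return path[min(ttl, len(path) - 1)]

def trace(src, dst, flow_id_for_ttl, max_ttl=8):
    """Classic traceroute loop: one probe per TTL, stop when dst answers."""
    hops = [src]
    for ttl in range(1, max_ttl + 1):
        hop = probe(src, dst, ttl, flow_id_for_ttl(ttl))
        hops.append(hop)
        if hop == dst:
            break
    return hops

def links_from_trace(hops):
    """The mapper's assumption: consecutive answering hops are adjacent."""
    return {frozenset((a, b)) for a, b in zip(hops, hops[1:])}

def imputed_links(links):
    """Recorded links that the real topology does not contain."""
    bad = set()
    for link in links:
        a, b = tuple(link)
        if b not in TOPOLOGY[a]:
            bad.add(link)
    return bad

def varying_flow(ttl):
    """Classic traceroute changes the UDP port, hence the flow id, per probe."""
    return ttl + 1

def fixed_flow(ttl):
    """Added remedy, not from the slides: keep one flow id for the whole trace."""
    return 7

if __name__ == "__main__":
    for name, flow in (("varying flow", varying_flow), ("fixed flow", fixed_flow)):
        hops = trace("A", "F", flow)
        print(name, hops, "imputed:", imputed_links(links_from_trace(hops)))
```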
Data collection complaints
• Australian parliament was the first to complain
• List of whiners (25 nets)
• Military noticed immediately
– Steve Northcutt
– arrangements/warnings to DISA and CERT
• These complaints are mostly a thing of the past
– Internet background radiation predominates

Visualization goals
• make a map
– show interesting features
– debug our database and collection methods
– hard to fold up
• geography doesn’t matter
• use colors to show further meaning

Infovis state-of-the-art in 1998
• 800 nodes was a huge graph
• We had 100,000 nodes
• Use spring-force simulation with lots of empirical tweaks
• Each layout needed 20 hours of Pentium time

Visualization of the layout algorithm
Laying out the Internet graph

Visualization of the layout algorithm
Laying out an intranet

A simplified map
• Minimum distance spanning tree uses 80% of the data
• Much easier visualization
• Most of the links still valid
• Redundancy is in the middle

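An added example (not the slides' own code) of the simplification described above: a breadth-first shortest-path tree rooted at the scanning host over a constructed link set, reporting what fraction of the links survive and at what depth the dropped redundant links sit. The link list, node names and the leaf-prefix convention are assumptions made for the example.

```python
"""Added example (not from the slides): reduce a mapped link graph to the
minimum-distance spanning tree rooted at the scanning host and measure
how much of the data survives and where the dropped redundancy lies."""
from collections import deque

# Constructed link list: scanning host S, a core of routers R1..R6 with
# redundant cross links, and leaf networks N1..N4 at the edge.
LINKS = [
    ("S", "R1"), ("S", "R2"),
    ("R1", "R3"), ("R1", "R4"), ("R2", "R3"), ("R2", "R4"), ("R3", "R4"),
    ("R3", "R5"), ("R4", "R6"), ("R5", "R6"),
    ("R5", "N1"), ("R5", "N2"), ("R6", "N3"), ("R6", "N4"),
]

def adjacency(links):
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj

def spanning_tree(links, root):
    """Breadth-first search from the root: each node keeps the link through
    which it was first reached, so every tree link lies on a shortest path
    from the scanning host.  Returns (tree links, hop distance per node)."""
    adj = adjacency(links)
    depth = {root: 0}
    tree = set()
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for nxt in sorted(adj[node]):
            if nxt not in depth:
                depth[nxt] = depth[node] + 1
                tree.add(frozenset((node, nxt)))
                queue.append(nxt)
    return tree, depth

def simplify(links, root):
    """Summarise what the simplified map keeps and what it throws away."""
    tree, depth = spanning_tree(links, root)
    dropped = [frozenset(l) for l in links if frozenset(l) not in tree]
    # Depth of the shallower end of each dropped link: where the redundancy is.
    dropped_depths = sorted(min(depth[n] for n in l) for l in dropped)
    return {
        "tree": tree,
        "dropped": dropped,
        "kept_fraction": len(tree) / len(links),
        "dropped_depths": dropped_depths,
    }

def leaf_links_kept(links, root, leaf_prefix="N"):
    """True if every link to a leaf network survived the simplification."""
    tree = spanning_tree(links, root)[0]
    return all(frozenset(l) in tree
               for l in links if any(n.startswith(leaf_prefix) for n in l))

if __name__ == "__main__":
    r = simplify(LINKS, "S")
    print(f"kept {len(r['tree'])} of {len(LINKS)} links ({r['kept_fraction']:.0%})")
    print("dropped links sit at depths", r["dropped_depths"])
```

On this input the tree keeps 10 of 14 links and every dropped link is a core cross link, the "redundancy in the middle" the slide refers to.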
Colored by AS number

Map Coloring
• distance from test host
• IP address
– shows communities
• Geographical (by TLD)
• ISPs
• future
– timing, firewalls, LSRR blocks

Colored by IP address!

Colored by geography

Colored by ISP

Colored by distance from scanning host

US military reached by ICMP ping

US military networks reached by UDP

Yugoslavia
An unclassified peek at a new battlefield

A film by Steve “Hollywood” Branigan...

fin

Routers in New York City missing generator fuel
[Chart: number of routers (1000 to 1400) by date, 9/11 through 9/22]

Intranets

We partition our networks to get out of the game
• Companies, governments, departments, even families hide in enclaves to limit connectivity to approved services
• These are called intranets
• The decentralized, cloud-like nature of internets makes them hard to manage at a central point
• My company explores the extent of intranets and their interconnections with other networks.

Intranets: the rest of the Internet

This was supposed to be a VPN

Anything large enough to be called an “intranet” is out of control

Case studies: corp. networks
Some intranet statistics

Statistic                               Min       Max
Intranet sizes (devices)                7,900     365,000
Corporate address space                 81,000    745,000,000
% devices in unknown address space      0.01%     20.86%
% routers responding to "public"        0.14%     75.50%
% routers responding to other           0.00%     52.00%
Outbound host leaks on network          0         176,000
% devices with outbound ICMP leaks      0%        79%
% devices with outbound UDP leaks       0%        82%
Inbound UDP host leaks                  0         5,800
% devices with inbound ICMP leaks       0%        11%
% devices with inbound UDP leaks        0%        12%
% hosts running Windows                 36%       84%

Leak Detection
[Diagram: hosts A, B, C and D, labeled Mapping host and Test host, spanning the intranet and the Internet]
• A sends packet to B, with spoofed return address of D
• If B can, it will reply to D with a response, possibly through a different interface

Leak Detection
• Packet must be crafted so the response won’t be permitted through the firewall
• A variety of packet types and responses are used
• Either inside or outside address may be discovered
• Packet is labeled so we know where it came from

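An added, defender-side counterpart to the leak described above (not Lumeta's probe method and not from the slides): the same condition, a packet crossing between intranet and Internet on an interface other than the firewall's, checked over constructed per-packet flow records. The intranet prefix, the interface name and the record format are assumptions made for the example.

```python
"""Added example (not from the slides): flag perimeter leaks from flow
records.  A packet that crosses between the intranet and the Internet on any
interface other than the firewall's is a leak, whichever direction it goes."""
import ipaddress

# Assumptions (constructed, not from the slides): the intranet is 10.0.0.0/8,
# every packet between intranet and Internet must traverse interface "fw0",
# and the router exports one record per packet as "src dst iface".
INTRANET = ipaddress.ip_network("10.0.0.0/8")
PERIMETER_IFACE = "fw0"

# Constructed sample records: two legitimate exits, one host replying out a
# DSL line, one host reachable from outside over a modem, one internal flow.
FLOW_RECORDS = """\
10.1.2.3 192.0.2.10 fw0
10.1.2.3 192.0.2.10 fw0
10.4.4.4 192.0.2.10 dsl1
192.0.2.77 10.9.9.9 modem0
10.5.5.5 10.6.6.6 lan0
192.0.2.77 10.9.9.9 modem0
"""

def classify(src, dst, iface):
    """None for legitimate traffic, else 'outbound' or 'inbound' leak."""
    src_in = ipaddress.ip_address(src) in INTRANET
    dst_in = ipaddress.ip_address(dst) in INTRANET
    if src_in == dst_in:
        return None          # purely internal or purely external: not our perimeter
    if iface == PERIMETER_IFACE:
        return None          # crossed the perimeter where policy says it should
    return "outbound" if src_in else "inbound"

def find_leaks(records):
    """Map each leaking intranet host to the (direction, interface) pairs seen."""
    leaks = {}
    for line in records.splitlines():
        if not line.strip():
            continue
        src, dst, iface = line.split()
        kind = classify(src, dst, iface)
        if kind is None:
            continue
        host = src if kind == "outbound" else dst
        leaks.setdefault(host, set()).add((kind, iface))
    return leaks

if __name__ == "__main__":
    for host, evidence in sorted(find_leaks(FLOW_RECORDS).items()):
        print(host, sorted(evidence))
```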
Existence proofs of intranet leaks: the slammer worm
• It’s a pop-quiz on perimeter integrity
• The best run networks (e.g. spooks’ nets) do not get these plagues
– Internal hosts may be susceptible

Some Lumeta lessons
• Reporting is the really hard part
– Converting data to information
• “Tell me how we compare to other clients”
• Offering a service was good practice, for a while
• The clients want a device
• We have >70 Fortune-200 companies and government agencies as clients
• Need-to-have vs. want-to-have

Honeyd – network emulation
• Anti-hacking tools by Niels Provos at citi.umich.edu
• Can respond as one or more hosts
• I am configuring it to look like an entire client’s network
• Useful for testing and debugging
• Product?

History of the Project
• Started in August 1998 at Bell Labs
• April-June 1999: Yugoslavia mapping
• July 2000: first customer intranet scanned
• Sept. 2000: spun off Lumeta from Lucent/Bell Labs
• June 2002: “B” round funding completed
• 2003: sales >$4MM

Mapping the Internet and Intranets
Bill Cheswick
[email protected]
http://www.cheswick.com

My Dad’s Computer and the Future of Internet Security
Bill Cheswick
[email protected]
http://www.lumeta.com

My Dad’s computer
Skinny-dipping with Microsoft

Case study: My Dad’s computer
• Windows XP, plenty of horsepower, two screens
• Applications:
– Email (Outlook)
– “Bridge:” a fancy stock market monitoring system
– AIM

Case study: My Dad’s computer
• Cable access
• dynamic IP address
• no NAT
• no firewall
• outdated virus software
• no spyware checker

This computer was a software toxic waste dump
• It was burning a liter of oil every 500 km
• The popups seemed darned distracting to me

My Dad’s computer: what the repair geek found
• Everything
• “Viruses I’ve never heard of”
• Constant popups
• Frequent blasts of multiple web pages, all obscene
• Dad: why do I care? I am getting my work done

Dad’s computer: how did he get in this mess?
• He doesn’t know what the popup security messages mean
• Email-borne viruses
• Unsecured network services
• Executable code in web pages from unworthy sites

He is getting his work done
• Didn’t want a system administrator to mess up his user interface settings
• Truly destructive attacks are rare
– They aren’t lucrative or much fun
– They are self-limiting

Recently
• An alien G-rated screen saver for an X-rated site appeared
• Changing the screen saver worked!
• The screen saver software removed in the correct way!
• Still, this should never have happened

Skinny Dipping on the Internet

I’ve been skinny dipping on the Internet for years
• FreeBSD and Linux hosts
• Very few, very hardened network services
• Single-user hosts
• Dangerous services placed in sandboxes
• No known breakins
• No angst

“Best block is not be there”
-Karate Kid

Angst and the Morris Worm
• Did the worm get past my firewall?
• No. Why?
– Partly smart design
– Partly luck…removing fingerd
• Peace of mind comes from staying out of the battle altogether

“You’ve got to get out of the game”
-Fred Grampp

Can my Dad (and millions like him) get out of the game?

Arms Races

Virus arms race
• Early on, detectors used viral signatures
• Virus encryption and recompilation (!) has thwarted this
• Virus detectors now simulate the code, looking for signature actions
• Virus writers now detect emulation and behave differently
• Virus emulators are slowing down, even with Moore’s Law.

Virus arms race
• I suspect that virus writers are going to win the detection battle, if they haven’t already
– Emulation may become too slow
– Even though we have the home-field advantage
– Will we know if an undetectable virus is released?
• Best defense is to get out of the game.
– Don’t run portable programs, or
– Improve our sandbox technology
• People who really care about this worry about Ken Thompson’s attack
– Read and understand “On Trusting Trust”

Getting out of the virus game
• Don’t execute roving programs of unknown provenance
• Trusted Computing can fix the problem, in theory

Password sniffing and cracking arms race
• Ethernet has always been sniffable
• WiFi is the new Ethernet

Password sniffing and cracking arms race
• Password cracking works 3% to 60% of the time using offline dictionary attacks
– More, if the hashing is misdesigned (cf. Microsoft)
• This will never get better, so…
• We have to get out of the game

Password sniffing and cracking arms race
• This battle is mostly won, thanks to SSL, IPsec, and VPNs.
• There are many successful businesses using these techniques nicely.

Password sniffing is not a problem for Dad
• SSL fixes most of it
• AIM is interceptible
– Fixable…will it be?

Authentication/Identification Arms races
• Password/PIN selection vs. cracking
• Human-chosen passwords and PINs can be ok if guessing is limited, and obvious choices are suppressed
• Password cracking is getting better, thanks to Moore’s Law and perhaps even botnets

We don’t know how to leave the user in charge of security decisions, safely.

User education vs. user deception
• We will continue losing this one
• Even experts sometimes don’t understand the ramifications of choices they are offered

Authentication arms race: predictions
• USA needs two factor authentication for social security number. (Something better than MMN or birth date.)
• I don’t see this improving much, but a global USB dongle would do it
• Don’t wait for world-wide PKI.

Arms race (sort of): hardware destruction
• IBM monochrome monitor
• Some more recent monitors
– Current ones?
• Hard drives? Beat the heads up?
• EEPROM write limits
– Viral attack on .cn and .kr PC motherboards
– Other equipment
• Anything that requires a hardware on-site service call

Arms race (sort of): hardware destruction
• Rendering the firmware useless
– This can be fixed (mostly) with a secure trusted computing base.

Software upgrade race: literally a race
• Patches are analyzed to determine the weakness
• Patch-to-exploit time is now down below 10 hours
– NB: spammers have incentive to do this work
• Now the good guys are trying to obfuscate code!
• Future difficult to say: dark side obscures everything.

Arms Races: deception
• Jails
– Cliff Stoll and SDInet
• Honeypots
– Honeynet
– honeyd
• The deception toolkit---Fred Cohen

Microsoft client security
It has been getting worse: can they skinny-dip safely?

Windows ME
Active Connections - Win ME

Proto  Local Address        Foreign Address  State
TCP    127.0.0.1:1032       0.0.0.0:0        LISTENING
TCP    223.223.223.10:139   0.0.0.0:0        LISTENING
UDP    0.0.0.0:1025         *:*
UDP    0.0.0.0:1026         *:*
UDP    0.0.0.0:31337        *:*
UDP    0.0.0.0:162          *:*
UDP    223.223.223.10:137   *:*
UDP    223.223.223.10:138   *:*

Windows 2000

Proto  Local Address          Foreign Address  State
TCP    0.0.0.0:135            0.0.0.0:0        LISTENING
TCP    0.0.0.0:445            0.0.0.0:0        LISTENING
TCP    0.0.0.0:1029           0.0.0.0:0        LISTENING
TCP    0.0.0.0:1036           0.0.0.0:0        LISTENING
TCP    0.0.0.0:1078           0.0.0.0:0        LISTENING
TCP    0.0.0.0:1080           0.0.0.0:0        LISTENING
TCP    0.0.0.0:1086           0.0.0.0:0        LISTENING
TCP    0.0.0.0:6515           0.0.0.0:0        LISTENING
TCP    127.0.0.1:139          0.0.0.0:0        LISTENING
UDP    0.0.0.0:445            *:*
UDP    0.0.0.0:1038           *:*
UDP    0.0.0.0:6514           *:*
UDP    0.0.0.0:6515           *:*
UDP    127.0.0.1:1108         *:*
UDP    223.223.223.96:500     *:*
UDP    223.223.223.96:4500    *:*

Windows XP, this laptop

Proto  Local Address          Foreign Address  State
TCP    ches-pc:epmap          ches-pc:0        LISTENING
TCP    ches-pc:microsoft-ds   ches-pc:0        LISTENING
TCP    ches-pc:1025           ches-pc:0        LISTENING
TCP    ches-pc:1036           ches-pc:0        LISTENING
TCP    ches-pc:3115           ches-pc:0        LISTENING
TCP    ches-pc:3118           ches-pc:0        LISTENING
TCP    ches-pc:3470           ches-pc:0        LISTENING
TCP    ches-pc:3477           ches-pc:0        LISTENING
TCP    ches-pc:5000           ches-pc:0        LISTENING
TCP    ches-pc:6515           ches-pc:0        LISTENING
TCP    ches-pc:netbios-ssn    ches-pc:0        LISTENING
TCP    ches-pc:3001           ches-pc:0        LISTENING
TCP    ches-pc:3002           ches-pc:0        LISTENING
TCP    ches-pc:3003           ches-pc:0        LISTENING
TCP    ches-pc:5180           ches-pc:0        LISTENING
UDP    ches-pc:microsoft-ds   *:*
UDP    ches-pc:isakmp         *:*
UDP    ches-pc:1027           *:*
UDP    ches-pc:3008           *:*
UDP    ches-pc:3473           *:*
UDP    ches-pc:6514           *:*
UDP    ches-pc:6515           *:*
UDP    ches-pc:netbios-ns     *:*
UDP    ches-pc:netbios-dgm    *:*
UDP    ches-pc:1900           *:*
UDP    ches-pc:ntp            *:*
UDP    ches-pc:1900           *:*
UDP    ches-pc:3471           *:*

FreeBSD partition, this laptop (getting out of the game)
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address
tcp4       0      0 *.22
tcp6       0      0 *.22

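An added example (not from the slides) for reading listings like the ones above: a parser that accepts both the Windows `addr:port` and the BSD `addr.port` layouts and classifies each listener as loopback-only, bound to every interface, bound to one interface, or unresolved (the XP listing prints the host name because `netstat` was run without `-n`). The two sample listings are the Windows ME and FreeBSD tables from the slides, re-typed as constructed input.

```python
"""Added example (not from the slides): parse netstat listener tables in
both the Windows (addr:port) and BSD (addr.port) layouts and classify
each listener by how exposed it is."""

# The Windows ME and FreeBSD listings from the slides, re-typed here as
# constructed sample input; each listing starts at its header row.
WIN_ME = """\
Proto  Local Address        Foreign Address  State
TCP    127.0.0.1:1032       0.0.0.0:0        LISTENING
TCP    223.223.223.10:139   0.0.0.0:0        LISTENING
UDP    0.0.0.0:1025         *:*
UDP    0.0.0.0:1026         *:*
UDP    0.0.0.0:31337        *:*
UDP    0.0.0.0:162          *:*
UDP    223.223.223.10:137   *:*
UDP    223.223.223.10:138   *:*
"""

FREEBSD = """\
Proto Recv-Q Send-Q Local Address
tcp4       0      0 *.22
tcp6       0      0 *.22
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
WILDCARD = {"0.0.0.0", "*", "::", "[::]"}

def split_endpoint(text):
    """'addr:port' (Windows) or 'addr.port' (BSD) -> (addr, port)."""
    sep = ":" if ":" in text else "."
    addr, _, port = text.rpartition(sep)
    return addr, port

def exposure(addr):
    if addr in LOOPBACK:
        return "loopback"
    if addr in WILDCARD:
        return "all-interfaces"
    if addr and (addr[0].isdigit() or addr[0] == "["):
        return "one-interface"
    # netstat without -n prints the host name instead of the bound address
    # (the XP listing on the slides shows this), so the scope is unknown.
    return "unresolved"

def parse_listeners(listing):
    """One dict per listening socket; established TCP rows are skipped."""
    rows = []
    for line in listing.splitlines()[1:]:
        fields = line.split()
        if not fields:
            continue
        proto = fields[0].lower()
        # BSD layout has numeric Recv-Q/Send-Q columns before the address.
        local = fields[3] if len(fields) > 3 and fields[1].isdigit() else fields[1]
        last = fields[-1]
        state = last if last.isupper() and last.replace("_", "").isalpha() else ""
        if proto.startswith("tcp") and state not in ("LISTENING", "LISTEN", ""):
            continue
        addr, port = split_endpoint(local)
        rows.append({"proto": proto, "addr": addr, "port": port,
                     "exposure": exposure(addr)})
    return rows

def summarize(listing):
    """Counts per exposure class plus the listeners reachable off-host."""
    rows = parse_listeners(listing)
    counts = {}
    for r in rows:
        counts[r["exposure"]] = counts.get(r["exposure"], 0) + 1
    exposed = [f"{r['proto']} {r['addr']}:{r['port']}"
               for r in rows if r["exposure"] != "loopback"]
    return counts, exposed

if __name__ == "__main__":
    for name, listing in (("Windows ME", WIN_ME), ("FreeBSD", FREEBSD)):
        print(name, *summarize(listing))
```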
It is easy to dump on Microsoft, but many others have made the same mistakes before

Default services
SGI workstation

ftp      stream tcp nowait root     /v/gate/ftpd
telnet   stream tcp nowait root     /usr/etc/telnetd
shell    stream tcp nowait root     /usr/etc/rshd
login    stream tcp nowait root     /usr/etc/rlogind
exec     stream tcp nowait root     /usr/etc/rexecd
finger   stream tcp nowait guest    /usr/etc/fingerd
bootp    dgram  udp wait   root     /usr/etc/bootp
tftp     dgram  udp wait   guest    /usr/etc/tftpd
ntalk    dgram  udp wait   root     /usr/etc/talkd
tcpmux   stream tcp nowait root     internal
echo     stream tcp nowait root     internal
discard  stream tcp nowait root     internal
chargen  stream tcp nowait root     internal
daytime  stream tcp nowait root     internal
time     stream tcp nowait root     internal
echo     dgram  udp wait   root     internal
discard  dgram  udp wait   root     internal
chargen  dgram  udp wait   root     internal
daytime  dgram  udp wait   root     internal
time     dgram  udp wait   root     internal
sgi-dgl  stream tcp nowait root/rcv dgld
uucp     stream tcp nowait root     /usr/lib/uucp/uucpd

More default services

mountd/1            stream rpc/tcp wait/lc root rpc.mountd
mountd/1            dgram  rpc/udp wait/lc root rpc.mountd
sgi_mountd/1        stream rpc/tcp wait/lc root rpc.mountd
sgi_mountd/1        dgram  rpc/udp wait/lc root rpc.mountd
rstatd/1-3          dgram  rpc/udp wait    root rpc.rstatd
walld/1             dgram  rpc/udp wait    root rpc.rwalld
rusersd/1           dgram  rpc/udp wait    root rpc.rusersd
rquotad/1           dgram  rpc/udp wait    root rpc.rquotad
sprayd/1            dgram  rpc/udp wait    root rpc.sprayd
bootparam/1         dgram  rpc/udp wait    root rpc.bootparamd
sgi_videod/1        stream rpc/tcp wait    root ?videod
sgi_fam/1           stream rpc/tcp wait    root ?fam
sgi_snoopd/1        stream rpc/tcp wait    root ?rpc.snoopd
sgi_pcsd/1          dgram  rpc/udp wait    root ?cvpcsd
sgi_pod/1           stream rpc/tcp wait    root ?podd
tcpmux/sgi_scanner  stream tcp     nowait  root ?scan/net/scannerd
tcpmux/sgi_printer  stream tcp     nowait  root ?print/printerd
9fs                 stream tcp     nowait  root /v/bin/u9fs u9fs
webproxy            stream tcp     nowait  root /usr/local/etc/webserv

Firewalls and intranets try to get us out of the network services vulnerability game

What my dad (and most of you) really needs

Most of my Dad’s problems are caused by weaknesses in features he never uses or needs.

A proposal: Windows OK

Windows OK
• Thin client implemented with Windows
• It would be fine for maybe half the Windows users
– Students, consumers, many corporate and government users
• It would be reasonable to skinny dip with this client
– Without firewall or virus checking software

Windows OK
• No network listeners
– None of those services are needed, except admin access for centrally-administered hosts
• Default security settings
• All security controls in one or two places
• Security settings can be locked

Windows OK (cont)
• There should be nothing you can click on, in email or a web page, that can hurt your computer
– No portable programs are executed ever, except…
• ActiveX from approved parties
– MSFT and one or two others. List is lockable

Windows OK
• Reduce privileges in servers and all programs
• Sandbox programs
– Belt and suspenders

Office OK
• No macros in Word or PowerPoint. No executable code in PowerPoint files
• The only macros allowed in Excel perform arithmetic. They cannot create files, etc.

Vulnerabilities in OK
• Buffer overflows in processing of data (not from the network)
• Stop adding new features and focus on bug fixes
• Programmers can clean up bugs, if they don’t have a moving target
– It converges, to some extent

XP SP2
Bill Gets It

Microsoft’s Augean Stables: a task for Hercules
• 3000 oxen, 30 years, that’s roughly one ox-day per line of code in Windows
• It’s been getting worse since Windows 95

XP SP2: Bill gets it
• “a feature you don’t use should not be a security problem for you.”
• “Security by design”
– Too late for that, it’s all retrofitting now
• “Security by default”
– No network services on by default
• Security control panel
– Many things missing from it
– Speaker could not find ActiveX security settings
• There are a lot of details that remain to be seen.

Microsoft really means it about improving their security
• Their security commitment appears to be real
• It is a huge job
• Opposing forces are unclear to me
• It’s been a long time coming, and frustrating

Microsoft secure client arms race
• We are likely to win, but it is going to be a while

SP2 isn’t going to be easy to deploy
• Many people rely on unsafe configurations, even if they don’t realize it
• Future SPs won’t be easy either, especially if they follow my advice

Windows XP SP2
• Candidate 2 release is available
• Read the EULA…it is interesting and a bit different

SP2 is just a start: more work is needed
• Security panel and ActiveX permissions
– Also, list of trusted signers needed
• Still too many network services
– They may not be reachable from outside the box
• Clicking may still be dangerous

Conclusions: we ought to win these battles
• We control the playing field
• DOS is the worst they can do, in theory
• We can replicate our successes
• We can converge on a secure-enough environment

Conclusions: problems
• The business models to achieve these successes seem surprisingly elusive to me
• Security devices, and stand-alone devices, are close to meeting our needs
– Except full-functioned routers
• General purpose computers are the big problem
– Apparently features are more important than security, to the customers
– Is this really true?

My Dad’s Computer and the Future of Internet Security
Bill Cheswick
[email protected]
http://www.lumeta.com