security in the post-Internet era

University of Washington
Computing & Communications
security in the post-Internet era
Terry Gray
C&C all-hands meeting
09 March 2004

thesis
• the Open Internet is history
– “get over it”
• destroyed by predictable reaction to recent attacks
– but not without significant collateral damage
• replaced by the Indeterminate Internet
– that most people haven’t and won’t notice
• we can and must protect the needs of the few
– while still supporting the needs of the many

Internet metamorphosis
• 1969: “one network”
• 1983: “network of networks”
• 199-: “balkanization” begins
• 2003: “heat death” begins
• 2004: paradigm lost?

personal metamorphosis
• 1988: “five anti-interoperable networks” !!
• 2000: “network security credo” – manage those hosts!
• 2000: “my first NAT” – hardly hurt a bit
• 2002: S@LS planning – keeping the faith
• 2003: “slammer” – intervention
• 2003: “blaster” – wake
• 2004: “mydoom” – groundhog day
• 2005: “five anti-interoperable networks” ??

grief counseling
• coping with post-Internet intellectual trauma:
– denial
– anger
– bargaining
– depression
– acceptance
• I had not understood that all of these emotions can occur simultaneously!

UW network security chronology
• 1988: Five anti-interoperable networks
• 1994: Nebula shows network utility model viable
• 1998: Defined OSFA border blocking policy
• 2000: Published Network Security Credo
• 2000: Added source address spoof filters
• 2000: Proposed med ctr network zone
• 2000: Proposed server sanctuaries
• 2001: Ban clear-text passwords on C&C systems
• 2001: Proposed pervasive host firewalls
• 2001: Developed logical firewall solution
• 2002: Developed Project-172 solution
• 2003: Slammer, Blaster… death of the Internet
• 2003: Begin work on flex-net architecture

security-related trends
• more life-critical applications
• more wireless use
• more VoIP (and soon, VoWLAN)
• faster networks
• class action lawsuits
• RIAA subpoenas
• SEC filings to include security info?
• more sophisticated attacks
• more spyware, encrypted backdoors
• less sophisticated attackers
• profit motive for attacks

end of an era
• gone: the open Internet (connection transparency)
• going: autonomous unmanaged PCs
• at risk: full digital convergence?
• the network utility model is dead
– once hosts were all equally accessible
– once network jacks were all the same (‘cept speed)
– once all application ports were open
• welcome to the indeterminate Internet
– “Heisenberg/Einstein” networking...
– uncertain and relativistic connectivity
– you can make no assumptions about what should work

how we lost it: inevitable trainwreck?
• fundamental contradiction
– networking is about connectivity
– security is about isolation
• conflicting roles and goals
– vendors
– networkers
– security people
– sys admins
– oh yeah… and the users
• insecurity = liability
– liability trumps innovation
– liability trumps operator concerns
– liability trumps user concerns

how we lost it: disconnects
• failure of “computer security”
– vendors gave customers what they wanted, not what they needed
– responsibility/authority/accountability disconnects guaranteed failure
– the network brought the trouble; the network should fix it
• failure of networkers to understand what users wanted
– not a completely open Internet!
– importance of “unlisted numbers”

observations
• feedback loop:
– closed nets encourage constrained apps
– constrained apps encourage closed nets
• thus: the Indeterminate Internet may become the Single-Port Internet
• tunneling, encryption trends undermine perimeter defense effectiveness
• isolation strategies are limited by how many devices you want on your desk.
• blaster: triggered more perimeter defense, but showed futility of conventional perimeter defense

consequences
• more closed nets & VPNs (bug or feature?)
• more tunneling – “firewall friendly” apps
• more encryption (thanks to RIAA)
• more collateral harm – attack + remedy
• worse MTTR (complexity, broken tools)
• constrained innovation (e.g. p2p, voip)
• cost shifted from “guilty” to “innocent”
• pressure to fix problem at border
• pressure for private nets
• pressure to make network topology match organization boundaries

roads not taken
• what if windows XP had shipped with its integral firewall turned on?
• what if UW had mandated and funded positive desktop control?
• too late… so what can we do now to “protect and serve” our constituency in the post-Internet era?

bonus slides!

design tradeoffs
• networks = connectivity; security = isolation
• fault zone size vs. economy/simplicity
• reliability vs. complexity
• prevention vs. (fast) remediation
• security vs. supportability vs. functionality (conflicting admin, ops, user perspectives)
• differences in NetSec approaches relate to:
– balancing priorities (security vs. ops vs. function)
– local technical and institutional feasibility

design tradeoff examples
• defense-in-depth conjecture (for N layers)
– Security: MTTE (exploit) ∝ N**2
– Functionality: MTTI (innovation) ∝ N**2
– Supportability: MTTR (repair) ∝ N**2
• Perimeter Protection Paradox (for D devices)
– Firewall efficiency/value ∝ D
– Firewall effectiveness ∝ 1 / D
• border blocking criteria (OSFA policy)
– Threat can’t reasonably be addressed at edge
– Won’t harm network (performance, stateless block)
– Widespread consensus to do it
• security by IP address

preserving the network utility model
• goal: connection transparency
• importance: improves MTTR, innovation
• status: globally, dead… locally, ???
• incompatible with perimeter security?
• NUM-preserving perimeter defense
– Logical Firewalls
– Project 172
• foiled: security based on static IP addresses
– Requires all hosts be reconfigured

lines of defense
• Network isolation for critical services.
• Host integrity. (Make the OS net-safe.)
• Host perimeter. (OS integrity; firewalling)
• Cluster/lab perimeter.
• Network zone perimeter.
• Real-time attack detection and containment.

next-gen network architecture
• parallel networks; more redundancy
• supportable (geographic) topology
• med ctr subnets = separate backbone zone
• perimeter, sanctuary, and end-point defense
• higher performance
• high-availability strategies
– Workstations spread across independent nets
– Redundant routers
– Dual-homed servers

final metamorphosis
• success then
– transparent/open Internet (network utility model)
– effective end-point security
• success now?
– nobody gets hurt, nobody goes to jail
– “works fine, lasts a long time”
– easy to diagnose/fix
– flexible connection transparency choices
– unfair cost-shifting avoided

lessons
• net reliability & host security are inextricably linked
• five 9s (5 min/yr) is hard (unless we only attach phones?)
• even host firewalls don’t guarantee safety
• perimeter firewalls may increase user confusion, MTTR
• perimeter firewalls won’t stop next-generation attacks
• it only takes one compromise inside to defeat a firewall
• Nebula existence proof: security in an open network
• DDOS attacks: defense-in-depth is a Good Thing
• controlling net devices is hard -- hublets, wireless
• security via static IP configuration does not scale
• never underestimate non-technical barriers to progress

questions? comments?