Patrolling - Cheswicks


Identifying and Patrolling your True Network Perimeter
Bill Cheswick
[email protected]
http://www.lumeta.com
105 slides
Talk Outline
• A little personal history concerning perimeter
defenses
• Outside: mapping the Internet
• A discussion of perimeter defenses
• Strong host security
• Mapping and understanding intranets
• The past and future of Microsoft host security:
– my Dad’s computer
• Ned will show you some details of our product
Pondering Perimeters: GFIRST Orlando
2 of 105
A short bio regarding Internet perimeters
• Started at Bell Labs in December 1987
– Immediately took over postmaster and
firewall duties
• Good way to learn the ropes, which was my
intention
Morris worm hit in Nov 1988
• Heard about it on NPR
– Had a “sinking feeling” about it
• The home-made firewall worked
– No fingerd
– No sendmail (we rewrote the mailer)
• Intranet connection to Bellcore
• We got lucky
• Bell Labs had 1330 hosts
• Corporate HQ didn’t know or care
Action items
• Shut down the unprotected connection to
Bellcore
– What we now call a “routing leak”
• Redesign the firewall for much more
capacity, and no “sinking feeling”
– (VAX 750, load average of 15)
• Write a paper on it
– “if you don’t write it up, you didn’t do the
work”
Old gateway:
New gateway:
New gateway: (one referee’s suggestion)
“Design of a Secure Internet Gateway”
– Anaheim Usenix, Jan 1990
• My first real academic paper
• It was pretty good, I think
• It didn’t have much impact, except for two
pieces:
– Coined the word “proxy” in its current use (this was for a circuit-level gateway; it predated SOCKS by three years)
– Coined the expression “crunchy outside and soft chewy center”
Why wasn’t the paper more influential?
• Because the hard part isn’t the firewall, it is
the perimeter
– I built a high security firewall for USSS
from scratch in about 2 hours in Sept.
2001.
• I raised our firewall security from “low
medium” to “high”
– (that’s about as good as computer and
network security measurement gets)
• The perimeter security was “dumb luck”,
which we raised to “probably none”
Network and host security levels
• Dumb luck
• None
• Low
• Medium
• High = no “sinking feeling”
By 1996, AT&T’s intranet
• Firewall security: high, and sometimes quite
a pain, which meant
• Perimeter security: dumb luck
• Trivestiture didn’t change the intranet
configuration that much
Lucent now (1997) (sort of)
We’d circled the wagons around Wyoming
[Diagram: the Internet connected to Lucent sites at Columbus, Murray Hill, Holmdel and Allentown; Lucent - 130,000, 266K IP addresses, 3000 nets ann.; thousands of telecommuters via SLIP, PPP, ISDN, X.25, cable, ...; ~200 business partners]
Highlands forum, Annapolis, Dec 1996
• A Rand corp. game to help brief a member of
the new President’s Infrastructure Protection
Commission
• Met Esther Dyson and Fred Cohen there
– Personal assessment by intel profiler
• “Day after” scenario
• Gosh it would be great to figure out where
these networks actually go
Perimeter Defenses have a long history
Lorton Prison
The Pretty Good Wall of China
Perimeter Defense of the US Capitol Building
Flower pots
Security doesn’t have to be ugly
Delta barriers
Edinburgh Castle
Warwick Castle
Heidelberg Castle, started in the 1300s
Berwick Castle
Parliament: entrance
Parliament: exit
Why use a perimeter defense?
• It is cheaper
– A man’s home is his castle, but most
people can’t afford the moat
• You can concentrate your equipment and
your expertise in a few areas
• It is simpler, and simpler security is usually
better
– Easier to understand and audit
– Easier to spot broken parts
What’s wrong with perimeter defenses
• They are useless against insider attacks
• They provide a false sense of security
– You still need to toughen up the inside, at
least some
– You need to hire enough defenders
• They don’t scale well
Anything large enough to be called an ‘intranet’ is out of control
Project 1: Can we live without an intranet?
Strong host security
Mid 1990s
I can, but you probably can’t
• “Skinny-dipping” on the Internet since the
mid 1990s
• The exposure focuses one clearly on the
threats and proactive security
• It’s very convenient, for the services I dare to
use
• Many important network services are
difficult to harden
Skinny dipping rules
• Only minimal services are offered to the general
public
– Ssh
– Web server (jailed Apache)
– DNS (self chrooted)
– SMTP (postfix, not sendmail)
• Children (like employees) and MSFT clients are
untrustworthy
• Offer hardened local services at home, like SAMBA
(chroot), POP3 (chroot)
• I’d like to offer other services, but they are hard to
secure
Skinny dipping requires strong host security
• FreeBSD and Linux machines
• I am told that one can lock down an MSFT
host, but there are hundreds of steps, and I
don’t know how to do it.
• This isn’t just about operating systems: the
most popular client applications are, in
theory, very dangerous and, in practice, very
dangerous.
– Web browsers and mail readers have
many dangerous features
Skinny dipping flaws
• Less defense in depth
• No protection from denial-of-service attacks
Project 2: The Internet Mapping Project
An experiment in exploring network connectivity
1998
Methods - network discovery (ND)
• Obtain master network list
– network lists from Merit, RIPE, APNIC, etc.
– BGP data or routing data from customers
– hand-assembled list of Yugoslavia/Bosnia
• Run a TTL-type (traceroute) scan towards
each network
• Stop on error, completion, no data
– Keep the natives happy
Methods - data collection
• Single reliable host connected at the
company perimeter
• Daily full scan of Lucent
• Daily partial scan of Internet, monthly full
scan
• One line of text per network scanned
– Unix tools
• Use a light touch, so we don’t bother
Internet denizens
TTL probes
• Used by traceroute and other tools
• Probes toward each target network with
increasing TTL
• Probes are ICMP, UDP, TCP to port 80, 25,
139, etc.
• Some people block UDP, others ICMP
Intranet implications of Internet mapping
• High speed technique, able to handle the
largest networks
• Light touch: “what are you going to do to my
intranet?”
• Acquire and maintain databases of Internet
network assignments and usage
Advantages
• We don’t need access (i.e. SNMP) to the routers
• It’s very fast
• Standard Internet tool: it doesn’t break
things
• Insignificant load on the routers
• Not likely to show up on IDS reports
• We can probe with many packet types
Limitations
• View is from scanning host only
– Multiple scan sources give a better view
• Outgoing paths only
• Layer 3 (IP) only
– ATM networks appear as a single node
• Not all routers respond
– Some are silent
– Others are “shy” (RFC 1123 compliant), limited to one response per second
Data collection complaints
• Australian parliament was the first to
complain
• List of whiners (25 nets)
• On the Internet, these complaints are mostly
a thing of the past
– Internet background radiation
predominates
Visualization goals
• make a map
– show interesting features
– debug our database and collection
methods
• geography doesn’t matter
• use colors to show further meaning
Visualization of the layout algorithm
Laying out the Internet graph
Colored by AS number
Map Coloring
• distance from test host
• IP address
– shows communities
• Geographical (by TLD)
• ISPs
• future
– timing, firewalls, LSRR blocks
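The slides from “Methods - network discovery” through “Map Coloring” describe the pipeline behind the maps: one traceroute-style path record per target network, a graph built from the hops, and nodes colored by distance from the scanning host or by IP address. The following is an added example, not code from the talk or from Lumeta. It parses a constructed, hypothetical record layout (target network followed by the hop addresses, with ‘*’ for a silent or “shy” hop that gave no reply), builds the hop graph, and computes the distance and IP-prefix colorings; the record format, the sample addresses and the function names are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records (not real scan data). Hypothetical layout:
#   <target network> <hop 1> <hop 2> ... <hop N>
# '*' marks a hop that did not reply (a silent or "shy" router).
# The scanning host is 10.0.0.1; every path starts there.
SAMPLE_RECORDS = """\
192.0.2.0/24 10.0.0.1 10.0.1.1 198.51.100.1 192.0.2.1
192.0.2.0/24 10.0.0.1 10.0.1.1 198.51.100.1 192.0.2.1
203.0.113.0/24 10.0.0.1 10.0.1.1 * 203.0.113.5
203.0.113.128/25 10.0.0.1 10.0.1.2 198.51.100.9 203.0.113.130
198.51.100.0/24 10.0.0.1 10.0.1.1 198.51.100.1
"""


def parse_records(text):
    """Yield (target_network, hops) per non-empty line; silent hops are None."""
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        target = ipaddress.ip_network(fields[0], strict=False)
        hops = [None if f == "*" else ipaddress.ip_address(f) for f in fields[1:]]
        yield target, hops


def build_graph(records):
    """Return (edges, distance) for a list of path records.

    edges: set of (from, to) pairs between consecutive replying hops.
    distance: hop count from the scanning host for every replying node;
    a node seen on several paths keeps its shortest observed distance.
    A silent hop breaks the edge chain but still counts as one hop.
    """
    edges = set()
    distance = {}
    for _target, hops in records:
        prev = None
        for hop_index, hop in enumerate(hops):
            if hop is None:
                prev = None
                continue
            if prev is not None:
                edges.add((prev, hop))
            if hop not in distance or hop_index < distance[hop]:
                distance[hop] = hop_index
            prev = hop
    return edges, distance


def colour_by_prefix(nodes, prefixlen=16):
    """Colour class per node: its enclosing /prefixlen network, which is
    the 'IP address' colouring the slides use to show communities."""
    return {node: ipaddress.ip_network(f"{node}/{prefixlen}", strict=False)
            for node in nodes}


def summarise(text, prefixlen=16):
    """Graph statistics a map debugger would look at first."""
    records = list(parse_records(text))
    edges, distance = build_graph(records)
    nodes_at_distance = defaultdict(int)
    for d in distance.values():
        nodes_at_distance[d] += 1
    colours = colour_by_prefix(distance, prefixlen)
    return {
        "networks_scanned": len({target for target, _ in records}),
        "nodes": len(distance),
        "edges": len(edges),
        "max_distance": max(distance.values()),
        "nodes_at_distance": dict(sorted(nodes_at_distance.items())),
        "colour_classes": len(set(colours.values())),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_RECORDS).items():
        print(f"{key}: {value}")
```

The duplicate record for 192.0.2.0/24 stands in for the daily rescans: the graph deduplicates edges, so repeated paths do not inflate the map, while the silent hop in the 203.0.113.0/24 path shows why “not all routers respond” produces nodes with no incoming edge.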
Colored by IP address!
Colored by geography
Colored by ISP
Colored by distance from scanning host
Yugoslavia
An unclassified peek at a new battlefield
1999
A film by Steve “Hollywood” Branigan...
The End
Intranets: the rest of the Internet
This was supposed to be a VPN
Case studies: corp. networks
Some intranet statistics

                                       Min         Max
Intranet sizes (devices)               7,900       365,000
Corporate address space                81,000      745,000,000
% devices in unknown address space     0.01%       20.86%
% routers responding to "public"       0.14%       75.50%
% routers responding to other          0.00%       52.00%
Outbound host leaks on network         0           176,000
% devices with outbound ICMP leaks     0%          79%
% devices with outbound UDP leaks      0%          82%
Inbound UDP host leaks                 0           5,800
% devices with inbound ICMP leaks      0%          11%
% devices with inbound UDP leaks       0%          12%
% hosts running Windows                36%         84%
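One statistic in the table above, “% devices in unknown address space”, compares a device census against the address space the company knows it owns; devices outside it are the first place to look for an unregistered network, a partner link or a routing leak. The following is an added example, not code from the talk or from Lumeta. It classifies a constructed device list against a constructed corporate address plan with Python’s ipaddress module and groups the unknown devices by /24 so that a whole unregistered network stands out from a lone stray host; all addresses and names are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed corporate address plan (hypothetical): the ranges the company
# believes it owns and routes internally.
CORPORATE_SPACE = ["10.0.0.0/8", "172.16.0.0/13", "203.0.113.0/24"]

# Constructed device census (hypothetical addresses that answered a probe).
DEVICES = """\
10.4.7.12
10.4.7.13
172.20.1.5
192.168.50.9
203.0.113.44
198.51.100.7
10.200.3.1
192.168.50.10
""".split()


def classify(devices, corporate_space):
    """Split device addresses into known (inside the plan) and unknown."""
    nets = [ipaddress.ip_network(n) for n in corporate_space]
    known, unknown = [], []
    for device in devices:
        addr = ipaddress.ip_address(device)
        (known if any(addr in net for net in nets) else unknown).append(addr)
    return known, unknown


def unknown_space_summary(devices, corporate_space, prefixlen=24):
    """Percentage of devices in unknown space plus the /prefixlen groups they
    fall in, so an unregistered network (rather than a lone host) is easy to see."""
    known, unknown = classify(devices, corporate_space)
    pct = 100.0 * len(unknown) / len(devices) if devices else 0.0
    groups = Counter(
        str(ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)) for addr in unknown
    )
    return {
        "devices": len(devices),
        "known": len(known),
        "unknown": len(unknown),
        "pct_unknown": round(pct, 2),
        "unknown_prefixes": dict(groups),
    }


if __name__ == "__main__":
    for key, value in unknown_space_summary(DEVICES, CORPORATE_SPACE).items():
        print(f"{key}: {value}")
```

In the constructed data the two 192.168.50.0/24 hosts are the interesting finding: two devices in the same unregistered /24 are far more likely to be a network somebody plugged in than a typo in the address plan.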
Project 3: Detecting perimeter leaks
Lumeta’s Special Sauce
2000
Types of leaks
• Routing leaks
– Internal routes are announced externally,
and the packets are allowed to flow
betwixt
• Host leaks
– Simultaneously connected inside and out, probably without firewall functionality
– Not necessarily a dual-homed host
• “Please don’t call them leaks”
– They aren’t always a Bad Thing
Routing leaks
• Easily seen on maps
• Shows up in our reports
• Generally easily fixed
Host leak detection
• Developed to find hosts that have access to
both intranet and Internet
• Or across any privilege boundary
• Leaking hosts do not route between the
networks
• Technology didn’t exist to find these
Possible host leaks
• Misconfigured telecommuters connecting remotely
• VPNs that are broken
• DMZ hosts with too much access
• Business partner networks
• Internet connections by rogue managers
• Modem links to ISPs
Leak Detection Prerequisites
• List of potential leakers: obtained by census
• Access to intranet
• Simultaneous availability of a “mitt”
Leak Detection Layout
[Diagram: mapping host (address A) on the intranet; mitt (address D) on the Internet; test host with intranet address B and possible outside address C]
• Mapping host with address A is connected to the intranet
• Mitt with address D has Internet access
• Mapping host and mitt are currently the same host, with two interfaces
Leak Detection
[Diagram: mapping host A on the intranet, mitt D on the Internet, test host B/C]
• Test host has known address B on the intranet
• It was found via census
• We are testing for unauthorized access to the Internet, possibly through a different address, C
Leak Detection
[Diagram: mapping host A on the intranet, mitt D on the Internet, test host B/C]
• A sends packet to B, with spoofed return address of D
• If B can, it will reply to D with a response, possibly through a different interface
Leak Detection
[Diagram: mapping host A on the intranet, mitt D on the Internet, test host B/C]
• Packet must be crafted so the response won’t be permitted through the firewall
• A variety of packet types and responses are used
• Either inside or outside address may be discovered
• Packet is labeled so we know where it came from
Inbound Leak Detection
[Diagram: mapping host A on the intranet, mitt D on the Internet, test host B/C]
• This direction is usually more important
• It all depends on the site policy…
• …so many leaks might be just fine.
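The leak-detection slides above (layout, outbound test, packet labeling, and the inbound direction judged against site policy) come down to one piece of bookkeeping: every probe carries a label, and a reply that turns up on the far side of the perimeter is matched back to its probe by that label, whatever source address it arrives from. The following is an added example, not code from the talk or from Lumeta’s product. It models only that matching step on constructed probe and reply records (no packets are sent or spoofed), reports the outside address C when the reply came from somewhere other than B, and filters the findings against a hypothetical site policy so that permitted leaks are not flagged. The Probe/Reply record layout, the addresses and the function names are all assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    """A labelled probe as sent; the label rides in the packet so the reply
    can be matched even when it arrives from an unexpected address."""
    label: str
    target: str      # intranet address B the probe was addressed to
    direction: str   # "outbound": sent from A with return address D, reply expected at the mitt
                     # "inbound":  sent from D with return address A, reply expected at the mapper


@dataclass(frozen=True)
class Reply:
    label: str       # label recovered from the reply
    seen_from: str   # source address of the reply as observed
    seen_at: str     # "mitt" (address D) or "mapper" (address A)


EXPECTED_SIDE = {"outbound": "mitt", "inbound": "mapper"}

# Constructed sample data (not real scan results).
PROBES = [
    Probe("o-1", "10.1.1.10", "outbound"),
    Probe("o-2", "10.1.1.20", "outbound"),
    Probe("o-3", "10.1.2.5", "outbound"),
    Probe("i-1", "10.1.1.10", "inbound"),
    Probe("i-2", "10.1.2.5", "inbound"),
]
REPLIES = [
    Reply("o-1", "10.1.1.10", "mitt"),      # B answered D directly: inside address visible outside
    Reply("o-3", "203.0.113.77", "mitt"),   # reply came via a different address C (NAT / second interface)
    Reply("o-9", "10.1.1.20", "mitt"),      # no probe carried this label: ignored as noise
    Reply("i-2", "10.1.2.5", "mapper"),     # inbound: host reachable from the Internet
]
# Hypothetical site policy: this DMZ range is allowed to talk to the Internet.
PERMITTED = ["10.1.2.0/24"]


def detect_leaks(probes, replies):
    """Match replies to probes by label; a match on the expected side is a leak."""
    by_label = {}
    for reply in replies:
        by_label.setdefault(reply.label, []).append(reply)
    findings = []
    for probe in probes:
        side = EXPECTED_SIDE[probe.direction]
        matches = [r for r in by_label.get(probe.label, []) if r.seen_at == side]
        if not matches:
            continue
        reply = matches[0]
        findings.append({
            "target": probe.target,
            "direction": probe.direction,
            "observed": reply.seen_from,
            "address_differs": reply.seen_from != probe.target,
        })
    return findings


def unauthorized(findings, permitted_networks):
    """Keep only leaks from hosts outside the ranges the site policy permits."""
    nets = [ipaddress.ip_network(n) for n in permitted_networks]
    flagged = []
    for finding in findings:
        addr = ipaddress.ip_address(finding["target"])
        if not any(addr in net for net in nets):
            flagged.append((finding["target"], finding["direction"]))
    return flagged


if __name__ == "__main__":
    found = detect_leaks(PROBES, REPLIES)
    for f in found:
        print(f"{f['direction']:8} {f['target']:12} replied from {f['observed']}"
              + (" (different address)" if f["address_differs"] else ""))
    print("unauthorized:", unauthorized(found, PERMITTED))
```

Matching by label rather than by source address is what lets the method discover “either inside or outside address”: the reply from 10.1.2.5 arrives at the mitt as 203.0.113.77, and only the label ties it back to the intranet host that was probed. The policy filter is the “so many leaks might be just fine” step: the DMZ host leaks in both directions but is permitted to, so only the 10.1.1.10 outbound leak is reported.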
Inbound Leak Detection
[Diagram: mapping host A on the intranet, mitt D on the Internet, test host B/C]
Leak results
• Found home web businesses
• At least two clients have tapped leaks
– One made front page news
• From the military: “the republic is a little
safer”
We developed a lot of stuff
• Leak detection (that’s the special sauce)
• Lots of reports: the hardest part is converting data to information
• Route discovery: TTL probes plus SNMP router queries
• Host enumeration and identification: ping and xprobe-style host identification
• Server discovery: SYN probes of popular TCP ports
• Wireless base station discovery: xprobe, SNMP, HTTP
• And more…ask the sales people
• The “zeroth step in network intelligence”
– me
What’s next?
IPv6
2005 + 3
IPv6 deployment
• Has been 3 years away since 1993
• Widely deployed in the Far East, and in the
new cell phones
• Europe is getting on board
• US Government mandate for 2005
– But what does “IPv6 capable” really
mean?
• None of the three ISPs I am connected to at
home and work offer raw IPv6 feeds
IPv6 address space
• /48s seem to be freely available:
– Each US soldier will have one
– One for each home
• 80-bit host address is a hell of a large space
• Easy to hide hosts in that space
• Hard to administer hosts in that space
• Some interesting cryptographic and “IP hopping” applications come to mind.
IPv6 technical aspects
• Google-based research will lead you down
recently abandoned dead ends
– A6 came and went, AAAA is what to use
– Link level addressing is deprecated
– Use of bottom 128 – 48 = 80 bits not really
settled
• Addresses aren’t as bad as you might think:
– 2001:5bfe:16::1 (easy to grep!)
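The “easy to grep” remark holds for one spelling of the address only. The same host can show up in logs fully expanded (2001:5bfe:0016:0000:0000:0000:0000:0001), upper-cased, in brackets with a port, or with a zone id, and a literal grep for 2001:5bfe:16::1 misses every one of those. The following is an added example, not code from the talk: it canonicalises every IPv6 literal found in a line with Python’s ipaddress module before comparing, and also computes the host bits left below a prefix (the 128 – 48 = 80 of the address-space slide). The log lines, the candidate regex and the prefix used are constructed.

```python
import ipaddress
import re

# Candidate IPv6 literals in free text: runs of hex digits and colons that
# contain at least one colon and are not glued to other alphanumerics.
# Constructed pattern; anything it over-matches is rejected by canonical().
_V6_CANDIDATE = re.compile(r"(?<![0-9A-Za-z:])[0-9A-Fa-f:]*:[0-9A-Fa-f:]+(?![0-9A-Za-z])")

# Constructed log lines: the same address in three spellings, plus decoys.
LOG_LINES = [
    "accept from 2001:5bfe:16::1 port 22",
    "deny src=2001:5BFE:0016:0000:0000:0000:0000:0001 dst=2001:db8::5",
    "sshd: connection from [2001:5bfe:16:0:0:0:0:1]:51234",
    "accept from 2001:5bfe:16::10 port 22",
    "neighbor fe80::1%eth0 reachable at 12:34:56",
]


def canonical(text_addr):
    """RFC 5952 compressed, lower-case form; None if not an IPv6 literal.
    A zone id suffix (%eth0) is dropped before parsing."""
    try:
        return ipaddress.IPv6Address(text_addr.split("%", 1)[0]).compressed
    except ValueError:
        return None


def grep_v6(lines, wanted):
    """Lines that mention `wanted` in any textual form."""
    target = canonical(wanted)
    if target is None:
        raise ValueError(f"not an IPv6 address: {wanted!r}")
    hits = []
    for line in lines:
        if any(canonical(m.group(0)) == target for m in _V6_CANDIDATE.finditer(line)):
            hits.append(line)
    return hits


def host_bits(prefix):
    """Bits left for hosts below an IPv6 prefix (128 - 48 = 80 for a /48)."""
    return 128 - ipaddress.ip_network(prefix).prefixlen


if __name__ == "__main__":
    for line in grep_v6(LOG_LINES, "2001:5bfe:16::1"):
        print(line)
    print("host bits in a /48:", host_bits("2001:db8:1::/48"))
```

The regex is deliberately loose and the parser is the gatekeeper: time stamps such as 12:34:56 match the pattern but fail IPv6Address() and are dropped, while 2001:5bfe:16::10 parses fine and is correctly not equal to the wanted address.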
IPv6
• IPv6 is available through IPv4/IPv6 tunnel
brokers
– www.hexago.com formerly freenet6.net
• Not hard to set up on Unix hosts, then it Just
Works
What’s next?
Skinny dipping with Microsoft operating systems?
2062?
XP SP2: Bill gets it
• “a feature you don’t use should not be a security
problem for you.”
• “Security by design”
– Too late for that, it’s all retrofitting now
• “Security by default”
– No network services on by default
• Security control panel
– Many things missing from it
– Speaker could not find ActiveX security settings
• There are a lot of details that remain to be seen.
Pondering and Patrolling Perimeters
Bill Cheswick
[email protected]
http://www.lumeta.com