100 slides - Cheswicks


Pondering and Patrolling Network Perimeters
Bill Cheswick
[email protected]
http://www.lumeta.com
100 slides
Talk Outline
• A little personal history concerning perimeter defenses
• Outside: mapping the Internet
• A discussion of perimeter defenses
• Strong host security
• Mapping and understanding intranets
Pondering Perimeters
2 of 100
A short bio regarding Internet perimeters
• Started at Bell Labs in December 1987
– Immediately took over postmaster and firewall duties
• Good way to learn the ropes, which was my intention
Morris worm hit in Nov 1988
• Heard about it on NPR
– Had a “sinking feeling” about it
• The home-made firewall worked
– No fingerd
– No sendmail (we rewrote the mailer)
• Intranet connection to Bellcore
• We got lucky
• Bell Labs had 1330 hosts
• Corporate HQ didn’t know or care
Action items
• Shut down the unprotected connection to Bellcore
– What we now call a “routing leak”
• Redesign the firewall for much more capacity, and no “sinking feeling”
– (VAX 750, load average of 15)
• Write a paper on it
– “if you don’t write it up, you didn’t do the work”
Old gateway:
New gateway:
New gateway (one referee’s suggestion):
“Design of a Secure Internet Gateway”
– Anaheim Usenix, Jan 1990
• My first real academic paper
• It was pretty good, I think
• It didn’t have much impact, except for two pieces:
– Coined the word “proxy” in its current use (this was for a circuit-level gateway, which predated SOCKS by three years)
– Coined the expression “crunchy outside and soft chewy center”
By 1996, AT&T’s intranet
• Firewall security: high, and sometimes quite a pain, which meant
• Perimeter security: dumb luck
• Trivestiture didn’t change the intranet configuration that much
Lucent now (1997) (sort of)
We’d circled the wagons around Wyoming
[Network diagram: the Internet connected to Lucent sites at Columbus, Murray Hill (two), Holmdel and Allentown; Lucent: 130,000, 266K IP addresses, 3000 nets ann.; thousands of telecommuters over SLIP, PPP, ISDN, X.25, cable, ...; ~200 business partners]
Highlands forum, Annapolis, Dec 1996
• A Rand corp. game to help brief a member of the new President’s Infrastructure Protection Commission
• Met Esther Dyson and Fred Cohen there
– Personal assessment by intel profiler
• “Day after” scenario
• Gosh it would be great to figure out where these networks actually go
Perimeter Defenses have a long history
Lorton Prison
The Pretty Good Wall of China
Perimeter Defense of the US Capitol Building
Flower pots
Security doesn’t have to be ugly
Delta barriers
Edinburgh Castle
Warwick Castle
Heidelberg Castle
started in the 1300s
Parliament: entrance
Parliament: exit
Why use a perimeter defense?
• It is cheaper
– A man’s home is his castle, but most people can’t afford the moat
• You can concentrate your equipment and your expertise in a few areas
• It is simpler, and simpler security is usually better
– Easier to understand and audit
– Easier to spot broken parts
What’s wrong with perimeter defenses
• They are useless against insider attacks
• They provide a false sense of security
– You still need to toughen up the inside, at least some
– You need to hire enough defenders
• They don’t scale well
Anything large enough to be called an ‘intranet’ is out of control
Controlling an intranet is hard, even if you care a lot about it
• End-to-end philosophy is not helpful if you are the phone company
• New networks and hosts are easily connected without the knowledge and permission of the network owner
• Security scan tools are not helpful if you don’t know where to point them
Project 1: Can we live without an intranet?
Strong host security
Mid 1990s
I can, but maybe you can’t
• “Skinny-dipping” on the Internet since the mid 1990s
• The exposure focuses one clearly on the threats and proactive security
• It’s very convenient, for the services I dare to use
• Many important network services are difficult to harden
What you need to skinny dip
• Secure client
– Only enclave computers like my laptop have access
• Secure communications (Κρυπτο)
– AES is OK for “type 1” crypto – NSA
• Secure server
Skinny dipping rules
• Only minimal services are offered to the general public
– Ssh
– Web server (jailed Apache)
– DNS (self chrooted)
– SMTP (postfix, not sendmail)
• Children (like employees) and MSFT clients are untrustworthy
• Offer hardened local services at home, like SAMBA (chroot), POP3 (chroot)
• I’d like to offer other services, but they are hard to secure
Skinny dipping requires strong host security
• FreeBSD and Linux machines
• I am told that one can lock down an MSFT host, but there are hundreds of steps, and I don’t know how to do it.
• This isn’t just about operating systems: the most popular client applications are, in theory, very dangerous and, in practice, very dangerous.
– Web browsers and mail readers have many dangerous features
Skinny dipping flaws
• Less defense in depth
• No protection from denial-of-service attacks
Project 2: The Internet Mapping Project
An experiment in exploring network connectivity
1998
Methods - network discovery (ND)
• Obtain master network list
– network lists from Merit, RIPE, APNIC, etc.
– BGP data or routing data from customers
– hand-assembled list of Yugoslavia/Bosnia
• Run a TTL-type (traceroute) scan towards each network
• Stop on error, completion, no data
– Keep the natives happy
Methods - data collection
• Single reliable host connected at the company perimeter
• Daily full scan of Lucent
• Daily partial scan of Internet, monthly full scan
• One line of text per network scanned
– Unix tools
• Use a light touch, so we don’t bother Internet denizens
TTL probes
• Used by traceroute and other tools
• Probes toward each target network with increasing TTL
• Probes are ICMP, UDP, TCP to port 80, 25, 139, etc.
• Some people block UDP, others ICMP
Intranet implications of Internet mapping
• High speed technique, able to handle the largest networks
• Light touch: “what are you going to do to my intranet?”
• Acquire and maintain databases of Internet network assignments and usage
Advantages
• We don’t need access (i.e. SNMP) to the routers
• It’s very fast
• Standard Internet tool: it doesn’t break things
• Insignificant load on the routers
• Not likely to show up on IDS reports
• We can probe with many packet types
Limitations
• View is from scanning host only
– Multiple scan sources give a better view
• Outgoing paths only
• Level 3 (IP) only
– ATM networks appear as a single node
• Not all routers respond
– Some are silent
– Others are “shy” (RFC 1123 compliant), limited to one response per second
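As an added illustration of the scan loop and the stop rules on the method slides above (this is not the mapping project's own code), the following simulates a TTL-type scan against a constructed path of routers, including a silent router and an RFC 1123 "shy" router that answers at most one probe per second; the router names and the three-miss cutoff are assumptions:

```python
"""Simulated TTL-type scan, as on the 'Methods' and 'TTL probes' slides.
Added illustration, not the mapping project's code.  The network is a
constructed model: an ordered list of routers in front of the target network.
A 'shy' router (RFC 1123 rate limiting) answers at most one probe per second,
so a scan that revisits it too soon records a gap where it really is."""
from dataclasses import dataclass


@dataclass
class Router:
    addr: str
    silent: bool = False      # never sends ICMP time-exceeded
    shy: bool = False         # rate-limits replies to one per second
    last_reply: float = -1.0  # simulated clock time of its last reply

    def answers(self, now: float) -> bool:
        """Would this router answer a TTL-expired probe arriving at 'now'?"""
        if self.silent or (self.shy and now - self.last_reply < 1.0):
            return False
        self.last_reply = now
        return True


def ttl_scan(path, now=0.0, interval=0.0, target_reachable=True, max_ttl=30):
    """Probe with TTL 1, 2, ... and record one hop per probe (None = no reply).
    Returns (hops, reason, clock): reason is 'completion' when the target
    network answers, 'error' when the probe is rejected past the last router,
    and 'no data' after three consecutive silent hops (assumed cutoff)."""
    hops, misses = [], 0
    for ttl in range(1, max_ttl + 1):
        now += interval                          # pacing between probes
        if ttl <= len(path):                     # TTL expires at a router
            replied = path[ttl - 1].answers(now)
            hops.append(path[ttl - 1].addr if replied else None)
            misses = 0 if replied else misses + 1
            if misses >= 3:
                return hops, "no data", now
        elif target_reachable:                   # probe reached the target net
            hops.append("target")
            return hops, "completion", now
        else:                                    # e.g. ICMP admin-prohibited
            return hops, "error", now
    return hops, "no data", now
```

Running two unpaced scans back to back through the same shy router shows it vanish from the second trace, which is the gap a real daily scan sees without a light touch.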
Data collection complaints
• Australian parliament was the first to complain
• List of whiners (25 nets)
• On the Internet, these complaints are a thing of the past
– Internet background radiation predominates
Visualization goals
• make a map
– show interesting features
– debug our database and collection methods
• geography doesn’t matter
• use colors to show further meaning
Visualization of the layout algorithm
Laying out the Internet graph
Colored by AS number
Map Coloring
• distance from test host
• IP address
– shows communities
• Geographical (by TLD)
• ISPs
• future
– timing, firewalls, LSRR blocks
Colored by IP address!
Colored by geography
Colored by ISP
Colored by distance from scanning host
Yugoslavia
An unclassified peek at a new battlefield
1999
A film by Steve “Hollywood” Branigan...
The end
Intranets: the rest of the Internet
This was supposed to be a VPN
Case studies: corp. networks
Some intranet statistics

                                         Min         Max
Intranet sizes (devices)                 7,900       365,000
Corporate address space                  81,000      745,000,000
% devices in unknown address space       0.01%       20.86%
% routers responding to "public"         0.14%       75.50%
% routers responding to other            0.00%       52.00%
Outbound host leaks on network           0           176,000
% devices with outbound ICMP leaks       0%          79%
% devices with outbound UDP leaks        0%          82%
Inbound UDP host leaks                   0           5,800
% devices with inbound ICMP leaks        0%          11%
% devices with inbound UDP leaks         0%          12%
% hosts running Windows                  36%         84%
Project 3: Detecting perimeter leaks
Lumeta’s “Special Sauce”
2000
Types of leaks
• Routing leaks
– Internal routes are announced externally, and the packets are allowed to flow betwixt
• Host leaks
– Simultaneously connected inside and out, probably without firewall-functionality
– Not necessarily a dual-homed host
• “Please don’t call them leaks”
– They aren’t always a Bad Thing
Possible host leaks
• Misconfigured telecommuters connecting remotely
• VPNs that are broken
• DMZ hosts with too much access
• Business partner networks
• Internet connections by rogue managers
• Modem links to ISPs
Leak Detection Layout
[Diagram: mapping host (address A) on the intranet, mitt (address D) on the Internet, and a test host with intranet address B and a possible second address C]
• Mapping host with address A is connected to the intranet
• Mitt with address D has Internet access
• Mapping host and mitt are currently the same host, with two interfaces
Leak Detection
[Diagram: same layout; mapping host A, mitt D, test host B/C]
• Test host has known address B on the intranet
• It was found via intranet census
• We are testing for unauthorized access to the Internet, possibly through a different address, C
Leak Detection
[Diagram: same layout; mapping host A, mitt D, test host B/C]
• A sends packet to B, with spoofed return address of D
• If B can, it will reply to D with a response, possibly through a different interface
Leak Detection
[Diagram: same layout; mapping host A, mitt D, test host B/C]
• Packet must be crafted so the response won’t be permitted through the firewall
• A variety of packet types and responses are used
• Either inside or outside address may be discovered
• Packet is labeled so we know where it came from
Inbound Leak Detection
[Diagram: same layout; mapping host A, mitt D, test host B/C]
• This direction is usually more important
• It all depends on the site policy…
• …so many leaks might be just fine.
Inbound Leak Detection
[Diagram: same layout; mapping host A, mitt D, test host B/C]
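The outbound and inbound leak tests on the slides above, as an added model that is not Lumeta's code: it assumes a test host either has no unauthorized path, is reachable at its inside address B (a routing leak), or uses some other address C, and that the probe type is one whose reply the firewall would drop. All addresses and the firewall rule set are constructed.

```python
"""Model of the host-leak test on the 'Leak Detection' slides.  Added
illustration, not Lumeta's code.  Mapping host A is on the intranet, the
'mitt' D on the Internet (two interfaces of one machine).  A labelled reply
that reaches D must have used a path the firewall does not police."""
from dataclasses import dataclass
from typing import Optional

A, D = "10.0.0.1", "198.51.100.1"      # mapping host (inside), mitt (outside)
INTRANET = "10."                       # constructed: prefix of inside addresses
FIREWALL_PASSES = {"tcp-syn-ack"}      # reply types the perimeter lets out


@dataclass
class TestHost:
    inside: str                        # B, known from the intranet census
    leak_via: Optional[str] = None     # address used on an unauthorized Internet
                                       # path: None, B (routing leak) or some C

    def reply_to(self, dst: str, reply_type: str) -> Optional[str]:
        """Source address the reply arrives from, or None if it never arrives."""
        if dst.startswith(INTRANET):            # stays inside: always delivered
            return self.inside
        if self.leak_via is not None:           # leaves by the leak, not the firewall
            return self.leak_via
        return self.inside if reply_type in FIREWALL_PASSES else None


def outbound_leaks(hosts, reply_type="icmp-echo-reply"):
    """A -> each B with spoofed source D.  The label (e.g. the echo id) in a
    reply seen at D names which B leaked; the reply's source is B or a new C."""
    found = {}
    for label, host in enumerate(hosts):        # label rides in the probe
        src = host.reply_to(D, reply_type)
        if src is not None:
            found[hosts[label].inside] = src    # look the host up by label
    return found


def inbound_leaks(hosts, candidates, reply_type="icmp-echo-reply"):
    """D -> each candidate address with spoofed source A; a reply reaching A
    means the host answers packets from the Internet.  Returns {candidate: B}."""
    found = {}
    for addr in candidates:
        for host in hosts:
            if host.leak_via == addr:           # only a leaking host hears it
                src = host.reply_to(A, reply_type)
                if src is not None:
                    found[addr] = src
    return found
```

Probing with a reply type the firewall permits (here the constructed "tcp-syn-ack") makes every host look like a leak, which is why the slides insist the packet be crafted so the response won't be permitted through.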
Leak results
• Found home web businesses
• At least two clients have tapped leaks
– One made front page news
• From the military: “the republic is a little safer”
We developed a lot of stuff
• Leak detection (that’s the special sauce)
• Lots of reports: the hardest part is converting data to information
• Route discovery: TTL probes plus SNMP router queries
• Host enumeration and identification: ping and xprobe-style host identification
• Server discovery: SYN probes of popular TCP ports
• Wireless base station discovery: xprobe, SNMP, HTTP
• And more…ask the sales people
• The “zeroth step in network intelligence”
– me
What’s next?
IPv6
2005 + 3
IPv6 deployment
• Has been 3 years away since 1993
• Widely deployed in the Far East, and in the new cell phones
• Europe is getting on board
• US Government mandate for 2005
– But what does “IPv6 capable” really mean?
• None of the three ISPs I am connected to at home and work offer raw IPv6 feeds
IPv6 address space
• /48s seem to be freely available:
– Each US soldier will have one
– One for each home
• 80-bit host address is a hell of a hell of a large space
– ~2 * Avogadro’s Number
• Easy to hide hosts in that space
• Hard to administer hosts in that space
• Some interesting cryptographic and “IP hopping” applications come to mind.
What’s next?
Skinny dipping with Microsoft operating systems?
2062?
XP SP2: Bill gets it
• “a feature you don’t use should not be a security problem for you.”
• “Security by design”
– Too late for that, it’s all retrofitting now
• “Security by default”
– No network services on by default
• Security control panel
– Many things missing from it
– Speaker could not find ActiveX security settings
• There are a lot of details that remain to be seen.