102 slides - Cheswicks
Download
Report
Transcript 102 slides - Cheswicks
Pondering and Patrolling
Network Perimeters
Bill Cheswick
[email protected]
http://www.lumeta.com
102 slides
Perimeter Defenses
have a long history
102 slides
Pondering Perimeters
3 of 102
Pondering Perimeters
4 of 102
Lorton Prison
Pondering Perimeters
5 of 102
Pondering Perimeters
6 of 102
Perimeter Defense of the US
Capitol Building
Pondering Perimeters
7 of 102
Flower pots
Pondering Perimeters
8 of 102
Pondering Perimeters
9 of 102
Security doesn’t
have to be ugly
Pondering Perimeters
10 of 102
Pondering Perimeters
11 of 102
Pondering Perimeters
12 of 102
Pondering Perimeters
13 of 102
Pondering Perimeters
14 of 102
Delta barriers
Pondering Perimeters
15 of 102
Why use a perimeter defense?
• It is cheaper
– A man’s home is his castle, but most
people can’t afford the moat
• You can concentrate your equipment and
your expertise in a few areas
• It is simpler, and simpler security is usually
better
– Easier to understand and audit
– Easier to spot broken parts
Pondering Perimeters
16 of 102
What’s wrong with perimeter
defenses
• They are useless against insider attacks
• They provide a false sense of security
– You still need to toughen up the inside, at
least some
– You need to hire enough defenders
• They don’t scale well
Pondering Perimeters
17 of 102
The Pretty Good
Wall of China
Pondering Perimeters
18 of 102
Pondering Perimeters
19 of 102
Heidelberg Castle
started in the 1300s
Pondering Perimeters
20 of 102
Pondering Perimeters
21 of 102
Pondering Perimeters
22 of 102
Perimeters need gateways
• Let the good stuff in and keep out the bad
stuff
• This requires a bit of technology in any
case
– Doors, gates, murder holes, etc.
• A place to focus your defenses
Pondering Perimeters
23 of 102
Pondering Perimeters
24 of 102
Parliament: entrance
Pondering Perimeters
25 of 102
Parliament: exit
Pondering Perimeters
26 of 102
One gate is not enough
• Too much infrastructure
• Low-budget gates
– Sally ports
– Postern gates
Pondering Perimeters
27 of 102
Warsaw gate
Pondering Perimeters
28 of 102
Edinburgh Castle
Pondering Perimeters
29 of 102
Postern gate (Sterling castle)
Pondering Perimeters
30 of 102
A short bio regarding Internet
perimeters
• Started at Bell Labs in December 1987
– Immediately took over postmaster and
firewall duties
• Good way to learn the ropes, which was my
intention
Pondering Perimeters
31 of 102
Morris worm hit on Nov 1988
• Heard about it on NPR
– Had a “sinking feeling” about it
• The home-made firewall worked
– No fingerd
– No sendmail (we rewrote the mailer)
• Intranet connection to Bellcore
• We got lucky
• Bell Labs had 1330 hosts
• Corporate HQ didn’t know or care
Pondering Perimeters
32 of 102
Action items
• Shut down the unprotected connection to
Bellcore
– What we now call a “routing leak”
• Redesign the firewall for much more
capacity, and no “sinking feeling”
– (VAX 750, load average of 15)
• Write a paper on it
– “if you don’t write it up, you didn’t do the
work”
Pondering Perimeters
33 of 102
Old gateway:
Pondering Perimeters
34 of 102
New gateway:
Pondering Perimeters
35 of 102
New gateway:
(one referee’s suggestion)
Pondering Perimeters
36 of 102
“Design of a Secure Internet Gateway”
– Anaheim Usenix, Jan 1990
• My first real academic paper
• It was pretty good, I think
• Coined the work “proxy” in its current use
(this was for a circuit level gateway
• Predated socks by three years)
• Coined the expression “crunchy outside and
soft chewy center”
Pondering Perimeters
37 of 102
Pondering Perimeters
38 of 102
Lucent now (1997) (sort of)
We’d circled the wagons around Wyoming
The Internet
Columbus
Murray Murray
Hill
Hill
Holmdel
Allentown
Lucent - 130,000, 266K IP
addresses, 3000 nets ann.
thousands of
telecommuters
SLIP
PPP
ISDN
X.25
cable
...
~200 business partners
Pondering Perimeters
39 of 102
Anything large
enough to be
called an
‘intranet’ is
probably out of
control
102 slides
Controlling an intranet is hard,
even if you care a lot about it
• End-to-end philosophy is not helpful if you
are the phone company
• New networks and hosts are easily
connected without the knowledge and
permission of the network owner
• Security scan tools are not helpful if you
don’t know where to point them
• This is not the fault of the network
managers! They didn’t have the right tools!
Pondering Perimeters
41 of 102
Highlands forum, Annapolis, Dec
1996
• A Rand corp. game to help brief a member of
the new President’s Infrastructure Protection
Commission
• Met Esther Dyson and Fred Cohen there
– Personal assessment by intel profiler
• “Day after” scenario
• Gosh it would be great to figure out where
these networks actually go
Pondering Perimeters
42 of 102
Goals
• Consistent, reasonably thorough description
of the important topology of the Internet
• A light touch, so Internet denizens wouldn’t
be angry (or even notice) me.
• Use a technology that doesn’t require
access to routers
– Traceroute-style probes are fast,
informative, and recognized as harmless
by most network administrators
• Clean up Lucent’s intranet
Pondering Perimeters
44 of 102
Methods - network discovery
(ND)
• Obtain master network list
– network lists from Merit, RIPE, APNIC, etc.
– BGP data or routing data from customers
– hand-assembled list of Yugoslavia/Bosnia
• Run a TTL-type (traceroute) scan towards
each network
• Stop on error, completion, no data
– Keep the natives happy
Pondering Perimeters
45 of 102
Advantages
• We don’t need access (I.e. SNMP) to the
routers
• It’s very fast
• Standard Internet tool: it doesn’t break
things
• Insignificant load on the routers
• Not likely to show up on IDS reports
• We can probe with many packet types
Pondering Perimeters
46 of 102
Limitations
• View is from scanning host only
– Multiple scan sources gives a better view
• Outgoing paths only
• Level 3 (IP) only
– ATM networks appear as a single node
• Not all routers respond
– Some are silent
– Others are “shy” (RFC 1123 compliant),
limited to one response per second
Pondering Perimeters
47 of 102
Data collection complaints
• Australian parliament was the first to
complain
• List of whiners (25 nets)
• On the Internet, these complaints are a thing
of the past
– Internet background radiation
predominates
Pondering Perimeters
48 of 102
Visualization goals
• make a map
– show interesting features
– debug our database and collection
methods
• geography doesn’t matter
• use colors to show further meaning
Pondering Perimeters
49 of 102
Pondering Perimeters
50 of 102
Visualization of the
layout algorithm
Laying out the Internet graph
102 slides
Pondering Perimeters
52 of 102
Pondering Perimeters
53 of 102
Colored by
AS number
Pondering Perimeters
54 of 102
Map Coloring
• distance from test host
• IP address
– shows communities
• Geographical (by TLD)
• ISPs
• future
– timing, firewalls, LSRR blocks
Pondering Perimeters
55 of 102
Colored by IP address!
Pondering Perimeters
56 of 102
Colored by geography
Pondering Perimeters
57 of 102
Colored by ISP
Pondering Perimeters
58 of 102
Colored by distance
from scanning host
Pondering Perimeters
59 of 102
Pondering Perimeters
60 of 102
Pondering Perimeters
61 of 102
Yugoslavia
An unclassified peek at a new battlefield
1999
102 slides
Pondering Perimeters
63 of 102
Un film par Steve
“Hollywood”
Branigan...
102 slides
Pondering Perimeters
65 of 102
fin
102 slides
Intranets: the rest
of the Internet
102 slides
Pondering Perimeters
68 of 102
Lucent’s intranet
• Legacy links understood and removed
• Network list cleaned up
• M&A assistance
Pondering Perimeters
69 of 102
Pondering Perimeters
70 of 102
This was
Supposed
To be a
VPN
Pondering Perimeters
71 of 102
Pondering Perimeters
72 of 102
Pondering Perimeters
73 of 102
Perimeter leaks
Lumeta’s “Special Sauce”
2000
102 slides
Types of leaks
• Routing leaks
– Internal routes are announced externally,
and the packets are allowed to flow
betwixt
Pondering Perimeters
75 of 102
Pondering Perimeters
76 of 102
Types of leaks
• Host leaks
– Simultaneously connected inside and out,
probably without firewall-functionality
– Not necessarily a dual-homed host
Pondering Perimeters
77 of 102
Possible host leaks
• Miss-configured telecommuters connecting
remotely
• VPNs that are broken
• DMZ hosts with too much access
• Business partner networks
• Internet connections by rogue managers
• Modem links to ISPs
Pondering Perimeters
78 of 102
Leak Detection Layout
mitt
D
Mapping host
A
Internet
intranet
• Mapping host with
address A is
connected to the
intranet
• Mitt with address D
has Internet access
• Mapping host and
C
B
mitt are currently the
same host, with two
interfaces
Test host
Pondering Perimeters
80 of 102
Leak Detection
mitt
D
Mapping host
A
• Test host has known
address B on the
intranet
• It was found via
Internet
intranet
census
• We are testing for
C
B
unauthorized access
to the Internet,
possibly through a
different address, C
Test host
Pondering Perimeters
81 of 102
Leak Detection
mitt
D
Mapping host
A
• A sends packet to B,
with spoofed return
address of D
• If B can, it will reply
Internet
intranet
C
to D with a
response, possibly
through a different
interface
B
Test host
Pondering Perimeters
82 of 102
Leak Detection
mitt
D
Mapping host
A
• Packet must be crafted
so the response won’t
be permitted through the
firewall
• A variety of packet types
Internet
intranet
and responses are used
• Either inside or outside
address may be
discovered
• Packet is labeled so we
C
B
know where it came from
Test host
Pondering Perimeters
83 of 102
Inbound Leak Detection
mitt
D
Mapping host
A
• This direction is
usually more
important
• It all depends on the
Internet
intranet
site policy…
• …so many leaks
might be just fine.
C
B
Test host
Pondering Perimeters
84 of 102
Inbound Leak Detection
mitt
D
Mapping host
A
Internet
intranet
C
B
Test host
Pondering Perimeters
85 of 102
Lumeta
Sept 2000
102 slides
Service offering
• Make sure everything works
• Our own experts ran it
• HTML report
• Map viewer (see below)
Pondering Perimeters
87 of 102
Early results
• Early adopters
• They want to run tests
– Like testing a cruiser on a small lake
– Surprisingly subtle…IDS misses it often
• That’s interesting to some clients
• Service offering, so we can fix up the software
– Surprisingly robust, especially the mapping
layout software
• No show-stopping intranets
Pondering Perimeters
88 of 102
Early results
• Maps and especially leak detection are popular,
as expected
Pondering Perimeters
89 of 102
We developed lot of stuff
Routing loops
• Routing errors
• Can load expensive lines
Pondering Perimeters
90 of 102
We developed lot of stuff
Address space visualization
• Outliers
• Network usage at the class B level
Pondering Perimeters
91 of 102
Leak results
• Found home web businesses
• At least two clients have tapped leaks
– One made front page news
• From the military: “the republic is a little
safer”
• Please don’t call them leaks”
– They aren’t always a Bad Thing
Pondering Perimeters
92 of 102
Case studies: corp. networks
Some intranet statistics
Intranet sizes (devices)
Corporate address space
% devices in unknown address space
Min
Max
7,900
365,000
81,000 745,000,000
0.01%
20.86%
% routers responding to "public"
% routers responding to other
0.14%
0.00%
75.50%
52.00%
0
0%
0%
176,000
79%
82%
Outbound host leaks on network
% devices with outbound ICMP leaks
% devices with outbound UDP leaks
Inbound UDP host leaks
% devices with inbound ICMP leaks
% devices with inbound UDP leaks
% hosts running WindowsPondering Perimeters
0
0%
0%
36%
5,800
11%
12%
84%
93 of 102
Pondering Perimeters
94 of 102
IPsonar
2003
102 slides
We developed lot of stuff
multi-protocol ND (by service)
• Are there some kinds of packets that penetrate
farther than others?
• E.g. Pings blocked, UDP probes continue
• Can show firewall leaks
Pondering Perimeters
96 of 102
We developed lot of stuff
service discovery
• The obvious service port scans
• We do it as gently as possible
Pondering Perimeters
97 of 102
We developed lot of stuff
Perimeter map
• Where exactly are the edges of your network?
• Are there intranet sections reached through the
Internet
Pondering Perimeters
98 of 102
We developed lot of stuff
Lumeta Network Index
• Computes an index of your network security
• Objective measurement of security
• Clients can vary what’s important
Pondering Perimeters
99 of 102
We developed lot of stuff
Route sources
• What routers announce routes that aren’t in our
official list?
Pondering Perimeters
100 of 102
We developed lot of stuff
Host enumeration and type
• Light-weight OS identification
• Not perfect, but very quick
• Non-intrusive. NOT nmap.
Pondering Perimeters
101 of 102
We developed lot of stuff
Wireless base station detection
• A lot of people care about this
• No antennas are involved
• We look for network signatures of base stations
– User-configurable
• You can find them from far away
• Rogue ones are much less likely to evade
detection than properly-run ones
Pondering Perimeters
102 of 102
The zeroth step in network
management
• You can’t secure what you don’t know
• Large investment in security stuff, now aim it
correctly
• I don’t know how network managers run a large
network without a tool like this
– Legacy links are almost always there
– Misconfigured DMZ hosts
– Business partners
– Personnel changes
Pondering Perimeters
103 of 102
What’s next?
IPv6
2005 + 3
102 slides
Pondering Perimeters
105 of 102
IPv6 deployment
• Has been 3 years away since 1993
• Widely deployed in the Far East, and in the
new cell phones
• Europe is getting on board
• US Government mandate
• Karl Siil and Lumeta are trying to figure all
this out….we will still have perimeter
defenses
Pondering Perimeters
106 of 102
Pondering and Patrolling
Network Perimeters
Bill Cheswick
[email protected]
http://www.lumeta.com
102 slides