Transcript Steve-Ches

Mapping the Internet and
intranets
Steve Branigan
Hal Burch
Bill Cheswick
Bell Labs, Lucent Tech.
Motivations
• Work on DoS anonymous packet traceback - Internet tomography.
• Highlands “day after” scenario
• Curiosity about size and growth of
the Internet
• Same tools are useful for
understanding any large network,
including intranets
The Project
• Long term reliable
collection of
Internet and
Lucent connectivity
information
– without annoying
too many people
• Attempt some
simple
visualizations of
the data
– movie of Internet
growth!
• Develop tools to
probe intranets
• Extended database
for researchers
Uses for the Internet data
• topography studies
• long-term routing studies
• publicly available database (“open
source”) for spooks
• interesting database for graph
theorists
• combine with other mappers to make
an actual map of the Internet
Uses for intranet data
• Map “inside” the security perimeter
• Take a census of Lucent hosts
• Discover hosts that have unauthorized access to both the intranet and the Internet
– illegal connections
– misconfigured firewalls
– maybe misconfigured telecommuters
Network scanning
• Custom program
• Concurrently scans towards 500 nets
at once
• Throttled to 100 packets/sec: can do
much faster
• Slow daily scan for hosts on the destination network
Limitations
• My view of the Internet, not yours
– radical shifts when our ISP situation
changes
• Outgoing paths only
• Takes a while to collect alternating
paths
• Gentle mapping means missed
endpoints
– good v. evil
Data collection complaints
• Australian parliament was the first to
complain
• List of whiners (25 nets)
• Military noticed immediately
– Steve Northcutt
– arrangements/warnings to DISA and
CERT
Visualization goals
• make a map
– show interesting features
– debug our database and collection
methods
– hard to fold up
• geography doesn’t matter
• use colors to show further meaning
Early layouts
• Interesting art
• tantalizing edges
• interior shows ISPs (colored by IP
address!)
• can’t trace routes
• can’t even find the probe host
When data is inconvenient, throw some away
• minimum distance spanning tree
• connectivity, not actual paths
• we get more information out of it
• add other paths to show further information
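The spanning-tree reduction described on this slide, as an added example (not the authors' mapping tool): a breadth-first walk from the probe host over every hop-to-hop link seen in the traces keeps one minimum-hop path per node and throws the alternate routes away. The traces and hop names are constructed.

```python
from collections import deque

# Constructed sample traces: each is the ordered hop list a traceroute
# from the probe host reported on the way to one destination.
TRACES = [
    ["probe", "r1", "r2", "hostA"],
    ["probe", "r1", "r3", "r2", "hostA"],   # longer alternate route
    ["probe", "r1", "r3", "hostB"],
    ["probe", "r4", "r3", "hostB"],         # alternate of equal length
    ["probe", "r4", "hostC"],
]

def observed_edges(traces):
    """Directed hop-to-hop links seen in any trace (outgoing paths only,
    so direction is kept and no reverse links are assumed)."""
    return {(a, b) for path in traces for a, b in zip(path, path[1:])}

def spanning_tree(traces, root="probe"):
    """BFS from the probe host over the observed edges. Each node's BFS
    parent is its predecessor on a minimum-hop path, so the parents form
    the minimum-distance spanning tree. Returns {node: (parent, hops)}."""
    adj = {}
    for a, b in observed_edges(traces):
        adj.setdefault(a, set()).add(b)
    tree = {root: (None, 0)}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for nxt in sorted(adj.get(node, ())):  # sorted: deterministic ties
            if nxt not in tree:
                tree[nxt] = (node, tree[node][1] + 1)
                queue.append(nxt)
    return tree

def tree_path(tree, node):
    """Recover the single path the tree keeps for a node."""
    path = []
    while node is not None:
        path.append(node)
        node = tree[node][0]
    return path[::-1]

def discarded_edges(traces, tree):
    """Observed links the tree throws away (the alternate paths)."""
    kept = {(p, n) for n, (p, _) in tree.items() if p is not None}
    return observed_edges(traces) - kept

if __name__ == "__main__":
    t = spanning_tree(TRACES)
    print({d: tree_path(t, d) for d in ("hostA", "hostB", "hostC")})
```

Of the nine observed links, the tree keeps seven; the two dropped ones are exactly the alternate routes, which can be layered back on later as the slide suggests.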
What kind of maps can
we make?
Current map coloring
• distance from test host
• IP address
– shows communities
• Geographical (by TLD)
• ISPs
• future
– timing, firewalls, LSRR blocks
By ISP
By top level domain
Yugoslavia
Serbia and Bosnia
Results - Internet database
• 100,000 of the world’s most
important routers
• >150 routes to one destination!
• Yugoslavia bombing of power
infrastructure is apparent
• Offers for other scan points
– how to pick them?
[Chart: Number of paths to a target, 05 October, 1998]
Distribution of path lengths
[Chart: number of nets by path length; series: Reached, Not reached]
Recipe for good intranet
security
• Know what you have.
• Then secure it.
Some basic questions…
• How large is the network address
space for your network?
• How many systems are actually active on the network?
• How much does the network change?
What is an intranet
• any network too large to control
• hosts residing inside a firewall
perimeter
• business partner connections
• corporate hosts outside of the
firewall
• DMZs
Intranet mapping work
• Apply the technology of Internet
mapping to the intranet
• See how far the network reaches.
• Surprises?
Firewall bypass case #1
[Diagram: Internet, ISP A, ISP B, Bu router, Corp. Firewall, Intranet]
Our host census attempt
• 266,000 hosts
• complaints from business partners!
Multi-homed hosts
• hosts having multiple network
connections
• dangerous when one is connected to
the intranet, and the other is
connected to the Internet
Firewall bypass case #2
[Diagram: Internet, Special system, Corp. Firewall, Intranet]
Hard to find today.
• Vulnerability scanners are not finding
these vulnerabilities.
New products
• list of web servers
• list of mail servers
Results: New Products!
• Route rationalization (“routerat”)
– discover network routes (user supplied?)
– run frequently
More new products!
• Topology scan: traceroute scan
information and analysis
• Host census
• Scan for perimeter violations.
– spoofed through inside to outside
– spoofed outside through inside
New Products
• List of web and mail servers
• Detect route squatters
• Networks susceptible to broadcast
storms
• Find unauthorized firewalls and
internet connections
• Misconfigured telecommuting and branch office hosts.
New Products
• Private address space use
• Connections with business partners
• Due diligence tool for joint ventures,
mergers, divestitures, etc.
Walking the perimeter
• There is a large potential market for
this
• New tool to gain some control over an
extensive network
• Fits with a number of companies’
product lines
• new Lucent venture
How we scan
• Via dialup, using RAS servers
• Secure tunnel, if you prefer
– IPsec
– PPTP
– others?
Auditing Firewall Rules
Over time, systems change but firewall rules may not...
[Diagram: Internet, firewall, and intranet hosts a, b, c, d, with the rules:]
allow web to a
allow web to b
allow web to c
allow web to d
allow mail to c
Oops! Legacy rules can create today’s security holes.
How Firewall Auditor Works
Input: intranet definition + query list of services
Sample firewall rules:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pix1
fixup protocol ftp 21
fixup protocol http 80
nat (inside) 0 0 0
static (inside, outside) 135.104.45.176 135.104.45.176 netmask 255.255.255.240
outbound 1 deny 0 0
apply (inside) 1 outgoing_dest
: RULE : OUT PASS http mh zero
conduit permit tcp host 135.104.45.180 eq 80 135.104.0.0 255.255.224.0
conduit permit tcp host 135.104.45.180 eq 80 135.104.32.0 255.255.248.0
Analysis: what service traffic from the Internet can get through the firewall rules to which intranet addresses?
Output:
Query: Internet-> Inside : http
Internet -> ecnes01 (ecnes01.inet.lucent.com) : http [Rule: 2 ]
Internet -> ecnes02 (ecnes02.inet.lucent.com) : http [Rule: 4 ]
bcs-test (sapient2-bh.sapient.com) -> galileo (oh0012espweb1.inet.lucent.com) : http [Rule: 7 ]
bcs-test (sapient2-bh.sapient.com) -> voyager (voyager.inet.lucent.com) : http [Rule: 9 ]
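A minimal version of the analysis step above, as an added example (not Lucent's Firewall Auditor): parse the conduit permit rules of a PIX-style config and report which protected hosts a given source can reach on a queried service, with the permitting rule's position. The rule set, addresses and host names are constructed, and only the conduit form shown on the slide is handled.

```python
import ipaddress

# Constructed sample rule set modelled on the slide's sample rules
# (addresses and host names here are made up, not Lucent's).
RULES = """\
nameif ethernet0 outside security0
conduit permit tcp host 192.0.2.10 eq 80 0.0.0.0 0.0.0.0
conduit permit tcp host 192.0.2.11 eq 80 0.0.0.0 0.0.0.0
conduit permit tcp host 192.0.2.12 eq 80 198.51.100.0 255.255.255.0
conduit permit tcp host 192.0.2.12 eq 25 0.0.0.0 0.0.0.0
"""
SERVICES = {"http": 80, "smtp": 25}
NAMES = {"192.0.2.10": "web1", "192.0.2.11": "web2", "192.0.2.12": "mail1"}

def parse_conduits(text):
    """Return [(rule_no, proto, dest_host, port, source_net)]. In PIX conduit
    syntax the first address is the protected (global) host and the trailing
    address/mask pair is the permitted source network; rule_no is the 1-based
    line position in the config."""
    rules = []
    for no, line in enumerate(text.splitlines(), 1):
        f = line.split()
        if (len(f) < 9 or f[:2] != ["conduit", "permit"]
                or f[3] != "host" or f[5] != "eq"):
            continue              # other statements are skipped, not guessed at
        rules.append((no, f[2], f[4], int(f[6]),
                      ipaddress.IPv4Network((f[7], f[8]))))
    return rules

def reachable(rules, service, source="Internet"):
    """Hosts the source can reach on the service, with the permitting rule.
    "Internet" stands for an arbitrary outside address, so only rules that
    admit any source (0.0.0.0/0) count; a specific source IP matches any
    rule whose source network contains it."""
    port, hits = SERVICES[service], []
    for no, proto, dest, rport, src in rules:
        if proto != "tcp" or rport != port:
            continue
        if source == "Internet" and src.prefixlen != 0:
            continue
        if source != "Internet" and ipaddress.IPv4Address(source) not in src:
            continue
        hits.append((dest, no))
    return hits

def report(rules, service, source="Internet"):
    """Render hits in the slide's 'src -> host (addr) : svc [Rule: n]' style."""
    return [f"{source} -> {NAMES.get(d, d)} ({d}) : {service} [Rule: {n}]"
            for d, n in reachable(rules, service, source)]

if __name__ == "__main__":
    print(*report(parse_conduits(RULES), "http"), sep="\n")
```

The third rule only admits the 198.51.100.0/24 partner network, so it does not appear in the Internet query but does when that partner is given as the source, which is the distinction the slide's bcs-test lines illustrate.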