George Jelatis

Secure Computing
Countering the Insider Threat with Autonomic Distributed Firewall (ADF) Technology
Black Hat Briefings
Las Vegas, NV, 11 July 2001
George Jelatis & David Papas
[email protected]
[email protected]
www.securecomputing.com
© 2000-2001, Secure Computing Corp. All rights reserved.

Outline
• Firewall trends and issues
• Approach & Architecture
• Security policy management
• Implementation
• Applications
• Demonstration Scenarios

Perimeter Firewall Issues
• Perimeter firewalls have limited visibility
  – They cannot see activity behind the firewall, so they do little to counter insider threats
  – The line between insiders and outsiders is blurring
  – IPv6/IPSEC significantly limits perimeter-based filtering and intrusion detection
  – Wireless/mobile computing frustrates policy
• Perimeter firewalls are expensive (but necessary)

Host Based Firewalls
• Operating systems are vulnerable
  – Back Orifice, Melissa, <attack of the week>
  – Windows 2000 has 25M+ LOC and maybe one or two security bugs
• Firewalls implemented on vulnerable operating systems may suffer from circular logic: the firewall depends on the very OS it is supposed to protect
• Many host based firewalls assume the user is trusted. Even good users do bad things when they unwittingly run hostile code.

ADF Approach
• Push the firewall closer to, but not on to, the host
  – The host cannot be trusted because the operating system may be subverted
• Create a “firewall-on-a-Network Interface Card (NIC)” that is independent from the host
• Use a master-slave architecture to provide scalability & centralized security policy management

Insider Threat ?
(figure-only slide)

ADF Concept
Distribute network layer security onto smart hardware directly in front of critical hosts
• Complements existing perimeter firewalls
  – Protects against insider threat
• Stronger than existing host/application security
  – Mechanisms cannot be subverted by malicious users or code running on a weak operating system
• An affordable security solution
  – Low cost of hardware and software
  – Incremental deployment to address specific threats
• A survivable security solution
  – Transparent to hosts and applications
  – Redundant management system
  – Fail-safe hardware components

Technical Objective
• Provide robust, intrusion tolerant networks via a firewall per host
  – Provide defense in depth
  – Provide protection from insiders
  – Tie the distributed firewall to autonomic response mechanisms

ADF Background
(diagram)
• DARPA ADF technology development
  – New approach to network security
  – Addresses needs of complex, partner networks
• SCC software
  – Modified NIC firmware
  – Centralized policy management
• COTS NIC
  – IPSec 3DES encryption
  – ARM 9 processor
• Product: Embedded Firewall

Major Components
(diagram)
• ADF Controller: GUI, controller front end, MIB, controller daemon, audit daemon, policy database, audit database
• Protected host: ADF Agent, host OS driver, NIC with its runtime image

NIC Implementation
• Isolation from the host operating system
  – Separate processor
  – Isolated memory
• IPSEC crypto hardware on the NIC provides high performance VPNs
  – Windows 2000 based, Dec 2000
  – ADFC managed, late 2001
• NIC based policy supports servers, desktops, telecommuters, and laptops

NIC Packet Filtering
• No sniffing
  – Prevents sniffing passwords and other information
• No spoofing
  – Prevents the protected host from being used as a source of distributed denial of service traffic with spoofed addresses
• Additional rules based on
  – IP addresses
  – Direction
  – Port ranges
  – Initiate vs. accept connections
• Possible NIC actions
  – Allow/deny. Passes or drops the packet
  – Audit/no audit. Sends audit to the ADF Controller

NIC Filter Engine
• 64 packet filtering rules supported
• TCP SYN detection
  – Allows the NIC to distinguish between accepting or initiating connections, e.g., allow outbound Telnet but block inbound
• Actions in response to matching a packet filter engine rule:
  – Allow/deny. Passes or drops the packet
  – Audit/no audit. Sends audit to the ADFC
  – Test. Flag packets that matched the packet filter rule but do not enforce the policy; test new policies first
• No support for filtering inside tunnels (e.g., IPSEC)
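
The filter semantics of the NIC Packet Filtering and NIC Filter Engine slides, as an added example that is not Secure Computing's firmware: first-match rules keyed on direction, remote address, protocol and port ranges; initiate versus accept decided from the TCP SYN/ACK flags; allow/deny, audit and test actions; the anti-spoof check on outbound packets; and the 64-rule limit. The rule encoding, the tcp_state field, the audit strings, the host address 10.0.0.5 and the packets in demo() are assumptions of this model.

```python
"""Model of a per-NIC packet filter engine in the style the slides describe.

Added example, not Secure Computing's firmware: the rule encoding, the
tcp_state field, the audit strings and all addresses are assumptions
chosen to illustrate the slides' semantics.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

MAX_RULES = 64                 # slide: "64 packet filtering rules supported"
ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp" or "udp"
    sport: int
    dport: int
    direction: str             # "in" = wire -> host, "out" = host -> wire
    syn: bool = False          # TCP SYN flag
    ack: bool = False          # TCP ACK flag


@dataclass(frozen=True)
class Rule:
    direction: str                        # "in" or "out"
    remote: str                           # CIDR the far end must belong to
    proto: str                            # "tcp", "udp" or "any"
    local_ports: Tuple[int, int] = ANY_PORTS
    remote_ports: Tuple[int, int] = ANY_PORTS
    tcp_state: str = "any"                # "open" = SYN without ACK, "established" = ACK set
    action: str = "deny"                  # "allow" or "deny"
    audit: bool = False                   # send an audit record to the controller
    test: bool = False                    # flag the match but do not enforce it
    name: str = ""


@dataclass
class Verdict:
    action: str
    audit: List[str] = field(default_factory=list)


def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction or rule.proto not in ("any", pkt.proto):
        return False
    if pkt.direction == "in":
        remote, local_port, remote_port = pkt.src, pkt.dport, pkt.sport
    else:
        remote, local_port, remote_port = pkt.dst, pkt.sport, pkt.dport
    if ip_address(remote) not in ip_network(rule.remote):
        return False
    if not (rule.local_ports[0] <= local_port <= rule.local_ports[1]
            and rule.remote_ports[0] <= remote_port <= rule.remote_ports[1]):
        return False
    if pkt.proto == "tcp":
        # SYN detection: a SYN without ACK is a connection being opened
        if rule.tcp_state == "open" and not (pkt.syn and not pkt.ack):
            return False
        if rule.tcp_state == "established" and not pkt.ack:
            return False
    return True


class NicFilter:
    """Filter engine on the NIC, between the host driver and the wire."""

    def __init__(self, host_addr: str, rules: List[Rule]):
        if len(rules) > MAX_RULES:
            raise ValueError(f"NIC holds at most {MAX_RULES} rules, got {len(rules)}")
        self.host_addr = host_addr
        self.rules = rules

    def filter(self, pkt: Packet) -> Verdict:
        v = Verdict(action="deny")        # implicit default: drop what no rule allows
        # "No spoofing": the host may only emit packets carrying its own address.
        if pkt.direction == "out" and pkt.src != self.host_addr:
            v.audit.append(f"spoof: host tried to send from {pkt.src}")
            return v
        for r in self.rules:
            if not _matches(r, pkt):
                continue
            if r.test:                    # test mode: report what would happen, keep matching
                v.audit.append(f"test: rule '{r.name}' would {r.action}")
                continue
            if r.audit:
                v.audit.append(f"audit: rule '{r.name}' {r.action}")
            v.action = r.action
            return v
        return v


# Policy for host 10.0.0.5 (constructed): "allow outbound Telnet but block inbound",
# plus a not-yet-enforced SSH rule being evaluated in test mode.
TELNET_POLICY = [
    Rule("out", "0.0.0.0/0", "tcp", remote_ports=(23, 23), action="allow", name="telnet-initiate"),
    Rule("in", "0.0.0.0/0", "tcp", remote_ports=(23, 23), tcp_state="established",
         action="allow", name="telnet-replies"),
    Rule("in", "0.0.0.0/0", "tcp", local_ports=(23, 23), tcp_state="open",
         action="deny", audit=True, name="telnet-accept"),
    Rule("in", "10.0.0.0/8", "tcp", local_ports=(22, 22), action="allow", test=True, name="ssh-from-lan"),
]


def demo() -> Dict[str, Verdict]:
    """Run constructed packets through the NIC and return each verdict by name."""
    nic = NicFilter("10.0.0.5", TELNET_POLICY)
    packets = {
        "outbound_telnet_syn": Packet("10.0.0.5", "10.0.0.9", "tcp", 40000, 23, "out", syn=True),
        "telnet_reply":        Packet("10.0.0.9", "10.0.0.5", "tcp", 23, 40000, "in", syn=True, ack=True),
        "inbound_telnet_syn":  Packet("10.0.0.9", "10.0.0.5", "tcp", 40001, 23, "in", syn=True),
        "inbound_ssh_syn":     Packet("10.0.0.7", "10.0.0.5", "tcp", 50000, 22, "in", syn=True),
        "spoofed_source":      Packet("10.0.0.99", "10.0.0.9", "tcp", 40002, 23, "out", syn=True),
    }
    return {name: nic.filter(p) for name, p in packets.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict.action:5s} {verdict.audit}")
```

The test-mode rule shows why the Test action matters: the SSH rule is reported in the audit stream but the packet still falls through to the default deny, so a new rule set can be checked against live traffic before it is enforced. One caveat a practitioner should keep in mind: a filter that decides initiate-versus-accept from SYN detection alone, with no connection table, admits any inbound ACK-flagged segment whose source port matches the "replies" rule (here, anything from port 23), which is the classic weakness of stateless "established" matching. Whether the ADF NIC kept per-connection state is not stated on these slides.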

Embedded Firewall Controller
• Provides the policy and audit GUI
  – Filter mode. Enforces the packet filter rules
  – Test mode. Does not enforce the policy but flags packets that matched the packet filter rule
• Uses a SQL database for storing policy and audit data
• Runs on Windows 2000 and NT
• Linux port underway
• Up to 3-way replication for fault tolerance

Security Policy
Desired policy (diagram of client groups and server services)
Clients
• Human resources: Laura, Mary
• Engineering: Chris, Nancy
• Sales: Paul, Sam
Servers
• HR web server: FTP, HTTP
• Engineering file server: NFS, FTP
• Sales database: SQL

Topologies are Complicated
(network diagram: Internet access through a BBN Planet router (Cisco 7505); Cisco 3640 and 2514 routers; several Sidewinder firewalls; DMZ, internal, remote-site, SSD, DLA and ia0106 LANs; an AFRL/LL traffic generator; analyst workstations, web clients, a CCS GUI, SQL and web servers; Solaris, NT and Red Hat hosts)

Potential Targets without ADF
(scatter plot: remote ports, labelled Message Send Protocol, Chargen, FTP, SSH remote login, Telnet, SMTP (mail), host name server, whois, login host protocol, domain name server, SQL, bootstrap, TFTP, finger, HTTP, Sun RPC, NetBIOS, SNMP, Internet relay chat, HTTP management, …, against host addresses 0 to 255)

Potential Targets with ADF
(the same plot with ADF policy applied)

Network Edge Security
(diagram)
• Analyst workstation 5.12.161.192
• Intel resources, web server 5.12.111.23
• Data source 5.12.161.197
• Web server 5.12.161.171
• Core network: routing, bandwidth
• Remote site 5.12.163.142
• Intranet web server 5.19.42.93
• SQL server 5.19.42.93

Implementation
(diagram: remote user and the Internet, perimeter firewall, LAN with workstation and server)
ADF Policy Controller
• Built by SCC under DARPA effort
• Converts high level policy into low level packet filtering rules for the NICs
• Encrypted communication with NICs
• Host cannot disable policy on its NIC
• Controller has audit database and browser

Protects Against Insider Threats
(diagram: user workstation, admin workstation, database server, web server and mail server, each behind its own NIC)
Web Server NIC
• only accepts HTTP from user systems
• only initiates SQL to the DB server
• accepts SSH/telnet only from admin
Mail Server NIC
• only accepts POP from user systems
• only accepts/initiates SMTP with other mail servers
• accepts SSH/telnet only from admin
Admin NIC
• initiates SSH/telnet to all servers
• initiates POP, SQL, and HTTP only to servers
• accepts nothing from anywhere else

ADF Connects the Warfighter
(diagram: a warfighter PC behind a cable/DSL modem, running applications and an OS without security patches, with a NIC that terminates an IPSec VPN; an attacker's PC; a Triple DES VPN tunnel to the enterprise firewall/VPN gateway; mail server and database server on the enterprise network behind it)

Protects Data Sharing among Partners
(diagram: a US LAN and a partner LAN, each with its own controller and an app server behind a NIC, together present a virtual shared server; the sites connect through their firewalls over the Internet via an IPSec VPN, and connections are locally initiated on each side)
• Only allow servers to initiate IPSec connections between each other
• Do not allow shared servers to initiate inbound connections into their local LAN

Simple Shared Server
(diagram: partner user workstations reach, over the Internet via a cable modem / DSL modem or router, a shared Windows NT 4/2000 box running an FTP server, IIS and IPSEC software behind a Firewall NIC; the US LAN, with its Distributed Firewall Controller, sits behind another Firewall NIC)

Demo Scenarios
1. Management of INFOCON shift
2. Controlled sharing using protected servers

INFOCON Alpha
(diagram: Experimental LAN 4.22.160.64/26 connected to the Internet; hosts almondjoy (Win2K), york (NT4.0), pringle (NT4.0), snicker (Win2K) at .122, .121, .76, .100; INFOCON labels shown: Alpha, Alpha)
• Protocols and/or addresses can be restricted on a per host basis as INFOCON changes
  – Block all port x traffic to a user's machine
  – Block a service from a specific subnet

INFOCON Bravo
(same diagram as INFOCON Alpha; INFOCON labels shown: Alpha, Bravo)
• Each host can be at a different INFOCON level
• Changing INFOCON is easy
• No rebooting required
• No user action required
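
How a controller could turn the high level policy into per-NIC rule sets, as an added example serving three slides at once: the Implementation slide's "converts high level policy into low level packet filtering rules", the role policy of the Protects Against Insider Threats slide (web, mail and admin NICs), and the per-host INFOCON shift of the INFOCON Alpha/Bravo slides. This is not the ADF Policy Controller's code. The group addresses, the service port numbers (SQL is taken as TCP 1433), the rule encoding, the contents of the Bravo overlay and the Controller class are assumptions made for the example.

```python
"""Compile a high-level ADF-style policy into per-NIC packet filter rules.

Added example, not the ADF Policy Controller's own code. The role policy
follows the "Protects Against Insider Threats" slide; the INFOCON overlays
follow the INFOCON Alpha/Bravo slides. Group addresses, service ports, the
rule encoding and the overlay contents are assumptions for this example.
"""
from typing import Dict, List, NamedTuple, Tuple

MAX_RULES = 64  # per-NIC limit stated on the NIC Filter Engine slide


class Rule(NamedTuple):
    direction: str       # "in" or "out"
    remote: str          # CIDR of the far end
    proto: str
    local_port: int      # 0 = any
    remote_port: int     # 0 = any
    state: str           # "open" (SYN only), "established" (ACK set) or "any"
    action: str          # "allow" or "deny"
    audit: bool = False


# Constructed address groups and service ports (assumptions).
GROUPS: Dict[str, List[str]] = {
    "users":     ["10.1.0.0/24"],
    "admin":     ["10.1.0.10/32"],
    "db":        ["10.1.1.20/32"],
    "mailpeers": ["10.1.1.40/32", "192.0.2.25/32"],
    "servers":   ["10.1.1.0/24"],
}
SERVICES: Dict[str, Tuple[str, int]] = {
    "http": ("tcp", 80), "pop": ("tcp", 110), "smtp": ("tcp", 25),
    "ssh": ("tcp", 22), "telnet": ("tcp", 23), "sql": ("tcp", 1433),
}

# High-level policy, one entry per NIC role: which services it may accept and
# from whom, which it may initiate and to whom. Everything else is dropped.
ROLE_POLICY: Dict[str, Dict[str, List[Tuple[str, str]]]] = {
    "web":   {"accept": [("http", "users"), ("ssh", "admin"), ("telnet", "admin")],
              "initiate": [("sql", "db")]},
    "mail":  {"accept": [("pop", "users"), ("smtp", "mailpeers"),
                         ("ssh", "admin"), ("telnet", "admin")],
              "initiate": [("smtp", "mailpeers")]},
    "admin": {"accept": [],
              "initiate": [(s, "servers") for s in ("ssh", "telnet", "pop", "sql", "http")]},
}

# INFOCON overlays: deny rules placed ahead of the role rules. Bravo blocks
# all port-23 traffic to the host and one service from one subnet (assumed).
INFOCON_OVERLAYS: Dict[str, List[Tuple[str, str]]] = {
    "alpha": [],
    "bravo": [("telnet", "0.0.0.0/0"), ("http", "203.0.113.0/24")],
}


def _accept(svc: str, group: str) -> List[Rule]:
    proto, port = SERVICES[svc]
    rules = []
    for cidr in GROUPS[group]:
        rules.append(Rule("in", cidr, proto, port, 0, "open", "allow"))          # they open to us
        rules.append(Rule("out", cidr, proto, port, 0, "established", "allow"))  # our replies
    return rules


def _initiate(svc: str, group: str) -> List[Rule]:
    proto, port = SERVICES[svc]
    rules = []
    for cidr in GROUPS[group]:
        rules.append(Rule("out", cidr, proto, 0, port, "any", "allow"))          # we open to them
        rules.append(Rule("in", cidr, proto, 0, port, "established", "allow"))   # their replies
    return rules


def compile_nic(role: str, infocon: str = "alpha") -> List[Rule]:
    """Low-level rule set for one NIC; order matters, first match wins."""
    rules: List[Rule] = []
    for svc, cidr in INFOCON_OVERLAYS[infocon]:
        proto, port = SERVICES[svc]
        rules.append(Rule("in", cidr, proto, port, 0, "any", "deny", audit=True))
    for svc, group in ROLE_POLICY[role]["accept"]:
        rules += _accept(svc, group)
    for svc, group in ROLE_POLICY[role]["initiate"]:
        rules += _initiate(svc, group)
    if len(rules) > MAX_RULES:
        raise ValueError(f"{role}: {len(rules)} rules exceed the NIC limit of {MAX_RULES}; "
                         "aggregate groups into fewer CIDRs")
    return rules


class Controller:
    """Holds each host's role and INFOCON level; a shift recompiles that host only."""

    def __init__(self, hosts: Dict[str, str]):       # host name -> role
        self.roles = dict(hosts)
        self.levels = {h: "alpha" for h in hosts}
        self.rulesets = {h: compile_nic(r) for h, r in hosts.items()}

    def shift_infocon(self, host: str, level: str) -> List[Rule]:
        """Push a new rule set to one NIC; no reboot or user action on the host."""
        self.levels[host] = level
        self.rulesets[host] = compile_nic(self.roles[host], level)
        return self.rulesets[host]


if __name__ == "__main__":
    ctl = Controller({"www1": "web", "mx1": "mail", "ops": "admin"})
    ctl.shift_infocon("www1", "bravo")
    for host, rules in ctl.rulesets.items():
        print(host, ctl.levels[host], len(rules), "rules")
```

Overlay denies go first so an INFOCON restriction wins over a standing allow, and the admin NIC compiles to outbound-initiate and inbound-established rules only, which is the slide's "accepts nothing from anywhere else". The 64-rule budget is checked per NIC at compile time: expanding a group into many /32s is the usual way a small policy blows the limit, so grouping into aggregatable CIDRs is part of policy design here. Shifting one host's level recompiles and pushes only that host's set, which is the property the Bravo slide advertises.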

Controlled Sharing
(diagram: coalition LAN and US LAN, each with its own ADFC; a coalition app server and a US app server, each behind a NIC, form a virtual shared server over an IPSEC VPN between the two sites' routers across the Internet; connections are locally initiated on each side)
• Controlled sharing provides a shared application server while protecting each LAN from the other coalition partner

Distributed Defense in Depth
(diagram: mobile field agent, foreign field office and local server, each behind a NIC, reach the gateway firewall and node manager over the Internet)
• Uses the master/slave architecture
• Provides centrally managed
  – VPN management and PKI
  – Packet filtering policies
  – Audit
• Provides protection for
  – Always online connections
  – Field offices
  – Remote locations

Conclusion
• ADF provides affordable, survivable Defense in Depth
• Complements existing paradigms
  – Firewall keeps unauthorized outsiders out
  – Embedded Firewall controls where insiders go
  – Host and apps provide fine grained access control
• OS and application transparent
• Redundant, distributed management with fail-safe enforcement components
• Product availability
  – NICs are currently available COTS product
  – Centralized controller and modified firmware complete
  – Betas in March 2001, product release in 3Q01

Demo Screen Shots
(screenshot-only slides)
• Controller GUI
• Policy View
• Expanded Policy View
• Rule Set Manager
• Server View
• Node Manager NIC Screen

Q&A
George Jelatis & David Papas
[email protected]
[email protected]
www.securecomputing.com