Mapping the Internet and Intranets

Identifying and Patrolling your True Network Perimeter
Bill Cheswick
ches@lumeta.com
http://www.lumeta.com

Talk Outline
 • A little personal history concerning perimeter
   defenses
 • Outside: mapping the Internet
 • A discussion of perimeter defenses
 • Strong host security
 • Mapping and understanding intranets
 • The past and future of Microsoft host security:
    – my Dad’s computer
 • Ned will show you some details of our product

              Pondering Perimeters: GFIRST Orlando   2 of 105
A short bio regarding Internet perimeters

 • Started at Bell Labs in December 1987
   – Immediately took over postmaster and
     firewall duties
 • Good way to learn the ropes, which was my
  intention

Morris worm hit on Nov 1988
 • Heard about it on NPR
   – Had a “sinking feeling” about it
 • The home-made firewall worked
    – No fingerd
    – No sendmail (we rewrote the mailer)
 • Intranet connection to Bellcore
 • We got lucky
 • Bell Labs had 1330 hosts
 • Corporate HQ didn’t know or care
Action items

 • Shut down the unprotected connection to
   Bellcore
   – What we now call a “routing leak”
 • Redesign the firewall for much more
   capacity, and no “sinking feeling”
    – (VAX 750, load average of 15)
 • Write a paper on it
   – “if you don’t write it up, you didn’t do the
     work”

Old gateway:

New gateway:

New gateway:
(one referee’s suggestion)

“Design of a Secure Internet Gateway”
– Anaheim Usenix, Jan 1990

  • My first real academic paper
  • It was pretty good, I think
  • It didn’t have much impact, except for two
    pieces:
     – Coined the word “proxy” in its current use
       (this was for a circuit-level gateway)
        • Predated SOCKS by three years
     – Coined the expression “crunchy outside
       and soft chewy center”

Why wasn’t the paper more influential?

 • Because the hard part isn’t the firewall, it is
   the perimeter
    – I built a high security firewall for USSS
      from scratch in about 2 hours in Sept.
      2001.
 • I raised our firewall security from “low
   medium” to “high”
   – (that’s about as good as computer and
     network security measurement gets)
 • The perimeter security was “dumb luck”,
   which we raised to “probably none”

Network and host security levels

 • Dumb luck
 • None
 • Low
 • Medium
 • High = no “sinking feeling”

By 1996, AT&T’s intranet

 • Firewall security: high, and sometimes quite
   a pain, which meant
 • Perimeter security: dumb luck
 • Trivestiture didn’t change the intranet
   configuration that much

Lucent now (1997) (sort of)
We’d circled the wagons around Wyoming

[Diagram: the Lucent sites (Columbus, Holmdel, Murray Hill, Allentown) inside the perimeter, surrounded by the Internet; external links via SLIP, PPP, ISDN, X.25, cable, ...; thousands of telecommuters; ~200 business partners.]

 • Lucent - 130,000, 266K IP addresses, 3000 nets ann.

Highlands forum, Annapolis, Dec 1996

 • A Rand corp. game to help brief a member of
   the new President’s Infrastructure Protection
   Commission
 • Met Esther Dyson and Fred Cohen there
   – Personal assessment by intel profiler
 • “Day after” scenario
 • Gosh it would be great to figure out where
   these networks actually go

Perimeter Defenses have a long history

Lorton Prison

The Pretty Good Wall of China

Perimeter Defense of the US Capitol Building

Flower pots

Security doesn’t have to be ugly

Delta barriers

Edinburgh Castle

Warwick Castle

Heidelberg Castle, started in the 1300s

Berwick Castle

Parliament: entrance

Parliament: exit

Why use a perimeter defense?

 • It is cheaper
    – A man’s home is his castle, but most
     people can’t afford the moat
 • You can concentrate your equipment and
   your expertise in a few areas
 • It is simpler, and simpler security is usually
   better
    – Easier to understand and audit
    – Easier to spot broken parts

What’s wrong with perimeter defenses

 • They are useless against insider attacks
 • They provide a false sense of security
    – You still need to toughen up the inside, at
     least some
   – You need to hire enough defenders
 • They don’t scale well

Anything large enough to be called an “intranet” is out of control

Project 1: Can we live without an intranet?
Strong host security
Mid 1990s

I can, but you probably can’t

 • “Skinny-dipping” on the Internet since the
   mid 1990s
 • The exposure focuses one clearly on the
   threats and proactive security
 • It’s very convenient, for the services I dare
   to use
 • Many important network services are
   difficult to harden

Skinny dipping rules
 • Only minimal services are offered to the general
   public
     – SSH
    – Web server (jailed Apache)
    – DNS (self chrooted)
    – SMTP (postfix, not sendmail)
 • Children (like employees) and MSFT clients are
   untrustworthy
 • Offer hardened local services at home, like SAMBA
   (chroot), POP3 (chroot)
 • I’d like to offer other services, but they are hard to
   secure

Skinny dipping requires strong host security

 • FreeBSD and Linux machines
 • I am told that one can lock down an MSFT
   host, but there are hundreds of steps, and I
   don’t know how to do it.
 • This isn’t just about operating systems: the
   most popular client applications are, in
   theory, very dangerous and, in practice, very
   dangerous.
    – Web browsers and mail readers have
      many dangerous features

Skinny dipping flaws

 • Less defense in depth
 • No protection from denial-of-service attacks

Project 2: The Internet Mapping Project
An experiment in exploring network connectivity
1998

Methods - network discovery (ND)

 • Obtain master network list
   – network lists from Merit, RIPE, APNIC, etc.
   – BGP data or routing data from customers
   – hand-assembled list of Yugoslavia/Bosnia
 • Run a TTL-type (traceroute) scan towards
   each network
 • Stop on error, completion, no data
   – Keep the natives happy

Methods - data collection

 • Single reliable host connected at the
   company perimeter
 • Daily full scan of Lucent
 • Daily partial scan of Internet, monthly full
   scan
 • One line of text per network scanned
   – Unix tools
 • Use a light touch, so we don’t bother
   Internet denizens
TTL probes

 • Used by traceroute and other tools
 • Probes toward each target network with
   increasing TTL
 • Probes are ICMP, UDP, TCP to port 80, 25,
   139, etc.
 • Some people block UDP, others ICMP

Intranet implications of Internet mapping

 • High speed technique, able to handle the
   largest networks
 • Light touch: “what are you going to do to my
   intranet?”
 • Acquire and maintain databases of Internet
   network assignments and usage

Advantages

• We don’t need access (i.e. SNMP) to the
  routers
• It’s very fast
• Standard Internet tool: it doesn’t break
  things
• Insignificant load on the routers
• Not likely to show up on IDS reports
• We can probe with many packet types

Limitations

 • View is from scanning host only
   – Multiple scan sources gives a better view
 • Outgoing paths only
 • Level 3 (IP) only
    – ATM networks appear as a single node
 • Not all routers respond
   – Some are silent
   – Others are “shy” (RFC 1123 compliant),
     limited to one response per second
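The probe loop from the method, TTL-probe and limitations slides, as an added simulation that is not Lumeta’s or the talk’s own code: the routers, addresses and pacing are constructed, and it shows how a “shy” router drops out of a fast back-to-back scan and reappears when probes are paced at one per second.

```python
"""TTL-probe path discovery, simulated (added example, not Lumeta's code).
Illustrates the "TTL probes" and "Limitations" slides: probes go toward
a target with increasing TTL, the scan stops on completion or when
nothing answers, and routers may be silent or "shy" (RFC 1123
rate-limited to one ICMP reply per second). Topology is constructed.
"""
from dataclasses import dataclass

@dataclass
class Router:
    addr: str
    silent: bool = False        # never sends ICMP time-exceeded
    shy: bool = False           # answers at most once per second
    last_reply: float = -10.0   # simulated clock time of last reply

    def answers(self, now: float) -> bool:
        """Does an expired probe arriving at `now` get a reply?"""
        if self.silent or (self.shy and now - self.last_reply < 1.0):
            return False
        self.last_reply = now
        return True

class Scanner:
    """Runs TTL scans toward several targets on one shared clock."""
    def __init__(self, interval: float):
        self.now = 0.0            # seconds on the simulated clock
        self.interval = interval  # pacing between probes ("light touch")

    def trace(self, path, max_silent=3, max_ttl=30):
        """Return ([(ttl, responder or None), ...], stop_reason).
        `path` lists the hops toward the target; its last element is the
        target host itself, which answers the final probe directly."""
        hops, silent_run = [], 0
        for ttl in range(1, min(max_ttl, len(path)) + 1):
            hop = path[ttl - 1]
            if ttl == len(path):            # probe reached the target
                hops.append((ttl, hop.addr))
                return hops, "completion"
            responder = hop.addr if hop.answers(self.now) else None
            hops.append((ttl, responder))
            silent_run = 0 if responder else silent_run + 1
            if silent_run >= max_silent:    # stop: keep the natives happy
                return hops, "no data"
            self.now += self.interval
        return hops, "ttl exhausted"

def build_paths():
    """Constructed topology: two target networks share their first two hops."""
    core = Router("10.0.0.1")
    shy = Router("10.0.1.1", shy=True)
    quiet = Router("10.0.2.1", silent=True)
    return {"198.51.100.0/24": [core, shy, quiet, Router("198.51.100.7")],
            "203.0.113.0/24": [core, shy, Router("203.0.113.9")]}

def scan_all(interval: float):
    """Scan all targets back to back; returns {target: (hops, reason)}.
    A fast scan hides the shy router from the second trace; pacing the
    probes at one per second lets it answer again."""
    scanner = Scanner(interval)
    return {net: scanner.trace(path) for net, path in build_paths().items()}

if __name__ == "__main__":
    for interval in (0.1, 1.0):
        print(interval, scan_all(interval))
```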
Data collection complaints

 • Australian parliament was the first to
   complain
 • List of whiners (25 nets)
 • On the Internet, these complaints are mostly
   a thing of the past
    – Internet background radiation
       predominates

Visualization goals

 • make a map
   – show interesting features
   – debug our database and collection
     methods
 • geography doesn’t matter
 • use colors to show further meaning

Visualization of the layout algorithm
Laying out the Internet graph

Colored by AS number

Map Coloring

 • distance from test host
 • IP address
    – shows communities
 • Geographical (by TLD)
 • ISPs
 • future
     – timing, firewalls, LSRR blocks

Colored by IP address!

Colored by geography

Colored by ISP

Colored by distance from scanning host

Yugoslavia
An unclassified peek at a new battlefield
1999

A film by Steve “Hollywood” Branigan...

The End

Intranets: the rest of the Internet

This was supposed to be a VPN

Case studies: corp. networks
Some intranet statistics

Project 3: Detecting perimeter leaks
Lumeta’s Special Sauce
2000

Types of leaks

 • Routing leaks
   – Internal routes are announced externally,
     and the packets are allowed to flow
     betwixt
 • Host leaks
   – Simultaneously connected inside and out,
     probably without firewall-functionality
   – Not necessarily a dual-homed host
 • “Please don’t call them leaks”
    – They aren’t always a Bad Thing
Routing leaks

 • Easily seen on maps
 • Shows up in our reports
 • Generally easily fixed

Host leak detection

 • Developed to find hosts that have access to
   both intranet and Internet
 • Or across any privilege boundary
 • Leaking hosts do not route between the
   networks
 • Technology didn’t exist to find these

Possible host leaks

 • Misconfigured telecommuters connecting
   remotely
 • VPNs that are broken
 • DMZ hosts with too much access
 • Business partner networks
 • Internet connections by rogue managers
 • Modem links to ISPs

Leak Detection Prerequisites

 • List of potential leakers: obtained by census
 • Access to intranet
 • Simultaneous availability of a “mitt”

Leak Detection Layout

[Diagram: the mitt (address D) and the mapping host (address A) at the top, the Internet on the left and the intranet on the right, and the test host at the bottom with address C on the Internet side and address B on the intranet side.]

 • Mapping host with address A is connected to the intranet
 • Mitt with address D has Internet access
 • Mapping host and mitt are currently the same host, with two interfaces

Leak Detection

[Same diagram as the previous slide.]

 • Test host has known address B on the intranet
 • It was found via census
 • We are testing for unauthorized access to the Internet, possibly through a different address, C

Leak Detection

[Same diagram as the previous slide.]

 • A sends packet to B, with spoofed return address of D
 • If B can, it will reply to D with a response, possibly through a different interface

Leak Detection

[Same diagram as the previous slide.]

 • Packet must be crafted so the response won’t be permitted through the firewall
 • A variety of packet types and responses are used
 • Either inside or outside address may be discovered
 • Packet is labeled so we know where it came from

Inbound Leak Detection

[Same diagram as the previous slide.]

 • This direction is usually more important
 • It all depends on the site policy…
 • …so many leaks might be just fine.

Inbound Leak Detection

[Diagram only: the same leak-detection layout as the previous slides.]

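The outbound leak test described on the leak-detection slides, as an added simulation that is not Lumeta’s or the talk’s own code: the hosts, the addresses A to D and the stateful firewall model are all constructed, and the point it shows is why a reply reaching the mitt proves a path around the firewall, and how the probe label ties that reply back to the probed host.

```python
"""Host leak detection, simulated (added example, not Lumeta's code).
Mapping host A probes intranet host B with the source address spoofed
to D, the mitt on the Internet. The probe never crosses the firewall,
so the firewall drops B's reply as unsolicited; a reply that reaches D
anyway went around the firewall, so B leaks. Hosts are constructed.
"""
import ipaddress
from collections import namedtuple

INTRANET, INTERNET = "intranet", "internet"
MITT = "198.51.100.5"   # D, the mitt's Internet address
# label: marks the probe so D can tell which target a reply came from
Packet = namedtuple("Packet", "src dst kind label")

class Host:
    def __init__(self, ifaces, routes):
        self.ifaces = ifaces   # {network: this host's address on it}
        self.routes = [(ipaddress.ip_network(p), n) for p, n in routes]

    def route(self, dst):
        """Longest-prefix match; returns the outbound network or None."""
        a = ipaddress.ip_address(dst)
        hits = [(p.prefixlen, n) for p, n in self.routes if a in p]
        return max(hits)[1] if hits else None

    def answer(self, probe):
        """Reply toward the (spoofed) source, from the interface that route uses."""
        net = self.route(probe.src)
        if net is None:
            return None, None
        return net, Packet(self.ifaces[net], probe.src, "reply", probe.label)

class StatefulFirewall:
    """Sanctioned intranet/Internet path. Passes a reply only if it saw
    the matching probe; the A->B probe stays inside, so it never did."""
    def __init__(self):
        self.flows = set()

    def permits(self, pkt):
        if pkt.kind == "probe":
            self.flows.add((pkt.src, pkt.dst))
            return True
        return (pkt.dst, pkt.src) in self.flows

def find_leaks(hosts, firewall):
    """Return {inside address B: outside address C} for each leaking host."""
    leaks = {}
    for host in hosts:
        inside = host.ifaces[INTRANET]
        probe = Packet(MITT, inside, "probe", inside)   # A -> B, return address D
        net, reply = host.answer(probe)
        if reply is None or (net == INTRANET and not firewall.permits(reply)):
            continue                    # no route, or dropped at the firewall
        if reply.dst == MITT:           # reached D around the firewall
            leaks[reply.label] = reply.src
    return leaks

def demo_hosts():
    """Constructed intranet: a well-behaved desktop and a PC with a modem link."""
    return [Host({INTRANET: "10.1.2.3"},
                 [("10.0.0.0/8", INTRANET), ("0.0.0.0/0", INTRANET)]),
            Host({INTRANET: "10.1.2.44", INTERNET: "203.0.113.17"},
                 [("10.0.0.0/8", INTRANET), ("0.0.0.0/0", INTERNET)])]
```

Calling `find_leaks(demo_hosts(), StatefulFirewall())` reports only the modem-connected PC, with its intranet address as the key and the outside address it answered from as the value.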
Leak results

 • Found home web businesses
 • At least two clients have tapped leaks
   – One made front page news
 • From the military: “the republic is a little
   safer”

We developed a lot of stuff
 • Leak detection (that’s the special sauce)
 • Lots of reports: the hardest part is converting data to
   information
 • Route discovery: TTL probes plus SNMP router queries
 • Host enumeration and identification: ping and xprobe-
   style host identification
 • Server discovery: SYN probes of popular TCP ports
 • Wireless base station discovery: xprobe, SNMP, HTTP
 • And more…ask the sales people
 • The “zeroth step in network intelligence”
    – me

What’s next?
IPv6
2005 + 3

IPv6 deployment

 • Has been 3 years away since 1993
 • Widely deployed in the Far East, and in the
   new cell phones
 • Europe is getting on board
 • US Government mandate for 2005
   – But what does “IPv6 capable” really
     mean?
 • None of the three ISPs I am connected to at
   home and work offer raw IPv6 feeds
IPv6 address space

 • /48s seem to be freely available:
    – Each US soldier will have one
    – One for each home
 • 80-bit host address is a hell of a hell of a
   large space
 • Easy to hide hosts in that space
 • Hard to administer hosts in that space
 • Some interesting cryptographic and “IP
   hopping” applications come to mind.
IPv6 technical aspects

 • Google-based research will lead you down
   recently abandoned dead ends
    – A6 came and went, AAAA is what to use
    – Link level addressing is deprecated
    – Use of bottom 128 – 48 = 80 bits not really
      settled
 • Addresses aren’t as bad as you might think:
    – 2001:5bfe:16::1 (easy to grep!)

IPv6

 • IPv6 is available through IPv4/IPv6 tunnel
   brokers
    – www.hexago.com formerly freenet6.net
 • Not hard to set up on Unix hosts, then it Just
   Works

What’s next?
Skinny dipping with Microsoft operating systems?
2062?

XP SP2: Bill gets it
 • “a feature you don’t use should not be a security
   problem for you.”
 • “Security by design”
     – Too late for that, it’s all retrofitting now
 • “Security by default”
    – No network services on by default
 • Security control panel
    – Many things missing from it
    – Speaker could not find ActiveX security settings
 • There are a lot of details that remain to be seen.

Pondering and Patrolling Perimeters
Bill Cheswick
ches@lumeta.com
http://www.lumeta.com