Mapping the Internet and Intranets

Internet Mapping, Columbia   1 of 137

             Clear and Present
                 Dangers
                  Bill Cheswick
                  Lumeta Corp.
                ches@lumeta.com


137 slides
             Clear and Present
                 Dangers
                 Perimeter Leaks
                Poor host security




             Mapping the
             Internet and
               Intranets
                  Bill Cheswick
                ches@lumeta.com
             http://www.cheswick.com




Motivations

 • Intranets are out of control
    – Always have been
 • Highlands “day after” scenario
 • Panix DOS attacks
    – a way to trace anonymous packets back!
 • Internet tomography
 • Curiosity about size and growth of the Internet
 • Same tools are useful for understanding any large network, including intranets

Related Work

 • See Martin Dodge’s cyber geography page
 • MIDS - John Quarterman
 • CAIDA - kc claffy
 • Mercator
 • “Measuring ISP topologies with
   rocketfuel” - 2002
   – Spring, Mahajan, Wetherall
 • Enter “internet map” in your search engine

The Goals

 • Long term reliable collection of Internet and Lucent connectivity information
    – without annoying too many people
 • Attempt some simple visualizations of the data
    – movie of Internet growth!
 • Develop tools to probe intranets
 • Probe the distant corners of the Internet

Methods - data collection

 • Single reliable host connected at the
   company perimeter
 • Daily full scan of Lucent
 • Daily partial scan of Internet, monthly full
   scan
 • One line of text per network scanned
   – Unix tools



Methods - network scanning

 • Obtain master network list
   – network lists from Merit, RIPE, APNIC, etc.
   – BGP data or routing data from customers
   – hand-assembled list of Yugoslavia/Bosnia
 • Run a traceroute-style scan towards each
   network
 • Stop on error, completion, no data
   – Keep the natives happy


TTL probes

 • Used by traceroute and other tools
 • Probes toward each target network with
   increasing TTL
 • Probes are ICMP, UDP, TCP to port 80, 25,
   139, etc.
 • Some people block UDP, others ICMP




TTL probes

[Diagram: the client (application level, TCP/UDP, IP, hardware) sends probes through the routers at hop 1, hop 2, hop 3 and hop 4 (each with IP and hardware layers) towards the server (application level, TCP/UDP, IP, hardware)]

Send a packet with a TTL of 1…

[Same diagram: the TTL-1 probe gets as far as the hop 1 router]

…and we get the death notice from the first hop

[Same diagram: the hop 1 router sends the expiry notice back to the client]

Send a packet with a TTL of 2…

[Same diagram: the TTL-2 probe gets as far as the hop 2 router, which sends the notice back]

… and so on …

[Same diagram: each increment of the TTL reveals the next hop towards the server]

Advantages

• We don’t need access (i.e. SNMP) to the routers
• It’s very fast
• Standard Internet tool: it doesn’t break things
• Insignificant load on the routers
• Not likely to show up on IDS reports
• We can probe with many packet types

Limitations

 • Outgoing paths only
 • Level 3 (IP) only
    – ATM networks appear as a single node
    – This distorts graphical analysis
 • Not all routers respond
 • Many routers limited to one response per
   second



Limitations

 • View is from scanning host only
 • Takes a while to collect alternating paths
 • Gentle mapping means missed endpoints
 • Imputes non-existent links




The data can go either way

[Diagram: nodes A, B, C, D, E and F, with two routes from A to D: one through B and C, the other through E and F]

The data can go either way

[Same diagram: traffic from A to D may use either route]

But our test packets only go part of the way

[Same diagram: the TTL-limited probe stops at the first hop on one of the routes]

We record the hop…

[Same diagram: the first-hop router that answered is marked]

The next probe happens to go the other way

[Same diagram: the next probe, with a larger TTL, is sent along the other route]

…and we record the other hop…

[Same diagram: the router that answered on the other route is marked]

We’ve imputed a link that doesn’t exist

[Same diagram: chaining the two recorded hops draws a link between routers on different routes, a link the network does not have]

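The TTL-probe slides and the A..F slides above describe the same failure mode: one probe per TTL, each free to take a different route, so hops from two different paths get chained into a link that does not exist. The following Python simulation is an added example, not code from the talk or from Lumeta. The six-node topology, the per-probe route choice and the names `naive_scan` and `flow_pinned_scan` are assumptions of this example, and the remedy it contrasts (keeping the probe's flow identifier fixed so every TTL rides the same route, the later Paris-traceroute idea) is not mentioned on the slides.

```python
import random

# Constructed toy topology, modelled on the A..F figure above (an assumption of
# this example): two routes of equal length from A to D, and nothing else.
ROUTES = [
    ["A", "B", "C", "D"],
    ["A", "E", "F", "D"],
]
TRUE_LINKS = {frozenset(pair) for route in ROUTES for pair in zip(route, route[1:])}


def hop_at_ttl(ttl, route):
    """The node that answers a probe sent with this TTL along this route.
    TTL 1 expires at the first router after A, TTL 2 at the second, and the
    destination D answers anything that reaches it."""
    return route[ttl] if ttl < len(route) else route[-1]


def naive_scan(rng, max_ttl=3):
    """One probe per TTL, each probe independently routed (per-packet load
    balancing).  The answering hops are chained into a single 'path'."""
    path = ["A"]
    for ttl in range(1, max_ttl + 1):
        route = rng.choice(ROUTES)   # the network, not the scanner, chooses this
        path.append(hop_at_ttl(ttl, route))
    return path


def flow_pinned_scan(rng, max_ttl=3):
    """Same scan, but every probe carries the same flow identifier, so the
    balancer keeps all TTLs on one route (Paris-traceroute idea; not on the slides)."""
    route = rng.choice(ROUTES)
    return ["A"] + [hop_at_ttl(ttl, route) for ttl in range(1, max_ttl + 1)]


def links_from_paths(paths):
    """Adjacent hops in a recorded path are read as links, as a mapper would."""
    links = set()
    for path in paths:
        for a, b in zip(path, path[1:]):
            if a != b:
                links.add(frozenset((a, b)))
    return links


def imputed_links(scan, probes=200, seed=1):
    """Links the scan method reports that are not in the real topology."""
    rng = random.Random(seed)
    inferred = links_from_paths(scan(rng) for _ in range(probes))
    return sorted("-".join(sorted(link)) for link in inferred - TRUE_LINKS)


if __name__ == "__main__":
    print("naive scan imputes:", imputed_links(naive_scan))              # ['B-F', 'C-E']
    print("flow-pinned scan imputes:", imputed_links(flow_pinned_scan))  # []
```

The naive scan reports B-F and C-E, routers that sit on different routes and share no link; pinning the flow removes both, at the cost the slides mention of having to repeat the scan to see the alternate path at all.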
Data collection complaints
 • Australian parliament was the first to
   complain
 • List of whiners (25 nets)
 • Military noticed immediately
   – Steve Northcutt
   – arrangements/warnings to DISA and CERT
 • These complaints are mostly a thing of the
   past
    – Internet background radiation
      predominates

Visualization goals

 • make a map
   – show interesting features
   – debug our database and collection
     methods
   – hard to fold up
 • geography doesn’t matter
 • use colors to show further meaning



Infovis state-of-the-art in 1998

 • 800 nodes was a huge graph
 • We had 100,000 nodes
 • Use spring-force simulation with lots of
   empirical tweaks
 • Each layout needed 20 hours of Pentium
   time




             Visualization of the
              layout algorithm
             Laying out the Internet graph




             Visualization of the
              layout algorithm
               Laying out an intranet




A simplified map

 • Minimum distance spanning tree uses 80%
   of the data
 • Much easier visualization
 • Most of the links still valid
 • Redundancy is in the middle




Colored by
AS number




Map Coloring

 • distance from test host
 • IP address
    – shows communities
 • Geographical (by TLD)
 • ISPs
 • future
    – timing, firewalls, LSRR blocks


Colored by IP address!




Colored by geography




Colored by ISP




Colored by distance
from scanning host




US military
reached by ICMP ping




US military networks
reached by UDP




                  Yugoslavia
             An unclassified peek at a new
                      battlefield




             Un film par Steve
               “Hollywood”
                Branigan...




             fin




Routers in New York City missing generator fuel

[Chart: number of routers (y-axis, 1000 to 1400) against date (x-axis, 9/11 through 9/22)]

             Intranets




We partition our networks to
get out of the game

 • Companies, governments, departments,
   even families hide in enclaves to limit
   connectivity to approved services
 • These are called intranets
 • The decentralized, cloud-like nature of
   internets makes them hard to manage at a
   central point
 • My company explores the extent of intranets
   and their interconnections with other
   networks.
             Intranets: the rest
               of the Internet




This was supposed to be a VPN

             Anything large
              enough to be
                called an
              “intranet” is
             out of control




Case studies: corp. networks
Some intranet statistics

                                              Min           Max
Intranet sizes (devices)                    7,900       365,000
Corporate address space                    81,000   745,000,000
% devices in unknown address space          0.01%        20.86%

% routers responding to "public"            0.14%        75.50%
% routers responding to other               0.00%        52.00%

Outbound host leaks on network                  0       176,000
% devices with outbound ICMP leaks             0%           79%
% devices with outbound UDP leaks              0%           82%

Inbound UDP host leaks                          0         5,800
% devices with inbound ICMP leaks              0%           11%
% devices with inbound UDP leaks               0%           12%
% hosts running Windows                       36%           84%

Leak Detection

[Diagram: on the Internet side, the mapping host A and the “mitt” D; on the intranet side, the test host B and host C]

 • A sends packet to B, with spoofed return address of D
 • If B can, it will reply to D with a response, possibly through a different interface

Leak Detection

[Same diagram: mapping host A and mitt D on the Internet, test host B and host C on the intranet]

 • Packet must be crafted so the response won’t be permitted through the firewall
 • A variety of packet types and responses are used
 • Either inside or outside address may be discovered
 • Packet is labeled so we know where it came from

Existence proofs of intranet
leaks: the slammer worm

 • It’s a pop-quiz on perimeter integrity
 • The best run networks (e.g. spooks’ nets) do
   not get these plagues
    – Internal hosts may be susceptible




Some Lumeta lessons
• Reporting is the really hard part
  – Converting data to information
• “Tell me how we compare to other clients”
• Offering a service was good practice, for a
  while
• The clients want a device
• We have >70 Fortune-200 companies and
  government agencies as clients
• Need-to-have vs. want-to-have

Honeyd – network emulation

 • Anti-hacking tools by Niels Provos at
   citi.umich.edu
 • Can respond as one or more hosts
 • I am configuring it to look like an entire
   client’s network
 • Useful for testing and debugging
 • Product?


History of the Project

 • Started in August 1998 at Bell Labs
 • April-June 1999: Yugoslavia mapping
 • July 2000: first customer intranet scanned
 • Sept. 2000: spun off Lumeta from
   Lucent/Bell Labs
 • June 2002: “B” round funding completed
 • 2003: sales >$4MM


     My Dad’s Computer and the
     Future of Internet Security
                 Bill Cheswick
               ches@lumeta.com
             http://www.lumeta.com




                    My Dad’s
                    computer
             Skinny-dipping with Microsoft




Case study:
My Dad’s computer

 • Windows XP, plenty of horsepower, two
   screens
 • Applications:
   – Email (Outlook)
   – “Bridge:” a fancy stock market monitoring
     system
   – AIM




Case study:
My Dad’s computer

 • Cable access
 • dynamic IP address
 • no NAT
 • no firewall
 • outdated virus software
 • no spyware checker



This computer was a software
toxic waste dump

 • It was burning a liter of oil every 500 km
 • The popups seemed darned distracting to
   me




My Dad’s computer: what the repair
geek found

 • Everything
 • “Viruses I’ve never heard of”
 • Constant popups
 • Frequent blasts of multiple web pages, all
   obscene
 • Dad: why do I care? I am getting my work
   done



Dad’s computer: how did he get
in this mess?

 • He doesn’t know what the popup security
   messages mean
 • Email-borne viruses
 • Unsecured network services
 • Executable code in web pages from
   unworthy sites




He is getting his work done

 • Didn’t want a system administrator to mess
   up his user interface settings
 • Truly destructive attacks are rare
    – They aren’t lucrative or much fun
    – They are self-limiting




Recently

 • An alien G-rated screen saver for an X-rated
   site appeared
 • Changing the screen saver worked!
 • The screen saver software removed in the
   correct way!
 • Still, this should never have happened




             Skinny Dipping on
                the Internet




I’ve been skinny dipping on the
Internet for years

 • FreeBSD and Linux hosts
 • Very few, very hardened network services
 • Single-user hosts
 • Dangerous services placed in sandboxes
 • No known breakins
 • No angst



     “Best block is not be there”
               -Karate Kid




Angst and the Morris Worm

 • Did the worm get past my firewall?
 • No. Why?
   – Partly smart design
   – Partly luck…removing fingerd
 • Peace of mind comes from staying out of the
   battle altogether




             “You’ve got to get
              out of the game”
                 -Fred Grampp




             Can my Dad (and
             millions like him)
              get out of the
                   game?




             Arms Races




Virus arms race

 • Early on, detectors used viral signatures
 • Virus encryption and recompilation (!) has
   thwarted this
 • Virus detectors now simulate the code,
   looking for signature actions
 • Virus writers now detect emulation and
   behave differently
 • Virus emulators are slowing down, even with
   Moore’s Law.

Virus arms race
 • I suspect that virus writers are going to win the
   detection battle, if they haven’t already
    – Emulation may become too slow
    – Even though we have the home-field advantage
    – Will we know if an undetectable virus is released?
 • Best defense is to get out of the game.
    – Don’t run portable programs, or
    – Improve our sandbox technology
 • People who really care about this worry about Ken
   Thompson’s attack
    – Read and understand “On Trusting Trust”

Getting out of the virus game

 • Don’t execute roving programs of unknown
   provenance
 • Trusted Computing can fix the problem, in
   theory




Password sniffing and cracking
arms race

 • Ethernet has always been sniffable
 • WiFi is the new Ethernet




Password sniffing and cracking
arms race

 • Password cracking works 3% to 60% of the
   time using offline dictionary attacks
    – More, if the hashing is misdesigned (cf.
      Microsoft)
 • This will never get better, so…
 • We have to get out of the game

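As an added example, not from the talk, here are the two password-storage shapes behind the “misdesigned hashing” remark, written in Python: an unsalted single-pass hash beside a salted, iterated PBKDF2 hash. The account list is constructed for the example. Under the unsalted scheme two accounts with the same password share a hash, so one dictionary pass and one lookup table cover every account at once; with a per-user salt and a high iteration count, each account costs the attacker a separate and much slower run.

```python
import hashlib
import hmac
import os

# Constructed sample accounts for this example; alice and carol chose the same password.
SAMPLE_USERS = [
    ("alice", "hunter2"),
    ("bob", "correct horse battery"),
    ("carol", "hunter2"),
]


def weak_hash(password):
    """The misdesigned shape: no salt, a single fast hash.  Equal passwords give
    equal hashes, and one precomputed dictionary serves every account."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def strong_hash(password, salt=None, iterations=100_000):
    """Per-user random salt plus an iterated hash (PBKDF2-HMAC-SHA256).  The
    parameters are stored with the result so verification can recompute it."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def strong_verify(password, stored):
    """Recompute from the stored parameters and compare in constant time."""
    scheme, iterations, salt_hex, _dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    recomputed = strong_hash(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed, stored)


def duplicate_groups(db):
    """Accounts whose stored hashes are identical.  Under the weak scheme this
    reveals which users share a password before any cracking starts."""
    by_hash = {}
    for user, stored in db.items():
        by_hash.setdefault(stored, []).append(user)
    return sorted(sorted(group) for group in by_hash.values() if len(group) > 1)


def dictionary_cost(words, accounts, salted):
    """Hash evaluations an offline dictionary attack needs to test every word
    against every account: a salt forces one full run per account."""
    return words * accounts if salted else words


def build_dbs(users=SAMPLE_USERS):
    """Store the same accounts both ways so the two schemes can be compared."""
    weak = {user: weak_hash(pw) for user, pw in users}
    strong = {user: strong_hash(pw) for user, pw in users}
    return weak, strong


if __name__ == "__main__":
    weak, strong = build_dbs()
    print("shared passwords visible in weak db:", duplicate_groups(weak))    # [['alice', 'carol']]
    print("shared passwords visible in strong db:", duplicate_groups(strong))  # []
    print("alice verifies:", strong_verify("hunter2", strong["alice"]))       # True
```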
Password sniffing and cracking
arms race

 • This battle is mostly won, thanks to SSL,
   IPsec, and VPNs.
 • There are many successful businesses
   using these techniques nicely.




Password sniffing is not a
problem for Dad

 • SSL fixes most of it
 • AIM is interceptible
   – Fixable…will it be?




Authentication/Identification
Arms races

 • Password/PIN selection vs. cracking
 • Human-chosen passwords and PINs can be
   ok if guessing is limited, and obvious
   choices are suppressed
 • Password cracking is getting better, thanks
   to Moore’s Law and perhaps even botnets




We don’t know how to leave the user in charge of
security decisions, safely.




User education vs. user
deception

 • We will continue losing this one
 • Even experts sometimes don’t understand
   the ramifications of choices they are offered




Authentication arms race:
predictions

 • USA needs two factor authentication for
   social security number. (Something better
   than MMN or birth date.)
 • I don’t see this improving much, but a global
   USB dongle would do it
 • Don’t wait for world-wide PKI.




Arms race (sort of)
hardware destruction
 • IBM monochrome monitor
 • Some more recent monitors
   – Current ones?
 • Hard drives? Beat the heads up?
 • EEPROM write limits
   – Viral attack on .cn and .kr PC
     motherboards
   – Other equipment
 • Anything that requires a hardware on-site
   service call
Arms race (sort of)
hardware destruction

 • Rendering the firmware useless
   – This can be fixed (mostly) with a secure
     trusted computing base.




Software upgrade race: literally
a race

 • Patches are analyzed to determine the
   weakness
 • Patch-to-exploit time is now down below 10
   hours
    – NB: spammers have incentive to do this
      work
 • Now the good guys are trying to obfuscate
   code!
 • Future difficult to say: dark side obscures
   everything.
Arms Races: deception

 • Jails
    – Cliff Stoll and SDInet
 • Honeypots
   – Honeynet
   – honeyd
 • The deception toolkit - Fred Cohen




                 Microsoft client
                    security
             It has been getting worse: can they
                      skinny-dip safely?




   Windows ME
Active Connections - Win ME

  Proto   Local Address            Foreign Address   State
  TCP     127.0.0.1:1032           0.0.0.0:0         LISTENING
  TCP     223.223.223.10:139       0.0.0.0:0         LISTENING
  UDP     0.0.0.0:1025             *:*
  UDP     0.0.0.0:1026             *:*
  UDP     0.0.0.0:31337            *:*
  UDP     0.0.0.0:162              *:*
  UDP     223.223.223.10:137       *:*
  UDP     223.223.223.10:138       *:*




   Windows 2000
Proto   Local Address            Foreign Address    State
  TCP     0.0.0.0:135              0.0.0.0:0          LISTENING
  TCP     0.0.0.0:445              0.0.0.0:0          LISTENING
  TCP     0.0.0.0:1029             0.0.0.0:0          LISTENING
  TCP     0.0.0.0:1036             0.0.0.0:0          LISTENING
  TCP     0.0.0.0:1078             0.0.0.0:0          LISTENING
  TCP     0.0.0.0:1080             0.0.0.0:0          LISTENING
  TCP     0.0.0.0:1086             0.0.0.0:0          LISTENING
  TCP     0.0.0.0:6515             0.0.0.0:0          LISTENING
  TCP     127.0.0.1:139            0.0.0.0:0          LISTENING
  UDP     0.0.0.0:445              *:*
  UDP     0.0.0.0:1038             *:*
  UDP     0.0.0.0:6514             *:*
  UDP     0.0.0.0:6515             *:*
  UDP     127.0.0.1:1108           *:*
  UDP     223.223.223.96:500       *:*
  UDP     223.223.223.96:4500      *:*

Windows XP, this laptop
Proto   Local Address            Foreign Address       State
 TCP     ches-pc:epmap            ches-pc:0             LISTENING
 TCP     ches-pc:microsoft-ds     ches-pc:0             LISTENING
 TCP     ches-pc:1025             ches-pc:0             LISTENING
 TCP     ches-pc:1036             ches-pc:0             LISTENING
 TCP     ches-pc:3115             ches-pc:0             LISTENING
 TCP     ches-pc:3118             ches-pc:0             LISTENING
 TCP     ches-pc:3470             ches-pc:0             LISTENING
 TCP     ches-pc:3477             ches-pc:0             LISTENING
 TCP     ches-pc:5000             ches-pc:0             LISTENING
 TCP     ches-pc:6515             ches-pc:0             LISTENING
 TCP     ches-pc:netbios-ssn      ches-pc:0             LISTENING
 TCP     ches-pc:3001             ches-pc:0             LISTENING
 TCP     ches-pc:3002             ches-pc:0             LISTENING
 TCP     ches-pc:3003             ches-pc:0             LISTENING
 TCP     ches-pc:5180             ches-pc:0             LISTENING
 UDP     ches-pc:microsoft-ds     *:*
 UDP     ches-pc:isakmp           *:*
 UDP     ches-pc:1027             *:*
 UDP     ches-pc:3008             *:*
 UDP     ches-pc:3473             *:*
 UDP     ches-pc:6514             *:*
 UDP     ches-pc:6515             *:*
 UDP     ches-pc:netbios-ns       *:*
 UDP     ches-pc:netbios-dgm      *:*
 UDP     ches-pc:1900             *:*
 UDP     ches-pc:ntp              *:*
 UDP     ches-pc:1900             *:*
 UDP     ches-pc:3471             *:*
FreeBSD partition, this laptop
(getting out of the game)
 Active Internet connections (including servers)
 Proto Recv-Q Send-Q Local Address
 tcp4       0      0 *.22
 tcp6       0      0 *.22




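The listings above show what to look for: a socket bound to 0.0.0.0, * or the host’s own address accepts connections from the network, while a 127.0.0.1 binding is reachable only from the host itself. The following Python is an added example, not a tool from the talk: it parses the two output styles shown (Windows `netstat -an` and BSD `netstat -an`) and reports the listeners that face the network. The sample lines are excerpts copied from the slides’ listings.

```python
from collections import namedtuple

# Excerpt of the Windows 2000 listing above (netstat -an style), used as sample input.
WIN2000_NETSTAT = """\
Proto   Local Address            Foreign Address    State
  TCP     0.0.0.0:135              0.0.0.0:0          LISTENING
  TCP     0.0.0.0:445              0.0.0.0:0          LISTENING
  TCP     127.0.0.1:139            0.0.0.0:0          LISTENING
  UDP     0.0.0.0:445              *:*
  UDP     127.0.0.1:1108           *:*
  UDP     223.223.223.96:500       *:*
"""

# The FreeBSD listing above (BSD netstat -an style, servers only).
FREEBSD_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address
tcp4       0      0 *.22
tcp6       0      0 *.22
"""

Listener = namedtuple("Listener", "proto addr port")


def parse_windows(text):
    """Windows prints a State column for TCP only; a UDP socket in the list is
    bound and receiving, so it counts as a listener."""
    found = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 3 or f[0] not in ("TCP", "UDP"):
            continue
        if f[0] == "TCP" and (len(f) < 4 or f[3] != "LISTENING"):
            continue                              # established or closing connections
        addr, _, port = f[1].rpartition(":")      # rpartition keeps IPv6 addresses whole
        found.append(Listener(f[0].lower(), addr, port))
    return found


def parse_bsd(text):
    """BSD netstat writes the local address as addr.port; '*' means all interfaces."""
    found = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or not f[0].startswith(("tcp", "udp")):
            continue
        addr, _, port = f[3].rpartition(".")
        found.append(Listener(f[0][:3], addr, port))
    return found


def is_external(listener):
    """Loopback bindings are reachable only from the host itself; every other
    binding (0.0.0.0, *, [::], or a specific interface address) faces the network."""
    a = listener.addr.strip("[]")
    return not (a.startswith("127.") or a == "::1")


def external_listeners(listeners):
    """Sorted, de-duplicated proto/port pairs reachable from the network."""
    return sorted({f"{l.proto}/{l.port}" for l in listeners if is_external(l)})


if __name__ == "__main__":
    print("Windows 2000:", external_listeners(parse_windows(WIN2000_NETSTAT)))  # tcp/135 tcp/445 udp/445 udp/500
    print("FreeBSD:", external_listeners(parse_bsd(FREEBSD_NETSTAT)))          # tcp/22
```

Run against a real `netstat -an` the output is the list to justify service by service; the deck’s “no network listeners” target means that list is empty.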
          It is easy to dump on
       Microsoft, but many others
          have made the same
             mistakes before




Default services
SGI workstation

   ftp     stream tcp     nowait   root    /v/gate/ftpd
   telnet stream tcp      nowait   root    /usr/etc/telnetd
   shell   stream tcp     nowait   root    /usr/etc/rshd
   login   stream tcp     nowait   root    /usr/etc/rlogind
   exec    stream tcp     nowait   root    /usr/etc/rexecd
   finger stream tcp      nowait   guest   /usr/etc/fingerd
   bootp   dgram  udp     wait     root    /usr/etc/bootp
   tftp    dgram  udp     wait     guest   /usr/etc/tftpd
   ntalk   dgram  udp     wait     root    /usr/etc/talkd
   tcpmux stream tcp      nowait   root    internal
   echo    stream tcp     nowait   root    internal
   discard stream tcp     nowait   root    internal
   chargen stream tcp     nowait   root    internal
   daytime stream tcp     nowait   root    internal
   time    stream tcp     nowait   root    internal
   echo    dgram  udp     wait     root    internal
   discard dgram  udp     wait     root    internal
   chargen dgram  udp     wait     root    internal
   daytime dgram  udp     wait     root    internal
   time    dgram  udp     wait     root    internal
   sgi-dgl stream tcp     nowait   root/rcv dgld
   uucp   stream tcp      nowait   root    /usr/lib/uucp/uucpd

More default services

  mountd/1    stream rpc/tcp wait/lc      root    rpc.mountd
  mountd/1    dgram   rpc/udp wait/lc     root    rpc.mountd
  sgi_mountd/1 stream rpc/tcp wait/lc     root    rpc.mountd
  sgi_mountd/1 dgram rpc/udp wait/lc      root    rpc.mountd
  rstatd/1-3 dgram    rpc/udp wait        root    rpc.rstatd
  walld/1     dgram   rpc/udp wait        root    rpc.rwalld
  rusersd/1   dgram   rpc/udp wait        root    rpc.rusersd
  rquotad/1   dgram   rpc/udp wait        root    rpc.rquotad
  sprayd/1    dgram   rpc/udp wait        root    rpc.sprayd
  bootparam/1 dgram   rpc/udp wait        root    rpc.bootparamd
  sgi_videod/1 stream rpc/tcp wait        root    ?videod
  sgi_fam/1   stream rpc/tcp wait         root    ?fam
  sgi_snoopd/1 stream rpc/tcp wait        root    ?rpc.snoopd
  sgi_pcsd/1 dgram    rpc/udp wait        root    ?cvpcsd
  sgi_pod/1   stream rpc/tcp wait         root    ?podd
  tcpmux/sgi_scanner stream tcp nowait    root    ?scan/net/scannerd
  tcpmux/sgi_printer stream tcp nowait    root    ?print/printerd
  9fs         stream tcp      nowait      root    /v/bin/u9fs u9fs
  webproxy    stream tcp      nowait      root    /usr/local/etc/webserv



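An added example, not from the talk, in Python: a small inetd.conf parser and a hardening pass over entries of the SGI style shown above. It lists which handlers run as root, then rewrites the file with every active entry outside an allow-list commented out, which is the “very few, very hardened network services” stance in configuration form. The configuration excerpt is copied from the slides (with the uucp line commented out here to show that disabled entries are skipped); the allow-list is an assumption of the example.

```python
# Excerpt of the SGI inetd.conf shown above, used as sample input; the '#'
# on the uucp line is added here so the parser's handling of comments is exercised.
INETD_CONF = """\
ftp      stream tcp     nowait   root    /v/gate/ftpd
telnet   stream tcp     nowait   root    /usr/etc/telnetd
shell    stream tcp     nowait   root    /usr/etc/rshd
finger   stream tcp     nowait   guest   /usr/etc/fingerd
tftp     dgram  udp     wait     guest   /usr/etc/tftpd
chargen  stream tcp     nowait   root    internal
chargen  dgram  udp     wait     root    internal
mountd/1 dgram  rpc/udp wait/lc  root    rpc.mountd
#uucp    stream tcp     nowait   root    /usr/lib/uucp/uucpd
"""

FIELDS = ("service", "socktype", "proto", "wait", "user", "program")


def parse_inetd(text):
    """Active (uncommented) entries as dicts.  The program field keeps its
    arguments, since inetd passes everything after the user column to exec."""
    entries = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        f = s.split(None, len(FIELDS) - 1)
        if len(f) == len(FIELDS):
            entries.append(dict(zip(FIELDS, f)))
    return entries


def root_services(entries):
    """Service names whose handler runs as root: a bug there is a root compromise."""
    return sorted({e["service"] for e in entries if e["user"] == "root"})


def harden(text, allow=frozenset()):
    """Rewrite the file with every active entry outside `allow` commented out.
    Returns (new_text, kept_services, disabled_services) in file order."""
    kept, disabled, out = [], [], []
    for line in text.splitlines():
        s = line.strip()
        if s and not s.startswith("#"):
            name = s.split()[0]
            if name not in allow:
                disabled.append(name)
                out.append("#disabled-by-audit " + line)
                continue
            kept.append(name)
        out.append(line)
    return "\n".join(out) + "\n", kept, disabled


if __name__ == "__main__":
    entries = parse_inetd(INETD_CONF)
    print("running as root:", root_services(entries))
    new_text, kept, disabled = harden(INETD_CONF, allow={"ftp"})
    print("kept:", kept, "disabled:", disabled)
    print(new_text)
```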
                Firewalls and
               intranets try to
              get us out of the
              network services
             vulnerability game




               What my dad
             (and most of you)
                really needs




Most of my Dad’s problems are
  caused by weaknesses in
  features he never uses or
           needs.




             A proposal:
             Windows OK




Windows OK

• Thin client implemented with Windows
• It would be fine for maybe half the Windows
  users
   – Students, consumers, many corporate
     and government users
• It would be reasonable to skinny dip with
  this client
   – Without firewall or virus checking
     software


Windows OK

• No network listeners
  – None of those services are needed, except
    admin access for centrally-administered
    hosts
• Default security settings
• All security controls in one or two places
• Security settings can be locked



Windows OK (cont)

 • There should be nothing you can click on, in
   email or a web page, that can hurt your
   computer
    – No portable programs are executed ever,
      except…
 • ActiveX from approved parties
   – MSFT and one or two others. List is
     lockable

Windows OK

• Reduce privileges in servers and all
  programs
• Sandbox programs
  – Belt and suspenders

Office OK

 • No macros in Word or PowerPoint. No
   executable code in PowerPoint files
 • The only macros allowed in Excel perform
   arithmetic. They cannot create files, etc.
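To make "macros that only perform arithmetic" concrete, here is an added example (not from the talk) of an allow-list evaluator in Python: a formula is accepted only if its syntax tree contains numbers, named cells and arithmetic operators, so a macro has no construct through which it could create a file or call out. The cell names and the `MAX_EXPONENT` guard are assumptions of this example.

```python
import ast
import operator

# The whole allowlist: arithmetic operators, numbers, and named cells.
_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
           ast.Div: operator.truediv, ast.Mod: operator.mod, ast.Pow: operator.pow}
_UNARYOPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}
MAX_EXPONENT = 1000   # keeps "x ** y" from becoming a denial-of-service macro

class MacroRejected(ValueError):
    """The formula used something outside the arithmetic allowlist."""

def eval_arith_macro(formula, cells):
    """Evaluate formula using only arithmetic and the numbers in cells.

    cells maps names such as "A1" to numbers (a constructed stand-in for a
    sheet); calls, attributes, subscripts, strings and the rest are rejected.
    """
    try:
        tree = ast.parse(formula, mode="eval")
    except SyntaxError as exc:
        raise MacroRejected(f"not an expression: {exc.msg}") from None

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return node.value
        if isinstance(node, ast.Name):
            if node.id not in cells:
                raise MacroRejected(f"unknown cell {node.id!r}")
            return cells[node.id]
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARYOPS:
            return _UNARYOPS[type(node.op)](walk(node.operand))
        if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
            left, right = walk(node.left), walk(node.right)
            if isinstance(node.op, ast.Pow) and abs(right) > MAX_EXPONENT:
                raise MacroRejected("exponent too large")
            return _BINOPS[type(node.op)](left, right)
        # Call, Attribute, Subscript, Lambda, comparisons...: not arithmetic.
        raise MacroRejected(f"disallowed construct: {type(node).__name__}")

    return walk(tree)

def try_macro(formula, cells):
    """Return (True, value) if the formula is accepted, else (False, reason)."""
    try:
        return True, eval_arith_macro(formula, cells)
    except (MacroRejected, ZeroDivisionError) as exc:
        return False, str(exc)
```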

Vulnerabilities in OK

 • Buffer overflows in processing of data (not
   from the network)
 • Stop adding new features and focus on bug
   fixes
 • Programmers can clean up bugs, if they
   don’t have a moving target
    – It converges, to some extent

XP SP2: Bill Gets It

Microsoft’s Augean Stables:
a task for Hercules

 • 3000 oxen, 30 years, that’s roughly one
   ox-day per line of code in Windows
 • It’s been getting worse since Windows 95

XP SP2: Bill gets it
 • “a feature you don’t use should not be a security
   problem for you.”
 • “Security by design”
    – Too late for that; it’s all retrofitting now
 • “Security by default”
    – No network services on by default
 • Security control panel
    – Many things missing from it
    – Speaker could not find ActiveX security settings
 • There are a lot of details that remain to be seen.

Microsoft really means it about
improving their security

 • Their security commitment appears to be
   real
 • It is a huge job
 • Opposing forces are unclear to me
 • It’s been a long time coming, and frustrating

Microsoft secure client arms
race

 • We are likely to win, but it is going to be a
   while

SP2 isn’t going to be easy to
deploy

 • Many people rely on unsafe configurations,
   even if they don’t realize it
 • Future SPs won’t be easy either, especially if
   they follow my advice

Windows XP SP2

• Candidate 2 release is available
• Read the EULA…it is interesting and a bit
  different

SP2 is just a start: more work
is needed

 • Security panel and ActiveX permissions
   – Also, list of trusted signers needed
 • Still too many network services
   – They may not be reachable from outside
     the box
 • Clicking may still be dangerous

Conclusions: we ought to win
these battles

 • We control the playing field
 • DOS is the worst they can do, in theory
 • We can replicate our successes
 • We can converge on a secure-enough
   environment

Conclusions: problems

 • The business models to achieve these
   successes seem surprisingly elusive to me
 • Security devices, and stand-alone devices,
   are close to meeting our needs
    – Except full-functioned routers
 • General purpose computers are the big
   problem
    – Apparently features are more important
      than security, to the customers
    – Is this really true?
My Dad’s Computer and the Future of Internet Security
Bill Cheswick
ches@lumeta.com
http://www.lumeta.com

