Defending Your Network: Identifying and Patrolling
Your True Network Perimeter
Bill Cheswick
Chief Scientist, Lumeta Corp
Pondering and Patrolling Perimeters
Bill Cheswick
http://www.lumeta.com
3 of 110 Patrolling the Perimeter
Talk Outline
• Outside: mapping the Internet
• A discussion of perimeter defenses
• Strong host security
• Mapping and understanding intranets
• The past and future of Microsoft host security: my Dad's computer
The Internet Mapping Project
An experiment in exploring network connectivity
Motivations
• Highlands "day after" scenario
• Panix DoS attacks
  – a way to trace anonymous packets back!
• Visualization experiments
• Curiosity about size and growth of the Internet
• Databases for graph theorists, grad students, etc.
Methods - data collection
• Single reliable host connected at the company perimeter
• Daily full scan of Lucent
• Daily partial scan of Internet, monthly full scan
• One line of text per network scanned
  – Unix tools
• Use a light touch, so we don't bother Internet denizens
Methods - network discovery (ND)
• Obtain master network list
  – network lists from Merit, RIPE, APNIC, etc.
  – BGP data or routing data from customers
  – hand-assembled list of Yugoslavia/Bosnia
• Run a traceroute-style scan towards each network
• Stop on error, completion, no data
  – Keep the natives happy
Intranet implications of Internet mapping
• High speed technique, able to handle the largest networks
• Light touch: “what are you going to do to my intranet?”
• Acquire and maintain databases of Internet network assignments and usage
Related Work
• See Martin Dodge’s cyber geography page
• MIDS - John Quarterman
• CAIDA - kc claffy
• Mercator
• "Measuring ISP Topologies with Rocketfuel" - 2002
  – Spring, Mahajan, Wetherall
• Enter “internet map” in your search engine
TTL probes
• Used by traceroute and other tools
• Probes toward each target network with increasing TTL
• Probes are ICMP, UDP, TCP to port 80, 25, 139, etc.
• Some people block UDP, others ICMP
Advantages
• We don't need access (i.e. SNMP) to the routers
• It’s very fast
• Standard Internet tool: it doesn’t break things
• Insignificant load on the routers
• Not likely to show up on IDS reports
• We can probe with many packet types
Limitations
• View is from scanning host only
  – Multiple scan sources give a better view
• Outgoing paths only
• Layer 3 (IP) only
  – ATM networks appear as a single node
• Not all routers respond
  – Some are silent
  – Others are "shy" (RFC 1123 compliant), limited to one response per second
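As an added example (not Lumeta's scanner and not code from the talk), the Python below sketches the scan loop the last few slides describe: probe one target with increasing TTL, retry once per hop so a "shy" rate-limited router still gets a chance to answer, and stop on error, completion or no data. The addresses, the SimulatedPath stand-in for the real network, and the should_scan don't-scan check are this example's own assumptions; real probes need raw sockets and root, which the simulation avoids.

```python
"""Traceroute-style network discovery: probe a target with increasing TTL and
stop on error, completion, or no data.  Added example, not Lumeta's scanner;
SimulatedPath is a constructed stand-in so the whole thing runs offline."""
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_network
from typing import Callable, Dict, List, Optional, Tuple


class Reply(Enum):
    TIME_EXCEEDED = "ttl-exceeded"     # ICMP type 11: a router on the path answered
    ECHO_REPLY = "echo-reply"          # ICMP probe reached the target: completion
    PORT_UNREACH = "port-unreachable"  # UDP probe reached the target: completion
    SYN_ACK = "syn-ack"                # TCP probe reached an open port: completion
    ADMIN_PROHIB = "admin-prohibited"  # ICMP type 3 code 13, a filter refused us: error
    TIMEOUT = "timeout"                # no data


COMPLETION = {Reply.ECHO_REPLY, Reply.PORT_UNREACH, Reply.SYN_ACK}
ERROR = {Reply.ADMIN_PROHIB}


@dataclass
class Hop:
    ttl: int
    addr: Optional[str]
    reply: Reply


@dataclass
class ScanResult:
    target: str
    probe: str
    hops: List[Hop]
    stop_reason: str


# send_probe(target, ttl, probe_type) -> (address that answered or None, Reply)
ProbeFn = Callable[[str, int, str], Tuple[Optional[str], Reply]]


def ttl_scan(target: str, probe_type: str, send_probe: ProbeFn,
             max_ttl: int = 30, max_silent: int = 3, retries: int = 1) -> ScanResult:
    """One probe type toward one target.  A retry per TTL catches 'shy'
    (rate-limited) routers; a run of max_silent unanswered TTLs ends the scan
    early, which is most of what 'light touch' means for a silent network."""
    hops: List[Hop] = []
    silent_run = 0
    for ttl in range(1, max_ttl + 1):
        addr, reply = None, Reply.TIMEOUT
        for _ in range(retries + 1):
            addr, reply = send_probe(target, ttl, probe_type)
            if reply is not Reply.TIMEOUT:
                break
        hops.append(Hop(ttl, addr, reply))
        if reply in COMPLETION:
            return ScanResult(target, probe_type, hops, "completion")
        if reply in ERROR:
            return ScanResult(target, probe_type, hops, "error")
        silent_run = silent_run + 1 if reply is Reply.TIMEOUT else 0
        if silent_run >= max_silent:
            return ScanResult(target, probe_type, hops, "no data")
    return ScanResult(target, probe_type, hops, "max ttl")


def should_scan(net: str, dont_scan: List[str]) -> bool:
    """Honour the don't-scan list: skip anything overlapping a hands-off network."""
    target = ip_network(net, strict=False)
    return not any(target.overlaps(ip_network(n, strict=False)) for n in dont_scan)


class SimulatedPath:
    """Constructed stand-in for the network (assumption: every address is invented).
    hops: (router address, behaviour) pairs, behaviour in {'normal', 'silent', 'shy'};
    'shy' crudely models RFC 1123 rate limiting by dropping every other probe it sees.
    blocked: probe kinds the last router refuses to forward, answering admin-prohibited."""

    def __init__(self, hops: List[Tuple[str, str]], target: str, blocked=()):
        self.hops, self.target, self.blocked = hops, target, set(blocked)
        self.shy_count: Dict[str, int] = {}

    def probe(self, target: str, ttl: int, probe_type: str):
        kind = probe_type.split("/")[0]          # "icmp", "udp/33434", "tcp/80"
        if ttl <= len(self.hops):                # TTL expires at a router on the path
            addr, behaviour = self.hops[ttl - 1]
            if behaviour == "silent":
                return None, Reply.TIMEOUT
            if behaviour == "shy":
                n = self.shy_count[addr] = self.shy_count.get(addr, 0) + 1
                if n % 2 == 1:
                    return None, Reply.TIMEOUT
            return addr, Reply.TIME_EXCEEDED
        if kind in self.blocked:                 # survived the path, then got filtered
            return self.hops[-1][0], Reply.ADMIN_PROHIB
        return self.target, {"icmp": Reply.ECHO_REPLY, "udp": Reply.PORT_UNREACH,
                             "tcp": Reply.SYN_ACK}[kind]


def demo() -> Dict[str, ScanResult]:
    """Scan one constructed target with three probe kinds (addresses invented)."""
    path = SimulatedPath([("10.0.0.1", "normal"), ("10.0.1.1", "silent"),
                          ("10.0.2.1", "shy"), ("10.0.3.1", "normal")],
                         target="10.9.9.9", blocked=("udp",))
    results: Dict[str, ScanResult] = {}
    if should_scan("10.9.9.0/24", dont_scan=["10.50.0.0/16"]):
        for probe_type in ("icmp", "udp/33434", "tcp/80"):
            results[probe_type] = ttl_scan("10.9.9.9", probe_type, path.probe)
    return results


if __name__ == "__main__":
    for kind, r in demo().items():
        print(kind, r.stop_reason, [(h.ttl, h.addr, h.reply.value) for h in r.hops])
```

In the constructed run the ICMP and TCP probes reach the target while the UDP probe is stopped by the last router with an admin-prohibited error, which is exactly why the talk probes with several packet types. Against a real network, SimulatedPath.probe is replaced by a function that sends a packet with the given TTL from a raw socket and maps the ICMP answer onto Reply; the stop rules and the single retry are the part worth keeping.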
Data collection complaints
• Australian parliament was the first to complain
• List of whiners (25 nets)
• On the Internet, these complaints are mostly a thing of the past
  – Internet background radiation predominates
Intranet uses of Don't Scan list
• Hands off particular business partners
• Hands off especially sensitive networks
  – Hanging ATMs
  – 3B2s with broadcast storms
  – Wollongong software (!) on factory floor computers
• Intranet vs. ISP customer networks
Visualization goals
• make a map
  – show interesting features
  – debug our database and collection methods
  – hard to fold up
• geography doesn't matter
• use colors to show further meaning
Visualization of the layout algorithm
Laying out the Internet graph
Visualization of the layout algorithm
Laying out an intranet
A simplified map, for the Internet layouts
• Minimum distance spanning tree uses 80% of the data
• Much easier visualization
• Most of the links still valid
• Redundancy is in the middle
Colored by AS number
Map Coloring
• distance from test host
• IP address
  – shows communities
• Geographical (by TLD)
• ISPs
• future
  – timing, firewalls, LSRR blocks
Colored by IP address!
Colored by geography
Colored by ISP
Colored by distance from scanning host
US military reached by ICMP ping
US military networks reached by UDP
Yugoslavia
An unclassified peek at a new battlefield
A film by Steve "Hollywood" Branigan...
The End
Perimeter defenses
Perimeter defenses are a traditional means of protecting an area without hardening each of the things in that area
Why use a perimeter defense?
• It is cheaper
  – A man's home is his castle, but most people can't afford the moat
• You can concentrate your equipment and your expertise in a few areas
• It is simpler, and simpler security is usually better
  – Easier to understand and audit
  – Easier to spot broken parts
Perimeter Defense of the US Capitol Building
Flower pots
Security doesn’t have to be ugly
Delta barriers
Parliament: entrance
Parliament: exit
What’s wrong with perimeter defenses
• They are useless against insider attacks
Edinburgh Castle
• fell through a hole in its perimeter
• fell to siege in three years in the 16th century
  – ran out of food and water
• Unsuccessful attack by Bonnie Prince Charlie in 1745
• Devastated in 1544 by the Earl of Hertford
What's wrong with perimeter defenses
• They are useless against insider attacks
• They provide a false sense of security
  – You still need to toughen up the inside, at least some
  – You need to hire enough defenders
What's wrong with perimeter defenses
• They are useless against insider attacks
• They provide a false sense of security
  – You still need to toughen up the inside, at least some
• They don't scale well
The Pretty Good Wall of China
Can we live without an intranet?
Strong host security
I can, but you probably can’t
• “Skinny-dipping” on the Internet since the mid 1990s
• The exposure focuses one clearly on the threats and proactive security
• It’s very convenient, for the services I dare to use
• Many important network services are difficult to harden
Skinny dipping rules
• Only minimal services are offered to the general public
  – ssh
  – Web server (jailed Apache)
  – DNS (self-chrooted)
  – SMTP (postfix, not sendmail)
• Children (like employees) and MSFT clients are untrustworthy
• Offer hardened local services at home, like Samba (chroot), POP3 (chroot)
• I'd like to offer other services, but they are hard to secure
Skinny dipping requires strong host security
• FreeBSD and Linux machines
• I am told that one can lock down an MSFT host, but there are hundreds of steps, and I don't know how to do it.
• This isn't just about operating systems: the most popular client applications are, in theory, very dangerous and, in practice, very dangerous.
  – Web browsers and mail readers have many dangerous features
Lately, I have been cheating
• Backup hosts are unreachable from the Internet (which is a perimeter defense of sorts), and do not trust the exposed hosts
• Public servers have lower privilege than my crown jewels
• This means I can experiment a bit more with the exposed hosts
Skinny dipping flaws
• Less depth to the defense
Skinny dipping flaws
• Less defense in depth
• No protection from denial-of-service attacks
Hopes for Microsoft client security?
• I’ll talk about it at the end of the talk.
Intranets
Networked perimeter defenses
"Anything large enough to be called an 'intranet' is out of control" - me
Intranets have been out of control since they were invented
• This is not the fault of network administrators
  – The technology is amenable to abuse
  – Decentralization was a design goal of the Internet
• CIOs and CSOs want centralized control of their network
• The legacy information is lost with rapid employee turnover
• M&A breaks carefully-planned networking
Perimeter security gives a false sense of security
• "Crunchy outside, and a soft, chewy center"
  – Me
• I think 40 hosts is about the most that I can control within a perimeter.
  – Others can probably do better
• Internet worms are pop quizzes on perimeter security
Intranets: the rest of the Internet
History of the Project and Lumeta
• Started in August 1998 at Bell Labs
• April-June 1999: Yugoslavia mapping
• July 2000: first customer intranet scanned
• Sept. 2000: spun off Lumeta from Lucent/Bell Labs
• June 2002: “B” round funding completed
• 2003: sales >$4MM
• After three years of a service offering, we built IPSonar so you can run it yourself.
This was supposed to be a VPN
This is useful, but can we find hosts that have access across the perimeter?
Leaks
• We call the leaks shown in the maps “routing leaks”
• Can we find hosts that don’t forward packets, but straddle the perimeter?
• Yes: we call them “host leaks”, and detecting them is Lumeta’s “special sauce”
How to find host leaks
• Run a census with ICMP and/or UDP packets
• Test each machine to see if it can receive a probe from one network, and reply on another
• Not just dual-homed hosts
• DMZ hosts, business partner machines, misconfigured VPN access
Leak Detection
[Diagram: the Internet on the left and the intranet on the right; mapping host A, test host B, mitt host D (which receives the reply), and host C]
• A sends packet to B, with spoofed return address of D
• If B can, it will reply to D with a response, possibly through a different interface
Leak Detection (cont)
[Same diagram as the previous slide]
• Packet must be crafted so the response won't be permitted through the firewall
• A variety of packet types and responses are used
• Either inside or outside address may be discovered
• Packet is labeled so we know where it came from
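As an added example of the test the last two slides describe (this is not Lumeta's patented method or any code from the talk; the label layout, the identifier, and every address are assumptions), the Python below builds the probe A sends to B with D's address forged as the source, and the decoder D runs on whatever comes back. The label rides in the echo payload, so when B answers D out of its other interface the mitt learns which side the probe came from, which address was probed, and which address B actually replied from. The simulate_reply function stands in for a leaky B so the exchange runs offline; really sending a forged-source packet takes a raw socket with IP_HDRINCL and root.

```python
"""Host-leak test packets: a labelled ICMP echo with a spoofed source, and the
decoder the 'mitt' host runs on whatever comes back.  Added example, not Lumeta's
patented method; the label layout, identifier and all addresses are assumptions."""
import struct
from socket import inet_aton, inet_ntoa
from typing import Dict, Optional

LABEL_MAGIC = 0x4C4B   # assumed marker ("LK") so the mitt recognises our probes
ICMP_IDENT = 0x1EAC    # assumed ICMP identifier for this scan run


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_label(probed_from: str, mapper: str, target: str, seq: int) -> bytes:
    """16-byte payload: magic, side the probe was sent from (0 = Internet,
    1 = intranet), sequence, mapping host address, address we probed."""
    side = {"internet": 0, "intranet": 1}[probed_from]
    return struct.pack("!HBxI4s4s", LABEL_MAGIC, side, seq,
                       inet_aton(mapper), inet_aton(target))


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """IPv4 header with an arbitrary (here: forged) source.  Only builds it."""
    fields = [0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
              inet_aton(src), inet_aton(dst)]
    fields[7] = inet_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload


def build_icmp(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    head = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(head + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def build_probe(probed_from: str, mapper: str, mitt: str, target: str, seq: int) -> bytes:
    """A -> B, with D (the mitt) as the forged return address."""
    echo = build_icmp(8, ICMP_IDENT, seq, build_label(probed_from, mapper, target, seq))
    return build_ipv4(src=mitt, dst=target, proto=1, payload=echo)


def simulate_reply(probe: bytes, reply_src: str) -> bytes:
    """What a leaky B does (constructed for the example): echo back to the forged
    source, possibly out of a different interface, hence reply_src."""
    ihl = (probe[0] & 0x0F) * 4
    icmp = probe[ihl:]
    _, _, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return build_ipv4(src=reply_src, dst=inet_ntoa(probe[12:16]), proto=1,
                      payload=build_icmp(0, ident, seq, icmp[8:]))


def mitt_decode(packet: bytes) -> Optional[Dict[str, str]]:
    """Run at D.  Returns the leak record if the packet is an echo reply carrying
    one of our labels, else None (ordinary traffic, damaged or foreign packets)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:                                # not ICMP
        return None
    icmp = packet[ihl:]
    if len(icmp) < 24 or inet_checksum(icmp) != 0:    # too short or corrupted
        return None
    icmp_type, _, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    magic, side, lseq, mapper, target = struct.unpack("!HBxI4s4s", icmp[8:24])
    if icmp_type != 0 or ident != ICMP_IDENT or magic != LABEL_MAGIC or lseq != seq:
        return None
    probed_from = "intranet" if side else "internet"
    return {
        "probed_from": probed_from,
        "probed_addr": inet_ntoa(target),             # the address A aimed at
        "replied_from": inet_ntoa(packet[12:16]),     # the interface B answered on
        "mapper": inet_ntoa(mapper),
        # a reply that crossed from inside to outside is an outbound leak, and vice versa
        "leak": "outbound" if probed_from == "intranet" else "inbound",
    }


if __name__ == "__main__":
    # Mapper A inside the intranet probes B's inside address, forging the source as
    # mitt D on the Internet; B answers from its other, Internet-facing interface.
    probe = build_probe("intranet", "10.1.2.3", "198.51.100.7", "10.1.5.5", seq=7)
    print(mitt_decode(simulate_reply(probe, reply_src="203.0.113.9")))
```

The record D produces names both of B's addresses: the one A probed and the one B replied from, which is how either the inside or the outside address of a straddling host gets discovered. The checksum and label checks matter in practice because D also sees Internet background radiation and must not mistake it for a leak.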
Leaks are not always bad
• Depends on the network policy
• Often, outgoing leaks are ok
• Sometimes our test packets get through, but not the services you are worrying about
• “Please don’t call them leaks”
• Until this test, there was no way for the CIO to detect them, good or bad
• Patent pending…
We developed a lot of stuff
• Leak detection (that's the special sauce)
• Route discovery
• Host enumeration and identification
• Server discovery
• Lots of reports...the hardest part
• Wireless base station discovery
• And more...ask the sales people
• The "zeroth step in network intelligence" - me
Case studies: corporate networks
Some intranet statistics (minimum and maximum over the intranets scanned)

                                                      Min           Max
Intranet sizes (devices)                            7,900       365,000
Corporate address space (addresses)                81,000   745,000,000
% devices in unknown address space                  0.01%        20.86%
% routers responding to "public" (SNMP community)   0.14%        75.50%
% routers responding to other community strings     0.00%        52.00%
Outbound host leaks on network                          0       176,000
% devices with outbound ICMP leaks                     0%           79%
% devices with outbound UDP leaks                      0%           82%
Inbound UDP host leaks                                  0         5,800
% devices with inbound ICMP leaks                      0%           11%
% devices with inbound UDP leaks                       0%           12%
% hosts running Windows                               36%           84%
Some Lumeta lessons
• Reporting is the really hard part
  – Converting data to information
• “Tell me how we compare to other clients”
• Offering a service was good practice, for a while
• We have >70 Fortune-200 companies and government agencies as clients
• Need-to-have vs. want-to-have
Microsoft client security
It has been getting worse
Case study: My Dad's computer
• Windows XP, plenty of horsepower, two screens
• Applications:
  – Email (Outlook)
  – "Bridge:" a fancy stock market monitoring system
  – AIM
• Cable access, dynamic IP address, no NAT, no firewall, outdated virus software, no spyware checker
This computer was a software toxic waste dump
• It was burning a quart of software every 300 miles
• The popups seemed darned distracting to me
• But he thought it was fine
  – Got his work done
  – Didn't want a system administrator to break his user interface somehow
Microsoft's Augean Stables
• 3000 oxen, 30 years: that's roughly one ox-day per line of code in Windows
Windows ME
Active Connections - Win ME
Proto  Local Address          Foreign Address  State
TCP    127.0.0.1:1032         0.0.0.0:0        LISTENING
TCP    223.223.223.10:139     0.0.0.0:0        LISTENING
UDP    0.0.0.0:1025           *:*
UDP    0.0.0.0:1026           *:*
UDP    0.0.0.0:31337          *:*
UDP    0.0.0.0:162            *:*
UDP    223.223.223.10:137     *:*
UDP    223.223.223.10:138     *:*
Windows 2000
Proto  Local Address          Foreign Address  State
TCP    0.0.0.0:135            0.0.0.0:0        LISTENING
TCP    0.0.0.0:445            0.0.0.0:0        LISTENING
TCP    0.0.0.0:1029           0.0.0.0:0        LISTENING
TCP    0.0.0.0:1036           0.0.0.0:0        LISTENING
TCP    0.0.0.0:1078           0.0.0.0:0        LISTENING
TCP    0.0.0.0:1080           0.0.0.0:0        LISTENING
TCP    0.0.0.0:1086           0.0.0.0:0        LISTENING
TCP    0.0.0.0:6515           0.0.0.0:0        LISTENING
TCP    127.0.0.1:139          0.0.0.0:0        LISTENING
UDP    0.0.0.0:445            *:*
UDP    0.0.0.0:1038           *:*
UDP    0.0.0.0:6514           *:*
UDP    0.0.0.0:6515           *:*
UDP    127.0.0.1:1108         *:*
UDP    223.223.223.96:500     *:*
UDP    223.223.223.96:4500    *:*
Windows XP, this laptop
Proto  Local Address          Foreign Address  State
TCP    ches-pc:epmap          ches-pc:0        LISTENING
TCP    ches-pc:microsoft-ds   ches-pc:0        LISTENING
TCP    ches-pc:1025           ches-pc:0        LISTENING
TCP    ches-pc:1036           ches-pc:0        LISTENING
TCP    ches-pc:3115           ches-pc:0        LISTENING
TCP    ches-pc:3118           ches-pc:0        LISTENING
TCP    ches-pc:3470           ches-pc:0        LISTENING
TCP    ches-pc:3477           ches-pc:0        LISTENING
TCP    ches-pc:5000           ches-pc:0        LISTENING
TCP    ches-pc:6515           ches-pc:0        LISTENING
TCP    ches-pc:netbios-ssn    ches-pc:0        LISTENING
TCP    ches-pc:3001           ches-pc:0        LISTENING
TCP    ches-pc:3002           ches-pc:0        LISTENING
TCP    ches-pc:3003           ches-pc:0        LISTENING
TCP    ches-pc:5180           ches-pc:0        LISTENING
UDP    ches-pc:microsoft-ds   *:*
UDP    ches-pc:isakmp         *:*
UDP    ches-pc:1027           *:*
UDP    ches-pc:3008           *:*
UDP    ches-pc:3473           *:*
UDP    ches-pc:6514           *:*
UDP    ches-pc:6515           *:*
UDP    ches-pc:netbios-ns     *:*
UDP    ches-pc:netbios-dgm    *:*
UDP    ches-pc:1900           *:*
UDP    ches-pc:ntp            *:*
UDP    ches-pc:1900           *:*
UDP    ches-pc:3471           *:*
FreeBSD partition, this laptop
Active Internet connections (including servers)
Proto  Recv-Q  Send-Q  Local Address  Foreign Address  (state)
tcp4   0       0       *.22           *.*              LISTEN
tcp6   0       0       *.22           *.*              LISTEN
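As an added example (not from the talk), here is a small parser for listings like the four above: it pulls out the listening TCP and bound UDP sockets and separates the ones bound only to loopback from the ones any neighbour on the network can reach, which is the number that matters for the "no network listeners" argument. The Windows ME, Windows 2000 and FreeBSD lines embedded below are copied from the slides; the XP listing parses the same way, with the bare hostname ches-pc counted as reachable. The function names and the summary format are this example's own.

```python
"""Parse 'netstat -a' output of the kind shown in the slides and count the
listeners other hosts can reach.  Added example, not code from the talk; the
sample text is copied from the Windows ME, Windows 2000 and FreeBSD listings."""
from typing import Dict, List, NamedTuple

WINDOWS_ME = """\
Proto  Local Address          Foreign Address  State
TCP    127.0.0.1:1032         0.0.0.0:0        LISTENING
TCP    223.223.223.10:139     0.0.0.0:0        LISTENING
UDP    0.0.0.0:1025           *:*
UDP    0.0.0.0:1026           *:*
UDP    0.0.0.0:31337          *:*
UDP    0.0.0.0:162            *:*
UDP    223.223.223.10:137     *:*
UDP    223.223.223.10:138     *:*
"""

WINDOWS_2000 = """\
Proto  Local Address          Foreign Address  State
TCP    0.0.0.0:135            0.0.0.0:0        LISTENING
TCP    0.0.0.0:445            0.0.0.0:0        LISTENING
TCP    0.0.0.0:1029           0.0.0.0:0        LISTENING
TCP    0.0.0.0:1036           0.0.0.0:0        LISTENING
TCP    0.0.0.0:1078           0.0.0.0:0        LISTENING
TCP    0.0.0.0:1080           0.0.0.0:0        LISTENING
TCP    0.0.0.0:1086           0.0.0.0:0        LISTENING
TCP    0.0.0.0:6515           0.0.0.0:0        LISTENING
TCP    127.0.0.1:139          0.0.0.0:0        LISTENING
UDP    0.0.0.0:445            *:*
UDP    0.0.0.0:1038           *:*
UDP    0.0.0.0:6514           *:*
UDP    0.0.0.0:6515           *:*
UDP    127.0.0.1:1108         *:*
UDP    223.223.223.96:500     *:*
UDP    223.223.223.96:4500    *:*
"""

FREEBSD = """\
Active Internet connections (including servers)
Proto  Recv-Q  Send-Q  Local Address  Foreign Address  (state)
tcp4   0       0       *.22           *.*              LISTEN
tcp6   0       0       *.22           *.*              LISTEN
"""

PROTOS = {"tcp", "udp", "tcp4", "tcp6", "udp4", "udp6"}


class Listener(NamedTuple):
    proto: str
    addr: str
    port: str


def parse_netstat(text: str) -> List[Listener]:
    """Every listening TCP socket and every bound UDP socket.  Windows prints
    'proto local foreign [state]' with host:port; BSD prints
    'proto recv-q send-q local foreign [state]' with host.port."""
    found: List[Listener] = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0].lower() not in PROTOS:
            continue                      # header line or other noise
        bsd = len(f) >= 5 and f[1].isdigit() and f[2].isdigit()
        local, sep = (f[3], ".") if bsd else (f[1], ":")
        if f[0].lower().startswith("tcp") and not f[-1].upper().startswith("LISTEN"):
            continue                      # established or closing, not a server
        addr, port = local.rsplit(sep, 1)
        found.append(Listener(f[0].lower(), addr, port))
    return found


def is_loopback(addr: str) -> bool:
    return addr.startswith("127.") or addr in ("localhost", "::1")


def summarize(text: str) -> Dict[str, object]:
    """Split listeners into loopback-only and reachable from the network.
    Wildcard binds (0.0.0.0, *) and a bare hostname both count as reachable."""
    listeners = parse_netstat(text)
    exposed = [l for l in listeners if not is_loopback(l.addr)]
    return {
        "total": len(listeners),
        "exposed": len(exposed),
        "loopback_only": len(listeners) - len(exposed),
        "exposed_ports": sorted({f"{l.proto.rstrip('46')}/{l.port}" for l in exposed}),
    }


if __name__ == "__main__":
    for name, text in (("Windows ME", WINDOWS_ME), ("Windows 2000", WINDOWS_2000),
                       ("FreeBSD", FREEBSD)):
        print(name, summarize(text))
```

The FreeBSD partition summarizes to a single reachable service (tcp/22) while the Windows 2000 listing has fourteen; the difference is the whole point of the slide that follows about a Windows with no network listeners.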
Microsoft really means it about improving their security
• Their security commitment appears to be real
• It is a huge job
• Opposing forces are unclear to me
• It’s been a long time coming, and frustrating
Microsoft really means it about improving their security
• They need world-class sandboxes, many more layers in their security, and much safer defaults
• A Microsoft “terminal” will benefit millions of users
Windows OK
• Thin client implemented with Windows
• It would be fine for maybe half the Windows users
  – Students, consumers, many corporate and government users
• It would be reasonable to skinny dip with this client
  – Without firewall or virus checking software
Windows OK
• No network listeners
  – None of those services are needed, except admin access for centrally-administered hosts
• Default security settings, all available on the control panel security screen
• Security settings can be locked
Windows OK
• Reduce privileges in servers and all programs
• Sandbox programs
  – Belt and suspenders
Windows OK (cont)
• There should be nothing you can click on, in email or a web page, that can hurt your computer
  – No portable programs are executed ever, except...
• ActiveX from approved parties
  – MSFT and one or two others. List is lockable
Office OK
• No macros in Word or PowerPoint. No executable code in PowerPoint files
• The only macros allowed in Excel perform arithmetic. They cannot create files, etc.
Vulnerabilities in OK
• Buffer overflows in processing of data (not from the network)
• Stop adding new features and focus on bug fixes
• Programmers can clean up bugs, if they don't have a moving target
  – It converges, to some extent