Internet Security Successes: It's Hard, but it's not Impossible - PowerPoint PPT Presentation

Vanguard, Feb 2004. Provided by: billch. Slides: 59
Transcript and Presenter's Notes

1
Internet Security Successes: It's Hard, but it's
not Impossible
  • Bill Cheswick
  • Lumeta Corp.

2
Or: There's a World of Hurt, but I don't have to
Share Your Pain
3
Overview
  • Introduction/overview
  • Quick case studies of success
  • A quick review of what works
  • What my dad really needs
  • Predictions/advice

4
Overview
5
Good enough security is good enough
  • There is no such thing as perfect security
  • In security vs. convenience, convenience may
    mean not losing a pair of large buildings
  • Even the policies on the highest security
    networks are under review

6
In lots of places, the Internet security appears
good enough
  • Many businesses have engineered workable solutions:
    FedEx, Amazon, on-line banking
  • Insurance companies are starting to offer hacking
    insurance
  • Still extremely expensive
  • (Worried about a Hurricane Andrew on the Internet)

7
Some successes
  • My dad's Win XP machine
  • My home networks
  • SDSC
  • Many Lumeta clients
  • Intellink

8
You can engineer reliable systems out of
unreliable parts
  • Early calculator at Bell Labs
  • Checked for invalid codes and retried the
    computation
  • Redundancy and layers
  • Defense in depth
  • Somewhat simple tools are available
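The "check for invalid codes and retry" idea on this slide, worked through as an added example that is not from the talk: digits travel in a 2-out-of-5 code, so any single bit fault produces an invalid code word that the caller detects and retries. The 0-1-2-3-6 code assignment is the common one and the FlakyAdder is a constructed stand-in for an unreliable component; neither is a claim about the Bell Labs machine itself.

```python
"""Engineering a reliable result out of an unreliable part.

Added example, not from the original talk.  Digits travel in a 2-out-of-5
code (every valid code word has exactly two 1-bits), so a single bit fault
turns a digit into an invalid code word that the caller can detect and
retry, in the spirit of the relay calculator's check for invalid codes.
The code assignment is the common 0-1-2-3-6 weighting and the FlakyAdder
is a constructed stand-in for an unreliable component.
"""
from typing import List

# Bits, most significant first, carry weights 6, 3, 2, 1, 0; digit 0 is the
# conventional exception (1 + 2).
TWO_OF_FIVE = {
    0: 0b00110, 1: 0b00011, 2: 0b00101, 3: 0b01001, 4: 0b01010,
    5: 0b01100, 6: 0b10001, 7: 0b10010, 8: 0b10100, 9: 0b11000,
}
DECODE = {code: digit for digit, code in TWO_OF_FIVE.items()}


def is_valid(code: int) -> bool:
    """A valid code word has exactly two of its five bits set."""
    return 0 <= code < 32 and bin(code).count("1") == 2


def encode(n: int) -> List[int]:
    """Encode a non-negative integer as 2-of-5 code words, most significant digit first."""
    return [TWO_OF_FIVE[int(ch)] for ch in str(n)]


def decode(words: List[int]) -> int:
    """Decode, raising ValueError on any invalid code word; a single bit fault always lands here."""
    digits = []
    for word in words:
        if not is_valid(word):
            raise ValueError(f"invalid code word {word:05b}")
        digits.append(str(DECODE[word]))
    return int("".join(digits))


class FlakyAdder:
    """Constructed unreliable component: flips one bit of the result on its first `faults` calls."""

    def __init__(self, faults: int) -> None:
        self.faults_left = faults
        self.calls = 0

    def add(self, a: int, b: int) -> List[int]:
        self.calls += 1
        words = encode(a + b)
        if self.faults_left > 0:
            self.faults_left -= 1
            words[0] ^= 0b00001   # one flipped bit leaves 1 or 3 bits set: never a valid word
        return words


def reliable_add(adder: FlakyAdder, a: int, b: int, max_tries: int = 5) -> int:
    """Retry the unreliable adder until its answer passes the validity check."""
    last_error = None
    for _ in range(max_tries):
        try:
            return decode(adder.add(a, b))
        except ValueError as exc:
            last_error = exc
    raise RuntimeError(f"gave up after {max_tries} tries: {last_error}")


if __name__ == "__main__":
    adder = FlakyAdder(faults=2)
    print(reliable_add(adder, 123, 456), "after", adder.calls, "calls")   # 579 after 3 calls
```

The point of the representation is that the redundancy is cheap (five relays per digit instead of four) and the check is local: the consumer never has to know how the producer failed, only that the answer is not a code word. A double fault that flips two bits can still produce a valid word, which is why the slide's later bullets on layers and defense in depth still apply.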

9
Safe communications on an intranet
  • Secure servers
  • Secure communications
  • Secure clients

10
Secure servers
  • The pros run the servers
  • They can engineer what they want with the tools
    they want
  • They choose the operating systems, network
    configurations, etc.
  • There are many successful examples: FedEx,
    Amazon, microsoft.com, whitehouse.gov
  • There are many unsuccessful examples

11
Secure communications
  • We are in much better shape than during the
    crypto wars of the mid-90s
  • In June 2003 NSA announced that AES was good
    enough for type 1 encryption
  • When properly implemented, of course
  • IPsec, SSL, and even SSH protocol 2 seem to be
    holding up
  • (formal methods for analyzing cryptographic
    protocols sure would be nice.)

12
Clients
  • Thin clients (called terminals) are a rarity
  • I miss my Hazeltine 1200 (sort of)
  • Most clients are Windows boxes
  • Way too much functionality
  • One can engineer a thin client from Unix and
    Linux systems
  • They are not thin enough: jailing browsers

13
Applications
  • A virus will transport nicely from a secure
    client to a secure server over an encrypted link
  • Applications should be as dumb as possible, but
    no dumber
  • Email should never execute external programs
  • Web servers should execute code from trustable
    sources: Windows update, virus update
  • Applications ought to be sandboxed

14
Case Studies
15
Case study: My Dad's computer
  • Windows XP, plenty of horsepower, two screens
  • Applications: Email (Outlook), Bridge, a fancy
    stock market monitoring system, AIM
  • Cable access, dynamic IP address, no NAT, no
    firewall, outdated virus software, no spyware
    checker

16
This computer was a software toxic waste dump
  • It was burning a quart of software every 300
    miles
  • The popups seemed darned distracting to me
  • But he thought it was fine
  • Got his work done
  • Didn't want a system administrator to break his
    user interface somehow
  • We'll get back to this later

17
Case Study: My home network
  • Firewall free since the mid-90s
  • Internet skinny-dipping
  • Targeted attacks as well as random probes
  • Three security levels
  • Top security: backup and support machines and
    clients
  • Public servers, hardened, with sandboxed server
    software
  • The kids' Windows hosts, untrusted

18
Case studies: corp. networks. Some intranet
statistics
19
(No Transcript)
20
(No Transcript)
21
(No Transcript)
22
(No Transcript)
23
(No Transcript)
24
This was Supposed To be a VPN
25
(No Transcript)
26
(No Transcript)
27
Case study: SDSC
  • Educational and research environment
  • Typically notoriously open environments

28
SDSC: Research institutions can get it right
  • 6,000 users, 300 on site
  • 5 petabytes of storage, several hundred terabytes
    of disks
  • 10Gb Ethernet, lots of OC-192 connections

29
Risk analysis
  • Need to protect integrity and confidentiality of
    data
  • Protect resources, including storage, bandwidth,
    CPU cycles
  • Protect reputation for security
  • Threats come from external hackers, clueless
    users, and careless system administrators

30
Approach
  • Trusted networks may contain only reference
    systems
  • Only reference systems are trusted
  • Data is stored on file servers
  • File servers are located on trusted networks
  • No plaintext passwords used; ssh and Kerberos
    employed
  • Passwords are checked with cracklib before
    acceptance
  • Root password is not given out on reference
    systems. Sudo gives specific permissions
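A password acceptance check in the spirit of the cracklib step on this slide, as an added example; it is not SDSC's tooling and not cracklib itself. The word list, the thresholds and the "too similar to the old password" rule are assumptions chosen for the example.

```python
"""Checking a candidate password before accepting it.

Added example in the spirit of the cracklib step on this slide; it is not
SDSC's tooling and not cracklib itself.  The word list, thresholds and the
similarity rule are assumptions chosen for the example.
"""
import re
from typing import List, Optional, Set

MIN_LENGTH = 8          # assumed policy threshold
MIN_CLASSES = 3         # assumed: lower, upper, digit, other
MAX_EDIT_DISTANCE = 2   # assumed: this close to the old password is 'too similar'

# Constructed stand-in for a real cracking dictionary (cracklib ships a large one).
DICTIONARY = {"password", "letmein", "welcome", "dragon", "monkey", "qwerty", "summer", "secret"}

# Cheap substitutions people use to dress up a dictionary word.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def _strip_ends(s: str) -> str:
    """Drop leading/trailing digits and punctuation ('summer2004!' -> 'summer')."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)


def candidate_words(pw: str) -> Set[str]:
    """Forms of the password a dictionary attack would try, including reversed ones."""
    low = pw.lower()
    forms = {low, low.translate(LEET), _strip_ends(low),
             _strip_ends(low).translate(LEET), _strip_ends(low.translate(LEET))}
    return forms | {f[::-1] for f in forms}


def looks_dictionary_based(pw: str) -> bool:
    return any(form in DICTIONARY for form in candidate_words(pw))


def character_classes(pw: str) -> int:
    return sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))


def levenshtein(s: str, t: str) -> int:
    """Standard edit distance, used for the 'too similar to the old password' rule."""
    prev = list(range(len(t) + 1))
    for i, cs in enumerate(s, 1):
        cur = [i]
        for j, ct in enumerate(t, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (cs != ct)))
        prev = cur
    return prev[-1]


def too_similar(pw: str, old: Optional[str]) -> bool:
    if not old:
        return False
    a, b = pw.lower(), old.lower()
    return a == b or a in b or b in a or levenshtein(a, b) <= MAX_EDIT_DISTANCE


def check_password(pw: str, old: Optional[str] = None) -> List[str]:
    """Return the reasons to reject `pw`; an empty list means it may be accepted."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() == pw.lower()[::-1]:
        reasons.append("is a palindrome")
    if looks_dictionary_based(pw):
        reasons.append("based on a dictionary word")
    if character_classes(pw) < MIN_CLASSES:
        reasons.append(f"uses fewer than {MIN_CLASSES} character classes")
    if len(set(pw.lower())) < 5:
        reasons.append("too few distinct characters")
    if too_similar(pw, old):
        reasons.append("too similar to the previous password")
    return reasons


if __name__ == "__main__":
    for candidate, previous in [("P@ssw0rd1", None), ("Summer2004!", "summer2003!"), ("Tr0ub4dor&3", None)]:
        print(candidate, "->", check_password(candidate, previous) or "accepted")
```

The check runs at acceptance time, where the plaintext is legitimately available, rather than by cracking stored hashes afterwards. Returning every failing rule (instead of the first) lets the user fix the password in one round trip, which matters when the alternative is that they write it down.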

31
Non-compliant systems
  • Are installed in the outback, a dirty untrusted
    network
  • Outback users, and their supervisors, sign
    agreement that they are responsible for the hosts
  • Compromised outback hosts may be seized for
    forensic analysis and possible evidence for
    criminal cases

32
Reference systems
  • Available for Linux, Solaris, Irix, MacOS,
    several Windows variants
  • Installed, patched, and local mods installed to
    maximize security
  • Contains software to permit updates from the
    central reference site upon reboot
  • Time-synchronized for proper logging, forensics
  • Centralized logging keeps track of things
  • Various network wrappers and routing limitations
    to limit network access

33
Results
  • No successful intrusions in four years

34
Case study: surmises about Intellink
  • Read about this in Bamford's book, Body of
    Secrets
  • Uses Internet technology to make numerous highly
    classified sources available to authorized
    personnel
  • The following is mostly personal speculation
  • It is a terrific thought experiment for an
    Internet security person.

35
Case study: surmises about Intellink
  • Vetted client software
  • OS, browser, underlying libraries and services
    that link ASN.1, X.509, SSL, etc.
  • Careful monitoring of the network usage
  • Big mallet to dissuade misuse: disconnection,
    firing, jail time
  • Hardware encryption devices to enforce enclave
    access

36
What works
37
What works
  • Perimeter defenses work, if you know where your
    perimeter is and watch it

38
The Pretty Good Wall of China
39
What works: layered defenses
40
(No Transcript)
41
What works: Enclaves
  • Security has a lot to do with numbers
  • I think 40 computers is about the limit for me

42
What works: Virtual machines
  • IBM's virus test farm: a sea of Linux hosts
    running the target operating system inside VMware.
    Disks reinitialized instantly using a logging file
    system.
  • Terminal for secret networks
  • Virtual machines for different security levels

43
What works: Default to safety
  • Don't expect users to understand and make the
    right security moves
  • Make people work to reduce their security
  • A "screw me" command

44
What works
  • Don't let strangers run programs on your computer
  • A stranger is anyone who isn't your system
    administrator and the company he trusts
  • The mouse is used for cut and paste in my mailer.
    Period.
  • Hence, no virus execution is possible

45
What works: simplicity
  • ASCII (or Unicode) mail
  • Twenty-year old email
  • Telephone SMS version 1.0

46
What works
  • Small enclaves

47
What my dad (and most of you) really needs
48
My Dad's computer: what the repair geek found
  • Everything
  • Viruses I've never heard of
  • Constant popups
  • Frequent blasts of multiple web pages, all
    obscene
  • Dad: why do I care? I am getting my work done

49
Dad's computer: how did he get in this mess?
  • He doesn't know what the popup security messages
    mean
  • Email-borne viruses
  • Unsecured network services
  • Executable code in web pages from unworthy sites

50
Properties of Windows OK
  • No network servers
  • SMS access ok for managed hosts
  • Nothing emailed must ever get executed
  • HTML processing OK, but no scripting, etc.
  • Nothing from the web ever gets executed except
    ActiveX code from MSFT for updates
  • Java and JavaScript truly sandboxed
  • AIM, web, email saved files must stay in
    non-executable sandbox
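A concrete version of "nothing emailed must ever get executed" and "saved files must stay in a non-executable sandbox", as an added example that is not from the talk: attachments are written into a quarantine directory with the execute bits cleared, and anything that looks like native executable content is refused rather than handed to any program. The sample MIME message, the extension list and the magic-byte check are constructed or assumed for the example.

```python
"""Saving mail attachments without ever executing them.

Added example, not from the original talk: attachments from a MIME message
are written into a quarantine directory with the execute bits cleared, and
anything that looks like native executable content (PE 'MZ' header, ELF
header, or an executable extension) is refused instead of being handed to
any program.  The message, extension list and magic bytes are constructed
or assumed for the example.
"""
import email
import os
import stat
import tempfile
from dataclasses import dataclass
from email import policy
from email.message import EmailMessage
from typing import List

# Assumed list of extensions that a mail client should never hand to a handler.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js", ".hta", ".msi"}
EXEC_MAGIC = (b"MZ", b"\x7fELF")   # PE and ELF headers


@dataclass
class Saved:
    filename: str
    path: str        # empty when the attachment was refused
    refused: bool
    reason: str


def looks_executable(name: str, data: bytes) -> str:
    """Return a reason string if the payload should never be run, else ''."""
    ext = os.path.splitext(name.lower())[1]
    if ext in EXEC_EXTENSIONS:
        return f"executable extension {ext}"
    if data.startswith(EXEC_MAGIC):
        return "native executable header"   # catches 'invoice.pdf' that is really a PE file
    return ""


def safe_name(name: str) -> str:
    """Keep only the basename so an attachment name cannot escape the sandbox directory."""
    base = os.path.basename(name.replace("\\", "/"))
    return base or "unnamed"


def exec_bits(path: str) -> int:
    """Execute permission bits of a saved file (0 means nobody can run it)."""
    return os.stat(path).st_mode & 0o111


def quarantine_attachments(raw: bytes, sandbox: str) -> List[Saved]:
    """Write each attachment into `sandbox` as a non-executable file, refusing executables."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = safe_name(part.get_filename() or "unnamed")
        data = part.get_payload(decode=True) or b""
        reason = looks_executable(name, data)
        if reason:
            results.append(Saved(name, "", True, reason))
            continue
        path = os.path.join(sandbox, name)
        with open(path, "wb") as f:
            f.write(data)
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)   # 0600: readable, never executable
        results.append(Saved(name, path, False, ""))
    return results


def build_sample_message() -> bytes:
    """Constructed message: one harmless attachment, one disguised executable, one .exe."""
    msg = EmailMessage()
    msg["From"] = "dad@example.test"
    msg["To"] = "ches@example.test"
    msg["Subject"] = "bridge scores"
    msg.set_content("scores attached")
    msg.add_attachment(b"north 420\nsouth 380\n", maintype="text", subtype="plain",
                       filename="scores.txt")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename="scores.pdf")
    msg.add_attachment(b"hello", maintype="application", subtype="octet-stream",
                       filename="../../setup.exe")
    return bytes(msg)


def demo() -> List[Saved]:
    sandbox = tempfile.mkdtemp(prefix="mail-sandbox-")
    return quarantine_attachments(build_sample_message(), sandbox)


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

The mailer's only job here is to store bytes; opening a saved file is a separate, deliberate act by the user with a viewer, and even then the file carries no execute permission. The header check matters because the slide's "saved files" rule is about content, not names: a renamed executable is still an executable.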

51
Predictions
52
More pain: virus detection appears doomed to me
  • Ultimately they do try to solve the halting
    problem
  • Virus writers are getting very good
  • Virus detectors have to resort to simulation;
    fingerprints aren't good enough
  • Simulations are taking longer
  • Best block is not to be there
  • Safe fail

53
Microsoft's Augean Stables
54
Microsoft really means it about improving their
security
  • Their security commitment appears to be real
  • It is a huge job
  • Opposing forces are unclear to me
  • It's been a long time coming, and frustrating

55
Windows XP, this laptop
  Proto  Local Address          Foreign Address        State
  TCP    ches-pc:epmap          ches-pc:0              LISTENING
  TCP    ches-pc:microsoft-ds   ches-pc:0              LISTENING
  TCP    ches-pc:1025           ches-pc:0              LISTENING
  TCP    ches-pc:1036           ches-pc:0              LISTENING
  TCP    ches-pc:3115           ches-pc:0              LISTENING
  TCP    ches-pc:3118           ches-pc:0              LISTENING
  TCP    ches-pc:3470           ches-pc:0              LISTENING
  TCP    ches-pc:3477           ches-pc:0              LISTENING
  TCP    ches-pc:5000           ches-pc:0              LISTENING
  TCP    ches-pc:6515           ches-pc:0              LISTENING
  TCP    ches-pc:netbios-ssn    ches-pc:0              LISTENING
  TCP    ches-pc:3001           ches-pc:0              LISTENING
  TCP    ches-pc:3002           ches-pc:0              LISTENING
  TCP    ches-pc:3003           ches-pc:0              LISTENING
  TCP    ches-pc:5180           ches-pc:0              LISTENING
  UDP    ches-pc:microsoft-ds   *:*
  UDP    ches-pc:isakmp         *:*
  UDP    ches-pc:1027           *:*
  UDP    ches-pc:3008           *:*
  UDP    ches-pc:3473           *:*
  UDP    ches-pc:6514           *:*
  UDP    ches-pc:6515           *:*
  UDP    ches-pc:netbios-ns     *:*
  UDP    ches-pc:netbios-dgm    *:*
  UDP    ches-pc:1900           *:*
  UDP    ches-pc:ntp            *:*
  UDP    ches-pc:1900           *:*
  UDP    ches-pc:3471           *:*
56
Windows 2000
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1029           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1036           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1078           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1086           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6515           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:139          0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:1038           *:*
  UDP    0.0.0.0:6514           *:*
  UDP    0.0.0.0:6515           *:*
  UDP    127.0.0.1:1108         *:*
  UDP    223.223.223.96:500     *:*
  UDP    223.223.223.96:4500    *:*

57
Windows ME
  Active Connections - Win ME
  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:1032         0.0.0.0:0              LISTENING
  TCP    223.223.223.10:139     0.0.0.0:0              LISTENING
  UDP    0.0.0.0:1025           *:*
  UDP    0.0.0.0:1026           *:*
  UDP    0.0.0.0:31337          *:*
  UDP    0.0.0.0:162            *:*
  UDP    223.223.223.10:137     *:*
  UDP    223.223.223.10:138     *:*
58
FreeBSD partition, this laptop
  Active Internet connections (including servers)
  Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
  tcp4       0      0  *.22                   *.*                    LISTEN
  tcp6       0      0  *.22                   *.*                    LISTEN
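To turn listings like the four above into an attack-surface summary, here is an added example (not from the slides) that parses both netstat dialects shown, Windows "netstat -a" and BSD "netstat -a", and classifies each listening socket by the interface it is bound to. The embedded sample lines are constructed to resemble the slides' output rather than copied from a live host; hostname-form addresses such as XP's "ches-pc:epmap" cannot be classified without resolving them, so they are reported as unknown.

```python
"""Triage of listening sockets from netstat output.

Added example, not part of the original slides: parses the Windows and
BSD netstat dialects shown on the slides and classifies each listener by
how widely it is exposed.  The sample text is constructed to resemble the
slides' listings, not captured from a live host.
"""
import re
from dataclasses import dataclass
from typing import List

WINDOWS_SAMPLE = """\
Active Connections
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
TCP    127.0.0.1:139          0.0.0.0:0              LISTENING
TCP    ches-pc:netbios-ssn    ches-pc:0              LISTENING
TCP    223.223.223.96:1054    10.1.1.1:80            ESTABLISHED
UDP    0.0.0.0:31337          *:*
UDP    223.223.223.96:500     *:*
UDP    127.0.0.1:1108         *:*
"""

BSD_SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp6       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.25           *.*                    LISTEN
tcp4       0      0  10.0.0.5.49152         10.0.0.9.22            ESTABLISHED
"""


@dataclass(frozen=True)
class Listener:
    proto: str
    address: str
    port: str
    exposure: str    # "all-interfaces", "loopback", "specific" or "unknown"


LOOPBACK = {"127.0.0.1", "::1", "localhost"}
WILDCARD = {"0.0.0.0", "*", "::"}


def classify(address: str) -> str:
    """Exposure of a bound address: wildcard binds reach every interface, loopback none."""
    if address in WILDCARD:
        return "all-interfaces"
    if address in LOOPBACK:
        return "loopback"
    if re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", address) or ":" in address:
        return "specific"
    return "unknown"   # hostname form (XP prints 'ches-pc:epmap'); binding not knowable here


def split_windows(local: str):
    """'0.0.0.0:135' or '[::]:135' -> ('0.0.0.0', '135'); service names pass through."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), port


def split_bsd(local: str):
    """BSD uses a dot before the port: '*.22' -> ('*', '22'), '127.0.0.1.25' -> ('127.0.0.1', '25')."""
    host, _, port = local.rpartition(".")
    return host, port


def parse_netstat(text: str) -> List[Listener]:
    """Return the listening sockets from either dialect; established connections are skipped."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        proto = fields[0].lower()
        if proto in ("tcp", "udp") and len(fields) >= 2:          # Windows dialect
            state = fields[3] if len(fields) > 3 else ""
            if proto == "tcp" and state != "LISTENING":
                continue
            host, port = split_windows(fields[1])
        elif proto.startswith(("tcp", "udp")) and len(fields) >= 5:   # BSD dialect
            state = fields[5] if len(fields) > 5 else ""
            if proto.startswith("tcp") and state != "LISTEN":
                continue
            host, port = split_bsd(fields[3])
        else:
            continue   # headers and banner lines
        listeners.append(Listener(proto[:3], host, port, classify(host)))
    return listeners


def exposed(listeners: List[Listener]) -> List[Listener]:
    """Listeners reachable from some network: wildcard or specific-interface binds."""
    return [x for x in listeners if x.exposure in ("all-interfaces", "specific")]


if __name__ == "__main__":
    for sample in (WINDOWS_SAMPLE, BSD_SAMPLE):
        found = parse_netstat(sample)
        print(f"{len(exposed(found))} of {len(found)} listeners reachable from the network")
        for item in exposed(found):
            print("  ", item)
```

Read this way, the FreeBSD listing above is one reachable service (sshd on 22, over IPv4 and IPv6) while the Windows listings carry a dozen or more, most of them bound to every interface. The slides' point is the count, not any particular port: each reachable listener is code a stranger can talk to before any authentication happens.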
59
Microsoft really means it about improving their
security
  • They need world-class sandboxes, many more layers
    in their security, and much safer defaults
  • A Microsoft terminal will benefit millions of
    users

60
Internet Security Successes: It's Hard, but it's
not Impossible
  • Bill Cheswick
  • Lumeta Corp.