1
Identifying and Patrolling your True Network Perimeter
  • Bill Cheswick
  • ches@lumeta.com
  • http://www.lumeta.com

2
Brief personal history
  • Started at Bell Labs in December 1987
  • Immediately took over postmaster and firewall
    duties
  • Good way to learn the ropes, which was my
    intention

3
Morris worm hit in Nov 1988
  • Heard about it on NPR
  • Had a sinking feeling about it
  • The home-made firewall worked
  • No fingerd
  • No sendmail (we rewrote the mailer)
  • Intranet connection to Bellcore
  • We got lucky
  • Bell Labs had 1330 hosts
  • Corporate HQ didn't know or care

4
Action items
  • Shut down the unprotected connection to Bellcore
  • What we now call a routing leak
  • Redesign the firewall for much more capacity, and
    no sinking feeling
  • (VAX 750, load average of 15)
  • Write a paper on it
  • if you don't write it up, you didn't do the work

5
Old gateway
6
New gateway (belt and suspenders)
7
New gateway (one referee's suggestion)
8
Design of a Secure Internet Gateway (Anaheim Usenix, Jun 1990)
  • My first real academic paper
  • It was pretty good, I think
  • It didn't have much impact, except for two
    pieces:
  • Coined the word "proxy" in its current use (this
    was for a circuit-level gateway; predated SOCKS
    by three years)
  • Coined the expression "crunchy outside and soft
    chewy center"

9
Why wasn't the paper more influential?
  • Because the hard part isn't the firewall, it is
    the perimeter
  • I built a high security firewall for USSS from
    scratch in about 2 hours in Sept. 2001.
  • I raised our firewall security from low-medium
    to high
  • (that's about as good as computer and network
    security measurement gets)
  • The perimeter security was "dumb luck", which we
    raised to "probably none"

10
Network and host security levels
  • Dumb luck
  • None
  • Low
  • Medium
  • High (no sinking feeling)

11
By 1996, AT&T's intranet
  • Firewall security: high, and sometimes quite a
    pain, which meant
  • Perimeter security: dumb luck
  • Trivestiture didn't change the intranet
    configuration that much

12
Lucent 1997: Circling the wagons around Wyoming
(Network map: the Internet; Lucent sites Columbus, Murray Hill, Murray Hill, Holmdel, Allentown; access via SLIP, PPP, ISDN, X.25, cable, ...; Lucent: 130,000, 266K IP addresses, 3000 nets ann.; thousands of telecommuters; 200 business partners)
13
(No Transcript)
14
Highlands forum, Annapolis, Dec 1996
  • A Rand Corp. game to help brief a member of the
    new President's Infrastructure Protection
    Commission
  • Met Esther Dyson and Fred Cohen there
  • Personal assessment by an intel profiler
  • Day-after scenario
  • Gosh, it would be great to figure out where these
    networks actually go

15
Perimeter Defenses have a long history
16
Lorton Prison
17
The Pretty Good Wall of China
18
(No Transcript)
19
(No Transcript)
20
(No Transcript)
21
Perimeter Defense
22
Flower pots
23
(No Transcript)
24
Security doesnt have to be ugly
25
(No Transcript)
26
(No Transcript)
27
(No Transcript)
28
(No Transcript)
29
Delta barriers
30
Edinburgh Castle
31
Warwick Castle
32
Heidelberg Castle, started in the 1300s
33
(No Transcript)
34
Berwick Castle
35
(No Transcript)
36
(No Transcript)
37
Parliament entrance
38
Parliament exit
39
Why use a perimeter defense?
  • It is cheaper
  • A man's home is his castle, but most people can't
    afford the moat
  • You can concentrate your equipment and your
    expertise in a few areas
  • It is simpler, and simpler security is usually
    better
  • Easier to understand and audit
  • Easier to spot broken parts

40
(No Transcript)
41
What's wrong with perimeter defenses
  • They are useless against insider attacks
  • They provide a false sense of security
  • You still need to toughen up the inside, at least
    some
  • You need to hire enough defenders
  • They dont scale well

42
Anything large enough to be called an intranet
is out of control

43
Project 1: Can we live without an intranet?
  • Strong host security
  • Mid 1990s

44
I can, but you probably can't
  • Skinny-dipping on the Internet since the mid
    1990s
  • The exposure focuses one clearly on the threats
    and proactive security
  • It's very convenient, for the services I dare to
    use
  • Many important network services are difficult to
    harden

45
Skinny dipping rules
  • Only minimal services are offered to the general
    public
  • SSH
  • Web server (jailed Apache)
  • DNS (self chrooted)
  • SMTP (postfix, not sendmail)
  • Children (like employees) and MSFT clients are
    untrustworthy
  • Offer hardened local services at home, like SAMBA
    (chroot), POP3 (chroot)
  • I'd like to offer other services, but they are
    hard to secure

46
Skinny dipping requires strong host security
  • FreeBSD and Linux machines
  • I am told that one can lock down a Microsoft
    host,
  • hundreds of steps, and I don't know how
  • Not just operating systems: the most popular
    client applications are, in theory and in
    practice, very dangerous
  • Web browsers and mail readers have many dangerous
    features

47
Skinny dipping flaws
  • Less defense in depth
  • No protection from denial-of-service attacks

48
Project 2: The Internet Mapping Project
  • An experiment in exploring network connectivity
  • 1998

49
Methods - network discovery (ND)
  • Obtain master network list
  • network lists from Merit, RIPE, APNIC, etc.
  • BGP data or routing data from customers
  • hand-assembled list of Yugoslavia/Bosnia
  • Run a TTL-type (traceroute) scan towards each
    network
  • Stop on error, completion, no data
  • Keep the natives happy

50
Methods - data collection
  • Single reliable host connected at the company
    perimeter
  • Daily full scan of Lucent
  • Daily partial scan of Internet, monthly full scan
  • One line of text per network scanned
  • Unix tools
  • Use a light touch, so we don't bother Internet
    denizens

51
TTL probes
  • Used by traceroute and other tools
  • Probes toward each target network with increasing
    TTL
  • Probes are ICMP, UDP, TCP to port 80, 25, 139,
    etc.
  • Some people block UDP, others ICMP

52
Intranet implications of Internet mapping
  • High speed technique, able to handle the largest
    networks
  • Light touch: "what are you going to do to my
    intranet?"
  • Acquire and maintain databases of Internet
    network assignments and usage

53
Advantages
  • We don't need access (i.e. SNMP) to the routers
  • It's very fast
  • Standard Internet tool; it doesn't break things
  • Insignificant load on the routers
  • Not likely to show up on IDS reports
  • We can probe with many packet types

54
Limitations
  • View is from scanning host only
  • Multiple scan sources gives a better view
  • Outgoing paths only
  • Level 3 (IP) only
  • ATM networks appear as a single node
  • Not all routers respond
  • Some are silent
  • Others are shy (RFC 1123 compliant), limited to
    one response per second

55
Data collection complaints
  • Australian parliament was the first to complain
  • List of whiners (25 nets)
  • On the Internet, these complaints are mostly a
    thing of the past
  • Internet background radiation predominates

56
Visualization goals
  • make a map
  • show interesting features
  • debug our database and collection methods
  • geography doesn't matter
  • use colors to show further meaning

57
(No Transcript)
58
Visualization of the layout algorithm
  • Laying out the Internet graph

59
(No Transcript)
60
(No Transcript)
61
Colored by AS number
62
Map Coloring
  • distance from test host
  • IP address
  • shows communities
  • Geographical (by TLD)
  • ISPs
  • future
  • timing, firewalls, LSRR blocks

63
Colored by IP address!
64
Colored by geography
65
Colored by ISP
66
Colored by distance from scanning host
67
(No Transcript)
68
(No Transcript)
69
Yugoslavia
  • An unclassified peek at a new battlefield
  • 1999

70
(No Transcript)
71
A film by Steve "Hollywood" Branigan...
72
(No Transcript)
73
The end
74
Intranets: the rest of the Internet
75
(No Transcript)
76
(No Transcript)
77
(No Transcript)
78
This was Supposed To be a VPN
79
(No Transcript)
80
(No Transcript)
81
Project 3: Detecting perimeter leaks
  • Lumeta's Special Sauce
  • 2000

82
Types of leaks
  • Routing leaks
  • Internal routes are announced externally, and the
    packets are allowed to flow betwixt
  • Host leaks
  • Simultaneously connected inside and out, probably
    without firewall-functionality
  • Not necessarily a dual-homed host
  • Please don't call them "leaks"
  • They aren't always a Bad Thing

83
Routing leaks
  • Easily seen on maps
  • Shows up in our reports
  • Generally easily fixed

84
Host leak detection
  • Developed to find hosts that have access to both
    intranet and Internet
  • Or across any privilege boundary
  • Leaking hosts do not route between the networks
  • Technology didn't exist to find these

85
Possible host leaks
  • Misconfigured telecommuters connecting remotely
  • VPNs that are broken
  • DMZ hosts with too much access
  • Business partner networks
  • Internet connections by rogue managers
  • Modem links to ISPs

86
Leak Detection Prerequisites
  • List of potential leakers obtained by census
  • Access to intranet
  • Simultaneous availability of a mitt

87
Leak Detection Layout
  • Mapping host with address A is connected to the
    intranet
  • Mitt with address D has Internet access
  • Mapping host and mitt are currently the same
    host, with two interfaces

(Diagram: mapping host with intranet address A and mitt with Internet address D; test host with intranet address B and possible Internet address C)
88
Leak Detection
  • Test host has known address B on the intranet
  • It was found via census
  • We are testing for unauthorized access to the
    Internet, possibly through a different address, C

89
Leak Detection
  • A sends packet to B, with spoofed return address
    of D
  • If B can, it will reply to D with a response,
    possibly through a different interface

90
Leak Detection
  • Packet must be crafted so the response wont be
    permitted through the firewall
  • A variety of packet types and responses are used
  • Either inside or outside address may be
    discovered
  • Packet is labeled so we know where it came from

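The probe on slides 87-90 in code, as an added example (not Lumeta's implementation): mapping host A sends test host B an IPv4/ICMP echo request whose source field is the mitt's address D, and the mitt attributes whatever reply shows up on the Internet side. The label format (B's inside address plus a keyed MAC over B, id and seq) is this example's own way of doing "packet is labeled so we know where it came from"; the addresses and the shared key are constructed. ICMP echo is one probe type; the slides say a variety is used. Raw-socket send/receive is out of scope here, so the packets are built and parsed as bytes, with a function standing in for a leaking B.

```python
"""Labeled leak probes (added example; A = mapping host, B = test host,
C = B's outside address, D = the mitt). Packets are built/parsed in memory."""
import hashlib
import hmac
import socket
import struct

SECRET = b"per-run-mapping-key"      # assumption: key shared by A and the mitt for one run
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0
LABEL_LEN = 4 + 16                   # inside address + truncated HMAC-SHA256


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a header that verifies sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def label_mac(inside_raw: bytes, ident: int, seq: int) -> bytes:
    """Ties a reply to the probe that caused it; forged/stray replies fail this."""
    return hmac.new(SECRET, inside_raw + struct.pack("!HH", ident, seq),
                    hashlib.sha256).digest()[:16]


def ipv4_header(src: str, dst: str, payload_len: int, ident: int) -> bytes:
    """Minimal 20-byte IPv4 header, TTL 64, protocol ICMP, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, 64,
                      socket.IPPROTO_ICMP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def icmp_echo(kind: int, ident: int, seq: int, payload: bytes) -> bytes:
    msg = struct.pack("!BBHHH", kind, 0, 0, ident, seq) + payload
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def build_probe(mitt_addr: str, target_addr: str, ident: int, seq: int) -> bytes:
    """A's probe: IP src = D (the mitt, spoofed), IP dst = B, labeled echo request."""
    inside_raw = socket.inet_aton(target_addr)
    icmp = icmp_echo(ICMP_ECHO_REQUEST, ident, seq,
                     inside_raw + label_mac(inside_raw, ident, seq))
    return ipv4_header(mitt_addr, target_addr, len(icmp), ident) + icmp


def parse_ipv4(pkt: bytes):
    """Return (proto, src, dst, payload) or None if the header checksum fails."""
    if len(pkt) < 20:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl or inet_checksum(pkt[:ihl]) != 0:
        return None
    return pkt[9], socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[ihl:]


def simulate_leaky_reply(probe: bytes, via_addr: str) -> bytes:
    """What a leaking B does: answer D, sourced from whichever interface reaches it (C)."""
    _, src, _, icmp = parse_ipv4(probe)
    ident, seq = struct.unpack("!HH", icmp[4:8])
    reply = icmp_echo(ICMP_ECHO_REPLY, ident, seq, icmp[8:])
    return ipv4_header(via_addr, src, len(reply), ident) + reply


def classify_reply(pkt: bytes, mitt_addr: str):
    """Mitt side: accept only a well-formed echo reply to D whose label verifies.
    Returns {'inside': B, 'outside': C, ...} for a confirmed leak, else None."""
    parsed = parse_ipv4(pkt)
    if parsed is None:
        return None
    proto, src, dst, icmp = parsed
    if proto != socket.IPPROTO_ICMP or dst != mitt_addr or len(icmp) < 8 + LABEL_LEN:
        return None
    if inet_checksum(icmp) != 0:
        return None
    kind, _, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if kind != ICMP_ECHO_REPLY:
        return None
    inside_raw, mac = icmp[8:12], icmp[12:12 + 16]
    if not hmac.compare_digest(mac, label_mac(inside_raw, ident, seq)):
        return None
    return {"inside": socket.inet_ntoa(inside_raw), "outside": src, "ident": ident, "seq": seq}


if __name__ == "__main__":
    # Constructed addresses: D on the mitt, B inside, C = B's undeclared outside interface.
    probe = build_probe("198.51.100.7", "10.1.2.3", 0x1234, 1)
    print(classify_reply(simulate_leaky_reply(probe, "203.0.113.9"), "198.51.100.7"))
```

Both addresses on slide 90 fall out of one reply: the inside address B comes from the label, the outside address C from the reply's IP source. Without the MAC, anyone who can reach D could make a host look like a leaker.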
91
Inbound Leak Detection
  • This direction is usually more important
  • It all depends on the site policy
  • so many leaks might be just fine.

92
Inbound Leak Detection
93
Leak results
  • Found home web businesses
  • At least two clients have tapped leaks
  • One made front page news
  • From the military: "the republic is a little
    safer"

94
Case studies: corp. networks. Some intranet
statistics
95
We developed a lot of stuff
  • Leak detection (that's the special sauce)
  • Lots of reports; the hardest part is converting
    data to information
  • Route discovery: TTL probes plus SNMP router
    queries
  • Host enumeration and identification: ping and
    xprobe-style host identification
  • Server discovery: SYN probes of popular TCP
    ports
  • Wireless base station discovery: xprobe, SNMP,
    HTTP
  • And more; ask the sales people
  • "The zeroth step in network intelligence"
  • (me)
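Server discovery in code, as an added example rather than Lumeta's own: the slides' SYN probes are half-open and need raw sockets and root, so this uses full connect() probes instead (a swap, not what IP Sonar does), grabs a banner when the service volunteers one, and paces probes per host for the "light touch" the earlier slides insist on. It brings up its own loopback listener so it runs offline; the port list beyond 80, 25 and 139 is assumed.

```python
"""TCP service discovery with pacing and banner capture (added example)."""
import socket
import threading
import time
from contextlib import closing

POPULAR_PORTS = (22, 25, 80, 139, 443)   # 80/25/139 are from the slides; the rest assumed


def start_listener(banner=b"SSH-2.0-example\r\n", host="127.0.0.1"):
    """Throwaway service on an ephemeral port that greets with a banner; returns (sock, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:            # listener closed: stop serving
                return
            with closing(conn):
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port(host="127.0.0.1"):
    """An ephemeral port that is currently closed (bound, then released)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def probe_port(host, port, timeout=0.5):
    """None if closed/filtered within timeout; otherwise the first bytes the
    service sent (b'' if it stayed silent, e.g. HTTP waits for the client)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        if s.connect_ex((host, port)) != 0:
            return None
        try:
            return s.recv(128)
        except (socket.timeout, OSError):
            return b""


def discover_servers(host, ports=POPULAR_PORTS, pace=0.05):
    """Map of open port -> banner for one host; sleeps `pace` between probes
    so a sweep never bursts at a single target."""
    found = {}
    for p in ports:
        banner = probe_port(host, p)
        if banner is not None:
            found[p] = banner
        time.sleep(pace)
    return found


if __name__ == "__main__":
    srv, port = start_listener()
    try:
        print(discover_servers("127.0.0.1", (port,)))
    finally:
        srv.close()
```

A connect probe completes the handshake, so unlike a SYN probe it does show up in the target's accept() logs; that is the price of not needing raw sockets.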

96
IP Sonar
  • 2003

97
Nice research result: happy clients
  • Switched from service to appliance
  • Developers did a nice job with GUI and
    productizing the software
  • Priced by approx. number of active IP devices and
    length of time you have the appliance
  • 100 Fortune 200 clients
  • Growing government use among military, spooks,
    and various departments
  • FAA, VA, EOP, DISA, DOD, Treasury, pilots at
    others including DOE

98
What's next?
  • IPv6
  • 2005 3

99
ipv6.research.microsoft.com. 15M IN A    131.107.65.121
ipv6.research.microsoft.com. 15M IN AAAA 2002:836b:4179::836b:4179
100
IPv6 deployment
  • Has been 3 years away since 1993
  • Widely deployed in the Far East, and in the new
    cell phones
  • Europe is getting on board
  • US Government mandate for 2005
  • But what does IPv6 capable really mean?
  • None of the three ISPs I am connected to at home
    and work offer raw IPv6 feeds

101
(No Transcript)
102
IPv4 vs. IPv6 address space
  • IPv4: Class A = /8, Class B = /16 (street value, 1MM?), Class C = /24
  • IPv6: China = /32, a soldier = /48, a link = /64
103
IPv6 address space
  • /48s seem to be freely available
  • Each US soldier will have one
  • One for each home
  • 80-bit host address is a hell of a large space
  • Easy to hide hosts in that space
  • Hard to administer hosts in that space
  • Some interesting cryptographic and IP hopping
    applications come to mind.

104
IPv6 technical aspects
  • Addresses arent as bad as you might think
  • 20015bfe161 (easy to grep!)
  • Address format changes logfile processing
  • Math is not easy for processing IPv6 addresses
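The log-processing and address-math points on this slide, worked through as an added example (not from the slides or from Lumeta) with the standard library's ipaddress module: pull v4 and v6 addresses out of constructed syslog-style lines, reduce them to one spelling each, expand them to a fixed-width grep-friendly form, recover the IPv4 address embedded in slide 99's 6to4 record (2002:836b:4179::836b:4179, with the colons the transcript dropped restored), and do the /48-to-/64 arithmetic behind the "hard to administer" and "easy to hide hosts" claims.

```python
"""IPv6 addresses in logs and inventories (added example; log lines are constructed)."""
import ipaddress
import re

LOG_LINES = [
    "sshd[123]: Accepted publickey for ches from 10.1.2.3 port 51234",
    "sshd[124]: Failed password for root from 2001:db8:1:2::a port 22",
    "httpd: client [2002:836b:4179::836b:4179]:80 GET /",          # 6to4, from slide 99
    "httpd: client [2001:DB8:0001:0002:0000:0000:0000:000A]:443 GET /",  # same host as line 2
]
_BRACKETED = re.compile(r"^\[([^\]]+)\](?::\d+)?$")   # [v6addr]:port, the usual v6 log form


def extract_addresses(line: str):
    """Every token that parses as an IP address, after stripping [..]:port."""
    found = []
    for tok in line.split():
        m = _BRACKETED.match(tok)
        cand = m.group(1) if m else tok.rstrip(",;")
        try:
            found.append(ipaddress.ip_address(cand))
        except ValueError:
            pass
    return found


def canonical(addr) -> str:
    """One spelling per address (RFC 5952 compressed, lowercase), so that
    2001:DB8:0001:...:000A and 2001:db8:1:2::a count as the same host."""
    return str(addr)


def exploded(addr) -> str:
    """Fixed-width form, every group zero-padded: the 'easy to grep' spelling."""
    return addr.exploded


def embedded_ipv4(addr):
    """IPv4 carried inside a transition address (6to4, IPv4-mapped, Teredo client), else None."""
    if addr.version != 6:
        return None
    if addr.sixtofour is not None:
        return addr.sixtofour
    if addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    if addr.teredo is not None:
        return addr.teredo[1]        # (server, client): the client is the interesting one
    return None


def link_of(addr, prefixlen=64):
    """The /64 an address sits on; strict=False masks off the host bits."""
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def in_allocation(addr, alloc: str) -> bool:
    return addr in ipaddress.ip_network(alloc)


def links_in(alloc: str, link_prefix=64) -> int:
    """How many /64 links a site allocation such as a /48 contains."""
    return 1 << (link_prefix - ipaddress.ip_network(alloc).prefixlen)


def sweep_years(link_prefix=64, pps=1_000_000) -> float:
    """Years to probe every address on one link at pps packets/second: why a
    brute-force census of a /64 is hopeless and hiding a host in it is easy."""
    return (1 << (128 - link_prefix)) / pps / (365.25 * 86400)


def group_by_link(lines):
    """Community view for maps: which /64s the v6 addresses in the logs fall in."""
    groups = {}
    for line in lines:
        for a in extract_addresses(line):
            if a.version == 6:
                groups.setdefault(str(link_of(a)), set()).add(canonical(a))
    return groups


if __name__ == "__main__":
    for line in LOG_LINES:
        for a in extract_addresses(line):
            print(canonical(a), exploded(a), embedded_ipv4(a))
    print(links_in("2001:db8:1::/48"), "links in a /48;", round(sweep_years()), "years per /64 sweep")
```

Two practical notes: normalize before counting or correlating, or the same host appears under several spellings; and treat a 6to4 or Teredo address as a second name for an IPv4 host, which is exactly the kind of "host leak" the leak-detection slides are about.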

105
Conversion issues
  • IPv4-only hardware
  • Programmers have to relearn the socket dance
  • Not a big deal, but requires changes to every
    Internet legacy program
  • Address format changes logfile processing
  • Have to replicate a whole new set of firewall
    rules

106
IPv6 dead ends
  • Google-based research will lead you down recently
    abandoned dead ends
  • A6 came and went, AAAA is what to use
  • Link level addressing is deprecated
  • The 6bone is dying, dont go there
  • Use of the bottom 80 bits (128 - 48) not really
    settled

107
IPv6 pending problems
  • chicken-and-egg startup
  • DNS replies (512-byte UDP limit) too small to
    hold AAAA records for all the root servers
  • Asset management

108
IPv6
  • IPv6 is available through IPv4/IPv6 tunnel
    brokers
  • www.hexago.com formerly freenet6.net
  • Easy to set up on Unix hosts, then it Just Works
  • In Windows XP for developers
  • IPv4/IPv6 NAT boxes?
  • Lumeta? We are working on it

109
Reasons to go to IPv6
  • Address space stops being a problem
  • Because the government policy says so
  • There could be useful IPv6-only sites
  • Early adopters (e.g. China) can restrict access
    to the IPv4 world
  • Perhaps worm spreads might be slowed

110
Reasons not to go to IPv6
  • Unnecessary expense for corporations using
    private address space
  • Unsupported by most cheap devices
  • Cable modems, base stations, etc.
  • Not really there yet; some standards unsettled

111
Who are the early adopters?
  • China and Japan
  • Didn't receive very large initial IPv4
    allocations
  • Nascent industries
  • IP for cell phones
  • US government, supposedly

112
Some IPv6 web sites
  • www.ipv6.org
  • www.ipv6forum.com
  • vendors
  • www.hexago.com
  • Free IPv6 brokering

113
What's next? Skinny dipping with Microsoft
operating systems?
  • 2062?

114
XP SP2: Bill gets it
  • "a feature you don't use should not be a security
    problem for you."
  • Security by design
  • Too late for that, it's all retrofitting now
  • Perhaps this is the goal of Longhorn
  • Security by default
  • No network services on by default

115
XP SP2: Bill gets it (cont.)
  • Security control panel
  • Many things missing from it
  • Speaker could not find ActiveX security settings
  • There are a lot of details that remain to be seen.

116
Good signs
  • For some, it has been painful to install
  • Like going to the dentist for the first time
    after 20 years
  • SP2 has been exempt from many (not all) of
    Microsoft's recent security advisories

117
Pondering and Patrolling Perimeters
  • Bill Cheswick
  • ches@lumeta.com
  • http://www.lumeta.com

(Bill, you can go drinking now)
118
(No Transcript)