1.14k likes | 1.36k Views
Pondering and Patrolling Network Perimeters. Bill Cheswick ches@lumeta.com http://www.lumeta.com. Perimeter Defenses have a long history. Lorton Prison. Perimeter Defense of the US Capitol Building. Flower pots. Security doesn’t have to be ugly. Delta barriers.
E N D
Pondering and Patrolling Network Perimeters Bill Cheswick ches@lumeta.com http://www.lumeta.com NLUUG: Pondering Perimeters
Perimeter Defenses have a long history NLUUG: Pondering Perimeters
Lorton Prison NLUUG: Pondering Perimeters
Perimeter Defense of the US Capitol Building NLUUG: Pondering Perimeters
Flower pots NLUUG: Pondering Perimeters
Security doesn’t have to be ugly NLUUG: Pondering Perimeters
Delta barriers NLUUG: Pondering Perimeters
Why use a perimeter defense? • It is cheaper • A man’s home is his castle, but most people can’t afford the moat • You can concentrate your equipment and your expertise in a few areas • It is simpler, and simpler security is usually better • Easier to understand and audit • Easier to spot broken parts NLUUG: Pondering Perimeters
What’s wrong with perimeter defenses • They are useless against insider attacks • They provide a false sense of security • You still need to toughen up the inside, at least some • You need to hire enough defenders • They don’t scale well NLUUG: Pondering Perimeters
The Pretty Good Wall of China NLUUG: Pondering Perimeters
Heidelberg Castlestarted in the 1300s NLUUG: Pondering Perimeters
Perimeters need gateways • Let the good stuff in and keep out the bad stuff • This requires a bit of technology in any case • Doors, gates, murder holes, etc. • A place to focus your defenses NLUUG: Pondering Perimeters
Parliament: entrance NLUUG: Pondering Perimeters
Parliament: exit NLUUG: Pondering Perimeters
One gate is not enough • Too much infrastructure • Low-budget gates • Sally ports • Postern gates NLUUG: Pondering Perimeters
Warsaw gate NLUUG: Pondering Perimeters
Edinburgh Castle NLUUG: Pondering Perimeters
Postern gate (Sterling castle) NLUUG: Pondering Perimeters
A short bio regarding Internet perimeters • Started at Bell Labs in December 1987 • Immediately took over postmaster and firewall duties • Good way to learn the ropes, which was my intention NLUUG: Pondering Perimeters
Morris worm hit on Nov 1988 • Heard about it on NPR • Had a “sinking feeling” about it • The home-made firewall worked • No fingerd • No sendmail (we rewrote the mailer) • Intranet connection to Bellcore • We got lucky • Bell Labs had 1330 hosts • Corporate HQ didn’t know or care NLUUG: Pondering Perimeters
Action items • Shut down the unprotected connection to Bellcore • What we now call a “routing leak” • Redesign the firewall for much more capacity, and no “sinking feeling” • (VAX 750, load average of 15) • Write a paper on it • “if you don’t write it up, you didn’t do the work” NLUUG: Pondering Perimeters
Old gateway: NLUUG: Pondering Perimeters
New gateway: NLUUG: Pondering Perimeters
New gateway:(one referee’s suggestion) NLUUG: Pondering Perimeters
“Design of a Secure Internet Gateway” – Anaheim Usenix, Jan 1990 • My first real academic paper • It was pretty good, I think • Coined the work “proxy” in its current use (this was for a circuit level gateway • Predated socks by three years) • Coined the expression “crunchy outside and soft chewy center” NLUUG: Pondering Perimeters
Lucent now (1997) (sort of)We’d circled the wagons around Wyoming The Internet Columbus Murray Hill Murray Hill Holmdel Allentown SLIP PPP ISDN X.25 cable ... Lucent - 130,000, 266K IP addresses, 3000 nets ann. thousands of telecommuters ~200 business partners NLUUG: Pondering Perimeters
Anything large enough to be called an ‘intranet’ is probably out of control NLUUG: Pondering Perimeters
Controlling an intranet is hard, even if you care a lot about it • End-to-end philosophy is not helpful if you are the phone company • New networks and hosts are easily connected without the knowledge and permission of the network owner • Security scan tools are not helpful if you don’t know where to point them • This is not the fault of the network managers! They didn’t have the right tools! NLUUG: Pondering Perimeters
Highlands forum, Annapolis, Dec 1996 • A Rand corp. game to help brief a member of the new President’s Infrastructure Protection Commission • Met Esther Dyson and Fred Cohen there • Personal assessment by intel profiler • “Day after” scenario • Gosh it would be great to figure out where these networks actually go NLUUG: Pondering Perimeters
The basic problem on intranets (1996) • The CIO doesn’t know where his network goes • Technical people • Are too busy to document their network consistently • Change jobs relatively often, leaving legacy connections with unknown properties • TCP/IP networks are, by design, decentralized NLUUG: Pondering Perimeters
Goals Consistent, reasonably thorough description of the important topology of the Internet A light touch, so Internet denizens wouldn’t be angry (or even notice) me. Use a technology that doesn’t require access to routers Traceroute-style probes are fast, informative, and recognized as harmless by most network administrators Clean up Lucent’s intranet NLUUG: Pondering Perimeters
Methods - network discovery (ND) Obtain master network list network lists from Merit, RIPE, APNIC, etc. BGP data or routing data from customers hand-assembled list of Yugoslavia/Bosnia Run a TTL-type (traceroute) scan towards each network Stop on error, completion, no data Keep the natives happy NLUUG: Pondering Perimeters
Advantages • We don’t need access (I.e. SNMP) to the routers • It’s very fast • Standard Internet tool: it doesn’t break things • Insignificant load on the routers • Not likely to show up on IDS reports • We can probe with many packet types NLUUG: Pondering Perimeters
Limitations • View is from scanning host only • Multiple scan sources gives a better view • Outgoing paths only • Level 3 (IP) only • ATM networks appear as a single node • Not all routers respond • Some are silent • Others are “shy” (RFC 1123 compliant), limited to one response per second NLUUG: Pondering Perimeters
Data collection complaints Australian parliament was the first to complain List of whiners (25 nets) On the Internet, these complaints are a thing of the past Internet background radiation predominates NLUUG: Pondering Perimeters
Visualization goals make a map show interesting features debug our database and collection methods geography doesn’t matter use colors to show further meaning NLUUG: Pondering Perimeters