Defending Your Network: Identifying and Patrolling Your True Network Perimeter

Presentation Transcript


  1. Defending Your Network: Identifying and Patrolling Your True Network Perimeter Bill Cheswick Chief Scientist, Lumeta Corp

  2. Pondering and Patrolling Perimeters Bill Cheswick ches@lumeta.com http://www.lumeta.com

  3. Talk Outline • Outside: mapping the Internet • A discussion of perimeter defenses • Strong host security • Mapping and understanding intranets • The past and future of Microsoft host security: • my Dad’s computer

  4. The Internet Mapping Project An experiment in exploring network connectivity

  5. Motivations • Highlands “day after” scenario • Panix DOS attacks: a way to trace anonymous packets back! • Visualization experiments • Curiosity about size and growth of the Internet • Databases for graph theorists, grad students, etc.

  6. Methods - data collection • Single reliable host connected at the company perimeter • Daily full scan of Lucent • Daily partial scan of Internet, monthly full scan • One line of text per network scanned • Unix tools • Use a light touch, so we don’t bother Internet denizens

  7. Methods - network discovery (ND) • Obtain master network list: network lists from Merit, RIPE, APNIC, etc.; BGP data or routing data from customers; hand-assembled list of Yugoslavia/Bosnia • Run a traceroute-style scan towards each network • Stop on error, completion, no data • Keep the natives happy

  8. Intranet implications of Internet mapping • High speed technique, able to handle the largest networks • Light touch: “what are you going to do to my intranet?” • Acquire and maintain databases of Internet network assignments and usage

  9. Related Work • See Martin Dodge’s cyber geography page • MIDS - John Quarterman • CAIDA - kc claffy • Mercator • “Measuring ISP topologies with rocketfuel” - 2002 • Spring, Mahajan, Wetherall • Enter “internet map” in your search engine

  10. TTL probes • Used by traceroute and other tools • Probes toward each target network with increasing TTL • Probes are ICMP, UDP, TCP to port 80, 25, 139, etc. • Some people block UDP, others ICMP

  11. Advantages • We don’t need access (i.e. SNMP) to the routers • It’s very fast • Standard Internet tool: it doesn’t break things • Insignificant load on the routers • Not likely to show up on IDS reports • We can probe with many packet types

  12. Limitations • View is from scanning host only • Multiple scan sources give a better view • Outgoing paths only • Layer 3 (IP) only • ATM networks appear as a single node • Not all routers respond • Some are silent • Others are “shy” (RFC 1123 compliant), limited to one response per second

  13. Data collection complaints • Australian parliament was the first to complain • List of whiners (25 nets) • On the Internet, these complaints are mostly a thing of the past • Internet background radiation predominates

  14. Intranet uses of Don’t Scan list • Hands off particular business partners • Hands off especially sensitive networks • Hanging ATMs • 3B2s with broadcast storms • Wollongong software (!) on factory floor computers • Intranet vs. ISP customer networks

  15. Visualization goals • make a map • show interesting features • debug our database and collection methods • hard to fold up • geography doesn’t matter • use colors to show further meaning

  16. Visualization of the layout algorithm Laying out the Internet graph

  17. Visualization of the layout algorithm Laying out an intranet

  18. A simplified map, for the Internet layouts • Minimum distance spanning tree uses 80% of the data • Much easier visualization • Most of the links still valid • Redundancy is in the middle
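Slides 10, 12 and 18 describe TTL-probe paths, routers that stay silent, and the minimum-distance spanning tree behind the simplified map. The Python below is an added example, not code from the talk or from Lumeta: it takes a constructed set of hop lists (the per-path record a traceroute-style scan yields), builds the router graph without guessing an edge across a silent hop, and computes the BFS tree from the scanning host together with each node's hop distance, the key the distance-colored map is drawn from. The addresses are documentation ranges chosen for the example.

```python
from collections import deque

# Constructed sample scan: each list is the chain of responding hops seen
# with TTL = 1, 2, 3, ... toward one target network. None marks a silent hop.
SCAN_HOST = "10.0.0.1"
PATHS = [
    [SCAN_HOST, "10.0.0.254", "192.0.2.1", "192.0.2.9", "198.51.100.1"],
    [SCAN_HOST, "10.0.0.254", "192.0.2.1", "192.0.2.17", "198.51.100.1"],
    [SCAN_HOST, "10.0.0.254", "192.0.2.1", None, "203.0.113.1"],
    [SCAN_HOST, "10.0.0.254", "192.0.2.5", "203.0.113.1"],
]

def build_graph(paths):
    """Undirected router graph from consecutive responding hops.
    A silent hop (None) breaks the chain: no edge is guessed across it."""
    adj = {}
    for path in paths:
        for a, b in zip(path, path[1:]):
            if a is None or b is None:
                continue
            adj.setdefault(a, set()).add(b)
            adj.setdefault(b, set()).add(a)
    return adj

def distance_tree(adj, root):
    """BFS from the scanning host: the minimum-distance spanning tree used
    for the simplified map. Returns {node: (parent, hops_from_root)}."""
    tree = {root: (None, 0)}
    queue = deque([root])
    while queue:
        u = queue.popleft()
        for v in sorted(adj.get(u, ())):   # sorted for deterministic output
            if v not in tree:
                tree[v] = (u, tree[u][1] + 1)
                queue.append(v)
    return tree

def summarize(paths, root):
    """How much of the full graph the tree keeps, plus each node's distance
    from the scanning host (what the 'colored by distance' map is keyed on)."""
    adj = build_graph(paths)
    tree = distance_tree(adj, root)
    edges = sum(len(n) for n in adj.values()) // 2
    return {
        "nodes": len(adj),
        "edges": edges,
        "tree_edges": len(tree) - 1,
        "fraction_kept": (len(tree) - 1) / edges if edges else 0.0,
        "distance": {n: d for n, (_, d) in tree.items()},
        "unreached": sorted(set(adj) - set(tree)),
    }

if __name__ == "__main__":
    for key, value in summarize(PATHS, SCAN_HOST).items():
        print(key, value)
```

On the sample, the two routes to 198.51.100.1 are the redundancy the tree drops: 7 of 8 links survive, and the silent hop in the third path leaves 203.0.113.1 reachable only through 192.0.2.5.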

  19. Colored by AS number

  20. Map Coloring • distance from test host • IP address shows communities • Geographical (by TLD) • ISPs • future: timing, firewalls, LSRR blocks

  21. Colored by IP address!

  22. Colored by geography

  23. Colored by ISP

  24. Colored by distance from scanning host

  25. US military reached by ICMP ping

  26. US military networks reached by UDP

  27. Yugoslavia An unclassified peek at a new battlefield

  28. A film by Steve “Hollywood” Branigan...

  29. The End

  30. Perimeter defenses

  31. Perimeter defenses are a traditional means of protecting an area without hardening each of the things in that area

  32. Why use a perimeter defense? • It is cheaper • A man’s home is his castle, but most people can’t afford the moat • You can concentrate your equipment and your expertise in a few areas • It is simpler, and simpler security is usually better • Easier to understand and audit • Easier to spot broken parts

  33. Perimeter Defense of the US Capitol Building

  34. Flower pots

  35. Security doesn’t have to be ugly

  36. Delta barriers

  37. Parliament: entrance

  38. Parliament: exit
