View
216
Download
0
Category
Preview:
Citation preview
uw network security2003
Terry Gray
University of Washington
Computing & Communications
17 October 2003
UW campus network (backbone)
borderrouter
borderrouter
backbone switches
~ 30 level one routers
subnets (733 total; 150 c&c); over 60,000 live devices
UW campus network (typical subnet)
Level One Router
Aggregation Switch
Edge Switch Edge Switch Edge Switch
campus subnets are a mixture of• shared 10Mbps• switched 10Mbps• switched 10/100Mbps
network facilities
typical core routers
campus network traffic
Pacific Northwest Gigapop
The PNW’s access point to next generation Internets, including Internet2, high performance USA Federal Networks, and high speed commodity Internet
A high speed peering point for regional and international networks
R&D testbed inviting national and international experimentation with advanced Internet-based applications
Pacific Northwest Gigapop
uwborder
uwborder
3 diverse network providersInternet2national & internat’nl nets
•Internet2 2.5Gbps (10Gbps upgrade underway)•Three different 1Gbps connections to the Internet•Multiple gigabits of connections to other networks
30+ networkcustomers
K-12 (307)
Community/Technical College (73)
Public Baccalaureate (50)
Library (65 in process)Independent Colleges (9 approved)
K20 Network Sites
seven security axioms Network security is maximized when we assume there is no such
thing. Large security perimeters mean large vulnerability zones. Firewalls are such a good idea, every computer should have one.
Seriously. Remote access is fraught with peril, just like local access. One person's security perimeter is another's broken network. Isolation strategies are limited by how many PCs you want on your
desk. Network security is about psychology as much as technology
. Bonus: never forget that computer ownership is not for the feint-hearted.
credo
focus first on the edge(perimeter protection paradox)
add defense in depth as needed keep it manageable provide for local policy choice... avoid one-size-fits-all
gray’s defense-in-depth conjecture
MTTE (exploit) = k * N**2 MTTI (innovation) = k * N**2 MTTR (repair) = k * N**2
where N = number of layers
C&C security activities logical firewalls project 172 network infrastructure protection reverse IDS (local infection detection) auto-block; self-reenable traffic monitoring tools who/where traceability tools nebula proactive probing honeypots security operations training; consulting
security in the post-Internet era:the needs of the many
the needs of the few
Terry Gray
University of Washington
Fall Internet2 Meeting
16 October 2003
2003: security ”annus horribilis”SlammerBlasterSobig.F
increasing spyware threatattackers discover encryptionhints of more “advanced” attacks
and let’s not even talk about spam…
2003: security-related trends
RIAA subpoenasgrowing wireless useVoIP over 802.11 pilotsmore mobile devicesmore critical application roll-outsfaster networks“personal lambda” networksSEC filings on security?class action lawsuits?
impactend of an era… say farewell to
the open Internetautonomous unmanaged PCsfull digital convergence?
say hello toone-size-fits-all (OSFA) solutionsconflict... everyone wants security and
max availability, speed, autonomy, flexibilitymin hassle, cost
the needs of the many trump the needs of the few (but at what cost?)
consequencesmore closed nets (bug or feature?)more VPNs (bug or feature?)more tunneling -“firewall friendly” appsmore encryption (thanks to RIAA)more collateral harm -attack + remedyworse MTTR (complexity, broken tools)constrained innovationcost shifted from “guilty” to “innocent”pressure to fix problem at borderpressure for private nets
revelationssystem administrators (2 kinds…)
want total local autonomy… orwant someone else to solve the problemoften unaware of cost impact on others
users (2 kinds: happy & unhappy)want “unlisted numbers”need “openness” defined by apps
feedback loop: closed nets encourage constrained appsconstrained apps encourage closed nets
perimeter defense tradeoffsborder
biggest vulnerability zonebiggest policy vs. performance concern
subnetdoesn’t match org boundariesworst case for NetOps debuggingconsider also: sub-subnet LFWs, etc.
hostoptimal security perimeterhardest to implement
never say die
goal: simple core, local policy choicehow to avoid OSFA closed net future?
design net for choice of open or closedpervasive IPsec
combine with “point response”won’t reverse trend to closed nets,
but may avoid bad cost shiftsalternative: only closed nets, policy wars
questions? comments?
outline
thesismetamorphosisgrief counselingwhat we losthow we lost itconsequencescritical questions
thesis
the Open Internet is history--”get over it“
cheer up, things could be worse--and will be if we aren’t careful
we can still make good decisions--to avoid even worse outcomes
S@LS goal: evaluate alternative futures
metamorphosis: Internet paradigm
1969: “one network”1982: “network of networks”199x: balkanization begins2003: balkanization complete2004: paradigm lost?
metamorphosis: workshop goal
2000: “network security credo”2001: “my first NAT”
2002: “uncle ken calls” > quest 2003: “slammer” > intervention 2003: “dcom/rpc” > wake
metamorphosis: success metrics
nirvana then open Internet / network utility model successful end-point security
nirvana now? operational simplicity admin-controlled security user-controlled connectivity
grief counseling
denialangerbargainingdepressionacceptance
--simultaneously!
what we lost: network utility model
the network utility model is dead--long live the NUM
all ports once behaved the same simple easy to debug
now they don’t: bandwidth management polices security policies
what we lost: operational integrity
lost: network simplicity, leading to lower MTBF higher MTTR higher costs
lost: full connectivity, leading to less innovation? frustration, inconvenience sometimes less security (faith, backdoors)
how we lost it: inevitable trainwreck?
fundamental contradiction networking is about connectivity security is about isolation
conflicting roles: strained bedfellows the networking guy the security guy the sys admin oh yeah… and the user
insecurity = liability liability trumps innovation liability trumps operator concerns liability trumps user concerns
how we lost it: firewall allure?
firewalls = “packet disrupting devices”perimeter protection paradoxeslarge-perimeter FWs benefit:
SysAd, SecOps, maybe user at expense of NetOps
the best is the enemy of the good microsoft rpc exploit has guaranteed that the
firewall industry has a bright future
how we lost it: disconnects
failure of “computer security” vendors gave customers what they wanted, not
what they needed responsibility/authority disconnects guarantee
failure
failure of networkers to understand what others wanted not a completely open Internet! importance of “unlisted numbers”
consequences (1)
mindset: “computer security” failed, so “network security” must be the answer
extreme pressure to make network topology match organization boundaries
”network of networks” evolution 1982: minimum impedance between nets 2003: maximum impedance between nets
Heisen/stein networking: uncertain and relativistic connectivity
consequences (2)
more self-imposed denial-of-service firewalls everywhere uphill battle for p2p more tunneled traffic over fewer ports one FTE per border --with or without firewall troubleshooting will be harder NAT survives unless/until a better “unlisted number”
mechanism takes hold security/liability will continue to trump
innovation/philosophy/ops costs
critical questions
should we build net topologies that match organizational boundaries?
will end-point security improve enough that perimeter defense will be secondary?
is it too late to try to offer users a choice of open or closed nets?
is the trend toward a single-port tunneled Internet good, bad, or indifferent?
is there any chance IPS or DEN will make it all better?
what’s the best way to implement an “unlisted number” semantic?
discussion!
how do we redefine the Internet, going forward?
I.e. how do we “reconnect”?
Recommended