Submarine Warfare: Perimeter defense without walls Dan Houser, CISSP, CISM


Page 1: Submarine Warfare: Perimeter defense without walls Dan Houser, CISSP, CISM

Submarine Warfare: Perimeter defense without walls

Dan Houser, CISSP, CISM

Page 2

©Copyright 2004 – Daniel D. Houser

Overview

Classic firewall perspective

Where firewalls fall short

Changes in the security space

Suggestions for improving network security

• Strategic vision

• Tactical focus

Q&A

This presentation is designed to be a visit through the looking glass: thinking about perimeter security from a different perspective.

Page 3

Fortress mentality

Network implementation of physical barriers

Designed with overlapping, visible, impenetrable barriers

Classic perimeter security: Atlantic Wall

Page 4

Classic firewall/DMZ design

[Diagram: castle-style zones, from the outside in: External, Outer Courtyard, Inner Courtyard, Throne Room]

Page 5

Assumptions of the classic perimeter security model

Attackers are outside trying to break in

Attackers cannot breach the wall

Attackers are identified by guards

Guards are loyal

All contact comes through single path

Unfortunately, these are all wrong.

Page 6

Reality

Most attackers are inside

Attackers can breach the wall

Guards can’t identify all attackers

Guards can be subverted

Communication over MANY paths

Page 7

Reality: Many communication paths

Business partners

Affiliates

Subsidiaries

Telecommuters

On-site consultants

Support technicians

Off-site consultants

Spybots

Spyware / Adware

?? (paths nobody has documented)

Page 8

Red Queen race

“You have to run faster and faster just to stay in the same place!”

– The Red Queen, Alice in Wonderland

Image courtesy www.rushlimbaugh.com

Page 9

Red Queen race

CERT Statistics 1990 - 2Q2004

[Chart: incidents reported to CERT/CC per year, 1990 through 2Q2004; y-axis “Incidents”, 0 to 300,000]

Information courtesy CERT®/CC, Statistics 1988-2004, http://www.cert.org/stats/cert_stats.html

Page 10

Red Queen race

Web Services Security is changing the rules:

• Outsourced authentication (federated)

• Extranet access to core systems

• RPC calls over HTTP using XML & SOAP

Offshore services, data processing

Highly connected networks

Very tight business integration

In short, there is no network perimeter

Page 11

New paradigms are needed

We must migrate from ground-based warfare to a model that fits information warfare

“He who does not learn from history is doomed to repeat it.”

• The Maginot Line was bypassed

• The Atlantic Wall was pierced and defeated

• The Great Wall provided only partial protection

• The Alamo fell to a massive attack

Page 12

New paradigm: Submarine warfare

In submarine warfare:

• Everyone is an enemy until proven otherwise

• All contacts are tracked and logged

• Hardened autonomous systems

• Rules of engagement govern all response

• Constant vigilance

Identify Friend or Foe (IFF) becomes vital

Hunter-killer units vital to protect strategic investments – offensive as well as defensive players

Environment “listeners” for ASW and tracking

Evade detection, hound and confuse the enemy

Page 13

How does submarine warfare translate into InfoWarfare?

Harden all devices, not just DMZ

• Use of hardened kernels for all servers

• Harden all systems and run minimal services

Minimal installations on desktops

• Dumb terminals where available

• Provide Office tools to knowledge workers only

• Strip unneeded capabilities from kiosks

• Remove the ability to install software

Analyze traffic, not just headers

• Application-based firewalls

• XML filtering

Page 14

How does submarine warfare translate into InfoWarfare? (2)

Segregate boot camp from the theatre of operations

• VLAN development, test, DR & production

• Make change control your code firewall

• Only change control spans 2 security zones

• Production support segregated from source code

Core network becomes the DMZ

• Since most attacks are from within, make cubicles a DMZ

• Create hardened subnets for accounting, HR, IT, operations

• Publish intranets in the DMZ

Page 15

Network segmentation: Crunchy on the outside and the middle

[Diagram: segmented network with hardened subnets inside the perimeter]

Source: Information Security Magazine, “Network Security: Submarine Warfare”, Dan Houser, 2003, http://tinyurl.com/nwk7

Page 16

How does submarine warfare translate into InfoWarfare? (3)

Heavy use of crypto for IFF functions

• Accelerators & HSM will be key technologies

• Require all packets to be signed (e.g. Kerberos)

• Certificate revocation for intrusion prevention

• Network PKI becomes mission critical at layer 2

• Some early products emerging in this space (e.g. EndForce)

Network IDS is key

• Analyzing packets for IFF analysis, heuristics

• ISP pre-filtered IDS

• Analog threat tagging

• Identifying and tracking intruders

• Isolating subnets with hostile traffic

• Revoke certificates for hostile servers

• Vectoring CIRT

Page 17

How does submarine warfare translate into InfoWarfare? (4)

Tiger teams and internal search & seizure

• Businesses can’t afford rogue servers

• Zero tolerance policy for hacking

• Ethical hackers, capture the flag & war games: A&P

• Vulnerability assessment teams

Drill and war games

• Red teams – capture the flag

• Blue teams – learn from red teams, patch vulnerabilities

Highly trained staff becomes core competency

• Training

• Education

• Employee retention

Page 18

How does submarine warfare translate into InfoWarfare? (5)

Confuse and harass attackers

Make your real servers look bogus

• Save all .ASP code as .CGI files, perl as .ASP

• Configure responses from Apache that mimic IIS

• Open dummy NetBIOS ports on Unix servers

• Open bogus 21, 23, 25, 80 & 443 ports on all servers, with netcat listening on the bogus ports

• Call your database server “Firewall”

• Route bogus traffic to IDS network

Page 19

Internet attacks have changed…

Photo Courtesy NASA

Page 20

Old school attack

Lone interloper targets major firm

Studies publicly available information

Hangs out at local pub, befriends sales team

Dumpster dives to obtain manuals, phone lists

Uses war-dialer to find modems & remote hosts

Uses social engineering to obtain passwords

Dials up hosts, logs in, mayhem & mischief

Page 21

“Modern” attack

Lone interloper targets IP range

Downloads script kiddy tools

Scans IP range looking for vulnerable hosts

Port scans hosts looking for exploitable services

Uses exploit tool, mayhem & mischief

Target selection is now a target of opportunity… an indiscriminate attack

Page 22

Worms hit 10,000 networks at once…

Photo Courtesy The Weather Channel

Page 23

What we need is early warning

Photo Courtesy NASA

Page 24

Hide in the open: Big freakin’ haystack

• Virtual honeynets + Intrusion Management

• Create server that emulates address range: 10.x.x.x

• Open tons of ports: 20, 21, 23, 25, 37, 42, 43, 49, 67, 68, 69, 80, 109, 110, 137-139, 389, 443, 666, 6667

• Emulate good hosts: MS-Exchange, Solaris/Oracle, MS-SQL, RedHat/Apache/Tomcat, WinXP Pro

• Emulate bad boxes: botnet servers, Warez server, trojaned workstations, Win95 workstation, backdoor

• Honeyd likely tool, or at least a starting point

Page 25

Hide in the open: Big freakin’ haystack (2)

• Convert unused address space into decoy tripwire nets - 16,320,000 decoys to 200 "real" servers

• Stop swallowing packets: route unreachable hosts to the virtual honeynet

• 190,000 decoys per “real” server = 99.9995% detection

• Any hits are malicious – route to IDS / IPS. Research attack profile. Block attackers for 1 hour, 2 hours, 24 hours, 1 week.

• You’ve gained breathing room to respond to real attacks
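An added example, not from the slides, of the decoy tripwire logic described on this page: every address in a monitored range that is not a known real server is treated as a decoy, any source that touches one is flagged, and repeat hits walk up the slide's escalating block schedule. The monitored range, the list of real servers and the flow-log lines are constructed; the 190,000:1 ratio is the slide's own figure.

```python
import ipaddress
from collections import defaultdict

# Constructed values: the monitored range and the handful of "real" servers.
# Every other address in the range is a decoy, so traffic to it is suspect.
MONITORED = ipaddress.ip_network("10.0.0.0/8")
REAL_SERVERS = {ipaddress.ip_address(a) for a in ("10.1.2.10", "10.1.2.11", "10.3.0.5")}
# Escalating block durations in seconds (1 h, 2 h, 24 h, 1 week), as on the slide.
BLOCK_SCHEDULE = [3600, 2 * 3600, 24 * 3600, 7 * 24 * 3600]

# Constructed flow-log lines in the form "<ts> <src> -> <dst>:<port>".
SAMPLE_FLOWS = [
    "1000.0 192.0.2.7 -> 10.1.2.10:443",    # legitimate hit on a real server
    "1001.0 198.51.100.9 -> 10.1.2.12:80",  # decoy address: a scanner
    "1002.0 198.51.100.9 -> 10.1.2.13:80",
    "1003.0 198.51.100.9 -> 10.1.2.14:22",
    "1004.0 192.0.2.7 -> 10.3.0.5:25",      # legitimate hit on a real server
    "1005.0 203.0.113.4 -> 10.200.1.1:23",  # one stray probe into the haystack
]

def decoy_hit_probability(decoys: int, real: int) -> float:
    """Share of uniformly random probes into the range that land on a decoy."""
    return decoys / (decoys + real)

def parse_flow(line: str):
    """Split one constructed log line into (timestamp, src, dst, port)."""
    ts, src, _, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return float(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)

def tripwire(lines):
    """Return {src: (decoy_hits, block_seconds)} for each source that touched a decoy."""
    # Legitimate traffic only ever reaches REAL_SERVERS, so one decoy hit is
    # enough to flag a source; repeated hits walk up BLOCK_SCHEDULE.
    hits = defaultdict(int)
    for line in lines:
        _, src, dst, _ = parse_flow(line)
        if dst in MONITORED and dst not in REAL_SERVERS:
            hits[str(src)] += 1
    return {src: (n, BLOCK_SCHEDULE[min(n, len(BLOCK_SCHEDULE)) - 1])
            for src, n in hits.items()}

if __name__ == "__main__":
    print(f"decoy hit probability at 190,000:1 = {decoy_hit_probability(190_000, 1):.6%}")
    for src, (n, secs) in tripwire(SAMPLE_FLOWS).items():
        print(f"block {src} for {secs // 3600} h after {n} decoy hit(s)")
```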


Page 27

Hide in the open

Page 28

The fun has just begun…

LaBrea: SYN/ACK, TCP window size = 0 (wait)

• Load LaBrea to freeze a scan, run on random port

• Freezes Windows-based scanners up to 4 minutes

• Scanning 10,000 hosts takes 27 days

• Detecting 100 unpublished hosts in Class A would take approximately 112 years

Disclaimer: This may be illegal in your municipality. I am not a lawyer. Talk to one.

Page 29

The fun has just begun… (2)

Storm Surge Mode: active re-configuration

• Suppose your “standard” BFH net emulates:

25% Apache/Tomcat on RedHat 7

25% Microsoft SQL on Win2003 Server

25% Lotus Notes/Domino on Win2k Server

25% Oracle 9i on Solaris

• IDS from BFH telemetry notices big Win2k attack

• BFH configuration changes:

30% Microsoft SQL on Win2k Server

30% Exchange on Win2k Server

30% IIS on Win2k Server

10% Allocated among 30 other server/workstation images

Page 30

The fun has just begun… (3)

• Virtual honeynets: Make legitimate servers look like bogus servers.

• Make all servers (fake & real) look identical

• Port-level routing: Web Server gets ICMP echo reply, 80, 443. All other ports go to BFH

• BFH in your internal network: Malware outbreaks see your network with 16 million hosts. Ability to detect worms while slowing spread by 600x

• If all Class A, B & C networks ran BFH, it would emulate 2,112,077,025 Internet-facing virtual hosts.

• Worms and script kiddies would be economically infeasible.

Page 31

Where to get started?

Switching models will take time…

What do we do in the interim?

Copyright FarWorks & Gary Larson

Page 32

Turning the tide: Resilient systems

Server & desktop hardened images

Security templates – lock down desktops

Server-based authentication – PKI

Host-based intrusion detection

Centralized logging

Out-of-band server management

Eliminate single points of failure

Honeypots / honeynets

Camouflage and deception in DMZ

Page 33

Turning the tide: People

Security is a people problem, not a technical problem

Hire and train smart, security-minded people to run your networks and servers

Reward security:

• Establish benchmarks & vulnerability metrics

• More than just uptime – include confidentiality & integrity

• Audit against the benchmarks

• Include security as major salary/bonus modifier

• Job descriptions must incorporate security objectives

Train developers, architects & BAs on how to develop secure systems

Equate security breaches & cracking tools like weapons or drugs in the workplace – a “zero tolerance” policy?

Page 34

Turning the tide: Process

Assess risk & vulnerability: BIA

Include security in feature sets & requirements

Segregation of Developers, Testers & Production, and particularly Prod Support from source code

Change management & access rights

Certification & Accreditation

• Engage security team in charter & proposal phase

• Bake security into the systems lifecycle

• Require sponsor risk acceptance & authorization

• Embed accreditation into change control

Include security in contract review and ROI

Configuration Management security patch lists

Page 35

Summary

Use firewalls, but as one of many tools

Start network security with people, process and host security

Think outside the box when developing security architectures

Be prepared to dump your perimeter

Focus on malleable networking

Protect assets according to their value

Page 36

Q&A

Copyright FarWorks & Gary Larson

Page 37

Contact information

Dan Houser, CISSP, CISM, CCP

[email protected]

See Submarine Warfare article:

http://tinyurl.com/nwk7