Submarine Warfare: Perimeter defense without walls
Dan Houser, CISSP, CISM
©Copyright 2004 – Daniel D. Houser
Overview
Classic firewall perspective
Where firewalls fall short
Changes in the security space
Suggestions for improving network security
• Strategic vision
• Tactical focus
Q&A
This presentation is designed to be the visit through the looking glass… Thinking about perimeter security with a different perspective.
Fortress mentality
Network implementation of physical barriers
Designed with overlapping, visible, impenetrable barriers
Classic perimeter security: Atlantic Wall
Classic firewall/DMZ design (diagram of concentric zones: External, Outer Courtyard, Inner Courtyard, Throne Room)
Assumptions of the classic perimeter security model
Attackers are outside trying to break in
Attackers cannot breach the wall
Attackers are identified by guards
Guards are loyal
All contact comes through single path
Unfortunately, these are all wrong.
Reality
Most attackers are inside
Attackers can breach the wall
Guards can’t identify all attackers
Guards can be subverted
Communication over MANY paths
Reality: Many communication paths (diagram)
Business partners
Affiliates
Subsidiaries
Telecommuters
On-site consultants
Support technicians
Off-site consultants
Spybots
Spyware / Adware
Unknown paths (??)
Red Queen race
“You have to run faster and faster just to stay
in the same place!”
– The Red Queen, Alice in Wonderland
Image courtesy www.rushlimbaugh.com
CERT Statistics 1990 - 2Q2004 (chart: reported incidents per year, scale 0 to 300,000)
Information courtesy CERT®/CC, Statistics 1988-2004, http://www.cert.org/stats/cert_stats.html
Red Queen race
Web Services Security is changing the rules:
• Outsourced authentication (federated)
• Extranet access to core systems
• RPC calls over HTTP using XML & SOAP
Offshore services, data processing
Highly connected networks
Very tight business integration
In short, there is no network perimeter
Red Queen race
New paradigms are needed
We must migrate from ground-based warfare to a
model that fits information warfare
“He who does not learn from history is doomed to
repeat it.”
• The Maginot Line was bypassed
• The Atlantic Wall was pierced and defeated
• The Great Wall provided only partial protection
• The Alamo fell to a massive attack
New paradigm: Submarine warfare
In submarine warfare
• Everyone is an enemy until proven otherwise
• All contacts are tracked and logged
• Hardened autonomous systems
• Rules of engagement govern all response
• Constant vigilance
Identify Friend or Foe (IFF) becomes vital
Hunter-killer units vital to protect strategic investments – offensive as well as defensive players
Environment “listeners” for ASW and tracking
Evade detection, hound and confuse the enemy
How does submarine warfare translate into InfoWarfare?
Harden all devices, not just DMZ
• Use of hardened kernels for all servers
• Harden all systems and run minimal services
Minimal installations on desktops
• Dumb terminals where available
• Provide Office tools to knowledge workers only
• Strip unneeded capabilities from kiosks
• Remove the ability to install software
Analyze traffic, not just headers
• Application-based firewalls
• XML filtering
How does submarine warfare translate into InfoWarfare? (2)
Segregate boot camp from the theatre of operations
• VLAN development, test, DR & production
• Make change control your code firewall
• Only change control spans 2 security zones
• Production support segregated from source code
Core network becomes the DMZ
• Since most attacks are from within, make cubicles a DMZ
• Create hardened subnets for accounting, HR, IT, operations
• Publish intranets in the DMZ
Source: InformationSecurity Magazine, “Network Security: Submarine Warfare”, Dan Houser, 2003, http://tinyurl.com/nwk7
Network segmentation: Crunchy on the outside and the middle
How does submarine warfare translate into InfoWarfare? (3)
Heavy use of crypto for IFF functions
• Accelerators & HSM will be key technologies
• Require all packets to be signed (e.g. Kerberos)
• Certificate revocation for intrusion prevention
• Network PKI becomes mission critical at layer 2
• Some early products emerging in this space (e.g. EndForce)
Network IDS is key
• Analyzing packets for IFF analysis, heuristics
• ISP pre-filtered IDS
• Analog threat tagging
• Identifying and tracking intruders
• Isolating subnets with hostile traffic
• Revoke certificates for hostile servers
• Vectoring CIRT
How does submarine warfare translate into InfoWarfare? (4)
Tiger teams and internal search & seizure
• Businesses can’t afford rogue servers
• Zero tolerance policy for hacking
• Ethical hackers, capture the flag & war games: A&P
• Vulnerability assessment teams
Drill and war games
• Red teams – capture the flag
• Blue teams – learn from red teams, patch vulnerabilities
Highly trained staff becomes core competency
• Training
• Education
• Employee retention
How does submarine warfare translate into InfoWarfare? (5)
Confuse and harass attackers
Make your real servers look bogus
• Save all .ASP code as .CGI files, perl as .ASP
• Configure responses from Apache that mimic IIS
• Open dummy NetBIOS ports on Unix servers
• Open bogus 21, 23, 25, 80 & 443 ports on all servers, with netcat listening on the bogus ports
• Call your database server “Firewall”
• Route bogus traffic to IDS network
Internet attacks have changed…
Photo Courtesy NASA
Old school attack
Lone interloper targets major firm
Studies publicly available information
Hangs out at local pub, befriends sales team
Dumpster dives to obtain manuals, phone lists
Uses war-dialer to find modems & remote hosts
Uses social engineering to obtain passwords
Dials up hosts, logs in, mayhem & mischief
“Modern” attack
Lone interloper targets IP range
Downloads script kiddy tools
Scans IP range looking for vulnerable hosts
Port scans hosts looking for exploitable services
Uses exploit tool, mayhem & mischief
Target selection is now a target of opportunity… an indiscriminate attack
Worms hit 10,000 networks at once…
Photo Courtesy The Weather Channel
What we need is early warning
Photo Courtesy NASA
Hide in the open: Big freakin’ haystack
• Virtual honeynets + Intrusion Management
• Create server that emulates address range: 10.x.x.x
• Open tons of ports: 20, 21, 23, 25, 37, 42, 43, 49, 67, 68, 69, 80, 109, 110, 137-139, 389, 443, 666, 6667
• Emulate good hosts: MS-Exchange, Solaris/Oracle, MS-SQL, RedHat/Apache/Tomcat, WinXP Pro
• Emulate bad boxes: botnet servers, Warez server, trojaned workstations, Win95 workstation, backdoor
• Honeyd likely tool, or at least a starting point
Hide in the open: Big freakin’ haystack (2)
• Convert unused address space into decoy tripwire nets - 16,320,000 decoys to 200 "real" servers
• Stop swallowing packets: route unreachable hosts to the virtual honeynet
• 190,000 decoys per “real” server = 99.9995% detection
• Any hits are malicious – route to IDS / IPS. Research attack profile. Block attackers for 1 hour, 2 hours, 24 hours, 1 week.
• You’ve gained breathing room to respond to real attacks
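An added example, not from the slides, modelling the haystack triage the two slides above describe: real servers answer only on their published ports, every other hit is routed to the decoy net and treated as hostile, and each repeat offender earns the escalating block (1 h, 2 h, 24 h, 1 week). The server inventory, IP addresses and traffic are constructed for illustration.

```python
from collections import defaultdict

# Constructed inventory of "real" servers and the ports they publish.
# Anything else that arrives for these addresses, or for any other address
# in the monitored space, is a decoy hit.
REAL_SERVERS = {
    "10.1.0.10": {"tcp": {80, 443}, "icmp": True},   # web server
    "10.1.0.20": {"tcp": {25}, "icmp": False},       # mail relay
}
ESCALATION_HOURS = [1, 2, 24, 168]  # 1 hour, 2 hours, 24 hours, 1 week


def route(dst_ip, proto, port=None):
    """Port-level routing: 'real' only for a published service, else 'decoy'."""
    svc = REAL_SERVERS.get(dst_ip)
    if svc is None:
        return "decoy"                      # unreachable host -> haystack
    if proto == "icmp":
        return "real" if svc["icmp"] else "decoy"
    return "real" if port in svc.get(proto, set()) else "decoy"


def detection_rate(decoys, real):
    """Chance that a blind probe of one address lands on a decoy."""
    return decoys / (decoys + real)


class DecoyTriage:
    """Counts decoy hits per source and applies the escalating block."""

    def __init__(self):
        self.strikes = defaultdict(int)   # src -> decoy hits seen
        self.blocks = {}                  # src -> current block length (hours)

    def observe(self, src, dst, proto, port=None):
        verdict = route(dst, proto, port)
        if verdict == "decoy":
            self.strikes[src] += 1
            step = min(self.strikes[src], len(ESCALATION_HOURS)) - 1
            self.blocks[src] = ESCALATION_HOURS[step]
        return verdict


def demo():
    """Constructed traffic: one legitimate visit, then a scanner walking ports."""
    t = DecoyTriage()
    t.observe("203.0.113.5", "10.1.0.10", "tcp", 443)          # real, no strike
    for p in (21, 23, 3389, 6667, 8080):                        # five decoy hits
        t.observe("198.51.100.9", "10.1.0.10", "tcp", p)
    return t
```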
Hide in the open
The fun has just begun…
LaBrea: SYN/ACK, TCP window size = 0 (wait)
• Load LaBrea to freeze a scan, run on random port
• Freezes Windows-based scanners up to 4 minutes
• Scanning 10,000 hosts takes 27 days. Detecting 100 unpublished hosts in a Class A would take approximately 112 years
Disclaimer: This may be illegal in your municipality. I am not a lawyer. Talk to one.
The fun has just begun… (2)
Storm Surge Mode: active re-configuration
• Suppose your “standard” BFH net emulates:
25% Apache/Tomcat on RedHat 7
25% Microsoft SQL on Win2003 Server
25% Lotus Notes/Domino on Win2k Server
25% Oracle 9i on Solaris
• IDS from BFH telemetry notices big Win2k attack
• BFH configuration changes:
30% Microsoft SQL on Win2k Server
30% Exchange on Win2k Server
30% IIS on Win2k Server
10% Allocated among 30 other server/workstation images
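An added example, not from the slides, of the "storm surge" re-configuration described above: decoy hits from BFH telemetry are counted per emulated OS, and when one OS draws most of the traffic the image mix is re-weighted toward that OS. The image catalog, telemetry format, 60% trigger and 90% surge share are constructed assumptions.

```python
from collections import Counter

# Constructed catalog of decoy images, grouped by the OS they emulate.
IMAGE_CATALOG = {
    "RedHat 7": ["Apache/Tomcat on RedHat 7"],
    "Win2003": ["Microsoft SQL on Win2003 Server"],
    "Win2k": ["Lotus Notes/Domino on Win2k Server",
              "Microsoft SQL on Win2k Server",
              "Exchange on Win2k Server",
              "IIS on Win2k Server"],
    "Solaris": ["Oracle 9i on Solaris"],
}
# The "standard" mix from the slide, in percent of decoys.
STANDARD_MIX = {
    "Apache/Tomcat on RedHat 7": 25,
    "Microsoft SQL on Win2003 Server": 25,
    "Lotus Notes/Domino on Win2k Server": 25,
    "Oracle 9i on Solaris": 25,
}
SURGE_SHARE = 90   # percent of decoys devoted to the OS under attack (assumed)


def os_under_attack(hits, threshold=0.6):
    """hits: iterable of (src_ip, emulated_os) from decoy telemetry.
    Return the OS drawing at least `threshold` of all hits, else None."""
    counts = Counter(os_name for _, os_name in hits)
    if not counts:
        return None
    os_name, n = counts.most_common(1)[0]
    return os_name if n / sum(counts.values()) >= threshold else None


def surge_mix(attacked_os):
    """Re-weight images toward attacked_os; the rest share the remainder.
    Integer percentages, so a few percent may stay unallocated."""
    hot = IMAGE_CATALOG[attacked_os]
    cold = [img for os_name, imgs in IMAGE_CATALOG.items()
            if os_name != attacked_os for img in imgs]
    mix = {img: SURGE_SHARE // len(hot) for img in hot}
    rest = 100 - sum(mix.values())
    mix.update({img: rest // len(cold) for img in cold})
    return mix


def reconfigure(hits):
    """Return the image mix the decoy net should run given recent hits."""
    attacked = os_under_attack(hits)
    return STANDARD_MIX if attacked is None else surge_mix(attacked)
```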
The fun has just begun… (3)
• Virtual honeynets: Make legitimate servers look like bogus servers.
• Make all servers (fake & real) look identical
• Port-level routing: Web server gets ICMP echo reply, 80, 443. All other ports go to BFH
• BFH in your internal network: Malware outbreaks see your network with 16 million hosts. Ability to detect worms while slowing spread by 600x
• If all Class A, B & C networks ran BFH, it would emulate 2,112,077,025 Internet-facing virtual hosts.
• Worms and script kiddies would be economically infeasible.
Where to get started?
Switching models will take time… What do we do in the interim?
Copyright FarWorks & Gary Larson
Turning the tide: Resilient systems
Server & desktop hardened images
Security templates – lock down desktops
Server-based authentication – PKI
Host-based intrusion detection
Centralized logging
Out-of-band server management
Eliminate single points of failure
Honeypots / honeynets
Camouflage and deception in DMZ
Turning the tide: People
Security is a people problem, not a technical problem
Hire and train smart, security-minded people to run your networks and servers
Reward security:
• Establish benchmarks & vulnerability metrics
• More than just uptime – include confidentiality & integrity
• Audit against the benchmarks
• Include security as major salary/bonus modifier
• Job descriptions must incorporate security objectives
Train developers, architects & BAs on how to develop secure systems
Equate security breaches & cracking tools like weapons or drugs in the workplace – a “zero tolerance” policy?
Turning the tide: Process
Assess risk & vulnerability: BIA
Include security in feature sets & requirements
Segregation of developers, testers & production, and particularly prod support from source code
Change management & access rights
Certification & Accreditation
• Engage security team in charter & proposal phase
• Bake security into the systems lifecycle
• Require sponsor risk acceptance & authorization
• Embed accreditation into change control
Include security in contract review and ROI
Configuration management security patch lists
Summary
Use firewalls, but as one of many tools
Start network security with people, process and host security
Think outside the box when developing security architectures
Be prepared to dump your perimeter
Focus on malleable networking
Protect assets according to their value
Q&A
Copyright FarWorks & Gary Larson
Contact information
Dan Houser, CISSP, CISM, CCP
See Submarine Warfare article:
http://tinyurl.com/nwk7