Submarine Warfare -- Perimeter Defense without Walls


  1. Submarine Warfare: Perimeter defense without walls
     Dan Houser, CISSP, CISM
  2. Overview
     - Classic firewall perspective
     - Where firewalls fall short
     - Changes in the security space
     - Suggestions for improving network security
       - Strategic vision
       - Tactical focus
     - Q&A
     - This presentation is designed to be a trip through the looking glass: thinking about perimeter security from a different perspective.
  3. Classic perimeter security (image: Atlantic Wall)
     - Fortress mentality
     - Network implementation of physical barriers
     - Designed with overlapping, visible, impenetrable barriers
  4. Classic firewall/DMZ design (diagram labels: External, Outer Courtyard, Inner Courtyard, Throne Room)
  5. Assumptions of the classic perimeter security model
     - Attackers are outside trying to break in
     - Attackers cannot breach the wall
     - Attackers are identified by guards
     - Guards are loyal
     - All contact comes through a single path
     - Unfortunately, these are all wrong.
  6. Reality
     - Most attackers are inside
     - Attackers can breach the wall
     - Guards can't identify all attackers
     - Guards can be subverted
     - Communication over MANY paths
  7. Reality: Many communication paths (diagram labels: Business partners, Affiliates, Subsidiaries, Telecommuters, On-site consultants, Support technicians, Off-site consultants, Spybots, Spyware / Adware, and several unknown "??" paths)
  8. Red Queen race
     - "You have to run faster and faster just to stay in the same place!"
       - The Red Queen, Alice in Wonderland
     Image courtesy www.rushlimbaugh.com
  9. Red Queen race (chart)
     Information courtesy CERT®/CC, Statistics 1988-2004, http://www.cert.org/stats/cert_stats.html
  10. Red Queen race
     - Web Services Security is changing the rules:
       - Outsourced authentication (federated)
       - Extranet access to core systems
       - RPC calls over HTTP using XML & SOAP
     - Offshore services, data processing
     - Highly connected networks
     - Very tight business integration
     - In short, there is no network perimeter
  11. New paradigms are needed
     - We must migrate from ground-based warfare to a model that fits information warfare
     - "He who does not learn from history is doomed to repeat it."
       - The Maginot Line was bypassed
       - The Atlantic Wall was pierced and defeated
       - The Great Wall provided only partial protection
       - The Alamo fell to a massive attack
  12. New paradigm: Submarine warfare
     - In submarine warfare
       - Everyone is an enemy until proven otherwise
       - All contacts are tracked and logged
       - Hardened autonomous systems
       - Rules of engagement govern all response
       - Constant vigilance
     - Identify Friend or Foe (IFF) becomes vital
     - Hunter-killer units vital to protect strategic investments – offensive as well as defensive players
     - Environment "listeners" for ASW and tracking
     - Evade detection, hound and confuse the enemy
  13. How does submarine warfare translate into InfoWarfare?
     - Harden all devices, not just the DMZ
       - Use hardened kernels for all servers
       - Harden all systems and run minimal services
     - Minimal installations on desktops
       - Dumb terminals where available
       - Provide Office tools to knowledge workers only
       - Strip unneeded capabilities from kiosks
       - Remove the ability to install software
     - Analyze traffic, not just headers
       - Application-based firewalls
       - XML filtering
  14. How does submarine warfare translate into InfoWarfare? (2)
     - Segregate boot camp from the theatre of operations
       - VLAN development, test, DR & production
       - Make change control your code firewall
       - Only change control spans two security zones
       - Production support segregated from source code
     - Core network becomes the DMZ
       - Since most attacks are from within, make cubicles a DMZ
       - Create hardened subnets for accounting, HR, IT, operations
       - Publish intranets in the DMZ
  15. Network segmentation: Crunchy on the outside and the middle (diagram)
     Source: Information Security Magazine, "Network Security: Submarine Warfare", Dan Houser, 2003, http://tinyurl.com/nwk7
  16. How does submarine warfare translate into InfoWarfare? (3)
     - Heavy use of crypto for IFF functions
       - Accelerators & HSMs will be key technologies
       - Require all packets to be signed (e.g. Kerberos)
       - Certificate revocation for intrusion prevention
       - Network PKI becomes mission critical at layer 2
       - Some early products emerging in this space (e.g. EndForce)
     - Network IDS is key
       - Analyzing packets for IFF analysis, heuristics
       - ISP pre-filtered IDS
       - Analog threat tagging
       - Identifying and tracking intruders
       - Isolating subnets with hostile traffic
       - Revoking certificates for hostile servers
       - Vectoring the CIRT
  17. How does submarine warfare translate into InfoWarfare? (4)
     - Tiger teams and internal search & seizure
       - Businesses can't afford rogue servers
       - Zero tolerance policy for hacking
       - Ethical hackers, capture the flag & war games: A&P
       - Vulnerability assessment teams
     - Drills and war games
       - Red teams – capture the flag
       - Blue teams – learn from red teams, patch vulnerabilities
     - Highly trained staff becomes a core competency
       - Training
       - Education
       - Employee retention
  18. How does submarine warfare translate into InfoWarfare? (5)
     - Confuse and harass attackers
     - Make your real servers look bogus
       - Save all .ASP code as .CGI files, Perl as .ASP
       - Configure responses from Apache that mimic IIS
       - Open dummy NetBIOS ports on Unix servers
       - Open bogus 21, 23, 25, 80 & 443 ports on all servers, with netcat listening on the bogus ports
       - Call your database server "Firewall"
       - Route bogus traffic to the IDS network
  19. Internet attacks have changed… (Photo courtesy NASA)
  20. Old school attack
     - Lone interloper targets a major firm
     - Studies publicly available information
     - Hangs out at the local pub, befriends the sales team
     - Dumpster dives to obtain manuals, phone lists
     - Uses a war-dialer to find modems & remote hosts
     - Uses social engineering to obtain passwords
     - Dials up hosts, logs in, mayhem & mischief
  21. "Modern" attack
     - Lone interloper targets an IP range
     - Downloads script kiddy tools
     - Scans the IP range looking for vulnerable hosts
     - Port scans hosts looking for exploitable services
     - Uses an exploit tool, mayhem & mischief
     - Target selection is now a target of opportunity… indiscriminate attack
  22. Worms hit 10,000 networks at once… (Photo courtesy The Weather Channel)
  23. What we need is early warning (Photo courtesy NASA)
  24. Hide in the open: Big freakin' haystack
     - Virtual honeynets + intrusion management
     - Create a server that emulates an address range: 10.x.x.x
     - Open tons of ports: 20, 21, 23, 25, 37, 42, 43, 49, 67, 68, 69, 80, 109, 110, 137-139, 389, 443, 666, 6667
     - Emulate good hosts: MS-Exchange, Solaris/Oracle, MS-SQL, RedHat/Apache/Tomcat, WinXP Pro
     - Emulate bad boxes: botnet servers, warez server, trojaned workstations, Win95 workstation, backdoor
     - Honeyd is the likely tool, or at least a starting point
  25. Hide in the open: Big freakin' haystack (2)
     - Convert unused address space into decoy tripwire nets - 16,320,000 decoys to 200 "real" servers
     - Stop swallowing packets: route unreachable hosts to the virtual honeynet
     - 190,000 decoys per "real" server = 99.9995% detection
     - Any hits are malicious – route to IDS / IPS
       - Research the attack profile.
       - Block attackers for 1 hour, 2 hours, 24 hours, 1 week.
     - You've gained breathing room to respond to real attacks
  27. Hide in the open (diagram)
  28. The fun has just begun…
     - LaBrea: SYN/ACK, TCP window size = 0 (wait)
       - Load LaBrea to freeze a scan, run on a random port
       - Freezes Windows-based scanners for up to 4 minutes
       - Scanning 10,000 hosts takes 27 days.
       - Detecting 100 unpublished hosts in a Class A would take approximately 112 years
     - Disclaimer: This may be illegal in your municipality. I am not a lawyer. Talk to one.
  29. The fun has just begun… (2)
     - Storm Surge Mode: active re-configuration
     - Suppose your "standard" BFH net emulates:
       - 25% Apache/Tomcat on RedHat 7
       - 25% Microsoft SQL on Win2003 Server
       - 25% Lotus Notes/Domino on Win2k Server
       - 25% Oracle 9i on Solaris
     - IDS from BFH telemetry notices a big Win2k attack
     - BFH configuration changes:
       - 30% Microsoft SQL on Win2k Server
       - 30% Exchange on Win2k Server
       - 30% IIS on Win2k Server
       - 10% allocated among 30 other server/workstation images
  30. The fun has just begun… (3)
     - Virtual honeynets: Make legitimate servers look like bogus servers.
     - Make all servers (fake & real) look identical
     - Port-level routing:
       - Web server gets ICMP echo reply, 80, 443
       - All other ports go to the BFH
     - BFH in your internal network
       - Malware outbreaks see your network with 16 million hosts
       - Ability to detect worms while slowing spread by 600x
     - If all Class A, B & C networks ran BFH, it would emulate 2,112,077,025 Internet-facing virtual hosts.
     - Worms and script kiddies would be economically infeasible.
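The decoy-tripwire design of slides 25 and 30 (route only published ports to the real host, treat any other hit as malicious, block the source on an escalating 1h/2h/24h/1-week ladder) as an added worked example in Python. This is not code from the deck or from Honeyd or LaBrea; the server inventory, the RFC 5737 documentation addresses and the sample flows are constructed for illustration, and the two arithmetic helpers simply carry the slides' own detection-probability and tarpit scan-time figures through in code.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed inventory: the few "real" servers and the ports they publish.
# Addresses come from the RFC 5737 documentation range, not a live network.
REAL_SERVERS: Dict[str, Set[int]] = {
    "192.0.2.10": {80, 443},   # web server: only 80/443 (plus ICMP echo) reach it
    "192.0.2.20": {25},        # mail relay: only 25 reaches it
}

# Escalating block ladder from slide 25, in seconds: 1 hour, 2 hours, 24 hours, 1 week.
BLOCK_LADDER = [3600, 7200, 86400, 604800]


def detection_probability(decoys: int, real: int) -> float:
    """Probability that one uniformly random probe into the space lands on a decoy.

    With 190,000 decoys per real server this is 190000/190001, the slide's 99.9995%.
    """
    return decoys / (decoys + real)


def scan_time_days(hosts: int, stall_minutes: float) -> float:
    """Days a sequential scanner needs if a tarpit stalls it stall_minutes per host.

    10,000 hosts at 4 minutes each is 40,000 minutes, the slide's "27 days".
    """
    return hosts * stall_minutes / (24 * 60)


def route(dst_ip: str, proto: str, dst_port: Optional[int]) -> str:
    """Port-level routing from slide 30.

    A real host receives ICMP echo and its published TCP ports; every other
    destination address or port is handed to the big freakin' haystack (BFH).
    """
    published = REAL_SERVERS.get(dst_ip)
    if published is not None:
        if proto == "icmp":
            return "real"
        if proto == "tcp" and dst_port in published:
            return "real"
    return "honeynet"


def block_duration(strikes: int) -> int:
    """Seconds to block a source after its Nth decoy hit; saturates at one week."""
    return BLOCK_LADDER[min(strikes, len(BLOCK_LADDER)) - 1]


@dataclass
class Tripwire:
    """Tracks decoy hits per source and emits (src, target, block_seconds) alerts."""
    strikes: Dict[str, int] = field(default_factory=dict)
    alerts: List[Tuple[str, str, int]] = field(default_factory=list)

    def observe(self, src_ip: str, dst_ip: str, proto: str,
                dst_port: Optional[int]) -> Optional[int]:
        # Traffic to a published service is normal; only decoy hits are alerted on.
        if route(dst_ip, proto, dst_port) == "real":
            return None
        self.strikes[src_ip] = self.strikes.get(src_ip, 0) + 1
        seconds = block_duration(self.strikes[src_ip])
        self.alerts.append((src_ip, f"{dst_ip}:{dst_port}/{proto}", seconds))
        return seconds


# Constructed sample flows: one ordinary client and one host sweeping the space.
SAMPLE_FLOWS = [
    ("203.0.113.5", "192.0.2.10", "tcp", 443),   # client fetches the web site
    ("203.0.113.5", "192.0.2.10", "icmp", None),  # client pings the web server
    ("198.51.100.7", "192.0.2.10", "tcp", 22),    # SSH probe at the web server: decoy
    ("198.51.100.7", "192.0.2.11", "tcp", 80),    # unused address: decoy
    ("198.51.100.7", "192.0.2.20", "tcp", 445),   # SMB probe at the mail relay: decoy
    ("198.51.100.7", "192.0.2.12", "tcp", 23),    # unused address: decoy
    ("198.51.100.7", "192.0.2.13", "tcp", 21),    # unused address: decoy
]


def run_sample() -> List[Tuple[str, str, int]]:
    """Feed the constructed flows through the tripwire and return the alerts raised."""
    tripwire = Tripwire()
    for src, dst, proto, port in SAMPLE_FLOWS:
        tripwire.observe(src, dst, proto, port)
    return tripwire.alerts


if __name__ == "__main__":
    print(f"decoy hit probability: {detection_probability(190_000, 1):.6%}")
    print(f"tarpitted scan of 10,000 hosts: {scan_time_days(10_000, 4.0):.1f} days")
    for alert in run_sample():
        print(alert)
```

The client never appears in the alerts because its two flows hit a published port and ICMP echo; the sweeping host trips a decoy on every one of its five probes and climbs the ladder to the one-week block on its fourth hit, which is the "any hit is malicious" property the slide relies on.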
  31. Where to get started?
     - Switching models will take time…
     - What do we do in the interim?
     Cartoon copyright FarWorks & Gary Larson
  32. Turning the tide: Resilient systems
     - Server & desktop hardened images
     - Security templates – lock down desktops
     - Server-based authentication – PKI
     - Host-based intrusion detection
     - Centralized logging
     - Out-of-band server management
     - Eliminate single points of failure
     - Honeypots / honeynets
     - Camouflage and deception in the DMZ
  33. Turning the tide: People
     - Security is a people problem, not a technical problem
     - Hire and train smart, security-minded people to run your networks and servers
     - Reward security:
       - Establish benchmarks & vulnerability metrics
       - More than just uptime – include confidentiality & integrity
       - Audit against the benchmarks
       - Include security as a major salary/bonus modifier
       - Job descriptions must incorporate security objectives
     - Train developers, architects & BAs on how to develop secure systems
     - Treat security breaches & cracking tools like weapons or drugs in the workplace
       – a "zero tolerance" policy?
  34. Turning the tide: Process
     - Assess risk & vulnerability: BIA
     - Include security in feature sets & requirements
     - Segregation of developers, testers & production, and particularly prod support from source code
     - Change management & access rights
     - Certification & Accreditation
       - Engage the security team in the charter & proposal phase
       - Bake security into the systems lifecycle
       - Require sponsor risk acceptance & authorization
       - Embed accreditation into change control
     - Include security in contract review and ROI
     - Configuration management: security patch lists
  35. Summary
     - Use firewalls, but as one of many tools
     - Start network security with people, process and host security
     - Think outside the box when developing security architectures
     - Be prepared to dump your perimeter
     - Focus on malleable networking
     - Protect assets according to their value
  36. Q&A
     Cartoon copyright FarWorks & Gary Larson
  37. Contact information
     - Dan Houser, CISSP, CISM, CCP
     - [email_address]
     - See the Submarine Warfare article: http://tinyurl.com/nwk7
