
Perimeter Defense in a World Without Walls


Perimeter Defense when you don't have a perimeter, and how to change the paradigm to protect hosts, and hide from the bad guys. Introduction of the Big Freakin' Haystack project (that, sadly, went nowhere).


  1. Perimeter Defense in a World Without Walls. Central Ohio ISSA. Dan Houser, CISSP, CISM. March 16, 2005. © Copyright 2005 – Daniel D. Houser.
  2. Overview
     - Classic firewall perspective
     - Where firewalls fall short
     - Changes in the security space
     - Suggestions for improving network security
     - Strategic vision
     - Tactical focus
     - Q&A
     This presentation is designed to be the visit through the looking glass… thinking about perimeter security with a different perspective.
  3. Fortress mentality
     - Network implementation of physical barriers
     - Designed with overlapping, visible, impenetrable barriers
     - Classic perimeter security
     [Image: the Atlantic Wall]
  4. Classic firewall/DMZ design
     [Diagram: External → Outer Courtyard → Inner Courtyard → Throne Room]
  5. Assumptions of the classic perimeter security model
     - Attackers are outside trying to break in
     - Attackers cannot breach the wall
     - Attackers are identified by guards
     - Guards are loyal
     - All contact comes through a single path
     Unfortunately, these are all wrong.
  6. Reality
     - Most attackers are inside
     - Attackers can breach the wall
     - Guards can't identify all attackers
     - Guards can be subverted
     - Communication over MANY paths
  7. Reality: Many communication paths
     [Diagram labels: Business partners, Affiliates, Subsidiaries, Telecommuters, On-site Consultants, Support Technicians, Off-site Consultants, ??, Spybots, Spyware / Adware]
  8. Red Queen race
     "You have to run faster and faster just to stay in the same place!" – The Red Queen, Alice in Wonderland
     Image courtesy www.rushlimbaugh.com
  9. Red Queen race
     [Chart: CERT Statistics 1990 – 2Q2004, incidents per year, y-axis 0 to 300,000, x-axis 1990 to 2004]
     Information courtesy CERT®/CC, Statistics 1988-2004, http://www.cert.org/stats/cert_stats.html
  10. Red Queen race
     Web Services Security is changing the rules:
     - Outsourced authentication (federated)
     - Extranet access to core systems
     - RPC calls over HTTP using XML & SOAP
     - Offshore services, data processing
     - Highly connected networks
     - Very tight business integration
     In short, there is no network perimeter.
  11. New paradigms are needed
     We must migrate from ground-based warfare to a model that fits information warfare.
     "He who does not learn from history is doomed to repeat it."
     - The Maginot Line was bypassed
     - The Atlantic Wall was pierced and defeated
     - The Great Wall provided only partial protection
     - The Alamo fell to a massive attack
  12. New paradigm: Submarine warfare
     In submarine warfare…
     - Everyone is an enemy until proven otherwise
     - All contacts are tracked and logged
     - Hardened autonomous systems
     - Rules of engagement govern all response
     - Constant vigilance
     - Identify Friend or Foe (IFF) becomes vital
     - Hunter-killer units vital to protect strategic investments – offensive as well as defensive players
     - Environment "listeners" for ASW and tracking
     - Evade detection, hound and confuse the enemy
  13. How does Submarine Warfare translate into InfoWarfare?
     Harden all devices, not just the DMZ:
     - Use of hardened kernels for all servers
     - Harden all systems and run minimal services
     Minimal installations on desktops:
     - Dumb terminals where available
     - Provide Office tools to knowledge workers only
     - Strip unneeded capabilities from kiosks
     - Remove the ability to install software
     Analyze traffic, not just headers:
     - Application-based firewalls
     - XML filtering
  14. How does Submarine Warfare translate into InfoWarfare?
     Segregate boot camp from the theatre of operations:
     - VLAN development, test, DR & production
     - Make change control your code firewall
     - Only change control spans 2 security zones
     - Production support segregated from source code
     - Endpoint compliance / Walled Garden
     Core network becomes the DMZ:
     - Since most attacks are from within, make cubicles a DMZ
     - Create hardened subnets for accounting, HR, IT, operations
     - Publish intranets in the DMZ
  15. Network segmentation: Crunchy on the outside and the middle
     [Diagram] Source: Information Security Magazine, "Network Security: Submarine Warfare", Dan Houser, 2003, http://tinyurl.com/nwk7
  16. How does Submarine Warfare translate into InfoWarfare?
     Heavy use of crypto for IFF functions:
     - Accelerators & HSM will be key technologies
     - Require all packets to be signed (e.g. Kerberos)
     - Certificate revocation for intrusion prevention
     - Network PKI becomes mission critical at layer 2
     - Emerging products for Layer 2 auth – TNT/Endforce
     Network IDS is key:
     - Analyzing packets for IFF analysis, heuristics
     - ISP pre-filtered IDS
     - Analog threat tagging
     - Identifying and tracking intruders
     - Isolating subnets with hostile traffic
     - Revoke certificates for hostile servers
     - Vectoring CIRT
  17. How does Submarine Warfare translate into InfoWarfare?
     Tiger teams and internal search & seizure:
     - Businesses can't afford rogue servers
     - Zero tolerance policy for hacking
     - Ethical hackers, capture the flag & war games: A&P
     - Vulnerability assessment teams
     Drill and war games:
     - Red teams – capture the flag
     - Blue teams – learn from red teams, patch vulnerabilities
     Highly trained staff becomes a core competency:
     - Training
     - Education
     - Employee retention
  18. How does Submarine Warfare translate into InfoWarfare?
     "All warfare is based on deception." – Sun Tzu
     Confuse and harass attackers… Make your real servers look bogus:
     - Save all .ASP code as .CGI files, perl as .ASP
     - Configure responses from Apache that mimic IIS
     - Open dummy NetBIOS ports on Unix servers
     - Use unpredictable ports: run SSH on 19384
     - Call your database server "Firewall"
     - Route bogus traffic to IDS network
  19. How does Submarine Warfare translate into InfoWarfare?
     Further deception techniques:
     - Perception management
     - Low profile facilities
     - Red Herring accounts
     - Minimalistic error messages (or fake error messages)
     - Temporary blindness – ignoring misbehaving nodes
     - Deceptive websites: false configs & backdoors
     See Fred Cohen's site: www.all.net
  20. Internet attacks have changed…
     Photo courtesy NASA
  21. Old school attack
     - Lone interloper targets major firm
     - Studies publicly available information
     - Hangs out at local pub, befriends sales team
     - Dumpster dives to obtain manuals, phone lists
     - Uses war-dialer to find modems & remote hosts
     - Uses social engineering to obtain passwords
     - Dials up hosts, logs in, mayhem & mischief
  22. "Modern" attack
     - Lone interloper targets IP range
     - Downloads script kiddy tools
     - Scans IP range looking for vulnerable hosts
     - Port scans hosts looking for exploitable services
     - Uses exploit tool, mayhem & mischief
     Target selection is now a target of opportunity… indiscriminate attack.
  23. Worms hit 10,000 networks at once…
     Photo courtesy The Weather Channel
  24. What we need is early warning
     Photo courtesy NASA
  25. Hide in the open: Honeyd + arpd
     - Low-interaction virtual honeypot
     - honeyd with arpd creates a virtual network
     - Create a server that emulates an address range: 10.x.x.x, 192.168.x.x, public IP range
     - Listen on all ports
     - Emulate good hosts: MS-Exchange, Solaris/Oracle, MS-SQL, RedHat/Apache/Tomcat, WinXP Pro
     - Emulate bad boxes: botnet servers, Warez server, trojaned workstations, Win95 workstation, backdoor
  26. Hide in the open: Honeyd + arpd
     - Convert unused address space into decoy tripwire nets – 16,320,000 decoys to 200 "real" servers
     - Stop swallowing packets: route unreachable hosts to the virtual honeynet
     - 190,000 decoys per "real" server = 99.9995% detection
     - Any hits are malicious – route to IDS / IPS
     - Research attack profile
     - Block attackers for 1 hour, 2 hours, 24 hours, 1 week
     - You've gained breathing room to respond to real attacks
  27. Hide in the open: Big freakin' haystack
     [Diagram: Router, Real Network, BFH Honeyd Emulator, Honeycomb IDS, Distributed Config, IPS]
  28. Hide in the open
     [Image]
  29. The fun has just begun…
     LaBrea: SYN/ACK, TCP Window size = 0 (wait)
     - Load LaBrea to freeze a scan, run on a random port
     - Freezes Windows-based scanners up to 4 minutes
     - Scanning 10,000 hosts takes 27 days
     - Detecting 100 unpublished hosts in a Class A would take approximately 112 years
     Disclaimer: This may be illegal in your municipality. I am not a lawyer. Talk to one.
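The decoy-tripwire reasoning of slides 26 and 29, as an added worked example (not part of the original deck or the BFH project): unused addresses in a constructed /16 are treated as decoys, any probe to a decoy is classified as hostile and the source is blocked for the escalating periods the slide lists (1 h, 2 h, 24 h, 1 week), and the LaBrea slowdown is estimated from a flat 4-minute stall per decoy. The network, the real-server addresses and the probe log are all constructed; the assumed stall time is a parameter.

```python
"""Added example (not from the original slides): decoy-tripwire triage and
tarpit timing for the "Big Freakin' Haystack" idea. Addresses, probe events
and the 240 s stall constant are constructed for illustration."""
import ipaddress
from collections import defaultdict

# Constructed: a /16 in which only three addresses host real servers.
NETWORK = ipaddress.ip_network("10.20.0.0/16")
REAL_SERVERS = {
    ipaddress.ip_address("10.20.1.10"),
    ipaddress.ip_address("10.20.1.11"),
    ipaddress.ip_address("10.20.3.25"),
}

# Escalating block durations in seconds, as listed on slide 26.
BLOCK_SCHEDULE = [3600, 2 * 3600, 24 * 3600, 7 * 24 * 3600]


def decoy_ratio(network, real_servers):
    """Decoys per real server, and the chance a uniformly random probe hits a decoy."""
    total = network.num_addresses
    decoys = total - len(real_servers)
    return decoys / len(real_servers), decoys / total


def block_duration(strike):
    """Block length for the n-th strike (1-based); the last tier repeats."""
    return BLOCK_SCHEDULE[min(strike, len(BLOCK_SCHEDULE)) - 1]


def triage(probes, real_servers):
    """Classify (src, dst) probe events; return (src, decoy, block_seconds) decisions.

    A probe to a decoy address is treated as malicious: nothing was ever
    published there, so no legitimate client has a reason to talk to it.
    Probes to real servers are ordinary traffic and yield no decision."""
    strikes = defaultdict(int)
    decisions = []
    for src, dst in probes:
        dst_ip = ipaddress.ip_address(dst)
        if dst_ip in real_servers:
            continue
        strikes[src] += 1
        decisions.append((src, str(dst_ip), block_duration(strikes[src])))
    return decisions


def tarpit_scan_time(hosts, stall_seconds=240):
    """Wall-clock seconds a sequential scanner needs if every decoy stalls it.

    Slide 29: LaBrea answers the SYN and then advertises a zero window, holding
    a Windows scanner for up to 4 minutes (assumed here as a flat 240 s)."""
    return hosts * stall_seconds


# Constructed probe log: one source sweeps consecutive addresses,
# another only ever talks to a real server.
PROBES = [
    ("203.0.113.7", "10.20.1.10"),   # real server
    ("203.0.113.7", "10.20.1.12"),   # decoy -> strike 1
    ("203.0.113.7", "10.20.1.13"),   # decoy -> strike 2
    ("198.51.100.9", "10.20.3.25"),  # real server only
    ("203.0.113.7", "10.20.1.14"),   # decoy -> strike 3
]

if __name__ == "__main__":
    ratio, p_decoy = decoy_ratio(NETWORK, REAL_SERVERS)
    print(f"{ratio:.0f} decoys per real server; P(random probe hits a decoy) = {p_decoy:.6f}")
    for src, dst, secs in triage(PROBES, REAL_SERVERS):
        print(f"block {src} for {secs // 3600} h after it probed decoy {dst}")
    days = tarpit_scan_time(NETWORK.num_addresses) / 86400
    print(f"sequential scan of the /16 through the tarpit: about {days:.0f} days")
```

With 10,000 hosts and a 240 s stall, `tarpit_scan_time` gives 2,400,000 s, the 27-odd days the slide quotes; the detection figure on slide 26 is the same `decoys / total` ratio applied to a much larger address space.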
  30. Storm Surge Mode: active re-configuration
     Suppose your "standard" BFH net emulates:
     - 25% Apache/Tomcat on RedHat 7
     - 25% Microsoft SQL on Win2003 Server
     - 25% Lotus Notes/Domino on Win2k Server
     - 25% Oracle 9i on Solaris
     IDS telemetry reports a spike in Win2k attacks. BFH configuration changes to:
     - 30% Microsoft SQL on Win2k Server
     - 30% Exchange on Win2k Server
     - 30% IIS on Win2k Server
     - 10% allocated among 30 other server/workstation images
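The telemetry-driven re-configuration of slide 30, as an added example (not code from the deck or the BFH project): a spike detector compares this window's attack counts per platform family against a baseline, a reallocation rule moves 90% of the decoys onto personalities of the attacked family, and largest-remainder apportionment turns the shares into whole address counts rendered as honeyd-style `bind <ip> <template>` lines. The catalogue, template names, telemetry figures, the 3x spike threshold and the 90% surge share are all constructed; the slide's own 30/30/30/10 split was hand-chosen, so this generalises it rather than reproducing it.

```python
"""Added example (not from the original slides): "Storm Surge Mode".
Catalogue, baseline, telemetry and the reallocation rule are constructed."""
import ipaddress
import math

# Constructed catalogue: decoy personality (template name) -> platform family.
CATALOG = {
    "apache_rh7": "linux",
    "mssql_win2003": "win2003",
    "domino_win2k": "win2k",
    "oracle_solaris": "solaris",
    "mssql_win2k": "win2k",
    "exchange_win2k": "win2k",
    "iis_win2k": "win2k",
}

# The "standard" mix from the slide: four personalities at 25% each.
BASELINE_MIX = {"apache_rh7": 0.25, "mssql_win2003": 0.25,
                "domino_win2k": 0.25, "oracle_solaris": 0.25}

# Constructed IDS telemetry: attacks per family, typical hour vs. current hour.
BASELINE_RATE = {"linux": 40, "win2003": 30, "win2k": 30, "solaris": 10}
WINDOW = {"linux": 45, "win2003": 28, "win2k": 210, "solaris": 9}


def spiking_families(window_counts, baseline_counts, factor=3.0):
    """Families whose count in this window is at least factor x their baseline."""
    return {fam for fam, n in window_counts.items()
            if n >= factor * max(baseline_counts.get(fam, 0), 1)}


def surge_mix(catalog, baseline_mix, spiking, surge_share=0.9):
    """Shift surge_share of the decoys onto personalities of the attacked families,
    spreading the remainder evenly over everything else; no spike, no change."""
    if not spiking:
        return dict(baseline_mix)
    surge = sorted(p for p, fam in catalog.items() if fam in spiking)
    rest = sorted(p for p in catalog if p not in surge)
    mix = {p: surge_share / len(surge) for p in surge}
    mix.update({p: (1 - surge_share) / len(rest) for p in rest})
    return mix


def allocate(mix, n_decoys):
    """Largest-remainder apportionment of n_decoys addresses across the mix."""
    raw = {p: share * n_decoys for p, share in mix.items()}
    counts = {p: math.floor(v) for p, v in raw.items()}
    leftover = n_decoys - sum(counts.values())
    for p in sorted(raw, key=lambda p: raw[p] - counts[p], reverse=True)[:leftover]:
        counts[p] += 1
    return counts


def bind_lines(counts, first_decoy="10.20.200.0"):
    """Render `bind <ip> <template>` lines, one decoy address per line,
    starting at first_decoy (honeyd-style syntax, assumed here)."""
    base = int(ipaddress.ip_address(first_decoy))
    lines, offset = [], 0
    for template in sorted(counts):
        for _ in range(counts[template]):
            lines.append(f"bind {ipaddress.ip_address(base + offset)} {template}")
            offset += 1
    return lines


if __name__ == "__main__":
    hot = spiking_families(WINDOW, BASELINE_RATE)
    print("spiking families:", hot)
    counts = allocate(surge_mix(CATALOG, BASELINE_MIX, hot), 1000)
    for template, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{template:16s} {n:4d} decoys")
    print("\n".join(bind_lines(counts)[:3]), "...")
```

The rule is deliberately simple so the decision is auditable: the only inputs are the per-family counts and a threshold, and the output is a complete new address map that can be pushed to the emulator and rolled back by re-running `allocate` on `BASELINE_MIX`.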
  31. The fun has just begun…
     Virtual honeynets: make legitimate servers look like bogus servers.
     - Make all servers (fake & real) look identical
     - BFH in your internal network
     - Malware outbreaks see your network with 16 million hosts
     - Ability to detect worms while slowing spread by 600x
     If all Class A, B & C networks ran BFH:
     - Emulation of 12,493,209,429,306 bogus hosts
     - Port scans & profiling a thing of the past
     - Worms and script kiddies would be economically infeasible
  32. Where to get started? Switching models will take time… What do we do in the interim?
  33. Turning the tide: Resilient systems
     - Server & desktop hardened images
     - Security templates – lock down desktops
     - Server-based authentication – PKI
     - Host-based intrusion detection
     - Centralized logging
     - Out-of-band server management
     - Honeypots / honeynets / tarpits
     - Camouflage and deception in DMZ
     - Consider Layer 2 validation / Walled Garden
  34. Turning the tide: People
     - Security is a people problem, not a technical problem
     - Hire and train smart, security-minded people to run your networks and servers
     - Reward security:
       - Establish benchmarks & vulnerability metrics
       - Create confidentiality & integrity metrics & SLAs
       - Audit against the benchmarks
       - Include security as a major salary/bonus modifier
     - Job descriptions must incorporate security objectives
     - Train developers, architects & BAs on how to develop secure systems
     - Equate security breaches & cracking tools with weapons or drugs in the workplace – a "zero tolerance" policy?
  35. Turning the tide: Process
     - Assess risk & vulnerability: BIA
     - Include security in feature sets & requirements
     - Segregation of Developers, Testers & Production, and particularly Prod Support from source code
     - Change management & access rights
     - Certification & Accreditation
     - Engage security team in charter & proposal phase
     - Bake security into the systems lifecycle
     - Require sponsor risk acceptance & authorization
     - Embed accreditation into change control
     - Include security in contract review and ROI
     - Configuration Management → security patch lists
  36. Summary
     - Use firewalls, but as one of many tools
     - Start network security with people, process and host security
     - Think outside the box when developing security architectures
     - Be prepared to dump your perimeter
     - Focus on malleable networking
     - Protect assets according to their value
  37. Q&A
     [Cartoon] Copyright FarWorks & Gary Larson
  38. Contact information
     Dan Houser, CISSP, CISM, ISSAP – dan.houser@gmail.com
     See the Submarine Warfare article: http://tinyurl.com/nwk7
     This slide deck is available on my (lame) homepage: http://web.infosec-forum.org/Members/ddhouser
