Slide 1: Forget Firewalls
RSA Conference 2003
Perimeter Defense Track
Dan Houser, CISSP, SSCP, CCP
Sr. Security Engineer, Nationwide
Daniel D. Houser, MBA, CISSP, e-Biz+ Copyright 2003, Nationwide Mutual Insurance Enterprises©

Slide 2: Overview
- Brief overview of firewall technology
- Analysis of firewall architecture
- Where firewalls fall short
- Changes in the security space
- Suggestions for improving network security
- Q&A

Slide 3: Forget Firewalls?
- Air compressor in your house?
- Does your car have these features?
  disk brakes, radial tires, coolant overflow, bumpers, doors, electric starter, muffler, engine firewall, HEPA filter, hazard lights, turn signal, brake wear indicators, safety glass, headlights, tail lights, rear view mirror, windshield, windshield wipers, hood prop rod, hood safety catch, sun visors, intermittent wipers, windshield defroster, rear defroster, UV tinted glass, crash-tested fuel tank, shock absorbers, suspension, power brakes, shoulder belts, safety belt reminder, inside trunk release, door ajar warning, fuel gauge, safety belt, remote-control mirrors

Slide 4: Forget Firewalls?
- Firewalls are becoming ubiquitous
- Switches no longer mention SNMP in their feature set; it’s presumed to be there.
- QoS is universal in high-end switches
- IDS is a standard offering
- IOS firewalls are popular implementations
- Firewalls are next

Slide 5: Old Incantations Lose their Power
- Firewalls are no longer the magic elixir for creating a “secure network”
- If firewalls were enough, would we have:
  - Network IDS?
  - Host-based IDS?
  - Intrusion Prevention Systems?
  - Honeypots?
- Simply firewalling networks is no longer enough
- Firewalls are now table stakes for doing e-business

Slide 6: Firewalls
- Provide filtered access between networks of differing trust levels, such as:
  - Un-trusted (Internet)
  - Semi-trusted (DMZ)
  - Trusted (Core network)
- Routers are Gateways, Firewalls are Gatekeepers
- Provide technical implementation of access control policies

Slide 7: Firewalls
- Trust granted largely on basis of IP header info

                     1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|  IHL  |      TOS      |          Total Length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        Identification         |Flags|     Fragment Offset     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|      TTL      |   Protocol    |        Header Checksum        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Source Address                         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      Destination Address                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                     Options.... (Padding)                     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Data...
+-+-+-+-+-+-+-+-+-+-+-+-+-

Slide 8: Firewall Operations
- Packet Filter
  - Blocks or permits traffic based on address & port
      Allow tcp 21 from 192.18.99.73:1111 to 10.2.1.17
      Allow tcp 25 from 128.146.214.28:25 to 10.2.1.17
      Allow tcp 80 from ANY to 10.2.1.16
      Allow tcp 443 from ANY to 10.2.1.16
      Deny everything else
  - Problems:
    - Makes assumptions on protocols based on ports
    - Analysis of header only… attacks in data go undetected
    - Most firewalls treat HTTP/HTTPS traffic as benign traffic
    - Over time, permissions table resembles Swiss Cheese
    - Often permits packet leaks when overwhelmed
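To make the two points on this slide concrete (decisions rest on the IP header fields drawn on slide 7, and "analysis of header only"), here is an added Python example that is not part of the original deck. It decodes the 20-byte IPv4 header laid out on slide 7, verifies the Header Checksum field, reads the TCP ports, and applies the slide's rule table with "deny everything else" as the final rule. The rule table is transcribed from the slide; the `build_packet` helper, the source address 203.0.113.9 and the sample payloads are constructed for the demonstration. Two packets with identical headers and entirely different payloads receive the same verdict, which is exactly the limitation the slide describes.

```python
import ipaddress
import struct

# Rule table transcribed from the slide: (proto, src_ip, src_port, dst_ip, dst_port).
# None stands for ANY. Rules are consulted in order; the final verdict is deny.
RULES = [
    ("tcp", "192.18.99.73", 1111, "10.2.1.17", 21),
    ("tcp", "128.146.214.28", 25, "10.2.1.17", 25),
    ("tcp", None, None, "10.2.1.16", 80),
    ("tcp", None, None, "10.2.1.16", 443),
]
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words; yields 0 when an existing checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> dict:
    """Decode the IPv4 header fields shown on slide 7 (RFC 791 layout)."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_length, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4   # IHL counts 32-bit words
    if version != 4 or ihl < 20 or ihl > len(packet):
        raise ValueError("not a well-formed IPv4 packet")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return {
        "version": version, "ihl": ihl, "tos": tos, "total_length": total_length,
        "id": ident, "flags": flags_frag >> 13, "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": PROTO_NAMES.get(proto, str(proto)),
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "payload": packet[ihl:],            # everything after the header: never inspected below
    }


def packet_filter_decision(packet: bytes) -> str:
    """Allow/deny using only the IP header and the TCP port numbers, like the slide's filter."""
    try:
        hdr = parse_ipv4(packet)
    except ValueError:
        return "deny"                       # malformed packets fall through to the default rule
    if hdr["protocol"] != "tcp" or len(hdr["payload"]) < 4:
        return "deny"
    sport, dport = struct.unpack("!HH", hdr["payload"][:4])
    for proto, r_src, r_sport, r_dst, r_dport in RULES:
        if (proto == hdr["protocol"]
                and (r_src is None or r_src == hdr["src"])
                and (r_sport is None or r_sport == sport)
                and r_dst == hdr["dst"] and r_dport == dport):
            return "allow"
    return "deny"                           # "Deny everything else"


def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Construct a sample IPv4 + minimal TCP packet for the demo (constructed input, not a capture)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    fields = [0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    header = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = ipv4_checksum(header)       # fill in the Header Checksum field
    return struct.pack("!BBHHHBBH4s4s", *fields) + tcp


def demo() -> dict:
    """Verdicts for constructed packets: identical headers, different payloads, same verdict."""
    http = build_packet("203.0.113.9", "10.2.1.16", 40000, 80, b"GET /index.html HTTP/1.0\r\n\r\n")
    not_http = build_packet("203.0.113.9", "10.2.1.16", 40000, 80, b"\x00\x01 not HTTP at all")
    ftp_ok = build_packet("192.18.99.73", "10.2.1.17", 1111, 21)
    ftp_other_sport = build_packet("192.18.99.73", "10.2.1.17", 2222, 21)
    ssh = build_packet("203.0.113.9", "10.2.1.16", 40001, 22)
    return {
        "http": packet_filter_decision(http),
        "not_http": packet_filter_decision(not_http),
        "ftp_ok": packet_filter_decision(ftp_ok),
        "ftp_other_sport": packet_filter_decision(ftp_other_sport),
        "ssh": packet_filter_decision(ssh),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} {verdict}")
```

The `not_http` packet is accepted purely because its destination and port match the port-80 rule; nothing in `packet_filter_decision` ever reads `payload` beyond the two port numbers, which is why the slide's "attacks in data go undetected" holds for any filter built this way.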

Slide 9: Firewall Operations
- Application Gateway/Proxy Firewall
  - Protocol aware (ftp, http, smtp, etc.)
  - Terminates network connections
  - Intermediates between two networks
  - Rebuilds packets based on protocols supported
  - Usually provides extensive logging and authentication features
  - Problems:
    - Can’t handle new or unsupported protocols
    - Heavy performance hit
    - Data attacks still largely permitted
    - Often permits packet leaks when overwhelmed

Slide 10: Fortress Mentality
Firewall Model: Classic Perimeter Security
Network implementation of physical barriers, designed with overlapping, visible, impenetrable barriers
(figure: the Atlantic Wall)

Slide 11: Classic Firewall/DMZ Design
(figure: castle diagram with zones labelled External, Outer Courtyard, Inner Courtyard and Throne Room)

Slide 12: Assumptions of the Classic Perimeter Security Model
- Attackers are outside breaking in
- Attackers cannot breach the wall
- Attackers are identified by guards
- Guards are loyal
- All contact comes through a single path
Unfortunately, these are all wrong.

Slide 13: Reality
- Most attackers are inside
- Attackers can breach the wall
- Guards can’t identify all attackers
- Guards can be subverted
- Communication over MANY paths

Slide 14: Reality: Inside Attacks
- Most attackers are inside
  - Historically, 65% - 80% of attacks are internal
  - Largest $$ losses are to internal attacks
  - Firewalls offer no protection to internal attacks

Slide 15: Reality: Breaching the Wall
Attackers can breach the wall
Insiders regularly open holes in network perimeters:
- VPN or Dialup connection from trojaned home PC
- Users adding modems to their PCs
- Rogue Wireless Access Points
- Visitors in your conference rooms
- P2P: GoToMyPC, Gnutella, HTTPTunnel, KaZaA
- Malware & spyware – Is NIMDA on your ‘net?
- AIM, Windows Messenger

Slide 16: Reality: Guards can be fooled
Application-based attacks go unchecked:
- Hidden Manipulation
- Cookie Poisoning
- Application Parameter Tampering
- Forced Browsing
- 70% of e-commerce attacks are over port 80
Host-based attacks largely unchecked:
- Reactive, signature-based response
- Apache “chunking” vulnerability
- Exploit of sendmail, IIS vulnerabilities
- Buffer overflows continue to pop up
- Code Red and NIMDA still rampant
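Cookie poisoning, hidden-field manipulation and parameter tampering all depend on the client being able to edit state the server handed out, and all of them travel over the port 80 that the firewall treats as benign. The check that catches them lives in the application tier. The following Python example is added here and is not from the deck or any product: it seals server-issued fields with an HMAC-SHA256 tag and refuses any cookie or hidden field whose tag no longer matches. The key, the order fields and the session fields are constructed for the demonstration; `edited_without_key` only builds the test input a client-side edit would produce.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed demo key: in production this comes from a secret store, never from source code.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def seal(fields: dict) -> str:
    """Serialize server-issued fields and append an HMAC-SHA256 tag over the exact bytes."""
    body = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(tag).decode()


def unseal(token: str):
    """Return the fields if the tag verifies, else None. Any edit to body or tag fails."""
    try:
        body_b64, tag_b64 = token.split(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):     # constant-time comparison
        return None
    try:
        return json.loads(body)
    except ValueError:
        return None


def edited_without_key(token: str, changes: dict) -> str:
    """Test input only: re-encode the body with changed fields but keep the original tag.
    This is what a browser-side edit of a cookie or hidden field looks like to the server."""
    body_b64, tag_b64 = token.split(".", 1)
    fields = json.loads(base64.urlsafe_b64decode(body_b64))
    fields.update(changes)
    body = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + tag_b64


def checkout(order_token: str, session_cookie: str) -> str:
    """Application-layer check a web tier runs; a port-80 packet filter sees none of this."""
    order = unseal(order_token)
    session = unseal(session_cookie)
    if order is None:
        return "rejected: order fields tampered"
    if session is None:
        return "rejected: session cookie tampered"
    return (f"ok: {session['user']} ({session['role']}) buys "
            f"{order['qty']} x {order['sku']} at {order['price_cents']} cents")


def demo() -> dict:
    """Honest submission, an edited hidden price, an edited role cookie, and garbage."""
    order = seal({"sku": "A100", "price_cents": 4999, "qty": 1})       # constructed hidden field
    session = seal({"user": "alice", "role": "customer"})             # constructed session cookie
    return {
        "honest": checkout(order, session),
        "price_edited": checkout(edited_without_key(order, {"price_cents": 1}), session),
        "role_edited": checkout(order, edited_without_key(session, {"role": "admin"})),
        "garbage": checkout("not-a-token", session),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:13s} {outcome}")
```

Sealing protects integrity only: the fields are still readable by the client, so nothing secret belongs in them, and a sealed token can be replayed unless it also carries an expiry or a server-side session reference.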

Slide 17: Reality: Messengers can be subverted
- Servers in your DMZs serve as stepping stones into your network
- Once a host is exploited, it’s a gateway
- Firewalls route subverted messages
- DMZ servers make great sniffers and password crackers

Slide 18: Reality: Many communication paths
- The Classic model is flawed due to the presence of alternate data paths to:
  - Business Partners
  - VPN & Dialup home PCs
  - Subsidiaries and Affiliates
  - Rogue networks

Slide 19: Classic Firewall/DMZ Design
(figure: the castle diagram from slide 11 again, zones labelled External, Outer Courtyard, Inner Courtyard and Throne Room)

Slide 20: Reality: Many communication paths
(figure: the network with paths to Business partners, Affiliates, Subsidiaries, Telecommuters, On-site Consultants, Support Technicians, Off-site Consultants, and several unknown paths marked "??")

Slide 21: Red Queen Race
- Web Services Security is changing the rules:
  - Outsourced authentication
  - Extranet access to core systems
  - Datafeeds over HTTP using XML & SOAP
  - Outsourced services, data processing
- Highly-connected networks
- Swiss-cheese firewall rulesets
In short, there is no network perimeter.

Slide 22: New paradigms are needed
We must migrate from ground-based warfare to a model that fits Information Warfare.
“He who does not learn from history is doomed to repeat it.”
- The Maginot Line was bypassed
- The Atlantic Wall was pierced and defeated
- The Great Wall was partial protection
- The Alamo fell to a massive attack

Slide 23: New Paradigm: Submarine Warfare
- In Submarine Warfare:
  - Everyone is an enemy until proven otherwise
  - All contacts are tracked and logged
  - Hardened autonomous systems
  - Constant vigilance
  - Identify Friend or Foe (IFF) becomes vital
  - Hunter-killer units vital to protect strategic investments – offense as well as defense
  - Environment “listeners” for ASW and tracking
  - Evade detection, hound and confuse the enemy

Slide 24: How does Submarine Warfare translate into InfoWarfare?
- Use of hardened kernels for servers, e.g. PitBull
  - All systems with hardened images and minimal services, not just the DMZ servers
- Analyze traffic, not just headers
  - Application-based firewalls (e.g. AppShield)
  - HTTP host header compliance
  - XML Filtering
- Confuse and harass attackers
  - Save all .ASP code as .PHP files
  - Configure responses from Apache that mimic IIS
  - Open dummy Netbios ports on Unix servers
  - Open bogus 21, 23, 25, 80 & 443 ports on all servers
  - Virtual honeypots / honeynets
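"HTTP host header compliance" on this slide means refusing requests that are not addressed to a name the server actually serves, which is a cheap piece of "analyze traffic, not just headers" that a packet filter on port 80 cannot do, since it never reads past the TCP ports. The following Python example is added here and is not the deck's or any product's code: a request-head checker that a reverse proxy could apply before forwarding to the web tier. The names in ALLOWED_HOSTS and the sample requests are constructed for the demonstration.

```python
ALLOWED_HOSTS = {"www.example.com", "example.com"}   # constructed: names this server actually serves
ALLOWED_METHODS = {"GET", "HEAD", "POST"}


def check_request(raw: bytes) -> tuple:
    """Decide whether an HTTP request head complies with Host-header policy.
    Returns (True, "ok") or (False, reason). Only the head is examined; the body is untouched."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes in request head"
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return False, "malformed request line"
    method, target, _version = parts
    if method not in ALLOWED_METHODS:
        return False, "method not permitted"
    if not target.startswith("/"):
        return False, "request target must be an absolute path"
    hosts = []
    for line in lines[1:]:
        if ":" not in line:
            return False, "malformed header line"
        name, value = line.split(":", 1)
        if name.strip().lower() == "host":
            hosts.append(value.strip())
    if len(hosts) != 1:                     # absent or duplicated Host is ambiguous: refuse
        return False, "exactly one Host header required"
    host = hosts[0].lower()
    if ":" in host:                         # drop an explicit port, e.g. www.example.com:80
        host = host.rsplit(":", 1)[0]
    if host not in ALLOWED_HOSTS:           # requests by bare IP or for other sites stop here
        return False, "Host not served here"
    return True, "ok"


# Constructed sample requests, the kind a proxy sees in front of a web tier.
SAMPLES = {
    "normal": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: demo\r\n\r\n",
    "with_port": b"GET / HTTP/1.1\r\nHost: WWW.Example.com:80\r\n\r\n",
    "by_ip": b"GET / HTTP/1.0\r\nHost: 10.2.1.16\r\n\r\n",
    "no_host": b"GET / HTTP/1.0\r\n\r\n",
    "two_hosts": b"GET / HTTP/1.1\r\nHost: www.example.com\r\nHost: other.example\r\n\r\n",
    "other_site": b"GET / HTTP/1.1\r\nHost: other.example\r\n\r\n",
    "bad_method": b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}


def demo() -> dict:
    """Verdict and reason for every constructed sample."""
    return {name: check_request(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:11s} {'pass' if ok else 'drop'}  {reason}")
```

The check is deliberately narrow: it gates on who the request claims to be for, not on what it asks. Requests that reach the web tier still need the application-layer validation the earlier slides call for, and rejected requests are worth logging, since a stream of Host-less or by-IP requests is a usable signal for the network IDS the next slide mentions.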

Slide 25: How does Submarine Warfare translate into InfoWarfare?
- Heavy use of crypto for IFF functions
  - Accelerators & HSM will be key technologies
  - SSL-aware proxy servers
- Tiger teams and internal search & seizure
  - Businesses can’t afford rogue servers
- Ethical hackers, capture the flag, & wargames: A&P
- Vulnerability assessment teams
- Network IDS is key
  - Analyzing packets for IFF analysis
  - Identifying and tracking intruders
  - Vectoring CIRT
- Training, education and employee retention

Slide 26: Where to get started?
Switching models will take time… What do we do in the interim?

Slide 27: Turning the tide: Resilient Systems
- Server & Desktop hardening
  - Security templates – lock down desktops
- Server-based authentication through PKI
- Host-based intrusion detection
- Centralized logging
- Out-of-band server management
- Eliminate single points of failure
- Honeypots

Slide 28: Turning the tide: People
- Security is a people problem, not a technical problem
- Hire and train smart, security-minded people to run your networks and servers
- Reward security:
  - Establish benchmarks & vulnerability metrics
  - Audit against the benchmarks
  - Include as major salary/bonus modifier
  - More than just uptime - confidentiality & integrity key
- Train developers, architects & BAs on how to develop secure systems
- Treat security breaches like weapons or drugs in the workplace - Zero tolerance policy?

Slide 29: Turning the tide: Process
- Assess risk & vulnerability: BIA
- Include security in feature sets & requirements
- Segregation of Developers, Testers & Production, and Prod Support from Code
- Change management & access rights
- Certification & Accreditation
- Engage security team in charter & proposal phase
- Bake security into the Systems Life Cycle
- Require security signoff for code migration
- Include security in contract review and ROI
- Turn Y2k lists into security patching lists

Slide 30: Summary
- Use firewalls, but as one of many tools
- Start network security with people, process and host security
- Think outside the box when developing security architectures
- Be prepared to increase either security spending or security loss projections
- Protect assets according to their value

Slide 31: Q&A
