Perimeter Defense when you don't have a perimeter, and how to change the paradigm to protect hosts, and hide from the bad guys. Introduction of the Big Freakin' Haystack project (that, sadly, went nowhere).
Slide 2: Overview
Classic firewall perspective
Where firewalls fall short
Changes in the security space
Suggestions for improving network security
Strategic vision
Tactical focus
Q&A
This presentation is designed to be a visit through the looking glass: thinking about perimeter security from a different perspective.
Slide 3: Classic perimeter security
Fortress mentality
Network implementation of physical barriers
Designed with overlapping, visible, impenetrable barriers
(Image: Atlantic Wall)
Slide 5: Assumptions of the classic perimeter security model
Attackers are outside trying to break in
Attackers cannot breach the wall
Attackers are identified by guards
Guards are loyal
All contact comes through a single path
Unfortunately, these are all wrong.
Slide 6: Reality
Most attackers are inside
Attackers can breach the wall
Guards can't identify all attackers
Guards can be subverted
Communication over MANY paths
Slide 7: Reality: Many communication paths
(Diagram labels) Business partners; affiliates; subsidiaries; telecommuters; on-site consultants; support technicians; off-site consultants; unknown parties (??); spybots; spyware / adware
Slide 8: Red Queen race
"You have to run faster and faster just to stay in the same place!"
- The Red Queen, Alice in Wonderland
Image courtesy www.rushlimbaugh.com
Slide 10: Red Queen race
Web Services Security is changing the rules:
Outsourced authentication (federated)
Extranet access to core systems
RPC calls over HTTP using XML & SOAP
Offshore services, data processing
Highly connected networks
Very tight business integration
In short, there is no network perimeter
Slide 11: New paradigms are needed
We must migrate from ground-based warfare to a model that fits information warfare
"He who does not learn from history is doomed to repeat it."
The Maginot Line was bypassed
The Atlantic Wall was pierced and defeated
The Great Wall provided only partial protection
The Alamo fell to a massive attack
Slide 12: New paradigm: Submarine warfare
In submarine warfare...
Everyone is an enemy until proven otherwise
All contacts are tracked and logged
Hardened autonomous systems
Rules of engagement govern all response
Constant vigilance
Identify Friend or Foe (IFF) becomes vital
Hunter-killer units vital to protect strategic investments: offensive as well as defensive players
Environment "listeners" for ASW and tracking
Evade detection, hound and confuse the enemy
Slide 13: How does Submarine Warfare translate into InfoWarfare?
Harden all devices, not just the DMZ
Use of hardened kernels for all servers
Harden all systems and run minimal services
Minimal installations on desktops
Dumb terminals where available
Provide Office tools to knowledge workers only
Strip unneeded capabilities from kiosks
Remove the ability to install software
Analyze traffic, not just headers
Application-based firewalls
XML filtering
Slide 14: How does Submarine Warfare translate into InfoWarfare?
Segregate boot camp from the theatre of operations
VLAN development, test, DR & production
Make change control your code firewall
Only change control spans 2 security zones
Production support segregated from source code
Endpoint compliance / Walled Garden
Core network becomes the DMZ
Since most attacks are from within, make cubicles a DMZ
Create hardened subnets for accounting, HR, IT, operations
Publish intranets in the DMZ
Slide 15: Network segmentation: Crunchy on the outside and the middle
Source: Information Security Magazine, "Network Security: Submarine Warfare", Dan Houser, 2003, http://tinyurl.com/nwk7
Slide 16: How does Submarine Warfare translate into InfoWarfare?
Heavy use of crypto for IFF functions
Accelerators & HSM will be key technologies
Require all packets to be signed (e.g. Kerberos)
Certificate revocation for intrusion prevention
Network PKI becomes mission critical at layer 2
Emerging products for Layer 2 auth: TNT/Endforce
Network IDS is key
Analyzing packets for IFF analysis, heuristics
ISP pre-filtered IDS
Analog threat tagging
Identifying and tracking intruders
Isolating subnets with hostile traffic
Revoke certificates for hostile servers
Vectoring CIRT
Slide 17: How does Submarine Warfare translate into InfoWarfare?
Tiger teams and internal search & seizure
Businesses can't afford rogue servers
Zero tolerance policy for hacking
Ethical hackers, capture the flag & war games: A&P
Vulnerability assessment teams
Drill and war games
Red teams: capture the flag
Blue teams: learn from red teams, patch vulnerabilities
Highly trained staff becomes core competency
Training
Education
Employee retention
Slide 18: How does Submarine Warfare translate into InfoWarfare?
"All warfare is based on deception." - Sun Tzu
Confuse and harass attackers...
Make your real servers look bogus
Save all .ASP code as .CGI files, Perl as .ASP
Configure responses from Apache that mimic IIS
Open dummy NetBIOS ports on Unix servers
Use unpredictable ports: run SSH on 19384
Call your database server "Firewall"
Route bogus traffic to IDS network
Slide 19: How does Submarine Warfare translate into InfoWarfare?
Further deception techniques
Perception management
Low profile facilities
Red herring accounts
Minimalistic error messages (or fake error messages)
Temporary blindness: ignoring misbehaving nodes
Deceptive websites: false configs & backdoors
See Fred Cohen's site: www.all.net
Slide 21: Old school attack
Lone interloper targets major firm
Studies publicly available information
Hangs out at local pub, befriends sales team
Dumpster dives to obtain manuals, phone lists
Uses war-dialer to find modems & remote hosts
Uses social engineering to obtain passwords
Dials up hosts, logs in, mayhem & mischief
Slide 22: "Modern" attack
Lone interloper targets IP range
Downloads script kiddy tools
Scans IP range looking for vulnerable hosts
Port scans hosts looking for exploitable services
Uses exploit tool, mayhem & mischief
Target selection now a target of opportunity... indiscriminate attack
Slide 23: Worms hit 10,000 networks at once...
Photo courtesy The Weather Channel
Slide 24: What we need is early warning
Photo courtesy NASA
Slide 25: Hide in the open: Honeyd + arpd
Low-interaction virtual honeypot
honeyd with arpd creates a virtual network
Create a server that emulates an address range: 10.x.x.x, 192.168.x.x, public IP range
Listen on all ports
Emulate good hosts: MS-Exchange, Solaris/Oracle, MS-SQL, RedHat/Apache/Tomcat, WinXP Pro
Emulate bad boxes: botnet servers, Warez server, trojaned workstations, Win95 workstation, backdoor
Slide 26: Hide in the open: Honeyd + arpd
Convert unused address space into decoy tripwire nets: 16,320,000 decoys to 200 "real" servers
Stop swallowing packets: route unreachable hosts to the virtual honeynet
190,000 decoys per "real" server = 99.9995% detection
Any hits are malicious: route to IDS / IPS
Research attack profile.
Block attackers for 1 hour, 2 hours, 24 hours, 1 week.
You've gained breathing room to respond to real attacks
Slide 29: The fun has just begun...
LaBrea: SYN/ACK, TCP window size = 0 (wait)
Load LaBrea to freeze a scan, run on a random port
Freezes Windows-based scanners up to 4 minutes
Scanning 10,000 hosts takes 27 days.
Detecting 100 unpublished hosts in a Class A would take approximately 112 years
Disclaimer: This may be illegal in your municipality. I am not a lawyer. Talk to one.
Slide 30: The fun has just begun...
Storm Surge Mode: active re-configuration
Suppose your "standard" BFH net emulates:
25% Apache/Tomcat on RedHat 7
25% Microsoft SQL on Win2003 Server
25% Lotus Notes/Domino on Win2k Server
25% Oracle 9i on Solaris
IDS telemetry reports a spike in Win2k attacks
BFH configuration changes:
30% Microsoft SQL on Win2k Server
30% Exchange on Win2k Server
30% IIS on Win2k Server
10% allocated among 30 other server/workstation images
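Storm surge mode is a re-weighting problem: take a personality mix, apportion the decoy addresses across it, and swap to a different mix when telemetry says one platform is being hammered. The following is an added example and not code from the slides or the BFH project. It generates a honeyd configuration (create / set personality / add port / bind, the syntax honeyd reads from its -f file) for the two mixes on the slide. The personality strings, port lists and template names are assumptions for illustration; honeyd matches personality strings against the nmap.prints file it ships with, so they have to be checked against your copy. The "30 other images" are collapsed into a single Win95 workstation template to keep the example short, and the telemetry counter and address block are constructed input.

```python
# Added example (not from the slides or the BFH project): honeyd config
# generation with storm-surge re-weighting. Personalities, ports and template
# names are assumed; telemetry and addresses are constructed sample input.
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple

# template name -> (nmap personality string, open TCP ports). Assumed values.
TEMPLATES: Dict[str, Tuple[str, List[int]]] = {
    "apache_rh7":   ("Linux 2.4.7 (X86)", [22, 80, 8080]),
    "mssql_w2k3":   ("Microsoft Windows Server 2003 Standard Edition", [135, 139, 445, 1433]),
    "domino_w2k":   ("Microsoft Windows 2000 Server SP4", [135, 139, 445, 1352]),
    "oracle_sol":   ("Sun Solaris 9", [22, 1521]),
    "mssql_w2k":    ("Microsoft Windows 2000 Server SP4", [135, 139, 445, 1433]),
    "exchange_w2k": ("Microsoft Windows 2000 Server SP4", [25, 110, 135, 139, 445]),
    "iis_w2k":      ("Microsoft Windows 2000 Server SP4", [80, 135, 139, 443, 445]),
    "win95_ws":     ("Microsoft Windows 95", [139]),   # stand-in for the "30 other images"
}

# The two mixes from the slide, as fractions of the decoy address pool.
STANDARD_MIX = {"apache_rh7": 0.25, "mssql_w2k3": 0.25, "domino_w2k": 0.25, "oracle_sol": 0.25}
SURGE_MIX = {"mssql_w2k": 0.30, "exchange_w2k": 0.30, "iis_w2k": 0.30, "win95_ws": 0.10}


def choose_mix(telemetry: Counter, platform: str = "win2k", threshold: float = 0.5) -> Dict[str, float]:
    """Switch to the surge mix once `platform` accounts for at least
    `threshold` of the attacks the IDS has reported."""
    total = sum(telemetry.values())
    if total and telemetry[platform] / total >= threshold:
        return SURGE_MIX
    return STANDARD_MIX


def allocate(mix: Dict[str, float], addresses: List[str]) -> Dict[str, str]:
    """Largest-remainder apportionment: counts always sum to len(addresses)."""
    n = len(addresses)
    raw = {name: frac * n for name, frac in mix.items()}
    counts = {name: int(v) for name, v in raw.items()}
    shortfall = n - sum(counts.values())
    for name in sorted(raw, key=lambda k: raw[k] - counts[k], reverse=True)[:shortfall]:
        counts[name] += 1
    assignment, it = {}, iter(addresses)
    for name, count in counts.items():
        for _ in range(count):
            assignment[next(it)] = name
    return assignment


def render_honeyd_conf(assignment: Dict[str, str]) -> str:
    """Emit a honeyd configuration: one template per personality in use,
    everything else dropped, and one bind line per decoy address."""
    lines = [
        "create default",
        "set default default tcp action block",
        "set default default udp action block",
        "set default default icmp action block",
        "",
    ]
    for name in sorted(set(assignment.values())):
        personality, ports = TEMPLATES[name]
        lines.append(f"create {name}")
        lines.append(f'set {name} personality "{personality}"')
        lines.append(f"set {name} default tcp action reset")
        lines.append(f"set {name} default udp action reset")
        for port in ports:
            lines.append(f"add {name} tcp port {port} open")
        lines.append("")
    for addr, name in assignment.items():
        lines.append(f"bind {addr} {name}")
    return "\n".join(lines) + "\n"


def template_counts(assignment: Dict[str, str]) -> Dict[str, int]:
    return dict(Counter(assignment.values()))


def build(telemetry: Counter, cidr: str = "10.0.0.0/24", n: int = 100) -> Dict[str, int]:
    """Pick the mix for the current telemetry and report how many decoys
    each template receives out of the first n hosts of the block."""
    addresses = [str(ip) for ip in ipaddress.ip_network(cidr).hosts()][:n]
    return template_counts(allocate(choose_mix(telemetry), addresses))


if __name__ == "__main__":
    # Constructed telemetry: 70 of 100 reported attacks target Win2k.
    surge = Counter(win2k=70, other=30)
    pool = [str(ip) for ip in ipaddress.ip_network("10.0.0.0/24").hosts()][:100]
    print(render_honeyd_conf(allocate(choose_mix(surge), pool)))
```

Written to a file, the output is what you hand to honeyd (honeyd -d -f bfh.conf 10.0.0.0/24) after starting arpd on the same block so the decoy addresses answer ARP. The standard mix gives 25 decoys per template on a 100-address pool; once the Win2k share of telemetry crosses the threshold the same pool is re-bound as 30/30/30/10, which is the slide's "active re-configuration".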
Slide 31: The fun has just begun...
Virtual honeynets: Make legitimate servers look like bogus servers.
Make all servers (fake & real) look identical
BFH in your internal network
Malware outbreaks see your network with 16 million hosts
Ability to detect worms while slowing spread by 600x
If all Class A, B & C networks ran BFH:
Emulation of 12,493,209,429,306 bogus hosts
Port scans & profiling a thing of the past
Worms and script kiddies would be economically infeasible.
Slide 32: Where to get started?
Switching models will take time... What do we do in the interim?
Slide 33: Turning the tide: Resilient systems
Server & desktop hardened images
Security templates: lock down desktops
Server-based authentication: PKI
Host-based intrusion detection
Centralized logging
Out-of-band server management
Honeypots / honeynets / tarpits
Camouflage and deception in the DMZ
Consider Layer 2 validation / Walled Garden
Slide 34: Turning the tide: People
Security is a people problem, not a technical problem
Hire and train smart, security-minded people to run your networks and servers
Reward security:
Establish benchmarks & vulnerability metrics
Create confidentiality & integrity metrics & SLAs
Audit against the benchmarks
Include security as a major salary/bonus modifier
Job descriptions must incorporate security objectives
Train developers, architects & BAs on how to develop secure systems
Treat security breaches & cracking tools like weapons or drugs in the workplace: a "zero tolerance" policy?
Slide 35: Turning the tide: Process
Assess risk & vulnerability: BIA
Include security in feature sets & requirements
Segregation of developers, testers & production, and particularly prod support from source code
Change management & access rights
Certification & accreditation
Engage security team in charter & proposal phase
Bake security into the systems lifecycle
Require sponsor risk acceptance & authorization
Embed accreditation into change control
Include security in contract review and ROI
Configuration management → security patch lists
Slide 36: Summary
Use firewalls, but as one of many tools
Start network security with people, process and host security
Think outside the box when developing security architectures
Be prepared to dump your perimeter
Focus on malleable networking
Protect assets according to their value
Slide 38: Contact information
Dan Houser, CISSP, CISM, ISSAP
dan.houser@gmail.com
See Submarine Warfare article: http://tinyurl.com/nwk7
This slide deck is available on my (lame) homepage: http://web.infosec-forum.org/Members/ddhouser