Slide 1 of 105
Identifying and Patrolling your True Network Perimeter
Bill Cheswick
ches@lumeta.com
http://www.lumeta.com
Slide 2 of 105 (Pondering Perimeters: GFIRST Orlando)
Talk Outline
• A little personal history concerning perimeter defenses
• Outside: mapping the Internet
• A discussion of perimeter defenses
• Strong host security
• Mapping and understanding intranets
• The past and future of Microsoft host security
  – my Dad’s computer
• Ned will show you some details of our product
Slide 3 of 105
A short bio regarding Internet perimeters
• Started at Bell Labs in December 1987
  – Immediately took over postmaster and firewall duties
• Good way to learn the ropes, which was my intention
Slide 4 of 105
Morris worm hit on Nov 1988
• Heard about it on NPR
  – Had a “sinking feeling” about it
• The home-made firewall worked
  – No fingerd
  – No sendmail (we rewrote the mailer)
• Intranet connection to Bellcore
• We got lucky
• Bell Labs had 1330 hosts
• Corporate HQ didn’t know or care
Slide 5 of 105
Action items
• Shut down the unprotected connection to Bellcore
  – What we now call a “routing leak”
• Redesign the firewall for much more capacity, and no “sinking feeling”
  – (VAX 750, load average of 15)
• Write a paper on it
  – “If you don’t write it up, you didn’t do the work”
Slide 6 of 105
Old gateway:
Slide 7 of 105
New gateway:
Slide 8 of 105
New gateway: (one referee’s suggestion)
Slide 9 of 105
“Design of a Secure Internet Gateway” – Anaheim Usenix, Jan 1990
• My first real academic paper
• It was pretty good, I think
• It didn’t have much impact, except for two pieces:
  – Coined the word “proxy” in its current use (this was for a circuit-level gateway; predated SOCKS by three years)
  – Coined the expression “crunchy outside and soft chewy center”
Slide 10 of 105
Why wasn’t the paper more influential?
• Because the hard part isn’t the firewall, it is the perimeter
  – I built a high security firewall for USSS from scratch in about 2 hours in Sept. 2001.
• I raised our firewall security from “low medium” to “high”
  – (that’s about as good as computer and network security measurement gets)
• The perimeter security was “dumb luck”, which we raised to “probably none”
Slide 11 of 105
Network and host security levels
• Dumb luck
• None
• Low
• Medium
• High = no “sinking feeling”
Slide 12 of 105
By 1996, AT&T’s intranet
• Firewall security: high, and sometimes quite a pain, which meant
• Perimeter security: dumb luck
• Trivestiture didn’t change the intranet configuration that much
Slide 13 of 105
Lucent now (1997) (sort of)
We’d circled the wagons around Wyoming
[Diagram: the Lucent intranet (130,000; 266K IP addresses; 3000 nets ann.), with sites at Allentown, Murray Hill, Columbus and Holmdel; links via SLIP, PPP, ISDN, X.25 and cable; Murray Hill connects to the Internet; ~200 business partners and thousands of telecommuters]
Slide 14 of 105 [image]
Slide 15 of 105
Highlands forum, Annapolis, Dec 1996
• A Rand corp. game to help brief a member of the new President’s Infrastructure Protection Commission
• Met Esther Dyson and Fred Cohen there
  – Personal assessment by intel profiler
• “Day after” scenario
• Gosh it would be great to figure out where these networks actually go
Slide 16 of 105
Perimeter Defenses have a long history
Slide 17 of 105
Lorton Prison
Slide 18 of 105
The Pretty Good Wall of China
Slide 19 of 105 [image]
Slide 20 of 105 [image]
Slide 21 of 105 [image]
Slide 22 of 105
Perimeter Defense of the US Capitol Building
Slide 23 of 105
Flower pots
Slide 24 of 105 [image]
Slide 25 of 105
Security doesn’t have to be ugly
Slide 26 of 105 [image]
Slide 27 of 105 [image]
Slide 28 of 105 [image]
Slide 29 of 105 [image]
Slide 30 of 105
Delta barriers
Slide 31 of 105
Edinburgh Castle
Slide 32 of 105
Warwick Castle
Slide 33 of 105
Heidelberg Castle, started in the 1300s
Slide 34 of 105 [image]
Slide 35 of 105
Berwick Castle
Slide 36 of 105 [image]
Slide 37 of 105 [image]
Slide 38 of 105
Parliament: entrance
Slide 39 of 105
Parliament: exit
Slide 40 of 105
Why use a perimeter defense?
• It is cheaper
  – A man’s home is his castle, but most people can’t afford the moat
• You can concentrate your equipment and your expertise in a few areas
• It is simpler, and simpler security is usually better
  – Easier to understand and audit
  – Easier to spot broken parts
Slide 41 of 105
What’s wrong with perimeter defenses
• They are useless against insider attacks
• They provide a false sense of security
  – You still need to toughen up the inside, at least some
  – You need to hire enough defenders
• They don’t scale well
Slide 42 of 105
Anything large enough to be called an ‘intranet’ is out of control
Slide 43 of 105
Project 1: Can we live without an intranet?
Strong host security
Mid 1990s
Slide 44 of 105
I can, but you probably can’t
• “Skinny-dipping” on the Internet since the mid 1990s
• The exposure focuses one clearly on the threats and proactive security
• It’s very convenient, for the services I dare to use
• Many important network services are difficult to harden
Slide 45 of 105
Skinny dipping rules
• Only minimal services are offered to the general public
  – Ssh
  – Web server (jailed Apache)
  – DNS (self chrooted)
  – SMTP (postfix, not sendmail)
• Children (like employees) and MSFT clients are untrustworthy
• Offer hardened local services at home, like SAMBA (chroot), POP3 (chroot)
• I’d like to offer other services, but they are hard to secure
Slide 46 of 105
Skinny dipping requires strong host security
• FreeBSD and Linux machines
• I am told that one can lock down an MSFT host, but there are hundreds of steps, and I don’t know how to do it.
• This isn’t just about operating systems: the most popular client applications are, in theory, very dangerous and, in practice, very dangerous.
  – Web browsers and mail readers have many dangerous features
Slide 47 of 105
Skinny dipping flaws
• Less defense in depth
• No protection from denial-of-service attacks
Slide 48 of 105
Project 2: The Internet Mapping Project
An experiment in exploring network connectivity
1998
Slide 49 of 105
Methods - network discovery (ND)
• Obtain master network list
  – network lists from Merit, RIPE, APNIC, etc.
  – BGP data or routing data from customers
  – hand-assembled list of Yugoslavia/Bosnia
• Run a TTL-type (traceroute) scan towards each network
• Stop on error, completion, no data
  – Keep the natives happy
Slide 50 of 105
Methods - data collection
• Single reliable host connected at the company perimeter
• Daily full scan of Lucent
• Daily partial scan of Internet, monthly full scan
• One line of text per network scanned
  – Unix tools
• Use a light touch, so we don’t bother Internet denizens
Slide 51 of 105
TTL probes
• Used by traceroute and other tools
• Probes toward each target network with increasing TTL
• Probes are ICMP, UDP, TCP to port 80, 25, 139, etc.
• Some people block UDP, others ICMP
Slide 52 of 105
Intranet implications of Internet mapping
• High speed technique, able to handle the largest networks
• Light touch: “what are you going to do to my intranet?”
• Acquire and maintain databases of Internet network assignments and usage
Slide 53 of 105
Advantages
• We don’t need access (i.e. SNMP) to the routers
• It’s very fast
• Standard Internet tool: it doesn’t break things
• Insignificant load on the routers
• Not likely to show up on IDS reports
• We can probe with many packet types
Slide 54 of 105
Limitations
• View is from scanning host only
  – Multiple scan sources give a better view
• Outgoing paths only
• Level 3 (IP) only
  – ATM networks appear as a single node
• Not all routers respond
  – Some are silent
  – Others are “shy” (RFC 1123 compliant), limited to one response per second
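The collection pipeline on the preceding slides (one line of text per network scanned, TTL-type probes, silent and shy routers, a map colored by distance from the scanning host) as a small Python model. This is an added example, not Lumeta's code or data format: the line layout, the addresses, the scanning host address SCANNER and the internal prefix list INTERNAL are constructed assumptions. It also flags routing leaks in the sense used earlier in the deck, internal routes that a scan from outside the perimeter can reach.

```python
"""Toy traceroute-style network discovery: scan lines -> router graph ->
distance coloring -> routing-leak check. Added example; format and addresses
are constructed assumptions, not Lumeta's."""
from collections import deque
from ipaddress import ip_network

# Constructed sample: "<target network> <status> <hop1> <hop2> ...".
# A "*" is a hop that never answered (a silent or "shy" router).
SCAN_LINES = """\
10.1.0.0/16 complete 192.0.2.9 10.0.0.1 10.1.0.1
10.2.0.0/16 complete 192.0.2.9 10.0.0.1 10.2.0.1
198.51.100.0/24 complete 192.0.2.17 198.51.100.1
203.0.113.0/24 nodata 192.0.2.17 * *
192.0.2.0/24 error
"""

SCANNER = "192.0.2.1"                   # assumed address of the scanning host
INTERNAL = [ip_network("10.0.0.0/8")]   # assumed corporate (internal) address space


def parse_scan(text):
    """Return {target: (status, [hops])}; lines without a status are skipped."""
    results = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        results[parts[0]] = (parts[1], parts[2:])
    return results


def build_graph(results, root=SCANNER):
    """Undirected edges between consecutive responding hops, starting at the
    scanning host. A "*" breaks the chain: we cannot tell who the silent router
    was, so no edge is drawn across it. Returns (edges, silent_hop_count)."""
    edges = set()
    silent = 0
    for _status, hops in results.values():
        prev = root
        for hop in hops:
            if hop == "*":
                silent += 1
                prev = None
                continue
            if prev is not None and prev != hop:
                edges.add(tuple(sorted((prev, hop))))
            prev = hop
    return edges, silent


def distance_from(edges, root=SCANNER):
    """BFS hop distance from the scanning host: the basis of the
    "colored by distance from scanning host" map."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    dist = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for nxt in sorted(adj.get(node, ())):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def color_by_distance(dist, palette=("red", "orange", "yellow", "green", "blue")):
    """One palette entry per hop count; the last color covers anything farther."""
    return {node: palette[min(d, len(palette) - 1)] for node, d in dist.items()}


def routing_leaks(results, internal=INTERNAL):
    """Internal-space targets the scan completed to. Seen from a scanner outside
    the perimeter, that is a routing leak: the route is announced and packets flow."""
    leaks = []
    for target, (status, _hops) in results.items():
        net = ip_network(target)
        if status == "complete" and any(net.subnet_of(i) for i in internal):
            leaks.append(target)
    return sorted(leaks)


if __name__ == "__main__":
    scan = parse_scan(SCAN_LINES)
    edges, silent = build_graph(scan)
    dist = distance_from(edges)
    for node, color in color_by_distance(dist).items():
        print(f"{node:16} {dist[node]} hops  {color}")
    print("silent hops:", silent)
    print("routing leaks:", routing_leaks(scan))
```

The "*" handling is the point of the limitations slide: a silent hop leaves a gap in the graph rather than a guessed edge, and a target that only reaches silent hops (203.0.113.0/24 above) contributes a partial path but no leaf node.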
Slide 55 of 105
Data collection complaints
• Australian parliament was the first to complain
• List of whiners (25 nets)
• On the Internet, these complaints are mostly a thing of the past
  – Internet background radiation predominates
Slide 56 of 105
Visualization goals
• make a map
  – show interesting features
  – debug our database and collection methods
• geography doesn’t matter
• use colors to show further meaning
Slide 57 of 105 [image]
Slide 58 of 105
Visualization of the layout algorithm
Laying out the Internet graph
Slide 59 of 105 [image]
Slide 60 of 105 [image]
Slide 61 of 105
Colored by AS number
Slide 62 of 105
Map Coloring
• distance from test host
• IP address
  – shows communities
• Geographical (by TLD)
• ISPs
• future
  – timing, firewalls, LSRR blocks
Slide 63 of 105
Colored by IP address!
Slide 64 of 105
Colored by geography
Slide 65 of 105
Colored by ISP
Slide 66 of 105
Colored by distance from scanning host
Slide 67 of 105 [image]
Slide 68 of 105 [image]
Slide 69 of 105
Yugoslavia
An unclassified peek at a new battlefield
1999
Slide 70 of 105 [image]
Slide 71 of 105
A film by Steve “Hollywood” Branigan...
Slide 72 of 105 [image]
Slide 73 of 105
The end
Slide 74 of 105
Intranets: the rest of the Internet
Slide 75 of 105 [image]
Slide 76 of 105 [image]
Slide 77 of 105 [image]
Slide 78 of 105
This was supposed to be a VPN
Slide 79 of 105 [image]
Slide 80 of 105 [image]
Slide 81 of 105
Case studies: corp. networks
Some intranet statistics

| Statistic | Min | Max |
|---|---|---|
| Intranet sizes (devices) | 7,900 | 365,000 |
| Corporate address space | 81,000 | 745,000,000 |
| % devices in unknown address space | 0.01% | 20.86% |
| % routers responding to "public" | 0.14% | 75.50% |
| % routers responding to other | 0.00% | 52.00% |
| Outbound host leaks on network | 0 | 176,000 |
| % devices with outbound ICMP leaks | 0% | 79% |
| % devices with outbound UDP leaks | 0% | 82% |
| Inbound UDP host leaks | 0 | 5,800 |
| % devices with inbound ICMP leaks | 0% | 11% |
| % devices with inbound UDP leaks | 0% | 12% |
| % hosts running Windows | 36% | 84% |
Slide 82 of 105
Project 3: Detecting perimeter leaks
Lumeta’s Special Sauce
2000
Slide 83 of 105
Types of leaks
• Routing leaks
  – Internal routes are announced externally, and the packets are allowed to flow betwixt
• Host leaks
  – Simultaneously connected inside and out, probably without firewall functionality
  – Not necessarily a dual-homed host
• “Please don’t call them leaks”
  – They aren’t always a Bad Thing
Slide 84 of 105
Routing leaks
• Easily seen on maps
• Shows up in our reports
• Generally easily fixed
Slide 85 of 105
Host leak detection
• Developed to find hosts that have access to both intranet and Internet
• Or across any privilege boundary
• Leaking hosts do not route between the networks
• Technology didn’t exist to find these
Slide 86 of 105
Possible host leaks
• Misconfigured telecommuters connecting remotely
• VPNs that are broken
• DMZ hosts with too much access
• Business partner networks
• Internet connections by rogue managers
• Modem links to ISPs
Slide 87 of 105
Leak Detection Prerequisites
• List of potential leakers: obtained by census
• Access to intranet
• Simultaneous availability of a “mitt”
Slide 88 of 105
Leak Detection Layout
[Diagram: Internet and intranet, with mapping host A, test host B, mitt D, and a possible second address C]
• Mapping host with address A is connected to the intranet
• Mitt with address D has Internet access
• Mapping host and mitt are currently the same host, with two interfaces
89 of 105
Leak Detection
[Diagram: same leak-detection layout (A, B, C, D)]
• Test host has known address B on the intranet
• It was found via census
• We are testing for unauthorized access to the Internet, possibly through a different address, C
90 of 105
Leak Detection
[Diagram: same leak-detection layout (A, B, C, D)]
• A sends packet to B, with spoofed return address of D
• If B can, it will reply to D with a response, possibly through a different interface
91 of 105
Leak Detection
[Diagram: same leak-detection layout (A, B, C, D)]
• Packet must be crafted so the response won’t be permitted through the firewall
• A variety of packet types and responses are used
• Either inside or outside address may be discovered
• Packet is labeled so we know where it came from
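How the mitt at D ties a reply back to the census host that was probed, as an added example that is not Lumeta's code. It assumes the label is an HMAC over the probed intranet address (the slides only say the packet is labeled), matches each reply to its census entry, keeps whichever inside or outside address the reply revealed, and drops unlabeled Internet noise that happens to reach D.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption (not from the slides): the label is an HMAC over the probed intranet
# address and a run id, so the mitt can match a reply to the census host that was
# probed and discard unsolicited traffic that happens to arrive at D.
LABEL_KEY = b"constructed-example-key"

def probe_label(intranet_addr: str, run_id: int) -> str:
    msg = f"{run_id}:{intranet_addr}".encode()
    return hmac.new(LABEL_KEY, msg, hashlib.sha256).hexdigest()[:16]

def build_probes(census: List[str], run_id: int) -> Dict[str, str]:
    """Label -> intranet address B for every host the census found."""
    return {probe_label(b, run_id): b for b in census}

@dataclass(frozen=True)
class Reply:
    src_addr: str  # source address the mitt at D saw on the reply (C, or B itself)
    label: str     # label echoed back from the probe

def correlate(probes: Dict[str, str], replies: List[Reply]) -> Tuple[List[dict], int]:
    """Return (leaks, ignored): one record per distinct (B, C) pair, plus a noise count."""
    leaks, ignored = {}, 0
    for r in replies:
        b = probes.get(r.label)
        if b is None:  # not one of our labels: Internet background noise at the mitt
            ignored += 1
            continue
        # Reading of "either address may be discovered": a reply from B itself means
        # the intranet address is reachable from the Internet; a different source C
        # means the host answered out a second interface.
        kind = "routed" if r.src_addr == b else "dual-homed"
        leaks[(b, r.src_addr)] = {"inside": b, "outside": r.src_addr, "kind": kind}
    return sorted(leaks.values(), key=lambda x: (x["inside"], x["outside"])), ignored

# Constructed sample: three census hosts; one answers via a second interface,
# one's intranet address reaches D directly, one is silent; plus one noise packet.
CENSUS = ["10.1.2.3", "10.1.2.4", "10.1.2.5"]
RUN_ID = 7
PROBES = build_probes(CENSUS, RUN_ID)
REPLIES = [
    Reply("198.51.100.9", probe_label("10.1.2.3", RUN_ID)),
    Reply("198.51.100.9", probe_label("10.1.2.3", RUN_ID)),  # duplicate, collapsed
    Reply("10.1.2.4", probe_label("10.1.2.4", RUN_ID)),
    Reply("203.0.113.77", "0000000000000000"),  # no valid label
]
LEAKS, IGNORED = correlate(PROBES, REPLIES)
```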
92 of 105
Inbound Leak Detection
[Diagram: same layout (A, B, C, D), probes now sent in the inbound direction]
• This direction is usually more important
• It all depends on the site policy…
• …so many leaks might be just fine.
93 of 105
Inbound Leak Detection
[Diagram: inbound leak-detection layout (A, B, C, D)]
94 of 105
Leak results
• Found home web businesses
• At least two clients have tapped leaks– One made front page news
• From the military: “the republic is a little safer”
95 of 105
We developed a lot of stuff
• Leak detection (that’s the special sauce)
• Lots of reports: the hardest part is converting data to information
• Route discovery: TTL probes plus SNMP router queries
• Host enumeration and identification: ping and xprobe-style host identification
• Server discovery: SYN probes of popular TCP ports
• Wireless base station discovery: xprobe, SNMP, HTTP
• And more…ask the sales people
• The “zeroth step in network intelligence”– me
96 of 105
What’s next?
IPv6
2005 + 3
97 of 105
98 of 105
IPv6 deployment
• Has been 3 years away since 1993
• Widely deployed in the Far East, and in the new cell phones
• Europe is getting on board
• US Government mandate for 2005– But what does “IPv6 capable” really mean?
• None of the three ISPs I am connected to at home and work offer raw IPv6 feeds
99 of 105
IPv6 address space
• /48s seem to be freely available:– Each US soldier will have one– One for each home
• 80-bit host address is a hell of a large space
• Easy to hide hosts in that space
• Hard to administer hosts in that space
• Some interesting cryptographic and “IP hopping” applications come to mind.
100 of 105
IPv6 technical aspects
• Google-based research will lead you down recently abandoned dead ends– A6 came and went, AAAA is what to use– Link level addressing is deprecated– Use of bottom 128 – 48 = 80 bits not really settled
• Addresses aren’t as bad as you might think:– 2001:5bfe:16::1 (easy to grep!)
101 of 105
IPv6
• IPv6 is available through IPv4/IPv6 tunnel brokers– www.hexago.com formerly freenet6.net
• Not hard to set up on Unix hosts, then it Just Works
102 of 105
What’s next? Skinny dipping with Microsoft operating systems? 2062?
103 of 105
XP SP2: Bill gets it
• “a feature you don’t use should not be a security problem for you.”
• “Security by design”– Too late for that, it’s all retrofitting now
• “Security by default”– No network services on by default
• Security control panel– Many things missing from it– Speaker could not find ActiveX security settings
• There are a lot of details that remain to be seen.
105 of 105