110 slides
Defending Your Network: Identifying and Patrolling
Your True Network Perimeter
Bill Cheswick
Chief Scientist, Lumeta Corp
Pondering and Patrolling Perimeters
Bill Cheswick
http://www.lumeta.com
3 of 110 Patrolling the Perimeter
Talk Outline
• Outside: mapping the Internet
• A discussion of perimeter defenses
• Strong host security
• Mapping and understanding intranets
• The past and future of Microsoft host security:
  – my Dad’s computer
The Internet Mapping Project
An experiment in exploring network connectivity
Motivations
• Highlands “day after” scenario
• Panix DOS attacks
  – a way to trace anonymous packets back!
• Visualization experiments
• Curiosity about size and growth of the Internet
• Databases for graph theorists, grad students, etc.
Methods - data collection
• Single reliable host connected at the company perimeter
• Daily full scan of Lucent
• Daily partial scan of Internet, monthly full scan
• One line of text per network scanned
  – Unix tools
• Use a light touch, so we don’t bother Internet denizens
Methods - network discovery (ND)
• Obtain master network list
  – network lists from Merit, RIPE, APNIC, etc.
  – BGP data or routing data from customers
  – hand-assembled list of Yugoslavia/Bosnia
• Run a traceroute-style scan towards each network
• Stop on error, completion, no data
  – Keep the natives happy
Intranet implications of Internet mapping
• High speed technique, able to handle the largest networks
• Light touch: “what are you going to do to my intranet?”
• Acquire and maintain databases of Internet network assignments and usage
Related Work
• See Martin Dodge’s cyber geography page
• MIDS - John Quarterman
• CAIDA - kc claffy
• Mercator
• “Measuring ISP topologies with rocketfuel” - 2002
  – Spring, Mahajan, Wetherall
• Enter “internet map” in your search engine
TTL probes
• Used by traceroute and other tools
• Probes toward each target network with increasing TTL
• Probes are ICMP, UDP, TCP to port 80, 25, 139, etc.
• Some people block UDP, others ICMP
Advantages
• We don’t need access (i.e. SNMP) to the routers
• It’s very fast
• Standard Internet tool: it doesn’t break things
• Insignificant load on the routers
• Not likely to show up on IDS reports
• We can probe with many packet types
Limitations
• View is from scanning host only
  – Multiple scan sources give a better view
• Outgoing paths only
• Level 3 (IP) only
  – ATM networks appear as a single node
• Not all routers respond
  – Some are silent
  – Others are “shy” (RFC 1123 compliant), limited to one response per second
Data collection complaints
• Australian parliament was the first to complain
• List of whiners (25 nets)
• On the Internet, these complaints are mostly a thing of the past
  – Internet background radiation predominates
Intranet uses of Don’t Scan list
• Hands off particular business partners
• Hands off especially sensitive networks
  – Hanging ATMs
  – 3B2s with broadcast storms
  – Wollongong software (!) on factory floor computers
• Intranet vs. ISP customer networks
Visualization goals
• make a map
  – show interesting features
  – debug our database and collection methods
  – hard to fold up
• geography doesn’t matter
• use colors to show further meaning
Visualization of the layout algorithm
Laying out the Internet graph
Visualization of the layout algorithm
Laying out an intranet
A simplified map, for the Internet layouts
• Minimum distance spanning tree uses 80% of the data
• Much easier visualization
• Most of the links still valid
• Redundancy is in the middle
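The simplification on this slide, as an added example (not code from the talk or from Lumeta): it builds the link graph from traceroute-style scan lines and keeps only the minimum-distance (breadth-first) tree rooted at the scanning host, so the dropped links are the redundant ones. The line format `target hop1 hop2 ...`, the `*` marker for a silent router, the sample addresses and all function names are assumptions.

```python
from collections import deque

# Constructed sample: one text line per scanned network, "target hop1 hop2 ...".
# "*" marks a router that did not answer. Addresses are documentation ranges.
SCAN_LINES = """\
198.51.100.0/24 10.0.0.1 192.0.2.1 192.0.2.9 198.51.100.1
203.0.113.0/24 10.0.0.1 192.0.2.1 192.0.2.5 203.0.113.1
203.0.113.128/25 10.0.0.1 192.0.2.2 192.0.2.5 203.0.113.129
192.0.2.64/26 10.0.0.1 192.0.2.2 * 192.0.2.65
"""

SCANNER = "scanner"  # hypothetical label for the single scanning host


def parse_links(text, root=SCANNER):
    """Return the set of undirected links (frozensets) seen on all paths."""
    links = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:          # blank line, or a target with no hops
            continue
        prev = root
        for hop in fields[1:]:
            if hop == "*":
                # Silent router: keep the path connected with a placeholder
                # node named after the last hop that did answer.
                hop = "?" + prev
            if hop != prev:
                links.add(frozenset((prev, hop)))
            prev = hop
    return links


def min_distance_tree(links, root=SCANNER):
    """Breadth-first tree from the scanning host: (tree links, hop distances)."""
    adjacent = {}
    for link in links:
        a, b = tuple(link)
        adjacent.setdefault(a, set()).add(b)
        adjacent.setdefault(b, set()).add(a)
    dist = {root: 0}
    tree = set()
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for nxt in sorted(adjacent.get(node, ())):   # sorted: repeatable output
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                tree.add(frozenset((node, nxt)))
                queue.append(nxt)
    return tree, dist


def redundant_links(links, tree):
    """Links present in the scan data but left out of the simplified map."""
    return links - tree


if __name__ == "__main__":
    all_links = parse_links(SCAN_LINES)
    tree, dist = min_distance_tree(all_links)
    print(f"{len(tree)} of {len(all_links)} links kept")
    for link in redundant_links(all_links, tree):
        print("redundant:", " <-> ".join(sorted(link)))
```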
Colored by AS number
Map Coloring
• distance from test host
• IP address
  – shows communities
• Geographical (by TLD)
• ISPs
• future
  – timing, firewalls, LSRR blocks
Colored by IP address!
Colored by geography
Colored by ISP
Colored by distance from scanning host
US military reached by ICMP ping
US military networks reached by UDP
Yugoslavia
An unclassified peek at a new battlefield
A film by Steve “Hollywood” Branigan...
The end
Perimeter defenses
Perimeter defenses are a traditional means of
protecting an area without hardening each of the things
in that area
Why use a perimeter defense?
• It is cheaper
  – A man’s home is his castle, but most people can’t afford the moat
• You can concentrate your equipment and your expertise in a few areas
• It is simpler, and simpler security is usually better
  – Easier to understand and audit
  – Easier to spot broken parts
Perimeter Defense of the US Capitol Building
Flower pots
Security doesn’t have to be ugly
Delta barriers
Parliament: entrance
Parliament: exit
What’s wrong with perimeter defenses
• They are useless against insider attacks
Edinburgh Castle
• fell through a hole in its perimeter
• fell to siege in three years in 16th century
  – ran out of food and water
• Unsuccessful attack by Bonnie Prince Charlie in 1745
• Devastated in 1544 by the Earl of Hertford
What’s wrong with perimeter defenses
• They are useless against insider attacks
• They provide a false sense of security
  – You still need to toughen up the inside, at least some
  – You need to hire enough defenders
What’s wrong with perimeter defenses
• They are useless against insider attacks
• They provide a false sense of security
  – You still need to toughen up the inside, at least some
• They don’t scale well
The Pretty Good Wall of China
Can we live without an intranet?
Strong host security
I can, but you probably can’t
• “Skinny-dipping” on the Internet since the mid 1990s
• The exposure focuses one clearly on the threats and proactive security
• It’s very convenient, for the services I dare to use
• Many important network services are difficult to harden
Skinny dipping rules
• Only minimal services are offered to the general public
  – Ssh
  – Web server (jailed Apache)
  – DNS (self chrooted)
  – SMTP (postfix, not sendmail)
• Children (like employees) and MSFT clients are untrustworthy
• Offer hardened local services at home, like SAMBA (chroot), POP3 (chroot)
• I’d like to offer other services, but they are hard to secure
Skinny dipping requires strong host security
• FreeBSD and Linux machines
• I am told that one can lock down an MSFT host, but there are hundreds of steps, and I don’t know how to do it.
• This isn’t just about operating systems: the most popular client applications are, in theory, very dangerous and, in practice, very dangerous.
  – Web browsers and mail readers have many dangerous features
Lately, I have been cheating
• Backup hosts are unreachable from the Internet (which is a perimeter defense of sorts), and do not trust the exposed hosts
• Public servers have lower privilege than my crown jewels
• This means I can experiment a bit more with the exposed hosts
Skinny dipping flaws
• Less depth to the defense
Skinny dipping flaws
• Less defense in depth
• No protection from denial-of-service attacks
Hopes for Microsoft client security?
• I’ll talk about it at the end of the talk.
Intranets
Networked perimeter defenses
“Anything large enough to be called an ‘intranet’ is out
of control”
- me
Intranets have been out of control since they were invented
• This is not the fault of network administrators
  – The technology is amenable to abuse
  – Decentralization was a design goal of the Internet
• CIOs and CSOs want centralized control of their network
• The legacy information is lost with rapid employee turnover
• M&A breaks carefully-planned networking
Perimeter security gives a false sense of security
• “Crunchy outside, and a soft, chewy center”
  – Me
• I think 40 hosts is about the most that I can control within a perimeter.
  – Others can probably do better
• Internet worms are pop quizzes on perimeter security
Intranets: the rest of the Internet
History of the Project and Lumeta
• Started in August 1998 at Bell Labs
• April-June 1999: Yugoslavia mapping
• July 2000: first customer intranet scanned
• Sept. 2000: spun off Lumeta from Lucent/Bell Labs
• June 2002: “B” round funding completed
• 2003: sales >$4MM
• After three years of a service offering, we built IPSonar so you can run it yourself.
This was supposed to be a VPN
This is useful, but can we find hosts that have access across the perimeter?
![Page 85: 110 slides Defending Your Network: Identifying and Patrolling Your True Network Perimeter Bill Cheswick Chief Scientist, Lumeta Corp](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e3b5503460f94b2d17c/html5/thumbnails/85.jpg)
Leaks
• We call the leaks shown in the maps “routing leaks”
• Can we find hosts that don’t forward packets, but straddle the perimeter?
• Yes: we call them “host leaks”, and detecting them is Lumeta’s “special sauce”
![Page 86: 110 slides Defending Your Network: Identifying and Patrolling Your True Network Perimeter Bill Cheswick Chief Scientist, Lumeta Corp](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e3b5503460f94b2d17c/html5/thumbnails/86.jpg)
How to find host leaks
• Run a census with ICMP and/or UDP packets
• Test each machine to see if it can receive a probe from one network, and reply on another
• Not just dual-homed hosts
• DMZ hosts, business partner machines, misconfigured VPN access
![Page 87: 110 slides Defending Your Network: Identifying and Patrolling Your True Network Perimeter Bill Cheswick Chief Scientist, Lumeta Corp](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e3b5503460f94b2d17c/html5/thumbnails/87.jpg)
Leak Detection
[Diagram: Internet and intranet, with mapping host A, test host B, mitt D, and C]
• A sends packet to B, with spoofed return address of D
• If B can, it will reply to D with a response, possibly through a different interface
![Page 88: 110 slides Defending Your Network: Identifying and Patrolling Your True Network Perimeter Bill Cheswick Chief Scientist, Lumeta Corp](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e3b5503460f94b2d17c/html5/thumbnails/88.jpg)
Leak Detection
[Diagram: Internet and intranet, with mapping host A, test host B, mitt D, and C]
• Packet must be crafted so the response won’t be permitted through the firewall
• A variety of packet types and responses are used
• Either inside or outside address may be discovered
• Packet is labeled so we know where it came from
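The collector side of the test described on the two Leak Detection slides, as an added example (not code from the talk or from Lumeta): labeled probes sent by mapping host A are matched against replies captured at mitt D, and any test host whose reply reached the mitt is reported as a host leak. The record layouts, labels, and addresses are constructed for illustration.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

Probe = namedtuple("Probe", "label target proto")  # one probe sent by mapping host A
Reply = namedtuple("Reply", "label source")        # one reply captured at mitt D

# Constructed sample data (private and documentation ranges, not from the talk).
INTRANET = [ip_network("10.0.0.0/8")]
PROBES = [
    Probe("p-0001", "10.1.4.20", "icmp"),
    Probe("p-0002", "10.1.4.21", "udp"),
    Probe("p-0003", "10.9.0.7", "udp"),
    Probe("p-0004", "10.9.0.8", "icmp"),
]
REPLIES_AT_MITT = [
    Reply("p-0002", "10.1.4.21"),      # answered from the probed (inside) address
    Reply("p-0003", "198.51.100.44"),  # answered through a second, outside interface
    Reply("x-9999", "203.0.113.5"),    # label we never sent: stray traffic, ignored
]

def is_inside(addr, intranet=INTRANET):
    """True when addr falls in the address space we consider the intranet."""
    return any(ip_address(addr) in net for net in intranet)

def find_host_leaks(probes, replies, intranet=INTRANET):
    """Map each leaking test host to the protocols and reply addresses seen."""
    by_label = {p.label: p for p in probes}
    leaks = {}
    for reply in replies:
        probe = by_label.get(reply.label)
        if probe is None:  # the label tells us which probe a reply belongs to
            continue
        side = "inside" if is_inside(reply.source, intranet) else "outside"
        entry = leaks.setdefault(probe.target, {"protos": set(), "reply_addrs": {}})
        entry["protos"].add(probe.proto)
        entry["reply_addrs"][reply.source] = side
    return leaks

def leak_rate(probes, leaks):
    """Percentage of probed hosts that leaked, as in a per-network census."""
    targets = {p.target for p in probes}
    return 100.0 * len(leaks) / len(targets)

if __name__ == "__main__":
    found = find_host_leaks(PROBES, REPLIES_AT_MITT)
    for host, info in sorted(found.items()):
        print(host, sorted(info["protos"]), info["reply_addrs"])
    print("leak rate: %.1f%%" % leak_rate(PROBES, found))
```

Whether a reported host is a problem is a policy decision; the correlation only establishes that a reply crossed the perimeter.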
![Page 89: 110 slides Defending Your Network: Identifying and Patrolling Your True Network Perimeter Bill Cheswick Chief Scientist, Lumeta Corp](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e3b5503460f94b2d17c/html5/thumbnails/89.jpg)
Leaks are not always bad
• Depends on the network policy
• Often, outgoing leaks are ok
• Sometimes our test packets get through, but not the services you are worrying about
• “Please don’t call them leaks”
• Until this test, there was no way for the CIO to detect them, good or bad
• Patent pending…
![Page 90: 110 slides Defending Your Network: Identifying and Patrolling Your True Network Perimeter Bill Cheswick Chief Scientist, Lumeta Corp](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e3b5503460f94b2d17c/html5/thumbnails/90.jpg)
We developed a lot of stuff
• Leak detection (that’s the special sauce)
• Route discovery
• Host enumeration and identification
• Server discovery
• Lots of reports…the hardest part
• Wireless base station discovery
• And more…ask the sales people
• The “zeroth step in network intelligence” – me
![Page 91: 110 slides Defending Your Network: Identifying and Patrolling Your True Network Perimeter Bill Cheswick Chief Scientist, Lumeta Corp](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e3b5503460f94b2d17c/html5/thumbnails/91.jpg)
Case studies: corp. networks
Some intranet statistics

| Statistic | Min | Max |
|---|---|---|
| Intranet sizes (devices) | 7,900 | 365,000 |
| Corporate address space | 81,000 | 745,000,000 |
| % devices in unknown address space | 0.01% | 20.86% |
| % routers responding to "public" | 0.14% | 75.50% |
| % routers responding to other | 0.00% | 52.00% |
| Outbound host leaks on network | 0 | 176,000 |
| % devices with outbound ICMP leaks | 0% | 79% |
| % devices with outbound UDP leaks | 0% | 82% |
| Inbound UDP host leaks | 0 | 5,800 |
| % devices with inbound ICMP leaks | 0% | 11% |
| % devices with inbound UDP leaks | 0% | 12% |
| % hosts running Windows | 36% | 84% |
![Page 92: 110 slides Defending Your Network: Identifying and Patrolling Your True Network Perimeter Bill Cheswick Chief Scientist, Lumeta Corp](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e3b5503460f94b2d17c/html5/thumbnails/92.jpg)
Some Lumeta lessons
• Reporting is the really hard part
  – Converting data to information
• “Tell me how we compare to other clients”
• Offering a service was good practice, for a while
• We have >70 Fortune-200 companies and government agencies as clients
• Need-to-have vs. want-to-have
![Page 93: 110 slides Defending Your Network: Identifying and Patrolling Your True Network Perimeter Bill Cheswick Chief Scientist, Lumeta Corp](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e3b5503460f94b2d17c/html5/thumbnails/93.jpg)
Microsoft client security
It has been getting worse
![Page 94: 110 slides Defending Your Network: Identifying and Patrolling Your True Network Perimeter Bill Cheswick Chief Scientist, Lumeta Corp](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e3b5503460f94b2d17c/html5/thumbnails/94.jpg)
Case study: My Dad’s computer
• Windows XP, plenty of horsepower, two screens
• Applications:
  – Email (Outlook)
  – “Bridge:” a fancy stock market monitoring system
  – AIM
• Cable access, dynamic IP address, no NAT, no firewall, outdated virus software, no spyware checker
![Page 95: 110 slides Defending Your Network: Identifying and Patrolling Your True Network Perimeter Bill Cheswick Chief Scientist, Lumeta Corp](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e3b5503460f94b2d17c/html5/thumbnails/95.jpg)
This computer was a software toxic waste dump
• It was burning a quart of software every 300 miles
• The popups seemed darned distracting to me
• But he thought it was fine
  – Got his work done
  – Didn’t want a system administrator to break his user interface somehow
![Page 96: 110 slides Defending Your Network: Identifying and Patrolling Your True Network Perimeter Bill Cheswick Chief Scientist, Lumeta Corp](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e3b5503460f94b2d17c/html5/thumbnails/96.jpg)
Microsoft’s Augean Stables
• 3000 oxen, 30 years, that’s roughly one oxen-day per line of code in Windows
![Page 97: 110 slides Defending Your Network: Identifying and Patrolling Your True Network Perimeter Bill Cheswick Chief Scientist, Lumeta Corp](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e3b5503460f94b2d17c/html5/thumbnails/97.jpg)
Windows ME

```
Active Connections - Win ME

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:1032         0.0.0.0:0              LISTENING
  TCP    223.223.223.10:139     0.0.0.0:0              LISTENING
  UDP    0.0.0.0:1025           *:*
  UDP    0.0.0.0:1026           *:*
  UDP    0.0.0.0:31337          *:*
  UDP    0.0.0.0:162            *:*
  UDP    223.223.223.10:137     *:*
  UDP    223.223.223.10:138     *:*
```
![Page 98: 110 slides Defending Your Network: Identifying and Patrolling Your True Network Perimeter Bill Cheswick Chief Scientist, Lumeta Corp](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e3b5503460f94b2d17c/html5/thumbnails/98.jpg)
Windows 2000

```
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1029           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1036           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1078           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1086           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6515           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:139          0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:1038           *:*
  UDP    0.0.0.0:6514           *:*
  UDP    0.0.0.0:6515           *:*
  UDP    127.0.0.1:1108         *:*
  UDP    223.223.223.96:500     *:*
  UDP    223.223.223.96:4500    *:*
```
![Page 99: 110 slides Defending Your Network: Identifying and Patrolling Your True Network Perimeter Bill Cheswick Chief Scientist, Lumeta Corp](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e3b5503460f94b2d17c/html5/thumbnails/99.jpg)
Windows XP, this laptop

```
  Proto  Local Address          Foreign Address        State
  TCP    ches-pc:epmap          ches-pc:0              LISTENING
  TCP    ches-pc:microsoft-ds   ches-pc:0              LISTENING
  TCP    ches-pc:1025           ches-pc:0              LISTENING
  TCP    ches-pc:1036           ches-pc:0              LISTENING
  TCP    ches-pc:3115           ches-pc:0              LISTENING
  TCP    ches-pc:3118           ches-pc:0              LISTENING
  TCP    ches-pc:3470           ches-pc:0              LISTENING
  TCP    ches-pc:3477           ches-pc:0              LISTENING
  TCP    ches-pc:5000           ches-pc:0              LISTENING
  TCP    ches-pc:6515           ches-pc:0              LISTENING
  TCP    ches-pc:netbios-ssn    ches-pc:0              LISTENING
  TCP    ches-pc:3001           ches-pc:0              LISTENING
  TCP    ches-pc:3002           ches-pc:0              LISTENING
  TCP    ches-pc:3003           ches-pc:0              LISTENING
  TCP    ches-pc:5180           ches-pc:0              LISTENING
  UDP    ches-pc:microsoft-ds   *:*
  UDP    ches-pc:isakmp         *:*
  UDP    ches-pc:1027           *:*
  UDP    ches-pc:3008           *:*
  UDP    ches-pc:3473           *:*
  UDP    ches-pc:6514           *:*
  UDP    ches-pc:6515           *:*
  UDP    ches-pc:netbios-ns     *:*
  UDP    ches-pc:netbios-dgm    *:*
  UDP    ches-pc:1900           *:*
  UDP    ches-pc:ntp            *:*
  UDP    ches-pc:1900           *:*
  UDP    ches-pc:3471           *:*
```
![Page 100: 110 slides Defending Your Network: Identifying and Patrolling Your True Network Perimeter Bill Cheswick Chief Scientist, Lumeta Corp](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e3b5503460f94b2d17c/html5/thumbnails/100.jpg)
FreeBSD partition, this laptop

```
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp6       0      0  *.22                   *.*                    LISTEN
```
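To compare listener tables like the ones on these slides mechanically, the following added example (not from the talk) parses both the Windows and the FreeBSD netstat layouts and returns the sockets bound to a non-loopback address. The Windows ME and FreeBSD rows are copied from the slides; the function name and the loopback test are this example's own choices.

```python
WIN_ME = """\
Proto Local Address Foreign Address State
TCP 127.0.0.1:1032 0.0.0.0:0 LISTENING
TCP 223.223.223.10:139 0.0.0.0:0 LISTENING
UDP 0.0.0.0:1025 *:*
UDP 0.0.0.0:1026 *:*
UDP 0.0.0.0:31337 *:*
UDP 0.0.0.0:162 *:*
UDP 223.223.223.10:137 *:*
UDP 223.223.223.10:138 *:*
"""

FREEBSD = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 *.22 *.* LISTEN
tcp6 0 0 *.22 *.* LISTEN
"""

def exposed_listeners(netstat_text):
    """Return sorted (proto, port) pairs bound to a non-loopback address."""
    exposed = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 3 or not f[0].lower().startswith(("tcp", "udp")):
            continue  # banner or column-header line
        proto = f[0][:3].upper()
        # BSD rows carry numeric Recv-Q and Send-Q columns before the address.
        bsd = len(f) >= 5 and f[1].isdigit() and f[2].isdigit()
        local = f[3] if bsd else f[1]
        state_idx = 5 if bsd else 3
        state = f[state_idx] if len(f) > state_idx else ""
        if proto == "TCP" and not state.upper().startswith("LISTEN"):
            continue  # established or closing connection, not a listener
        # BSD separates address and port with '.', Windows with ':'.
        host, _, port = local.rpartition("." if bsd else ":")
        if host.startswith("127.") or host in ("localhost", "::1", "[::1]"):
            continue  # reachable only from the machine itself
        exposed.add((proto, port))
    return sorted(exposed)

if __name__ == "__main__":
    for name, text in (("Windows ME", WIN_ME), ("FreeBSD", FREEBSD)):
        found = exposed_listeners(text)
        print("%-10s %2d exposed: %s" % (name, len(found), found))
```

UDP sockets have no LISTENING state, so every bound UDP socket is counted; the `tcp4` and `tcp6` rows for the same port collapse into one entry.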
![Page 101: 110 slides Defending Your Network: Identifying and Patrolling Your True Network Perimeter Bill Cheswick Chief Scientist, Lumeta Corp](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e3b5503460f94b2d17c/html5/thumbnails/101.jpg)
Microsoft really means it about improving their security
• Their security commitment appears to be real
• It is a huge job
• Opposing forces are unclear to me
• It’s been a long time coming, and frustrating
![Page 102: 110 slides Defending Your Network: Identifying and Patrolling Your True Network Perimeter Bill Cheswick Chief Scientist, Lumeta Corp](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e3b5503460f94b2d17c/html5/thumbnails/102.jpg)
Microsoft really means it about improving their security
• They need world-class sandboxes, many more layers in their security, and much safer defaults
• A Microsoft “terminal” will benefit millions of users
![Page 103: 110 slides Defending Your Network: Identifying and Patrolling Your True Network Perimeter Bill Cheswick Chief Scientist, Lumeta Corp](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e3b5503460f94b2d17c/html5/thumbnails/103.jpg)
Windows OK
• Thin client implemented with Windows
• It would be fine for maybe half the Windows users
  – Students, consumers, many corporate and government users
• It would be reasonable to skinny dip with this client
  – Without firewall or virus checking software
![Page 104: 110 slides Defending Your Network: Identifying and Patrolling Your True Network Perimeter Bill Cheswick Chief Scientist, Lumeta Corp](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e3b5503460f94b2d17c/html5/thumbnails/104.jpg)
Windows OK
• No network listeners
  – None of those services are needed, except admin access for centrally-administered hosts
• Default security settings, all available on the control panel security screen
• Security settings can be locked
![Page 105: 110 slides Defending Your Network: Identifying and Patrolling Your True Network Perimeter Bill Cheswick Chief Scientist, Lumeta Corp](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e3b5503460f94b2d17c/html5/thumbnails/105.jpg)
Windows OK
• Reduce privileges in servers and all programs
• Sandbox programs
  – Belt and suspenders
![Page 106: 110 slides Defending Your Network: Identifying and Patrolling Your True Network Perimeter Bill Cheswick Chief Scientist, Lumeta Corp](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e3b5503460f94b2d17c/html5/thumbnails/106.jpg)
Windows OK (cont)
• There should be nothing you can click on, in email or a web page, that can hurt your computer
  – No portable programs are executed ever, except…
• ActiveX from approved parties
  – MSFT and one or two others. List is lockable
![Page 107: 110 slides Defending Your Network: Identifying and Patrolling Your True Network Perimeter Bill Cheswick Chief Scientist, Lumeta Corp](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e3b5503460f94b2d17c/html5/thumbnails/107.jpg)
Office OK
• No macros in Word or PowerPoint. No executable code in PowerPoint files
• The only macros allowed in Excel perform arithmetic. They cannot create files, etc.
![Page 108: 110 slides Defending Your Network: Identifying and Patrolling Your True Network Perimeter Bill Cheswick Chief Scientist, Lumeta Corp](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e3b5503460f94b2d17c/html5/thumbnails/108.jpg)
Vulnerabilities in OK
• Buffer overflows in processing of data (not from the network)
• Stop adding new features and focus on bug fixes
• Programmers can clean up bugs, if they don’t have a moving target
  – It converges, to some extent
![Page 109: 110 slides Defending Your Network: Identifying and Patrolling Your True Network Perimeter Bill Cheswick Chief Scientist, Lumeta Corp](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e3b5503460f94b2d17c/html5/thumbnails/109.jpg)
Defending Your Network: Identifying and Patrolling
Your True Network Perimeter
Bill Cheswick
Chief Scientist, Lumeta Corp