©Copyright 2005 – Daniel D. Houser
Perimeter Defense in a World Without Walls
Central Ohio ISSA
Dan Houser, CISSP, CISM
March 16, 2005
Overview
• Classic firewall perspective
• Where firewalls fall short
• Changes in the security space
• Suggestions for improving network security
• Strategic vision
• Tactical focus
• Q&A
This presentation is designed to be a visit through the looking glass: thinking about perimeter security from a different perspective.
Fortress mentality
Classic perimeter security is a network implementation of physical barriers, designed with overlapping, visible, impenetrable barriers.
[Photo: the Atlantic Wall]
Classic firewall/DMZ design
[Diagram: a castle with zones labelled External, Outer Courtyard, Inner Courtyard and Throne Room]
Assumptions of the classic perimeter security model
• Attackers are outside trying to break in
• Attackers cannot breach the wall
• Attackers are identified by guards
• Guards are loyal
• All contact comes through a single path
Unfortunately, these are all wrong.
Reality
• Most attackers are inside
• Attackers can breach the wall
• Guards can't identify all attackers
• Guards can be subverted
• Communication flows over MANY paths
Reality: Many communication paths
[Diagram: paths into the network from business partners, affiliates, subsidiaries, telecommuters, on-site consultants, support technicians, off-site consultants, unknown parties (??), spybots and spyware/adware]
Red Queen race
"You have to run faster and faster just to stay in the same place!"
– The Red Queen, Lewis Carroll, Through the Looking-Glass
Image courtesy www.rushlimbaugh.com
Red Queen race
[Chart: CERT Statistics 1990 - 2Q2004. Incidents reported per year; y-axis 0 to 300,000 incidents, x-axis 1990 through 2004]
Information courtesy CERT®/CC, Statistics 1988-2004, http://www.cert.org/stats/cert_stats.html
Red Queen race
• Web Services Security is changing the rules:
  • Outsourced authentication (federated)
  • Extranet access to core systems
  • RPC calls over HTTP using XML & SOAP
  • Offshore services, data processing
  • Highly connected networks
  • Very tight business integration
In short, there is no network perimeter.
New paradigms are needed
We must migrate from ground-based warfare to a model that fits information warfare.
"He who does not learn from history is doomed to repeat it."
• The Maginot Line was bypassed
• The Atlantic Wall was pierced and defeated
• The Great Wall provided only partial protection
• The Alamo fell to a massive attack
New paradigm: Submarine warfare
In submarine warfare…
• Everyone is an enemy until proven otherwise
• All contacts are tracked and logged
• Hardened autonomous systems
• Rules of engagement govern all response
• Constant vigilance
• Identify Friend or Foe (IFF) becomes vital
• Hunter-killer units are vital to protect strategic investments – offensive as well as defensive players
• Environment "listeners" for ASW (anti-submarine warfare) and tracking
• Evade detection, hound and confuse the enemy
How does Submarine Warfare translate into InfoWarfare?
Harden all devices, not just the DMZ
• Use hardened kernels for ALL servers
• Harden all systems and run minimal services
Minimal installations on desktops
• Dumb terminals where available
• Provide Office tools to knowledge workers only
• Strip unneeded capabilities from kiosks
• Remove the ability to install software
Analyze traffic, not just headers
• Application-based firewalls
• XML filtering
How does Submarine Warfare translate into InfoWarfare?
Segregate boot camp from the theatre of operations
• Separate VLANs for development, test, DR & production
• Make change control your code firewall
• Only change control spans two security zones
• Production support segregated from source code
• Endpoint compliance / walled garden
Core network becomes the DMZ
• Since most attacks are from within, make the cubicles a DMZ
• Create hardened subnets for accounting, HR, IT, operations
• Publish intranets in the DMZ
Source: Information Security Magazine, "Network Security: Submarine Warfare", Dan Houser, 2003, http://tinyurl.com/nwk7
Network segmentation: Crunchy on the outside and the middle
How does Submarine Warfare translate into InfoWarfare?
Heavy use of crypto for IFF functions
• Accelerators & HSMs will be key technologies
• Require all packets to be signed (e.g. SMB and LDAP signing keyed from Kerberos session keys, or IPsec AH/ESP)
• Certificate revocation for intrusion prevention: revoke a compromised host's certificate and it can no longer authenticate to the network
• Network PKI becomes mission critical at layer 2 (802.1X with certificate-based EAP-TLS)
• Emerging products for layer 2 auth – TNT/Endforce
Network IDS is key
• Analyzing packets for IFF analysis, heuristics
• ISP pre-filtered IDS
• Analog threat tagging
• Identifying and tracking intruders
• Isolating subnets with hostile traffic
• Revoke certificates for hostile servers
• Vectoring the CIRT
How does Submarine Warfare translate into InfoWarfare?
Tiger teams and internal search & seizure
• Businesses can't afford rogue servers
• Zero tolerance policy for hacking
• Ethical hackers, capture the flag & war games: A&P (attack & penetration)
• Vulnerability assessment teams
Drill and war games
• Red teams – capture the flag
• Blue teams – learn from red teams, patch vulnerabilities
Highly trained staff becomes a core competency
• Training
• Education
• Employee retention
How does Submarine Warfare translate into InfoWarfare?
"All warfare is based on deception." – Sun Tzu
Confuse and harass attackers… Make your real servers look bogus
• Save all .ASP code as .CGI files, Perl as .ASP
• Configure responses from Apache that mimic IIS
• Open dummy NetBIOS ports on Unix servers
• Use unpredictable ports: run SSH on 19384
• Call your database server "Firewall"
• Route bogus traffic to the IDS network
How does Submarine Warfare translate into InfoWarfare?
Further deception techniques
• Perception management
• Low profile facilities
• Red herring accounts
• Minimalistic error messages (or fake error messages)
• Temporary blindness – ignoring misbehaving nodes
• Deceptive websites: false configs & backdoors
See Fred Cohen's site: www.all.net
Internet attacks have changed…
Photo courtesy NASA
Old school attack
• Lone interloper targets a major firm
• Studies publicly available information
• Hangs out at the local pub, befriends the sales team
• Dumpster dives to obtain manuals, phone lists
• Uses a war-dialer to find modems & remote hosts
• Uses social engineering to obtain passwords
• Dials up hosts, logs in, mayhem & mischief
"Modern" attack
• Lone interloper targets an IP range
• Downloads script kiddy tools
• Scans the IP range looking for vulnerable hosts
• Port scans hosts looking for exploitable services
• Uses exploit tool, mayhem & mischief
Target selection is now a target of opportunity… indiscriminate attack
Worms hit 10,000 networks at once…
Photo courtesy The Weather Channel
What we need is early warning
Photo courtesy NASA
Hide in the open: Honeyd + arpd
• Low-interaction virtual honeypot
• honeyd with arpd creates a virtual network: arpd answers ARP requests for addresses nobody is using, so honeyd can impersonate every one of them
• Create a server that emulates an address range: 10.x.x.x, 192.168.x.x, the public IP range
• Listen on all ports
• Emulate good hosts: MS Exchange, Solaris/Oracle, MS SQL, RedHat/Apache/Tomcat, WinXP Pro
• Emulate bad boxes: botnet servers, warez server, trojaned workstations, Win95 workstation, backdoor
Hide in the open: Honeyd + arpd
• Convert unused address space into decoy tripwire nets: 16,320,000 decoys to 200 "real" servers
• Stop swallowing packets: route unreachable hosts to the virtual honeynet
• That is roughly 81,600 decoys per "real" server, so 99.9988% of randomly chosen addresses land on a decoy
• Any hit on a decoy is malicious (except your own scanners, which must be allowlisted): route it to the IDS / IPS
• Research the attack profile
• Block attackers for 1 hour, 2 hours, 24 hours, 1 week
• You've gained breathing room to respond to real attacks
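The triage step the two slides above describe (every contact with decoy space is hostile, block the source, escalate the block on repeat contact), as an added example that is not part of the original deck or of honeyd. It assumes honeyd's packet-log line layout, an allowlisted range for the organisation's own vulnerability scanner, and the 1 h / 2 h / 24 h / 1 week schedule from the slide; the log lines are constructed for illustration.

```python
"""Triage of hits on the decoy address space ("any hit is malicious").

Added example, not part of the original deck.  Assumptions: honeyd's packet
log line layout (timestamp proto(num) flag src sport dst dport ...), an
allowlisted range for the organisation's own vulnerability scanner, and the
escalating block schedule from the slide (1 h, 2 h, 24 h, 1 week).  The
log lines are constructed for illustration, not a real capture.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample lines in honeyd's packet-log style.
SAMPLE_LOG = """\
2005-03-16-10:22:01.1234 tcp(6) S 192.0.2.7 4123 10.0.0.5 445
2005-03-16-10:22:01.2011 tcp(6) S 192.0.2.7 4124 10.0.0.6 445
2005-03-16-10:22:02.0090 tcp(6) S 192.0.2.7 4125 10.0.0.7 445
2005-03-16-10:25:40.5000 tcp(6) S 10.1.1.9 38000 10.0.0.9 80 [Linux 2.4]
2005-03-16-11:40:03.0001 udp(17) - 198.51.100.4 1434 10.0.0.22 1434
2005-03-16-12:10:00.0000 tcp(6) S 192.0.2.7 4200 10.0.0.44 135
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2})\.\d+\s+"
    r"(?P<proto>\w+)\(\d+\)\s+(?P<flag>\S)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\d+)\s+(?P<dst>\S+)\s+(?P<dport>\d+)"
)

# The only thing allowed to touch decoy space: your own scanners
# (assumed range for this example).
ALLOWLIST = [ip_network("10.1.1.0/24")]

# Escalation schedule from the slide.
BLOCK_SCHEDULE = [timedelta(hours=1), timedelta(hours=2),
                  timedelta(hours=24), timedelta(weeks=1)]


def parse_line(line):
    """Return (timestamp, src, dst, dport) for one log line, or None if the
    line does not look like a honeyd packet-log entry."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d-%H:%M:%S")
    return ts, ip_address(m["src"]), ip_address(m["dst"]), int(m["dport"])


def is_allowlisted(addr):
    """True if addr (string or ipaddress object) is in an allowlisted range."""
    addr = ip_address(addr)
    return any(addr in net for net in ALLOWLIST)


def triage(log_text):
    """Turn decoy hits into block decisions.

    Every contact with a decoy address is hostile by construction: nothing
    legitimate is published there.  A source is blocked on first contact;
    the block length escalates on every new contact seen after the previous
    block expired.  Returns (src, offence_number, block_expires) in log order.
    """
    offences = defaultdict(int)   # src -> offences so far
    block_until = {}              # src -> expiry of the current block
    decisions = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, _dst, _dport = rec
        if is_allowlisted(src):
            continue
        if src in block_until and ts < block_until[src]:
            continue                      # already blocked, nothing to do
        n = offences[src]
        duration = BLOCK_SCHEDULE[min(n, len(BLOCK_SCHEDULE) - 1)]
        offences[src] = n + 1
        block_until[src] = ts + duration
        decisions.append((str(src), n + 1, block_until[src]))
    return decisions


if __name__ == "__main__":
    for src, n, until in triage(SAMPLE_LOG):
        print(f"block {src} (offence {n}) until {until:%Y-%m-%d %H:%M}")
```

On the constructed log, 192.0.2.7 is blocked for an hour at its first SYN, its next two probes fall inside that block and add nothing, and its return after the block expires earns the two-hour step; the scanner in the allowlisted range is ignored entirely. In production the decisions would be pushed to the IPS rather than printed.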
Hide in the open: Big freakin' haystack
[Diagram: Router, Real Network, BFH (Honeyd Emulator), Honeycomb, IDS, Distributed Config IPS]
Hide in the open
The fun has just begun…
LaBrea: answer the SYN with a SYN/ACK, then hold the connection with TCP window size = 0 (the scanner waits)
• Load LaBrea to freeze a scan; run it on a random port
• Freezes Windows-based scanners for up to 4 minutes
• Scanning 10,000 hosts takes 27 days
• Detecting 100 unpublished hosts in a Class A would take approximately 112 years
• Those figures assume a sequential scanner that completes each handshake and waits for data; a heavily parallel scanner, or a stateless SYN scanner that never finishes the handshake, is slowed far less
Disclaimer: This may be illegal in your municipality. I am not a lawyer. Talk to one.
The fun has just begun…
Storm Surge Mode: active re-configuration
• Suppose your "standard" BFH net emulates:
  25%  Apache/Tomcat on RedHat 7
  25%  Microsoft SQL on Win2003 Server
  25%  Lotus Notes/Domino on Win2k Server
  25%  Oracle 9i on Solaris
• IDS telemetry reports a spike in Win2k attacks
• BFH configuration changes to:
  30%  Microsoft SQL on Win2k Server
  30%  Exchange on Win2k Server
  30%  IIS on Win2k Server
  10%  Allocated among 30 other server/workstation images
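The re-weighting described on this slide, together with the template list from the "Hide in the open: Honeyd + arpd" slide, as an added example that is not part of the original deck or of honeyd. It generalises the 30/30/30/10 shift into a rule (a family whose share of attacks is at least three times its share of decoys takes 90% of the haystack) and renders the result as a honeyd configuration. The template catalog, the demonstration network 10.9.9.0/28 and the telemetry counts are constructed; the personality strings are assumed to exist in the nmap.prints file honeyd is started with.

```python
"""Storm Surge Mode: re-weight the decoy haystack from IDS telemetry and
emit a honeyd configuration for it.

Added example, not part of the original deck or of honeyd.  Assumptions: the
honeyd config grammar (create / set personality / add port / bind), a small
demonstration network, and personality strings that must match entries in the
nmap.prints file honeyd is started with.  The telemetry counts are constructed.
"""
from collections import Counter
from ipaddress import ip_network

# Decoy templates available to the haystack.
# name: (nmap personality (assumed present in nmap.prints), open TCP ports, OS family)
CATALOG = {
    "redhat_web":   ("Linux 2.4.7 (X86)",                 [22, 80, 8080],        "linux"),
    "w2k3_sql":     ("Microsoft Windows Server 2003",     [135, 139, 445, 1433], "win2k3"),
    "w2k_notes":    ("Microsoft Windows 2000 Server SP4", [135, 139, 445, 1352], "win2k"),
    "w2k_sql":      ("Microsoft Windows 2000 Server SP4", [135, 139, 445, 1433], "win2k"),
    "w2k_exchange": ("Microsoft Windows 2000 Server SP4", [25, 135, 139, 445],   "win2k"),
    "w2k_iis":      ("Microsoft Windows 2000 Server SP4", [80, 135, 139, 445],   "win2k"),
    "sol_oracle":   ("Sun Solaris 8",                     [22, 111, 1521],       "solaris"),
}

# The "standard" mix from the slide: four families, a quarter each.
BASELINE = {"redhat_web": 0.25, "w2k3_sql": 0.25, "w2k_notes": 0.25, "sol_oracle": 0.25}


def surge_weights(baseline, telemetry, catalog=CATALOG, surge_share=0.9, factor=3.0):
    """Return template -> share of the haystack after applying telemetry.

    telemetry maps OS family -> attacks seen by the IDS.  A family is
    'surging' when its share of attacks is at least `factor` times its
    share of the current decoy population.  Every catalog template of a
    surging family then splits `surge_share` of the haystack; the remaining
    baseline templates split what is left.  No surge: baseline unchanged.
    """
    decoy_share = Counter()
    for name, w in baseline.items():
        decoy_share[catalog[name][2]] += w
    total = sum(telemetry.values())
    surging = {fam for fam in decoy_share
               if total and telemetry.get(fam, 0) / total >= factor * decoy_share[fam]}
    if not surging:
        return dict(baseline)
    hot = [n for n, (_, _, fam) in catalog.items() if fam in surging]
    cold = [n for n in baseline if n not in hot]
    weights = {n: surge_share / len(hot) for n in hot}
    if cold:
        weights.update({n: (1.0 - surge_share) / len(cold) for n in cold})
    else:
        weights = {n: 1.0 / len(hot) for n in hot}
    return weights


def allocate(network, weights):
    """Map every host address in `network` to a template, honouring the
    weights with largest-remainder rounding.  Returns {ip_str: template}."""
    hosts = list(ip_network(network).hosts())
    names = sorted(weights)
    raw = {n: weights[n] * len(hosts) for n in names}
    counts = {n: int(raw[n]) for n in names}
    short = max(0, len(hosts) - sum(counts.values()))
    for n in sorted(names, key=lambda k: raw[k] - counts[k], reverse=True)[:short]:
        counts[n] += 1
    plan, i = {}, 0
    for n in names:
        for _ in range(counts[n]):
            plan[str(hosts[i])] = n
            i += 1
    return plan


def render_config(plan, catalog=CATALOG):
    """Render honeyd.conf text for an allocation plan."""
    lines = []
    for name in sorted(set(plan.values())):
        personality, ports, _ = catalog[name]
        lines.append(f"create {name}")
        lines.append(f'set {name} personality "{personality}"')
        lines.append(f"set {name} default tcp action reset")
        lines.append(f"set {name} default udp action reset")
        lines.extend(f"add {name} tcp port {p} open" for p in ports)
    lines.extend(f"bind {ip} {name}" for ip, name in plan.items())
    return "\n".join(lines) + "\n"


# Constructed telemetry: a spike in attacks against Windows 2000 hosts.
TELEMETRY = {"win2k": 900, "win2k3": 50, "linux": 40, "solaris": 10}

if __name__ == "__main__":
    print(render_config(allocate("10.9.9.0/28", surge_weights(BASELINE, TELEMETRY))))
```

With the constructed telemetry the four Windows 2000 templates take 22.5% of the haystack each and the three remaining baseline templates share the last 10%; with an unremarkable telemetry mix the baseline comes back unchanged. On a /8 you would generate the bind lines for the whole range, or carry the bulk on honeyd's default template and bind only the exceptions, rather than the 14 lines the demonstration network produces.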
The fun has just begun…
• Virtual honeynets: make legitimate servers look like bogus servers
• Make all servers (fake & real) look identical
• BFH in your internal network
  • Malware outbreaks see your network as 16 million hosts
  • Ability to detect worms while slowing their spread by 600x
• If all Class A, B & C networks ran BFH:
  • Every unused address in the roughly 3.76 billion class A, B and C addresses would answer as a bogus host
  • Port scans & profiling a thing of the past
  • Worms and script kiddies would be economically infeasible
Where to get started?
Switching models will take time… What do we do in the interim?
Turning the tide: Resilient systems
• Server & desktop hardened images
• Security templates – lock down desktops
• Server-based authentication – PKI
• Host-based intrusion detection
• Centralized logging
• Out-of-band server management
• Honeypots / honeynets / tarpits
• Camouflage and deception in the DMZ
• Consider layer 2 validation / walled garden
Turning the tide: People
• Security is a people problem, not a technical problem
• Hire and train smart, security-minded people to run your networks and servers
• Reward security:
  • Establish benchmarks & vulnerability metrics
  • Create confidentiality & integrity metrics & SLAs
  • Audit against the benchmarks
  • Include security as a major salary/bonus modifier
  • Job descriptions must incorporate security objectives
• Train developers, architects & BAs on how to develop secure systems
• Treat security breaches & cracking tools like weapons or drugs in the workplace – a "zero tolerance" policy?
Turning the tide: Process
• Assess risk & vulnerability: BIA
• Include security in feature sets & requirements
• Segregation of developers, testers & production, and particularly production support from source code
• Change management & access rights
• Certification & accreditation
  • Engage the security team in the charter & proposal phase
  • Bake security into the systems lifecycle
  • Require sponsor risk acceptance & authorization
  • Embed accreditation into change control
• Include security in contract review and ROI
• Configuration management → security patch lists
Summary
• Use firewalls, but as one of many tools
• Start network security with people, process and host security
• Think outside the box when developing security architectures
• Be prepared to dump your perimeter
• Focus on malleable networking
• Protect assets according to their value
Q&A
Copyright FarWorks & Gary Larson
Contact information
Dan Houser, CISSP, CISM, ISSAP
dan.houser@gmail.com
See the Submarine Warfare article: http://tinyurl.com/nwk7
This slide deck is available on my (lame) homepage: http://web.infosec-forum.org/Members/ddhouser

More Related Content

PDF
ECSA Cyber Security Conference 2011
PDF
Web Application Detection with SNORT
PDF
Vulnerability Assessment, Physical Security, and Nuclear Safeguards
PPTX
Safetower demo presetation1
PPTX
Safetower demo presetationcompressed
PDF
Total Defense Product Information
PPTX
Agile Chennai 2022 - Shyam Sundar | Everything there is to know about Cyber s...
PDF
During the Next Generation Network and Data Centre โ€“ Now and into the Future ...
ECSA Cyber Security Conference 2011
Web Application Detection with SNORT
Vulnerability Assessment, Physical Security, and Nuclear Safeguards
Safetower demo presetation1
Safetower demo presetationcompressed
Total Defense Product Information
Agile Chennai 2022 - Shyam Sundar | Everything there is to know about Cyber s...
During the Next Generation Network and Data Centre โ€“ Now and into the Future ...

Similar to Perimeter Defense in a World Without Walls (20)

PPT
Castle Presentation 08-12-04
PPT
Cyber security innovation imho
PPTX
4 Easy Steps for Increased Industrial Cybersecurity
PDF
CONFidence2015: Real World Threat Hunting - Martin Nystrom
ย 
PDF
The importance of Cybersecurity
PDF
Advanced red teaming all your badges are belong to us
PDF
SecurityOperations
PDF
Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US ...
PPTX
Security Operations in the Cloud
ย 
PPTX
Fortinet Tanฤฑtฤฑm
PDF
8 Ocak 2015 SOME Etkinligi - Cisco Next Generation Security
PPTX
Acorn Recovery: Restore IT infra within minutes
PDF
Cyber Hacking & Security - IEEE - Univ of Houston 2015-04
PDF
CyberSecurity - UH IEEE Presentation 2015-04
PPTX
Zscaler Smokescreen Smoke Screen Foundation
PDF
HITCON FreeTalk 20240726 - Dark side of the Force - ๆŽข็ดขๆš—็ถฒๅจ่„…ใ€ ่ญฐ้กŒไธ‰๏ผš่—้šŠ็š„ๆš—็ถฒไบ‹ไปถๆ‡‰่ฎŠๅฎˆๅ‰‡ใ€‘
PPTX
VoIP Security 101 what you need to know
PDF
Identity Providers-as-a-Service built as Cloud-of-Clouds: challenges and oppo...
PDF
The Next Generation Security
PPTX
best_practices_for_preventing_and_recovering_from_ransomeware_240612 (1).pptx
Castle Presentation 08-12-04
Cyber security innovation imho
4 Easy Steps for Increased Industrial Cybersecurity
CONFidence2015: Real World Threat Hunting - Martin Nystrom
ย 
The importance of Cybersecurity
Advanced red teaming all your badges are belong to us
SecurityOperations
Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US ...
Security Operations in the Cloud
ย 
Fortinet Tanฤฑtฤฑm
8 Ocak 2015 SOME Etkinligi - Cisco Next Generation Security
Acorn Recovery: Restore IT infra within minutes
Cyber Hacking & Security - IEEE - Univ of Houston 2015-04
CyberSecurity - UH IEEE Presentation 2015-04
Zscaler Smokescreen Smoke Screen Foundation
HITCON FreeTalk 20240726 - Dark side of the Force - ๆŽข็ดขๆš—็ถฒๅจ่„…ใ€ ่ญฐ้กŒไธ‰๏ผš่—้šŠ็š„ๆš—็ถฒไบ‹ไปถๆ‡‰่ฎŠๅฎˆๅ‰‡ใ€‘
VoIP Security 101 what you need to know
Identity Providers-as-a-Service built as Cloud-of-Clouds: challenges and oppo...
The Next Generation Security
best_practices_for_preventing_and_recovering_from_ransomeware_240612 (1).pptx
Ad

More from Dan Houser (20)

PPT
MFA, 42 & Compliance - Answers to the Wrong Questions
PPTX
Protect passwords - User Awareness Training
PPTX
Cryptography Overview Presentation circa 2005
PPTX
RSA2003: Forget Firewalls - early Zero Trust
PPTX
Digital Deception: Raising the Stakes on Hackers
PPTX
The Hidden Enemy Within - Why Ungoverned Data is Such a Big Problem
PPT
RSA2008: Sins of our Fathers, for which we still are punished
PPTX
Now More than Ever: Ethics in Cybersecurity
PPT
RSA 2005 H&T: Die Script Kiddie! Die, Die, Die!
PPTX
Crypto in the Real World - ISACA 10-Jan-2008
PPT
Power Up your LinkedIn Profile, Effectively Highlight your Branc
PPTX
My Baby Done Bad Crypto - My Sweet Baby Done Me Wrong
PPTX
The Death of Best-of-Breed - Leveraging Cloud for Security Transformation
PPTX
2024 Security Outlook & Essential Security Practices
PPTX
Hacking and Armoring Identity Ecosystems: When MFA Isn't Good Enough Any Longer
PPTX
Driving Change and Resilience: Aligning Cybersecurity with Organizational St...
ODP
2013 (ISC)ยฒ Congress: This Curious Thing Called Ethics
PPTX
Securing Big Data and the Grid
PPT
RSA2008: What Vendors Wonโ€™t Tell You About Federated Identity
PPT
The Challenges & Risks of New Technology: Privacy Law & Policy
MFA, 42 & Compliance - Answers to the Wrong Questions
Protect passwords - User Awareness Training
Cryptography Overview Presentation circa 2005
RSA2003: Forget Firewalls - early Zero Trust
Digital Deception: Raising the Stakes on Hackers
The Hidden Enemy Within - Why Ungoverned Data is Such a Big Problem
RSA2008: Sins of our Fathers, for which we still are punished
Now More than Ever: Ethics in Cybersecurity
RSA 2005 H&T: Die Script Kiddie! Die, Die, Die!
Crypto in the Real World - ISACA 10-Jan-2008
Power Up your LinkedIn Profile, Effectively Highlight your Branc
My Baby Done Bad Crypto - My Sweet Baby Done Me Wrong
The Death of Best-of-Breed - Leveraging Cloud for Security Transformation
2024 Security Outlook & Essential Security Practices
Hacking and Armoring Identity Ecosystems: When MFA Isn't Good Enough Any Longer
Driving Change and Resilience: Aligning Cybersecurity with Organizational St...
2013 (ISC)ยฒ Congress: This Curious Thing Called Ethics
Securing Big Data and the Grid
RSA2008: What Vendors Wonโ€™t Tell You About Federated Identity
The Challenges & Risks of New Technology: Privacy Law & Policy
Ad

Recently uploaded (20)

PDF
Automated vs Manual WooCommerce to Shopify Migration_ Pros & Cons.pdf
PPTX
Introuction about WHO-FIC in ICD-10.pptx
PDF
Sims 4 Historia para lo sims 4 para jugar
PPTX
Digital Literacy And Online Safety on internet
PDF
WebRTC in SignalWire - troubleshooting media negotiation
PPTX
introduction about ICD -10 & ICD-11 ppt.pptx
PDF
๐Ÿ’ฐ ๐”๐Š๐“๐ˆ ๐Š๐„๐Œ๐„๐๐€๐๐†๐€๐ ๐Š๐ˆ๐๐„๐‘๐Ÿ’๐ƒ ๐‡๐€๐‘๐ˆ ๐ˆ๐๐ˆ ๐Ÿ๐ŸŽ๐Ÿ๐Ÿ“ ๐Ÿ’ฐ
ย 
PPTX
international classification of diseases ICD-10 review PPT.pptx
PPTX
Introduction to Information and Communication Technology
PPTX
522797556-Unit-2-Temperature-measurement-1-1.pptx
PDF
An introduction to the IFRS (ISSB) Stndards.pdf
PPTX
Module 1 - Cyber Law and Ethics 101.pptx
PPTX
Introduction about ICD -10 and ICD11 on 5.8.25.pptx
PDF
Decoding a Decade: 10 Years of Applied CTI Discipline
PDF
Testing WebRTC applications at scale.pdf
PDF
Unit-1 introduction to cyber security discuss about how to secure a system
PPTX
PptxGenJS_Demo_Chart_20250317130215833.pptx
PDF
Paper PDF World Game (s) Great Redesign.pdf
PPTX
QR Codes Qr codecodecodecodecocodedecodecode
PDF
Best Practices for Testing and Debugging Shopify Third-Party API Integrations...
Automated vs Manual WooCommerce to Shopify Migration_ Pros & Cons.pdf
Introuction about WHO-FIC in ICD-10.pptx
Sims 4 Historia para lo sims 4 para jugar
Digital Literacy And Online Safety on internet
WebRTC in SignalWire - troubleshooting media negotiation
introduction about ICD -10 & ICD-11 ppt.pptx
๐Ÿ’ฐ ๐”๐Š๐“๐ˆ ๐Š๐„๐Œ๐„๐๐€๐๐†๐€๐ ๐Š๐ˆ๐๐„๐‘๐Ÿ’๐ƒ ๐‡๐€๐‘๐ˆ ๐ˆ๐๐ˆ ๐Ÿ๐ŸŽ๐Ÿ๐Ÿ“ ๐Ÿ’ฐ
ย 
international classification of diseases ICD-10 review PPT.pptx
Introduction to Information and Communication Technology
522797556-Unit-2-Temperature-measurement-1-1.pptx
An introduction to the IFRS (ISSB) Stndards.pdf
Module 1 - Cyber Law and Ethics 101.pptx
Introduction about ICD -10 and ICD11 on 5.8.25.pptx
Decoding a Decade: 10 Years of Applied CTI Discipline
Testing WebRTC applications at scale.pdf
Unit-1 introduction to cyber security discuss about how to secure a system
PptxGenJS_Demo_Chart_20250317130215833.pptx
Paper PDF World Game (s) Great Redesign.pdf
QR Codes Qr codecodecodecodecocodedecodecode
Best Practices for Testing and Debugging Shopify Third-Party API Integrations...

Perimeter Defense in a World Without Walls

  • 1. ยฉCopyright 2005 โ€“ Daniel D. Houser Perimeter Defense in aPerimeter Defense in a World Without WallsWorld Without Walls Central Ohio ISSACentral Ohio ISSA Dan Houser, CISSP, CISMDan Houser, CISSP, CISM March 16, 2005
  • 2. 2 OverviewOverview ๏ฎ Classic firewall perspectiveClassic firewall perspective ๏ฎ Where firewalls fall shortWhere firewalls fall short ๏ฎ Changes in the security spaceChanges in the security space ๏ฎ Suggestions for improving network securitySuggestions for improving network security ๏ฎ Strategic visionStrategic vision ๏ฎ Tactical focusTactical focus ๏ฎ Q&AQ&A This presentation is designed to be the visit through theThis presentation is designed to be the visit through the looking glassโ€ฆ Thinking about perimeter security with alooking glassโ€ฆ Thinking about perimeter security with a different perspective.different perspective.
  • 3. 3 Fortress mentalityFortress mentality NetworkNetwork implementation ofimplementation of physical barriersphysical barriers Designed withDesigned with overlapping, visible,overlapping, visible, impenetrableimpenetrable barriersbarriers Classic perimeter securityClassic perimeter security Atlantic Wall
  • 4. 4 Classic firewall/DMZ designClassic firewall/DMZ design ExternalExternal Throne Room Outer Courtyard Inner Courtyard
  • 5. 5 Assumptions of theAssumptions of the classic perimeter security modelclassic perimeter security model ๏ฎ Attackers are outside trying toAttackers are outside trying to break inbreak in ๏ฎ Attackers cannot breach the wallAttackers cannot breach the wall ๏ฎ Attackers are identified by guardsAttackers are identified by guards ๏ฎ Guards are loyalGuards are loyal ๏ฎ All contact comes through singleAll contact comes through single pathpath Unfortunately, these are all wrong.Unfortunately, these are all wrong.
  • 6. 6 RealityReality ๏ฎ Most attackers are insideMost attackers are inside ๏ฎ Attackers can breach the wallAttackers can breach the wall ๏ฎ Guards canโ€™t identify allGuards canโ€™t identify all attackersattackers ๏ฎ Guards can be subvertedGuards can be subverted ๏ฎ Communication over MANYCommunication over MANY pathspaths
  • 7. 7 Reality: Many communication pathsReality: Many communication paths Business partners Affiliates Subsidiaries Telecommuters On-site Consultants Support Technicians Off-site Consultants ?? ?? ?? Spybots Spyware / Adware Spyware / Adware
  • 8. 8 Red Queen raceRed Queen race โ€œโ€œYou have to run faster and faster just to stayYou have to run faster and faster just to stay in the same place!โ€in the same place!โ€ โ€“โ€“ The Red Queen,The Red Queen, Alice in WonderlandAlice in Wonderland Image courtesy www.rushlimbaugh.com
  • 9. 9 CERT Statistics 1990 - 2Q2004 0 50000 100000 150000 200000 250000 300000 19 9 0 1 9 9 2 1 9 9 4 1 9 9 6 1 9 9 8 2 0 0 0 2 0 0 2 20 0 4 Incidents Information courtesy CERTยฎ/CC, Statistics 1988-2004, http://www.cert.org/stats/cert_stats.html Red Queen raceRed Queen race
  • 10. Red Queen race
    - Web Services Security is changing the rules:
        - Outsourced authentication (federated)
        - Extranet access to core systems
        - RPC calls over HTTP using XML & SOAP
        - Offshore services, data processing
    - Highly connected networks
    - Very tight business integration
    In short, there is no network perimeter.
  • 11. New paradigms are needed
    We must migrate from ground-based warfare to a model that fits information warfare.
    "He who does not learn from history is doomed to repeat it."
    - The Maginot Line was bypassed
    - The Atlantic Wall was pierced and defeated
    - The Great Wall provided only partial protection
    - The Alamo fell to a massive attack
  • 12. New paradigm: Submarine warfare
    In submarine warfare…
    - Everyone is an enemy until proven otherwise
    - All contacts are tracked and logged
    - Hardened autonomous systems
    - Rules of engagement govern all response
    - Constant vigilance
    - Identify Friend or Foe (IFF) becomes vital
    - Hunter-killer units vital to protect strategic investments – offensive as well as defensive players
    - Environment "listeners" for ASW and tracking
    - Evade detection, hound and confuse the enemy
  • 13. How does Submarine Warfare translate into InfoWarfare?
    Harden all devices, not just DMZ
    - Use of hardened kernels for all servers
    - Harden all systems and run minimal services
    Minimal installations on desktops
    - Dumb terminals where available
    - Provide Office tools to knowledge workers only
    - Strip unneeded capabilities from kiosks
    - Remove the ability to install software
    Analyze traffic, not just headers
    - Application-based firewalls
    - XML Filtering
  • 14. How does Submarine Warfare translate into InfoWarfare?
    Segregate boot camp from the theatre of operations
    - VLAN development, test, DR & production
    - Make change control your code firewall
    - Only change control spans 2 security zones
    - Production support segregated from source code
    - Endpoint compliance / Walled Garden
    Core network becomes the DMZ
    - Since most attacks are from within, make cubicles a DMZ
    - Create hardened subnets for accounting, HR, IT, operations
    - Publish intranets in the DMZ
  • 15. Network segmentation: Crunchy on the outside and the middle
    (Diagram. Source: Information Security Magazine, "Network Security: Submarine Warfare", Dan Houser, 2003, http://tinyurl.com/nwk7)
  • 16. How does Submarine Warfare translate into InfoWarfare?
    Heavy use of crypto for IFF functions
    - Accelerators & HSM will be key technologies
    - Require all packets to be signed (e.g. Kerberos)
    - Certificate revocation for intrusion prevention
    - Network PKI becomes mission critical at layer 2
    - Emerging products for Layer 2 auth – TNT/Endforce
    Network IDS is key
    - Analyzing packets for IFF analysis, heuristics
    - ISP pre-filtered IDS
    - Analog threat tagging
    - Identifying and tracking intruders
    - Isolating subnets with hostile traffic
    - Revoke certificates for hostile servers
    - Vectoring CIRT
  • 17. How does Submarine Warfare translate into InfoWarfare?
    Tiger teams and internal search & seizure
    - Businesses can't afford rogue servers
    - Zero tolerance policy for hacking
    - Ethical hackers, capture the flag & war games: A&P
    - Vulnerability assessment teams
    Drill and war games
    - Red teams – capture the flag
    - Blue teams – learn from red teams, patch vulnerabilities
    Highly trained staff becomes core competency
    - Training
    - Education
    - Employee retention
  • 18. How does Submarine Warfare translate into InfoWarfare?
    "All warfare is based on deception." – Sun Tzu
    Confuse and harass attackers… Make your real servers look bogus
    - Save all .ASP code as .CGI files, perl as .ASP
    - Configure responses from Apache that mimic IIS
    - Open dummy NetBIOS ports on Unix servers
    - Use unpredictable ports: run SSH on 19384
    - Call your database server "Firewall"
    - Route bogus traffic to IDS network
  • 19. How does Submarine Warfare translate into InfoWarfare?
    Further deception techniques
    - Perception management
    - Low profile facilities
    - Red Herring accounts
    - Minimalistic error messages (or fake error messages)
    - Temporary blindness – ignoring misbehaving nodes
    - Deceptive websites: false configs & backdoors
    See Fred Cohen's site: www.all.net
  • 20. Internet attacks have changed…
    (Photo courtesy NASA)
  • 21. Old school attack
    - Lone interloper targets major firm
    - Studies publicly available information
    - Hangs out at local pub, befriends sales team
    - Dumpster dives to obtain manuals, phone lists
    - Uses war-dialer to find modems & remote hosts
    - Uses social engineering to obtain passwords
    - Dials up hosts, logs in, mayhem & mischief
  • 22. "Modern" attack
    - Lone interloper targets IP range
    - Downloads script kiddy tools
    - Scans IP range looking for vulnerable hosts
    - Port scans hosts looking for exploitable services
    - Uses exploit tool, mayhem & mischief
    Target selection now a target of opportunity… indiscriminate attack
  • 23. Worms hit 10,000 networks at once…
    (Photo courtesy The Weather Channel)
  • 24. What we need is early warning
    (Photo courtesy NASA)
  • 25. Hide in the open: Honeyd + arpd
    - Low-interaction virtual honeypot
    - honeyd with arpd creates virtual network
    - Create server that emulates address range: 10.x.x.x, 192.168.x.x, public IP range
    - Listen on all ports
    - Emulate good hosts: MS-Exchange, Solaris/Oracle, MS-SQL, RedHat/Apache/Tomcat, WinXP Pro
    - Emulate bad boxes: botnet servers, Warez server, trojaned workstations, Win95 workstation, backdoor
  • 26. Hide in the open: Honeyd + arpd
    - Convert unused address space into decoy tripwire nets - 16,320,000 decoys to 200 "real" servers
    - Stop swallowing packets: route unreachable hosts to the virtual honeynet
    - 190,000 decoys per "real" server = 99.9995% detection
    - Any hits are malicious – route to IDS / IPS
    - Research attack profile.
    - Block attackers for 1 hour, 2 hours, 24 hours, 1 week.
    - You've gained breathing room to respond to real attacks
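The tripwire logic from slides 25 and 26, as an added example (not code from the talk or from honeyd): any contact with decoy address space is treated as hostile, repeat offenders climb the 1 h / 2 h / 24 h / 1 week block schedule, and the decoy-to-real ratio gives the per-probe detection probability. The log lines are constructed in honeyd packet-log style, and the 10.0.0.0/8 decoy range and the block schedule are assumptions taken from the slides.

```python
"""Decoy tripwire-net handling (added example; not the talk's or honeyd's code).

Assumptions (constructed for illustration): honeyd-style packet log lines of
the form "<timestamp> <proto> S <src> <sport> <dst> <dport> [<os guess>]",
10.0.0.0/8 is the decoy net, and 192.0.2.0/24 stands in for real servers.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Escalating quarantine schedule from the slide: 1 hour, 2 hours, 24 hours, 1 week.
BLOCK_SCHEDULE = [timedelta(hours=1), timedelta(hours=2),
                  timedelta(hours=24), timedelta(weeks=1)]

DECOY_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed decoy tripwire range

# Constructed sample log (honeyd -l style); not captured from a real sensor.
SAMPLE_LOG = """\
2005-03-16-10:22:31.0001 tcp(6) S 198.51.100.7 4321 10.17.3.9 445 [Windows XP SP1]
2005-03-16-10:22:31.0420 tcp(6) S 198.51.100.7 4322 10.17.3.10 445 [Windows XP SP1]
2005-03-16-10:23:05.1000 tcp(6) S 203.0.113.44 51000 192.0.2.10 80 [Linux 2.4]
2005-03-16-11:40:00.0000 tcp(6) S 198.51.100.7 4400 10.200.1.1 1433 [Windows XP SP1]
"""


def parse_line(line):
    """Return (timestamp, src, dst, dport) for one honeyd-style log line."""
    ts, _proto, _flag, src, _sport, dst, dport, *_ = line.split()
    when = datetime.strptime(ts[:19], "%Y-%m-%d-%H:%M:%S")
    return when, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)


def decoy_detection_probability(decoys_per_real):
    """Chance that one random probe lands on a decoy rather than a real host.
    190,000 decoys per real server gives the slide's 99.9995%."""
    return decoys_per_real / (decoys_per_real + 1)


def process_log(log_text):
    """Every hit on decoy space is hostile ("any hits are malicious").  A source
    whose previous block has expired and that hits a decoy again moves one step
    up BLOCK_SCHEDULE.  Returns (src, dst, dport, block duration) per new block."""
    offences = defaultdict(int)   # src -> number of distinct offences so far
    block_expiry = {}             # src -> time its current block lapses
    events = []
    for line in log_text.splitlines():
        when, src, dst, dport = parse_line(line)
        if dst not in DECOY_NET:
            continue              # traffic to a real server: not a tripwire hit
        if src in block_expiry and when < block_expiry[src]:
            continue              # already quarantined; nothing new to decide
        step = min(offences[src], len(BLOCK_SCHEDULE) - 1)
        offences[src] += 1
        block_expiry[src] = when + BLOCK_SCHEDULE[step]
        events.append((str(src), str(dst), dport, BLOCK_SCHEDULE[step]))
    return events
```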
  • 27. Hide in the open: Big freakin' haystack
    (Diagram labels: Router, Real Network, BFH, Honeyd Emulator, Honeycomb, IDS, Distributed Config, IPS)
  • 28. Hide in the open
  • 29. The fun has just begun…
    LaBrea: SYN/ACK, TCP Window size = 0 (wait)
    - Load LaBrea to freeze a scan, run on random port
    - Freezes Windows-based scanners up to 4 minutes
    - Scanning 10,000 hosts takes 27 days.
    - Detecting 100 unpublished hosts in Class A would take approximately 112 years
    Disclaimer: This may be illegal in your municipality. I am not a lawyer. Talk to one.
  • 30. The fun has just begun… Storm Surge Mode: active re-configuration
    - Suppose your "standard" BFH net emulates:
        25% Apache/Tomcat on RedHat 7
        25% Microsoft SQL on Win2003 Server
        25% Lotus Notes/Domino on Win2k Server
        25% Oracle 9i on Solaris
    - IDS telemetry reports spike in Win2k attacks
    - BFH configuration changes:
        30% Microsoft SQL on Win2k Server
        30% Exchange on Win2k Server
        30% IIS on Win2k Server
        10% Allocated among 30 other server/workstation images
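Storm Surge Mode carried through in code, as an added example that is not from the talk or from honeyd: the baseline and surge mixes are the slide's percentages, a simple telemetry rule (attacks on one platform at three times its hourly average) picks the surge profile, and the chosen mix is spread deterministically over a decoy pool as honeyd `bind <ip> <template>` lines. The template names, the threshold rule and the 10.0.0.0/24 pool are assumptions; the `bind` line syntax is honeyd's.

```python
"""Storm Surge Mode: re-weight decoy templates from IDS telemetry and emit
honeyd bind lines (added example; not the talk's or honeyd's own code).

Assumptions: template names and the 3x-average spike rule are this example's;
percentages are the slide's; 'bind <ip> <template>' is honeyd config syntax.
"""
import ipaddress
from collections import Counter

BASELINE_MIX = {"apache_rh7": 25, "mssql_win2003": 25,
                "domino_win2k": 25, "oracle_solaris": 25}
# Surge profile for a spike in Win2k attacks, straight from the slide.
WIN2K_SURGE_MIX = {"mssql_win2k": 30, "exchange_win2k": 30,
                   "iis_win2k": 30, "other_images": 10}
SURGE_PROFILES = {"win2k": WIN2K_SURGE_MIX}


def choose_mix(telemetry, baseline=BASELINE_MIX, threshold=3.0):
    """telemetry: {platform: (attacks this hour, hourly average)}.  Pivot to a
    surge profile when some platform's rate is >= threshold x its average."""
    for platform, (now, average) in telemetry.items():
        if average > 0 and now / average >= threshold and platform in SURGE_PROFILES:
            return SURGE_PROFILES[platform]
    return baseline


def allocate(mix, decoy_net):
    """Spread templates over every host address of decoy_net in proportion to
    mix, using largest-remainder rounding so each address gets exactly one
    template.  Returns honeyd-style 'bind <ip> <template>' lines in order."""
    assert sum(mix.values()) == 100, "mix must total 100%"
    hosts = list(ipaddress.ip_network(decoy_net).hosts())
    total = len(hosts)
    quotas = {t: (pct * total) // 100 for t, pct in mix.items()}
    leftover = total - sum(quotas.values())
    # Hand the unrounded addresses to the templates with the largest remainders.
    by_remainder = sorted(mix.items(), key=lambda kv: -((kv[1] * total) % 100))
    for template, _pct in by_remainder[:leftover]:
        quotas[template] += 1
    lines, idx = [], 0
    for template, count in quotas.items():
        for ip in hosts[idx:idx + count]:
            lines.append(f"bind {ip} {template}")
        idx += count
    return lines


def template_counts(lines):
    """Count how many addresses each template was bound to."""
    return Counter(line.split()[2] for line in lines)
```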
  • 31. The fun has just begun…
    - Virtual honeynets: Make legitimate servers look like bogus servers.
    - Make all servers (fake & real) look identical
    - BFH in your internal network
    - Malware outbreaks see your network with 16 million hosts
    - Ability to detect worms while slowing spread by 600x
    - If all Class A, B & C networks ran BFH:
        - Emulation of 12,493,209,429,306 bogus hosts
        - Port scans & profiling a thing of the past
        - Worms and script kiddies would be economically infeasible.
  • 32. Where to get started?
    Switching models will take time… What do we do in the interim?
  • 33. Turning the tide: Resilient systems
    - Server & desktop hardened images
    - Security templates – lock down desktops
    - Server-based authentication – PKI
    - Host-based intrusion detection
    - Centralized logging
    - Out-of-band server management
    - Honeypots / honeynets / tarpits
    - Camouflage and deception in DMZ
    - Consider Layer 2 validation / Walled Garden
  • 34. Turning the tide: People
    - Security is a people problem, not a technical problem
    - Hire and train smart, security-minded people to run your networks and servers
    - Reward security:
        - Establish benchmarks & vulnerability metrics
        - Create confidentiality & integrity metrics & SLAs
        - Audit against the benchmarks
        - Include security as major salary/bonus modifier
    - Job descriptions must incorporate security objectives
    - Train developers, architects & BAs on how to develop secure systems
    - Equate security breaches & cracking tools like weapons or drugs in the workplace – a "zero tolerance" policy?
  • 35. Turning the tide: Process
    - Assess risk & vulnerability: BIA
    - Include security in feature sets & requirements
    - Segregation of Developers, Testers & Production, and particularly Prod Support from source code
    - Change management & access rights
    - Certification & Accreditation
    - Engage security team in charter & proposal phase
    - Bake security into the systems lifecycle
    - Require sponsor risk acceptance & authorization
    - Embed accreditation into change control
    - Include security in contract review and ROI
    - Configuration Management → security patch lists
  • 36. Summary
    - Use firewalls, but as one of many tools
    - Start network security with people, process and host security
    - Think outside the box when developing security architectures
    - Be prepared to dump your perimeter
    - Focus on malleable networking
    - Protect assets according to their value
  • 38. Contact information
    Dan Houser, CISSP, CISM, ISSAP
    dan.houser@gmail.com
    See Submarine Warfare article: http://tinyurl.com/nwk7
    This slide available on my (lame) homepage: http://web.infosec-forum.org/Members/ddhouser