
© 2001, Cisco Systems, Inc. All rights reserved.

SAFE: A Security Blueprint for e-Business

Joshua McCloud, [email protected]

Agenda

• Anatomy of Network Attacks

• Introducing: SAFE

• SAFE Network Design

• Cisco Security & VPN Products

• Security Certifications


Anatomy of Network Attacks


Disclaimer

“This presentation provides a tit for tat description of a fictional electronic war between an irritable yet determined cracker and an overworked, but well funded, IT staff. Any similarities to your customer’s environments are purely coincidental.

Cisco does not recommend such reactionary security design. Rather we suggest you base designs on the Cisco SAFE white papers for a systematic approach to security design.”

The Authors at Cisco Systems

The Aggressor

• Scott Daniels (aka n3T51ay3r)
  College age, too much free time
  Two notches above “script kiddie”
  Recently banned from netgamesrus.com for cheating on their latest game “Xtreme Secret Agent”
  Wants revenge

The Defenders

• Netgamesrus.com
  Web-based gaming company
  Experienced explosive growth and hasn’t had much time to think about security
  IT staff is minimal, and most have occupied their time play testing their newest creation
  Just went through a second round of funding that hasn’t been spent yet

Initial Solution

• Router only provides WAN connectivity

• FW is concerned with internal net

(Diagram: Internet; Netgamesrus.com with Public Hosts (WWW, DNS, SMTP, FTP) and Internal Net)

In My Sleep

• Scan ports and vulnerabilities to find target

• Outdated bind discovered on web server

• Root privilege obtained, logs cleaned, and root kit installed

• “You are so owned”

BIND – Berkeley Internet Name Domain (DNS); buffer overflow vulnerability


Scanning Tools

http://www.insecure.org/nmap/

Quick Fix

• A player with scanning software happens to find your host is compromised and tattles

• Turn off unwanted services

• Rinse and repeat (for all the hosts)

• Move public services off third leg of firewall for service isolation

Hey, What Happened?

• What happened to “my” system?

• Rescan
  There are fewer services available
  Services are patched

• Wait for “new” vulnerability posting on net (no hurry…)

Odds in My Favor

• Exploit latest vulnerability (a race)

• Reinstall rootkit, clean logs

• Download additional attack tools (getting angry)

• Scan isolated service network and internal net

• Own more public hosts

Raise the Bar

• Internal scan finds compromised hosts

• Fix and rebuild hosts

• Install network IDS

• Turn on liberal shunning and TCP resets
  Most signatures
  Reconfigure ACLs on the router

NIDS Response

  7100he#show access-list
  Extended IP access list 197
      permit ip host 10.1.1.20 any
      deny ip host 112.70.126.43 any
      deny ip host 96.193.155.79 any
      deny ip host 40.232.39.97 any
      deny ip host 220.64.150.28 any
      deny ip host 50.19.117.109 any
      deny ip host 176.82.33.85 any
      deny ip host 196.161.217.4 any
      deny ip host 111.100.101.15 any
      deny ip host 130.234.112.89 any
      deny ip host 243.68.1.8 any
      deny ip host 59.93.177.47 any
      deny ip host 239.213.208.158 any
      deny ip host 204.170.43.113 any

Lost Tone Again?

• Services found, though patched again

• Run vulnerability scans but inconsistent response

• Pings also blocked

• A “friend” observes the same result

• Drats…what’s going on?

IT Success!

• Scan and exploit attempts captured

• Shunning worked

Stick IDS

• Researched behavior, NIDS and shunning assumed

• Find method to defeat NIDS — Stick & Whisker utility
  http://www.eurocompton.net/stick/
  http://www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html
  Overwhelms shunning capability

• Launch Stick/Whisker, re-exploit hosts, install toys

Stick Tool

  [root@sconvery-lnx stick]# ./stick -h
  Usage: stick [sH ip_source] [sC ip_class_C_spoof] [sR start_spoof_ip end_spoof_ip]
               [dH ip_target] [dC ip_class_C_target] [dR start_target_ip end_target_ip]
  -------------------------------------------------------------------------
  defaults destination to 10.0.0.1 and source default is 0.0.0.0-255.255.255.255
  Software Design for limitted Stress Test capablity.

  [root@sconvery-lnx stick]# ./stick dH 12.1.1.1
  Destination target value of: 101010c
  Stress Test - Source target is set to all 2^32 possiblities
  sending rule 496
  sending rule 979
  sending rule 896
  sending rule 554
  sending rule 735
  sending rule 428


Whisker Tool

New Management

• Two observations
  NIDS shunning pre-FW may be overflowed so turn off shunning
  Firewall logs show download of tools on hosts

• Install NIDS in public segment and liberally shun on FW

• FW ACLs to prevent public services segment outbound sessions

• Rebuild hosts using Ghost ☺ and patch

Specific Filtering

• No outbound for Web servers

• Be specific on other access

(Diagram labels: Customer, Public Services, Internal Services, Internal Users; rule shown: Source: Public Services, Destination: Internet, Port: Any, with ok/x markings)

Lessons Learned: n3T51ay3r vs. Netgamesrus.com

• Bind hack—mitigated by patches and NIDS

• Root kit—found by scan, manually removed

• New vulnerability—found by FW logs, mitigated by patches

• Attack tool download—mitigated by outbound filtering on FW

• IDS shun DoS—stick—no shunning on NIDS in front of FW

This Is Getting Tough

• Lost tone again, must still be shunning

• Use stick again

• Still no tone???

Success Again

• NIDS alarming tracks cracker activities

• Shunning on FW working

• FW mitigates stick effects on NIDS in public services segment

The Empire Strikes Back

• What is being shunned?
  Looks like composite and atomic attacks are shunned

• Exploit poorly deployed shunning:
  Launch spoofed atomic attacks from proxy servers of large ISPs

• Now legitimate customers can’t get in!

(Diagram: Internet, Internal Net, n3T51ay3r; Proxied Customers behind Proxy Svr 50.50.50.50)

To Shun or Not to Shun

• Public exposure (due to shun problem) creates job uncertainties among the IT staff

• Perhaps shunning everything is a bad idea?
  Set shun posture to only critical multi-packet TCP attacks
  Tune IDS (shun length, false positives, alarm levels, hire staff to monitor IDS 24x7)
  Optional: Tier IDS log analysis for better attack visibility
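The tuned posture above, as an added Python model (not Cisco's code): a shun is installed only for a critical alarm whose signature requires an established TCP session, since a spoofed source cannot complete the handshake, which is what let the spoofed atomic attacks from ISP proxies get legitimate customers blocked; shuns expire after a bounded time, and the host permitted at the top of the NIDS-managed access-list (10.1.1.20, assumed here to be the management host) is never shunned. Signature names, severities and all addresses other than 10.1.1.20 and the proxy 50.50.50.50 are constructed.

```python
"""Shun-policy model for the tuned NIDS posture (added example, not Cisco code).

An atomic (single-packet) signature can fire on a spoofed source address, so
shunning on it lets an attacker get third parties such as an ISP proxy blocked.
A composite signature that only matches inside an established TCP session
implies the source completed a handshake, so it is the real peer.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Alarm:
    sig_name: str      # signature name (constructed for this example)
    src_ip: str        # apparent attacker address
    severity: str      # "low", "medium", "high" or "critical"
    composite: bool    # True if the signature needs an established TCP session
    protocol: str      # "tcp", "udp" or "icmp"


class ShunPolicy:
    """Decides whether an alarm adds a temporary shun (deny) for its source."""

    def __init__(self, never_shun, shun_seconds=900):
        # Addresses that must never be blocked; assumed here to be the management host.
        self.never_shun = [ip_network(n) for n in never_shun]
        self.shun_seconds = shun_seconds
        self._expires = {}   # src_ip -> expiry time in seconds

    def eligible(self, alarm: Alarm) -> bool:
        """Posture from the slide: only critical, multi-packet (composite) TCP attacks."""
        if alarm.severity != "critical" or not alarm.composite or alarm.protocol != "tcp":
            return False
        src = ip_address(alarm.src_ip)
        return not any(src in net for net in self.never_shun)

    def handle(self, alarm: Alarm, now: float) -> bool:
        """Apply the posture to one alarm; returns True if a shun was (re)installed."""
        self.expire(now)
        if not self.eligible(alarm):
            return False
        # A repeat offender gets its timer refreshed rather than stacked.
        self._expires[alarm.src_ip] = now + self.shun_seconds
        return True

    def expire(self, now: float) -> None:
        """Drop shuns whose timer has run out (the tuned, bounded shun length)."""
        self._expires = {ip: t for ip, t in self._expires.items() if t > now}

    def active(self, now: float):
        self.expire(now)
        return sorted(self._expires)

    def to_acl(self, now: float, permit_mgmt="10.1.1.20"):
        """Render the live shun list in the shape of the NIDS-managed access-list."""
        lines = [f"permit ip host {permit_mgmt} any"]
        lines += [f"deny ip host {ip} any" for ip in self.active(now)]
        return lines


def demo():
    """Replay constructed alarms against the tuned posture; returns the decisions."""
    policy = ShunPolicy(never_shun=["10.1.1.20/32"], shun_seconds=900)
    alarms = [
        # Spoofed single-packet alarm made to look like a large ISP's proxy:
        Alarm("ICMP Flood", "50.50.50.50", "critical", composite=False, protocol="icmp"),
        # Real intruder: exploit payload sent inside an established TCP session:
        Alarm("WEB-CGI buffer overflow", "203.0.113.77", "critical", composite=True, protocol="tcp"),
        # Stateful but low-value alarm; not worth a shun under this posture:
        Alarm("TCP port sweep", "198.51.100.9", "medium", composite=True, protocol="tcp"),
        # The management host tripping a signature must never be shunned:
        Alarm("WEB-CGI buffer overflow", "10.1.1.20", "critical", composite=True, protocol="tcp"),
    ]
    decisions = {a.src_ip: policy.handle(a, now=0.0) for a in alarms}
    return decisions, policy


if __name__ == "__main__":
    decisions, policy = demo()
    print(decisions)
    print("\n".join(policy.to_acl(now=0.0)))
```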

Try, Try Again

• Looks like they’ve got their act together
  Trying the ISP DoS again doesn’t work
  Shunning must have been tuned

• Shift gears, what CGI scripts are running on the box?


Application Layer Attacks

godzilla.d

• Found a public domain CGI in use
  Examine source code and run tools to find an unpublished vulnerability

• After substantial research, success

• Compromise web server with new toy (godzilla.d)


SANS #2: CGI

Why Me?

• Find, Ghost, and patch hosts

• Fix CGI script (with outside help)

• Post to Bugtraq (or not)
  Do we really want more visibility?

• Install host IDS on appropriate hosts

Host Intrusion Detection

• Host IDS is best installed on key servers

• Features vary per product, including watching for:
  File system
  Process table
  I/O
  System resource usage
  Memory allocation

• Actions include alarm and sometimes prevent

• Financially and operationally impractical to install on all hosts

What Happened - DDoS

• Requires an available, reliable, secure network infrastructure…

(Examples shown: Microsoft; Internet root DNS servers, Oct 21 02)

DDoS, How Does It Work?

1. Scan for systems to hack

2. Install software to scan for, compromise and infect agents

3. Agents get loaded with remote control attack software

4. Client issues commands to handlers which control agents in a mass attack

(Diagram: Client System, Handler Systems, Agent Systems)

Stacheldraht Attack

(Diagram: Client controls three Handlers, each with 25 Agents; a Legitimate Customer’s path across the Internet is marked x)

Oh My Goodness!

• So that’s what DDoS does

• Research problem and call ISP

• Request that ISP implement CAR

• Reconsider edge architecture: Should we move our e-commerce elsewhere?

• Implement RFC 1918 and 2827 filtering

• Find and read SAFE White Paper

(Diagram: Internet; Netgamesrus.com with Admin Systems, AAA Svr, Public Net and Employees)

Committed Access Rate

• Rate limiting

• Several ways to filter

• “Token bucket” implementation

(Diagram: Traffic Matching Specification → Traffic Measurement Instrumentation → Action Policy → Next Policy; token bucket with Tokens, Burst Limit, Conforming Traffic and Excess Traffic)

CAR Rate Limiting

• Limit outbound ping to 256 Kbps

  interface xy
   rate-limit output access-group 102 256000 8000 8000 conform-action transmit exceed-action drop
  !
  access-list 102 permit icmp any any echo
  access-list 102 permit icmp any any echo-reply

• Limit inbound TCP SYN packets to 8 Kbps

  interface xy
   rate-limit input access-group 103 8000 8000 8000 conform-action transmit exceed-action drop
  !
  access-list 103 deny tcp any host 142.142.42.1 established
  access-list 103 permit tcp any host 142.142.42.1

The rate-limit arguments are, in order: ACL, average rate (bps), normal burst (bytes), excess burst (bytes). Traffic can burst 8K above the 256K average for 8K worth of data.
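A token-bucket model of the two rate-limit commands above, added here as an example and not Cisco's code: it reproduces the conform/exceed decision for the slide's parameters and shows how a SYN flood and a ping flood are cut back to the committed rate while low-rate legitimate traffic passes untouched. Because both commands set the excess burst equal to the normal burst, CAR's probabilistic extended-burst behaviour never engages and is not modelled; packet sizes and arrival patterns are constructed.

```python
"""Token-bucket model of the CAR rate-limit commands above.

Added example, not Cisco code.  Units follow the IOS command: the average
rate is in bits per second, the burst sizes in bytes.  Both slide commands set
the excess burst equal to the normal burst, so CAR's probabilistic
extended-burst logic never engages and a plain token bucket gives the same
conform/exceed decision; that extended-burst case is deliberately not modelled.
Time is kept in integer milliseconds so the token arithmetic stays exact.
"""


class CarTokenBucket:
    def __init__(self, rate_bps: int, normal_burst_bytes: int):
        self.rate_bps = rate_bps
        self.depth = normal_burst_bytes            # bucket never holds more than this
        self.tokens = float(normal_burst_bytes)    # bucket starts full
        self.last_ms = 0
        self.stats = {"transmit": 0, "drop": 0}

    def offer(self, t_ms: int, size_bytes: int) -> str:
        """Offer one packet arriving at t_ms; returns the CAR action applied to it."""
        # Refill at the committed rate: bits/s -> bytes/ms is rate / 8000.
        refill = (t_ms - self.last_ms) * self.rate_bps / 8000
        self.tokens = min(self.depth, self.tokens + refill)
        self.last_ms = t_ms
        if size_bytes <= self.tokens:              # conform-action transmit
            self.tokens -= size_bytes
            self.stats["transmit"] += 1
            return "transmit"
        self.stats["drop"] += 1                    # exceed-action drop; no tokens consumed
        return "drop"


def run(bucket: CarTokenBucket, arrivals):
    """Feed (t_ms, size_bytes) arrivals through the bucket; returns (transmitted, dropped)."""
    for t_ms, size in arrivals:
        bucket.offer(t_ms, size)
    return bucket.stats["transmit"], bucket.stats["drop"]


def syn_flood_vs_8kbps():
    """access-list 103 traffic: 1000 constructed 60-byte SYNs in one second (480 kbps)
    against `rate-limit input access-group 103 8000 8000 8000`.

    The full 8000-byte bucket lets the first burst of SYNs through; afterwards the
    1 byte/ms refill admits one 60-byte SYN every 60 ms, so 149 pass and 851 drop.
    """
    car = CarTokenBucket(rate_bps=8000, normal_burst_bytes=8000)
    return run(car, [(i, 60) for i in range(1000)])


def legit_syns_vs_8kbps():
    """Ten constructed 60-byte SYNs spread over one second (4.8 kbps) never exceed."""
    car = CarTokenBucket(rate_bps=8000, normal_burst_bytes=8000)
    return run(car, [(i * 100, 60) for i in range(10)])


def ping_flood_vs_256kbps():
    """access-list 102 traffic: 1000 constructed 1500-byte echoes in one second (12 Mbps)
    against `rate-limit output access-group 102 256000 8000 8000`; only a few dozen pass."""
    car = CarTokenBucket(rate_bps=256000, normal_burst_bytes=8000)
    return run(car, [(i, 1500) for i in range(1000)])


if __name__ == "__main__":
    print("SYN flood  (tx, drop):", syn_flood_vs_8kbps())
    print("legit SYNs (tx, drop):", legit_syns_vs_8kbps())
    print("ping flood (tx, drop):", ping_flood_vs_256kbps())
```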

RFC 1918 Filtering

(Diagram: ISP Network and Customer Network; filter applied at ingress to the Internet)

  interface Serial n
   ip access-group 101 in
  !
  access-list 101 deny ip 10.0.0.0 0.255.255.255 any
  access-list 101 deny ip 192.168.0.0 0.0.255.255 any
  access-list 101 deny ip 172.16.0.0 0.15.255.255 any
  access-list 101 permit ip any any

RFC 2827 Filtering

(Diagram: ISP Network and Customer Network 142.142.0.0/16)

• Ingress packets must be from customer addresses

• Egress packets cannot be from and to customer

• Ensure ingress packets are valid

Egress from Internet:

  interface Serial n
   ip access-group 120 in
   ip access-group 130 out
  !
  access-list 120 deny ip 142.142.0.0 0.0.255.255 any
  access-list 120 permit ip any any
  !
  access-list 130 permit ip 142.142.0.0 0.0.255.255 any
  access-list 130 deny ip any any

Ingress to Internet:

  interface Serial n
   ip access-group 101 in
  !
  access-list 101 permit ip 142.142.0.0 0.0.255.255 any
  access-list 101 deny ip any any
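The RFC 1918 and RFC 2827 access-lists above evaluated in code, as an added example (not Cisco's code): it implements IOS first-match semantics with wildcard masks and the implicit deny at the end of every list, then runs constructed packets through each list. 142.142.42.1 (the host from the CAR example) stands in as the protected destination; the other addresses are constructed.

```python
"""Evaluate the RFC 1918 / RFC 2827 access-lists above against sample packets.

Added example, not Cisco code.  Implements IOS numbered-ACL semantics for the
forms used on these slides: the first matching entry wins and every list ends
in an implicit deny.  Only `ip` entries with any / host / address-wildcard
specs are handled, which is all the slide lists need.
"""
from ipaddress import IPv4Address

RFC1918_INGRESS = """\
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 permit ip any any
"""

# Customer network 142.142.0.0/16 as on the slide.
RFC2827_EGRESS_FROM_INTERNET = """\
access-list 120 deny ip 142.142.0.0 0.0.255.255 any
access-list 120 permit ip any any
!
access-list 130 permit ip 142.142.0.0 0.0.255.255 any
access-list 130 deny ip any any
"""

RFC2827_INGRESS_TO_INTERNET = """\
access-list 101 permit ip 142.142.0.0 0.0.255.255 any
access-list 101 deny ip any any
"""


def _addr(s: str) -> int:
    return int(IPv4Address(s))


def _spec(tokens, i):
    """Parse one address spec at tokens[i]; returns ((network, wildcard), next index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (_addr(tokens[i + 1]), 0), i + 2
    return (_addr(tokens[i]), _addr(tokens[i + 1])), i + 2


def parse_acls(text: str) -> dict:
    """Return {acl_number: [(action, src_spec, dst_spec), ...]} in configured order."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] != "access-list":      # skip '!' separators and blank lines
            continue
        number, action, proto = t[1], t[2], t[3]
        if proto != "ip":
            raise ValueError(f"only 'ip' entries are modelled: {line}")
        src, i = _spec(t, 4)
        dst, _ = _spec(t, i)
        acls.setdefault(number, []).append((action, src, dst))
    return acls


def _matches(addr: int, spec) -> bool:
    # Wildcard bits set to 1 are "don't care"; compare only the remaining bits.
    network, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (network & care)


def evaluate(entries, src_ip: str, dst_ip: str) -> str:
    """First-match lookup; returns 'permit' or 'deny' (implicit deny if nothing matches)."""
    s, d = _addr(src_ip), _addr(dst_ip)
    for action, src, dst in entries:
        if _matches(s, src) and _matches(d, dst):
            return action
    return "deny"


def demo():
    """Constructed packets (dst 142.142.42.1 is the CAR example's host) -> decisions."""
    a1918 = parse_acls(RFC1918_INGRESS)["101"]
    a2827 = parse_acls(RFC2827_EGRESS_FROM_INTERNET)
    isp101 = parse_acls(RFC2827_INGRESS_TO_INTERNET)["101"]
    web = "142.142.42.1"
    return {
        # RFC 1918: private sources have no business arriving from the Internet.
        "1918 src 10.1.1.20": evaluate(a1918, "10.1.1.20", web),
        "1918 src 172.31.255.9": evaluate(a1918, "172.31.255.9", web),
        "1918 src 172.32.0.1": evaluate(a1918, "172.32.0.1", web),   # outside 172.16/12
        # RFC 2827 inbound (acl 120): an Internet packet claiming a customer source is spoofed.
        "2827 in src 142.142.7.7": evaluate(a2827["120"], "142.142.7.7", web),
        "2827 in src 198.51.100.5": evaluate(a2827["120"], "198.51.100.5", web),
        # RFC 2827 outbound (acl 130, and the ISP's acl 101): only the customer prefix may leave.
        "2827 out src 142.142.42.1": evaluate(a2827["130"], web, "198.51.100.5"),
        "2827 out src 203.0.113.9": evaluate(a2827["130"], "203.0.113.9", "198.51.100.5"),
        "isp in src 203.0.113.9": evaluate(isp101, "203.0.113.9", "198.51.100.5"),
    }
```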

At the End of the Day

• n3t51ay3r:
  Used several ISPs
  Several favors
  Lots of Mountain Dew
  And lots of time

• Netgamesrus.com:
  Several admins and managers
  $200K of gear & software
  Countless patching, re-imaging, password refreshes
  Downtime and unhappy customers
  PR nightmare

Is There a Better Way?

• Comprehensive security architecture
  Have a security policy
  Technologies work together as a system
  No single point of failure
  Overwhelming defense (barriers, trip-wires, reactions)

• Skilled staff
  Prudent deployment and tuning of products
  Limit how much is learned the hard way

• Know the threat and your weaknesses
  Track threat tools and security technologies
  Proactive approach to mitigation
  Audit posture regularly

• Cheaper to pay upfront than after the fact
  Stay employed and in business!


Introducing: SAFE

Cisco SAFE

Cisco SAFE is a flexible framework that empowers companies to securely take advantage of the Internet Economy

Cisco SAFE

• Cisco SAFE outlines a blueprint for secure networking solutions

• Cisco SAFE builds on intelligent security services embedded in routers, switches, appliances and applications

• Cisco SAFE offers a rich ecosystem of products, partners and services that enable companies to implement secure e-business infrastructures today

• Cisco SAFE builds on AVVID

SAFE Positioning

Business Needs
• Analyze business requirements
• Define performance metrics

Security Policy
• Define critical resources
• Define trust model
• Define network usage policy

SAFE
• Define functional design
• Define network threat
• Define threat mitigation

Implementation
• Implement network security
• Implement application security
• Manage to security life-cycle

SAFE Enterprise Network Design Guide

Cisco SAFE Architecture Goal: Security, Resilience, Performance, Scalability, QoS Awareness, Manageability

(Diagram: Enterprise Campus with User Access, Server, Management, Core and Distribution modules; Enterprise Edge with Corporate Internet, Public Services, VPN & Remote Access and WAN modules; ISP Edge with ISP A, ISP B and PSTN modules)


SAFE Network Design

Enterprise SAFE Network

SAFE Axioms
• Routers are targets
• Switches are targets
• Hosts are targets
• Networks are targets
• Applications are targets

Design Approach
• Security through infrastructure
• Resiliency and scalability
• Secure management/reporting
• Authentication of users/operators
• Intrusion detection
• Voice/Video awareness

(Diagram: Enterprise Campus with User Access, Server, Management, Core and Distribution modules; Enterprise Edge with VPN & Remote Access, WAN and Public Services modules; ISP Edge with ISP Module)

User Access Module

(Diagram: Access Switch, PC & IP Phone, Access Point, Hand Held Device)

• Private VLANs

• Port-level Authentication

• 802.1x Dynamic WEP

• VPN Client

Threats Mitigated:

• Packet Sniffers: Switched infrastructure and VLANs limit traffic snooping

• Virus & Trojan Horse Applications: Host based virus scans eliminate most viruses and Trojan horse applications

Distribution Module

(Diagram: Distribution Switch)

Threats Mitigated:

• Unauthorized Access: Layer 3 filtering limits attacks on server module

• IP Spoofing: RFC 2827 filtering stops most spoofing attempts

Core Module

(Diagram: Core Switch)

Threats Mitigated:

• None: Relies on security deployed at edge modules

Server Modules

(Diagram: Access Switch with IDS; Internal E-mail Server, Department Server, Call Manager, Corporate Server)

Threats Mitigated:

• Unauthorized Access: Mitigated through host-based intrusion detection

• Application Layer Attacks: OS kept up to date with latest patches

• IP Spoofing: RFC 2827 filtering stops most spoofing attempts

• Packet Sniffers: Switched infrastructure and VLANs limit traffic snooping

• Trust Exploitation: Private VLANs prevent compromised devices from masquerading as management hosts

• Port Redirection: Host based IDS prevents port redirection software from being installed

VPN & Remote Access Module

(Diagram: ISP, Router (VPN Optimized), Firewall, VPN Gateway, Switch, IDS)

Threats Mitigated:

• Network Topology Discovery: Eliminates network “foot-printing”

• Password Attack: Blocks password discovery

• Unauthorized Access: Remote access connections require authentication and IPSec

E-Commerce Module

(Diagram: ISP, Router, Firewall, Switch, IDS, Application Servers, DB Servers)

Threats Mitigated:

• Unauthorized Access: Firewall blocks attempts to penetrate internal network

• Application Layer Attacks: OS kept up to date with latest patches

• Password Attacks: Blocks password discovery

• Denial of Service Attacks: CAR and Firewall help defend against DoS

• IP Spoofing: RFC 2827 filtering stops most spoofing attempts

• Trust Exploitation: Private VLANs prevent compromised devices from masquerading as management hosts

• Port Redirection: Host based IDS prevents port redirection software from being installed

• Network Topology Discovery: Eliminates network “foot-printing”

Network Management Module

(Diagram: OTP Server, Authentication Server, Network Monitoring, Security Management, Syslog 1, Syslog 2, System Administration, Terminal Server, IDS; Out-of-Band Network Management and Encrypted In-Band Network Management paths)

Threats Mitigated:

• Unauthorized Access: IOS filtering stops unauthorized traffic in both directions

• Man in the Middle Attacks: Management data crosses private network

• Password Attacks: ACS enforces strong, two-factor device authentication

• IP Spoofing: Firewall stops spoofing in both directions

• Packet Sniffers: Switched infrastructure limits effectiveness of traffic snooping

• Trust Exploitation: Private VLANs prevent compromised devices from masquerading as management hosts


Cisco Security and VPN Products

Key Components of a SAFE Module

• Security Management & Monitoring

• Identity

• Perimeter Security

• Secure Connectivity

Cisco Secure Access Control Server (Identity)

Authentication, Authorization, Accounting

• OS: Windows 2000, NT, Solaris

• RADIUS/TACACS+ server for user access control

• Interface to NT Domain, Active Directory, NDS, LDAP

• Web based management

• Vital component for access control in large scale VPN, dial, voice networks

Cisco Secure PIX Firewall Family (Perimeter Security)

• PIX 535: Very large enterprise
  500,000 Connections

• PIX 525: Large enterprise
  250,000 Connections

• PIX 515: Enterprise branch office and small-to-medium businesses
  150,000 Connections

• PIX 506: Small branch office and small businesses
  DES/3DES VPN

• PIX 501: Home office and home user
  Full PIX OS - DES/3DES VPN

Cisco IOS Firewall Feature Set (Perimeter Security)

• Enhanced, integrated security for Cisco IOS platforms
  Full-featured firewall
  Active in-line intrusion detection
  Authentication proxy
  Supports NAT, IPSec VPN
  Secure remote administration

• Strong security at low cost

• Leverages investment in Cisco infrastructure

Catalyst 6500 Firewall Module (Fabric Enabled)

• PIX 6.0 base Feature Set + some features of 6.2

• High Performance Firewall, up to OC48 or 5GB aggregate throughput

• 1 million concurrent connections

• 3 million pps

• 100K new connections/sec for HTTP, DNS

• 100 VLANs

• LAN failover active/standby (both intra/inter chassis)

• Dynamic Routing i.e. RIP, OSPF

• Supports multiple IN/OUT and DMZs

• IPSEC for management only

Cisco’s VPN Portfolio Summary (Secure Connectivity)

Cisco Provides the Industry’s Broadest VPN Solution Set!

Customer                        Remote Access                Site-to-Site                               Firewall-based
Large Enterprise                3080, 3060 Concentrators     7x VPN Routers/Cat 6k                      PIX Firewall 525, PIX Firewall 535
Medium Enterprise               3030 Concentrator            7x00, 37xx, 3600 Routers                   PIX Firewall 525, PIX Firewall 515E
Small Business/Branch Office    3015, 3005 Concentrators     3600, 2600, 1700 Routers, 800 Routers      PIX Firewall 515E, PIX Firewall 506E
SOHO Market                     VPN 3000 Client, VPN 3002    1400 DSL Modem, uBR 925 Cable Modem        PIX Firewall 506E, PIX Firewall 501

Catalyst 6500 VPN Module (Fabric Enabled)

• Integrated into the Catalyst 6500 to address high bandwidth, rich service delivery, and leverage integrated IDS module

• Performance & Scalability:
  Gbps 3DES (IMIX traffic)
  200 tunnels/second setup rate
  8,000 VPN sessions/tunnels

• VPN Ingress through Ethernet modules

• Interoperates with IDS module

• Switch Fabric Enabled

Cisco Remote Access VPN Solution (Secure Connectivity)

• Hardware: Cisco VPN 3000 Concentrator Series

• Software: Cisco VPN 3000 Client

• HTML-Based Management

Cisco VPN 3000 Concentrator Series (Secure Connectivity)

Features            3005     3015     3030      3060       3080
Number of Users     100      100      1500      5000       10,000
Encryption          SW       SW       HW        HW         HW
WAN Capability      Yes      Yes      Yes       Yes        Yes
Performance         4 Mb/s   4 Mb/s   50 Mb/s   100 Mb/s   100 Mb/s
SEP                 0        0        1         2          4
Upgradeable         No       Yes      Yes       Yes        N/A
Supports Dual PS    No       Yes      Yes       Yes        Yes
Redundancy          No       Yes      Yes       Yes        Yes

Pervasive Protection: IDS Everywhere

• Network Sensor: 4210, 4220, 4230, 4235, 4250

• Switch Sensor: IDSM-1

• Router Sensor: 800, 1700, 2600, 3xxx, 7xxx

• Firewall Sensor: 501, 506E, 515E, 525, 535

• Host Sensor: Standard Sensor, Web Sensor

• Mgmt: Secure Command Line, Web UI Embedded Mgr, Enterprise Mgmt VMS

Cisco IDS Host Sensor

• Comprehensive protection for the server OS and server applications utilizing call interception techniques

• Sophisticated attack protection
  OS and application attacks
  Buffer Overflow attacks
  Web server application attacks
  SSL encrypted HTTP attacks

• Prevents access to server resources before any unauthorized activity occurs

• Complementary technology to Cisco IDS Network Sensors

Host + Network = Complete IDS Solution

Catalyst 6500 SSL Service Module (Fabric Enabled)

• High Performance SSL Termination on the Switch

• Superior price/performance & functionality
  3k~4k new connections per second
  50k~60k concurrent connections
  400 Mbps bulk-rate encryption

• Enables Intelligent Content Switching of Encrypted Traffic

• Centralized Key/Certificate Storage/Management

• Active-Passive Redundancy

• Multiple Blades supported per Chassis

• Switch Fabric Enabled

Cisco’s VPN and Security Management Architecture

(Diagram labels: Web-Internet Architecture; Cisco Secure ACS 2000; Cisco AVVID Ecosystem; Automatic Policy Management: CSPM; Embedded Device Managers: PIX, IOS; Device Administration: CiscoWorks2000 CiscoView, RME; Monitoring Center for Security; IDS Management Centers; VPN Monitor; Host IDS Sensor)

Cisco SAFE Ecosystem: Security & VPN Associates

(Diagram: partner categories Identity, Application Security, Security Management & Monitoring, Secure Connectivity, Perimeter Security; partner shown: Entercept)

Cisco Security Encyclopedia

• The premier on-line repository for security vulnerability information and solutions

• Provides Partner on-line access to network security expertise

• Enhances security monitoring, detection, and response solutions

CCNP - Security Specialization

Cisco Training Partners provide certification training for Cisco security and VPN products, enhancing Cisco Channel Partner ability to install, monitor and manage security solutions.

• Cisco VPNs

• Cisco Secure PIX Firewall

• Cisco Secure Intrusion Detection


For More Information Regarding Security and SAFE

• http://www.cisco.com/en/US/netsol/ns110/ns129/net_solution_home.html

• http://www.cisco.com/en/US/netsol/nettidx.html
