Mapping the Internet and intranets
Steve Branigan, Hal Burch, Bill Cheswick
Bell Labs, Lucent Tech.
Motivations
• Work on DoS anonymous packet traceback: Internet tomography.
• Highlands “day after” scenario
• Curiosity about size and growth of the Internet
• Same tools are useful for understanding any large network, including intranets
The Project
• Long-term reliable collection of Internet and Lucent connectivity information
  – without annoying too many people
• Attempt some simple visualizations of the data
  – movie of Internet growth!
• Develop tools to probe intranets
• Extended database for researchers
Uses for the Internet data
• topography studies
• long-term routing studies
• publicly available database (“open source”) for spooks
• interesting database for graph theorists
• combine with other mappers to make an actual map of the Internet
Uses for intranet data
• Map “inside” the security perimeter
• Take a census of Lucent hosts
• Discover hosts that have unauthorized access to both the intranet and the Internet
  – illegal connections
  – misconfigured firewalls
  – maybe misconfigured telecommuters
Network scanning
• Custom program
• Concurrently scans towards 500 nets at once
• Throttled to 100 packets/sec: can do much faster
• Slow daily scan for a host on the destination network
Limitations
• My view of the Internet, not yours
  – radical shifts when our ISP situation changes
• Outgoing paths only
• Takes a while to collect alternating paths
• Gentle mapping means missed endpoints
  – good v. evil
Data collection complaints
• Australian parliament was the first to complain
• List of whiners (25 nets)
• Military noticed immediately
  – Steve Northcutt
  – arrangements/warnings to DISA and CERT
Visualization goals
• make a map
  – show interesting features
  – debug our database and collection methods
  – hard to fold up
• geography doesn’t matter
• use colors to show further meaning
Early layouts
• Interesting art
• tantalizing edges
• interior shows ISPs (colored by IP address!)
• can’t trace routes
• can’t even find the probe host
When data is inconvenient, throw some away
• minimum distance spanning tree
• connectivity, not actual paths
• we get more information out of it
• add other paths to show further information
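An added illustration (not the authors' code) of the spanning-tree trick described on this slide: it collapses a constructed set of traceroute hop lists into a minimum-distance spanning tree keyed by hop count from the probe host, and separately lists the links the tree threw away so they can be drawn back in. Router and destination names are made up.

```python
PROBE = "probe"   # our test host, the root of every path and of the tree
# Constructed sample traceroute hop lists (router names are made up), not
# rows from the original Bell Labs database.  "*" is an unresponsive hop.
PATHS = [
    ["r1", "r2", "r3", "dst-a"],
    ["r1", "r4", "r3", "dst-a"],       # an alternate path to dst-a
    ["r1", "r2", "r5", "dst-b"],
    ["r1", "r4", "*", "r6", "dst-c"],  # r6 first seen at hop 4 ...
    ["r1", "r4", "r6", "dst-c"],       # ... then at hop 3: tree gets updated
]

def spanning_tree(paths, root=PROBE):
    """Minimum-distance spanning tree: each node keeps the smallest hop count
    any path reached it at, plus the preceding hop.  {node: (parent, dist)}."""
    best = {root: (None, 0)}
    for path in paths:
        prev = root
        for dist, hop in enumerate(path, 1):
            if hop == "*":            # unresponsive hop: the edge skips over it
                continue
            if hop not in best or dist < best[hop][1]:
                best[hop] = (prev, dist)
            prev = hop
    return best

def all_edges(paths, root=PROBE):
    """Every router-to-router link seen in any path."""
    edges = set()
    for path in paths:
        prev = root
        for hop in path:
            if hop != "*":
                edges.add((prev, hop))
                prev = hop
    return edges

def extra_edges(paths, root=PROBE):
    """Links the tree threw away: the 'other paths' the slide says can be
    added back to show further information."""
    tree = spanning_tree(paths, root)
    tree_edges = {(p, n) for n, (p, _) in tree.items() if p is not None}
    return all_edges(paths, root) - tree_edges

def routes_per_target(paths):
    """Distinct paths seen per destination (the last hop of each path)."""
    seen = {}
    for path in paths:
        seen.setdefault(path[-1], set()).add(tuple(path))
    return {dst: len(s) for dst, s in seen.items()}
```

The distance stored for each node is the "distance from test host" the later map-coloring slide uses.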
What kind of maps can we make?
Current map coloring
• distance from test host
• IP address
  – shows communities
• Geographical (by TLD)
• ISPs
• future
  – timing, firewalls, LSRR blocks
[Map slide] By ISP
[Map slide] By top level domain
[Map slide] Yugoslavia
[Map slide] Serbia and Bosnia
Results - Internet database
• 100,000 of the world’s most important routers
• >150 routes to one destination!
• Yugoslavia bombing of power infrastructure is apparent
• Offers for other scan points
  – how to pick them?
05 October, 1998
[Chart: Number of paths to a target; y axis 0 to 12000]
[Chart: Distribution of path lengths; x axis: Path length; y axis: Number of nets, 0 to 8000; series: Reached, Not reached]
Recipe for good intranet security
• Know what you have.
• Then secure it.
Some basic questions…
• How large is the network address space for your network?
• How many systems are actually active on the network?
• How much does the network change?
What is an intranet
• any network too large to control
• hosts residing inside a firewall perimeter
• business partner connections
• corporate hosts outside of the firewall
• DMZs
Intranet mapping work
• Apply the technology of Internet mapping to the intranet
• See how far the network reaches.
• Surprises?
Firewall bypass case #1
[Diagram; labels: Burouter, Corp. Firewall, Internet, Intranet, ISP A, ISP B]
Our host census attempt
• 266,000 hosts
• complaints from business partners!
Multi-homed hosts
• hosts having multiple network connections
• dangerous when one is connected to the intranet, and the other is connected to the Internet
Firewall bypass case #2
[Diagram; labels: Special system, Corp. Firewall, Internet, Intranet]
Hard to find today.
• Vulnerability scanners are not finding these vulnerabilities.
New products
• list of web servers
• list of mail servers
Results: New Products!
• Route rationalization (“routerat”)
  – discover network routes (user supplied?)
  – run frequently
More new products!
• Topology scan: traceroute scan information and analysis
• Host census
• Scan for perimeter violations.
  – spoofed through inside to outside
  – spoofed outside through inside
New Products
• List of web and mail servers
• Detect route squatters
• Networks susceptible to broadcast storms
• Find unauthorized firewalls and Internet connections
• Misconfigured telecommuting and branch office hosts.
New Products
• Private address space use
• Connections with business partners
• Due diligence tool for joint ventures, mergers, divestitures, etc.
Walking the perimeter
• There is a large potential market for this
• New tool to gain some control over an extensive network
• Fits with a number of companies’ product lines
• new Lucent venture
How we scan
• Via dialup, using RAS servers
• Secure tunnel, if you prefer
  – IPsec
  – PPTP
  – others?
Auditing Firewall Rules
[Diagram: the Internet, the firewall, and inside hosts a, b, c, d; rules shown: allow web to a, allow web to b, allow web to d, allow web to c (twice), allow mail to c]
Over time, systems change but firewall rules may not...
Oops! Legacy rules can create today’s security holes.
How Firewall Auditor Works
Input -> Analysis -> Output
Input: Intranet definition + Query list of services
Query: Internet -> Inside : http
Output:
Internet -> ecnes01 (ecnes01.inet.lucent.com) : http [Rule: 2 ]
Internet -> ecnes02 (ecnes02.inet.lucent.com) : http [Rule: 4 ]
bcs-test (sapient2-bh.sapient.com) -> galileo (oh0012espweb1.inet.lucent.com) : http [Rule: 7 ]
bcs-test (sapient2-bh.sapient.com) -> voyager (voyager.inet.lucent.com) : http [Rule: 9 ]
Sample firewall rules
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pix1
fixup protocol ftp 21
fixup protocol http 80
nat (inside) 0 0 0
static (inside, outside) 135.104.45.176 135.104.45.176 netmask 255.255.255.240
outbound 1 deny 0 0
apply (inside) 1 outgoing_dest
: RULE : OUT PASS http mh zero
conduit permit tcp host 135.104.45.180 eq 80 135.104.0.0 255.255.224.0
conduit permit tcp host 135.104.45.180 eq 80 135.104.32.0 255.255.248.0
What service traffic from the Internet can get through the firewall rules to which intranet addresses?
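An added example of the analysis step, not the Firewall Auditor's own code: it parses the two conduit lines from the sample rules above (plus two constructed "any"-source rules of the legacy kind the auditing slide warns about), checks them against an assumed intranet definition of 135.104.0.0/16, and answers "Internet -> Inside : http" in the output format the slide shows. Rule numbers are simply line numbers in the sample.

```python
import ipaddress

# Constructed input: the two conduit lines from the sample PIX config above plus
# two hypothetical legacy rules with an "any" (Internet) source; rule = line number.
SAMPLE_CONDUITS = """\
conduit permit tcp host 135.104.45.180 eq 80 135.104.0.0 255.255.224.0
conduit permit tcp host 135.104.45.180 eq 80 135.104.32.0 255.255.248.0
conduit permit tcp host 135.104.45.181 eq 80 any
conduit permit tcp host 135.104.45.181 eq 25 any
"""
INTRANET = [ipaddress.ip_network("135.104.0.0/16")]  # assumed intranet definition
SERVICES = {80: "http", 25: "mail"}

def _addr(tok, i):
    """Parse 'any', 'host A.B.C.D' or 'addr mask' at tok[i]; return (net, next i)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2

def parse_conduits(text):
    """Return (rule_no, dest_net, port_or_None, source_net) per permit-tcp
    conduit; PIX lists the global (inside) address first, the foreign source last."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        tok = line.split()
        if tok[:3] != ["conduit", "permit", "tcp"]:
            continue
        dest, i = _addr(tok, 3)
        port = None
        if i < len(tok) and tok[i] == "eq":
            port, i = int(tok[i + 1]), i + 2
        rules.append((n, dest, port, _addr(tok, i)[0]))
    return rules

def internet_to_inside(rules, port, intranet=INTRANET):
    """Answer 'Internet -> Inside : <service>' in the auditor's output format:
    inside hosts some address outside the intranet may reach on this port.  A
    source counts as external unless it lies wholly inside one intranet prefix."""
    svc = SERVICES.get(port, str(port))
    hits = []
    for n, dest, rport, src in rules:
        if rport not in (None, port):
            continue
        if any(dest.overlaps(net) for net in intranet) and \
           not any(src.subnet_of(net) for net in intranet):
            hits.append(f"Internet -> {dest.network_address} : {svc} [Rule: {n}]")
    return hits
```

The two original conduits are not reported because their source ranges fall entirely inside the assumed intranet; only the constructed "any" rules open a host to the Internet.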