Countering the Insider Threat with Autonomic Distributed Firewall (ADF) Technology

Black Hat Briefings, Las Vegas, NV, 11 July 2001

George Jelatis & David Papas
David_Papas@securecomputing.com
Jelatis@securecomputing.com
www.securecomputing.com

© 2000-2001, Secure Computing Corp. All rights reserved.

Outline

• Firewall trends and issues
• Approach & architecture
• Security policy management
• Implementation
• Applications
• Demonstration scenarios

Perimeter Firewall Issues

• Perimeter firewalls have limited visibility
  – They cannot see activity behind the firewall, so they do little to counter insider threats
  – The line between insiders and outsiders is blurring
  – IPv6/IPSEC significantly limits perimeter-based filtering and intrusion detection: an encrypted payload cannot be inspected at the gateway
  – Wireless/mobile computing frustrates policy
• Perimeter firewalls are expensive (but necessary)

Host Based Firewalls

• Operating systems are vulnerable
  – Back Orifice, Melissa, <attack of the week>
  – Windows 2000 has 25M+ LOC and maybe one or two security bugs
• Firewalls implemented on vulnerable operating systems may suffer from circular logic: the firewall relies on the integrity of the very OS it is supposed to protect
• Many host based firewalls assume the user is trusted. Even good users do bad things when they unwittingly run hostile code.

ADF Approach

• Push the firewall closer to, but not on to, the host
  – The host cannot be trusted because the operating system may be subverted
• Create a "firewall-on-a-Network Interface Card (NIC)" that is independent from the host
• Use a master-slave architecture to provide scalability and centralized security policy management

Insider Threat?

ADF Concept

Distribute network layer security onto smart hardware directly in front of critical hosts

• Complements existing perimeter firewalls
  – Protects against insider threat
• Stronger than existing host/application security
  – Mechanisms cannot be subverted by malicious users or code running on a weak operating system
• An affordable security solution
  – Low cost of hardware and software
  – Incremental deployment to address specific threats
• A survivable security solution
  – Transparent to hosts and applications
  – Redundant management system
  – Fail-safe hardware components

Technical Objective

• Provide robust, intrusion tolerant networks via a firewall per host
  – Provide defense in depth
  – Provide protection from insiders
  – Tie distributed firewall to autonomic response mechanisms

ADF Background

• New approach to network security
• Addresses needs of complex, partner networks

[Diagram: ADF technology development, funded by DARPA. A COTS NIC (IPSec 3DES encryption, ARM 9 processor) plus SCC software (modified NIC firmware, centralized policy management) yields the Embedded Firewall.]

Major Components

[Diagram]
• Protected host: NIC (driver, runtime image), ADF Agent, host OS
• ADF Controller: controller daemon, controller front end and GUI, policy database, audit daemon and audit database, MIB

NIC Implementation

• Isolation from the host operating system
  – Separate processor
  – Isolated memory
• IPSEC crypto hardware on the NIC provides high performance VPNs
  – Windows 2000 based: Dec 2000
  – ADF Controller (ADFC) managed: late 2001
• NIC based policy supports servers, desktops, telecommuters, and laptops

NIC Packet Filtering

• No sniffing
  – Enforced on the card rather than by the host OS, so a compromised host cannot sniff passwords and other information off the LAN
• No spoofing
  – The NIC drops outbound packets that do not carry the host's own address, so the host cannot be used as a zombie in a distributed denial of service attack with spoofed source addresses
• Additional rules based on
  – IP addresses
  – Direction
  – Port ranges
  – Initiate vs. accept connections
• Possible NIC actions
  – Allow/deny: passes or drops the packet
  – Audit/no audit: sends an audit record to the ADF Controller

NIC Filter Engine

• 64 packet filtering rules supported
• TCP SYN detection
  – Allows the NIC to distinguish between accepting and initiating connections, e.g., allow outbound Telnet but block inbound
• Actions in response to matching a packet filter engine rule:
  – Allow/deny: passes or drops the packet
  – Audit/no audit: sends an audit record to the ADFC
  – Test: flag packets that matched the packet filter rule but do not enforce the policy; test new policies first
• No support for filtering inside tunnels (e.g., IPSEC): the rules see only the outer headers of tunnelled traffic

Embedded Firewall Controller

• Provides the policy and audit GUI
  – Filter mode: enforces the packet filter rules
  – Test mode: does not enforce the policy but flags packets that matched the packet filter rule
• Uses a SQL database for storing policy and audit data
• Runs on Windows 2000 and NT
• Linux port underway
• Up to 3-way replication for fault tolerance

Security Policy

Desired policy

Clients (by department)          Servers and their services
Human resources: Laura, Mary     HR web server: FTP, HTTP
Engineering: Chris, Nancy        Engineering file server: NFS, FTP
Sales: Paul, Sam                 Sales database: SQL

Topologies are Complicated

[Network diagram of the test bed: a BBN Planet router (Cisco 7505) at the Internet edge; Sidewinder firewalls (gnat and tsetse on Solaris 2.6, milkyway, g1 on Solaris 2.6, g2 on BSD); Cisco 3640 routers (wormhole, vortex) and a Cisco 2514 (ialab1); internal, SSD, CC2-e1, DLA, DMZ and lab LANs (5.12.160.0/26, 5.12.160.64/26, 5.12.129.128/27, 5.12.161.192/27, 5.12.121.224/27, 5.12.161.160/27, 5.12.160.224/28, 5.12.162.0/26, 10.2.0.0/24, 10.10.10.0/24); hosts on NT 4/Windows 2000, Red Hat 5.2/6.2 and Solaris 2.6/7 (york, almondjoy, twix, kitkat, mrpipp, crush, cucumber, tomato, beetle, carrot, surge, canadadry, icb, coke, potato, jolt, sprite, skor, citra, sunkist, duracell) serving as web servers, web clients, SQL server, file server, data source, analyst and CCS GUI workstations; an AFRL/LL traffic generator; laptops and a remote site.]

Potential Targets without ADF

[Chart: remote ports (Message Send Protocol, Chargen, FTP, SSH remote login, Telnet, SMTP, host name server, whois, login host protocol, domain name server, SQL, bootstrap, TFTP, finger, HTTP, Sun RPC, NetBIOS, SNMP, Internet relay chat, HTTP management, ...) plotted against host addresses 0-255: without ADF every host/port pair on the subnet is a potential target.]

Potential Targets with ADF

[Same chart with ADF policy applied: only the host/port pairs the per-NIC policy allows remain.]

Network Edge Security

[Diagram: a core network providing routing and bandwidth, with security enforced at the edge on each host: Analyst Workstation 5.12.161.192, Data Source 5.12.161.197, Web Server 5.12.161.171, Remote Site 5.12.163.142, Intel Resources web server 5.12.111.23, Intranet web server and SQL server 5.19.42.93.]

Implementation

ADF Policy Controller
• Built by SCC under DARPA effort
• Converts high level policy into low level packet filtering rules for the NICs
• Encrypted communication with NICs
• Host cannot disable policy on its NIC
• Controller has audit database and browser

[Diagram: the controller on the LAN behind the firewall, managing the NICs in a workstation, a server and a remote user's machine across the Internet.]

Protects Against Insider Threats

Web Server NIC
• only accepts http from user systems
• only initiates SQL to DB server
• accepts SSH/telnet only from admin

Mail Server NIC
• only accepts POP from user systems
• only accepts/initiates SMTP with other mail servers
• accepts SSH/telnet only from admin

Admin NIC
• initiates SSH/telnet to all servers
• initiates POP, SQL, and http only to servers
• accepts nothing from anywhere else

[Diagram: user workstation, web server, mail server, database server and admin workstation, each behind its own NIC.]
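The filter engine from the NIC Packet Filtering and NIC Filter Engine slides and the per-NIC rule sets on this slide, modelled together as an added example; it is constructed for this page and is not Secure Computing's ADF code. Each rule carries a direction, a remote address, a service port and a role that uses TCP SYN detection to tell accepting from initiating connections, plus the allow/deny, audit and test actions the slides list; compile_policy stands in for the controller step that turns the high-level statements into those rules, and the NIC itself enforces the anti-spoofing check and the 64-rule limit. The addresses, the port 1433 for "SQL" and all names are assumptions.

```python
"""Model of the ADF filter NIC and of the controller step that compiles a
high-level policy into per-NIC filter rules. Constructed for this page, not
Secure Computing's ADF code; the addresses and the SQL port are assumptions."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

MAX_RULES = 64  # per-NIC limit quoted on the "NIC Filter Engine" slide
SERVICES = {"http": 80, "ssh": 22, "telnet": 23, "pop": 110, "smtp": 25,
            "sql": 1433}  # 1433 is assumed; the slides only say "SQL"

# direction: "in" (from the wire) or "out" (sent by the host); remote: address,
# CIDR or "any"; port: service port (local for accept, remote for initiate) or
# None; role: "accept" / "initiate" (TCP SYN only) / "established"; action:
# "allow"/"deny"; audit: report the match to the ADF Controller; test: flag only.
Rule = namedtuple("Rule", "direction remote port role action audit test",
                  defaults=(False, False))
Packet = namedtuple("Packet", "direction src dst sport dport syn ack",
                    defaults=(False, False))  # TCP only, enough for the slides

class FilterNic:
    """Filter engine on the card: first enforced match wins, default deny."""

    def __init__(self, own_ip, rules):
        if len(rules) > MAX_RULES:
            raise ValueError(f"NIC holds at most {MAX_RULES} rules, got {len(rules)}")
        self.own_ip, self.rules, self.audit_log = ip_address(own_ip), list(rules), []

    @staticmethod
    def _matches(r, p, remote, lport, rport):
        if r.direction != p.direction:
            return False
        if r.remote != "any" and remote not in ip_network(r.remote):
            return False
        initiating = p.syn and not p.ack            # TCP SYN detection
        if r.role == "accept":
            return p.direction == "in" and initiating and r.port in (None, lport)
        if r.role == "initiate":
            return p.direction == "out" and initiating and r.port in (None, rport)
        return not initiating                        # "established": replies, data

    def filter(self, p):
        out = p.direction == "out"
        src, dst = ip_address(p.src), ip_address(p.dst)
        # Anti-spoofing: the host may only send as itself, and nothing arriving
        # from the wire may claim the host's own address.
        if (out and src != self.own_ip) or (not out and src == self.own_ip):
            self.audit_log.append(("spoof", None, p))
            return "deny"
        remote = dst if out else src
        lport, rport = (p.sport, p.dport) if out else (p.dport, p.sport)
        for r in self.rules:
            if not self._matches(r, p, remote, lport, rport):
                continue
            if r.audit or r.test:
                self.audit_log.append(("test" if r.test else r.action, r, p))
            if not r.test:                          # test rules never enforce
                return r.action
        return "deny"

def compile_policy(statements):
    """Controller step: ("accept"|"initiate", service, remote) statements become
    an ordered rule list; replies are allowed and every refused SYN is audited."""
    rules = [Rule(d, "any", None, "established", "allow") for d in ("in", "out")]
    for verb, service, remote in statements:
        rules.append(Rule("in" if verb == "accept" else "out", remote,
                          SERVICES[service], verb, "allow"))
    rules.append(Rule("in", "any", None, "accept", "deny", audit=True))
    rules.append(Rule("out", "any", None, "initiate", "deny", audit=True))
    return rules

# Assumed addresses for the roles on the "Protects Against Insider Threats" slide.
USERS, ADMIN, SERVERS = "10.1.0.0/16", "10.2.0.10", "10.3.0.0/24"
WEB, MAIL, DB, MAIL_PEERS = "10.3.0.80", "10.3.0.25", "10.3.0.33", "10.4.0.0/24"

def build_nics():
    web = compile_policy([("accept", "http", USERS), ("initiate", "sql", DB),
                          ("accept", "ssh", ADMIN), ("accept", "telnet", ADMIN)])
    mail = compile_policy([("accept", "pop", USERS), ("accept", "smtp", MAIL_PEERS),
                           ("initiate", "smtp", MAIL_PEERS),
                           ("accept", "ssh", ADMIN), ("accept", "telnet", ADMIN)])
    admin = compile_policy([("initiate", s, SERVERS)
                            for s in ("ssh", "telnet", "pop", "sql", "http")])
    return {"web": FilterNic(WEB, web), "mail": FilterNic(MAIL, mail),
            "admin": FilterNic(ADMIN, admin)}

def syn(direction, src, dst, dport, sport=40000):
    return Packet(direction, src, dst, sport, dport, syn=True)

def decisions():
    """Connection attempts as seen by the web server's NIC."""
    web = build_nics()["web"]
    # Test mode: this rule would refuse user HTTP, but it is only flagged.
    web.rules.insert(0, Rule("in", USERS, 80, "accept", "deny", test=True))
    result = {
        "user->web:80": web.filter(syn("in", "10.1.5.5", WEB, 80)),       # allow
        "user->web:22": web.filter(syn("in", "10.1.5.5", WEB, 22)),       # deny
        "admin->web:22": web.filter(syn("in", ADMIN, WEB, 22)),           # allow
        "web->db:1433": web.filter(syn("out", WEB, DB, 1433)),            # allow
        "db reply": web.filter(Packet("in", DB, WEB, 1433, 40000, True, True)),
        "web->user:445": web.filter(syn("out", WEB, "10.1.5.5", 445)),    # deny
        "web spoofs user": web.filter(syn("out", "10.1.5.5", DB, 1433)),  # deny
    }
    result["audit"] = [kind for kind, _, _ in web.audit_log]
    return result
```

With the web server's rule set, a user workstation reaches HTTP but not SSH, the admin reaches SSH, the server may open SQL to the database and receive the reply, but it cannot open a connection back to a user workstation (the insider case: a compromised server trying to pivot) or send with a spoofed source; the test-mode rule shows up in the audit log without refusing the HTTP connection. Because only SYN packets are matched against accept/initiate rules and everything else is treated as established, a rule set stays well inside the 64-rule limit even for the mail and admin NICs.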

ADF Connects the Warfighter

[Diagram: a warfighter's PC (OS and applications without security patches) behind an ADF NIC, connected through a cable/DSL modem and a Triple DES IPSec VPN tunnel to the enterprise network's firewall/VPN gateway, mail server and database server; an attacker's PC sits on the same Internet path.]

Protects Data Sharing among Partners

[Diagram: a US LAN and a partner LAN, each with its own controller and firewall and each hosting an application server behind an ADF NIC; the two servers form a virtual shared server over an IPSec VPN across the Internet. Connections on each side are locally initiated.]

• Only allow servers to initiate IPSec connections between each other
• Do not allow shared servers to initiate inbound connections

Because the NIC cannot filter inside an IPSec tunnel, the controlling rules are which hosts may bring the tunnel up and that the shared server may never open connections into its own LAN.

Simple Shared Server

[Diagram: a Windows NT 4/2000 box running IIS, an FTP server and IPSEC software, behind a firewall NIC, reached by a partner from the Internet through a cable modem, DSL modem or router; US user workstations on the US LAN also sit behind firewall NICs, all managed by the Distributed Firewall Controller.]

Demo Scenarios

1. Management of INFOCON shift
2. Controlled sharing using protected servers

INFOCON Alpha

• Protocols and/or addresses can be restricted on a per host basis as INFOCON changes
  – Block all port x traffic to a user's machine
  – Block a service from a specific subnet

[Diagram: experimental LAN 4.22.160.64/26 with york (NT 4.0, .121), almondjoy (Win2K, .122), pringle (NT 4.0, .76) and snicker (Win2K, .100) connected to the Internet, all at INFOCON Alpha.]

INFOCON Bravo

[Diagram: the same experimental LAN 4.22.160.64/26 (york, almondjoy, pringle, snicker) with hosts at INFOCON Bravo and INFOCON Alpha side by side.]

• Each host can be at a different INFOCON level
• Changing INFOCON is easy
  – No rebooting required
  – No user action required

Controlled Sharing

• Controlled sharing provides a shared application server while protecting each LAN from the other coalition partner

[Diagram: coalition LAN and US LAN, each with an ADFC managing the NIC in front of its application server; the two servers, joined by an IPSEC VPN across the Internet through each side's router, act as a virtual shared server. Connections are locally initiated.]

Distributed Defense in Depth

• Uses the master/slave architecture
• Provides centrally managed
  – VPN management and PKI
  – Packet filtering policies
  – Audit
• Provides protection for
  – Always online connections
  – Field offices
  – Remote locations

[Diagram: a node manager behind a gateway firewall managing the NICs of a local server, a mobile field agent and a foreign field office across the Internet.]

Conclusion

• ADF provides affordable, survivable Defense in Depth
• Complements existing paradigms
  – Firewall keeps unauthorized outsiders out
  – Embedded Firewall controls where insiders go
  – Host and apps provide fine grained access control
• OS and application transparent
• Redundant, distributed management with fail-safe enforcement components
• Product availability
  – NICs are currently available COTS product
  – Centralized controller and modified firmware complete
  – Betas in March 2001, product release in 3Q01

Demo Screen Shots

[Screenshots: Controller GUI, Policy View, Expanded Policy View, Rule Set Manager, Server View, Node Manager NIC Screen.]

Q & A

George Jelatis & David Papas
www.securecomputing.com