
The Crumbling Perimeter

Modern Problems Securing Your Network

Douglas Orr

Vice President of Engineering

Proprietary and Company Confidential Information

Company Background

Based on 5 years of academic research at the University of Michigan funded by Cisco, Intel and DARPA.

Recognized as the leading supplier of Worm, DDoS and routing attack solutions in North America, Europe and Asia.

Rich development partnership with Michnet, CAEN, UMHS, MAIS

Arbor Networks provides Network Integrity Systems that protect organizations from zero-day security threats and operational vulnerabilities.

Fully funded. $33 million from investors including:

Perimeter Security

Internal Security

Perimeter vs. Internal

Perimeter:
• Well-known egress/ingress to/from the outside world
• Home of firewall/IDS
• Gateway to DMZ

Inner Network: what we think of as:
• Inner Sanctum
• What therapists call a “safe place”
• Home of:
  • Unrestricted file shares
  • Unexpected mssql servers
  • Unsanctioned p2p servers

Internal Security Issues: Crumbling Perimeter

• Wireless access points
• Contractors
• VPN connections
• Internal threats
• Worms/viruses (careful what you track in on your boots…)
• Mergers, acquisitions

A Word about Worms

Worm hosts within the first week:

• Witty, March 2004: about 12,000 hosts
• Sasser, May 2004: about 200,000 hosts
• SQL Slammer, January 2003: about 75,000 hosts
• Blaster, August 2003: about 300,000 hosts
• Nimda, September 2001: about 600,000 hosts
• Code Red, July 2001: about 500,000 hosts

Sources: Arbor, CAIDA, CERT, Symantec.

Another reason to care: liability

So, let’s not forget the regulators…

Security-related Regulations

• Sarbanes-Oxley

• Gramm-Leach-Bliley

• Health Insurance Portability and Accountability Act

• And, this is probably just the beginning…

Regulatory Environment: SOX

• Focused on financials, auditors
• Management responsible for confidentiality and integrity of financial info
• Security focus: authorization, accessibility, auditing
• Tools: 2-factor passwords; logging/audit trails

Regulatory Environment: GLBA

• Gramm-Leach-Bliley: privacy of financial information
• For: financial institutions, banks, …
• Not allowed to disclose without written consent
• Establishes a standard for safeguarding customer info
• Requires a written security policy
• Apple pie: training, design the network with security in mind, detect/prevent attacks

Regulatory Environment: HIPAA

• HIPAA: Health Insurance Portability and Accountability Act
• Privacy/security of medical information
• Primarily insurance-related
• Providers, plans, data warehouses

Regulatory Environment: HIPAA…

• Generally: identity kept separate from medical records
• Requires risk assessment and security measures to mitigate the risks identified
• All focused on Protected Health Information (PHI or ePHI)
• All related to Confidentiality, Integrity and Availability (CIA)

Regulatory Environment: HIPAA…

Required and Addressable items… Examples:

• Unique user authentication
• Auto logout
• Encryption
• Audit
• Integrity checking
• Strong auth
• Transmission security
• Malicious code
• Identify and protect against incidents…

The Challenge

Securing the inside of your network is just as important as securing the perimeter.

It is also a lot harder…

TOOLS

The (Partial) Palette

Perimeter: Firewall, DMZ

Internal: Anomaly Detection, IPS, Application-level Authentication, Patch Management, AV, Host IDS, Network Segmentation

Both: Network IDS, Vulnerability Assessment, Security Information Management

Briefly: the perimeter

• Firewall: provides enforcement for the policy of what gets in and what gets out
• DMZ: reduces risk for resources that are shared between “inside” and “outside”
• Network IDS: alerts to known bad behaviors

Perimeter Issues

• Need a good policy, including “default deny”
• Port 80 and encryption reduce granularity and visibility
• Applications are more valuable if universally accessible
• Nobody likes limitations…

Internal Security

The Internal Security Environment

Perimeter Security vs. Internal Security

Network Environment
• Perimeter: 10’s of systems to protect; 10’s of Mbps of traffic to inspect and mediate
• Internal: 1,000’s of systems to protect; 100’s of Mbps of traffic to inspect and mediate

Application Environment
• Perimeter: 10’s of applications; <10 protocols; standard/well-defined apps; stricter adherence to protocols; client-server apps
• Internal: 1,000’s of applications; >100 protocols (+weaker); homegrown apps; loose adherence to protocols; peer-to-peer apps

Management Environment
• Perimeter: 10’s of user groups to distinguish in terms of policy; block that which is unknown; typically centrally coordinated
• Internal: 100’s of user roles/groups to distinguish; observe that which is unknown (don’t disrupt); typically locally coordinated

The Analysts

“Securing Internal Networks: The Final Frontier”

“The proliferation of alternate paths into the organization, application layer attacks and devastating worms, are all hammering home the conclusion that perimeter defenses must be complemented by a full range of internal security measures. Addressing this need will inevitably require implementing a combination of different types of security controls, though we expect products that are better tuned to the unique challenges of internal security will begin to emerge in 2004.”

“Internal Security is a Critical Business Problem”

“Safe Quarantine”

“Worms: A Service Level Threat”

IDS

IDS

• Generally signature-based, watching for network or host misuse
• Host-based IDS is a new variant
• Issues: chatty, false positives; fragile; monotonically increasing signature db
• Examples: Okena (host), snort, realsecure, etc.

IPS

Intrusion Prevention Systems

• Aim to make IDS-style signature information actionable
• Stop intrusions, misuse, abuse, rather than just reporting on them
• Issues: bump-in-the-line; share signature weaknesses with IDS; more serious consequences for false positives

Intrusion Prevention Systems

• Latest thing
• Some products are recycled DoS prevention, IDS, web firewall tech, etc.
• Claims range from viruses and intrusion signatures to SPAM and IIS attacks
• Very cool if it works…
• Examples: ISS Proventia, Symantec ManHunt, TopLayer, Entercept, Sanctum

Network Segmentation

Network Segmentation

• Internal firewalls or switch ACLs
• Only permit explicitly sanctioned traffic between “zones”
• Limits exposure to hacking or internal threat
• Issues: big time; requires detailed application knowledge; requires hardware; requires policy

Anomaly Detection

Anomaly Detection

• Model “what is normal”
• Alert or act on “abnormal” events
• Host/Network
• An update of, and largely complementary to, IDS
• Optional enforcement tie-ins
• Relational/Statistical AD

Relational Modeling: Enterprise Network

(Diagram: Site 1, Site 2, Data Center and Extranet, with hosts grouped into behavior classes A through I.)

Auto-learns host behaviors: who talks to who; who talks to who, and how; across your entire network.

Anomaly Detection

Issues:
• Hard
• Scaling (detail, speed)
• Some network traffic patterns are difficult to interpret
• “What is normal” changes periodically and over time
• If there is enforcement, has a false-positive penalty, like IPS

Anomaly Detection

Examples: Peakflow/X, Mazu, Lancope, Q1

Case Study -- HIPAA

• Watch critical servers for anomalies
• https the only permitted protocol: ensures encryption
• https only to known destinations: transportational integrity
• https only in known bandwidth patterns: also transportational integrity
• Alert on violation; provide an audit trail for investigation/prosecution
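
The HIPAA policy above, and the relational “who talks to who, and how” model from the Anomaly Detection slides, as an added Python example that is not from the deck or from any Arbor product: a learning period establishes which peers a critical server talks to over HTTPS and the peak volume per peer, then new flows are audited for non-HTTPS traffic, unknown destinations and volume outside the learned pattern, one audit-trail line per violation. The server address, the flow tuples and the 2x slack factor are constructed assumptions.

```python
# Added example, not from the deck: HIPAA case-study check over constructed flow
# records shaped as (src, dst, dst_port, bytes). The server address is hypothetical.
from collections import defaultdict

CRITICAL_SERVER = "10.0.5.20"   # hypothetical EHR server under HIPAA scope
BASELINE_FLOWS = [              # constructed learning period: HTTPS only, two known peers
    ("10.0.5.20", "10.0.9.10", 443, 1_200_000),
    ("10.0.5.20", "10.0.9.10", 443, 2_500_000),
    ("10.0.5.20", "10.0.9.11", 443, 900_000),
    ("10.0.5.20", "10.0.9.11", 443, 3_000_000),
]
NEW_FLOWS = [                    # constructed traffic to audit: one clean, three violations
    ("10.0.5.20", "10.0.9.10", 443, 2_000_000),    # within baseline
    ("10.0.5.20", "10.0.9.10", 80, 50_000),         # cleartext: encryption not ensured
    ("10.0.5.20", "203.0.113.7", 443, 100_000),     # never-seen destination
    ("10.0.5.20", "10.0.9.11", 443, 40_000_000),    # far above learned volume
]

def learn_baseline(flows, server):
    """Who the server talks to over HTTPS, and the peak bytes seen per peer."""
    peak = defaultdict(int)
    for src, dst, port, nbytes in flows:
        if src == server and port == 443:
            peak[dst] = max(peak[dst], nbytes)
    return dict(peak)

def check_flow(flow, server, baseline, slack=2.0):
    """Return the policy violations for one server-originated flow ([] if clean)."""
    src, dst, port, nbytes = flow
    if src != server:
        return []                      # only the watched server is in scope here
    violations = []
    if port != 443:
        violations.append(f"non-HTTPS protocol to {dst}:{port}")
    if dst not in baseline:
        violations.append(f"unknown destination {dst}")
    elif nbytes > slack * baseline[dst]:
        violations.append(f"{nbytes} bytes exceeds {slack}x learned peak to {dst}")
    return violations

def audit(flows, server, baseline):
    """One audit-trail line per violation, in flow order, for later investigation."""
    trail = []
    for flow in flows:
        for why in check_flow(flow, server, baseline):
            trail.append(f"ALERT src={flow[0]} dst={flow[1]} port={flow[2]} "
                         f"bytes={flow[3]} reason={why}")
    return trail

if __name__ == "__main__":
    baseline = learn_baseline(BASELINE_FLOWS, CRITICAL_SERVER)
    print("\n".join(audit(NEW_FLOWS, CRITICAL_SERVER, baseline)))
```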

Case Study -- Network Segmentation

• Observe all behaviors (analyze, experience shock, repeat…)
• Group by known topologies
• Generate ACLs to correspond to known, sanctioned applications
• Default deny
• Apply to segmentation routers
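
The segmentation procedure above, as an added Python example that is not from the deck: observed flows are grouped by source zone, destination zone and service; groups that match the sanctioned application list become permit rules, observed but unsanctioned groups are left as review comments (the “experience shock” step), and the ACL closes with default deny. The zone prefixes, flows, sanctioned list and rule syntax are constructed assumptions, not any vendor’s format.

```python
# Added example, not from the deck. Zones, flows, the sanctioned-application list
# and the rule syntax are constructed; the syntax is generic, not a vendor's.
import ipaddress

ZONES = {   # hypothetical topology, one prefix per segmentation zone
    "site1": ipaddress.ip_network("10.1.0.0/16"),
    "datacenter": ipaddress.ip_network("10.0.0.0/16"),
    "extranet": ipaddress.ip_network("172.16.0.0/12"),
}
SANCTIONED = {("tcp", 443), ("tcp", 389)}   # known, sanctioned apps: HTTPS, LDAP
OBSERVED = [   # constructed flows as (src, dst, proto, dst_port)
    ("10.1.4.7", "10.0.5.20", "tcp", 443),
    ("10.1.4.8", "10.0.5.20", "tcp", 443),
    ("10.1.4.7", "10.0.5.30", "tcp", 389),
    ("10.0.5.20", "172.16.8.9", "tcp", 443),
    ("10.1.4.9", "10.0.7.77", "tcp", 1433),   # the "unexpected mssql server"
    ("10.1.4.9", "10.0.7.78", "tcp", 445),    # the "unrestricted file share"
]

def zone_of(addr):
    """Map an address to its zone name; anything outside the topology is 'unknown'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"

def observe(flows):
    """Group flows by (src_zone, dst_zone, proto, dst_port) with a hit count each."""
    groups = {}
    for src, dst, proto, port in flows:
        key = (zone_of(src), zone_of(dst), proto, port)
        groups[key] = groups.get(key, 0) + 1
    return groups

def generate_acl(groups, sanctioned):
    """Permit only observed, sanctioned zone-to-zone services; end with default deny.
    Observed but unsanctioned groups are emitted as review comments, not permits."""
    rules = []
    for (sz, dz, proto, port), count in sorted(groups.items()):
        if (proto, port) in sanctioned and "unknown" not in (sz, dz):
            rules.append(f"permit {proto} {ZONES[sz]} {ZONES[dz]} eq {port}  # seen {count}x")
        else:
            rules.append(f"# review: {sz}->{dz} {proto}/{port} seen {count}x, not sanctioned")
    rules.append("deny ip any any")
    return rules

if __name__ == "__main__":
    print("\n".join(generate_acl(observe(OBSERVED), SANCTIONED)))
```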

PKI, Strong Authentication

PKI, Strong Authentication

• Decreases risk of false authentication
• Can be application-level authentication
• Decreases risk of damage after a break-in
• Decreases risk of internal threats
• Issues: PITA… ideally requires application awareness

SIM

Security Integration Manager

• Combines and correlates security events
• Helps rationalize multiple security outputs (e.g., IDS + FW logs + scanners…)
• Correlations can be more reliable than individual signals
• Issues: big time
• Examples: Netforensics, Intellitactics, etc.

AntiVirus

AntiVirus

Well understood and important… what can I say?

Issues:
• Polymorphic viruses may kick our ass
• The more popular the system, the bigger the problem
• Why *did* you click on that attachment?
• Wasn’t your spouse *listening* to you???

Misc.

Internal Security Miscellanea

• All good security practices also apply
• Policy, policy, policy
• Default deny
• Audit trails
• Backup, catastrophe plans
• Vulnerability assessment
• Patch management

General Notes

General

• Treat internal hosts as though they were exposed to the internet
• Internal security requires significant insight into network operations
• Network operations and security are Gemini twins of system operations