uw network security 2003 Terry Gray University of Washington Computing & Communications 17 October 2003


Page 1: Uw network security 2003 Terry Gray University of Washington Computing & Communications 17 October 2003

uw network security 2003

Terry Gray

University of Washington

Computing & Communications

17 October 2003

Page 2:

UW campus network (backbone)

border router

border router

backbone switches

~ 30 level one routers

subnets (733 total; 150 c&c); over 60,000 live devices

Page 3:

UW campus network (typical subnet)

Level One Router

Aggregation Switch

Edge Switch / Edge Switch / Edge Switch

campus subnets are a mixture of
• shared 10Mbps
• switched 10Mbps
• switched 10/100Mbps

Page 4:

network facilities

Page 5:

typical core routers

Page 6:

campus network traffic

Page 7:

Pacific Northwest Gigapop

The PNW’s access point to next generation Internets, including Internet2, high performance USA Federal Networks, and high speed commodity Internet

A high speed peering point for regional and international networks

R&D testbed inviting national and international experimentation with advanced Internet-based applications

Page 8:

Page 9:

Pacific Northwest Gigapop

uw border

uw border

3 diverse network providers
Internet2
national & internat’nl nets

• Internet2 2.5Gbps (10Gbps upgrade underway)
• Three different 1Gbps connections to the Internet
• Multiple gigabits of connections to other networks

30+ network customers

Page 10:

K20 Network Sites

K-12 (307)

Community/Technical College (73)

Public Baccalaureate (50)

Library (65 in process)

Independent Colleges (9 approved)

Page 11:

seven security axioms

• Network security is maximized when we assume there is no such thing.
• Large security perimeters mean large vulnerability zones.
• Firewalls are such a good idea, every computer should have one. Seriously.
• Remote access is fraught with peril, just like local access.
• One person's security perimeter is another's broken network.
• Isolation strategies are limited by how many PCs you want on your desk.
• Network security is about psychology as much as technology.

Bonus: never forget that computer ownership is not for the faint-hearted.

Page 12:

credo

• focus first on the edge (perimeter protection paradox)
• add defense in depth as needed
• keep it manageable
• provide for local policy choice... avoid one-size-fits-all

Page 13:

gray’s defense-in-depth conjecture

MTTE (exploit) = k * N**2
MTTI (innovation) = k * N**2
MTTR (repair) = k * N**2

where N = number of layers

Page 14:

C&C security activities

• logical firewalls
• project 172
• network infrastructure protection
• reverse IDS (local infection detection)
• auto-block; self-reenable
• traffic monitoring tools
• who/where traceability tools
• nebula
• proactive probing
• honeypots
• security operations
• training; consulting

Page 15:

security in the post-Internet era: the needs of the many

the needs of the few

Terry Gray

University of Washington

Fall Internet2 Meeting

16 October 2003

Page 16:

2003: security “annus horribilis”

• Slammer
• Blaster
• Sobig.F

• increasing spyware threat
• attackers discover encryption
• hints of more “advanced” attacks

and let’s not even talk about spam…

Page 17:

2003: security-related trends

• RIAA subpoenas
• growing wireless use
• VoIP over 802.11 pilots
• more mobile devices
• more critical application roll-outs
• faster networks
• “personal lambda” networks
• SEC filings on security?
• class action lawsuits?

Page 18:

impact

end of an era… say farewell to
• the open Internet
• autonomous unmanaged PCs
• full digital convergence?

say hello to
• one-size-fits-all (OSFA) solutions
• conflict... everyone wants security and
  max availability, speed, autonomy, flexibility
  min hassle, cost

the needs of the many trump the needs of the few (but at what cost?)

Page 19:

consequences

• more closed nets (bug or feature?)
• more VPNs (bug or feature?)
• more tunneling - “firewall friendly” apps
• more encryption (thanks to RIAA)
• more collateral harm - attack + remedy
• worse MTTR (complexity, broken tools)
• constrained innovation
• cost shifted from “guilty” to “innocent”
• pressure to fix problem at border
• pressure for private nets

Page 20:

revelations

system administrators (2 kinds…)
• want total local autonomy… or
• want someone else to solve the problem
• often unaware of cost impact on others

users (2 kinds: happy & unhappy)
• want “unlisted numbers”
• need “openness” defined by apps

feedback loop:
• closed nets encourage constrained apps
• constrained apps encourage closed nets

Page 21:

perimeter defense tradeoffs

border
• biggest vulnerability zone
• biggest policy vs. performance concern

subnet
• doesn’t match org boundaries
• worst case for NetOps debugging
• consider also: sub-subnet LFWs, etc.

host
• optimal security perimeter
• hardest to implement

Page 22:

never say die

• goal: simple core, local policy choice
• how to avoid OSFA closed net future?
• design net for choice of open or closed
• pervasive IPsec
• combine with “point response”
• won’t reverse trend to closed nets, but may avoid bad cost shifts
• alternative: only closed nets, policy wars

Page 23:

questions? comments?

Page 24:

outline

• thesis
• metamorphosis
• grief counseling
• what we lost
• how we lost it
• consequences
• critical questions

Page 25:

thesis

the Open Internet is history--“get over it”

cheer up, things could be worse--and will be if we aren’t careful

we can still make good decisions--to avoid even worse outcomes

S@LS goal: evaluate alternative futures

Page 26:

metamorphosis: Internet paradigm

1969: “one network”
1982: “network of networks”
199x: balkanization begins
2003: balkanization complete
2004: paradigm lost?

Page 27:

metamorphosis: workshop goal

2000: “network security credo”
2001: “my first NAT”
2002: “uncle ken calls” > quest
2003: “slammer” > intervention
2003: “dcom/rpc” > wake

Page 28:

metamorphosis: success metrics

nirvana then
• open Internet / network utility model
• successful end-point security

nirvana now?
• operational simplicity
• admin-controlled security
• user-controlled connectivity

Page 29:

grief counseling

• denial
• anger
• bargaining
• depression
• acceptance

--simultaneously!

Page 30:

what we lost: network utility model

the network utility model is dead--long live the NUM

all ports once behaved the same: simple, easy to debug

now they don’t:
• bandwidth management policies
• security policies

Page 31:

what we lost: operational integrity

lost: network simplicity, leading to
• lower MTBF
• higher MTTR
• higher costs

lost: full connectivity, leading to
• less innovation?
• frustration, inconvenience
• sometimes less security (faith, backdoors)

Page 32:

how we lost it: inevitable trainwreck?

fundamental contradiction
• networking is about connectivity
• security is about isolation

conflicting roles: strained bedfellows
• the networking guy
• the security guy
• the sys admin
• oh yeah… and the user

insecurity = liability
• liability trumps innovation
• liability trumps operator concerns
• liability trumps user concerns

Page 33:

how we lost it: firewall allure?

• firewalls = “packet disrupting devices”
• perimeter protection paradoxes
• large-perimeter FWs benefit: SysAd, SecOps, maybe user at expense of NetOps
• the best is the enemy of the good
• microsoft rpc exploit has guaranteed that the firewall industry has a bright future

Page 34:

how we lost it: disconnects

failure of “computer security”
• vendors gave customers what they wanted, not what they needed
• responsibility/authority disconnects guarantee failure

failure of networkers to understand what others wanted
• not a completely open Internet!
• importance of “unlisted numbers”

Page 35:

consequences (1)

mindset: “computer security” failed, so “network security” must be the answer

extreme pressure to make network topology match organization boundaries

“network of networks” evolution
• 1982: minimum impedance between nets
• 2003: maximum impedance between nets

Heisen/stein networking: uncertain and relativistic connectivity

Page 36:

consequences (2)

• more self-imposed denial-of-service
• firewalls everywhere
• uphill battle for p2p
• more tunneled traffic over fewer ports
• one FTE per border --with or without firewall
• troubleshooting will be harder
• NAT survives unless/until a better “unlisted number” mechanism takes hold
• security/liability will continue to trump innovation/philosophy/ops costs

Page 37:

critical questions

should we build net topologies that match organizational boundaries?

will end-point security improve enough that perimeter defense will be secondary?

is it too late to try to offer users a choice of open or closed nets?

is the trend toward a single-port tunneled Internet good, bad, or indifferent?

is there any chance IPS or DEN will make it all better?

what’s the best way to implement an “unlisted number” semantic?

Page 38:

discussion!

how do we redefine the Internet, going forward?

i.e. how do we “reconnect”?