University of Washington, Computing & Communications
Open Network Security or “closed network” insecurity?
Terry Gray, Director, Networks & Distributed Computing


Open Network Security or “closed network” insecurity?
Terry Gray, Director, Networks & Distributed Computing
14 March 2002

UW Environment
$1.5 B/yr enterprise (75% research/clinical)
55,000 machines
Infinite variety and vintage of computers
Incredibly complex/diverse org structure
Relatively little centralized desktop mgt
Every dept’s middle name is Autonomous
C&C provides core I.T. infrastructure
Depts responsible for end-system support

Conventional Security Wisdom
Popular Myth: “The network” caused the problem, so “the network” should solve it… So good security depends on:
–border firewalls
–border VPNs
Unpopular Reality: In a large, diverse organization such as UW, security is not achieved by either one.

Unconventional Security Wisdom
“If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.”
Bruce Schneier, Secrets and Lies

Gray’s Network Security Axioms
Network security is maximized… when we assume there is no such thing.
Firewalls are such a good idea… every host should have one. Seriously.
Remote access is fraught with peril… just like local access.

Perimeter Protection Paradox
Firewall “perceived value” is proportional to number of systems protected.
Firewall effectiveness is inversely proportional to number of systems protected.
–Probability of compromised systems existing inside
–Lowest-common-denominator blocking policy
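A toy model of the paradox, added here as an illustration and not part of the original slides: the first function models the "compromised system already inside" bullet, the other two model the lowest-common-denominator policy that a single border filter is forced into. Host counts, the 1% per-host compromise probability and the port sets are constructed values.

```python
# Added illustration of the Perimeter Protection Paradox (not from the slides).
# Host counts, compromise probabilities and port sets are constructed; hosts are
# assumed to be compromised independently of one another.


def p_compromised_inside(n_hosts: int, p_host: float) -> float:
    """Probability that at least one of n_hosts behind a shared perimeter is
    already compromised when each host is compromised independently with
    probability p_host.  A border firewall does nothing about that host."""
    return 1.0 - (1.0 - p_host) ** n_hosts


def border_policy(host_needs: dict[str, set[int]]) -> set[int]:
    """Lowest-common-denominator blocking policy: one border filter must admit
    the union of every protected host's required inbound ports."""
    allowed: set[int] = set()
    for needs in host_needs.values():
        allowed |= needs
    return allowed


def unneeded_exposure(host_needs: dict[str, set[int]]) -> dict[str, set[int]]:
    """Per host, the ports the border leaves open that the host itself does not
    serve.  A host-based ("closed server") filter closes exactly these; the
    border cannot close them without breaking some other host."""
    allowed = border_policy(host_needs)
    return {host: allowed - needs for host, needs in host_needs.items()}


if __name__ == "__main__":
    # Constructed example: a web server, a mail relay and a desktop behind one border.
    needs = {"web": {80, 443}, "mail": {25}, "desktop": set()}
    print("border must permit ports:", sorted(border_policy(needs)))
    for host, extra in unneeded_exposure(needs).items():
        print(f"  {host}: {len(extra)} port(s) open that it does not serve")
    for n in (1, 100, 55_000):
        print(f"{n:>6} hosts at 1% each: P(at least one compromised inside) = "
              f"{p_compromised_inside(n, 0.01):.4f}")
```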

Credo
Open networks
Closed servers
Protected sessions

Security Elements
Architectural
–Authentication & Authorization
–Encryption
–Packet filtering
Operational
–Prevention
–Detection
–Recovery
Policy
–Risk Management
–Liability Management

Start with a Security Policy
Now there’s an idea...
Define who can/cannot do what to whom...
Identify and prioritize threats
Identify assumptions, e.g.
–Security perimeters
–Trusted systems and infrastructure
–Hardware/software constraints
Block threats or permit good apps?
Minimize organizational distance between policy definition, configuration, and enforcement points

Network Risk Profile
(notwithstanding recent SNMP exploits)

Heroic (but futile) Endeavors
Getting anyone to focus on policies first
Getting any consensus on border blocking
Patching old end-systems
Pretending that clients are only clients
Securing access to older network gear

Bad Ideas
Departmental firewalls within the core.
VPNs only between institution borders.
Over-reliance on large-perimeter defenses... e.g. believing firewalls can substitute for good host/application administration...

Good Ideas
Two-factor authentication
End-to-End encryption: IPSEC
End-to-End encryption: SSH/SSL/K5
Proactive vulnerability probing
Centralized desktop management service
Latest OS versions (w/integral firewalls)
Bulk virus scanning
Server sanctuaries
Logical firewalls

Jury Still Out
Intrusion Detection Systems
DDoS trackers
Thin Clients

When do VPNs make sense?
E2E:
–Whenever config cost is acceptably small
Non-E2E:
–When legacy apps cannot be accessed via secure protocols, e.g. SSH, SSL, K5, and
–When the tunnel end-points are very near the end-systems.

Where do firewalls make sense?
Pervasively: (But of course we have a firewall…:)
–For blocking spoofed source addresses
Small perimeter/edge:
–Cluster firewalls, e.g. server sanctuaries, labs
–OS-based and Personal firewalls
Large perimeter/border:
–Maybe to block an immediate attack?
–Maybe if there is widespread consensus to block certain ports? (Aye, and there’s the rub…)
–And then again, maybe not...

Fundamental Firewall Truths...
Bad guys aren’t always "outside" the moat
One person’s security perimeter is another’s broken network
Organization boundaries and filtering requirements constantly change
Perimeter defenses always have holes

The Dark Side of Border Firewalls
It’s not just that they don’t solve the problem very well; large-perimeter firewalls have serious unintended consequences
Operational consequences
–Force artificial mapping between biz and net perimeters
–Catch 22: more port blocking -> more port 80 tunneling
–Cost more than you think to manage; MTTR goes up
–May inhibit legitimate activities
–Are a performance bottleneck
Organizational consequences
–Give a false sense of security
–Encourage backdoors
–Separate policy configuration from best policy makers
–Increase tensions between security, network, and sys admins

Mitnick’s Perspective
"It's naive to assume that just installing a firewall is going to protect you from all potential security threats. That assumption creates a false sense of security, and having a false sense of security is worse than having no security at all."
Kevin Mitnick, eWeek, 28 Sep 00

Do You Feel Lucky?
QUESTION: If a restrictive border firewall surrounds your --and 50,000 other-- computers, should you feel safe?
ANSWER: Only if you regularly win the lottery!

Distributed Firewall Management
Given the credo of:
–Open networks
–Closed servers
–Protected sessions
What about all the desktops?
–Organizations that can tolerate a restrictive border firewall usually centrally manage desktops
–Thus, they can also centrally configure policy-based packet filters on each desktop and don’t need to suffer the problems of border firewalls
–Centrally managing desktop firewalls is possible even if desktops are generally unmanaged

UW’s Logical Firewall
If edge and/or E2E protection isn’t possible, and the idiots running the net “won’t help”…
Plugs into any network port
Departmentally managed
Opt-in deployment
Doesn’t interfere with network management
Uses Network Address Translation (NAT)
Intended for servers; can be used for clients
Web-based rules generator
Gibraltar Linux foundation
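What a per-host "closed server" policy looks like once compiled into packet-filter rules, covering the centrally configured desktop filters of the previous slide, the rules-generator idea of this one and the pervasive anti-spoofing filter from "Where do firewalls make sense?". This is an added, hypothetical sketch, not UW's web-based rules generator and not a Gibraltar Linux configuration; the interface name, addresses and services are constructed.

```python
# Added example (hypothetical; not the UW logical firewall's own rules generator
# and not a Gibraltar configuration): compile a per-host "closed server" policy
# into iptables-style rules.  Interfaces, addresses and services are constructed.
from dataclasses import dataclass, field


@dataclass
class HostPolicy:
    iface: str                  # interface facing the open network
    own_ip: str                 # this host's address; never a legitimate outside source
    public_tcp: set[int] = field(default_factory=set)  # services offered to anyone
    admin_tcp: set[int] = field(default_factory=set)   # services offered to admin_nets only
    admin_nets: list[str] = field(default_factory=list)


def compile_rules(p: HostPolicy) -> list[str]:
    """Default-deny inbound, then permit only what this host actually serves.
    Order matters: the anti-spoofing and state rules precede the service rules."""
    rules = ["iptables -P INPUT DROP", "iptables -A INPUT -i lo -j ACCEPT"]
    # Pervasive filter: a packet arriving from the open network that claims this
    # host's own address or a loopback address is spoofed and is dropped first.
    for src in (p.own_ip, "127.0.0.0/8"):
        rules.append(f"iptables -A INPUT -i {p.iface} -s {src} -j DROP")
    # Replies to sessions this host initiated are allowed back in.
    rules.append("iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT")
    for port in sorted(p.public_tcp):
        rules.append(f"iptables -A INPUT -i {p.iface} -p tcp --dport {port} -j ACCEPT")
    for port in sorted(p.admin_tcp - p.public_tcp):
        for net in p.admin_nets:
            rules.append(f"iptables -A INPUT -i {p.iface} -s {net} "
                         f"-p tcp --dport {port} -j ACCEPT")
    return rules  # anything unmatched falls through to the INPUT DROP policy


def lint(p: HostPolicy) -> list[str]:
    """Flag the two mistakes that turn a closed server into an open or a broken one."""
    problems = []
    for port in sorted(p.public_tcp & p.admin_tcp):
        problems.append(f"port {port} is both public and admin-only; the public rule wins")
    if p.admin_tcp and not p.admin_nets:
        problems.append("admin-only services listed but no admin networks: they are unreachable")
    return problems


if __name__ == "__main__":
    # Constructed policy: a departmental web server administered over SSH from one prefix.
    web = HostPolicy(iface="eth0", own_ip="192.0.2.10", public_tcp={80, 443},
                     admin_tcp={22}, admin_nets=["198.51.100.0/24"])
    print("\n".join(compile_rules(web)))
    print(lint(web) or "policy OK")
```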

Server Sanctuaries
Cluster sensitive/critical servers together…
But don’t forget geographic-diversity needs
Then provide additional logical and physical security

Technical Priorities
Application security (e.g. SSH, SSL, K5)
Host security (patches, minimum svcs)
Strong authentication (e.g. SecureID)
Net security (VPNs, firewalling)

Policy & Procedure
Policy definition & enforcement structure
Education/awareness: it’s everyone’s job
Standards and documentation
Adequate resources for system administration
High-level support for policies
Pro-active probing
Security consulting services
IDS and forensic services
Virus scanning measures
Acquiring/distributing tools, e.g. SSH

Risk & Liability Issues
Liability over network misuse?
–Policies define acceptable use
–Post-audit strategy for enforcement
–Wireless perimeter control?
–Are networks an “attractive nuisance”?
Risk of server compromise?
–Strong preventive stance
–Pre-audit via proactive probing
–Greater sensitivity -> greater security

Reality Check
John Gilmore: “The Internet deals with censorship as if it were a malfunction and routes around it”
Isn’t this also true of other forms of policy-based restrictions, including Kazaa clamping and border port blocking?

“Inverted Networks”
New trend in big companies (e.g. DuPont)
Ditch the border firewall
Assume LANs are “dirty”
Use VPNs from each workstation to servers
Hey, an open network, with closed servers and E2E encryption! Why didn’t we think of that? :)

Worrisome Trends
Increasing sophistication of attacks
Increasing number of attacks
Tunneling everything thru port 80
Partially connected Internets
Increasing complexity and diagnostic difficulty

Encouraging Trends
Enterprise decision makers are engaged
Vendors are paying more attention
Software is slowly getting better?

Conclusions
Central network services: think of as an ISP
Conventional wisdom won’t work in our world
Border firewalls can actually be harmful
We can’t afford to settle for fake security
There are no silver bullets
The hardest problems are non-technical
It’s still going to be a long, up-hill battle
Don’t forget disaster preparedness and recovery (e.g. High-Availability system design)

Resources