uw network security 2003 Terry Gray University of Washington Computing & Communications 17 October 2003
UW campus network (backbone) border router border router backbone switches ~ 30 level one routers subnets (733 total; 150 c&c); over 60,000 live devices
UW campus network (typical subnet) Level One Router Aggregation Switch Edge Switch campus subnets are a mixture of shared 10Mbps switched 10Mbps switched 10/100Mbps
network facilities
typical core routers
campus network traffic
Pacific Northwest Gigapop The PNW’s access point to next generation Internets, including Internet2, high performance USA Federal Networks, and high speed commodity Internet A high speed peering point for regional and international networks R&D testbed inviting national and international experimentation with advanced Internet-based applications
Pacific Northwest Gigapop uw border uw border 3 diverse network providersInternet2 national & internat’nl nets Internet2 2.5Gbps (10Gbps upgrade underway) Three different 1Gbps connections to the Internet Multiple gigabits of connections to other networks 30+ network customers
K-12 (307) Community/Technical College (73) Public Baccalaureate (50) Library (65 in process) Independent Colleges (9 approved) K20 Network Sites
seven security axioms Network security is maximized when we assume there is no such thing. Large security perimeters mean large vulnerability zones. Firewalls are such a good idea, every computer should have one. Seriously. Remote access is fraught with peril, just like local access. One person's security perimeter is another's broken network. Isolation strategies are limited by how many PCs you want on your desk. Network security is about psychology as much as technology. Bonus: never forget that computer ownership is not for the feint-hearted.
credo focus first on the edge (perimeter protection paradox) add defense in depth as needed keep it manageable provide for local policy choice... avoid one-size-fits-all
gray’s defense-in-depth conjecture MTTE (exploit) = k * N**2 MTTI (innovation) = k * N**2 MTTR (repair) = k * N**2 where N = number of layers
C&C security activities logical firewalls project 172 network infrastructure protection reverse IDS (local infection detection) auto-block; self-reenable traffic monitoring tools who/where traceability tools nebula proactive probing honeypots security operations training; consulting
security in the post-Internet era: the needs of the many the needs of the few Terry Gray University of Washington Fall Internet2 Meeting 16 October 2003
2003: security ”annus horribilis” Slammer Blaster Sobig.F increasing spyware threat attackers discover encryption hints of more “advanced” attacks and let’s not even talk about spam…
2003: security-related trends RIAA subpoenas growing wireless use VoIP over pilots more mobile devices more critical application roll-outs faster networks “personal lambda” networks SEC filings on security? class action lawsuits?
impact end of an era… say farewell to the open Internet autonomous unmanaged PCs full digital convergence? say hello to one-size-fits-all (OSFA) solutions conflict... everyone wants security and max availability, speed, autonomy, flexibility min hassle, cost the needs of the many trump the needs of the few (but at what cost?)
consequences more closed nets (bug or feature?) more VPNs (bug or feature?) more tunneling -“firewall friendly” apps more encryption (thanks to RIAA) more collateral harm -attack + remedy worse MTTR (complexity, broken tools) constrained innovation cost shifted from “guilty” to “innocent” pressure to fix problem at border pressure for private nets
revelations system administrators (2 kinds…) want total local autonomy… or want someone else to solve the problem often unaware of cost impact on others users (2 kinds: happy & unhappy) want “unlisted numbers” need “openness” defined by apps feedback loop: closed nets encourage constrained apps constrained apps encourage closed nets
perimeter defense tradeoffs border biggest vulnerability zone biggest policy vs. performance concern subnet doesn’t match org boundaries worst case for NetOps debugging consider also: sub-subnet LFWs, etc. host optimal security perimeter hardest to implement
never say die goal: simple core, local policy choice how to avoid OSFA closed net future? design net for choice of open or closed pervasive IPsec combine with “point response” won’t reverse trend to closed nets, but may avoid bad cost shifts alternative: only closed nets, policy wars
questions? comments?
outline thesis metamorphosis grief counseling what we lost how we lost it consequences critical questions
thesis the Open Internet is history --”get over it“ cheer up, things could be worse --and will be if we aren’t careful we can still make good decisions --to avoid even worse outcomes goal: evaluate alternative futures
metamorphosis: Internet paradigm 1969: “one network” 1982: “network of networks” 199x: balkanization begins 2003: balkanization complete 2004: paradigm lost?
metamorphosis: workshop goal 2000: “network security credo” 2001: “my first NAT” 2002: “uncle ken calls” > quest 2003: “slammer” > intervention 2003: “dcom/rpc” > wake
metamorphosis: success metrics nirvana then open Internet / network utility model successful end-point security nirvana now? operational simplicity admin-controlled security user-controlled connectivity
grief counseling denial anger bargaining depression acceptance --simultaneously!
what we lost: network utility model the network utility model is dead --long live the NUM all ports once behaved the same simple easy to debug now they don’t: bandwidth management polices security policies
what we lost: operational integrity lost: network simplicity, leading to lower MTBF higher MTTR higher costs lost: full connectivity, leading to less innovation? frustration, inconvenience sometimes less security (faith, backdoors)
how we lost it: inevitable trainwreck? fundamental contradiction networking is about connectivity security is about isolation conflicting roles: strained bedfellows the networking guy the security guy the sys admin oh yeah… and the user insecurity = liability liability trumps innovation liability trumps operator concerns liability trumps user concerns
how we lost it: firewall allure? firewalls = “packet disrupting devices” perimeter protection paradoxes large-perimeter FWs benefit: SysAd, SecOps, maybe user at expense of NetOps the best is the enemy of the good microsoft rpc exploit has guaranteed that the firewall industry has a bright future
how we lost it: disconnects failure of “computer security” vendors gave customers what they wanted, not what they needed responsibility/authority disconnects guarantee failure failure of networkers to understand what others wanted not a completely open Internet! importance of “unlisted numbers”
consequences (1) mindset: “computer security” failed, so “network security” must be the answer extreme pressure to make network topology match organization boundaries ”network of networks” evolution 1982: minimum impedance between nets 2003: maximum impedance between nets Heisen/stein networking: uncertain and relativistic connectivity
consequences (2) more self-imposed denial-of-service firewalls everywhere uphill battle for p2p more tunneled traffic over fewer ports one FTE per border --with or without firewall troubleshooting will be harder NAT survives unless/until a better “unlisted number” mechanism takes hold security/liability will continue to trump innovation/philosophy/ops costs
critical questions should we build net topologies that match organizational boundaries? will end-point security improve enough that perimeter defense will be secondary? is it too late to try to offer users a choice of open or closed nets? is the trend toward a single-port tunneled Internet good, bad, or indifferent? is there any chance IPS or DEN will make it all better? what’s the best way to implement an “unlisted number” semantic?
discussion! how do we redefine the Internet, going forward? I.e. how do we “reconnect”?