1. uw network security 2003 Terry Gray University of Washington Computing & Communications 17 October 2003

2. UW campus network (backbone) border router border router backbone switches ~ 30 level one routers subnets (733 total; 150 c&c); over 60,000 live devices

3. UW campus network (typical subnet) Level One Router Aggregation Switch Edge Switch campus subnets are a mixture of shared 10Mbps switched 10Mbps switched 10/100Mbps

4. network facilities

5. typical core routers

6. campus network traffic

7. Pacific Northwest Gigapop The PNW’s access point to next generation Internets, including Internet2, high performance USA Federal Networks, and high speed commodity Internet A high speed peering point for regional and international networks R&D testbed inviting national and international experimentation with advanced Internet-based applications

9. Pacific Northwest Gigapop uw border uw border 3 diverse network providersInternet2 national & internat’nl nets Internet2 2.5Gbps (10Gbps upgrade underway) Three different 1Gbps connections to the Internet Multiple gigabits of connections to other networks 30+ network customers

10. K-12 (307) Community/Technical College (73) Public Baccalaureate (50) Library (65 in process) Independent Colleges (9 approved) K20 Network Sites

11. seven security axioms Network security is maximized when we assume there is no such thing. Large security perimeters mean large vulnerability zones. Firewalls are such a good idea, every computer should have one. Seriously. Remote access is fraught with peril, just like local access. One person's security perimeter is another's broken network. Isolation strategies are limited by how many PCs you want on your desk. Network security is about psychology as much as technology. Bonus: never forget that computer ownership is not for the feint-hearted.

12. credo focus first on the edge (perimeter protection paradox) add defense in depth as needed keep it manageable provide for local policy choice... avoid one-size-fits-all

13. gray’s defense-in-depth conjecture MTTE (exploit) = k * N**2 MTTI (innovation) = k * N**2 MTTR (repair) = k * N**2 where N = number of layers

14. C&C security activities logical firewalls project 172 network infrastructure protection reverse IDS (local infection detection) auto-block; self-reenable traffic monitoring tools who/where traceability tools nebula proactive probing honeypots security operations training; consulting

15. security in the post-Internet era: the needs of the many the needs of the few Terry Gray University of Washington Fall Internet2 Meeting 16 October 2003

16. 2003: security ”annus horribilis” Slammer Blaster Sobig.F increasing spyware threat attackers discover encryption hints of more “advanced” attacks and let’s not even talk about spam…

17. 2003: security-related trends RIAA subpoenas growing wireless use VoIP over 802.11 pilots more mobile devices more critical application roll-outs faster networks “personal lambda” networks SEC filings on security? class action lawsuits?

18. impact end of an era… say farewell to  the open Internet  autonomous unmanaged PCs  full digital convergence? say hello to  one-size-fits-all (OSFA) solutions  conflict... everyone wants security and max availability, speed, autonomy, flexibility min hassle, cost the needs of the many trump the needs of the few (but at what cost?)

19. consequences more closed nets (bug or feature?) more VPNs (bug or feature?) more tunneling -“firewall friendly” apps more encryption (thanks to RIAA) more collateral harm -attack + remedy worse MTTR (complexity, broken tools) constrained innovation cost shifted from “guilty” to “innocent” pressure to fix problem at border pressure for private nets

20. revelations system administrators (2 kinds…)  want total local autonomy… or  want someone else to solve the problem  often unaware of cost impact on others users (2 kinds: happy & unhappy)  want “unlisted numbers”  need “openness” defined by apps feedback loop:  closed nets encourage constrained apps  constrained apps encourage closed nets

21. perimeter defense tradeoffs border  biggest vulnerability zone  biggest policy vs. performance concern subnet  doesn’t match org boundaries  worst case for NetOps debugging  consider also: sub-subnet LFWs, etc. host  optimal security perimeter  hardest to implement

22. never say die goal: simple core, local policy choice how to avoid OSFA closed net future?  design net for choice of open or closed  pervasive IPsec combine with “point response” won’t reverse trend to closed nets, but may avoid bad cost shifts alternative: only closed nets, policy wars

23. questions? comments?

24. outline thesis metamorphosis grief counseling what we lost how we lost it consequences critical questions

25. thesis the Open Internet is history --”get over it“ cheer up, things could be worse --and will be if we aren’t careful we can still make good decisions --to avoid even worse outcomes S@LS goal: evaluate alternative futures

26. metamorphosis: Internet paradigm 1969: “one network” 1982: “network of networks” 199x: balkanization begins 2003: balkanization complete 2004: paradigm lost?

27. metamorphosis: workshop goal 2000: “network security credo” 2001: “my first NAT” 2002: “uncle ken calls” > quest 2003: “slammer” > intervention 2003: “dcom/rpc” > wake

28. metamorphosis: success metrics nirvana then  open Internet / network utility model  successful end-point security nirvana now?  operational simplicity  admin-controlled security  user-controlled connectivity

29. grief counseling denial anger bargaining depression acceptance --simultaneously!

30. what we lost: network utility model the network utility model is dead --long live the NUM all ports once behaved the same  simple  easy to debug now they don’t:  bandwidth management polices  security policies

31. what we lost: operational integrity lost: network simplicity, leading to  lower MTBF  higher MTTR  higher costs lost: full connectivity, leading to  less innovation?  frustration, inconvenience  sometimes less security (faith, backdoors)

32. how we lost it: inevitable trainwreck? fundamental contradiction  networking is about connectivity  security is about isolation conflicting roles: strained bedfellows  the networking guy  the security guy  the sys admin  oh yeah… and the user insecurity = liability  liability trumps innovation  liability trumps operator concerns  liability trumps user concerns

33. how we lost it: firewall allure? firewalls = “packet disrupting devices” perimeter protection paradoxes large-perimeter FWs benefit:  SysAd, SecOps, maybe user  at expense of NetOps the best is the enemy of the good  microsoft rpc exploit has guaranteed that the firewall industry has a bright future

34. how we lost it: disconnects failure of “computer security”  vendors gave customers what they wanted, not what they needed  responsibility/authority disconnects guarantee failure failure of networkers to understand what others wanted  not a completely open Internet!  importance of “unlisted numbers”

35. consequences (1) mindset: “computer security” failed, so “network security” must be the answer extreme pressure to make network topology match organization boundaries ”network of networks” evolution  1982: minimum impedance between nets  2003: maximum impedance between nets Heisen/stein networking:  uncertain and relativistic connectivity

36. consequences (2) more self-imposed denial-of-service firewalls everywhere uphill battle for p2p more tunneled traffic over fewer ports one FTE per border --with or without firewall troubleshooting will be harder NAT survives unless/until a better “unlisted number” mechanism takes hold security/liability will continue to trump innovation/philosophy/ops costs

37. critical questions should we build net topologies that match organizational boundaries? will end-point security improve enough that perimeter defense will be secondary? is it too late to try to offer users a choice of open or closed nets? is the trend toward a single-port tunneled Internet good, bad, or indifferent? is there any chance IPS or DEN will make it all better? what’s the best way to implement an “unlisted number” semantic?

38. discussion! how do we redefine the Internet, going forward? I.e. how do we “reconnect”?