Information Security Vision Part II – Network Planning Task Force, 10/8/2003 – Deke Kassabian and Dave Millar
Page 1:

Information Security Vision Part II

Network Planning Task Force, 10/8/2003

Deke Kassabian and Dave Millar

Page 2:

Security: Defense in Depth

■ Prevent
  ■ Patch management tools & services
  ■ Training & education
  ■ Anti-virus scanning on mail servers
  ■ Firewalls/Router filtering
  ■ Virtual Private Network
  ■ Personal firewalls
  ■ Secure out-of-the-box
  ■ Campus-wide vulnerability scanning

■ Detect
  ■ Intrusion detection

■ Respond
  ■ Find a better way to locate compromised and vulnerable DHCP and wireless devices.

Page 3:

Simple Building Network

[Diagram: a router feeding three switches]

Page 4:

Simple Building Network, Firewall for all of subnet

[Diagram: a router feeding three switches, with one firewall covering the whole subnet]

Page 5:

Simple Building Network, Firewall for all of subnet

Pros:
° More coverage from one FW device

Cons:
° Blunt instrument, may subject too many things to one set of rules
° Problematic for network management

[Diagram: a router feeding three switches, with one firewall covering the whole subnet]

Page 6:

Simple Building Network

[Diagram: a router feeding three switches]

Page 7:

Simple Building Network, with firewall for servers

[Diagram: a router feeding four switches, with a firewall placed in front of the servers only]

Page 8:

Simple Building Network, with firewall for servers

Pros:
° Excellent server- or service-specific protection possible

Cons:
° May require server moves

[Diagram: a router feeding four switches, with a firewall placed in front of the servers only]

Page 9:

Simple Building Network

[Diagram: a router feeding three switches]

Page 10:

Simple Building Network, Firewall for one workgroup

[Diagram: a router feeding three switches, with a firewall in front of one workgroup's switch]

Page 11:

Simple Building Network, Firewall for one workgroup

Pros:
° Group-specific control and protection

Cons:
° Can still be a blunt instrument
° Still problematic for network management

[Diagram: a router feeding three switches, with a firewall in front of one workgroup's switch]

Page 12:

Simple Building Network

[Diagram: a router feeding three switches]

Page 13:

Simple Building Network, using VLAN Firewall

[Diagram: a router feeding three switches, with a VLAN-based firewall]

Page 14:

Simple Building Network, using VLAN Firewall

Pros:
° Very flexible in terms of participation
° Addresses net management problem

Cons:
° Adds complexity and cost

[Diagram: a router feeding three switches, with a VLAN-based firewall]

Page 15:

Perimeter Firewall: Current Situation

Pros:
° Provides limited protection from common attacks

Cons:
° Collateral damage
° No provision for legitimate access to risky services.

[Diagram: campus routers and switches connected to the Internet]

Page 16:

Where to put a perimeter firewall?

[Diagram: campus routers and switches connected to the Internet]

Page 17:

Minimal perimeter filtering in edge routers

[Diagram: campus routers and switches connected to the Internet; filtering applied at the edge routers]

Page 18:

Minimal filtering in campus routers

[Diagram: campus routers and switches connected to the Internet; filtering applied at the campus routers]

Page 19:

Campus VPN Service

[Diagram: campus routers and switches connected to the Internet, with a VPN gateway and a VPN client]

Page 20:

Campus firewall/VPN is not a panacea

University              Date NetBIOS ports blocked   # Windows machines   # infected   % infected
Penn                    9/11/2003                    11,000               1,100        10%
Large state university  7/28/2003                    12,000               1,500        13%
Ivy League peer         1/2/2002                     18,000               3,146        17%

Page 21:

Campus VPN Service

Pros:
° Allows us to block the most troublesome services and permit legitimate use.

Cons:
° Complexity and cost
° Traffic is not encrypted on PennNet.
° Given the transient nature of PennNet, this will at best stave off attacks for a few days.

[Diagram: campus routers and switches connected to the Internet, with a VPN gateway and a VPN client]

Page 22:

Local VPN Service

[Diagram: campus routers and switches connected to the Internet, with a VPN gateway inside a School or Center and a VPN client]

Page 23:

Local VPN Service

Pros:
° Allows Schools and Centers to implement more restrictive firewall policies.
° Unencrypted traffic need not travel over PennNet.

Cons:
° Complexity and cost

[Diagram: campus routers and switches connected to the Internet, with a VPN gateway inside a School or Center and a VPN client]

Page 24:

Personal Firewalls (desktop & server software)

[Diagram: a router feeding three switches]

Page 25:

Reviewing Terminology

■ Filtering router – a relatively blunt tool that allows you to block services by port number and IP address on routers.
  Pros:
  ■ Can be economical if existing routers support filtering.
  Cons:
  ■ All or nothing. If a service is blocked inbound or outbound it is blocked completely.
  ■ Can affect router performance.
  ■ Can limit flexibility as new network services are created or requested by end users.
  Effective for:
  ■ Temporary response to imminent or active threats.
  ■ Blocking services that are generally agreed by the campus community to pose excessive risk.

■ Firewall – a more robust security device that supports more complex security policies.
  Pros:
  ■ Greater flexibility: some allow you to inspect packets and block problematic traffic without blocking all traffic (e.g. block Code Red worm without blocking all web traffic). Other features allow you to permit inbound traffic if it is in response to a legitimate connection that was initiated internally ("stateful packet filtering").
  Cons:
  ■ Expense, complexity.
  ■ Can limit flexibility as new network services are created or requested by end users.
  Effective for:
  ■ Departments or workgroups desiring more than only a basic level of security.
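The difference between the two devices on this slide is easiest to see on concrete packets. The following is an added example, not code from the slides or from ISC: a toy packet filter in which a stateless access list (the filtering router) and a connection-tracking firewall judge the same four packets. The campus prefix, the list of risky ports and the packets themselves are constructed for the demonstration. The point it shows is the "stateful packet filtering" feature: a stateless device can only let web replies back in by trusting the source port, which an outsider can set to anything, while the stateful device admits only packets that answer a connection it saw leave.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CAMPUS = ip_network("10.0.0.0/8")           # assumed campus prefix (constructed)
RISKY_PORTS = {135, 137, 138, 139, 445}     # the NetBIOS/RPC ports the deck talks about blocking


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False    # True for the first packet of a TCP connection


def inbound(pkt: Packet) -> bool:
    """Inbound means: from outside campus to a campus address."""
    return ip_address(pkt.dst) in CAMPUS and ip_address(pkt.src) not in CAMPUS


def filtering_router(pkt: Packet) -> str:
    """Stateless access list, judged one packet at a time:
    1. drop inbound packets to the risky ports (all or nothing: every host, every time);
    2. permit inbound packets that merely look like replies (source port 80/443),
       the only way a stateless device can let web replies back in;
    3. drop other inbound packets; permit everything outbound."""
    if not inbound(pkt):
        return "permit"
    if pkt.dport in RISKY_PORTS:
        return "drop"
    if pkt.sport in (80, 443):
        return "permit"
    return "drop"


class StatefulFirewall:
    """Default-deny inbound, except packets answering a connection opened from inside
    and new connections to explicitly published services."""

    def __init__(self, published_ports=()):
        self.published_ports = set(published_ports)
        self.connections = set()   # (inside host, inside port, outside host, outside port)

    def filter(self, pkt: Packet) -> str:
        if not inbound(pkt):
            if pkt.syn:    # remember outbound connections so their replies can return
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "permit"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections:
            return "permit"            # reply to something we started
        if pkt.syn and pkt.dport in self.published_ports:
            return "permit"            # e.g. the department web server
        return "drop"


def demo():
    """Verdicts (router, firewall) for four constructed packets, in arrival order."""
    fw = StatefulFirewall(published_ports={80})
    packets = [
        # an inside host opens a connection to an outside web server
        ("outbound", Packet("10.1.2.3", 40000, "192.0.2.10", 80, syn=True)),
        # the web server's reply on that connection
        ("reply", Packet("192.0.2.10", 80, "10.1.2.3", 40000)),
        # an outsider probes RDP but sources the probe from port 80 to satisfy a stateless "reply" rule
        ("spoofed_reply_probe", Packet("198.51.100.7", 80, "10.1.2.3", 3389, syn=True)),
        # an unsolicited SMB probe: both devices drop it
        ("smb_probe", Packet("198.51.100.7", 51515, "10.1.2.3", 445, syn=True)),
    ]
    return {name: (filtering_router(p), fw.filter(p)) for name, p in packets}
```

Running `demo()` shows both devices permitting the outbound connection and its reply and both dropping the SMB probe; the probe sourced from port 80 is the case that separates them: the router passes it, the firewall drops it because no inside host ever opened a connection to that address.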

Page 26:

Reviewing Terminology

■ Security Policy – This term, when used in connection with firewalls and filtering routers, is generally taken to mean the rules for what kinds of network services you permit into and out of your network: which kinds of traffic are permitted and which aren't. A firewall or a filtering router is the physical device that enforces the security policy.

■ VPN – Security policies sometimes block services that users need to use from home or on the road (e.g. Outlook). A VPN, or Virtual Private Network, is server software and (usually, but not always) client software that establishes a secure connection and permits authenticated remote access to services otherwise blocked by the firewall security policy. In other words, a VPN allows you to make exceptions to the broad policy, when necessary.

■ VLAN – A firewall or filtering router has to be placed on the "choke point" between the machines inside the firewall and the external insecure network. Without VLAN (Virtual Local Area Network) technology, expensive wiring projects are often required to isolate the workgroup from other building occupants' network connections. In a shared building, for example, VLAN technology allows us to isolate one or more workgroups from one another and establishes a virtual choke point so that a firewall can protect the workgroup without affecting others in the building. In summary, a VLAN removes internal building physical constraints, allowing a firewall to be established within a building regardless of individuals' locations.

Page 27:

Firewalls Recommendations & Estimated Costs

Time-frame: Long-term
Target: Servers, desktops and workstations
Recommendation: Evaluate a network design and migration strategy that better balances availability against security, and is capable of supporting more flexible use of internal and external router filtering/firewall technology ... under evaluation

Time-frame: Near-term
Target: Servers, desktops and workstations
Recommendation: Provide a basic level of network security by implementing router filter rules on external interfaces after campus consultation. Support department workgroup firewall requirements with firewalls and VLANs, or other topologies (see below).

Time-frame: Near-term
Target: Desktops and workstations
Recommendation: Evaluate and recommend a personal firewall software product for targeted users and do a pilot evaluation.
  Software license for 50-100 users ... $2,500 - $5,000 for 3 years

Page 28:

Firewalls Recommendations & Estimated Costs*

Time-frame: Near-term
Target: Servers, desktops and workstations
Recommendations:
■ Enable Schools and Centers to implement local security policies:
  ■ Select a campus firewall and VPN standard, avoiding a campus VPN "Tower of Babel", buying time to patch systems, and enabling Schools and Centers to better implement local firewalls and VPN gateways ... under evaluation
  ■ Design, implement and manage VLANs within buildings on request. This is the first step in allowing one or more workgroups in the same building to place their desktops, servers and workstations behind a firewall without affecting other workgroups in the same building.
    ■ Design and implementation costs ... $1,300
    ■ Annual, ongoing maintenance – $2.50 per port (16 ports) per month & $1,000 ... $14.80/mo
  ■ After establishing a VLAN to isolate a workgroup from their building neighbors, the next step is to select, configure and manage a firewall. For workgroups on campus that do not want to do that themselves, create a new ISC Firewall and VPN management service:

                                       Firewall & VPN for under 25 users   Firewall and VPN for workgroup of 25-100 users & 2-5 workgroup servers
Hardware and software                  $3,000 - $5,000 every 3 years       $15,000 - $20,000 every 3 years
Hardware/Software maintenance          $500 - $1,000/yr                    $3,000 - $4,000/yr
Configuration and design (one-time)    $500 - $2,000                       $1,000 - $2,500
Management and support                 $2,500 - $5,000/yr                  $5,000 - $15,000/yr

*Note: Cost estimates assume internal staffing. For 3rd party consulting service, add 20 – 30 %.

Page 29:

Security: Defense in Depth

■ Prevent
  ■ Patch management tools & services
  ■ Training & education
  ■ Anti-virus scanning on mail servers
  ■ Firewalls/Router filtering
  ■ Virtual Private Network
  ■ Personal firewalls
  ■ Secure out-of-the-box
  ■ Campus-wide vulnerability scanning

■ Detect
  ■ Intrusion detection

■ Respond
  ■ Find a better way to locate compromised and vulnerable DHCP and wireless devices.

Page 30:

Secure out-of-the-box

■ When someone buys a new Dell or IBM machine in the Fall Truckload sale, it is very easy for them to complete the system install without creating an Administrator password. This has led to hundreds of compromised machines within days of going on PennNet.

■ Recommendation: Work with Dell, IBM and Microsoft to create more secure default images for newly purchased Penn machines ... negotiated price < $25/image

Page 31:

Security: Defense in Depth

■ Prevent
  ■ Patch management tools & services
  ■ Training & education
  ■ Anti-virus scanning on mail servers
  ■ Firewalls/Router filtering
  ■ Virtual Private Network
  ■ Personal firewalls
  ■ Secure out-of-the-box
  ■ Campus-wide vulnerability scanning

■ Detect
  ■ Intrusion detection

■ Respond
  ■ Find a better way to locate compromised and vulnerable DHCP and wireless devices.

Page 32:

RPC DCOM Scan results

[Chart: number of Penn machines vulnerable (y-axis 0 to 8,000), weekly from 8/1/2003 to 9/19/2003; two series, "RPC Round 1" and "RPC Round 2"]

Page 33:

Campus-Wide Vulnerability Scanning

■ Vulnerability scanning has been a very useful tool in helping to manage the patching process University-wide.

■ Focused, campus-wide scans for a single vulnerability can be done quickly (in 45 minutes or so). This is very helpful for defending against a particular worm.

■ Broader, campus-wide scans for the top twenty vulnerabilities take longer – more like 3-4 weeks. This is very helpful for "good hygiene", to ensure that we stay patched as new machines come onto PennNet over time. Goal: 1-3 weeks per campus-wide scan.

■ Finding contact information for the owners of thousands of DHCP (wired and wireless) devices is difficult and time-consuming.

■ The effectiveness of campus-wide scans is limited to the extent that laptops come and go at different locations on PennNet. We probably miss many vulnerable laptops if they're "off-line" at the time we scan.
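What makes a single-vulnerability sweep finish in minutes rather than weeks is the shape of the probe: one port, many hosts in parallel, a short timeout, and no retries. The following is an added example, not the scanner ISC used: a concurrent TCP probe that separates three outcomes, because the slide's coverage caveat turns on the difference between a host that answered "closed" and a host that did not answer at all. The listener and target list are constructed and only loopback is probed; the `probe`, `sweep` and `triage` names are this example's own.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe(host: str, port: int, timeout: float = 0.5) -> str:
    """Classify one host/port: 'open' (service answered), 'closed' (host is up but
    refused, so it has been checked) or 'unreachable' (no answer within the timeout,
    no route, or host down: an off-line laptop looks exactly like this)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "unreachable"


def sweep(targets, workers=64, timeout=0.5):
    """Probe every (host, port) in `targets` concurrently; return {target: outcome}.
    A short timeout and a wide pool keep a campus-sized sweep to minutes:
    each unreachable host costs one timeout, not a retry."""
    targets = list(targets)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        outcomes = list(pool.map(lambda t: probe(t[0], t[1], timeout), targets))
    return dict(zip(targets, outcomes))


def triage(results):
    """Group targets by outcome. The 'unreachable' list is the rescan list: those
    hosts were not checked, only missed, and must be probed again later."""
    groups = {"open": [], "closed": [], "unreachable": []}
    for target, outcome in results.items():
        groups[outcome].append(target)
    return groups


def start_listener():
    """Constructed stand-in for a host with the probed service listening:
    a TCP listener on an ephemeral loopback port. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(64)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:      # listener closed: stop serving
                return

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port() -> int:
    """An ephemeral loopback port with nothing listening (the constructed 'closed' case)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, listening = start_listener()
    # third target: a non-routable address standing in for a laptop that is off-line
    targets = [("127.0.0.1", listening), ("127.0.0.1", free_port()), ("10.255.255.1", 135)]
    print(triage(sweep(targets)))
    srv.close()
```

In a real sweep the target list is the campus address space and the port is the one the worm of the week uses; the `unreachable` group is what the slide means by laptops that were off-line at scan time, and is the list to feed back into the next pass rather than to discard.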

Page 34:

Vulnerability Scanning Recommendations

■ Develop more efficient methods of locating the owners of DHCP (wired and wireless) devices. See "Respond" section below.

Page 35:

Security: Defense in Depth

■ Prevent
  ■ Patch management tools & services
  ■ Training & education
  ■ Anti-virus scanning on mail servers
  ■ Firewalls/Router filtering
  ■ Virtual Private Network
  ■ Personal firewalls
  ■ Secure out-of-the-box
  ■ Campus-wide vulnerability scanning

■ Detect
  ■ Intrusion detection

■ Respond
  ■ Find a better way to locate compromised and vulnerable DHCP and wireless devices.

Page 36:

How do worms spread?

[Diagram: campus routers and switches connected to the Internet]

■ 60% of the time: attack Penn systems
■ 40% of the time: attack external systems

Page 37:

How did we learn about Blaster/Welchia infected machines?

■ Outsiders automatically send personal firewall logs to central services like MyNetWatchman, who in turn email the report to us.

■ Penn people have automated extracts from their firewall logs and email us the results.

■ We are automatically scanning our firewall logs and extracting the results every four hours.

■ Strengths: simple approach, inexpensive

■ Weaknesses: limited coverage, relies on Penn people's willingness to continue to devote the time.

Page 38:

Improving detection

[Diagram: campus routers and switches connected to the Internet, with three IDS boxes attached at different points]

Page 39:

How could we improve our detection capability?

Option: IDS box connects to local switches
  Pros: • Inexpensive
  Cons: • Limited visibility

Option: IDS box connects to internal routers
  Pros: • Broader visibility
  Cons: • More expensive equipment – e.g. fiber taps.

Option: IDS box connects to edge routers
  Pros: • Complete visibility of outbound attacks
  Cons: • Technically challenging given our redundant internet connectivity. • Most expensive

Option: Use edge router flow logs
  Pros: • Less expensive and less challenging than IDS on edge routers.
  Cons: • Limited visibility of outbound attacks
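Slide 37 describes pulling infected hosts out of firewall logs every four hours, and this slide asks where a sensor should sit; both questions come down to the same detection run over the same kind of record. The following is an added example, not ISC's tooling: a fan-out detector (one source reaching many distinct hosts on TCP/135, the RPC port Blaster used) run over a constructed batch of flow records, then run again on only the subset each sensor position would have seen. The campus prefix, the threshold, the record format and the log lines are constructed; the infected host in the sample splits its targets 60/40 between campus and Internet, as slide 36 states.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

CAMPUS = ip_network("10.0.0.0/8")   # assumed campus prefix (constructed)
FANOUT_THRESHOLD = 20               # distinct targets per source per window; assumed tuning value
WINDOW_SECONDS = 300


def parse(line):
    """One record per line: '<epoch> <src> <dst> <proto> <dport>' (constructed format)."""
    t, src, dst, proto, dport = line.split()
    return int(t), src, dst, proto, int(dport)


def visible_from(records, position):
    """Keep only the flows a sensor at `position` can observe.
    internal: any flow touching a campus address (switch- or router-connected IDS)
    edge:     only flows crossing the campus/Internet boundary (edge IDS or flow logs)"""
    def campus(ip):
        return ip_address(ip) in CAMPUS
    if position == "internal":
        return [r for r in records if campus(r[1]) or campus(r[2])]
    if position == "edge":
        return [r for r in records if campus(r[1]) != campus(r[2])]
    raise ValueError(position)


def fanout_scanners(records, proto="tcp", dport=135,
                    threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Sources that reach >= threshold distinct destinations on proto/dport within
    any `window`-second span. Returns {src: most distinct targets seen in one window}."""
    hits = defaultdict(list)
    for t, src, dst, p, d in records:
        if p == proto and d == dport:
            hits[src].append((t, dst))
    flagged = {}
    for src, events in hits.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:   # slide the window forward
                lo += 1
            targets = {dst for _, dst in events[lo:hi + 1]}
            if len(targets) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged


def sample_records():
    """Constructed log: one infected host sweeping TCP/135 with the 60/40
    campus/Internet split from slide 36, plus two benign hosts."""
    lines = []
    t = 1_000_000
    for i in range(24):                                      # 60%: campus targets
        lines.append(f"{t + 2 * i} 10.5.6.7 10.5.7.{i + 1} tcp 135")
    for j in range(16):                                      # 40%: Internet targets
        lines.append(f"{t + 48 + 2 * j} 10.5.6.7 203.0.113.{j + 1} tcp 135")
    for k in range(5):                                       # ordinary web browsing
        lines.append(f"{t + 10 * k} 10.1.1.1 192.0.2.{k + 1} tcp 80")
    for m in range(3):                                       # an admin touching three hosts
        lines.append(f"{t + 30 * m} 10.9.9.9 10.9.9.{m + 10} tcp 135")
    return [parse(line) for line in lines]


def compare_sensors(records=None):
    """Run the same detector on what each sensor position would have seen."""
    records = sample_records() if records is None else records
    return {pos: fanout_scanners(visible_from(records, pos)) for pos in ("internal", "edge")}
```

With the sample data the internal view flags 10.5.6.7 with 40 targets in one window, while the edge view sees only the 16 Internet-bound flows and stays under the threshold: an edge-only sensor has complete visibility of attacks leaving campus but none of the 60% aimed at other Penn hosts, which is why the deck pairs edge visibility with switch-connected IDS boxes to find compromised campus systems quickly. The threshold is the knob to tune against the admin host's three legitimate RPC connections.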

Page 40:

Targeted Intrusion Detection Recommendations & Estimated Costs

Near-term: Create policy establishing authority of ISC, Schools and Centers to conduct intrusion detection, addressing privacy, log retention and related issues ... no incremental cost

Near-term: Deploy and manage six to ten switch-connected IDS boxes to quickly identify compromised campus systems.
  Hardware ... $15,000-$20,000 every 2-3 years
  Staff to configure, manage, analyze IDS systems and follow up on intrusion reports ... $100,000/yr

Long-term: Evaluate and determine best method to provide router flow logs for intrusion detection ... under evaluation

Long-term: Evaluate a network design and migration strategy that better balances availability against security, and is capable of supporting broader intrusion detection ... under evaluation

Page 41:

Security Vision: Defense in Depth

■ Prevent
  ■ Patch management tools & services
  ■ Training & education
  ■ Anti-virus scanning on mail servers
  ■ Firewalls/Router filtering
  ■ Virtual Private Network
  ■ Personal firewalls
  ■ Secure out-of-the-box
  ■ Campus-wide vulnerability scanning

■ Detect
  ■ Intrusion detection

■ Respond
  ■ Find a better way to locate compromised and vulnerable machines as well as targets of copyright complaints.

Page 42:

How do we find problem machines?

■ Problem machine is reported either by the RIAA, intrusion detection or campus vulnerability scan.
■ If static IP – look it up in assignments.
■ If DHCP – ask NOC for a port trace, which translates the DHCP address to a physical location.

Page 43:

Current situation

■ Unable to respond to problems with wireless machines on parts of campus. Can't very well disable the port :-(

■ Had to just drop 40-50 cases of infected machines because of short DHCP lease lengths.

■ Requested 1149 port traces and 126 disconnects in calendar year 2003 (~$45,000). Trend is up (requested 270 in one week in September).

■ Had to hold off requesting some disconnects because it would have been unmanageable.
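The lookup chain on slide 42 (report, IP, DHCP lease, MAC, switch port) and the two ways it fails on slide 43 (short leases, wireless clients with no port to disable) can be written down as one resolver. The following is an added example, not the NOC's port-trace tooling: constructed lease history, port-trace and static-assignment records, with a `locate` function that refuses to guess when the reported timestamp is not covered by exactly one lease. That refusal is the point: with short leases, the address in a report may already belong to someone else, and a disconnect based on the wrong lease cuts off the wrong user.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    start: int   # epoch seconds
    end: int


# Constructed DHCP lease history. 10.3.0.5 was issued twice with one-hour leases,
# with a gap between the two holders; 10.3.0.9 went to a wireless client.
LEASES = [
    Lease("10.3.0.5", "00:0c:29:aa:bb:01", 1_000_000, 1_003_600),
    Lease("10.3.0.5", "00:0c:29:aa:bb:02", 1_003_900, 1_007_500),
    Lease("10.3.0.9", "00:0c:29:aa:bb:03", 1_000_000, 1_003_600),
]

# Constructed port-trace data: MAC -> (switch, port) learned from forwarding tables.
# The wireless client's MAC is not behind any wired port.
PORT_TRACE = {
    "00:0c:29:aa:bb:01": ("bldg-a-sw1", "Gi0/12"),
    "00:0c:29:aa:bb:02": ("bldg-a-sw2", "Gi0/3"),
}

# Constructed static assignment records: IP -> (hostname, contact).
STATIC = {"10.3.1.1": ("dept-mail", "admin@dept.example")}


def lease_holder(ip, when, leases=LEASES):
    """MAC that held `ip` at `when`, or None unless exactly one lease covers that instant."""
    holders = {l.mac for l in leases if l.ip == ip and l.start <= when <= l.end}
    return holders.pop() if len(holders) == 1 else None


def locate(ip, when, leases=LEASES, port_trace=PORT_TRACE, static=STATIC):
    """Resolve a reported (ip, timestamp) to something a disconnect request can act on."""
    if ip in static:
        hostname, contact = static[ip]
        return {"status": "static", "host": hostname, "contact": contact}
    mac = lease_holder(ip, when, leases)
    if mac is None:
        # Short leases: the report may refer to a lease already expired or reissued.
        return {"status": "ambiguous", "reason": "no single DHCP lease covers the report time"}
    if mac not in port_trace:
        return {"status": "mac-only", "mac": mac,
                "reason": "no wired port for this MAC; likely wireless, no port to disable"}
    switch, port = port_trace[mac]
    return {"status": "located", "mac": mac, "switch": switch, "port": port}
```

A report timestamped inside the first lease resolves to bldg-a-sw1 Gi0/12; the same address reported during the gap between the two leases, or after the second lease expired, comes back "ambiguous" and has to be dropped or re-confirmed, which is the slide's 40-50 dropped cases in code. The wireless client resolves to a MAC but no port, which is why the deck's later recommendation is to block by MAC address rather than by port.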

Page 44:

Incident Response Recommendations & Estimated Costs

Near-term: Provide tools to better support quick lookup of host and DNS contacts ... under evaluation

Near-term: Targeted deployment of PennKey authenticated network access in, for example, College Houses, GreekNet, Library ... $2,000 - $5,000/bldg

Long-term: Full deployment of PennKey authenticated network access on campus
  Hardware/Software (one-time) ... $1,000,000

Near-term: Research ways of ensuring security of newly connected machines:
  • Vulnerability scan of machines as they connect to PennNet
  • Ability to block infected/vulnerable machines based on MAC address
  Hardware/Software ... under evaluation
  Staff ... under evaluation

Page 45:

Next Steps & Estimated Costs

[Table columns: Initiative; FY 2004 (ISC / School/Center); FY 2005 (ISC / School/Center); FY 2006 (ISC / School/Center)]

Security patch policy ... ?
Create a new ISC Patch Management Service
  Staff ... $100,000/yr
  Hardware for campus SUS service ... $10,000 every 2-3 yr
  Software – 1000 seats ... $6/seat/yr
Virus scanning on pobox ... $5-$6/account/year
Network design supporting internal and external router filtering/firewall technology ... under evaluation
Support filter rules on external interfaces after campus consultation.
Personal firewall software selection/pilot
  Software license for 50-100 users ... $2,500 - $5,000 for 3 years
Select campus firewall and VPN standard ... under evaluation
Design, implement and manage VLANs within buildings on request
  Design and implementation ... ?
  Annual, ongoing maintenance ... ?
Managed firewall service -- estimates per firewall, based on internal staff
  Hardware and software ... $3,000 - $20,000 every 3 years
  Maintenance ... $500 - $4,000/yr
  Set-up ... $500 - $2,500
  Support ... $2,500 - $15,000

Page 46:

Next Steps & Estimated Costs

[Table columns: Initiative; FY 2004 (ISC / School/Center); FY 2005 (ISC / School/Center); FY 2006 (ISC / School/Center)]

More secure default images for newly purchased Penn machines ... < $25/image
Create Intrusion Detection policy ... no incremental cost
Deploy targeted campus intrusion detection systems
  Hardware ... $15,000-$20,000 every 2-3 years
  Staff ... $100,000/yr
Router flow logs for intrusion detection ... under evaluation
Network design supporting broader intrusion detection ... under evaluation
Tools for fast Host and DNS contact lookup ... under evaluation
PennKey authenticated access in targeted locations ... $2,000 - $5,000/bldg
Full deployment of PennKey authenticated network access
  Hardware/Software (one-time) ... $1,000,000
Implement two additional functions in PennKey network authentication of DHCP connections:
  Vulnerability scan of machines as they connect to PennNet
  Ability to block infected/vulnerable machines based on MAC address
  Hardware/Software ... under evaluation
  Staff ... under evaluation