Making Your Enterprise Network Safe: How to Plan Internet Security and Firewalls

Marcus J. Ranum
mjr@iwi.com
http://www.iwi.com
Information Warehouse! Inc.

Goals of this Tutorial

* Take a consistent approach to computer security
* Recognize that computer security is not rocket science
* Model computer security practices on what works for you
* Coordinate operational and security requirements
* Learn to recognize hype
* Look before you leap

Threats

* Loss of service
  - Downtime
  - System cleanup after a hacker attack is expensive
* Theft of service
  - Telephone/modem usage charges
* Loss of reputation
* Loss of data
  - Data can be damaged, corrupted, or lost
* Theft of data
  - Disclosure of trade secrets
  - Disclosure of customer proprietary information or records

Service-Oriented Requirements Analysis

* Ignore implementation details and list the high-level services that are required
* A typical set of core services:
  - Email
  - Web
  - FTP
  - USENET news
  - Telnet/Rlogin
* Form a list of high-level service requirements
* Include any special services particular to your business needs

Risk Assessment

* Risk assessment is the process of assigning likelihoods to potential vulnerabilities
* List assets that must be protected
* Categorize vulnerabilities based on potential damage to assets
  - If the asset is destroyed
  - If the asset is stolen or disclosed
  - If the asset is temporarily unavailable
* Describe the maximum and minimum possible impact of damage and the costs associated with damage control or containment

(C) Copyright, 1995, Information Warehouse!, Inc. All rights reserved.
Rationalize Risks and Benefits

* Requirements analysis and the results of risk assessment should provide a case for connectivity
  - Some organizations perhaps should never connect to another network
* Consider the results of risk assessment in terms of existing security practices
  - Many organizations get very worried about Internet connectivity and ignore lax security practices elsewhere
  - Attempt to address security consistently: if you have dial-in modem pools with no passwords it is a waste of time to build a fancy Internet firewall
  - Sometimes performing a detailed risk assessment can trigger a lot of firedrills or make you very unpopular

Security Goals

* If your risk assessment requires absolutely 100% security ...and...
* If your requirements analysis requires 100% open connectivity
  Take a good dose of reality and start over
* Look at the services required and figure out if they can be achieved in a manner consistent with your security requirements

Policies and Procedures

* There are two things nobody should ever have to watch being made:
  1. Sausage
  2. Policy*

*Budgets are a close third

Policies and Procedures

* You can go completely overboard with policies if you like
* Organizations with existing policies and procedures may not require anything fancy
  Remember: The Internet is not that different from anything else your business does
* If your organization already has existing policies that "fit" for Internet, simply make sure employees understand that organization policies apply to Internet behavior just like everything else
Policies Should Address

* Rights and responsibilities of users
* Account and resource use
* Software and data access and use, including copyright
* Privacy rights of individuals
* How violations of acceptable use are addressed
* Etiquette*
* Who to contact in the event of security incidents

*Though one would prefer to assume one is dealing with adults

A Simple Internet Access Policy

I __________________ understand that by having Internet access from my corporate account I have the ability to embarrass myself and my corporation instantly in front of 3 million people.

Signed: ____________________
Date: ____________________

Another Simple Policy

From a policies and procedures manual:

"Respect for the rights and sensibilities of others is required of all staff. When representing the company in any way, by telephone, in person, electronically, or in print, we expect our staff to maintain the highest standards of professional conduct."
...
"Use of corporate resources for personal business is not permitted without management approval."

More Complex Access Policies

* Many organizations have computer usage policies in the dozens of pages
* Some federal agencies require 3 page-long login banners consisting of a synopsis of access and usage policies
* Make sure that staff actually read the policy at some point
* Some organizations require a signature on a form
  Whatever you do, be consistent with other practices within your organization
Security Maintenance Policies

* Policies should be active, living documents
* Security policies should include information about the procedures to follow in order to change the policy
* List required periodic maintenance and who performs it
* Clearly define responsibilities for maintenance
* Make sure that those responsible for maintaining security have the power, budget, and time to do so

Two Security Models

* Host based security
* Perimeter security
* Isolation is a third technique which we won't discuss here
* These are not just an either/or choice, though many organizations tend to prefer one or the other
* In many cases you may wish to mix techniques

Host Based Security

* Don't trust the network
  - Can have a wide open or nearly wide open Internet connection
* Make sure that each host on the network is running with sufficient security
  - Possibly this means just the file servers
  - Possibly this means just the mainframe
* Advantages:
  - Wide open connection
  - Can be very secure
* Disadvantages:
  - Expensive to maintain
  - Does not scale well

Perimeter Security

* Put a "wall" around the network
* Control all access points into and out of the network
  - Internet links
  - Modem pools
  - Corporate partners
* Advantages:
  - Easier to implement quickly
  - Easier to maintain
* Disadvantages:
  - "Crunchy shell around soft, chewy center"
  - Single failure of security may compromise everything
Perimeters Meet Mobile TCP/IP

* As mobile computing becomes more common it is harder to define a clear perimeter
* Mobile users can do much more damage if they misbehave
* Decide whether to place mobile users inside or outside the perimeter
* Depending on whether mobile users are inside or outside, either require stronger authentication or give them reduced access

Internet Host Security

* When setting up a system to provide Internet services (e.g., Web or FTP) configure the system with as few unnecessary daemons as possible
* Reduce the risk of a security hole in a service daemon providing a foothold into your system by running daemons without system privileges
* Take advantage of system security features such as chroot (change root) wherever possible
* Monitor CERT or vendor mailing lists and patch known holes on the system

TCP/IP Security Issues

* The IP protocol is designed more for robustness than high security
* The network designers assumed the host systems would take care of security*
* Host system designers didn't bother
* Easy to spoof addresses and traffic
* Easy to sniff packets as they traverse the network
* Very easy to deny someone service
  - If someone wants to interrupt your Internet connection you are almost powerless to stop them
* When TCP/IP was developed it was a miracle to see computers talking at all, never mind security
IP Spoofing

* Somewhat sophisticated attack permits one machine to temporarily masquerade as another
* Relies on interrupting communications between the target system and the machine the attacker is pretending to be
* Attacker generates and consumes traffic with a fake address
* Software that relies on addresses for security is vulnerable
  - Unfortunately, addresses are about all that there is to rely on!

IP Splicing

* This attack is not widely observed (yet)
* Attacker interrupts an established connection between two systems
* Can steal a user's session after they have successfully logged in
* Requires jamming or interrupting communications between the system the user is really logged in from and the victim
* End-to-end encryption is the best means of protection against spoofing or splicing

Viruses, Trojans, Trapdoors

* Don't worry too much about viruses coming into your network via the Internet
  - Most viruses enter networks on floppy disks
  - If you want to protect against viruses, protect the desktop rather than the connectivity point(s)
* There have been known cases of trojan horse or trapdoored software
  - If running an Internet service node try to use "official" versions of software, preferably signed or checksummed by the author
  - Be wary of "unofficial" patches or bugfixes
  - Monitor relevant mailing lists or news groups

What is a Firewall?
* A firewall is a system or combination of systems that enforces a boundary between two networks
* Firewalls are an implementation of a security policy
* Firewalls typically log or audit traffic
* Firewalls typically are designed to resist attack from within as well as from without
* Firewalls may incorporate intrusion detection

Firewalls: Screening Routers

* Screening routers operate at a network level
  - Examine packet headers and determine whether or not to let traffic through based on predefined rules
  - Most commercial routers support some form of packet screening
* Advantages:
  - Fast
  - Flexible
  - Cheap
* Disadvantages:
  - No audit trail or logging
  - Vulnerable to network spoofing
  - Very low-level

Firewalls: Application Firewalls

* Operate at an application level
  - Instead of permitting traffic through, the firewall blocks all traffic
  - For each desired service some form of gateway service must be enabled by the administrator
* Advantages:
  - Very good logging and audit trail
  - Typically supports fewer services
  - May incorporate strong authentication/encryption
  - Can hide network addresses (network address translation)
* Disadvantages:
  - Not always transparent
  - Slow to support new or customized services

Managing Firewalls

* Managing a firewall often includes tasks that are unrelated to security
  - Configuring mail
  - Managing USENET
  - Network troubleshooting
  - Supporting users
* Security related management tasks typically consist of
  - Reviewing audit logs or summaries
  - Periodic system integrity checks
* Average firewalls take approx 1hr/week to maintain
Auditing Firewalls

* Whenever possible test your firewall installation using existing tools like ISS, COPS, or Satan
  - Build on other people's knowledge if you decide to roll your own
* Periodically test your firewall as part of routine maintenance
* Set up cross-checks that recognize events that should not occur and notify administrators if the event is detected (burglar alarms)
* Restrict access to the firewall itself and review all firewall access logs

Questions for Firewall Vendors

* Design principles on which the firewall operates
  - Is it network level or application level?
  - How does the firewall's design enhance its security?
* Types of management/configuration support or interface included with the firewall
* Types of logging/audit performed
* Documentation
* Size of installed base
* Support policy
* Trouble notification and patch policy

Authentication

* Weak
  - Trusts the network
* Strong
  - Relying on sound cryptographic protocols that do not require transmitting secrets over the network
* Any authentication system worth using should be able to resist an attacker even if the attacker can monitor the entire login exchange
* Simple passwords are an obsolete technology which is only viable on private or protected networks

Authentication: Tradeoffs

* Strong authentication
  - Often requires extra steps
  - Often requires extra software or hardware
  - May require modification of applications base
  - Requires additional management
* Weak authentication
  - Cheap
  - Easy
  - Worthless
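The screening-router and burglar-alarm slides above can be put together in a few lines. This is an added example, not code from the tutorial: the rule table, interface names, addresses and packet headers are all constructed, and the alarm shows why a screening rule that matches on source address alone is vulnerable to spoofing and how a cross-check on an event that should never occur catches it.

```python
# Added example: a screening-router rule check plus an anti-spoofing "burglar
# alarm" and the audit trail a bare screening router lacks. All values constructed.
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("10.1.0.0/16")      # constructed inside prefix

@dataclass(frozen=True)
class Packet:
    iface: str        # "ext" = Internet link, "int" = inside network
    src: str
    dst: str
    proto: str
    dport: int

# Predefined rules, first match wins: (number, iface, src, dst, proto, dport, action)
RULES = [
    (1, "ext", "any", "10.1.0.25/32", "tcp", 25, "permit"),   # mail relay
    (2, "ext", "any", "10.1.0.80/32", "tcp", 80, "permit"),   # web server
    (3, "int", "10.1.0.0/16", "any", "any", None, "permit"),  # outbound
    (4, "any", "any", "any", "any", None, "deny"),            # catch-all
]

def _net_match(pattern: str, addr: str) -> bool:
    return pattern == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern)

def screen(pkt: Packet) -> tuple:
    """Decide (rule number, action) the way a screening router does: headers only."""
    for num, iface, src, dst, proto, dport, action in RULES:
        if (iface in ("any", pkt.iface) and _net_match(src, pkt.src)
                and _net_match(dst, pkt.dst) and proto in ("any", pkt.proto)
                and dport in (None, pkt.dport)):
            return num, action
    return 0, "deny"  # not reachable while rule 4 is present

def burglar_alarm(pkt: Packet) -> str:
    """Cross-check for an event that must never occur: a packet arriving on the
    Internet link claiming an inside source address. Rule 1 would happily pass
    it, which is exactly the spoofing weakness the slides describe."""
    if pkt.iface == "ext" and ipaddress.ip_address(pkt.src) in INSIDE:
        return f"ALARM spoofed inside address {pkt.src} arrived on {pkt.iface}"
    return ""

def audit(packets: list) -> list:
    """One audit line per packet, plus an alarm line when the cross-check fires."""
    lines = []
    for p in packets:
        num, action = screen(p)
        lines.append(f"{action:6} rule={num} {p.iface} {p.src}->{p.dst}:{p.dport}/{p.proto}")
        alarm = burglar_alarm(p)
        if alarm:
            lines.append(alarm)
    return lines
```

Running `audit` over a legitimate SMTP packet and one with a forged inside source shows both being permitted by rule 1, with only the second producing an ALARM line for the administrator.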
Authentication: Time Tokens

[Figure: a card with a numeric keypad (1 2 3 4 5 6 7 8 9 0) displaying 921810]

* Secret key contained in card
* Key used to encrypt clock within card
* Encrypted clock value displayed on LED
* Encrypted value used instead of password:
    Username: mjr
    Password: 921810
* Server software performs same encryption and permits access if values match

Authentication: Challenge/Response

[Figure: a calculator with a numeric keypad (1 2 3 4 5 6 7 8 9 0) displaying 73234]

* Secret key contained in calculator
* User enters PIN to "unlock" calculator
* User enters challenge into calculator
* Calculator displays challenge encrypted with secret key:
    Username: mjr
    Challenge: 29381
    Response: 73234
* Server software performs same encryption and permits access if values match

Authentication: Software

* Printed challenge/response list stored in user's wallet:
    432: FOO BAR BAZ
    431: OTTER EEL MO
    430: CAT LAMP
    429: SNUZZ SNEEZE
    428: KISS WAG SNAIL
    427: FROB KNEE OM
    ...
* User consults challenge/response list and selects the requested response number:
    Username: mjr
    Challenge: key #430
    Response: CAT LAMP
* Response returned from list
* Server software permits access if values match
* Next challenge is #429

Authentication: Kerberos

* Trusted third party authentication system
* Requires secure server on network
* Requires software modification or support
* Permits use of plaintext passwords without compromising security
  - All transactions over network encrypted
  - Keys have limited/configurable duration
* Not widely supported by vendors
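The three one-time authenticators on the slides share one server-side idea: the server repeats the user's computation and compares. This added example (not from the tutorial) shows the server side of all three, using HMAC-SHA256 in place of the card's unspecified encryption and a hash chain for the printed list, so that the server never has to hold the seed; every key, clock value and seed below is constructed.

```python
# Added example: server-side checks for a time token, a challenge/response
# calculator and a printed one-time list. HMAC-SHA256 stands in for the card's
# unspecified encryption; all keys, clocks and seeds are constructed values.
import hashlib
import hmac
import secrets

def keyed_code(secret: bytes, data: bytes) -> str:
    # The card encrypts a value under its secret key; the server repeats it.
    digest = hmac.new(secret, data, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

# Time token: the encrypted value is the card's clock, in whole periods.
def time_code(secret: bytes, now: int, period: int = 60) -> str:
    return keyed_code(secret, (now // period).to_bytes(8, "big"))

def verify_time_code(secret: bytes, code: str, now: int,
                     period: int = 60, skew: int = 1) -> bool:
    # Card and server clocks drift, so neighbouring periods are accepted too.
    slot = now // period
    return any(hmac.compare_digest(time_code(secret, s * period, period), code)
               for s in range(slot - skew, slot + skew + 1))

# Challenge/response: the encrypted value is a nonce the server just chose.
def new_challenge() -> str:
    return f"{secrets.randbelow(100_000):05d}"        # like "29381" on the slide

def verify_response(secret: bytes, challenge: str, response: str) -> bool:
    return hmac.compare_digest(keyed_code(secret, challenge.encode()), response)

# Printed list: a hash chain used from the highest number downwards, so the
# server holds only the most recently accepted entry, never the seed.
def make_list(seed: bytes, n: int) -> list:
    chain, h = [], seed
    for _ in range(n):                 # entry k (1-based) is H applied k times
        h = hashlib.sha256(h).digest()
        chain.append(h.hex())
    return chain

class ListServer:
    def __init__(self, enrolment_entry: str, n: int):
        # Enrolled with entry n, so the first challenge asked for is #n-1.
        self.last, self.next_number = enrolment_entry, n - 1

    def verify(self, number: int, response: str) -> bool:
        # Hashing the presented entry once must give the entry already on file;
        # a replayed or out-of-order number is refused without touching state.
        ok = (number == self.next_number and hmac.compare_digest(
            hashlib.sha256(bytes.fromhex(response)).hexdigest(), self.last))
        if ok:
            self.last, self.next_number = response, number - 1
        return ok
```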
Virtual Network Perimeters

* Build multiple separate networks into a single logical network using encrypted point-to-point links

[Figure: Site "A" -- Encrypting Router -- Internet -- Encrypting Router -- Site "B"]
  All traffic between sites transparently encrypted
  Traffic to other sites normal (unencrypted)

VNPs: Benefits

* Permits use of the Internet as a private backbone for the organization
* Permits trusted access between member networks
* Insecure protocols (NFS, rsh, rlogin, etc.) can be used since interception/spoofing is prevented
* No software modification required
* Relatively low entry cost

VNPs: Disadvantages

* All members of a VNP must share a common security policy
* If one site is compromised the entire VNP may be compromised
* Export control regulations/cryptography policies may make it difficult for international partners to build VNPs

VNPs and Mobile Computing

* Mobile computers or detached systems may become members of a VNP temporarily from remote locations
* Requires strong authentication

The Future

* Firewalls will get better
* Networks will get faster
* There will be new services invented
  - They will have security flaws
  - Security will be an afterthought
* Vendor software will still have security flaws
* Encryption will be deployed more widely
  - This will cause a renewed interest in host security on the part of hackers and systems administrators alike
  - Transitive trust and delegation of trust will remain problematic
Parting Thoughts

* Most security problems are personnel related
* Many security problems are "inside jobs" or the result of lax practices
* You cannot solve social problems with software
* Make sure your policies are consistent and are communicated to your staff