
Upload: sharlene-wilkerson

Post on 04-Jan-2016


TRANSCRIPT

Page 1:

1 © Lucent Technologies Proprietary 2005 - All Rights Reserved

lgreenwald@lucent.com

Bell Labs - Internet Research Department

Mission

• Investigate latent vulnerabilities and pathological deficiencies in network infrastructure, network services, and network user equipment.

• Provide technologies to protect and promote the security of IP networks like the Internet.

• Expand our technologies to protect and promote the security of distributed systems.

Lloyd Greenwald, lgreenwald@lucent.com, (973) 386-6797

Page 2:

Enabling Application Communities

• Infrastructure for monitoring and securing a distributed community of applications

• Algorithms and tools for understanding and addressing potential faults and attacks within the community

• Formal analysis tools for generating code variations without loss of manageability

Page 3:

Internet Research Department Capabilities

• Network Reconnaissance

• Cyber Situational Awareness

• Penetration Testing

• Protecting Application Communities

• High Speed, Distributed IPS/VDS

• Polymorphic Programs

Page 4:

Network Reconnaissance Process

The IRD Team employs a proven iterative process to identify a network's Internet vulnerabilities:

• Collect Public Information (step 1, Public Source Search): search the Internet for customer network information in Internet registries, press releases and web sites.

• Probe the Customer Networks (steps 2 to 4: Network Discovery, Host Discovery, Vulnerability Scan): send crafted IP packets to IP addresses and infer network characteristics from the returned data.

• Map the Target Networks (step 5, Network Mapping): produce routing and reachability maps (ASN map, logical topology maps) from the returned probe data.

• Data Fusion and Analysis (step 6, Network Analysis): analyze maps, data and public information to identify external vulnerabilities.

Internet Research Lab: automated probe tools

– Pre-processing

– Discovery tools

– Vulnerability scanners

– Post-processing

– Database

– Mapping tools

[Figure: sample tool output, a DNS resolution table (DNS name, IP address, whether resolution worked) for the probed hosts, and a thumbnail of the Internet Research Lab network diagram]

Sample findings (IP address, vulnerability, solution):

IP addresses: 172.25.55.50, xxx.76.70.65, xxx.76.70.11
Vulnerability: Private addressing is being used to connect the xxx.76.70.0 network to UUNet.
Solution: If private addressing is being used to conceal the connection, then an access control list needs to be implemented on the router.

IP addresses: 172.25.55.50, xxx.76.70.65, xxx.76.70.11
Vulnerability: It is believed that this is a 3640 or 4500M Cisco router that will respond to NTP and ICMP Time Stamp Requests.
Solution: The router needs to be configured to not respond to either type of request.

IP addresses: xxx.76.70.66, xxx.76.70.12, yyy.172.70.138 (information-systems.atlanta.net)
Vulnerability: It is believed that this is a 3640 or 4500M Cisco router. In addition, it seems that the router is configured as a TACACS server. There are vulnerabilities with TACACS servers.
Solution: To mitigate this vulnerability, verify that all updates have been implemented on this device.

IP addresses: xxx.76.70.66, xxx.76.70.12, yyy.172.70.138
Vulnerability: It is believed that this is a 3640 or 4500M Cisco router that will respond to NTP and ICMP Time Stamp Requests.
Solution: The router needs to be configured to not respond to either type of request.

IP addresses: xxx.76.70.85, xxx.76.70.10
Vulnerability: Responds with an ICMP Filtered or ICMP Admin Prohibited message.
Solution: When implementing firewalls or access lists, the device should not give away its position or the fact that it is a security device. The device should have an access list to filter any ICMP message. The idea is to make the networks behind this device seem like a black hole.

[Figure: sample logical topology maps produced by the process: a multi-city gateway network of Cisco Catalyst 1900 switches and paired gateway routers (City 1 to City 14); a service-provider backbone map (SP1 Backbone, Area 1 and Area 2, ISP and SP peers, Loc-R routers); and a satellite-connected customer network (Cisco 7204 and 3640 routers, EMR-5000 series router, a possible VoIP gateway, a possible RADIUS server, and UUNET/Alternet uplinks). Addresses in the maps are masked as xxx.yyy.*]

Page 5:

Extension to Application Reconnaissance

1. Search local and global networks for published application and community data

2. Probe community computer systems for system configuration and component information and vulnerabilities

3. Produce composite system and community views from probe data

4. Fuse and analyze data to locate and address potential faults and attacks

5. Iterate

Page 6:

Cyber Situational Awareness

• Assessment of computer system vulnerability to multi-stage/multi-host attacks

• Attack chains: series of sequentially executed exploits to gain access

• Visualization of the computer system vulnerabilities for analysis

• Interactive capabilities for determining the effects of:

• Remedial actions on individual machines

• Placement of defensive devices (firewalls, intrusion detection systems, etc.) in the network

• Applications: Vulnerability forensics, intrusion detection, cyber attack forensics, system design

[Figure: attack-chain graph of exploit nodes (Exn) arranged by privilege level, from None up to Root]
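To make the "effects of remedial actions" point concrete, here is an added example (not code from the deck or from Bell Labs) of the attack-chain analysis this slide describes: a forward search over (host, privilege) states on a constructed network with hypothetical exploit steps ex1 to ex5, re-run after patching one host and after placing a firewall between two hosts.

```python
from collections import deque

PRIV = {"none": 0, "user": 1, "root": 2}

# Constructed model (not from the deck): which host pairs can talk, and hypothetical
# exploit steps as (src_host, dst_host, privilege needed on src, privilege gained on dst, id).
NETWORK = {("internet", "web"), ("web", "db"), ("web", "app"), ("app", "db")}
EXPLOITS = [
    ("internet", "web", "none", "user", "ex1"),  # remote foothold on the web host
    ("web", "web", "user", "root", "ex2"),       # local escalation on the web host
    ("web", "db", "root", "root", "ex3"),        # pivot from web (root) to db
    ("web", "app", "user", "user", "ex5"),       # pivot from web (user) to app
    ("app", "db", "user", "root", "ex4"),        # pivot from app (user) to db
]

def attack_chains(network, exploits, start_host="internet"):
    """Forward search over attacker states (host, privilege level).
    Returns {host: (highest privilege reached, chain of exploit ids used)}."""
    best = {start_host: ("root", [])}            # the attacker fully controls the start host
    queue = deque([start_host])
    while queue:
        host = queue.popleft()
        priv, chain = best[host]
        for src, dst, need, gain, name in exploits:
            if src != host or PRIV[priv] < PRIV[need]:
                continue                          # exploit does not apply from this state
            if src != dst and (src, dst) not in network:
                continue                          # hop blocked: no network path (firewall)
            current = best.get(dst, ("none", []))[0]
            if PRIV[gain] > PRIV[current]:
                best[dst] = (gain, chain + [name])
                queue.append(dst)                 # re-explore with the higher privilege
    return best

def what_if(network, exploits, patch=(), block=()):
    """Re-evaluate after remedial actions: `patch` removes exploit ids (host fixed),
    `block` removes host pairs from the network (firewall placement)."""
    remaining = [e for e in exploits if e[4] not in patch]
    reachable = {pair for pair in network if pair not in block}
    return attack_chains(reachable, remaining)

def privilege_on(result, host):
    return result.get(host, ("none", []))[0]

if __name__ == "__main__":
    print("db before:", attack_chains(NETWORK, EXPLOITS).get("db"))
    print("db after patching ex2:", what_if(NETWORK, EXPLOITS, patch={"ex2"}).get("db"))
    print("db after patch + firewall app->db:",
          what_if(NETWORK, EXPLOITS, patch={"ex2"}, block={("app", "db")}).get("db"))
```

Patching ex2 alone leaves db reachable through the app host, which is exactly the kind of second chain the slide's visualization is meant to expose.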

Page 7:

Penetration Testing: Find and Address Weaknesses

• Find: services, system info, users, file shares

• Address: buffer overflows, misconfigurations, weak password protection, poor input validation

• Access: user accounts, SQL injection, remote command execution, privilege escalation, backdoors, port redirection

• Custom tools

• Expertise with:

– Telephony

– Data networks

– Wireless technologies

Page 8:

Protecting Application Communities

Issue

1. Ensuring that the distributed application code is authentic and authorized

2. Preventing unauthorized modification of the application

3. Application communities must be able to counter new threats (protected from malicious hosts and applications)

Solution

1. Hash functions, application generator, resident helper agent

2. Time-to-live timeouts, code shuffling and obfuscation

3. Resolved by addressing #1 and 2 effectively.

Page 9:

Other Protection Mechanisms

• Applications communicate via encrypted messaging

– Encryption keys are based on generation of applications

– If an application can’t understand (i.e. decrypt) a message it receives, it reports a problem (unless suspected DoS is underway)

• Applications utilize helper agents

– Helper agents contain only the hash algorithm – very small

– If a helper agent returns with an incorrect value (or doesn’t return at all due to malicious host), a problem is indicated

• Intelligent application regeneration: detect and regenerate failed community members
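As an added example (not the deck's or Bell Labs' implementation) tying slides 8 and 9 together: a helper agent that holds only the hash algorithm, the community-side verdict on its reply (including the silent-agent and time-to-live cases), and messaging keyed by application generation so that a message from another generation cannot be understood. SHA-256, HMAC-based key derivation, a MAC standing in for encryption, the 300-second TTL and the sample application code are all assumptions.

```python
import hashlib, hmac, secrets

# Constructed sample: the application code of one generation of a community member.
APP_CODE = b"def handle(req): return process_v2(req)"
GENERATION_TTL = 300   # seconds a generation stays valid before regeneration (assumed value)

def helper_agent(code: bytes) -> str:
    """Resident helper agent: it holds only the hash algorithm (SHA-256 assumed)."""
    return hashlib.sha256(code).hexdigest()

def generation_key(master_secret: bytes, generation: int) -> bytes:
    """Messaging key tied to an application generation (HMAC-based derivation assumed)."""
    return hmac.new(master_secret, b"generation:%d" % generation, hashlib.sha256).digest()

def verify_member(expected_hash: str, reported_hash, issued_at: int, now: int) -> str:
    """Community-side verdict on a helper agent's reply; None means the agent never returned."""
    if now - issued_at > GENERATION_TTL:
        return "expired"        # time-to-live exceeded: regenerate this member
    if reported_hash is None:
        return "no-response"    # agent silenced, e.g. by a malicious host
    if not hmac.compare_digest(reported_hash, expected_hash):
        return "tampered"       # unauthorized modification of the application
    return "ok"

def seal_message(key: bytes, payload: bytes) -> bytes:
    """Authenticate a message between members (a MAC stands in for the deck's encryption)."""
    return hmac.new(key, payload, hashlib.sha256).digest() + payload

def open_message(key: bytes, sealed: bytes):
    """Return the payload, or None when the message cannot be understood (report a problem)."""
    tag, payload = sealed[:32], sealed[32:]
    if not hmac.compare_digest(tag, hmac.new(key, payload, hashlib.sha256).digest()):
        return None
    return payload

def demo() -> dict:
    expected = helper_agent(APP_CODE)
    verdicts = {
        "intact": verify_member(expected, helper_agent(APP_CODE), 1000, 1100),
        "modified": verify_member(expected, helper_agent(APP_CODE + b" # patched"), 1000, 1100),
        "silent": verify_member(expected, None, 1000, 1100),
        "stale": verify_member(expected, helper_agent(APP_CODE), 1000, 1400),
    }
    master = secrets.token_bytes(32)
    k1, k2 = generation_key(master, 1), generation_key(master, 2)
    sealed = seal_message(k2, b"status:ok")
    verdicts["same_generation"] = open_message(k2, sealed)   # b"status:ok"
    verdicts["old_generation"] = open_message(k1, sealed)    # None: key mismatch across generations
    return verdicts
```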

Page 10:

High Speed, Distributed IPS/VDS

• Real-time intrusion prevention, virus/worm detection

• Monitor and analyze traffic patterns in real-time

• Detect anomalies or signatures of impending or actual attacks

– Adaptive statistical threshold anomaly detection

– Multi-character multi-pattern string matching

– Sequential change-point and persistence filter detection

• Filter the offending traffic at the ingress point

• Conduct post-attack analysis

• Detection at 40Gb/s line speeds
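As an added example (not from the deck or from Bell Labs' IPS/VDS) of the sequential change-point and persistence-filter detection listed above, combined with an adaptive statistical threshold: a one-sided CUSUM run over constructed per-second packet counts. The 10-sample baseline window, 0.5σ allowance, 5σ threshold, 3-sample persistence and EWMA adaptation are all assumed parameters.

```python
import statistics

# Constructed per-second packet counts: 20 s of normal traffic, then a sustained surge
# of the kind a spreading worm produces. SPIKE instead holds a one-off burst.
SURGE = [100, 104, 98, 101, 99, 103, 97, 102, 100, 101,
         99, 100, 102, 98, 101, 100, 99, 103, 100, 98,
         160, 190, 230, 260, 300, 320, 350, 380, 400, 420]
SPIKE = SURGE[:20] + [200] + [100] * 6

def cusum_alarms(series, warmup=10, k_sigma=0.5, h_sigma=5.0, persistence=3):
    """One-sided CUSUM change-point detector with an adaptive threshold and a persistence
    filter. Returns the sample indices at which an alarm is raised."""
    baseline = series[:warmup]
    mu = statistics.mean(baseline)               # running estimate of normal traffic
    sigma = statistics.pstdev(baseline) or 1.0   # spread of normal traffic, scales the thresholds
    k = k_sigma * sigma                          # allowance: deviations below this are absorbed
    h = h_sigma * sigma                          # decision threshold on the cumulative sum
    s, over, alarms = 0.0, 0, []
    for i in range(warmup, len(series)):
        x = series[i]
        s = max(0.0, s + (x - mu) - k)           # accumulate only upward drift
        # persistence filter: count consecutive samples that are themselves elevated
        over = over + 1 if (s > h and x > mu + k) else 0
        if over >= persistence:
            alarms.append(i)
        else:
            mu = 0.9 * mu + 0.1 * x              # adapt the threshold to slow, benign change
    return alarms

if __name__ == "__main__":
    print("surge alarms at:", cusum_alarms(SURGE))   # first alarm 2 samples after the change begins
    print("spike alarms at:", cusum_alarms(SPIKE))   # []: a single burst is filtered out
```

The persistence filter is what keeps the one-off spike from raising an alarm even though the cumulative sum alone stays above the threshold for several seconds afterwards.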

Page 11:

Polymorphic Programs

Bell Labs polymorphic program technology transforms code to be undetectable by string-matchers: the program copies itself to different code and evades string recognition, so a signature match such as Match(1010) against the transformed bit stream is useless.

Polymorphism Techniques

• Varying encryption/decryption keys

• Translate opcodes (same actions, different opcode)

• Insert garbage instructions and jump over garbage code

• Reorder subroutines

• Recompile source code on host

Dynamic analysis:

– Cannot test all runtime conditions in emulation

– Dynamic analysis cannot detect many polymorphic code variations

Static structural code analysis: reverse engineer to opcodes.

– Map opcodes to find flowgraph: control, code, or function

– Discover decryption code and decrypt rest

– Statistically profile opcode use

– Map flowgraph to grammar

Page 12:

Internet Research Lab

[Figure: Internet Research Lab network diagram: an MPLS core with MPLS NMS, an ISP network (ASN 8158, BGP4, UUNet and SAVVIS uplinks, T1 links), a NOC, a DMZ with DNS, web and mail servers behind a firewall, a honey pot, an enterprise network, a mobility test network (Mobile IPv6 home agents and content servers on Linux, W2K and Solaris, access points, mobile unit), a VoIP network (MAX TNT gateway, MVAM gatekeeper, PBX, switch), an IPv6 network (www6.iplab.org, ns6.iplab.org, IPv6 tunnel, IPv4/IPv6/IP multicast), network, dial-out and IPv6 probe tools with database, network storage and visualization tools, and a security zone with a network analyzer and IDS log; www.iplab.org]

Page 13:

Enabling Application Communities

• Infrastructure for monitoring and securing a distributed community of applications

• Algorithms and tools for understanding and addressing potential faults and attacks within the community

• Formal analysis tools for generating code variations without loss of manageability

Bell Labs Internet Research Department has years of commercial, government, and internal R&D experience in enabling technologies for application communities.

Lloyd Greenwald, lgreenwald@lucent.com, (973) 386-6797