1 © Lucent Technologies Proprietary 2005 - All Rights Reserved
Bell Labs - Internet Research Department
Mission
• Investigate latent vulnerabilities and pathological deficiencies in network infrastructure, network services, and network user equipment.
• Provide technologies to protect and promote the security of IP networks like the Internet.
• Expand our technologies to protect and promote the security of distributed systems.
Lloyd [email protected] (973) 386-6797
Enabling Application Communities
• Infrastructure for monitoring and securing a distributed community of applications
• Algorithms and tools for understanding and addressing potential faults and attacks within the community
• Formal analysis tools for generating code variations without loss of manageability
Internet Research Department Capabilities
• Network Reconnaissance
• Cyber Situational Awareness
• Penetration Testing
• Protecting Application Communities
• High Speed, Distributed IPS/VDS
• Polymorphic Programs
Network Reconnaissance Process
The IRD Team employs a proven iterative process to identify a network’s Internet Vulnerabilities
• Collect Public Information (step 1, Public Source Search): search the Internet for customer network information from Internet registries, press releases and web sites
• Probe the Customer Networks (steps 2 to 4: Network Discovery, Host Discovery, Vulnerability Scan): send crafted IP packets to IP addresses and infer network characteristics from returned data
• Map the target Networks (step 5, Network Mapping): produce routing and reachability maps (ASN map, logical topology maps) from returned probe data
• Data Fusion and Analysis (step 6, Network Analysis): analyze maps, data and public information to identify external vulnerabilities
Internet Research Lab
• Automated Probe Tools
– Pre-Processing
– Discovery tools
– Vulnerability Scanners
– Post Processing
– Data Base
– Mapping tools
DNS Names
DNS Name                       IP Address       DNS Resolution
iocecweb1.spco.com             123.22.68.248    worked
iocecweb2.spco.com             123.22.68.249    worked
iocecweb3.spco.com             -                -
iocecweb4.spco.com             123.22.68.74     worked
connectandcreate.spco.com      123.22.64.4      worked
connectandcreate1.spco.com     -
connectandcreate2.spco.com     123.22.64.29     worked
connectandcreate3.spco.com     -
connectandcreate4.spco.com     -
connectandcreate5.spco.com     -
connectandcreate6.spco.com     -
[Figure: Internet Research Lab network diagram, not recoverable as text. Labelled areas: MPLS Network (MPLS Core, MPLS NMS); ISP Network (ASN 8158, BGP4, UUNet and SAVVIS uplinks, T1 links, NOC, DMZ with DNS/web and mail servers, firewall, LAN, SMS, honey pot); Enterprise Network (www.iplab.org; IPv4, IPv6, IP multicast; network probe tools, dial-out probe tools, database, network storage, visualization tools, workstations, plotter/printer); VoIP Network (MAX TNT gateway, MVAM gatekeeper, PBX, switch); Mobility Test Network (GPS web server, media server, access points, mobile unit, Linux and W2K home agents, Linux and Solaris content servers, Mobile IPv6); IPv6 Network (www6.iplab.org, ns6.iplab.org, IPv6 probe tools, IPv6 tunnel to MH and HO); Security Zone (network analyzer, IDS log, VPN, OSPF).]
IP Address / Vulnerability / Solution

172.25.55.50, xxx.76.70.65, xxx.76.70.11
  Vulnerability: Private Addressing is being used to connect the xxx.76.70.0 network to UUNet.
  Solution: If Private Addressing is being used to conceal the connection then an Access Control List needs to be implemented on the router.

172.25.55.50, xxx.76.70.65, xxx.76.70.11
  Vulnerability: It is believed that this is a 3640 or 4500M Cisco router that will respond to NTP and ICMP Time Stamp Requests.
  Solution: The router needs to be configured to not respond to either type of request.

xxx.76.70.66, xxx.76.70.12, yyy.172.70.138 (information-systems.atlanta.net)
  Vulnerability: It is believed that this is a 3640 or 4500M Cisco router. In addition, it seems that the router is configured as a TACACS server.
  Solution: There are vulnerabilities with TACACS servers. To mitigate this vulnerability, verify that all updates have been implemented on this device.

xxx.76.70.66, xxx.76.70.12, yyy.172.70.138
  Vulnerability: It is believed that this is a 3640 or 4500M Cisco router that will respond to NTP and ICMP Time Stamp Requests.
  Solution: The router needs to be configured to not respond to either type of request.

xxx.76.70.85, xxx.76.70.10
  Vulnerability: Responds with an ICMP Filtered or ICMP Admin Prohibited message.
  Solution: When implementing firewalls or access lists the device should not give away its position or the fact it is a security device. The device should have an access list to filter any ICMP message. The idea is to make the networks behind this device seem like a black hole.
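As an added example (not the IRD's own tooling), this Python classifier turns probe observations of the kind tabulated above into finding/remediation rows. The Observation fields, the sample addresses (documentation-range and RFC 1918 addresses) and the set of ICMP "administratively prohibited" codes are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADMIN_PROHIBITED = {9, 10, 13}   # ICMP type 3 codes: network / host / communication administratively prohibited

@dataclass
class Observation:
    """What the probe tools recorded for one externally visible address (constructed shape)."""
    address: str
    path: List[str] = field(default_factory=list)   # traceroute hops on the way to the address
    icmp_timestamp_reply: bool = False              # answered an ICMP Timestamp Request (type 13)
    ntp_reply: bool = False                         # answered an NTP query
    icmp_unreach_code: Optional[int] = None         # ICMP type 3 code returned to a probe, if any

def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def audit(obs: Observation) -> List[Tuple[str, str]]:
    """Map raw probe results to (finding, remediation) rows like the table above."""
    rows: List[Tuple[str, str]] = []
    leaked = [hop for hop in obs.path if is_rfc1918(hop)]
    if leaked:
        rows.append((f"private addressing ({', '.join(leaked)}) is visible on the public path to {obs.address}",
                     "if the private addressing is meant to conceal the link, add an access control list on the router"))
    answered = [name for name, hit in (("NTP", obs.ntp_reply), ("ICMP Timestamp", obs.icmp_timestamp_reply)) if hit]
    if answered:
        rows.append((f"{obs.address} responds to {' and '.join(answered)} requests",
                     "configure the router not to respond to either type of request"))
    if obs.icmp_unreach_code in ADMIN_PROHIBITED:
        rows.append((f"{obs.address} answers with ICMP administratively prohibited (type 3, code {obs.icmp_unreach_code})",
                     "filter all ICMP on the device so it does not reveal itself; the network behind it should look like a black hole"))
    return rows

# Constructed samples: a router reached through two RFC 1918 hops that also answers time probes,
# and a filtering device that announces itself with an admin-prohibited message.
ROUTER = Observation("203.0.113.65", path=["203.0.113.1", "172.25.55.50", "10.1.1.1", "203.0.113.65"],
                     icmp_timestamp_reply=True, ntp_reply=True)
FIREWALL = Observation("203.0.113.85", icmp_unreach_code=13)

if __name__ == "__main__":
    for obs in (ROUTER, FIREWALL):
        for finding, fix in audit(obs):
            print(f"{obs.address}: {finding}\n    -> {fix}")
```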
[Figure: sample reconnaissance output maps, not recoverable as text. A Gateway Network map (Cisco Catalyst 1900 switches with paired gateways per site, City 1 to City 14, uplinks to service providers SP 1 and SP 2); an Area 1 / Area 2 map of the SP1 backbone with Loc*-R* routers and providers SP1 to SP16 and ISP1 to ISP7; and a satellite-connected site map (Cisco 7204 and 3640 routers, an EMR-5000 series router, a possible VoIP gateway, a possible RADIUS server, a UUNET uplink and an unknown connection). Addresses in the figures are masked (xxx.yyy.12.x and similar).]
Extension to Application Reconnaissance
1. Search local and global networks for published application and community data
2. Probe community computer systems for system configuration and component information and vulnerabilities
3. Produce composite system and community views from probe data
4. Fuse and analyze data to locate and address potential faults and attacks
5. Iterate
Cyber Situational Awareness
• Assessment of computer system vulnerability to multi-stage/multi-host attacks
• Attack chains: series of sequentially executed exploits to gain access
• Visualization of the computer system vulnerabilities for analysis
• Interactive capabilities for determining the effects of:
• Remedial actions on individual machines
• Placement of defensive devices (firewalls, intrusion detection systems, etc.) in the network
• Applications: Vulnerability forensics, intrusion detection, cyber attack forensics, system design
[Figure: attack graph; exploit nodes labelled Exn arranged along a Privilege Level axis from None to Root.]
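The attack-chain and what-if analysis described above, as an added Python example (not the IRD tool): a breadth-first search over (host, privilege level) states on a constructed network with abstract exploits Ex1 to Ex4, then the same search after one remedial patch and after one firewall placement. Hosts, exploits and connectivity are assumptions.

```python
from collections import deque
from typing import Dict, List, Optional, Set, Tuple
LEVELS = {"none": 0, "user": 1, "root": 2}   # the slide's privilege-level axis
# Constructed exploit catalogue, abstract like the slide's Exn nodes: needs = privilege already held on
# the source host, gains = privilege won on the target, local = runs on the host itself (no network hop).
EXPLOITS = {
    "Ex1": dict(needs="user", gains="user", local=False),
    "Ex2": dict(needs="user", gains="user", local=False),
    "Ex3": dict(needs="root", gains="root", local=False),   # only usable from a root-owned neighbour
    "Ex4": dict(needs="user", gains="root", local=True),    # local privilege escalation
}
class Model:
    def __init__(self, reach: Dict[str, Set[str]], vulns: Dict[str, Set[str]]):
        self.reach, self.vulns = reach, vulns   # connectivity; exploits each host is open to
    def patch(self, host: str, exploit: str) -> "Model":   # remedial action on one machine
        v = {h: set(e) for h, e in self.vulns.items()}
        v[host].discard(exploit)
        return Model(self.reach, v)
    def firewall(self, src: str, dst: str) -> "Model":     # defensive device blocking one link
        r = {h: set(t) for h, t in self.reach.items()}
        r[src].discard(dst)
        return Model(r, self.vulns)

def attack_chain(m: Model, start: Tuple[str, str], goal: Tuple[str, str]) -> Optional[List[Tuple[str, str, str]]]:
    """BFS over (host, privilege) states; returns the shortest chain of (source, exploit, target) steps or None."""
    parent: Dict[Tuple[str, str], tuple] = {}
    queue, seen = deque([start]), {start}
    while queue:
        host, lvl = queue.popleft()
        if host == goal[0] and LEVELS[lvl] >= LEVELS[goal[1]]:
            chain, s = [], (host, lvl)
            while s != start:
                s, step = parent[s]
                chain.append(step)
            return chain[::-1]
        for ex, spec in EXPLOITS.items():
            if LEVELS[lvl] < LEVELS[spec["needs"]]:
                continue
            for target in ({host} if spec["local"] else m.reach.get(host, set())):
                nxt = (target, spec["gains"])
                if ex in m.vulns.get(target, set()) and nxt not in seen:
                    seen.add(nxt)
                    parent[nxt] = ((host, lvl), (host, ex, target))
                    queue.append(nxt)
    return None
# Constructed network: attacker -> web -> {fileserver, db}; fileserver -> db.
BASE = Model(reach={"attacker": {"web"}, "web": {"fileserver", "db"}, "fileserver": {"db"}, "db": set()},
             vulns={"attacker": set(), "web": {"Ex1"}, "fileserver": {"Ex2", "Ex4"}, "db": {"Ex3"}})
START, GOAL = ("attacker", "root"), ("db", "root")
```

Running attack_chain on BASE, on BASE.firewall("web", "fileserver") and on BASE.patch("fileserver", "Ex4") shows the four-step chain to root on db and that either single countermeasure breaks it.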
Penetration Testing: Find and Address Weaknesses
• Find: services, system info, users, file shares
• Address: buffer overflows, misconfigurations, weak password protection, poor input validation
• Access: user accounts, SQL injection, remote command execution, privilege escalation, backdoors, port redirection
• Custom tools
• Expertise with:
– Telephony
– Data networks
– Wireless technologies
Protecting Application Communities
Issue
1. Ensuring that the distributed application code is authentic and authorized
2. Preventing unauthorized modification of the application
3. Application communities must be able to counter new threats (protected from malicious hosts and applications)
Solution
1. Hash functions, application generator, resident helper agent
2. Time-to-live timeouts, code shuffling and obfuscation
3. Resolved by addressing #1 and 2 effectively.
Other Protection Mechanisms
• Applications communicate via encrypted messaging
– Encryption keys are based on generation of applications
– If an application can’t understand (i.e. decrypt) a message it receives, it reports a problem (unless suspected DoS is underway)
• Applications utilize helper agents
– Helper agents contain only the hash algorithm – very small
– If a helper agent returns with an incorrect value (or doesn’t return at all due to malicious host), a problem is indicated
• Intelligent application regeneration: detect and regenerate failed community members
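An added Python simulation (not the Bell Labs mechanism itself) of the helper-agent and generation-keyed messaging ideas on the last two slides. It uses HMAC authentication in place of encryption (standard library only), derives the per-generation key by HMAC over the generation number, and challenges the helper agent with a nonce; all three are assumptions.

```python
import hashlib
import hmac
import struct
from typing import Optional

TAG = 32   # bytes of HMAC-SHA256 tag prefixed to every community message

class HelperAgent:
    """Resident helper agent: knows only the hash algorithm and the code bytes the host hands it."""
    def __init__(self, code_on_host: bytes, responds: bool = True):
        self.code, self.responds = code_on_host, responds
    def report(self, nonce: bytes) -> Optional[bytes]:
        if not self.responds:                                  # malicious host blocks or kills the agent
            return None
        return hashlib.sha256(nonce + self.code).digest()      # nonce keeps a cached answer from being replayed

class Community:
    """Community coordinator: holds the reference code hash and derives per-generation message keys."""
    def __init__(self, master_secret: bytes, reference_code: bytes):
        self.master, self.reference, self.generation = master_secret, reference_code, 0
    def key(self) -> bytes:
        # Key depends on the current generation (assumed derivation: HMAC of the generation number).
        return hmac.new(self.master, b"generation-%d" % self.generation, "sha256").digest()
    def seal(self, payload: bytes, now: int, ttl: int) -> bytes:
        body = struct.pack(">Q", now + ttl) + payload          # time-to-live carried in the message
        return hmac.new(self.key(), body, "sha256").digest() + body
    def open(self, msg: bytes, now: int) -> Optional[bytes]:
        tag, body = msg[:TAG], msg[TAG:]
        if not hmac.compare_digest(tag, hmac.new(self.key(), body, "sha256").digest()):
            return None                                        # wrong generation or forged: report a problem
        expiry, = struct.unpack(">Q", body[:8])
        return body[8:] if now <= expiry else None             # timed out
    def check_member(self, agent: HelperAgent, nonce: bytes) -> str:
        got = agent.report(nonce)
        if got is None:
            return "no-response"                               # silent host is treated as a problem too
        expected = hashlib.sha256(nonce + self.reference).digest()
        return "ok" if hmac.compare_digest(got, expected) else "tampered"
    def regenerate(self) -> None:
        self.generation += 1                                   # new generation: old keys stop working
```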
High Speed, Distributed IPS/VDS
• Real-time intrusion prevention, virus/worm detection
• Monitor and analyze traffic patterns in real-time
• Detect anomalies or signatures of impending or actual attacks
– Adaptive statistical threshold anomaly detection
– Multi-character multi-pattern string matching
– Sequential change-point and persistence filter detection
• Filter the offending traffic at the ingress point
• Conduct post-attack analysis
• Detection at 40Gb/s line speeds
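An added Python example (not the IPS/VDS implementation) of two of the detection methods listed: a one-sided CUSUM change-point test and a persistence filter, both scored against an adaptively estimated baseline, run on constructed per-second packet counts. Parameter values and the EWMA adaptation rule are assumptions.

```python
import statistics
from typing import Dict, List, Optional

class RateDetector:
    """Anomaly detection over a per-interval traffic counter, combining two of the slide's methods:
    a one-sided CUSUM change-point test and a persistence filter, both scored against a baseline
    (mean, variance) learned from a warm-up window and adapted by EWMA while traffic is in control."""

    def __init__(self, warmup: int = 10, k: float = 0.5, h: float = 6.0,
                 z_thr: float = 3.0, persist: int = 3, alpha: float = 0.1):
        self.warmup, self.k, self.h = warmup, k, h          # k: drift allowance, h: CUSUM decision threshold
        self.z_thr, self.persist, self.alpha = z_thr, persist, alpha

    def run(self, counts: List[float]) -> Dict[str, Optional[int]]:
        """Return the sample index at which each method first alarms (None = never)."""
        base = counts[:self.warmup]
        mean, var = statistics.fmean(base), statistics.pvariance(base)
        s, streak = 0.0, 0
        alarms: Dict[str, Optional[int]] = {"cusum": None, "persistence": None}
        for i in range(self.warmup, len(counts)):
            z = (counts[i] - mean) / max(var, 1e-9) ** 0.5   # standardised deviation from baseline
            s = max(0.0, s + z - self.k)                       # CUSUM keeps only accumulated upward drift
            if alarms["cusum"] is None and s > self.h:
                alarms["cusum"] = i
            streak = streak + 1 if z > self.z_thr else 0       # persistence: consecutive exceedances only
            if alarms["persistence"] is None and streak >= self.persist:
                alarms["persistence"] = i
            if s == 0.0:                                       # in control: let the baseline drift slowly
                mean = (1 - self.alpha) * mean + self.alpha * counts[i]
                var = (1 - self.alpha) * var + self.alpha * (counts[i] - mean) ** 2
            if None not in alarms.values():
                break
        return alarms

# Constructed per-second packet counts: a quiet baseline, one isolated spike at index 10,
# then a sustained flood from index 15 onward.
SAMPLE = [100, 104] * 5 + [112, 100, 104, 100, 104] + [120] * 5
```

On SAMPLE the CUSUM fires at the first flood sample while the persistence filter waits for three consecutive exceedances and ignores the isolated spike.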
Polymorphic Programs
• Copy self to different code
• Evade string recognition
[Figure: a bit string 1010111000 0010010 with Match(1010) marked as useless]
Polymorphism Techniques
– Varying encryption/decryption keys
– Translate opcodes (same actions, different opcode)
– Insert garbage instructions and jump over garbage code
– Reorder subroutines
– Recompile source code on host
Dynamic analysis:
– Cannot test all runtime conditions in emulation
– Dynamic analysis cannot detect many polymorphic code variations
Static structural code analysis:
– Reverse engineer to opcodes
– Map opcodes to find flowgraph: control, code, or function
– Discover decryption code and decrypt rest
– Statistically profile opcode use
– Map flowgraph to grammar
Bell Labs polymorphic program technology transforms code to be undetectable by string-matchers
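An added example (not Bell Labs' technology) of the static structural side of the slide: on a constructed toy two-byte instruction set, a byte signature fails against an opcode-translated, garbage-padded variant, while a flow-following opcode-class profile still matches it. The instruction set, the class mapping and the three programs are all assumptions.

```python
from collections import Counter
from typing import Dict, List

# Constructed toy instruction set (not a real ISA): each instruction is an opcode byte plus one operand byte.
OPCODES = {0x01: "MOV", 0x07: "LEA", 0x02: "ADD", 0x08: "SUB", 0x03: "JMP", 0x04: "CALL", 0x05: "RET", 0x90: "NOP"}
# Semantic classes: opcodes "translated" into equivalents share a class; NOPs and unconditional
# jumps only shape the byte stream, so they are dropped from the profile.
CLASS = {"MOV": "move", "LEA": "move", "ADD": "arith", "SUB": "arith",
         "CALL": "ctl", "RET": "ctl", "JMP": "filler", "NOP": "filler"}

def string_match(code: bytes, signature: bytes) -> bool:
    """What a string-matcher does: exact byte-sequence lookup."""
    return signature in code

def reachable_ops(code: bytes, entry: int = 0) -> List[str]:
    """Follow control flow from entry (JMP operand = signed byte offset from the next instruction,
    stop at RET): bytes that are jumped over never reach the opcode profile."""
    ops, pc, seen = [], entry, set()
    while pc + 1 < len(code) and pc not in seen:
        seen.add(pc)
        op = OPCODES.get(code[pc])
        if op is None:
            raise ValueError(f"undecodable byte 0x{code[pc]:02x} at offset {pc}")
        ops.append(op)
        operand = code[pc + 1]
        if op == "RET":
            break
        pc += 2 + ((operand - 256 if operand > 127 else operand) if op == "JMP" else 0)
    return ops

def structural_profile(code: bytes) -> Dict[str, float]:
    """Statistical profile of opcode-class use over the reachable instruction stream."""
    classes = [CLASS[op] for op in reachable_ops(code) if CLASS[op] != "filler"]
    return {c: n / len(classes) for c, n in Counter(classes).items()} if classes else {}

def profile_distance(a: Dict[str, float], b: Dict[str, float]) -> float:
    """L1 distance between two profiles; 0.0 means an identical opcode-class mix."""
    return sum(abs(a.get(k, 0.0) - b.get(k, 0.0)) for k in set(a) | set(b))

# Constructed programs. VARIANT_B does the same work as PROGRAM_A after opcode translation
# (MOV->LEA, ADD->SUB) and a JMP over four garbage bytes; UNRELATED_C is a different program.
PROGRAM_A   = bytes([0x01, 0x01, 0x02, 0x02, 0x01, 0x03, 0x04, 0x04, 0x05, 0x00])
VARIANT_B   = bytes([0x07, 0x01, 0x08, 0xFE, 0x03, 0x04, 0xFF, 0xFF, 0xEE, 0xEE,
                     0x01, 0x03, 0x04, 0x04, 0x05, 0x00])
UNRELATED_C = bytes([0x01, 0x01, 0x01, 0x02, 0x01, 0x03, 0x05, 0x00])
SIGNATURE   = bytes([0x02, 0x02, 0x01, 0x03])   # "ADD 2; MOV 3" as a byte signature for PROGRAM_A
```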
Internet Research Lab
[Figure: Internet Research Lab network diagram (the same lab diagram shown on the Network Reconnaissance Process slide): MPLS Network, ISP Network (ASN 8158, UUNet and SAVVIS uplinks), Enterprise Network (www.iplab.org, probe tools, database, visualization tools), VoIP Network, Mobility Test Network, IPv6 Network (www6.iplab.org, ns6.iplab.org) and Security Zone (network analyzer, IDS log, VPN, OSPF).]
Enabling Application Communities
Bell Labs Internet Research Department has years of commercial, government, and internal R&D experience in enabling technologies for application communities
Lloyd [email protected] (973) 386-6797