2 sec-212 3084_05_2001_c1 © 2001, cisco systems, inc. all rights reserved. deploying secure...
TRANSCRIPT
2SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Deploying Secure Enterprise Networks
333333SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Disclaimer
“This presentation provides a tit for tat description of a fictional electronic war between an irritable yet determined cracker and an overworked, but well funded, IT staff. Any similarities to your current environment is purely coincidental.
Cisco does not recommend such reactionary security design. Rather we suggest you attend the second session in this series for a systematic approach to the network security problem.”
The Authors at Cisco Systems
444444SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Agenda
• Welcome to HackFest 2001!
555555SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
• Scott Daniels (aka n3T51ay3r)
College age, too much free time
Two notches above “script kiddie”
Recently banned from netgamesrus.com for cheating on their latest game “Xtreme Secret Agent”
Wants revenge
The Aggressor
666666SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
The Defenders
• Netgamesrus.com
Web-based gaming company
Experienced explosive growth and hasn’t had much time to think about security
IT staff is minimal, and most have occupied their time play testing their newest creation
Just went through a second round of funding that hasn’t been spent yet
777777SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Public Hosts (WWW, DNS,
SMTP, FTP)
Internal Net
Netgamesrus.comNetgamesrus.com
Initial Solution
• Router only provides WAN connectivity
• FW is concerned with internal net
Internet
888888SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
In My Sleep
• Scan ports and vulnerabilities to find target
• Outdated bind discovered on web server
• Root privilege obtained, logs cleaned, and root kit installed
• “You are so owned”
n3T51ay3rn3T51ay3r
Internal NetInternet
999999SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Scanning Tools
101010101010SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
SANS #1: BIND
111111111111SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Root Kits
121212121212SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Quick Fix
• A player with scanning software happens to find your host is compromised and tattles
• Rebuild (due to rootkit) and patch hosts
• Turn off unwanted services
• Rinse and repeat (for all the hosts)
• Move public services off third leg of firewall for service isolation
Internet Internal Net
Netgamesrus.comNetgamesrus.com
131313131313SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Internet Internal Net
Hey, What Happened?
• What happened to “my” system?
• Rescan
There are less services available
Services are patched
• Wait for “new” vulnerability posting on net (no hurry…)
n3T51ay3rn3T51ay3r
141414141414SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
It’s Only a Matter of Time
151515151515SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
??
!!
Concerns with Open and Closed Source
161616161616SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Odds in My Favor
• Exploit latest vulnerability (a race)
• Reinstall rootkit, clean logs
• Download add’l attack tools (getting angry)
• Scan isolated service network and internal net
• Own more public hosts
Internet Internal Net
n3T51ay3rn3T51ay3r
171717171717SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Raise the Bar
• Internal scan finds compromised hosts
• Fix and rebuild hosts
• Install network IDS
• Turn on liberal shunning and TCP resets
Most signatures
Reconfigure ACLs on the router
Internet Internal Net
Netgamesrus.comNetgamesrus.com
181818181818SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
NIDS Response
7100he#show access-list
Extended IP access list 197
permit ip host 10.1.1.20 any
deny ip host 112.70.126.43 any
deny ip host 96.193.155.79 any
deny ip host 40.232.39.97 any
deny ip host 220.64.150.28 any
deny ip host 50.19.117.109 any
deny ip host 176.82.33.85 any
deny ip host 196.161.217.4 any
deny ip host 111.100.101.15 any
deny ip host 130.234.112.89 any
deny ip host 243.68.1.8 any
deny ip host 59.93.177.47 any
deny ip host 239.213.208.158 any
deny ip host 204.170.43.113 any
191919191919SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Lost Tone Again?
• Services found, though patched again
• Run vulnerability scans but inconsistent response
• Pings also blocked
• A “friend” observes the same result
• Rats…what’s going on?
Internet Internal Net
n3T51ay3rn3T51ay3r
202020202020SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
IT Success!
• Scan and exploit attempts captured
• Shunning worked
Internet Internal Net
Netgamesrus.comNetgamesrus.com
212121212121SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Stick IDS
• Researched behavior, NIDS and shunning assumed
• Find method to defeat NIDS — Stick is latest utility
http://www.eurocompton.net/stick/
Overwhelms shunning capability
• Launch stick, re-exploit hosts, install toys
Internal NetInternet
n3T51ay3rn3T51ay3r
222222222222SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Stick Tool
[root@sconvery-lnx stick]# ./stick -h
Usage: stick [sH ip_source] [sC ip_class_C_spoof] [sR start_spoof_ip end_spoof_ip] [dH ip_target] [dC ip_class_C_target] [dR starttargetip end_target_ip] ------------------------------------------------------------------------- defaults destination to 10.0.0.1 and source default is 0.0.0.0-255.255.255.255 Software Design for limitted Stress Test capablity.
[root@sconvery-lnx stick]# ./stick dH 12.1.1.1Destination target value of: 101010cStress Test - Source target is set to all 2^32 possiblities sending rule 496 sending rule 979 sending rule 896 sending rule 554 sending rule 735 sending rule 428
232323232323SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
New Management
• Two observationsNIDS shunning pre-FW may be overflowed so turn off shunning
Firewall logs show download of tools on hosts
• Install NIDS in public segment and liberally shun on FW
• FW ACLs to prevent public services segment outbound sessions
• Rebuild hosts using Ghost and patch
Internal NetInternet
Netgamesrus.comNetgamesrus.com
242424242424SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Customer
Public Services
Internal Services
Internal Users
Source: Public ServicesDestination: InternetPort: Any
Source: Public ServicesDestination: InternetPort: Anyokok
okok
SiSi
Specific Filtering
• No outbound for Web servers
• Be specific on other access
xx
252525252525SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Lessons Learned:n3T51ay3r vs. Netgamesrus.com
• Bind hack—mitigated by patches and NIDS
• Root kit—found by scan, manually removed
• New vulnerability—found by scan, mitigated by patches
• Attack tool download—mitigated by outbound filtering on FW
• IDS shun DoS—stick—no shunning on NIDS in front of FW
262626262626SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
This Is Getting Tough
• Lost tone again, must still be shunning
• Use stick again
• Still no tone???
Internal NetInternet
??n3T51ay3rn3T51ay3r
272727272727SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Internal NetInternet
Success Again
• NIDS alarming tracks cracker activities
• Shunning on FW working
• FW mitigates stick effects on NIDS in public services segment
Netgamesrus.comNetgamesrus.com
282828282828SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
The Empire Strikes Back
• What is being shunned?
Looks like composite and atomic attacks are shunned
• Exploit poorly deployed shunning:
Launch spoofed atomic attacks from proxy servers of large ISPs
• Now Legitimate Customers can’t get in!
Internal NetInternet
Proxied CustomersProxied Customers
n3T51ay3rn3T51ay3r
Proxy Svr50.50.50.50
292929292929SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
To Shun or Not to Shun
• Public exposure (due to shun problem) creates job uncertainties among the IT staff
• Perhaps shunning everything is a bad idea?
Set shun posture to only critical multi-packet TCP attacks
Tune IDS (shun length, false positives, alarm levels, hire staff to monitor IDS 24x7)
Optional: Tier IDS log analysis for better attack visibility
Internal NetInternet
Netgamesrus.comNetgamesrus.com
303030303030SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Try, Try Again
• Looks like they’ve got their act together
Trying the ISP DoS again doesn’t work
Shunning must have been tuned
• Shift gears, what CGI scripts are running on the box?
Internal NetInternet
Hmm…Hmm…n3T51ay3rn3T51ay3r
313131313131SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Application Layer Attacks
323232323232SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
godzilla.d
• Found a public domain CGI in use (SANS #2)
• Examine source code and run tools to find an unpublished vulnerability
• After substantial research, success
• Compromise web server with new toy (godzilla.d)
Internal NetInternet
godzilla!!godzilla!!n3T51ay3rn3T51ay3r
333333333333SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
SANS #2: CGI
343434343434SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Why Me?
• Find, Ghost, and patch hosts
• Fix CGI script (with outside help)
• Post to Bugtraq (or not)
Do we really want more visibility?• Install host IDS on appropriate hosts
Internal NetInternet
Netgamesrus.comNetgamesrus.com
353535353535SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Host Intrusion Detection
• Host IDS is best installed on key servers
• Features vary per product, including watching for:
File system
Process table
I/O
System resource usage
Memory allocation
• Actions include alarm and sometimes prevent
• Financially and operationally impractical to install on all hosts
363636363636SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Alternate Route Needed
• Their Internet access seems pretty locked-down
• I need another way in
• Shift gears to war dialing (Tone-Loc)
Internal NetInternet
Easier Way?Easier Way?n3T51ay3rn3T51ay3r
373737373737SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
War Dialers
383838383838SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Internet AdminSystems
$$$s
Employees
Netgamesrus.comNetgamesrus.com
AAA SvrPublicNet
Private Network Disclosed
• Private network is flat
• Management communications is:
In-band (over the company’s user network)
In the clear (telnet, tftp, syslog, SNMP)
• Dial-in access available (reusable passwords)
• Rogue machine with PC anywhere
393939393939SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Employees
Breach Private Network
• War dialing finds unsecured “modem” I can access
• Setup jump host on an employee machine, install rootkit and attack tools
• Use sniffers to map network & grab passwordsLearn addressing and server devices
Observe mgmt channels
Sniff passwords (rootkits, dsniff, etc)
Use SMBRelay to MITM passwords & export hashes to L0phtCrack
Internet AdminSystems
$$$s
AAA SvrPublicNet
n3T51ay3rn3T51ay3r
Entry Methods: Rogue Modem NAS Passwords
404040404040SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
CompromisedHost A
Host B
Attacker Source: AttackerDestination: APort: 22
Source: AttackerDestination: APort: 22
Source: ADestination: BPort: 23
Source: ADestination: BPort: 23
SiSi
Source: AttackerDestination: BPort: 23
Source: AttackerDestination: BPort: 23
Jump Hosts (Port Redirection)
414141414141SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Dug Song, Author of dsniff
Dsniff Is Not Your Friend
• ARP spoofing
• MAC flooding
• Selective sniffing
424242424242SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
SMBRelay
434343434343SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
LC3 (aka l0phtcrack)
444444444444SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Own Internal Devices
• Create backdoor logins (for use later!)
• Create a “pinhole” on the FW by modifying ACLs and NATUseful for “friendly” access
• Review company confidential data on servers
• Send IT and exec salary info to company-wide mail list
• Install BO2K server on several systems
Internet AdminSystems
$$$s
AAA SvrPublicNet
Netgamesrus.comNetgamesrus.comTo: All EmployeesSubj: Exec Salaries
Employees
n3T51ay3rn3T51ay3r
Entry Methods: Rogue Modem NAS Passwords Fake accts FW Pinhole
454545454545SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Back Orifice 2000
464646464646SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
There’s Movement All over the Place!
• Email got noticed, “originated” from innocent employee
• Host-based virus scanning detects and removes BO2K on several workstations and servers
• Install NIDS and watch traffic on key servers
• Install ACLs on FW to prevent outbound access for key servers
Internet AdminSystems
$$$s
AAA SvrPublicNet
Entry Methods: Rogue Modem NAS Passwords Fake accts FW Pinhole
Netgamesrus.comNetgamesrus.com
Employees
474747474747SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
BO2K Detection
484848484848SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
NIDS in High Load Environments
• NIDS value reduced when packet rate too high due to data loss
• Tricks for reducing load include:
Load balancing multiple NIDS devices
Layer 3 and 4 pre-screening of data
Unidirectional, not bi-directional, examination (some signatures do not fire properly)
• Beware overly sensitive alarming, don’t be overwhelmed
494949494949SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Modem Dial-in Again
• Access network again via modem
• Where’s my BO2K servers?
• Reinstall and run BO2K
• Client access to BO2K server keeps failing???
• Run away!
Internet AdminSystems
$$$s
AAA SvrPublicNet
Netgamesrus.comNetgamesrus.com
Employees
n3T51ay3rn3T51ay3r
Entry Methods: Rogue Modem NAS Passwords Fake accts FW Pinhole
505050505050SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Internet AdminSystems
$$$s
AAA SvrPublicNet
Entry Methods: NAS Passwords Fake accts FW Pinhole
Netgamesrus.comNetgamesrus.com
Employees
Caught in the Act
• Sysadmin sees the BO2K reset on the NIDS box and traces it back to the rogue modem
• Remove modem and sweep for other rouge access points (“remind” employees of the corporate security policy)
• Remove BO2K from internal systems (again)
515151515151SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Still Have Other Ways In
• After a while, try to gain entry again
• Modem is no longer around, so access network via NAS with newly created account (leave the pinhole for last resort)
• Where’s BO2K?
• Reinstall BO2k with crypto and stealth updates, run it
• Seems to work
Internet AdminSystems
$$$s
AAA SvrPublicNet
Entry Methods: NAS Passwords Fake Accts FW Pinhole
Employees
n3T51ay3rn3T51ay3r
525252525252SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Back Orifice 2000 Plug-ins
535353535353SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Deja Vu
• Regular security virus scan catches BO2K
• Remove BO2K and install HIDS on key servers
• Start an audit to find out source of attack
Internet AdminSystems
$$$s
AAA SvrPublicNet
Entry Methods: NAS Passwords Fake Accts FW Pinhole
Netgamesrus.comNetgamesrus.com
Employees
545454545454SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Low Tech Attack
• Dial-in via NAS for check-up
• BO2K gone again?
• Feeling vindictive, launch smurf attack against public web server
• Smirk and logout
Internet AdminSystems
$$$s
AAA SvrPublicNet
Entry Methods: NAS Passwords Fake Accts FW Pinhole
Employees
n3T51ay3rn3T51ay3r
555555555555SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
ICMP REQ D=160.154.5.255 S= 172.18.1.2ICMP REQ D=160.154.5.255 S= 172.18.1.2
160.154.5.0
Smurf Attack
Attempt toOverwhelm
WANLink to
Destination
172.18.1.2
ICMP REPLY D=172.18.1.2 S=160.154.5.14ICMP REPLY D=172.18.1.2 S=160.154.5.14
ICMP REPLY D=172.18.1.2 S=160.154.5.19ICMP REPLY D=172.18.1.2 S=160.154.5.19
ICMP REPLY D=172.18.1.2 S=160.154.5.18ICMP REPLY D=172.18.1.2 S=160.154.5.18
ICMP REPLY D=172.18.1.2 S=160.154.5.17ICMP REPLY D=172.18.1.2 S=160.154.5.17
ICMP REPLY D=172.18.1.2 S=160.154.5.16ICMP REPLY D=172.18.1.2 S=160.154.5.16
ICMP REPLY D=172.18.1.2 S=160.154.5.15ICMP REPLY D=172.18.1.2 S=160.154.5.15
565656565656SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Internet AdminSystems
$$$s
AAA SvrPublic
Net
Employees
Entry Methods: FW Pinhole
DoS Clean Up
• Find and stop system generating broadcast echos
• Upgrade systems to prevent smurf attacks
• Host audit logs show bogus account in-use
• Purge bogus accounts from all systems (including AAA server) and expire all passwords
575757575757SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Host System Logs
585858585858SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Lessons Learned:n3T51ay3r vs. Netgamesrus.com
• Bind hack—mitigated by patches, NIDS, and HIDS
• New vulnerability—mitigated by HIDS or very good sysadmins
• Root kit—mitigated by HIDS
• Attack tool download—mitigated by outbound filtering on firewall
• IDS shun DoS—stick—no shunning on NIDS in front of FW
• CGI script vulnerability—mitigated by HIDS, good patch practices, code reviews, and NIDS
• LC3 password crack—assuming he gets the hashes somehow, its only a matter of time
• BO2K—mitigated by host virus scanning, host IDS, and NIDS
595959595959SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Internet AdminSystems
$$$s
AAA SvrPublicNet
Entry Methods: FW Pinhole
Employees
Through the Firewall
• Bogus accounts inactive and passwords changed
• Using existing pinhole, compromise internal sales report Web server using NT IIS RDS vulnerability (SANS #4)
• Use sniffers to re-learn passwords
• Compromised sales server has access to customer database, with credit card info, via a SQL access script with auth credentials stored in the clear
• Obtain, post, and use credit cards via bogus SQL script using obtained authentication credentials (call it “fetchmydata”)
NAS Passwordsn3T51ay3rn3T51ay3r
606060606060SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
SANS #4: IIS RDS
616161616161SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 4.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="auto 011, default">
</head>
<body background="_themes/auto/autobkgd.gif" bgcolor="#666666" text="#FFFFFF" link="#FFCC33" vlink="#CCCC99" alink="#CCCCCC"><!--mstheme--><font face="Arial, Arial, Helvetica">
<p><img border="0" src="images/pod<%Response.Write Application("sevt_podnumber")%>.gif" width="640" height="66"></p>
<p>
<%
On Error resume Next
openstr = "DRIVER={SQL Server}; server=192.168.0.10; database=pubs;UID=pubs;PWD=password"
Set cn = Server.CreateObject("ADODB.Connection")
cn.Open openstr
sql = "SELECT sum(qty) FROM buys; "
set rs = Server.CreateObject("ADODB.Recordset")
rs.Open sql, cn, 3, 3
Beware Where You Store Credentials
626262626262SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Customers Upset = Big Reaction
• Customers unhappy with credit card posting and charges
• Audit of FW rules coincidentally removes pinhole
• Exhaustively patch internal servers and sprinkle more HIDS
• Partition internal network, upgrading to L3 switch, and setup ACLs to block access
• Add custom string in NIDS for calls to “fetchmydata”, the script that was used in attack
Internet AdminSystems
$$$s
AAA SvrPublicNet
Employees
Entry Methods: NAS Passwords
SiSi
Netgamesrus.comNetgamesrus.com
636363636363SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Layer 4 ACLs in Switches
• L4 access control in switches (e.g. CAT6k)
• ASIC/HW support important for Gig environments
• Logging, when available, is unwise at high data rates
On a CAT6k performance drops an order of magnitude
• Note access control is stateless
Ideal for L3 use
L4 multi-channel protocol filtering is hard & insecure (no state tracking)
646464646464SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
access-list out deny ip any 192.168.254.0 255.255.255.0 access-list out deny ip any 192.168.253.0 255.255.255.0 access-list out permit icmp any any echo-reply access-list out permit tcp any host 172.16.225.52 eq www access-list out permit tcp any host 172.16.225.52 eq ftp access-list out permit tcp any host 172.16.225.50 eq smtpaccess-list out permit tcp any host 172.16.225.55 eq 22access-list out permit udp any host 172.16.225.51 eq domain access-list in deny ip any 192.168.254.0 255.255.255.0 access-list in deny ip any 192.168.253.0 255.255.255.0 access-list in permit icmp any any echo access-list in permit udp host 10.1.11.50 host 172.16.225.51 eq domain access-list in permit tcp 10.0.0.0 255.0.0.0 host 172.16.225.52 eq www access-list in permit tcp 10.0.0.0 255.0.0.0 host 10.1.103.50 eq 15871 access-list in permit tcp host 10.1.11.51 host 172.16.225.50 eq smtpaccess-list in permit tcp host 10.1.11.51 host 172.16.225.50 eq 20389 access-list in permit tcp 10.0.0.0 255.0.0.0 host 172.16.225.52 eq ftp access-list in deny ip any 172.16.225.0 255.255.255.0 access-list in permit ip 10.0.0.0 255.0.0.0 any
The Needle in the Haystack
pinhole
656565656565SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Custom SQL NIDS String
666666666666SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Another Regular Check-Up
• Firewall pinhole is plugged
• Dial-in via NAS with cracked password
• Use sniffers to learn admin password, add back pinhole
• Start poking around the databases again, access script on internal server…where did it go?
• Ping several servers—some respond, others do not
• Start SLOW network mapping script to stay below NIDS’s scan match signature timing then leave
Internet AdminSystems
$$$s
AAA SvrPublicNet
Entry Methods: NAS Passwords
Employees
FW Pinhole
SiSi
n3T51ay3rn3T51ay3r
676767676767SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
We’ve Got a Live One!
• NIDS triggers on “fetchmydata” bogus script call (alarms ensue)• Backtrack through access logs to determine who had the specific NAS IP at that time, initiate traceback• *Sigh* Another compromised password, time for OTP• Jump host finally discovered via NIDS logs!• Scripts, sniffers, and dsniff found, system taken out of service• Add NIDS custom string for traffic destined to the old jump host IP• Research dsniff, cry, then deploy SSH / SSL for management and improve
L2 security
Internet AdminSystems
$$$s
AAA SvrPublicNet
Employees
Entry Methods: NAS Passwords
SiSi
Netgamesrus.comNetgamesrus.com
686868686868SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Traceback
• Find the ingress/egress point
• Talk to your provider to initiate traceback
• If working with a managed service provider, work with them
• There is no 1800-TRACEBACK company other than through your provider
• Certain organizations may have special relationships with government, military, and the like
696969696969SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
One Time Passwords (OTP)
• Commonly used for NAS, device mgmt, and remote access VPNs (don’t rely solely on HW authentication)
• Mitigate eavesdropping and replay attacks
• Each password only useful once
• Synchronization between authentication server and client
• Agreement may be based on time, sequence, and a PIN
• Software and hardware based
707070707070SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
L2 Security
• Port security
• Static Arp
• Arpwatch
• Private VLANs
717171717171SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
e6506-7> (enable)
e6506-7> (enable) sh cam dy 3/1
* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry.
X = Port Security Entry
VLAN Dest MAC/Route Des [CoS] Destination Ports or VCs / [Protocol Type]
---- ------------------ ----- -------------------------------------------
129 00-02-4a-d1-20-01 3/1 [ALL]
Total Matching CAM Entries Displayed = 1
e6506-7> (enable) sh arp
ARP Aging time = 1200 sec
+ - Permanent Arp Entries
* - Static Arp Entries
192.168.254.57 at 00-30-94-0b-45-a0 port 3/48 on vlan 99
CAM Table and ARP Entries
727272727272SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
PromiscuousPort
PromiscuousPort
Community‘A’
Community‘B’
IsolatedPorts
Primary VLAN
Community VLAN
Community VLAN
Isolated VLAN
Only One Subnet!
xx xx xx xx
Private VLANs
737373737373SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Management Channel Security
• In-Band in the clear
Optionally with strong authentication
• In-Band secured
Application layer encryption (SSH, SSL)
Network layer encryption (IPSec)
Good for non config protocols
Syslog, TFTP, SNMP
• Out-of-Band management
Strongest security
Beware topo sensitive NMS
747474747474SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Dsniff Is Still Not Your Friend
757575757575SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Internet AdminSystems
$$$s
AAA SvrPublicNet
Entry Methods: FW Pinhole
Employees
SiSi
Time to Check on Scan
• After a period of time, try to gain access again
• Try NAS, prompted for PASSCODE??? Damn!
• Use pinhole to jump host, no response
Hmm…Hmm…n3T51ay3rn3T51ay3r
767676767676SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
They’re Here!
• NIDS triggers on custom rule for jump host IP access
• IP was outside our range
• Check firewall rules, discover additional pinhole
• Fix firewall
• Start trace back to attacking IP—now we’ve got you!
Internet AdminSystems
$$$s
AAA SvrPublicNet
Employees
Entry Methods: None
SiSi
Netgamesrus.comNetgamesrus.com
777777777777SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
n3T51ay3rn3T51ay3r
Vengeance
• Detect trace back on launch-site firewall
• Queries from my target? School is now in session
• Since I don’t have any way to get in
“I say we take off, nuke the site from orbit. It's the only way to be sure.”
• Launch DDoS
Internet AdminSystems
$$$s
AAA SvrPublicNet
Employees
SiSi
Nuke’m!Nuke’m!
787878787878SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
2. Install Software toScan for, Compromiseand Infect Agents
HandlerSystems
ClientSystem
4. Client IssuesCommands toHandlers WhichControl Agentsin a Mass Attack
1. Scan for Systems to Hack
AgentSystems
3. Agents Get Loaded with Remote Control Attack Software
DDoS, How Does It Work?
797979797979SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Legitimate CustomerClient
Handler
Agents (25)
Handler
Agents (25)
Handler
Agents (25)
xInternet
Stacheldraht Attack
808080808080SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Legitimate CustomerClient
Handler
Agents (25)
Handler
Agents (25)
Handler
Agents (25)
Internet
[*] stacheldraht [*]
(c) in 1999 by ...
trying to connect...
connection established. -------------------------------------- enter the passphrase : sicken -------------------------------------- entering interactive session. ****************************** welcome to stacheldraht ****************************** type .help if you are lame
stacheldraht(status: a!1 d!0)>.micmp www.yourcompany.com
Stacheldraht Attack
818181818181SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Oh My Goodness!
• So that’s what DDoS does
• Research problem and call ISP
• Request that ISP implement CAR
• Reconsider edge architecture: Should we move our e-commerce elsewhere?
• Implement RFC 1918 and 2827 filtering
• Find and read SAFE White Paper plus attend SEC-213
Internet AdminSystems
$$$s
AAA SvrPublicNet
Employees
SiSi
Netgamesrus.comNetgamesrus.com
828282828282SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Traffic Matching
Specification
Traffic Matching
Specification
Traffic Measurement
Instrumentation
Traffic Measurement
Instrumentation
Action PolicyAction Policy
Next Policy
Excess Traffic
Conforming Traffic
Burst Limit
Tokens
Committed Access Rate
• Rate limiting
• Several ways to filter
• “Token bucket” implementation
838383838383SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
• Limit outbound ping to 256 Kbps
• Limit inbound TCP SYN packets to 8 Kbpsinterface xy rate-limit input access-group 103 8000 8000 8000
conform-action transmit exceed-action drop !access-list 103 deny tcp any host 142.142.42.1 establishedaccess-list 103 permit tcp any host 142.142.42.1
interface xy rate-limit output access-group 102 256000 8000 8000
conform-action transmit exceed-action drop !access-list 102 permit icmp any any echoaccess-list 102 permit icmp any any echo-reply
CAR Rate Limiting
848484848484SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
ISPNetwork
CustomerNetwork
Ingress to Internet
RFC 1918 Filtering
interface Serial n ip access-group 101 in!access-list 101 deny ip 10.0.0.0 0.255.255.255 anyaccess-list 101 deny ip 192.168.0.0 0.0.255.255 anyaccess-list 101 deny ip 172.16.0.0 0.15.255.255 anyaccess-list 101 permit ip any any
interface Serial n ip access-group 101 in!access-list 101 deny ip 10.0.0.0 0.255.255.255 anyaccess-list 101 deny ip 192.168.0.0 0.0.255.255 anyaccess-list 101 deny ip 172.16.0.0 0.15.255.255 anyaccess-list 101 permit ip any any
858585858585SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
ISPNetwork
CustomerNetwork:
142.142.0.0/16
RFC 2827 Filtering
• Ingress packets must be from customer addresses
interface Serial n ip access-group 120 in ip access-group 130 out!access-list 120 deny ip 142.142.0.0 0.0.255.255 anyaccess-list 120 permit ip any any!access-list 130 permit 142.142.0.0 0.0.255.255 anyaccess-list 130 deny ip any any
interface Serial n ip access-group 120 in ip access-group 130 out!access-list 120 deny ip 142.142.0.0 0.0.255.255 anyaccess-list 120 permit ip any any!access-list 130 permit 142.142.0.0 0.0.255.255 anyaccess-list 130 deny ip any any
Egress from Internet
• Egress packets cannot be from and to customer
• Ensure ingress packets are valid
Ingress to Internet
interface Serial n ip access-group 101 in!access-list 101 permit 142.142.0.0 0.0.255.255 anyaccess-list 101 deny ip any any
interface Serial n ip access-group 101 in!access-list 101 permit 142.142.0.0 0.0.255.255 anyaccess-list 101 deny ip any any
868686868686SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
ip cef distributed ! interface Serial n ip verify unicast reverse-path
Verify Unicast Reverse-Path
• Mitigates source address spoofing by checking that a packets’ return path uses the same interface it arrives on
• Best Implemented at your ISP
• Requires CEF
• Not appropriate where asymmetric paths exist
878787878787SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
SiSi
Attacker
Public Services
Internal Services
Internal Users
Customer
DDoS Agent
Service Provider Filtering
• Best in e-commerce environments
• DDoS mitigation
• Bandwidth optimization okokPorts:80443
Source: AttackerDestination: Public ServicesPort: 23(Telnet)
Source: AttackerDestination: Public ServicesPort: 23(Telnet)xx
Source: DDoS AgentDestination: Public ServicesPort: UDP Flood
Source: DDoS AgentDestination: Public ServicesPort: UDP Flood
x
888888888888SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Lessons Learned:n3T51ay3r vs. Netgamesrus.com
• Bind hack—mitigated by patches, NIDS, and HIDS
• New vulnerability—mitigated by HIDS or VERY good sysadmins
• Root kit—mitigated by HIDS
• Attack tool download—mitigated by outbound filtering on firewall
• IDS shun DoS—stick—no shunning on NIDS in front of FW
• CGI script vulnerability—mitigated by HIDS, good patch practices, code reviews, and NIDS
• War dialing—mitigated by one time passwords
• Internal jump host—mitigated by local private VLANs
• Dsniff/SMBRelay—mitigated by L2 security practices and L3 filtering
• LC3 password crack—assuming he gets the hashes somehow, its only a matter of time
• Internal mgmt access—mitigated by OOB and encrypted management
• BO2K—mitigated by host virus scanning, host IDS, NIDS, and private VLANs
• Internal smurf attack—mitigated by Private VLANs and L3 filtering, NIDS can detect
• NT IIS RDS vulnerability—mitigated by HIDS and good patch practices
• SQL clear text auth problem—mitigated by smart app developers
• DDoS—mitigated by CAR and RFC 2827 and 1918 filtering, NIDS can detect
898989898989SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
At the End of the Day
• n3t51ay3r:
Used several ISPs
Several favors
Lots of Mountain Dew
And lots of risk
• Netgamesrus.com:
Several admins and managers
$200K of gear & software
Countless patching, re-imaging, password refreshes
Downtime and unhappy customers
PR nightmare
909090909090SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Is There a Better Way?
• Comprehensive security architecture
Have a security policy
Technologies work together as a system
No single point of failure
Overwhelming defense (barriers, trip-wires, reactions)
• Skilled staff
Prudent deployment and tuning of products
Limit how much is learned the hard way
• Know the threat and your weaknesses
Track threat tools and security technologies
Proactive approach to mitigation
Audit posture regularly
• Cheaper to pay upfront than after the fact
Stay employed and in business!
919191919191SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Medium Business/Branch EdgeMedium Business/
Branch CampusSP Edge
SEC 213: Teaser
Campus Module
ISP Edge ModuleISP Edge Module
CorporateServers
CorporateUsers
Public Services
PSTN ModulePSTN Module Corporate Internet Module
PSTN
WAN ModuleFrame/ATM Mod.Frame/ATM Mod.
ManagementServer
ISP
FR/ATM
929292929292SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Other Sessions of Interest
• Deploying Secure Enterprise Networks—Part II—SEC-213
• Deploying and Managing Enterprise IPSec VPNs—SEC-210
• Understanding Secure Management of Network Devices—SEC-221
• Deploying and Managing Network-Based IDS—SEC-230
• Advanced Concepts in Security Threats—SEC-401
• Deploying Complex and Large-Scale IOS IPSec VPNs—SEC-214
939393939393SEC-2123084_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Further Reading
• http//www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safe_wp.htm
www.cisco.com/go/safe
www.cisco.com/go/security
www.cisco.com/go/evpn
www.cisco.com/go/securityassociates
• Networking Professionals Connection (forums.cisco.com)
• Improving Security on Cisco Routers
http://www.cisco.com/warp/public/707/21.html
• Essential IOS Features Every ISP Should Consider
http://www.cisco.com/warp/public/707/EssentialIOSfeatures_pdf.zip
• Increasing Security on IP Networks
http://www.cisco.com/cpress/cc/td/cpress/ccie/ndcs798/nd2016.htm
94© 2001, Cisco Systems, Inc. All rights reserved.
SEC-2123084_05_2001_c1