Posted on 20-Dec-2015
Hank Kluepfel, CPP, 01-973-543-7064
Sept 10-11, 2001 Workshop: Mitigating the Vulnerability of Critical Infrastructures to Catastrophic Failures
Security of Next Generation Networks: When Best Effort is not enough
My Background
• First case prosecuted under US Computer Crime Law
• First Defense-In-Depth Quality Program on Security Design and Management:
  • Assess Current Environments, e.g., multidiscipline audits
  • Close Known Holes, e.g., awareness, patches & reporting
  • Architect Security Into standards, requirements, systems & R&D
  • Deploy a network element border firewall
• First Information Sharing & Leadership
  • Domestic: NSTAC Network Security Panel, 1990
  • International: IEEE International Carnahan Conference Papers
• First to be sued in the line of duty, first to be dismissed for wrongful litigation
• Authored First SS7 (CCITT #7) Security Best Practice: ATIS Security Base Guideline for Interconnected SS7
• First to Chair an NRIC Focus Subgroup on Security
Traditional Threat Tree
Threat
• Unintentional
  • Natural: fires, floods, earthquakes, hurricanes, extreme heat, extreme cold
  • Errors, Omissions: software bugs, system overloads, hardware failures, poorly trained administrators, errors and accidents, uninformed, unmotivated and/or incompetent custodians
• Intentional
  • Outsider: Hacker/Phreaker, spy, fraudster, disgruntled former employee
  • Insider: dishonest or disgruntled employee, partner, outsource employee or contract employee
Exploitable Vulnerabilities: buffer overflows, insecure defaults
Telecom Incidents At A Glance:
• High Tech Telecom Hacks Linked to Organized Crime
• High Tech Theft
• Strong Arm Burglaries of Central Offices
• Burglary of Central Offices and Centers
• Sophisticated Theft of Services
• Unindicted Co-Conspirators Often On Payroll of Carriers
• Theft of Intellectual Property & Privacy
• Sophisticated Fraud through network manipulation
• Law Enforcement Operations Targeted
• Internet Economy Enabled Hacking
• Vulnerable Operations: if it isn't in the release and administration-neutral, it's not patched or managed
• Virtually every case found by accident or error
Decreasing Barriers to Intrusion: It just gets easier!
[Chart: Threat Skills & Knowledge and Tools & Techniques Sophistication, each on a High to Low scale, plotted over 1980, 1985, 1990, 1995, 2000. Tools and techniques shown:]
• password guessing
• self-replicating code
• password cracking
• exploiting known vulnerabilities
• disabling audits
• back doors
• hijacking sessions
• scanners/sweepers
• sniffers
• packet spoofing
• GUI automated probes
• denial of service
• SONET/SDH backbone attacks
• "stealth" / advanced scanning techniques
• burglaries
• network mgmt. diagnostics
• network element Trojans
• PAD to PAD
• Y2K enabled hacking
• Distributed denial of service / advanced virus / worm techniques
• Wireless Hack-in-a-box, e.g., AirSnort aimed at WEP/802.11b (http://www.wired.com/news/print/0,1294,46187,00.html)
Sources: CERT® Coordination Center; Network Reliability and Interoperability Council
Baseline Reference: Telecommunications Risk Assessment, NSTAC, June '99
Cross Elastic Converged Network attacks:
[Diagram of a distributed attack chain with these nodes:]
• Use worm to gain control of 10^4 - 10^6 zombies
• Zombies (20-90 K observed during Code Red)
• Reflectors
• Anonymizer
• Thousands of targets
Source: Stuart Staniford, O. Sami Saydjari & Ken Williams
Code Red Worm
• Affecting IIS web server software and propagating to other selected IP addresses through Port 80 (http) connectivity
• Evolution and impact of worm inevitable:
  – Exploit trust relationships
  – Multiple Operating Systems
  – Code posted on the Internet by White hat hackers
  – Now targeting local hosts first, causing network congestion
  – More hidden elements, e.g., backdoor Trojan Horse for POST IIS
• Patch Access; Relevance to NGN:
  – At least three major providers of NGN products impacted
  – Access and management systems impacted
  – Other NGN aspects (e.g., Network OAM&P) ripe for potential exploitation
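An added example of the detection side of the slide above (not code from the slides): a small scanner that flags Code Red-style requests in a web server's port 80 access log. The request shape it matches, a GET to the .ida ISAPI extension whose query string starts with a long run of one repeated letter, is taken from the public CERT advisory on the worm, not from these slides; the log lines, addresses and function names are constructed for the example.

```python
"""Flag Code Red-style requests in web server access logs.

Added example for this page, not from the slides. The request shape it looks
for (a GET to the .ida ISAPI extension carrying an overlong query made of one
repeated letter, the filler of the buffer-overflow request the worm sent over
port 80) follows the public CERT advisory on the worm; the log lines below
are constructed samples in Common Log Format.
"""
import re
from collections import Counter

# Common Log Format: host ident user [time] "method uri proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)

def is_code_red_like(uri, min_run=100):
    """True when the URI targets a .ida handler and its query string starts
    with at least `min_run` copies of the same letter (the worm's filler)."""
    path, _, query = uri.partition("?")
    if not path.lower().endswith(".ida"):
        return False
    # one letter, then at least min_run-1 back-references to that same letter
    return re.match(r"([A-Za-z])\1{%d,}" % (min_run - 1), query) is not None

def scan_log(lines):
    """Return (source ip, timestamp) for every suspicious request; lines that
    do not parse are skipped rather than trusted."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_code_red_like(m["uri"]):
            hits.append((m["ip"], m["ts"]))
    return hits

def sources_by_hits(hits):
    """Count suspicious requests per source address, most active first."""
    return Counter(ip for ip, _ in hits).most_common()

# Constructed sample log: one normal request, one worm-shaped request, one
# harmless .ida request with a short query.
SAMPLE_LOG = [
    '198.51.100.10 - - [19/Jul/2001:09:58:44 -0400] "GET /index.html HTTP/1.1" 200 1832',
    '192.0.2.77 - - [19/Jul/2001:10:00:01 -0400] "GET /default.ida?' + "N" * 224
    + '%u9090 HTTP/1.0" 200 -',
    '198.51.100.10 - - [19/Jul/2001:10:03:12 -0400] "GET /default.ida?short HTTP/1.1" 404 -',
]

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for ip, n in sources_by_hits(hits):
        print(f"{ip}: {n} Code Red-style request(s)")
```

The .ida check on its own would flag the harmless third line, and a length check on its own would flag long but legitimate query strings; requiring both the handler and the repeated-letter filler is what keeps the rule specific enough to act on. A source that shows up in `sources_by_hits` is a host that is already infected and scanning, which is the "local hosts first" congestion the slide describes.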
Network Convergence Dream: Merging the Voice and Data Worlds
Voice world (circuit):
• Circuit Switching
• TDM transport
• High reliability (Five 9's)
• Limited programmability
• Time sensitive billing
• Slow service set-up
• Dumb phones
• Telephony services
• IN Services
Data world (packet):
• Packet Switching
• Intelligence at "edge"
• Lower reliability & security
• Innovation in PC and enterprise applications
• Flat rate or bandwidth pricing
• Hard to achieve quality
• Smart PCs
Converged network:
• Single infrastructure
• Packet Switching
• Intelligence distributed/collaborative
• Best Effort reliability, security & QoS
• Innovative business to business applications
• High value service bundles
• Steep learning curve on security
Telcordia's Call Agent Architecture
[Diagram components: Call Agent with Service Execution and Service Definition; Customer API with TelCo Service Applets (Service Definition, Billing, Provisioning; GUI, JAVA); Announcement Servers (MGCP); SS7 Gateway (TCAP/SS7, ISUP/SS7) to the Public Signaling Network; ISCP; Customer Care & Billing; Network OSSs; MGCP to a Trunking Gateway and a Residential Hub; Backbone Network (Voice/IP/ATM, SONET/SDH) towards the PSTN; Call Agent Exchange Link; HFC/ADSL/WLL access carrying Voice/IP.]
Lucent Technologies: Open Service Creation & Internetworking
[Diagram components: PacketStar IP Services Platform with Call Coordinator, Directory Coordinator, Service Provider Servlet and User Feature Applet; Device Servers (H.323v1 Device Server, H.323V2 Device Server, SS7 Device Server, SS7 Gateway); gateways and switches: Lucent Gateway 1000™, Cisco 5300™, Ascend MAX6000™, Lucent PacketVoice Gateway, Lucent 5ESS; IP Databases and PSTN Databases.]
[Diagram: two identical platform stacks joined by Interconnecting Networks, each a User Interface device/system on Hardware Platforms running, bottom to top: Network Connectivity; Protocols: TCP/IP, TL1; File Systems, DBMS; OS, Sys. Lib., Drivers; Middleware; Appl 1, Appl 2 ... Appl n, each with functions F1 ... Fn.]
Security issues are suspect at every layer of the infrastructure ...
Common Problems: Vulnerabilities & Errors
• Policies and standards driven by known exploits rather than integral with evolving technology and services
• Unencrypted Login Sessions over vulnerable networking coupled with Reusable Passwords
• Poor access controls
• Search for Holes in Protocols
• Outdated Physical Security
• Uncontrolled networking
• Inadequate documentation
• Insecure System Defaults
• Weak Auditing & Reporting
[Diagram label: Critical Infrastructure Resources]
Network Convergence Nightmare: VoIP Service Attacks demonstrated
• Denial of service through buffer overflows against IP phones and gatekeepers (root cause: relevant standards are ill-defined on security policy and expected behavior)
• Modifying user registration to re-direct calls
• Unauthorized monitoring of RTP call flows
• Man-in-the-Middle (H.323) proxy modification of signaling & content
• Brute force account password attacks on management interfaces
• Local network sniffing of account passwords and software updates (configuration and feature changes)
Source: Utz Roedig paper, Darmstadt University of Technology, http://www.aravox.com/literature/aravox_security_analysis_ip_telephony.pdf
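An added example of how an operator could watch for two of the demonstrated attacks above, registration re-direction and brute-force password guessing on a management interface (example code, not from the slides or the Roedig paper). The event record, the address values and the thresholds are constructed; building such events from SIP REGISTER or H.323 RAS gatekeeper logs is an assumption about the deployment.

```python
"""Watch registration and management-login events for two attack patterns:
a user's registration being re-pointed so that calls are re-directed, and
brute-force password guessing against a management or registration interface.

Added example, not from the slides or from the Roedig paper they cite. The
event record is a constructed, protocol-neutral shape; a real deployment would
build it from SIP REGISTER or H.323 RAS (gatekeeper) logs, which is an
assumption about how the feed is produced.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass
class AuthEvent:
    ts: int          # seconds since an arbitrary epoch
    user: str        # account or phone identity
    src_ip: str      # address the request came from
    contact: str     # where calls for `user` are now routed ("" for logins)
    ok: bool         # authentication accepted

class RegistrationMonitor:
    """Stateful detector: learns each user's normal source addresses from
    successful registrations and counts failures per source in a window."""

    def __init__(self, fail_threshold=5, window_s=60):
        self.fail_threshold = fail_threshold
        self.window_s = window_s
        self.seen_from = defaultdict(set)   # user -> sources that registered successfully
        self.contact = {}                   # user -> current contact
        self.failures = defaultdict(deque)  # src_ip -> recent failure timestamps
        self.alerts = []

    def feed(self, ev):
        if not ev.ok:
            self._note_failure(ev)
            return
        prev = self.contact.get(ev.user)
        # A contact change is normal when it comes from a source that has
        # registered this user before; from a never-seen source it is the
        # re-direction pattern.
        if prev is not None and ev.contact != prev and ev.src_ip not in self.seen_from[ev.user]:
            self.alerts.append(("redirect", ev.user, prev, ev.contact, ev.src_ip))
        self.contact[ev.user] = ev.contact
        self.seen_from[ev.user].add(ev.src_ip)

    def _note_failure(self, ev):
        q = self.failures[ev.src_ip]
        q.append(ev.ts)
        while q and ev.ts - q[0] > self.window_s:   # slide the window forward
            q.popleft()
        if len(q) == self.fail_threshold:            # alert once on crossing
            self.alerts.append(("brute_force", ev.src_ip, ev.user))

def detect(events, **kw):
    """Replay events in time order and return the alerts raised."""
    mon = RegistrationMonitor(**kw)
    for ev in sorted(events, key=lambda e: e.ts):
        mon.feed(ev)
    return mon.alerts

# Constructed sample: alice registers normally, then her registration is
# re-pointed from an unfamiliar address; one source hammers the admin login;
# bob mistypes his password four times over five minutes.
SAMPLE_EVENTS = [
    AuthEvent(0,   "alice", "10.0.0.5",     "sip:alice@10.0.0.5",    True),
    AuthEvent(30,  "alice", "10.0.0.5",     "sip:alice@10.0.0.5",    True),
    AuthEvent(100, "alice", "203.0.113.9",  "sip:alice@203.0.113.9", True),
    AuthEvent(40,  "admin", "198.51.100.4", "", False),
    AuthEvent(41,  "admin", "198.51.100.4", "", False),
    AuthEvent(42,  "admin", "198.51.100.4", "", False),
    AuthEvent(43,  "admin", "198.51.100.4", "", False),
    AuthEvent(44,  "admin", "198.51.100.4", "", False),
    AuthEvent(0,   "bob",   "10.0.0.8", "", False),
    AuthEvent(100, "bob",   "10.0.0.8", "", False),
    AuthEvent(200, "bob",   "10.0.0.8", "", False),
    AuthEvent(300, "bob",   "10.0.0.8", "", False),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The redirect rule deliberately keys on the source address rather than on the contact alone, because a phone that moves between two addresses it has used before is ordinary re-registration, while a contact change issued from a source that has never registered that user is exactly the re-direction the slide lists. The sliding failure window catches the brute-force case without flagging the slow trickle of a user mistyping a password.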
Today's Business Case for Security
[Diagram nodes: Vision/Strategy; Board of Directors; Senior Management; Security Program; Assets; Risk Analysis; Business Case; Incidents/Accidents; Security Requirements; Vulnerability Analysis; Security Investments; Investment Requests.]
Motivations:
• Shareholder/Stake-holder Value Added
• Capital Markets Perception
• Regulations/Ordinances
• Securities Rules and Regulations Compliance
• Assurance/Insurance
• Competitive Advantage
• Intangibles
• Media
Organizational Response: Prevention/Mitigation
Source: www.ncs.gov (off line due to CODE RED WORM)
Factors influencing platform selections by Service Providers
• Assure security in the initial architecture
• Stick with standards and avoid proprietary security algorithms
• Focus on Authentication, Authorization, Accounting
• Protect SS7 to IP interconnects
• Invite customers to test security of beta products
• Set defaults to 'secure' on new elements
Source: Verizon paper, Converged Networks & Security; NSTAC R&D Exchange, Telecommunications and Information Security Workshop 2000
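An added example tying the "Common Problems" list (unencrypted login sessions, reusable passwords, insecure system defaults, weak auditing) to the guidance above to set defaults to 'secure' on new elements: a small audit that reads a network element's management configuration and reports each weak setting, shown against a factory-default export and a hardened one (example code, not from the slides or the Verizon paper). The key=value format, the key names and the default-credential list are constructed for the example.

```python
"""Audit a network element's management configuration for the common problems
listed on this page (unencrypted login sessions, reusable passwords, insecure
system defaults, weak auditing) and for defaults left at the factory setting.

Added example, not from the slides or the Verizon paper they cite. The
key=value configuration format, the key names and the list of factory
credentials are all constructed for the example; a real audit would read the
element's own configuration export. Absent keys are treated as the insecure
factory default, since that is what an unconfigured element ships with.
"""

# Constructed list of factory credentials that must not survive deployment.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", ""), ("tl1", "tl1")}

def parse_config(text):
    """Parse 'key=value' lines; '#' starts a comment, blank lines are ignored."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg

def audit(cfg):
    """Return (finding id, what to change) for every weak setting found."""
    findings = []
    if cfg.get("mgmt.telnet", "on") == "on":
        findings.append(("cleartext-login", "telnet sends logins and passwords in the clear; disable it"))
    if cfg.get("mgmt.ssh", "off") != "on":
        findings.append(("no-encrypted-login", "enable SSH so management sessions are encrypted"))
    if cfg.get("snmp.community", "public") in ("public", "private"):
        findings.append(("snmp-default-community", "replace the default SNMP community string"))
    if cfg.get("audit.log", "off") != "on":
        findings.append(("audit-off", "enable audit logging and forward it for review"))
    if int(cfg.get("auth.min_password_len", "0")) < 8:
        findings.append(("weak-password-policy", "require at least 8-character passwords"))
    if cfg.get("auth.one_time_password", "off") != "on":
        findings.append(("reusable-passwords", "use one-time/token authentication for remote access"))
    for key, value in cfg.items():
        parts = key.split(".")
        if len(parts) == 3 and parts[0] == "users" and parts[2] == "password":
            if (parts[1], value) in DEFAULT_CREDENTIALS:
                findings.append((f"default-credential:{parts[1]}",
                                 "change the factory password for this account"))
    return findings

# Constructed: an element as it might leave the factory.
WEAK_CONFIG = """
mgmt.telnet=on
mgmt.ssh=off
snmp.community=public
audit.log=off
auth.min_password_len=6
auth.one_time_password=off
users.admin.password=admin
users.tl1.password=tl1
"""

# Constructed: the same element with defaults set to 'secure'.
HARDENED_CONFIG = """
mgmt.telnet=off
mgmt.ssh=on
snmp.community=r7Kq-example-community   # placeholder, not a real value
audit.log=on
auth.min_password_len=12
auth.one_time_password=on
users.admin.password=operator-set-placeholder
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(parse_config(text))
        print(f"{name}: {len(findings)} finding(s)")
        for fid, fix in findings:
            print(f"  {fid}: {fix}")
```

Treating a missing key as the insecure value is the point of the example: a checker that assumes the safe setting when nothing is configured would pass exactly the unconfigured element the slide warns about. Each finding carries the corrective change so the output doubles as the hardening checklist for that element.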
Related Security Standards and Best Practices Fora
• Secure Tunneling, e.g., IPSec
• PacketCable security specification
• Common Criteria switch profile
• ITU H.235
• SNMP security
• ATM Forum security specification
• T1S1 SS7 security standard based on the Generic Upper Layer Security (GULS) functions described in 'Information Technology - Open Systems Interconnection Upper Layers Security Model', ISO/IEC IS 10745, June 1993
• IETF efforts on control protocols (e.g., SIP)
• Network Reliability and Interoperability Council (NRIC) V
• Others: candidates that we might help develop?
Targeting Interoperability and Quality
• Use of security standards that can address GW-GW, inter-system and end-to-end interactions
• Address signaling security, NGN and PSTN interface
• Use security tunneling designed for IPv4 & IPv6
• Adopt ATM Forum security specification that addresses multiple planes
• Support intersystem negotiation of security parameters
• Leverage common security services and supporting infrastructure (e.g., Directories, DNS)
• Extending security baseline requirements defined for PSTN, e.g., Telcordia GR-815 Update (Available for Comment)
• Leveraging industry best practices, e.g., IPSec / VPNs
• Adopting common Internet firewall approach
• Use industry best practices & interoperability testing
Security of Telecom Network Elements: Current GR-815-CORE
• First Published in 1989, updated in 1997
• Procurements Specified by RBOCs and other LECs
• Accepted as "de facto standard" for Telecom NEs by all major suppliers and service operators
• From ~20% to Over ~95% compliance '90-'95
• Model for NIST Common Criteria Telecom Switching Profile
• Model for ATIS SS7 Base Security Guideline
Summary & Commentary
Next Generation Networks:
– More open and connected
– More complex, distributed
– More Interdependencies
– Growing Vulnerabilities
– Increasing standards of Due Care
– Increased focus on standards
– Less interoperable solutions apparent
– Great need for consensus on standards and best practices
An excellent opportunity for CIP
Source: Mike Thompson, Detroit Free Press
Questions: Hank Kluepfel, CPP, 01-973-543-7064