Mapping the Internet and intranets

Steve BraniganHal Burch

Bill Cheswick

Bell Labs, Lucent Tech.

Motivations

• Work on DOS anonymous packet trace back - Internet tomography.

• Highlands “day after” scenario• Curiosity about size and growth of

the Internet• Same tools are useful for

understanding any large network, including intranets

The Project• Long term reliable

collection of Internet and Lucent connectivity information– without annoying too

many people

• Attempt some simple visualizations of the data

– movie of Internet growth!

• Develop tools to probe intranets

• Extended database for researchers

Uses for the Internet data

• topography studies• long-term routing studies• publicly available database (“open

source”) for spooks• interesting database for graph

theorists• combine with other mappers to make

an actual map of the Internet

Uses for intranet data

• Map “inside” the security perimeter• Take a census of Lucent hosts• Discover hosts that have

unauthorized access to both the intranet and the Internet– illegal connections– miss-configured firewalls– maybe miss-configured telecommuters

Network scanning

• Custom program• Concurrently scans towards 500

nets at once• Throttled to 100 packets/sec: can

do much faster• Slow daily scan for host on

destination network

Limitations

• My view of the Internet, not yours– radical shifts when our ISP situation

changes

• Outgoing paths only• Takes a while to collect alternating

paths• Gentle mapping means missed

endpoints– good v. evil

Data collection complaints

• Australian parliament was the first to complain

• List of whiners (25 nets)• Military noticed immediately

– Steve Northcutt– arrangements/warnings to DISA and

CERT

Visualization goals

• make a map– show interesting features– debug our database and collection

methods– hard to fold up

• geography doesn’t matter• use colors to show further meaning

Early layouts

• Interesting art• tantalizing edges• interior shows ISPs (colored by IP

address!)• can’t trace routes• can’t even find the probe host

When data is inconvenient, throw some

away• minimum distance spanning tree• connectivity, not actual paths• we get more information out of it• add other paths to show further

information

What kind of maps canwe make?

Current map coloring

• distance from test host• IP address

– shows communities

• Geographical (by TLD)• ISPs• future

– timing, firewalls, LSRR blocks

By ISP

By top level domain

Yugoslavia

Serbia and Bosnia

Results - Internet database

• 100,000 of the world’s most important routers

• >150 routes to one destination!• Yugoslavia bombing of power

infrastructure is apparent• Offers for other scan points

– how to pick them?

05 October, 1998 23

0

2000

4000

6000

8000

10000

12000

Number of paths to a target

Distribution of path lengths

0

1000

2000

3000

4000

5000

6000

7000

8000

Path length

Num

ber

of

nets

Reached Not reached

Recipe for good intranet security

• Know what you have.• Then secure it.

Some basic questions…

• How large is the network address space for your network?

• How many system are actually active on the network?

• How much does the network change?

What is an intranet

• any network too large to control• hosts residing inside a firewall

perimeter• business partner connections• corporate hosts outside of the

firewall• DMZs

Intranet mapping work

• Apply the technology of Internet mapping to the intranet

• See how far the network reaches.• Surprises?

Firewall bypass case #1

Burouter

Corp.Firewall

Internet

Intranet

ISP AISP B

Our host census attempt

• 266,000 hosts• complaints from business partners!

Multi-home hosts

• hosts having multiple network connections

• dangerous when one is connected to the intranet, and the other is connected to the Internet

Firewall bypass case #2

Specialsystem

Corp.Firewall

Internet

Intranet

Hard to find today.

• Vulnerability scanners are not finding these vulnerabilities.

New products

• list of web servers• list of mail servers

Results: New Products!

• Route rationalization (“routerat”)– discover network routes (user

supplied?)– run frequently

More new products!

• Topology scan: traceroute scan information and analysis

• Host census• Scan for perimeter violations.

– spoofed through inside to outside– spoofed outside through inside

New Products

• List of web and mail servers• Detect route squatters• Networks susceptible to broadcast

storms• Find unauthorized firewalls and

internet connections• Miss-configured telecommuting and

branch office hosts.

New Products

• Private address space use• Connections with business

partners• Due diligence tool for joint

ventures, mergers, divestitures, etc.

Walking the perimeter

• There is a large potential market for this

• New tool to gain some control over an extensive network

• Fits with a number of companies’ product lines

• new Lucent venture

How we scan

• Via dialup, using RAS servers• Secure tunnel, if you prefer

– IP/SEC– PPTP– others?

Auditing Firewall Rules

a

b

d

allow web to aallow web to b

allow web to d

Over time, systems change but firewall rules may not...

Oops! Legacy rules can create today’s security holes.

Internet

c

allow web to callow web to c

allow mail to c

c

How Firewall Auditor Works

Input

Analysis

Output

Intranet definition ++ Query list of services

Query: Internet-> Inside : http

Internet -> ecnes01 (ecnes01.inet.lucent.com) : http [Rule: 2 ]Internet -> ecnes02 (ecnes02.inet.lucent.com) : http [Rule: 4 ]bcs-test (sapient2-bh.sapient.com) -> galileo (oh0012espweb1.inet.lucent.com) : http [Rule: 7 ]bcs-test (sapient2-bh.sapient.com) -> voyager (voyager.inet.lucent.com) : http [Rule: 9 ]

nameif ethernet0 outside security0nameif ethernet1 inside security100hostname pix1fixup protocol ftp 21fixup protocol http 80nat (inside) 0 0 0static (inside, outside) 135.104.45.176 135.104.45.176 netmask 255.255.255.240 outbound 1 deny 0 0apply (inside) 1 outgoing_dest: RULE : OUT PASS http mh zeroconduit permit tcp host 135.104.45.180 eq 80 135.104.0.0 255.255.224.0 conduit permit tcp host 135.104.45.180 eq 80 135.104.32.0 255.255.248.0

Sample firewall rules

What service traffic from the Internet can get through the firewall rules to which intranet addresses?