Clear and Present Dangers.


Description
Clear and Present Dangers. Bill Cheswick, Lumeta Corp., ches@lumeta.com. Perimeter leaks; poor host security. Mapping the Internet and Intranets. Bill Cheswick, ches@lumeta.com, http://www.cheswick.com. Intranets are wild; always have been.
Transcripts
Slide 2

Clear and Present Dangers. Bill Cheswick, Lumeta Corp. ches@lumeta.com

Slide 3

Clear and Present Dangers: Perimeter leaks; Poor host security

Slide 4

Mapping the Internet and Intranets. Bill Cheswick, ches@lumeta.com, http://www.cheswick.com

Slide 5

Motivations: Intranets are wild; always have been. Highlands "day after" scenario. Panix DOS attacks: a way to trace anonymous packets back! Internet tomography: curiosity about the size and growth of the Internet. The same tools are useful for viewing any large network, including intranets.

Slide 6

Related Work: See Martin Dodge's cybergeography page; MIDS - John Quarterman; CAIDA - kc claffy; Mercator; "Measuring ISP topologies with Rocketfuel" - 2002, Spring, Mahajan, Wetherall; Enter "internet map" in your search engine.

Slide 7

The Goals: Long-term, reliable collection of Internet and Lucent network data without annoying too many people. Try some simple visualizations of the data; a movie of Internet growth! Develop tools to probe intranets. Probe the far corners of the Internet.

Slide 8

Methods - data collection: Single reliable host connected at the corporate perimeter. Daily full scan of Lucent. Daily partial scan of the Internet, monthly full scan. One line of text per network scanned. Unix tools.

Slide 9

Methods - network scanning: Obtain a master network list: network lists from Merit, RIPE, APNIC, etc.; BGP data or routing data from customers; hand-collected list for Yugoslavia/Bosnia. Run a traceroute-style scan towards each network. Stop on error, completion, or no data. Keep the natives happy.

Slide 10

TTL probes: Used by traceroute and other tools. Probes toward each target network with increasing TTL. Probes are ICMP, UDP, TCP to port 80, 25, 139, etc. Some people block UDP, others ICMP.

Slide 11

TTL probes (diagram: client and server protocol stacks, with routers at hops 1 through 4 between them)

Slide 12

Send a packet with a TTL of 1…

Slide 13

…and we get the death notice (ICMP Time Exceeded) from the first hop

Slide 14

Send a packet with a TTL of 2…

Slide 15

… and so on …

Slide 16

Advantages: We don't need access (i.e. SNMP) to the routers. It's fast. Standard Internet tool: it doesn't break things. Negligible load on the routers. Not likely to show up on IDS reports. We can probe with many packet types.

Slide 17

Limitations: Outgoing paths only. Layer 3 (IP) only. ATM networks appear as a single node; this distorts graphical analysis. Not all routers respond. Many routers are limited to one response per second.

Slide 18

Limitations: View is from the scanning host only. Takes a while to collect alternating paths. Gentle mapping means missed endpoints. Imputes non-existent links.

Slide 19

The data can go either way (diagram: nodes A, B, C, D, E, F)

Slide 20

The data can go either way (diagram: nodes A, B, C, D, E, F)

Slide 21

But our probe packets only go one way

Slide 22

We record the hop…

Slide 23

The next probe happens to go the other way

Slide 24

…and we record the other hop…

Slide 25

We've imputed a link that doesn't exist
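The two mechanisms of slides 10 through 25, TTL probing and the false link it can impute, in one simulation. This is an added example, not code from the talk or from Lumeta: the topology (a load balancer at A that hashes each flow onto either B-D or C-E), the silent router E, and the flow-id policies are constructed. The fix shown at the end, holding the flow identifier constant across probes (the idea later formalized as Paris traceroute), is also an added note, not something on the slides.

```python
"""Simulated TTL probing (traceroute-style) against a small network with a
per-flow load balancer, showing how alternating paths impute a false link.
Added example: topology, silent hop and hashing rule are all constructed."""

# Constructed topology. Packets from A to F take either A-B-D-F or A-C-E-F,
# chosen by a load balancer at A from the flow identifier (a real router
# would hash src/dst addresses and ports). E never sends ICMP Time Exceeded.
PATHS = {0: ["A", "B", "D", "F"], 1: ["A", "C", "E", "F"]}
SILENT = {"E"}
TARGET = "F"


def route(flow_id):
    """Per-flow load balancing: the same flow id always takes the same path."""
    return PATHS[flow_id % 2]


def ttl_probe(flow_id, ttl):
    """One probe with the given TTL. Returns the router whose decrement took
    the TTL to 0 (its ICMP Time Exceeded), TARGET once the probe reaches the
    destination, or None when the expiring hop is silent ('*' in traceroute)."""
    path = route(flow_id)                  # path[0] is the source A itself
    if ttl >= len(path) - 1:
        return TARGET
    hop = path[ttl]
    return None if hop in SILENT else hop


def traceroute(flow_policy, max_ttl=8):
    """Probe with increasing TTL until the target answers. flow_policy(ttl)
    yields the flow id for that probe: classic UDP traceroute bumps the
    destination port per probe, so consecutive probes may be hashed apart."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        reply = ttl_probe(flow_policy(ttl), ttl)
        hops.append(reply)
        if reply == TARGET:
            break
    return hops


def links_from_hops(hops, source="A"):
    """Infer links as (previous responder, this responder). A silent hop
    breaks the chain so we do not join across an unknown router."""
    links, prev = set(), source
    for hop in hops:
        if hop is None:
            prev = None
            continue
        if prev is not None:
            links.add((prev, hop))
        prev = hop
    return links


def real_links():
    return {(p[i], p[i + 1]) for p in PATHS.values() for i in range(len(p) - 1)}


def imputed_false_links(links):
    """Recorded links that exist in no real path: the slide-25 artifact."""
    return links - real_links()


if __name__ == "__main__":
    classic = traceroute(lambda ttl: ttl)        # new flow id every probe
    print("classic hops:", classic, "false:", imputed_false_links(links_from_hops(classic)))
    pinned = traceroute(lambda ttl: 0)           # flow id held constant
    print("pinned hops: ", pinned, "false:", imputed_false_links(links_from_hops(pinned)))
    print("silent path: ", traceroute(lambda ttl: 1))
```

With a fresh flow id per probe the TTL=1 probe is answered by C and the TTL=2 probe by D, so the scan records a C-D link that no packet ever traversed; pinning the flow id gives a consistent path. The third run shows the other limitation from slide 17: a router that does not respond leaves a hole, and the code deliberately refuses to bridge it.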

Slide 26

Data collection complaints: Australian parliament was the first to complain. List of complainers (25 nets). Military noticed immediately. Steve Northcutt: arrangements/notices to DISA and CERT. These complaints are mostly a thing of the past; Internet background radiation prevails.

Slide 27

Visualization goals: make a map; show interesting features; debug our database and collection methods; hard to fold up; geography doesn't matter; use colors to show further information.

Slide 30

Infovis state of the art in 1998: 800 nodes was a huge graph. We had 100,000 nodes. Use spring-force simulation with lots of empirical tweaks. Each layout took 20 hours of Pentium time.

Slide 32

Visualization of the layout algorithm: laying out the Internet graph

Slide 34

Visualization of the layout algorithm: laying out an intranet

Slide 36

A simplified map: Minimum distance spanning tree uses 80% of the data. Much easier visualization. Most of the links are still valid. Redundancy is in the core.
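How the simplified map is built: a breadth-first search from the scanning host keeps, for every node, the link through which it was first reached, so the result is a spanning tree of minimum hop distance. This is an added example, not the talk's code; the link list is a constructed toy topology with a meshed core near the scanning host S and tree-like edge networks, chosen so the dropped links fall where slide 36 says they do.

```python
"""Minimum-distance (BFS) spanning tree of a probed topology, rooted at the
scanning host, with the share of links the tree keeps and the depth of each
link it drops. Added example on a constructed graph."""
from collections import deque

# Constructed link list. S is the scanning host; R1..R4 form a meshed core;
# E1..E4 are edge networks reached through single links.
LINKS = [
    ("S", "R1"), ("S", "R2"),
    ("R1", "R2"), ("R1", "R3"), ("R2", "R3"), ("R2", "R4"), ("R3", "R4"),
    ("R3", "E1"), ("R3", "E2"), ("R4", "E3"), ("E3", "E4"),
]


def adjacency(links):
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def spanning_tree(links, root):
    """BFS from root. Each node records the link that first reached it, so
    every tree path is a shortest path in hops from the scanning host.
    Returns (set of tree links as frozensets, hop depth of every node)."""
    adj = adjacency(links)
    depth = {root: 0}
    tree = set()
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for nxt in sorted(adj[node]):           # sorted for a deterministic tie-break
            if nxt not in depth:
                depth[nxt] = depth[node] + 1
                tree.add(frozenset((node, nxt)))
                queue.append(nxt)
    return tree, depth


def simplify(links, root):
    """Summarize what the tree keeps and where the redundancy lives: each
    dropped link is reported at the depth of its end nearer the root."""
    tree, depth = spanning_tree(links, root)
    dropped = [frozenset(link) for link in links if frozenset(link) not in tree]
    return {
        "tree_fraction": len(tree) / len(links),
        "redundant_links": sorted(sorted(link) for link in dropped),
        "redundant_link_depths": sorted(min(depth[n] for n in link) for link in dropped),
        "max_depth": max(depth.values()),
    }


if __name__ == "__main__":
    summary = simplify(LINKS, "S")
    print(f"tree keeps {summary['tree_fraction']:.0%} of links")
    print("dropped (redundant) links:", summary["redundant_links"])
    print("at depths:", summary["redundant_link_depths"], "of", summary["max_depth"])
```

On this graph the tree keeps 8 of 11 links, and all three dropped links sit at depth 1 or 2 of a 4-hop-deep map: the redundancy is in the core, while the edge networks, which are trees already, are rendered exactly.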

Slide 37

Colored by AS number

Slide 38

Map Coloring: distance from probe host; IP address shows communities; geographical (by TLD); ISPs; future: timing, firewalls, LSRR blocks.

Slide 39

Colored by IP address!

Slide 40

Colored by geography

Slide 41

Colored by ISP

Slide 42

Colored by distance from scanning host

Slide 43

US military reached by ICMP ping

Slide 44

US military networks reached by UDP

Slide 47

Yugoslavia: an unclassified peek at another battlefield

Slide 49

A standard film: Steve "Hollywood" Branigan...

Slide 51

balance

Slide 52

Routers in New York City lacking generator fuel

Slide 53

Intranets

Slide 54

We partition our networks to get out of the game. Companies, governments, agencies, even families hide in enclaves to limit access to authorized services. These are called intranets. The decentralized, cloud-like nature of internets makes them hard to manage at a central point. My company explores the extent of intranets and their interconnections with other networks.

Slide 55

Intranets: the rest of the Internet

Slide 61

This was Supposed To be a VPN

Slide 64

Anything large enough to be called an "intranet" is wild

Slide 65

Case studies: corp. networks. Some intranet statistics

Slide 66

Leak Detection: A sends a packet to B, with a spoofed return address of D. If B can, it will reply to D with a response, possibly through a different interface. (Diagram: test host A and mapping host D on the Internet; hosts B and C on the intranet.)

Slide 67

Leak Detection: The packet must be crafted so the response won't be allowed through the firewall. A variety of packet types and responses are used. Either the inside or the outside address may be discovered. The packet is labeled so we know where it came from.
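The leak-detection procedure of slides 66 and 67, simulated end to end: test host A sends probes whose source address is spoofed to mapping host D, each probe carries a label in a field the target echoes back, and D attributes whatever arrives to the host and packet type that provoked it. This is an added example, not Lumeta's code: the intranet inventory, the addresses (RFC 5737 documentation ranges), the per-host egress rules and the label encoding are all constructed. The point it models is the one on slide 67: a stateful firewall drops an unsolicited reply to an outside address, so any reply that does reach D came out some other way.

```python
"""Simulated intranet leak detection with spoofed-source, labelled probes.
Added example: hosts, addresses, egress rules and label layout are constructed."""

TEST_HOST, MAPPING_HOST = "198.51.100.10", "198.51.100.20"   # A and D, outside
NAT_POOL = "203.0.113.7"       # constructed outside address used by a leak behind NAT

# Constructed inventory of intranet hosts. 'egress' is the route the host's
# reply to D takes: 'fw' is the managed stateful firewall, 'leak' an unmanaged
# link that forwards the inside address as-is, 'leak-nat' an unmanaged link
# that translates to NAT_POOL. 'answers' lists the probe types the host
# responds to at all (some hosts drop ICMP, others drop UDP).
INTRANET = {
    "B": {"ip": "10.1.2.3", "egress": "leak", "answers": {"icmp-echo", "tcp-syn-80"}},
    "C": {"ip": "10.1.2.4", "egress": "fw", "answers": {"icmp-echo"}},
    "E": {"ip": "10.1.9.9", "egress": "leak", "answers": set()},        # leaks, but silent
    "G": {"ip": "10.1.5.5", "egress": "leak-nat", "answers": {"udp-33434"}},
}
PROBE_TYPES = {0: "icmp-echo", 1: "udp-33434", 2: "tcp-syn-80"}


def make_label(target_idx, probe_type):
    """Pack (target index, probe type) into a 16-bit value carried in a field
    the target echoes back: ICMP echo id, the UDP port quoted in the ICMP
    error, or the TCP sequence number returned as the ack. D decodes it to
    learn which probe produced the reply even if the source was translated."""
    assert 0 <= target_idx < 2 ** 12 and 0 <= probe_type < 2 ** 4
    return (target_idx << 4) | probe_type


def parse_label(label):
    return label >> 4, label & 0xF


def send_probe(target_name, probe_type, targets=INTRANET):
    """A sends one probe (src=D) to the target. Returns the reply as D sees
    it, or None: no answer for that probe type, or the reply was dropped by
    the stateful firewall because D never opened a flow to the target."""
    names = sorted(targets)
    host = targets[target_name]
    label = make_label(names.index(target_name), probe_type)
    if PROBE_TYPES[probe_type] not in host["answers"]:
        return None
    if host["egress"] == "fw":
        return None                                  # unsolicited: dropped
    src = NAT_POOL if host["egress"] == "leak-nat" else host["ip"]
    return {"src": src, "dst": MAPPING_HOST, "label": label}


def leak_scan(targets=INTRANET, probe_types=PROBE_TYPES):
    """Probe every host with every packet type and decode what reaches D.
    Returns, per leaking host, the address D saw (inside or outside) and
    which probe types got through."""
    names = sorted(targets)
    leaks = {}
    for name in names:
        for ptype in probe_types:
            reply = send_probe(name, ptype, targets)
            if reply is None:
                continue
            idx, pt = parse_label(reply["label"])
            entry = leaks.setdefault(names[idx], {"addresses": set(), "probes": set()})
            entry["addresses"].add(reply["src"])
            entry["probes"].add(probe_types[pt])
    return leaks


if __name__ == "__main__":
    for host, info in leak_scan().items():
        print(f"{host}: seen as {sorted(info['addresses'])} via {sorted(info['probes'])}")
```

B is caught by its inside address, G only by the NAT pool address, and using several probe types matters: B answers ICMP and TCP but not UDP, G only UDP. C is correctly contained, and E is a leak the scan cannot see because it answers nothing, which is the "gentle mapping means missed endpoints" caveat from slide 18.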

Slide 68

Existence proofs of intranet leaks: jail worm. It's a pop quiz on perimeter integrity. The best-run networks (e.g. spooks' nets) don't get these infections. Internal hosts may be vulnerable.

Slide 69

Some Lumeta lessons: Reporting is the really important step; converting data to information; "Tell me how we compare to other customers." Offering a service was good practice, for a while; the customers want a device. We have >70 Fortune-200 companies and government agencies as customers. Need-to-have versus nice-to-have.

Slide 70

Honeyd - network emulation. Anti-hacking tools by Niels Provos at citi.umich.edu. Can respond as one or more hosts. I am configuring it to look like an entire customer's network. Useful for testing and debugging. Product?

Slide 71

History of the Project: Started in August 1998 at Bell Labs. April-June 1999: Yugoslavia mapping. July 2000: first customer intranet scanned. Sept. 2000: spun off Lumeta from Lucent/Bell Labs. June 2002: "B" round funding completed. 2003: sales >$4MM.

Slide 73

Mapping the Internet and Intranets. Bill Cheswick, ches@lumeta.com, http://www.cheswick.com

Slide 74

My Dad's Computer and the Future of Internet Security. Bill Cheswick, ches@lumeta.com, http://www.lumeta.com

Slide 76

My Dad's PC: Skinny-dipping with Microsoft

Slide 77

Case study: My Dad's PC. Windows XP, plenty of horsepower, two screens. Applications: Email (Outlook); "Bridge:" a fancy stock market monitoring system; AIM.

Slide 78

Case study: My Dad's PC. Cable access, dynamic IP address, no NAT, no firewall, outdated virus software, no spyware checker.

Slide 79

This PC was a software toxic waste dump. It was burning a liter of oil every 500 km. The popups seemed darned distracting to me.

Slide 80

My Dad's PC: what the repair geek found: Everything. "Viruses I've never heard of." Constant popups. Frequent blasts of various pages, all vulgar. Dad: why do I care? I am getting my work done.

Slide 81

Dad's PC: how did he get into this mess? He doesn't know what the popup security messages mean. Email-borne viruses. Unsecured network services. Executable code in web pages from unworthy sites.

Slide 82

He is getting his work done. Didn't want a system administrator to mess up his user interface settings. Truly destructive attacks are uncommon
