38

Richard Bejtlich is a seniorengineer, responsible for the

Managed Network SecurityOperations at Ball Aerospace &

Technologies Corporation. He runsthe network security operations,

process development, incidentresponse and technical training. Hebegan his computer security career

as a captain in the Air Force inlate 1998. He served as the Chiefof Current Operations at the Air

Force Computer EmergencyResponse Team (AFCERT),

supervising a 60-person globalnetwork security monitoring unit.He has published several papers,

such as Interpreting Network Traffic: ANetwork Intrusion Detector’s Look at

Suspicious Events and NetworkIntrusion Detection of Third PartyEffects. Mr Bejtlich is a 1996

graduate of Harvard University anda 1994 graduate of the US Air

Force Academy.

a report by

R i c h a r d B e j t l i c h

Senior Engineer, Managed Network Security Operations, Ball Aerospace & Technologies Corporation

Few people believe that maintaining a soundnetwork security posture is easy. Those who do aredeluding themselves, unless they practice twofundamental tenets of security: simplicity andawareness. Simplicity facilitates abstraction, which isthe basis of all computing. Abstraction is the abilityto imagine and evaluate processes and data with noequivalent in the physical world. Awareness is anaugmentation to abstraction, giving a better idea ofexactly what processes and communications must bemanipulated mentally. For example, a company mustbe aware of users from Hungary mounting drivesremotely on its file server. This may violate itssecurity policy. Unfortunately, the modernnetworking environment is destroying bothsimplicity and awareness. The purpose of this articleis to explain how security professionals can deal withthis hostile situation.

Simplicity takes many forms. In one sense, a homeuser operating a single machine with dial-up Internet access has a simple security task. He or shemust protect the computer from exploitation.Nevertheless, many home users are not equipped torecognise the vulnerabilities that are present in thedefault configuration of their personal computers. Asimple case of defending a single computer has beenmade complex by the obscurity of that machine’soperating system (OS).

Uniplexed Information and Computer System(UNIX)-based OSs, with their general reliance on text-based configuration files, give greatertransparency to knowledgeable users. It is simple toeliminate services that are started by the inetddaemon. The inner workings of Windows OSs,despite their ‘friendly’ graphical environment, can be more difficult to decipher. Terminating somedangerous services in Windows NT requiresunbinding protocols, modifying the registry andaltering object properties. Sadly, the majority ofhome users run opaque Windows platforms, largelynegating their initial simplicity advantage.

Beyond home users, corporate networkers defysimplicity at every turn. The home office paradigm ofa single machine with a single OS is shattered. Many

corporations run dozens to hundreds or thousands ofmachines, with a variety of functions being performedby multiple OSs. Small businesses might runsimultaneously Oracle databases on Solaris, MicrosoftOffice suites on Windows 2000, Sendmail mail agentson Red Hat Linux and Apache Web servers onFreeBSD. A single administrator may be responsiblefor every application, OS and platform.

Some argue that simplicity in small networks is served by running the same OS on every host.Homogeneous environments may be easier tomaintain, but they suffer a dangerous flaw. If acrippling exploit was introduced, every machinewould be at risk simultaneously. For example, the nextMelissa virus will plague everyone who is running thesame vulnerable configuration of Microsoft Outlook.An entire enterprise can be destroyed in the same waythat a virus can slaughter a genetically identical species.Diversity, but not complexity, facilitates survival.

One strategy with which to establish a securenetworking environment when simplicity is at risk is to reduce the number of workstations whilebalancing the risk of strict homogeneity carefully.Information appliances, such as Sun Microsystem’sSun Ray, provide computing power to users andcentralised control to system administrators. Ofcourse, the malicious insider may find it easy to access an entire office’s files from within a single compromised Solaris Enterprise server. Whileuseful within the boundaries of the corporatenetwork, this appliance deployment tactic does notreduce the threat to systems with Internet exposure.

Systems that are at risk from external threats residein demilitarised zones or ‘perimeter networks’,acting as external routers, firewalls and e-mail, Weband domain name servers. Some vendors do offerthis functionality in appliance form, promising‘hardened’ configurations with specialised settings.Often, these devices are endangered by the samelack of transparency as the inner workings ofMicrosoft platforms.

As it is safe to assume that the obsessive, incrediblyskilled attacker is intimately familiar with the design

S imp l i c i t y and Awareness – Keys to Network Secur i ty

Managed SecurityManaged Security

B U S I N E S S B R I E F I N G : G L O B A L I N F O S E C U R I T Y 2 0 0 2

People go to absurd lengthsto Protect their Data!

take the smarter option

InfoSecurity Services & Solutions fromTata Infotech Limited

Advanced IT Solutions

• Consulting • System Integration Services • Outsource R&D • Products & Solutions • Training

For more Information contact:USA & Latin America: info.contact@tatainfotech_usa.com ~ Tel. +1 (703) 734 9456 Europe & Africa: atginfo@tatainfotech.co.uk ~ Tel. +44 (0)20 7838 8910Rest of the World: atginfo@tatainfotech.com ~ Tel. +91 (0)22 829 0319

Corporate Office: Tata Infotech Ltd., Manish Commercial Centre, 216, Dr A.B. Road, Worli, Mumbai 400 025. Visit us at: www.tatainfotech.com

Products & Solutions

FORTIORATM, a suite of International Standards Compliant PKI based e-security solutions. These are based on indigenously developed cryptography systems, including the AES winner (Rijndael) and other popular algorithms, to ensure total security of information.

• FORTIORA CSARTM: Issues certificates to requesting clients, and stores the certificates in a public repository. Supports popular public-key algorithms (between 512 and 4096 bits). Repository conformsto standard protocols such as LDAP.

• FORTIORA DEFTTM: Desktop application for message encryption and digital signing. Cryptographic messages and key formatsconform to standards. Can also be used off-line for generating self-signed certificates.

• FORTIORA SCOUTTM: Cryptographic toolkit of C/C++ library functions that facilitates the rapid development of secure applications.

InfoSecurity Consulting

• Providing Security Solutions

• Conducting Security Audits

• Public Key Infrastructure (PKI) Consulting

System Integration Services

Expertise in providing end-to-end security solutions, backed byproven Systems Integration Skills in implementing large projects

• Setting up Certification Authority (CA) Infrastructure

• PKI enabling existing applications

• Developing PKI enabled secure applications

• Network planning and implementation

Training

• Information System Security

• Overview of PKI

This

prod

uct/p

ublic

atio

n in

clude

s im

ages

from

Cor

elDR

AW®

9 w

hich

are

pro

tect

ed b

y th

e co

pyrig

ht la

ws o

f the

U.S

., Ca

nada

and

else

wher

e. U

sed

unde

r lice

nse.

AD

/ATG

/090

1/01

40

Managed SecurityManaged Security

B U S I N E S S B R I E F I N G : G L O B A L I N F O S E C U R I T Y 2 0 0 2

of his or her target’s defensive systems, any obscurityharms the security professional. Since the very natureof pure hacking is learning every detail of a system’s operation, openness is the best way tocounteract the skilled adversary’s knowledge ofclosed systems. However, transparency compensatesfor complexity only to a certain extent. Othermeasures must be taken.

Awareness is the best way to promote security in acomplex environment. Cultivating awareness is noteasy, as complexity can make gathering criticalinformation difficult. Managing the flood of vendorbulletins, computer emergency response teamadvisories and security mailing list postings can be afull-time job. In addition, an insidious aspect of theawareness principal makes matters worse. Forexample, there is the problem of being aware of –and defending against – a vulnerability in a localserver if the existence of the server is unknown. It isdifficult for system administrators to maintaincomplete and current network maps, and to preventothers from bringing new systems online.

From a network security perspective, awareness takesseveral forms. First, there must be an awareness of theworkstations and servers that are active in theenterprise. When confronting external threats, thereare concerns about servers with direct exposure tothe Internet. Typical enterprises supply multiplepublic targets: external routers and firewalls, as wellas e-mail, Web and domain name servers that offersuitable exposure.

Second, the services that are offered by these systems must be known. Improperly configured or‘unhardened’ servers may give attackers vectors withwhich to exploit systems that are unrelated to thetarget’s main purpose. For example, an e-mail servermay afford access to its line printer daemon, invitingexploitation of a service that is not required fortransmitting e-mail.

Third, the traffic that is traversing the enterprisenetwork boundary must be observed, recognised and understood. This point, and especially therecognition element, is crucial. The proliferation

of network protocols, and especially the growth ofprotocols within protocols, makes recognitionincreasingly challenging. Decoding raw Microsoft’sNetBIOS/Server Message Block traffic, even with the aid of analysis software such as Ethereal, is difficult. Recognising Simple Object AccessProtocol (SOAP) riding through Hyper TextTransfer Protocol (HTTP) is not any easier. Noless important is the increasing use of encryptionacross enterprise boundaries. While encryption can deny intruders access to transmitted data, it can also mask attackers who tunnel their activitiesthrough legitimate encrypted channels. Foundstonebegan demonstrating these techniques publiclyabout two years ago, compromising Web servers while hiding within Secure Sockets Layer(SSL) traffic.

A way in which to best serve the three elements ofawareness must be identified. The first and secondelements, awareness of the existence of hosts andtheir services, are met by two strategies. First, systemand network administrators can keep careful

inventory of their assets. Network discovery andlogging tools that are configured properly will help.Second, and more significantly, administrators canhire outside help. This assistance takes three forms:

1. auditing;2. vulnerability assessment; and 3. penetration testing.

Auditing is the process of measuring an enterprise’scompliance with its security policy. Vulnerabilityassessment is the process of examining computingassets for configuration and operational weaknessesthat could result in a loss of confidentiality orintegrity/availability. Penetration testing is the nextstep beyond vulnerability assessment. It is theactive exploitation of vulnerable assets todetermine the likely extent of a successfulenterprise intrusion. Typical penetration tests willresult in multiple compromised machines, eachleveraged to gain deeper access in accordance withthe rules of engagement that are set by the client enterprise.

It is vital to remember that security itself cannot be

‘outsourced’. Rather, tasks that contribute to enhanced security

can be outsourced. Security professionals should seek to

implement as much simplicity and awareness as their

positions allow.

C R E A T I N G A N S W E R S T O G E T H E R

©20

01 E

quan

t

global data network i need a

THAT WORKS WHEREVER I DO BUSINESS

I can be anywhere, at anytime. Which is why I rely on a

network that delivers more, faster. A data network from Equant. The

recognized global leader in data, IP and e-business. Who can connect me in

220 countries. Provide local support in 145 of them. And offer the deepest

portfolio of managed data products and services anywhere. Begin

creating answers together at www.equant.com

‘Outside help’, a form of ‘outsourcing’, is standardpractice in many fields that are unrelated tocomputing. In order to preserve and demonstrate theintegrity of their finances, publicly traded companiesmust hire outside accountants to audit their books.Failure to perform this task properly has seriousconsequences. In June 2001, the accountingcompany Arthur Andersen paid US$7 million tosettle federal charges after filing false and misleadingaudits of Waste Management Inc. During the last fewyears, hiring companies to provide auditing,vulnerability assessment and penetration testing hasbecome a routine practice. Government regulation,such as the Health Insurance Portability andAccountability Act 1996 (HIPAA) and the Gramm-Leach-Bliley Act 1999 (GLB) are prodding medicaland finance companies towards outsourcing thesesecurity tasks.

The third element of awareness is the observation,recognition and understanding of network activity.Experienced network engineers may have troublewith the subtle security-related aspects of suspicioustraffic. In addition, the employment of multipleOSs, offering numerous services collectively, raisesthe stakes. If it is difficult to be skilled sufficiently inproper configuration of Windows, Linux, Solarisand FreeBSD platforms, it is harder to understandhow each OS and application communicates withits peers. The straw that breaks the camel’s back isthe attacker’s tendency to manipulate protocols and processes outside of their documented andexpected forms.

The consequences of not observing, recognisingand understanding network activity are plain: long-term, undetected and increasingly damagingcompromises. As reported in July 2001 by NedStafford of www.newsbytes.com, Switzerland’sthird largest Internet service provider (ISP)discovered attackers had access to thousands of usernames and passwords, including some for theembassies of France, Sweden and Israel. Theperpetrators roamed SwissOnline for months, withthe capability to read, alter, delete or copy e-mail at will. The infiltrators were only detected whenthey announced their presence by sendingSwissOnline a CD-ROM containing 185,000accounts and 250,000 e-mail addresses.

An increasingly accepted way in which to meet thechallenge of detecting and reacting to suspiciousnetwork activity is managed network securitymonitoring (NSM). The analogue equivalent of thisservice, the manned security camera, is found inincreasing numbers of banks, convenience stores,restaurants and other places of business. In addition,casinos require experienced observers to detect themost subtle of cheats. Similarly, well-equipped,

managed NSM operations leverage their expertise forthe benefit of all client enterprises. The best NSMproviders offer expertise across multiple OSs andarchitectures, with knowledge of protocols andservices and ways to defeat them. Managed NSMcompanies also offer early warning services withintheir field of view, which can far exceed that of eachindividual client. For example, if the NSM operationdetects a new exploit in use against a client inBoston, it can ensure that its other clients prepare forprobable attack.

For small to mid-sized enterprises, managed NSMoperations are far cheaper to hire than theequivalent in-house capability. In a sense, hiring amanaged NSM provider is similar to investingthrough mutual funds. Serious researching,purchasing and performance monitoring of stockscould be a full-time job for the individual investor.Alternatively, for a miniscule fee, individuals buythe expertise of a fund manager with a wide view of the investing landscape, and the time and skill to make informed financial decisions. Largerenterprises with numerous points of Internetpresence and the resources to hire the dozen or so skilled professionals that are needed forconstant staffing may elect to pass on managedNSM companies. Such large companies are similarto wealthy families who can afford to hire personal accountants, lawyers, tax advisors andinvestment assistants.

As the modern networking environment will onlybecome more complex, security professionals mustcompensate for the lack of simplicity by seekingincreased awareness. Since staying responsive todevelopments in applications, protocols and OSs is progressively more difficult, enterprises arerecognising the need to employ specialists selectivelyto enhance their security posture.

In the same way that the division of labour hashelped modern society to achieve greater prosperityand productivity, so outsourcing can furtherenhance security postures. It is vital to rememberthat security itself cannot be ‘outsourced’. Rather,tasks that contribute to enhanced security can beoutsourced. Security professionals should seek toimplement as much simplicity and awareness as theirpositions allow.

While one focus of this article has been on theadministrator’s attentiveness to his or herenterprise’s traffic, awareness should also be arequired skill for users. The demystification ofcomputing will undoubtedly continue as peoplewho are born after the creation of the World WideWeb (WWW) reach the corporate workforce in thecoming years. ■42

Managed SecurityManaged Security

B U S I N E S S B R I E F I N G : G L O B A L I N F O S E C U R I T Y 2 0 0 2