VMWARE 1011

Inside Network Perimeter Security
Second Edition

Stephen Northcutt, Lenny Zeltser, Scott Winters,
Karen Kent, and Ronald W. Ritchey

Sams Publishing, 800 East 96th Street, Indianapolis, Indiana 46240 USA

Acquisitions Editor
Linda Bump Harrison

Development Editor
Songlin Qiu

Managing Editor
Charlotte Clapp

Project Editor
George E. Nedeff

Copy Editor
Bart Reed

Indexer
Ken Johnson

Proofreader
Kathy Bidwell

Technical Editors
Todd Chapman
Anton Chuvakin
Dan Goldberg
John Spangler

Publishing Coordinator
Vanessa Evans

Book Designer
Gary Adair

Page Layout
Kelly Maish

Inside Network Perimeter Security

Copyright © 2005 by Sams Publishing
All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.

International Standard Book Number: 0-672-32737-6

Library of Congress Catalog Card Number: 2004096804

Printed in the United States of America

Trademarks

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Sams Publishing cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Warning and Disclaimer
Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an “as is” basis.

Bulk Sales

Pearson offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information, please contact

U.S. Corporate and Government Sales
1-800-382-3419

corpsales@pearsontechgroup.com

For sales outside of the US, please contact

International Sales

international@pearsoned.com

Contents

2 Packet Filtering
3 Stateful Firewalls

II Fortifying the Security Perimeter

The Role of a Router 125
The Router as a Perimeter Device 125
The Router as a Security Device 130
The Router as a Part of Defense in Depth 130
Internet Control Message Protocol Blocking 153

Comparison of PPTP, L2TP, and IPSec
PPTP and L2TP Examples 195

Maintaining Sensor Security
Case Studies 217
Case Study 1: Simple Network Infrastructure 217
Case Study 2: Multiple External Access Points 218
Case Study 3: Unrestricted Environment 220
Summary 222

9 Host Hardening 223
The Need for Host Hardening

Monitoring File Integrity

18 Sample Designs 447
Case Study 3: A Small E-Commerce Site
Case Study 4: A Complex E-Commerce Site

IV Maintaining and Monitoring Perimeter Security

19 Maintaining a Security Perimeter 471

20 Network Log Analysis 497
Analyzing Network Firewall Logs
Cisco PIX Logs 509
Check Point FireWall-1 Logs 510
IPTables Logs 511
Analyzing Host-Based Firewall and IDS Logs 512
ZoneAlarm

21 Troubleshooting Defense Components 517
The Process of Troubleshooting 517
Collecting Symptoms 518
Reviewing Recent Changes 518
Forming a Hypothesis 519
Testing the Hypothesis 519
Analyzing the Results 519
Repeating If Necessary 519
Troubleshooting Rules of Thumb 520
Make Only One Change at a Time 520
Keep an Open Mind 520
Get a Second Opinion 520
Document, Document, Document
The Troubleshooter’s Toolbox 522
Other Useful Utilities
Application Layer Troubleshooting
Transport Layer Troubleshooting 527
Network Layer Troubleshooting 540
References

22 Assessment Techniques 551
Roadmap for Assessing the Security of Your Network 551
Planning 553

23 Design Under Fire 589

24 A Unified Security Perimeter: The Importance of Defense in Depth 619
Defense on the Inside
Absorbent Perimeters
Honeypots 632
Rate Limiting 633
Failover 635
Defense in Depth with Information 635
The Problem of Diffusion 636

Appendixes

A Cisco Access List Sample Configurations 641
Complete Access List for a Private-Only Network 641
Complete Access List for a Screened Subnet Network That Allows Public Server Internet Access 645
Example of a Router Configuration as Generated by the Cisco Auto Secure Feature 650

B Crypto 101 657
Encryption Algorithms 657
Shared Key: Symmetric 658
Public-Private Key: Asymmetric 659
Digital Signatures and Hash Algorithms
References 661

Index 663

About the Authors

Stephen Northcutt is a graduate of Mary Washington College. Before entering the field of computer security, he worked as a Navy helicopter search and rescue crewman, whitewater raft guide, chef, martial arts instructor, cartographer, and network designer. Stephen is author/coauthor of Incident Handling Step-by-Step, Intrusion Signatures and Analysis, Inside Network Perimeter Security, 2nd Edition, IT Ethics Handbook, SANS Security Essentials, SANS Security Leadership Essentials, and Network Intrusion Detection, 3rd Edition. He was the original author of the Shadow Intrusion Detection System before accepting the position of Chief for Information Warfare at the Ballistic Missile Defense Organization. Stephen currently serves as Director of the SANS Institute.

Lenny Zeltser’s work in information security draws upon experience in system administration, software architecture, and business administration. Lenny has directed security efforts for several organizations, co-founded a software company, and consulted for a major financial institution. He is a senior instructor at the SANS Institute, having written and taught a course on reverse-engineering malware. Lenny is also a coauthor of books such as SANS Security Essentials and Malware: Fighting Malicious Code. He holds a number of professional certifications, including CISSP and GSE, and is an incident handler at SANS Internet Storm Center. Lenny has earned a bachelor of science in engineering degree from the University of Pennsylvania and a master in business administration degree from MIT. More information about Lenny’s projects and interests is available at www.zeltser.com.

Scott Winters has been working in all aspects of networking and computer security for over 14 years. He has been an Instructor, Network Engineer, and Systems Administrator and is currently employed as a Senior Consultant for Unisys at the Commonwealth of Pennsylvania Enterprise Server Farm. He has SANS GIAC Firewalls and Incident Handling certifications, as well as MCSE, CNE, Cisco CCNP, CCDP, and other industry certifications. Other accomplishments include authoring and editing of SANS GIAC Training and Certification course content, as well as exam content. He was a primary author of the first edition of Inside Network Perimeter Security and a contributing author for SANS Security Essentials with CISSP CBK. He has also been involved in the SANS GIAC Mentoring program and has served on the SANS GCFW Advisory Board.

Karen Kent is an Associate with Booz Allen Hamilton, where she provides guidance to Federal agencies on a broad range of information assurance concerns, including incident handling, intrusion detection, VPNs, log monitoring, and host security. Karen has earned a bachelor’s degree in computer science from the University of Wisconsin-Parkside and a master’s degree in computer science from the University of Idaho. She holds the CISSP certification and four SANS GIAC certifications. Karen has contributed to several books, including Intrusion Signatures and Analysis, published numerous articles on security, and coauthored several publications for the National Institute of Standards and Technology (NIST), including NIST Special Publication 800-61: Computer Security Incident Handling Guide.

Ronald W. Ritchey has an active interest in secure network design and network intrusion techniques. He gets to exercise this interest regularly by conducting penetration testing efforts for Booz Allen Hamilton, where he has had the opportunity to learn firsthand the real-world impact of network vulnerabilities. He is also an active researcher in the field with peer-reviewed publications in the area of automated network security analysis. Ronald has authored courses on computer security that have been taught across the country, and he periodically teaches graduate-level courses on computer security. Ronald holds a master’s degree in computer science from George Mason University and is currently pursuing his Ph.D. in information technology at their School of Information Technology and Engineering. His doctoral research involves automating network security analysis.

About the Technical Editors

Todd Chapman has 10+ years of experience delivering IT services as varied as systems management, security, networking, clustering, Perl programming, and corporate development and training. Currently, Todd is a consultant for gedas USA, Inc., in Auburn Hills, Michigan, where he provides security consulting services for Volkswagen/Audi of America. For the last three years Todd has been an active member of the SANS GCFW advisory board and has written SANS certification exam questions in a number of disciplines. Todd’s certifications include Red Hat Certified Engineer (RHCE), Microsoft Certified Systems Engineer (MCSE), GIAC Certified Firewall Analyst (GCFW), GIAC Certified Intrusion Analyst (GCIA), and GIAC Systems and Network Auditor (GSNA).

Anton Chuvakin, Ph.D., GCIA, GCIH, is a Security Strategist with netForensics, a security information management company, where he is involved with designing the product, researching potential new security features, and advancing the security roadmap. His areas of infosec expertise include intrusion detection, UNIX security, forensics, honeypots, and more. He is the author of the book Security Warrior (O’Reilly, January 2004) and a contributor to “Know Your Enemy II” by the Honeynet Project (AWL, June 2004) and “Information Security Management Handbook” (CRC, April 2004). In his spare time he maintains his security portal www.info-secure.org website.

Dan Goldberg recently created MADJiC Consulting, Inc., to provide network design and architecture reviews, intrusion detection and response, and vulnerability assessments in Central Virginia. He also works on research and writing projects for the SANS Institute and as technical director for Global Information Assurance Certification (GIAC). When not occupied by these activities, you may find him riding a mountain bike in the Blue Ridge Mountains.

John Spangler is a freelance Network Systems Engineer. Having over 10 years of experience, he has worked on everything from small office systems to large enterprise and ISP networks. John has worked as a technical editor for Cisco certification manuals.

Acknowledgments

Creating a book of this breadth and depth would not have been possible without the support of our colleagues, families, and friends. We would like to express our humble thanks to the individuals who helped make this book a reality.

Our acquisitions editor, Linda Harrison, and our development editor, Songlin Qiu, have meticulously guided us through the process of creating and revising this book. They, and the staff at Sams Publishing, have been wonderful partners in this venture.

This edition’s technical editors, Todd Chapman, Anton Chuvakin, Dan Goldberg, and John Spangler, have carefully examined each chapter’s draft to ensure the accuracy of the book’s content. We thank them for the time they’ve devoted to the project, and for the expertise they’ve loaned to this book.

ing the previous edition of this book. Their expertise, thoughtfulness, and attention to detail have already assisted thousands of readers in protecting their network’s perimeter.

First edition contributing authors:
Brent Deterding
Mark Edmead
Dr. Neil F. Johnson
Brian O’Berry
Daniel Martin

First edition technical editors:
Bill Bauer
Sam Campbell
Clement Dupuis
Jeff Stevenson
Sergei Ledovskij

Lastly, we thank our families and friends for their incredible patience while we worked on this project. Their support, love, and understanding helped make this book possible.

We Want to Hear from You!

As the reader of this book, you are our most important critic and commentator. We value your opinion and want to know what we’re doing right, what we could do better, what areas you’d like to see us publish in, and any other words of wisdom you’re willing to pass our way.

You can email or write me directly to let me know what you did or didn’t like about this book—as well as what we can do to make our books stronger.

Please note that I cannot help you with technical problems related to the topic of this book, and that due to the high volume of mail I receive, I might not be able to reply to every message.

When you write, please be sure to include this book’s title and author as well as your name and phone or email address. I will carefully review your comments and share them with the author and editors who worked on the book.

E-mail: networking@samspublishing.com

Mail:
Mark Taber
Associate Publisher
Sams Publishing
800 East 96th Street
Indianapolis, IN 46240 USA

Reader Services
For more information about this book or another Sams Publishing title, visit our website at www.samspublishing.com. Type the ISBN (excluding hyphens) or the title of a book in the Search field to find the page you’re looking for.

Preface

The flight from Lihue to San Francisco is about five and a half hours and allows me some of my most productive work time. The phone doesn’t ring, the dog doesn’t ask to go outside, and my personal firewall doesn’t start blinking because someone is trying to scan my computer. The flight attendant crews are starting to know me; I don’t want any airplane food, I brought my own recycled water bottle filled with water from my own reverse osmosis filter, just let me write. I am very thankful for a bit of understanding from the crew of United FLT 30 for the time to write this preface. If any of my words give you insight into the current state of affairs with perimeter and internal network management, don’t attribute that to me. I rely more each day of my life on the words in James 1:5; I am just the messenger.

I was enjoying working on the second edition of this book when a scene on the airplane entertainment televisions caught my eye. It was a video history of United Airlines, which started by delivering airmail in rickety old airplanes with exposed cockpits. Today, modern, fast, sophisticated aircraft have an incredible safety record. The airline industry has gone from an oddity—a great tool to entertain the crowds at county fairs—to an industry that is crucial to our way of life and economy. The airlines in the United States were essentially grounded for about three days following the terrorist attacks of September 11, 2001. The U.S. Congress debated whether to give the airlines money; they decided against it and United is now in Chapter 11.

By exploring what has changed in the airline world, you will see both the past and the future of our industry, information technology (IT). Like the airline industry, IT has historically been accomplished on rickety platforms. We have benefited from rapid advances in technology. We have seen a decline in personal service. We are headed for continuous inspections, a defense-in-depth approach, and we are every bit as vulnerable and at the same time crucial to the economy.

Rickety Planes
What if we flew in computers? That gives “crash” a whole new meaning, doesn’t it? Well, if we did, I am sure you would agree that we would all be dead. I would love to say operating systems are really improving, but it isn’t so. I installed XP SP2 beta, one of the least-rickety operating systems I have worked with in a long time, on a clone of my primary laptop a couple months ago, and it has been interesting. As soon as I submit the remainder of my chapters for this book, I will upgrade my production box. As I write this, the Windows update version has still not been released, and it will be very interesting to see what breaks when the home users get upgraded. A lot of people died in the early days of the airline industry, and as I say, if we flew in those early planes today, most of us would be dead.

Now here is the kicker: IPS systems and intelligent switches are nothing but software applications or ASICs that are built on these rickety operating systems. One of the primary themes of this book is never to trust the operating system, to expect perimeter components to fail. This book will show you techniques for failover, layering defense components, segmenting internal networks, using instrumentation to detect anomalies, and troubleshooting. In the early days of perimeter defense, the only choice that information security practitioners had was to layer their perimeter software on these rickety operating systems.

Fires in the West
For years, I was a network builder for the Department of Defense, which uses large, high-end, fast networks. The most effective security mechanism for separation of sensitive information was implemented with a physical solution—an airgap. If you want to protect one network from another, just don’t connect them together. Worms such as Blaster taught us that many networks that supposedly were not connected to the Internet actually were in one way or another, but if you audit carefully and never allow an exception, airgaps work.

The problem with an airgap is the two networks cannot interoperate, a concept directly in contradiction with the Internet philosophy and electronic business. The past few years have been a bad time for the U.S. West, as rain has been minimal, with fires starting earlier and earlier each year it seems. One of the most effective tools for managing fires is a firebreak; it isn’t as powerful as an airgap (sometimes the fire will bridge it), but segmenting the forest into zones is a powerful technique. The information technology analog for a firebreak is to segment the internal network. This can be done with internal intelligent Network Intrusion Prevention Switches (NIPS), with some elbow grease using current generation switches and applying access control to VLANs, or with low-cost appliance-type firewalls used on the internal network. It can even be done manually using anomaly IDS to detect switch ports heating up, which is usually a signature of a worm, and shutting down the switch. Segmenting internal networks with “firebreaks” allows us to have the interoperability and reduce the risk of losing all our internal systems to a destructive worm “wildfire.”

This book discusses a number of perimeter and internal network designs. Some are more focused on security, whereas others are focused on performance. Some focus on uptime and help you to understand how to choose these designs based on your organization’s requirements.

Note
One of the reasons that early airplanes were so dangerous is that a large number of them were hand built. Even if the planes were built in a factory, after a couple of years, they might as well be hand built because of the number of times they were repaired and modified.

Can you see how similar the early airplanes are to our server and desktop operating systems? We all agree that patching to reduce the vulnerability footprint is critical, but if no two servers are alike, exactly how do you test the patch? Repeatable builds give an IT shop a major increase in security just like factory-built aircraft.

So do appliance firewalls. They are factory built, plug and go. It’s not guaranteed that their OS is hardened, but you do know that the OS on the appliance is factory built, consistent, and probably stripped of unneeded programs. These low-cost appliances are very useful for segmenting an internal network.

Rapid Advances in Technology
Modern aircraft have wings, fly through the air, and land on the ground—and that is about all they have in common with the first airplanes. The advances in airframe design, materials, avionics, navigation and route selection, and airport operations make it difficult to believe that people ever considered getting into the early airplanes.

I would love to say that modern perimeter systems are so advanced that it is inconceivable that we ever tried to protect our systems with those early firewalls, but we haven’t made that much progress yet. However, hope prevails, and we certainly see evidence of improvement. Perimeter defense systems have come way down in price for any given bandwidth point; many can be upgraded by just downloading a new image. Deep packet inspection at gigabit speed is possible right now for the well-funded organization. Subscription models that update daily or weekly are the norm and support an architecture of perimeter components to create hybrid systems that combine classic perimeter defense, reporting sensors, and possibly even vulnerability assessments that allow performing internal correlation.

This book discusses the importance of using the information collected by perimeter devices to help defend the network. The data collected and reported by these devices fuels the most advanced analysis capability in the world—the Internet Storm Center (ISC). Organizations such as ISC and Internet Security Systems’s X-Force are often the first groups to detect a new worm beginning to cause trouble on the Internet. One of the upcoming models for security is continuous reporting, or operational readiness, and this requires sensors all over the network to constantly report in. The technology of network security is dynamic. It’s important to have constant updates to maintain security in the face of the ever-changing threat.

It is worth mentioning that ease of use and good security might be orthogonal. If it were as easy to get into an airplane and fly as it is to get into a car and drive, the skies would be a dangerous place. Appliance wireless access points often aggregate all wireless and built-in wired ports into the same broadcast domains. Possibilities for attacks exist based on MAC address spoofing, sniffing the internal traffic from outside the plant in the parking lot, the use of rogue, unapproved access points bought at Best Buy and plugged into the Net, access points with a bit more power than the FTC allows being broadcast into the internal network from the parking lot, and failures of the authentication system. The most common reason for aircraft crashes today is poor maintenance, and we are going to see the same thing with wireless implementations as better security technology becomes available.

Decline in Personal Service
More has changed on the human side of the airline equation than just the name change from stewardesses to flight attendants. First class isn’t first class, and it goes downhill from there. The airlines seem to be testing the limits to see just how much abuse people will take—and they wonder why they occasionally deal with passenger rage. Sadly, the IT industry has never been big on personal service. There were exceptions, back in the glory days of Big Blue. We had a bit of trouble with an IBM mainframe, and they tossed a squad of technicians into an airplane and dropped them by parachute into our parking lot. Until the technicians dropped on target, vice presidents would call every 15 minutes to apprise us of the location of the plane. Okay, I am kidding, but not by much. Those of us in IT security should take heed. I hope you understand what your CEO is thinking right now. He gave you money for security after 9/11 because it seemed to be the right thing to do. You still got hit by worms. He increased ITSEC to 5% of the IT budget. You still got hit by worms. Now you are in a meeting thinking about asking the CEO for unplanned money to implement a NIPS or HIPS solution. I strongly suggest you invest time in looking at your requirements, making sure that you choose the best technology for your needs and that customer service is part of the budget request so the people impacted by the active defense layer you are thinking about implementing will have someone intelligent and caring to call.

Nowadays, the IT industry has two primary features: bad software and worse service. One of the advantages of this book is that the entire author team has pragmatic experience with most of the commercial and freeware perimeter products on the market, including the rapidly changing personal firewall market. We can’t do much to help you with the bad software, and we never intend to bash any vendor—each has its foibles. However, we can help you in finding ways to meet your mission goals despite the flaws in the technology we each use. We devote an entire chapter of the book to implementing defense components, such as personal firewalls at a host level, to help you avoid some of the common pitfalls and know what technology is available. The latest generation of Host Intrusion Protection Systems (HIPS), which are essentially personal firewalls with operating system shims to trap dangerous operating system interrupts, have already proved themselves in production and are an important and valuable layer of defense.

Continuous Inspections
One of the primary reasons the aircraft industry has been able to make gigantic leaps in improving safety is the rigorous, complete, and continuous inspections for every component and process related to flying. This is also the most important change that we need to make. When I teach at the SANS Institute, a security research and education organization, I often say, “Who reads the event logs every day?” Some hands go up. I try to memorize their faces and catch them alone at the break. Then I ask them, “What is in the logs? What recurring problems are there?” They usually cannot answer. This book can help you deploy sensors and scanners. An entire chapter is devoted to intrusion detection. Even your organization’s software architecture is a security perimeter component, as you will learn in the software architecture chapter.

If you were to ask me what the growth industry in IT was, I would answer that consoles, sensors, and agents to collect and display information would be a strong candidate. Computer systems change rapidly. They are analogous to the barnstormer biplanes that flew around county fairs. When something broke, a blacksmith, automobile mechanic, or seamstress fabricated a new part. We can add and uninstall software in a heartbeat, but when we do, we cannot get back to the place where we were before the change. We need to monitor for change continuously, and until we learn how to do this and rigorously enforce change control, flying in computers will be nearly certain death.

Defense in Depth
It is a tragedy when a single passenger plane crashes, worse when a plane full of people goes down, and an unspeakable horror when a plane is used as a weapon of terrorism. Today, airports are transforming into examples of defense in depth. Defense in depth is a primary focus of this book, and the concept is quite simple: Make it harder to attack at chokepoint after chokepoint. How many security systems or defensive layers would you have to defeat to rush through an airport, race to a waiting, fueled, long-range jet, commandeer the plane, drive it out on the tarmac to take off, and use it as a missile? Many are obvious, such as security checkpoints, armed National Guard troops, locked doors, and tarmac controls. If you did manage to get the plane in the air, you would also have to defeat fighter aircraft. It isn’t impossible, but it is unlikely that you could defeat the defense in depth that is now employed at airports.

Defense in depth is present in every chapter of this book, and it’s becoming easier to implement in information technology. High-speed programmable hardware boxes, such as UnityOne from TippingPoint, can help protect our network borders from worm outbreaks. Technologies we have already discussed in this preface, such as next-generation intelligent switches and HIPS, allow us to implement multiple layers for our perimeter and internal networks, albeit at a significant cost. No matter what role you play in your organization, it is important to read the intrusion prevention chapter and make sure the folks in charge of the budget know what is on the horizon. As you read this book, you will learn how to architect your network so that it is resistant to attack. As we evolve as an information-based society, the importance of protecting intellectual property assets continues to rise.

Core Business Sector
In less than a century, airplanes have gone from being an oddity to being vitally important to the economy. Information technology has done the same in less time and continues to grow in importance. We have been more than a bit lazy. I often wonder what the effect of a worm with the infection rate of Blaster that overwrote (not deleted, overwrote) every location on the hard drive of an infected computer four hours after infection would be. If the Congress of the United States did not vote on a bailout package for the airline industry, IT should not expect one. One of the primary keys to survival in business over the next few years will be managing the flow of information so that resources are available when they are needed with full integrity, while the confidentiality of proprietary and sensitive information is maintained. It is a big task, so we had better get started.

—Stephen Northcutt and the authoring team

Introduction

WELCOME, AND THANK YOU FOR CONSIDERING the second edition of Inside Network Perimeter Security. This book is a unique volume because it has a consistent phrasing and style, yet it consolidates the experience of more than a dozen information security professionals working together as a team of writers and reviewers. Our goal was to create a practical guide for designing, deploying, and maintaining a real-world network security perimeter. This is a crucial topic because robust network defenses form the foundation of a reliable and trustworthy computing infrastructure.

As Richard Clarke, the former U.S. cyber-security czar, pointed out during a keynote address at a SANS Institute conference: “The perimeter is crumbling. Wireless technologies, worms, and our gadget mentality are the reason.” Given the porous nature of the modern perimeter, protecting the network is not an easy task; it requires that you get to know different types of technologies and understand how they relate to each other. This is why we discuss key perimeter security components, such as firewalls, VPNs, routers, as well as intrusion detection and prevention systems. We also exp