100 slides Pondering and Patrolling Network Perimeters Bill Cheswick [email protected] .
1 of 137Internet Mapping, Columbia. 137 slides Clear and Present Dangers Bill Cheswick Lumeta Corp....
-
date post
19-Dec-2015 -
Category
Documents
-
view
214 -
download
0
Transcript of 1 of 137Internet Mapping, Columbia. 137 slides Clear and Present Dangers Bill Cheswick Lumeta Corp....
1 of 137Internet Mapping, Columbia
137 slides
Clear and Present Dangers
Perimeter Leaks
Poor host security
137 slides
Mapping the Internet and
IntranetsBill Cheswick
http://www.cheswick.com
5 of 137Internet Mapping, Columbia
Motivations
• Intranets are out of control– Always have been
• Highlands “day after” scenario
• Panix DOS attacks– a way to trace
anonymous packets back!
• Internet tomography
• Curiosity about size and growth of the Internet
• Same tools are useful for understanding any large network, including intranets
6 of 137Internet Mapping, Columbia
Related Work
• See Martin Dodge’s cyber geography page
• MIDS - John Quarterman
• CAIDA - kc claffy
• Mercator
• “Measuring ISP topologies with rocketfuel” - 2002– Spring, Mahajan, Wetherall
• Enter “internet map” in your search engine
7 of 137Internet Mapping, Columbia
The Goals
• Long term reliable collection of Internet and Lucent connectivity information– without annoying
too many people
• Attempt some simple visualizations of the data
– movie of Internet growth!
• Develop tools to probe intranets
• Probe the distant corners of the Internet
8 of 137Internet Mapping, Columbia
Methods - data collection
• Single reliable host connected at the company perimeter
• Daily full scan of Lucent
• Daily partial scan of Internet, monthly full scan
• One line of text per network scanned– Unix tools
9 of 137Internet Mapping, Columbia
Methods - network scanning
• Obtain master network list– network lists from Merit, RIPE, APNIC, etc.– BGP data or routing data from customers– hand-assembled list of Yugoslavia/Bosnia
• Run a traceroute-style scan towards each network
• Stop on error, completion, no data– Keep the natives happy
10 of 137Internet Mapping, Columbia
TTL probes
• Used by traceroute and other tools
• Probes toward each target network with increasing TTL
• Probes are ICMP, UDP, TCP to port 80, 25, 139, etc.
• Some people block UDP, others ICMP
11 of 137Internet Mapping, Columbia
TTL probes
Application level
TCP/UDP
IP
Hardware
Client
IP
Hardware
Router
IP
Hardware
Router
IP
Hardware
Router
IP
Hardware
Router
IP
Hardware
Router
Application level
TCP/UDP
IP
Hardware
Server
Hop 1 Hop 2 Hop 3
Hop 3Hop 4
12 of 137Internet Mapping, Columbia
Send a packet with a TTL of 1…
Application level
TCP/UDP
IP
Hardware
Client
IP
Hardware
Router
IP
Hardware
Router
IP
Hardware
Router
IP
Hardware
Router
IP
Hardware
Router
Application level
TCP/UDP
IP
Hardware
Server
Hop 1 Hop 2 Hop 3
Hop 3Hop 4
13 of 137Internet Mapping, Columbia
…and we get the death notice from the first hop
Application level
TCP/UDP
IP
Hardware
Client
IP
Hardware
Router
IP
Hardware
Router
IP
Hardware
Router
IP
Hardware
Router
IP
Hardware
Router
Application level
TCP/UDP
IP
Hardware
Server
Hop 1 Hop 2 Hop 3
Hop 3Hop 4
14 of 137Internet Mapping, Columbia
Send a packet with a TTL of 2…
Application level
TCP/UDP
IP
Hardware
Client
IP
Hardware
Router
IP
Hardware
Router
IP
Hardware
Router
IP
Hardware
Router
IP
Hardware
Router
Application level
TCP/UDP
IP
Hardware
Server
Hop 1 Hop 2 Hop 3
Hop 3Hop 4
15 of 137Internet Mapping, Columbia
… and so on …
Application level
TCP/UDP
IP
Hardware
Client
IP
Hardware
Router
IP
Hardware
Router
IP
Hardware
Router
IP
Hardware
Router
IP
Hardware
Router
Application level
TCP/UDP
IP
Hardware
Server
Hop 1 Hop 2 Hop 3
Hop 3Hop 4
16 of 137Internet Mapping, Columbia
Advantages
• We don’t need access (I.e. SNMP) to the routers
• It’s very fast
• Standard Internet tool: it doesn’t break things
• Insignificant load on the routers
• Not likely to show up on IDS reports
• We can probe with many packet types
17 of 137Internet Mapping, Columbia
Limitations
• Outgoing paths only
• Level 3 (IP) only– ATM networks appear as a single node– This distorts graphical analysis
• Not all routers respond
• Many routers limited to one response per second
18 of 137Internet Mapping, Columbia
Limitations
• View is from scanning host only
• Takes a while to collect alternating paths
• Gentle mapping means missed endpoints
• Imputes non-existent links
19 of 137Internet Mapping, Columbia
The data can go either way
A
E F
D
B C
20 of 137Internet Mapping, Columbia
The data can go either way
A
E F
D
B C
21 of 137Internet Mapping, Columbia
But our test packets only go part of the way
A
E F
D
B C
22 of 137Internet Mapping, Columbia
We record the hop…
A
E F
D
B C
23 of 137Internet Mapping, Columbia
The next probe happens to go the other way
A
E F
D
B C
24 of 137Internet Mapping, Columbia
…and we record the other hop…
A
E F
D
B C
25 of 137Internet Mapping, Columbia
We’ve imputed a link that doesn’t exist
A
E F
D
B C
26 of 137Internet Mapping, Columbia
Data collection complaints
• Australian parliament was the first to complain
• List of whiners (25 nets)
• Military noticed immediately– Steve Northcutt– arrangements/warnings to DISA and CERT
• These complaints are mostly a thing of the past– Internet background radiation
predominates
27 of 137Internet Mapping, Columbia
Visualization goals
• make a map– show interesting features– debug our database and collection
methods– hard to fold up
• geography doesn’t matter
• use colors to show further meaning
28 of 137Internet Mapping, Columbia
29 of 137Internet Mapping, Columbia
30 of 137Internet Mapping, Columbia
Infovis state-of-the-art in 1998
• 800 nodes was a huge graph
• We had 100,000 nodes
• Use spring-force simulation with lots of empirical tweaks
• Each layout needed 20 hours of Pentium time
31 of 137Internet Mapping, Columbia
137 slides
Visualization of the layout algorithm
Laying out the Internet graph
33 of 137Internet Mapping, Columbia
137 slides
Visualization of the layout algorithm
Laying out an intranet
35 of 137Internet Mapping, Columbia
36 of 137Internet Mapping, Columbia
A simplified map
• Minimum distance spanning tree uses 80% of the data
• Much easier visualization
• Most of the links still valid
• Redundancy is in the middle
37 of 137Internet Mapping, Columbia
Colored byAS number
38 of 137Internet Mapping, Columbia
Map Coloring
• distance from test host
• IP address– shows communities
• Geographical (by TLD)
• ISPs
• future– timing, firewalls, LSRR blocks
39 of 137Internet Mapping, Columbia
Colored by IP address!
40 of 137Internet Mapping, Columbia
Colored by geography
41 of 137Internet Mapping, Columbia
Colored by ISP
42 of 137Internet Mapping, Columbia
Colored by distancefrom scanning host
43 of 137Internet Mapping, Columbia
US militaryreached by ICMP ping
44 of 137Internet Mapping, Columbia
US military networksreached by UDP
45 of 137Internet Mapping, Columbia
46 of 137Internet Mapping, Columbia
137 slides
Yugoslavia
An unclassified peek at a new battlefield
48 of 137Internet Mapping, Columbia
137 slides
Un film par Steve “Hollywood” Branigan...
50 of 137Internet Mapping, Columbia
137 slides
fin
52 of 137Internet Mapping, Columbia
Routers in New York Citymissing generator fuel
1000
1100
1200
1300
1400
9/11 9/12 9/13 9/14 9/15 9/16 9/17 9/18 9/19 9/20 9/21 9/22
Date
# R
ou
ters
137 slides
Intranets
54 of 137Internet Mapping, Columbia
We partition our networks to get out of the game
• Companies, governments, departments, even families hide in enclaves to limit connectivity to approved services
• These are called intranets
• The decentralized, cloud-like nature of internets makes them hard to manage at a central point
• My company explores the extent of intranets and their interconnections with other networks.
137 slides
Intranets: the rest of the Internet
56 of 137Internet Mapping, Columbia
57 of 137Internet Mapping, Columbia
58 of 137Internet Mapping, Columbia
59 of 137Internet Mapping, Columbia
60 of 137Internet Mapping, Columbia
61 of 137Internet Mapping, Columbia
This wasSupposedTo be aVPN
62 of 137Internet Mapping, Columbia
63 of 137Internet Mapping, Columbia
137 slides
Anything large enough to be called
an “intranet” isout of control
65 of 137Internet Mapping, Columbia
Case studies: corp. networksSome intranet statistics
Min MaxIntranet sizes (devices) 7,900 365,000Corporate address space 81,000 745,000,000% devices in unknown address space 0.01% 20.86%
% routers responding to "public" 0.14% 75.50%% routers responding to other 0.00% 52.00%
Outbound host leaks on network 0 176,000% devices with outbound ICMP leaks 0% 79%% devices with outbound UDP leaks 0% 82%
Inbound UDP host leaks 0 5,800% devices with inbound ICMP leaks 0% 11%% devices with inbound UDP leaks 0% 12%% hosts running Windows 36% 84%
66 of 137Internet Mapping, Columbia
Leak Detection
Internet intranet
Mapping hostA
Test hostB
mittD
C
• A sends packet to B, with spoofed return address of D
• If B can, it will reply to D with a response, possibly through a different interface
67 of 137Internet Mapping, Columbia
Leak Detection
Internet intranet
Mapping hostA
Test hostB
mittD
C
• Packet must be crafted so the response won’t be permitted through the firewall
• A variety of packet types and responses are used
• Either inside or outside address may be discovered
• Packet is labeled so we know where it came from
68 of 137Internet Mapping, Columbia
Existence proofs of intranet leaks: the slammer worm
• It’s a pop-quiz on perimeter integrity
• The best run networks (e.g. spooks’ nets) do not get these plagues– Internal hosts may be susceptible
69 of 137Internet Mapping, Columbia
Some Lumeta lessons
• Reporting is the really hard part– Converting data to information
• “Tell me how we compare to other clients”
• Offering a service was good practice, for a while
• The clients want a device
• We have >70 Fortune-200 companies and government agencies as clients
• Need-to-have vs. want-to-have
70 of 137Internet Mapping, Columbia
Honeyd – network emulation
• Anti-hacking tools by Niels Provos at citi.umich.edu
• Can respond as one or more hosts
• I am configuring it to look like an entire client’s network
• Useful for testing and debugging
• Product?
71 of 137Internet Mapping, Columbia
History of the Project
• Started in August 1998 at Bell Labs
• April-June 1999: Yugoslavia mapping
• July 2000: first customer intranet scanned
• Sept. 2000: spun off Lumeta from Lucent/Bell Labs
• June 2002: “B” round funding completed
• 2003: sales >$4MM
72 of 137Internet Mapping, Columbia
137 slides
Mapping the Internet and
IntranetsBill Cheswick
http://www.cheswick.com
137 slides
My Dad’s Computer and the Future of Internet Security
Bill Cheswick
http://www.lumeta.com
75 of 137Internet Mapping, Columbia
137 slides
My Dad’s computer
Skinny-dipping with Microsoft
77 of 137Internet Mapping, Columbia
Case study:My Dad’s computer
• Windows XP, plenty of horsepower, two screens
• Applications:– Email (Outlook)– “Bridge:” a fancy stock market monitoring
system– AIM
78 of 137Internet Mapping, Columbia
Case study:My Dad’s computer
• Cable access
• dynamic IP address
• no NAT
• no firewall
• outdated virus software
• no spyware checker
79 of 137Internet Mapping, Columbia
This computer was a software toxic waste dump
• It was burning a liter of oil every 500 km
• The popups seemed darned distracting to me
80 of 137Internet Mapping, Columbia
My Dad’s computer: what the repair geek found
• Everything
• “Viruses I’ve never heard off”
• Constant popups
• Frequent blasts of multiple web pages, all obscene
• Dad: why do I care? I am getting my work done
81 of 137Internet Mapping, Columbia
Dad’s computer: how did he get in this mess?
• He doesn’t know what the popup security messages mean
• Email-born viruses
• Unsecured network services
• Executable code in web pages from unworthy sites
82 of 137Internet Mapping, Columbia
He is getting his work done
• Didn’t want a system administrator to mess up his user interface settings
• Truly destructive attacks are rare– They aren’t lucrative or much fun– They are self-limiting
83 of 137Internet Mapping, Columbia
Recently
• An alien G-rated screen saver for an X-rated site appeared
• Changing the screen saver worked!
• The screen saver software removed in the correct way!
• Still, this should never have happened
137 slides
Skinny Dipping on the Internet
85 of 137Internet Mapping, Columbia
I’ve been skinny dipping on the Internet for years
• FreeBSD and Linux hosts
• Very few, very hardened network services
• Single-user hosts
• Dangerous services placed in sandboxes
• No known breakins
• No angst
137 slides
“Best block is not be there”
-Karate Kid
87 of 137Internet Mapping, Columbia
Angst and the Morris Worm
• Did the worm get past my firewall?
• No. Why?– Partly smart design– Partly luck…removing fingerd
• Peace of mind comes from staying out of the battle altogether
137 slides
“You’ve got to get out of the game”
-Fred Grampp
137 slides
Can my Dad (and millions like him)
get out of the game?
137 slides
Arms Races
91 of 137Internet Mapping, Columbia
Virus arms race
• Early on, detectors used viral signatures
• Virus encryption and recompilation (!) has thwarted this
• Virus detectors now simulate the code, looking for signature actions
• Virus writers now detect emulation and behave differently
• Virus emulators are slowing down, even with Moore’s Law.
92 of 137Internet Mapping, Columbia
Virus arms race
• I suspect that virus writers are going to win the detection battle, if they haven’t already– Emulation may become too slow– Even though we have the home-field advantage– Will we know if an undetectable virus is released?
• Best defense is to get out of the game.– Don’t run portable programs, or– Improve our sandbox technology
• People who really care about this worry about Ken Thompson’s attack– Read and understand “On Trusting Trust”
93 of 137Internet Mapping, Columbia
Getting out of the virus game
• Don’t execute roving programs of unknown provenance
• Trusted Computing can fix the problem, in theory
94 of 137Internet Mapping, Columbia
Password sniffing and cracking arms race
• Ethernet has always been sniffable
• WiFi is the new Ethernet
95 of 137Internet Mapping, Columbia
Password sniffing and cracking arms race
• Password cracking works 3% to 60% of the time using offline dictionary attacks– More, if the hashing is misdesigned (c.f.
Microsoft)
• This will never get better, so…
• We have to get out of the game
96 of 137Internet Mapping, Columbia
Password sniffing and cracking arms race
• This battle is mostly won, thanks to SSL, IP/SEC, and VPNs.
• There are many successful businesses using these techniques nicely.
97 of 137Internet Mapping, Columbia
Password sniffing is not a problem for Dad
• SSL fixes most of it
• AIM is interceptible– Fixable…will it be?
98 of 137Internet Mapping, Columbia
Authentication/Identification Arms races
• Password/PIN selection vs. cracking
• Human-chosen passwords and PINs can be ok if guessing is limited, and obvious choices are suppressed
• Password cracking is getting better, thanks to Moore’s Law and perhaps even botnets
99 of 137Internet Mapping, Columbia
We don’t know how to leave the user in charge of security decisions, safely.
100 of 137Internet Mapping, Columbia
User education vs. user deception
• We will continue losing this one
• Even experts sometimes don’t understand the ramifications of choices they are offered
101 of 137Internet Mapping, Columbia
Authentication arms race:predictions
• USA needs two factor authentication for social security number. (Something better than MMN or birth date.)
• I don’t see this improving much, but a global USB dongle would do it
• Don’t wait for world-wide PKI.
102 of 137Internet Mapping, Columbia
Arms race (sort of)hardware destruction
• IBM monochrome monitor
• Some more recent monitors– Current ones?
• Hard drives? Beat the heads up?
• EEPROM write limits– Viral attack on .cn and .kr PC
motherboards– Other equipment
• Anything that requires a hardware on-site service call
103 of 137Internet Mapping, Columbia
Arms race (sort of)hardware destruction
• Rendering the firmware useless– This can be fixed (mostly) with a secure
trusted computing base.
104 of 137Internet Mapping, Columbia
Software upgrade race: literally a race
• Patches are analyzed to determine the weakness
• Patch-to-exploit time is now down below 10 hours– NB: spammers have incentive to do this
work
• Now the good guys are trying to obfuscate code!
• Future difficult to say: dark side obscures everything.
105 of 137Internet Mapping, Columbia
Arms Races: deception
• Jails– Cliff Stoll and SDInet
• Honeypots– Honeynet– honeyd
• The deception toolkit---Fred Cohen
137 slides
Microsoft client security
It has been getting worse: can they skinny-dip safely?
107 of 137Internet Mapping, Columbia
Windows MEActive Connections - Win ME
Proto Local Address Foreign Address State TCP 127.0.0.1:1032 0.0.0.0:0 LISTENING TCP 223.223.223.10:139 0.0.0.0:0 LISTENING UDP 0.0.0.0:1025 *:* UDP 0.0.0.0:1026 *:* UDP 0.0.0.0:31337 *:* UDP 0.0.0.0:162 *:* UDP 223.223.223.10:137 *:* UDP 223.223.223.10:138 *:*
108 of 137Internet Mapping, Columbia
Windows 2000
Proto Local Address Foreign Address State TCP 0.0.0.0:135 0.0.0.0:0 LISTENING TCP 0.0.0.0:445 0.0.0.0:0 LISTENING TCP 0.0.0.0:1029 0.0.0.0:0 LISTENING TCP 0.0.0.0:1036 0.0.0.0:0 LISTENING TCP 0.0.0.0:1078 0.0.0.0:0 LISTENING TCP 0.0.0.0:1080 0.0.0.0:0 LISTENING TCP 0.0.0.0:1086 0.0.0.0:0 LISTENING TCP 0.0.0.0:6515 0.0.0.0:0 LISTENING TCP 127.0.0.1:139 0.0.0.0:0 LISTENING UDP 0.0.0.0:445 *:* UDP 0.0.0.0:1038 *:* UDP 0.0.0.0:6514 *:* UDP 0.0.0.0:6515 *:* UDP 127.0.0.1:1108 *:* UDP 223.223.223.96:500 *:* UDP 223.223.223.96:4500 *:*
109 of 137Internet Mapping, Columbia
Windows XP, this laptop Proto Local Address Foreign Address State TCP ches-pc:epmap ches-pc:0 LISTENING TCP ches-pc:microsoft-ds ches-pc:0 LISTENING TCP ches-pc:1025 ches-pc:0 LISTENING TCP ches-pc:1036 ches-pc:0 LISTENING TCP ches-pc:3115 ches-pc:0 LISTENING TCP ches-pc:3118 ches-pc:0 LISTENING TCP ches-pc:3470 ches-pc:0 LISTENING TCP ches-pc:3477 ches-pc:0 LISTENING TCP ches-pc:5000 ches-pc:0 LISTENING TCP ches-pc:6515 ches-pc:0 LISTENING TCP ches-pc:netbios-ssn ches-pc:0 LISTENING TCP ches-pc:3001 ches-pc:0 LISTENING TCP ches-pc:3002 ches-pc:0 LISTENING TCP ches-pc:3003 ches-pc:0 LISTENING TCP ches-pc:5180 ches-pc:0 LISTENING UDP ches-pc:microsoft-ds *:* UDP ches-pc:isakmp *:* UDP ches-pc:1027 *:* UDP ches-pc:3008 *:* UDP ches-pc:3473 *:* UDP ches-pc:6514 *:* UDP ches-pc:6515 *:* UDP ches-pc:netbios-ns *:* UDP ches-pc:netbios-dgm *:* UDP ches-pc:1900 *:* UDP ches-pc:ntp *:* UDP ches-pc:1900 *:* UDP ches-pc:3471 *:*
110 of 137Internet Mapping, Columbia
FreeBSD partition, this laptop(getting out of the game)
Active Internet connections (including servers)Proto Recv-Q Send-Q Local Address tcp4 0 0 *.22 tcp6 0 0 *.22
137 slides
It is easy to dump on Microsoft, but many others have made the
same mistakes before
112 of 137Internet Mapping, Columbia
ftp stream tcp nowait root /v/gate/ftpdtelnet stream tcp nowait root /usr/etc/telnetdshell stream tcp nowait root /usr/etc/rshdlogin stream tcp nowait root /usr/etc/rlogind exec stream tcp nowait root /usr/etc/rexecd finger stream tcp nowait guest /usr/etc/fingerd bootp dgram udp wait root /usr/etc/bootp tftp dgram udp wait guest /usr/etc/tftpd ntalk dgram udp wait root /usr/etc/talkd tcpmux stream tcp nowait root internalecho stream tcp nowait root internaldiscard stream tcp nowait root internalchargen stream tcp nowait root internaldaytime stream tcp nowait root internaltime stream tcp nowait root internalecho dgram udp wait root internaldiscard dgram udp wait root internalchargen dgram udp wait root internaldaytime dgram udp wait root internaltime dgram udp wait root internalsgi-dgl stream tcp nowait root/rcv dglduucp stream tcp nowait root /usr/lib/uucp/uucpd
Default servicesSGI workstation
113 of 137Internet Mapping, Columbia
More default services
mountd/1 stream rpc/tcp wait/lc root rpc.mountdmountd/1 dgram rpc/udp wait/lc root rpc.mountdsgi_mountd/1 stream rpc/tcp wait/lc root rpc.mountdsgi_mountd/1 dgram rpc/udp wait/lc root rpc.mountdrstatd/1-3 dgram rpc/udp wait root rpc.rstatd walld/1 dgram rpc/udp wait root rpc.rwalld rusersd/1 dgram rpc/udp wait root rpc.rusersd rquotad/1 dgram rpc/udp wait root rpc.rquotad sprayd/1 dgram rpc/udp wait root rpc.sprayd bootparam/1 dgram rpc/udp wait root rpc.bootparamdsgi_videod/1 stream rpc/tcp wait root ?videod sgi_fam/1 stream rpc/tcp wait root ?fam sgi_snoopd/1 stream rpc/tcp wait root ?rpc.snoopd sgi_pcsd/1 dgram rpc/udp wait root ?cvpcsd sgi_pod/1 stream rpc/tcp wait root ?podd tcpmux/sgi_scanner stream tcp nowait root ?scan/net/scannerdtcpmux/sgi_printer stream tcp nowait root ?print/printerd 9fs stream tcp nowait root /v/bin/u9fs u9fswebproxy stream tcp nowait root /usr/local/etc/webserv
137 slides
Firewalls and intranets try to get
us out of the network services
vulnerability game
115 of 137Internet Mapping, Columbia
137 slides
What my dad(and most of you)
really needs
137 slides
Most of my Dad’s problems are caused by weaknesses in
features he never uses or needs.
137 slides
A proposal:Windows OK
119 of 137Internet Mapping, Columbia
Windows OK
• Thin client implemented with Windows
• It would be fine for maybe half the Windows users– Students, consumers, many corporate
and government users
• It would be reasonable to skinny dip with this client– Without firewall or virus checking
software
120 of 137Internet Mapping, Columbia
Windows OK
• No network listeners– None of those services are needed, except
admin access for centrally-administered hosts
• Default security settings
• All security controls in one or two places
• Security settings can be locked
121 of 137Internet Mapping, Columbia
Windows OK (cont)
• There should be nothing you can click on, in email or a web page, that can hurt your computer– No portable programs are executed ever,
except…
• ActiveX from approved parties– MSFT and one or two others. List is
lockable
122 of 137Internet Mapping, Columbia
Windows OK
• Reduce privileges in servers and all programs
• Sandbox programs– Belt and suspenders
123 of 137Internet Mapping, Columbia
Office OK
• No macros in Word or PowerPoint. No executable code in PowerPoint files
• The only macros allowed in Excel perform arithmetic. They cannot create files, etc.
124 of 137Internet Mapping, Columbia
Vulnerabilities in OK
• Buffer overflows in processing of data (not from the network)
• Stop adding new features and focus on bug fixes
• Programmers can clean up bugs, if they don’t have a moving target– It converges, to some extent
137 slides
XP SP2
Bill Gets It
126 of 137Internet Mapping, Columbia
Microsoft’s Augean Stables:a task for Hercules
• 3000 oxen, 30 years, that’s roughly one oxen-day per line of code in Windows
• It’s been getting worse since Windows 95
127 of 137Internet Mapping, Columbia
XP SP2: Bill gets it
• “a feature you don’t use should not be a security problem for you.”
• “Security by design”– Too late for that, its all retrofitting now
• “Security by default”– No network services on by default
• Security control panel– Many things missing from it– Speaker could not find ActiveX security settings
• There are a lot of details that remain to be seen.
128 of 137Internet Mapping, Columbia
Microsoft really means it about improving their security
• Their security commitment appears to be real
• It is a huge job
• Opposing forces are unclear to me
• It’s been a long time coming, and frustrating
129 of 137Internet Mapping, Columbia
Microsoft secure client arms race
• We are likely to win, but it is going to be a while
130 of 137Internet Mapping, Columbia
SP2 isn’t going to be easy to deploy
• Many people rely on unsafe configurations, even if they don’t realize it
• Future SPs won’t be easy either, especially if they follow my advice
131 of 137Internet Mapping, Columbia
Windows XP SP2
• Candidate 2 release is available
• Read the EULA…it is interesting and a bit different
132 of 137Internet Mapping, Columbia
133 of 137Internet Mapping, Columbia
134 of 137Internet Mapping, Columbia
SP2 is just a start: more work is needed
• Security panel and ActiveX permissions– Also, list of trusted signers needed
• Still too many network services– They may not be reachable from outside
the box
• Clicking may still be dangerous
135 of 137Internet Mapping, Columbia
Conclusions: we ought to win these battles
• We control the playing field
• DOS is the worse they can do, in theory
• We can replicate our successes
• We can converge on a secure-enough environment
136 of 137Internet Mapping, Columbia
Conclusions: problems
• The business models to achieve these successes seem surprisingly elusive to me
• Security devices, and stand-alone devices, are close to meeting our needs– Except full-functioned routers
• General purpose computers are the big problem– Apparently features are more important
than security, to the customers– Is this really true?
137 slides
My Dad’s Computer and the Future of Internet Security
Bill Cheswick
http://www.lumeta.com