Moving Security Enforcement into the Heart of the Network


Moving Security Enforcement into the Heart of the Network
Peter Benson
CEO
Security-Assessment.com
October, 2005
Copyright Security-Assessment.com, Qualys Inc, 2005
Agenda
• Evolution of Threats
• Why Network Access Control Matters
• The Laws of Vulnerabilities
• Network Access Control Architectures
• Summary and Action
Security Trend Indicators
• Malicious Code (↑)
• Vulnerabilities (↑)
• Spam and Spyware (↑)
• Phishing and Identity Theft (↑)
…and
• Time to Exploitation (↓)
Where are the issues?
• A multitude of insecure protocols and services
– telnet, ftp, snmp
• Known default settings
– Passwords, SNMP community strings
• System design errors
– Setup and access control errors
• Software implementation flaws
– Input validation, lack of sanity checks
• User triggered issues
– Email and browser related
First Generation Threats
• Spreading mostly via email, file-sharing
• Human action required
• Virus-type spreading / no vulnerabilities
• Examples: Melissa Macro Virus, LoveLetter VBScript Worm
• Replicates to other recipients
• Discovery/Removal: Antivirus
Second Generation Threats
• Active worms
• Leveraging known vulnerabilities
• Low level of sophistication in spreading strategy (i.e. randomly)
• Non-destructive payloads
• Remedy: Identify and fix vulnerabilities
Third Generation Threats
• Automated attacks leveraging known and unknown vulnerabilities
• Collaboration of social engineering and automated attacks
• Multiple attack vectors
– Email, Web, IM, Vulnerabilities,…
• Active payloads
• Remedy: Security Enforcement / Network Access Control
Evolution of Network Access Control
• Today:
– Static network access
– Every device is permitted
– Infected or unhealthy devices are frequently the root of an outbreak
• Tomorrow:
– Dynamic network access based on policies
– Screening devices before granting access
– Infected or unhealthy devices should be treated separately
“Anyone can build a stop sign – or even a traffic light – but it takes a different mind-set entirely to conceive of a city-wide traffic control system.”
Bruce Schneier – Beyond Fear
Building Blocks of Network Access Control
• Assessment of endpoint security
• Decision making based on policy compliance
• Admission enforcement at network infrastructure
• Quarantining/remediation of unhealthy devices
A Common Framework for Network Access Control
[Figure: common NAC framework. Components shown: Client, Network Access Infrastructure, Policy Manager, Main Network, Quarantine Network.]
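The four building blocks (assessment, policy decision, admission enforcement, quarantine) written out as a small model, added here as an illustration and not taken from the slides or from any vendor's product. The `Posture`, `Policy` and `Decision` types, the policy thresholds, the VLAN numbers, the remediation-only ACL and the three sample endpoint records are all constructed for the example.

```python
"""Added example (not from the slides): a minimal model of the four NAC
building blocks -- endpoint assessment, policy decision, admission
enforcement, quarantine/remediation.  All names, thresholds, VLAN numbers
and the sample endpoint records are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Posture:
    """Result of assessing an endpoint (what a health agent or scanner reports)."""
    host: str
    missing_critical_patches: int
    av_signature_date: date
    firewall_enabled: bool


@dataclass
class Policy:
    """Admission policy the decision point evaluates posture against (constructed)."""
    max_missing_critical: int = 0
    max_av_signature_age_days: int = 7
    require_firewall: bool = True


@dataclass
class Decision:
    host: str
    network: str                        # "main" or "quarantine"
    violations: list = field(default_factory=list)


def evaluate(posture: Posture, policy: Policy, today: date) -> Decision:
    """Decision making based on policy compliance: any violation -> quarantine."""
    violations = []
    if posture.missing_critical_patches > policy.max_missing_critical:
        violations.append(f"{posture.missing_critical_patches} critical patches missing")
    age = (today - posture.av_signature_date).days
    if age > policy.max_av_signature_age_days:
        violations.append(f"AV signatures {age} days old")
    if policy.require_firewall and not posture.firewall_enabled:
        violations.append("host firewall disabled")
    return Decision(posture.host, "quarantine" if violations else "main", violations)


# Constructed VLAN map standing in for the network infrastructure's enforcement point.
VLAN_BY_NETWORK = {"main": 10, "quarantine": 999}


def enforce(decision: Decision) -> dict:
    """Admission enforcement: turn the decision into a port/VLAN assignment.
    Quarantined hosts reach only the remediation servers (a constructed ACL)."""
    allow = ["any"] if decision.network == "main" else ["patch-server", "av-update-server"]
    return {"host": decision.host, "vlan": VLAN_BY_NETWORK[decision.network], "allow": allow}


def admit_all(postures, policy: Policy, today: date) -> list:
    """Run assessment results through decision and enforcement in one pass."""
    return [enforce(evaluate(p, policy, today)) for p in postures]


# Constructed sample assessment results: one healthy host, one missing patches,
# one with stale AV signatures and no firewall.
TODAY = date(2005, 10, 1)
SAMPLE = [
    Posture("laptop-01", 0, TODAY - timedelta(days=2), True),
    Posture("laptop-02", 3, TODAY - timedelta(days=1), True),
    Posture("kiosk-07", 0, TODAY - timedelta(days=30), False),
]

if __name__ == "__main__":
    for result in admit_all(SAMPLE, Policy(), TODAY):
        print(result)
```

The point of keeping `evaluate` separate from `enforce` is the one the framework slide makes: the policy manager decides, the network infrastructure enforces, and a quarantined host still gets a path to the remediation servers rather than no connectivity at all.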
Why Network Access Control Matters
• Objective: Understanding prevalence of critical vulnerabilities over time in the real world
• Timeframe: January 2002 - Ongoing
• Data Source:
– 70% Global Enterprise networks
– 30% Random trials
• Methodology: Automatic data collection with statistical data only – no possible correlation to individual users or systems
Raw Results
• Largest collection of global real-world vulnerability data:
– 14,818,000 IP-Scans since begin 2002
– 2,275 out of 3,374 unique vulnerabilities detected in the real world
– 3,834,000 total critical* vulnerabilities found
– 1,031 out of 1,504 unique critical vulnerabilities detected in the real world
• Analysis Performed:
– Identifying Window of Exposure
– Lifespan of Critical Vulnerabilities
– Resolution Response
– Trend over Time
– Vulnerability Prevalence
* Critical: providing an attacker the ability to gain full control of the system, and/or leakage of highly sensitive information. For example, vulnerabilities may enable full read and/or write access to files, remote execution of commands, and the presence of backdoors.
Microsoft WebDAV Vulnerability
[Chart: detections of WebDAV CAN-2003-0109 per scan period, April 2003 to July 2004; y-axis 0 to 3000]
Microsoft Windows 2000 IIS WebDAV Buffer Overflow Vulnerability
CAN-2003-0109, Qualys ID 86479
Released: March 2003
WU-FTPd File Globbing Heap Corruption Vulnerability
[Chart: detections of WU-FTPd CVE-2001-0550 per scan period, November 2002 to July 2004; y-axis 0 to 600]
CVE-2001-0550, Qualys ID 27126
Released: November 2001
Microsoft Windows ASN.1 Library Integer Handling Vulnerability
[Chart: detections of Microsoft ASN.1 CAN-2003-0818 per week, February 2004 to July 2004; y-axis 0 to 18000]
CAN-2003-0818, Qualys ID 90103
Released: February 2004
Buffer overflow in Microsoft Local Security Authority Subsystem Service (LSASS)
[Chart: detections of Microsoft LSASS CAN-2003-0533 per week, April 2004 to July 2004; y-axis 0 to 70000]
CAN-2003-0533, Qualys ID 90108
Released: April 2004
External vs. Internal Vulnerabilities
[Chart: share of systems still vulnerable (100%, 75%, 50%, 25%) against time in 21-day steps from 21 to 189 days, external and internal curves]
For a critical vulnerability, every 21 days (62 days on internal networks) 50% of vulnerable systems are being fixed.
SSL Server Allows Cleartext Communication
[Chart: detections of "SSL Server Allows Cleartext Communication" per scan period, March 2003 to June 2004; y-axis 0 to 1200]
Qualys ID 38143
SQL Slammer Vulnerability
[Chart: detections of the MS-SQL 8.0 UDP Slammer Worm Buffer Overflow Vulnerability per month, February 2003 to June 2004; y-axis 0 to 600]
CAN-2002-0649, Qualys ID 19070
Released: July 2002
A Continuous Cycle of Infection
[Chart: weekly detections of Sasser, CodeRed, Nachi and Blaster, January to July 2004; y-axis 0 to 70]
Vulnerability Lifespan
[Chart: share of systems still vulnerable (100% to 25%) over half-life periods of 21 days, 21 to 126 days]
The lifespan of some vulnerabilities and worms is unlimited.
The Impact of an Exploit
[Chart: half-life curve (100% to 25%) over 21-day periods, 21 to 126 days, with Witty, Sasser and Blaster marked in the first two periods]
80% of worms and automated exploits are targeting the first two half-life periods of critical vulnerabilities.
Mapping Vulnerability Prevalence
[Chart: Vulnerability Prevalence; number of detections per individual vulnerability, y-axis 0 to 700,000, x-axis Individual Vulnerabilities]
The Changing Top of the Most Prevalent
(Membership of the most-prevalent list in the half-year snapshots Jul-02, Jan-03, Jul-03, Jan-04 and Jul-04. The original table marks each snapshot with an "x"; the marks are kept per row because their column positions did not survive extraction.)

Vulnerability | CVE | Snapshots marked
Apache Mod_SSL Buffer Overflow Vulnerability | CVE-2002-0082 | x
Microsoft Exchange 2000 Malformed Mail Attribute DoS Vulnerability | CVE-2002-0368 | x
Microsoft Index Server and Indexing Service ISAPI Extension Buffer Overflow Vulnerability | CVE-2001-0500 | x x
Microsoft IIS FTP Connection Status Request Denial of Service Vulnerability | CVE-2002-0073 | x x
Microsoft IIS Chunked Encoding Transfer Heap Overflow Vulnerability | CVE-2002-0079 | x x
Microsoft IIS HTR ISAPI Extension Heap Overflow Vulnerability | CVE-2002-0364 | x x
Microsoft IIS 4.0/5.0 Extended UNICODE Remote Execution Vulnerability | CVE-2000-0884 | x x x
Microsoft IIS CGI Filename Decode Error Vulnerability | CVE-2001-0333 | x x x
Microsoft IIS Malformed HTR Request Buffer Overflow Vulnerability | CVE-2002-0071 | x x x
Microsoft IIS HTR Chunked Encoding Transfer Heap Overflow Vulnerability | CVE-2002-0364 | x x x x
Apache Chunked-Encoding Memory Corruption Vulnerability | CVE-2002-0392 | x x x x x
OpenSSH Challenge-Response Authentication Integer Overflow Vulnerability | CVE-2002-0639 | x x x x x
Multiple Vendor SNMP Request And Trap Handling Vulnerabilities | CAN-2002-0012 | x x x
ISC BIND SIG Cached Resource Record Buffer Overflow (sigrec bug) Vulnerability | CAN-2002-1219 | x x x
Microsoft Windows 2000 IIS WebDAV Buffer Overflow Vulnerability | CAN-2003-0109 | x x x
Sendmail Address Prescan Possible Memory Corruption Vulnerability | CAN-2003-0161 | x x x
Microsoft SMB Request Handler Buffer Overflow Vulnerability | CAN-2003-0345 | x x
Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability | CAN-2003-0352 | x x x
Microsoft DCOM RPCSS Service Vulnerabilities | CAN-2003-0528 | x x
Microsoft Messenger Service Buffer Overrun Vulnerability | CAN-2003-0717 | x
Buffer Overflow in Microsoft Local Security Authority Subsystem Service (LSASS) | CAN-2003-0533 | x
Microsoft RPCSS Code Execution Variant | CAN-2003-0813 | x
Microsoft Windows ASN.1 Library Integer Handling Vulnerability | CAN-2003-0818 | x

50% of the most prevalent and critical vulnerabilities are being replaced by new vulnerabilities on an annual basis.
Top 10 External (Most Prevalent and Critical Vulnerabilities) as of June, 2005

Title | Qualys ID | CVE Reference | External Reference
Microsoft Windows ntdll.dll Buffer Overflow Vulnerability | 86479 | CAN-2003-0109 | MS03-007
Buffer overflow in Microsoft Local Security Authority Subsystem Service (LSASS) | 90108 | CAN-2003-0533 | MS04-011
Buffer Management Vulnerability in OpenSSH | 38217 | CAN-2003-0693 | CA-2003-24
Sendmail Prescan() Variant Remote Buffer Overrun Vulnerability | 50080 | CAN-2003-0694 | CA-2003-25
Microsoft Windows RPC Runtime Library Vulnerability | 68528 | CAN-2003-0813 | MS04-012
Microsoft Windows ASN.1 Library Integer Handling Vulnerability | 90103 | CAN-2003-0818 | MS04-007
Windows TCP/IP Remote Code Execution and Denial of Service Vulnerabilities | 09244 | CAN-2005-0048 | MS05-019
Writeable SNMP Information | 78031 | N/A | N/A
Unauthenticated Access to FTP Server Allowed | 27210 | N/A | N/A
SSL Server Allows Cleartext Communication Vulnerability | 38143 | N/A | N/A
Top 10 Internal (Most Prevalent and Critical Vulnerabilities) as of June, 2005

Title | Qualys ID | CVE Reference | External Reference
Microsoft SQL Weak Database Password | 19001 | CAN-2000-1209 | N/A
Buffer overflow in Microsoft Local Security Authority Subsystem Service | 90108 | CAN-2003-0533 | MS04-011
Microsoft Messenger Service Buffer Overrun Vulnerability | 70032 | CAN-2003-0717 | MS03-043
Microsoft Windows RPC Runtime Library Vulnerability | 68528 | CAN-2003-0813 | MS04-012
Microsoft Windows ASN.1 Library Integer Handling Vulnerability | 90103 | CAN-2003-0818 | MS04-007
Microsoft Buffer Overrun in JPEG Processing | 90176 | CAN-2004-0200 | MS04-028
Adobe Acrobat Reader Format String Vulnerability | 38385 | CAN-2004-1153 | N/A
Microsoft Server Message Block Remote Code Execution | 90230 | CAN-2005-0045 | MS05-011
Microsoft Internet Explorer Multiple Vulnerabilities | 100025 | CAN-2005-0553 | MS05-020
Microsoft Word Vulnerability Could Allow Remote Code Execution | 110031 | CAN-2005-0558 | MS05-023
Goal: Shortening the Half-Life of Critical Vulnerabilities for Internal Systems to 40 days
• Awareness
• Prioritization
• Enforcement
[Chart: share of systems still vulnerable (100% to 25%) over 62-day periods, 62 to 372 days, with a 2004 curve and a steeper 2005 target curve]
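The half-life law behind the external/internal chart and this goal slide, carried through as a small model. This is an added example, not code from the presentation or from Qualys; the half-lives (21 days external, 62 days internal, 40-day internal goal) are the slide's figures, while the exponential-decay form and the function names are assumptions made for the illustration.

```python
"""Added example, not part of the slides: the vulnerability half-life law
written out as a model.  The half-lives are the slide's figures; the
exponential-decay form and the function names are mine."""
import math

EXTERNAL_HALF_LIFE = 21   # days, external systems (slide figure)
INTERNAL_HALF_LIFE = 62   # days, internal systems (slide figure)
GOAL_HALF_LIFE = 40       # days, stated goal for internal systems


def remaining_fraction(days: float, half_life: float) -> float:
    """Share of the initially vulnerable population still unpatched after
    `days`, if half of whatever remains is fixed every `half_life` days."""
    return 0.5 ** (days / half_life)


def days_until(fraction_left: float, half_life: float) -> float:
    """Days until only `fraction_left` (0 < f <= 1) of the systems remain vulnerable."""
    if not 0 < fraction_left <= 1:
        raise ValueError("fraction_left must be in (0, 1]")
    return half_life * math.log2(1 / fraction_left)


def exposure_table(half_life: float, periods: int = 6) -> list:
    """(days, fraction still vulnerable) at each whole half-life boundary."""
    return [(n * half_life, remaining_fraction(n * half_life, half_life))
            for n in range(periods + 1)]


def exposure_reduction(old_half_life: float, new_half_life: float,
                       horizon_days: float) -> float:
    """Drop in the still-vulnerable share at `horizon_days` when the
    half-life is shortened from `old_half_life` to `new_half_life`."""
    return (remaining_fraction(horizon_days, old_half_life)
            - remaining_fraction(horizon_days, new_half_life))


if __name__ == "__main__":
    for name, hl in [("external", EXTERNAL_HALF_LIFE),
                     ("internal", INTERNAL_HALF_LIFE),
                     ("goal", GOAL_HALF_LIFE)]:
        row = ", ".join(f"{d:.0f}d={f:.0%}" for d, f in exposure_table(hl, 4))
        print(f"{name:8s} half-life {hl:3d}d: {row}")
    # After two half-lives 25% of systems are still exposed whatever the
    # half-life; the slide says 80% of worms land inside that window.
    print("two half-lives, internal today:", days_until(0.25, INTERNAL_HALF_LIFE), "days")
    print("two half-lives, at the goal:   ", days_until(0.25, GOAL_HALF_LIFE), "days")
    print("exposure cut at 124 days:", round(exposure_reduction(62, 40, 124), 3))
```

The model makes the goal concrete: the window in which a quarter of internal systems is still exposed shrinks from 124 days to 80 days, and at the 124-day mark the still-vulnerable share falls from 25% to about 12%.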
Network Access Control Industry Initiatives
• Cisco Network Admission Control (NAC)
– Leveraging Cisco networking devices to control access
– Evaluation of devices via agent (CTA) or agentless
• Microsoft Network Access Protection (NAP)
– Client side system health agent
– Server side system health validator
• TCG Trusted Network Connect (TNC)
– Open software architecture for policy based access
– Cross vendor architecture
Cisco NAC Architecture
[Figure: Cisco NAC architecture (Source: Cisco). Components: hosts attempting network access running the Cisco Trust Agent; network access devices; AAA server (ACS) as policy server / decision point; vendor servers. Labelled flows: credentials over EAP/UDP or EAP/802.1x, RADIUS, HTTPS; "Comply?" decision; access rights; enforcement; notification. The figure numbers the steps 1 to 6 (plus 2a); the numbering did not survive extraction.]
Microsoft NAP Architecture
[Figure: Microsoft NAP architecture. Source: Microsoft]
TCG Trusted Network Connect Architecture
[Figure: TNC architecture. Source: Trusted Computing Group]
Vernier Networks EdgeWall Architecture
[Figure: EdgeWall architecture (Source: Vernier Networks). Components: EdgeWall, Control Server, Authentication Service, Patch Management / Vulnerability Servers. Numbered steps in the figure:]
1) Credentials
2) Authentication
3) Local compliance check
4) Integrity data
5) User access rights
Network Access Control Challenges
• Impact/interoperability with existing infrastructure
• Agent-based vs. agent-less approaches
• Continuous vs. initial device evaluation
• Interoperability between different architectures
Why Network Access Control is important
• Reduced risk of outbreak due to infected endpoints
• Safe access to networks through VPN access
• Controlled remediation and patching of unhealthy endpoints
• Increased security of corporate resources
• Increased compliance with regulatory requirements
Thank You
Q&A
[email protected]