高存活网路之设计与实现

DesignandImplementationofHighlySurvivableNetworkSystem

高存活網路之設計與實現

Wai-TakWong,Ph.D.(王偉德)Email:wtwong@.twTel:03-518-60501/13/20231SurvivabilityTheabilityofasystemtofulfillitsmission,inatimelymanner,inthepresenceofattacks,failures,oraccidents.

SecuritySecurityisNotEnoughTheNetworkEnvironment

Cyberspace-InternetBorderless,Dynamic,Anonymous,Accessible

CriticalInfrastructuresDistributedandComplex,Interdependent,International,DataRichEnvironment,VulnerableAttacksCyberAttackPhysicalAttackCyberAttackCybercrime

Thedeliberatemisuseofdigitaldataorinformationflows.CyberterrorThedeliberateofdestruction,disruptionordistortionofdigitaldataorinformationflowswithwidespreadeffectforpolitical,religiousorideologicalreasons.TheResultsFromCyberAttackIndividualsmaylosetheirsocialidentityArmiesmayceasetomarchStockmaylosehundredspointsBusinessesmaybebankruptedThreatsnotfromnoviceteenagers,butpurposefulmilitary,political,andcriminalorganizationsTheImpact–RealandPotential

LossofCriticalServices

LossofPublicConfidenceDirectimpactonabilitytogovern

CostsofReactiontoThreatDeterminingvulnerabilitiesAssessingmostlikelythreatAdapting/ChangingpoliciesModifyingnetworkarchitecturesandconfigurationsFinding/acquiringthenecessaryexpertiseImpactsPoliticalTechnicalEconomicSocialImpactsareSocial,Economic,PoliticalaswellasTechnicalWhoShouldConcern?TelecommunicationsFinancialServiceEnergyEmergencyServicesGovernmentServicesTransportationInformationSophisticationofCybercrimeSimpleUnstructuredIndividualsorgroupsworkingwithlittlestructure,forethoughtorpreparationAdvancedStructuredGroupsworkingwithsomestructure,butlittleforethoughtorpreparationComplexCoordinatedGroupsworkingwithadvancepreparationwithspecifictargetsandobjectivesAttackSophisticationvs.

IntruderTechnicalKnowledgeHighLow19801985199019952000passwordguessingself-replicatingcodepasswordcrackingexploitingknownvulnerabilitiesdisablingauditsbackdoorshijackingsessionssweeperssnifferspacketspoofingGUIautomatedprobes/scansdenialofservicewwwattacksToolsAttackersIntruderKnowledgeAttackSophistication“stealth”/advancedscanningtechniquesburglariesnetworkmgmt.diagnosticsdistributedattacktoolsCrosssitescriptingDefenseinDepthSophisticatedCyberAttackOut-of-the-boxLinuxPChookedtoInternet

[30seconds]Firstserviceprobes/scansdetected[1hour]Firstcompromiseattemptsdetected[12hours]PCfullycompromised:

AdministrativeaccessobtainedEventloggingselectivelydisabledSystemsoftwaremodifiedtosuitintruderAttacksoftwareinstalledPCactivelyprobingfornewhoststointrudeTheTacticsusedforAttacksProbingFindtheunlockeddoororopenwindowPing–scanIPaddressWardialer–dialamodemWardriving–scanwirelessnetworkTheTacticsusedforAttacksViruses&WormsViruses–capturecontrolofanexistingprogramtoexecutetheircommandsWorms–executetheircommandsindependentlyCanbringdownanetwork,corruptfiles,copyandstorecriticalinformationforlaterretrieval,…TheTacticsusedforAttacksTrojanHorsesTheyarebroughtintoasystemviaanotherprogram.Theynestlethemselvesin,unnoticed,typicallyawaitingapreprogrammedtimeorasignaltobeactivated.Theyareofteninsertedaspartoftheprobingprocess.Createbackdoors,plantbombs,collectinginformation,deletingcriticalfiles,dial900number,weakenencryptionpackagesTheTacticsusedforAttacksDenialofServices/DistributedDosAfloodattackgenerallyfallintooneofthreecategories:TCPfloods(SYN,ACK,RSTmessage)UDPfloodsPingfloods(ICMPECHO_REQUESTandECHOREPLYmessage)Aseriesofhundreds/thousandsofpacketstoconsumethetarget’sprocessingpowerTrojanshavebecomeatoolusedinDos/DDosTypicalIntruderAttackDistributedCoordinatedAttackDistributedCoordinatedAttackTopGeneralVulnerabilitiesItmakesnodifferencewhatOSyourun;youarevulnerabletothesesevengeneralvulnerabilitiesDefaultinstallationsIncludeextraneousservicestomanyusersAccountswithweak/nopasswordThecommonaccountpasswordinNorthAmericais“password”Don’tusethedefaultpasswordonanadmin/rootlevelaccountTopGeneralVulnerabilitiesNonexistentorincompletebackupsMakebackupsandknowhowtorestorefromthemThebackupsshouldbeoff-siteLargenumberofopenportsRealizethenumberofopenportsinyoursystemandcloseasmanyaspossible.Notfilteringforcorrectingress/egressaddressesIngresstrafficshouldn’thaveanyIPofyournetworkEgresstrafficshouldn’thaveanyIPotherthanyournetworkCommonAbusedPortsTopGeneralVulnerabilitiesNonexistentorincompleteloggingLogswillhelpyoudetecttheattackinthefirstplacebyprovidinginformationaboutthenormalactivityonthenetwork.LogsareafrequenthackertargetVulnerableCGIprogramsCGIprogramsmustbeabletoactontheserver,theyoftencarryextensiveprivileges,makingthemanattractivetargetTopWindowVulnerabilitiesUnicodevulnernabilityDirectorytraversalattacktoanIISserverInternetServicesApplicationProgrammingInterface(ISAPI)extensionbufferoverflowsWhentheinputbufferisoverflowedforthescriptswritteninISAPIrunningintheIISserver,theresultisoftenacompletecompromiseIISRemoteDataService(RDS)RDSisameansofmanaginganIISserverremotely;itcanbeattackedandcompromisedTopWindowVulnerabilitiesNetbios–unprotectedwindownetworkingsharesDirectorytraversalattacktoanIISserverInformationleakagevianullsessionconnectionsWhenWindowNTandWindows2000computersneedinformationfromeachother,theyopenanullsessionbetweenthem.Attackershijackthisfunctiontopenetrateahostandgainprivilegedaccesstoit.TopWindowVulnerabilitiesLMHashNTandWin2000havemaintainedacertainlevelofbackwardcompatibilitywithit.OneofthemisthatitstorestheLANManager(anoutdatedLANsoftware)hashedpasswordsontheNTorWin2000server.ThesepasswordscanbebrokenfairlyeasilybecausetheLMhashingisveryweak.TopUNIXVulnerabilitiesBufferoverflowsinRPCservicesMultipleDDosattackshaveusedRPCtocreatetheirzombies.Youshouldapplythemostcurrentpatchesforthem.SendmailvulnerabilitiesSendmailhasmanyandvariousflaws.Sendmailmusthavethemostcurrentversionpossibleandbefullypatched.Thedaemonmodeversionshouldbeturnedoffunlessactuallyneeded(relayserverorsendmailserver)TopUNIXVulnerabilitiesBINDWeaknessBerkeleyInternetNameDomainisaDNSpackagethatisverywidelydeployed.ItisknowntohavemultipleweaknessDefaultinstallationsofUNIXpackagesoftenincludetheBINDdaemon;disableitunlessthisisactuallyanameserverrCommandrlogin,rsh,…allowasingleadministratortomanagemultiplehostsatdifferentphysicallocations.Ifanattackergainsaccess,oneoftheearlystepstheywilltakeistoenablercommandsTopUNIXVulnerabilitiesLPDTheLinePrinterDaemonissubjecttobufferoverflow.Ifitishandedtoomanyprintjobsintoolittletime,itwilleithercrashorrunarbitrarycodewithelevatedprivileges.Disableitifitdoesnotneedtobeaprintserver.TopUNIXVulnerabilitiessadmindandmountdsadmindisasystemadmindaemonthatprovideremoteadministrationofSolarishostsviaaGUI.mountdisthefile-mountingdaemon.Bufferoverflowscanresultinattackersgainingaccesswithrootprivileges.TheyshouldnotberunningonhostsaccessiblefromtheInternet.TopUNIXVulnerabilitiesDefaultSNMPstringSimpleNetworkManagementProtocol(SNMP)revealsagreatdealofinformationofwhatgoesoninthenetwork.Itcanmanagedevicesonthenetworktoo.Theonlymeansofauthenticationisanunencryptedcommunitystringanditisinsecure.FilterSNMPatyouringressrouters.MakeyourManagementInformationBasePackets(MIBs)readonly.PhysicalAttackNaturaldisasterUnnaturaldisaster(intentional)Unnaturaldisaster(un-intentional)NaturalDisasterDisasterwithadequatewarningMajorweathereventssuchashurricanes,typhoons,andcyclones,alongwithmajorwinterstormsIfyourpropertiesareinthisarea,youshouldhaveaplanthatencompasshowtoensureyournetworkkeepsfunctioningintheseevents.BasementfloodingLargequantitiesofwind-blownraintoenterwhenwindowsbrokenNaturalDisasterDisasterwithmodestwarningMan-madefloodingintobuildingDebrisflowsLandslidesFiresNaturalDisasterDisasterWithNoRealWarningEarthquakesVolcaniceruptionsUnnaturaldisaster(Intentional)Terroristshaveaveryhighsuccessrateinmeetingtheirimmediategoals,butaterribleoneinachievinganyformoflong-termsuccessPhysicalattackandCyberattackUnnaturaldisaster(Intentional)PhysicalattackBombPhysicaldestructiontobuildingsandtheircontentsElectromagneticPulsebomb(EMB)Asurgeofelectromagneticforcethattransfersomeofitsenergytoanyelectricitycarryingmediumitpassesthrough.Ifthepulseislarge,thecircuitrycanbemelted.Ifnot,itflowsdownthecircuitunititmeetsaninterfaceincapableofcarryingtheload,atwhichpointdamageoccurs.Unnaturaldisaster(Intentional)Chemical,biological,and/orradiologicalattack(CBR)Toxic,Contamination,sowconfusionanddoubtUnnaturaldisaster(Intentional)CyberattackobjectivesCyber-kidnappingTheremovaloffilesandbackup,suchascriticalinformationonaresearchprojectornewproductStealingthesourcecodesExtortionThreateningtodamageyoursystem,toremovethosecriticalfiles,toselltheinformationtoyourcompetitorsorexposethedataunlessyoupayUnnaturaldisaster(Intentional)CombinedAttacksImagineaphysicalattackinamajorpopulationcenterandaddacyber-attackthatclogstheInternetduetoawormorDDosattackUnnaturalDisaster(Unintentional)Serviceoutages(temporaryterminated)Accidents:Fiberspur(branch)linecutbyboring(drilling)equipment,…PoordesignPoorinfrastructureMisconfiguringroutingequipmentSoftwarecausedproblemsTheUnsinkableShipSankSurvivabilityModernsocietyisirreversiblydependentonlarge-scalecriticalinfrastructuresystemstosustainqualityoflife,economicgrowth,andnationalsecurity.Asaresult,societyfacesuncountable,butgenerallyacknowledgedassubstantial,risksofsystemfailureorcompromisewithpotentiallyseriousconsequences.SurvivabilitySurvivabilityfocusisonthesystemmissionAssumeimperfectdefensesandcomponentfailureAnalyzemissionrisksandtradeoffsIdentifydecisionpointswithsurvivabilityimpactProviderecommendationswithbusinessjustificationSurvivabilityDefinedSurvivabilityAsanemergingdiscipline,survivabilitybuildsonrelatedfieldsofstudy(e.g.,security,faulttolerance,safety,reliability,reuse,performance,verification,andtesting)andintroducesnewconceptsandprinciples.Survivabilityfocusesonpreservingessentialservices,evenwhensystemsarepenetratedandcompromisedSurvivabilitySurvivabilitydesignappliesresistance,recognition,andrecoverystrategiestomaintainessential-serviceworkflowswherepossibledespitecompromisedcomponents.The“ThreeRs”ofSurvivabilitySurvivabilityAsurvivablesystemisonethatsatisfiesitssurvivabilityspecificationofessentialservicesandadverseenvironments.Onthesystemside,survivabilityspecificationscanbedefinedbyessential-servicetracesthatmapessential-serviceworkflows,derivedfromuserrequirements,intosystemcomponentdependenciesandrequiredsurvivabilityattributes.SurvivabilityOntheenvironmentside,survivabilityspecificationscanbedefinedbyintrusiontracesthatmapintruderworkflows,derivedfromattackpatterns,intocompromisablesystemcomponents.Bothessential-serviceandintruderworkflowscaninducethedefinitionofevaluationmodelsforsurvivabilitytesting.SurvivableNetworkAnalysisSNAMethodSentinelSurvivabilityMapSentinelSurvivabilityMapSurvivabilityRequirementsImpactSurvivabilityImpact-1SurvivabilityImpact-2NewApproachToSurvivabilityFigure1depictsthedual-thread,three-stageapproachtosurvivabilityresearchanddevelopment.Thesurvivabilityisaddressedfromboththesystemside,intermsofspecificationanddesignforessential-servicepreservation,andfromtheenvironmentside,intermsofintrusionspecificationandanalysis.NewApproachToSurvivabilityNewApproachToSurvivabilityFigure2depictstherelationshipofsurvivabilityactivitiesandworkproductstotheoveralldevelopmentlifecycle.Servicetraces,intrusiontraces,andevaluationmodelsareembeddedwithinandsupportthelargeractivitiesofsystemspecification,design,andtesting.Survivabilityrequirementsandattackpatternsdrivethedefinitionofessential-serviceandintruderworkflows,respectively.NewApproachToSurvivabilityTheseworkflowsare,inturn,expandedintoarchitecturetraces,whichdrivetheselectionandintegrationofsurvivabilitystrategiesindesignandcontributetothedefinitionofthetestingenvironment.NewApproachToSurvivabilityTheOperationalContinuityPlanRedundancyisexpensiveNotbeingredundantisevenmoreexpensiveDesignYourWayOutofTroubleSinglepointfailureHighercostformoreconnectionAvoidsinglepointfailureCanreacheachrouterfromthecenterrouterDesignYourWayOutofTroubleTreestructureDesignYourWayOutofTroubleTreestructurewithmultipleconnectionsDefenseInDepthThefirstlineofdefenseareyourknowledgeableISstaffandemployeeTheexternalrouters(withfilter:accesslists)areyoursecondlineofdefenseFirewallsaremorelikelythethirdDesignYourWayOutofTroubleMorepracticaltopologyPublicAreaSecondlinedefenseThirdlinedefenseThePriceofDefensePerformance(suffering)orThecostofPerformance(Networkequipments)TheOperationalContinuityPlanToprepareforoperationalcontinuity,youmustanswersomequestionsWhatNetwork’scapabilitiesarecritical?Whatfacilitiesprovidethosecapability?Willtheentirecapabilitiesneedtobereplaced?Canotherexistingfacilitiesprovidethosefunctionsnow?Doeseveryoneknowwhowillgetwhat?Doestheredundantlocationhavetheinformationneededtofunction?TheOperationalContinuityPlanDoeseveryoneknowhowtoactivatetheredundancy?Hastheprocedureeverbeentested?Wasitretestedtocheckthefixes?Isthereacriticalpersonhere?Whatistheprobablecostifyounotprovideredundancy(nomoreservices)?Howlongcanyouoperateinthismode?WhomustbenotifiedinternallyandexternallyOnSeptember11SuccessStoryAfterSeptember11LehmanBrothersAmajorfinancialservicesfirm.Itsheadquarterswerein1,2,and3WorldFinancialCenterandinTowerOne.Duringthechaos,theCTOtriggeredLehman’sdisasterrecoveryplanandalertedtheCIO,whowasworkingfromLondononSeptember11.Lehmanlostatotalof5,000desktops,itsentireNewYorkdatacenter,andalltheassociatednetworkingequipment.SuccessStoryAfterSeptember11However,thecompanylostnoinformationLehman’sdisasterplanallowedforthecompletelossofeitherofthetwodatacenters.ThedisasterrecoveryplanensuredcompleteredundancyassuredLehman’scontinuity..SuccessStoryAfterSeptember11ThebackupfacilityisinNewJersey.AfiberlinkconnectedToweronewiththeofficesintheWFCandcontinuedtothebackupsite.Thewide-arealinkswereredundant,andthebackupsitehadadatacenteridenticaltotheoneinTowerOne.Allbranchofficesconnectedtobothdatacenters,andthecentersreplicatedtoeachotherautomatically.PreparingforDisasterThedefinitionofsurvivaldependsonthebusiness’sneeds.Oncethebusiness’sneedsareunderstood,youcantaketheprocesstothenextstepanddefinewhatyournetworkmustbeabletodotosupportthebusiness’ssurvivalIfthebusinessdoesnotcontinue,keepingthenetworkgoingisnotimportant.However,alackofcontinuityensurestheabsenceinbusiness.PreparingforDisasterSurvivalRequirementofNetworkContinuityWhatthebusinessrequirestocontinueinoperationWhatitmustdeliverTowhomWhatdegreeofreponsivenessWhenthosecapabilitiesmustbepresentHowtoprovideitPreparingforDisasterExampleSTLNetworkServicesInc.AnetworkserviceproviderProvideacompleteexternalconnectivitytoitsbusinesscustomersServesasanISP,providingWANconnectivitybetweencustomersites,managedextranetsamongitscustomers,VPNs.STLwantstooffernetworkcontinuity,evenintheeventofadisaster,asapremiumservice.SurvivableNetworkAnalysisDefinethemissionoftheSTLnetworkintermsofhigh-levelessentialservicesProvidenetworkcontinuitywithintheSTLmanagementnetworkProvidethefollowingservicestoSTLcustomers:ISPservicesVPNservicesWANservicesSurvivableNetworkAnalysisProvidetheseinternalandcustomerservicesonanuninterruptedbasiswithintheSTLnetworkProvideuninterruptedaccesstoexternalnetworkswhenthetraffic’sdestinationliesbeyondSTL’sdirectconnectivitySurvivableNetworkAnalysisSurvivableNetworkAnalysisDecomposethehigh-levelservicesintotheirconstituentservicesuntiltheleveloffundamentalprocessesonthenetworkelements.Eachfundamentalprocesseswillhavemission-criticalattributes(quantitativeandqualitative)relatedtosecurity,safety,reliability,performance,and/orusability.SurvivableNetworkAnalysisSurvivableNetworkAnalysisSTLisprovidingfourhigh-levelservices:ContinuityofitsnetworkmanagementabilityISPservicesVPNservicesWANservicesSurvivableNetworkAnalysisContinuityofitsnetworkmanagementabilityAseparatenetworksubsystemsmustbeused;atleastaprioritizationsystemmaybeusedISPservicesThesubordinateservicesincludeInternetconnectivity,DHCPaddressassignmentforbusinessesthatdonotwanttoadministeritthemselves,DNS,andWebhostingservicesSTLprovideseachoftheISPservicesitsownattributesSurvivableNetworkAnalysisVPNservicesTheessentialservicesaretunnelingandencryptionsupportAttributesinbothcasesemphasizethesecurityofthecustomer’straffic,thereliabilityofthenetworkservice,andtheperformance–securitymustnotseriouslydelaythroughputSurvivableNetworkAnalysisWANservicesProvideaseriesofpoint-to-pointlinksbetweenofficesofcustomers,betweenthemandparentorganizations,andbetweencustomer’sofficesandtheirextranetpartners.Nosubordinatesservices;essentialattributesfocusonreliabilityandperformanceReturningfromtheWildernessCyber-RecoveryTwoeffortsmustproceedsimultaneouslyOperationalProceduresForensicProceduresReturningfromtheWildernessOperationalProceduresPrimarytasksaretodetermineWherethesystemsarecompromisedThenatureofthecompromiseUndothedamageReturningfromtheWildernessSecondtasksDeterminetheextenttowhichwormhasalreadyreachedsothatthelogicalareacanbecontainedincyber-quarantine.EnsurethathostsinthepathofinfectionarevaccinatedAnti-virussoftwarehasthelatestupdatesOSandapplicationsoftwarehavethelatestpatchesUnnecessaryserviceshavebeenremovedReturningfromtheWildernessForensicProceduresMaytakealegalactionCollectthecyberattackinformationandprovehowyoucollecteditislegallyimportant.Nottodisclosetomanypeoplealloftheinformationyoucollect.YouwillneedtheanswerstothefollowingquestionsHowyouwerepenetratedWhenyouwerepenetratedReturningfromtheW