Post on 19-Dec-2015
Copyright Security-Assessment.com, Qualys Inc, 2005
Moving Security Enforcement
into the Heart of the Network
Peter Benson
CEO, Security-Assessment.com
October, 2005
Agenda
• Evolution of Threats
• Why Network Access Control Matters
• The Laws of Vulnerabilities
• Network Access Control Architectures
• Summary and Action
Security Trend Indicators
• Malicious Code (↑)
• Vulnerabilities (↑)
• Spam and Spyware (↑)
• Phishing and Identity Theft (↑)
… and
• Time to Exploitation (↓)
Where are the issues?
• A multitude of insecure protocols and services – telnet, ftp, snmp
• Known default settings – passwords, SNMP community strings
• System design errors – setup and access control errors
• Software implementation flaws – input validation, lack of sanity checks
• User-triggered issues – email and browser related
First Generation Threats
• Spreading mostly via email, file-sharing
• Human action required
• Virus-type spreading / no vulnerabilities
• Examples: Melissa Macro Virus, LoveLetter VBScript Worm
• Replicates to other recipients
• Discovery/Removal: Antivirus
Second Generation Threats
• Active worms
• Leveraging known vulnerabilities
• Low level of sophistication in spreading strategy (i.e. randomly)
• Non-destructive payloads
• Remedy: Identify and fix vulnerabilities
Third Generation Threats
• Automated attacks leveraging known and unknown vulnerabilities
• Collaboration of social engineering and automated attacks
• Multiple attack vectors
– Email, Web, IM, Vulnerabilities, …
• Active payloads
• Remedy: Security Enforcement / Network Access Control
Evolution of Network Access Control
• Today:
– Static network access
– Every device is permitted
– Infected or unhealthy devices are frequently the root of an outbreak
• Tomorrow:
– Dynamic network access based on policies
– Screening devices before granting access
– Infected or unhealthy devices should be treated separately
“Anyone can build a stop sign – or even a traffic light – but it takes a different mind-set entirely
to conceive of a city-wide traffic control system.”
Bruce Schneier – Beyond Fear
Building Blocks of Network Access Control
• Assessment of endpoint security
• Decision making based on policy compliance
• Admission enforcement at the network infrastructure
• Quarantining/remediation of unhealthy devices
A Common Framework for Network Access Control
[Diagram: a Client connects through the Network Access Infrastructure, which consults a Policy Manager and places the client on either the Main Network or the Quarantine Network.]
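As an added example (not code from the talk or from any NAC vendor), the following Python sketch shows how the four building blocks fit together in a policy manager: a posture report stands in for the endpoint assessment, assess() is the policy decision, enforce() is what the network access infrastructure applies, and a quarantined host receives the list of what it must remediate. Every field name, the policy values (MS04-011 and MS04-007 as required patches, telnet/ftp/snmp as forbidden services, a 7-day signature age) and the segment labels are assumptions for illustration; the two sample endpoints are constructed.

```python
"""Added example: a minimal NAC policy-manager decision covering the four
building blocks (endpoint assessment, policy decision, admission enforcement,
quarantine/remediation). Not code from the talk or any vendor; every field
name, policy value and network label below is an assumption."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import FrozenSet, List, Optional


class Decision(Enum):
    MAIN_NETWORK = "main network"       # healthy: full access
    QUARANTINE = "quarantine network"   # unhealthy: remediation hosts only
    DENY = "deny"                       # no posture report: nothing admitted


@dataclass(frozen=True)
class Posture:
    """Endpoint assessment as a client agent (or an agent-less scan) reports it."""
    host: str
    installed_patches: FrozenSet[str]   # e.g. {"MS04-011", "MS04-007"}
    av_signature_date: Optional[date]   # None: no antivirus found
    firewall_enabled: bool
    listening_services: FrozenSet[str]  # e.g. {"telnet", "snmp"}


@dataclass(frozen=True)
class Policy:
    required_patches: FrozenSet[str]
    max_signature_age: timedelta
    forbidden_services: FrozenSet[str]
    require_firewall: bool = True


@dataclass
class Result:
    decision: Decision
    findings: List[str] = field(default_factory=list)  # remediation list


# Destinations a quarantined host may still reach to fix itself (assumed names).
REMEDIATION_TARGETS = ("patch-server", "av-update-server")


def assess(posture: Optional[Posture], policy: Policy, today: date) -> Result:
    """Policy decision: compare a posture report with policy.

    A device that sends no report is denied rather than admitted, so a silent
    or unmanaged host never lands on the main network by default. Any policy
    violation sends the host to quarantine with its remediation list; a clean
    host is admitted to the main network.
    """
    if posture is None:
        return Result(Decision.DENY, ["no posture report received"])

    findings: List[str] = []
    for patch in sorted(policy.required_patches - posture.installed_patches):
        findings.append(f"missing critical patch {patch}")
    if posture.av_signature_date is None:
        findings.append("no antivirus detected")
    elif today - posture.av_signature_date > policy.max_signature_age:
        findings.append(
            f"antivirus signatures older than {policy.max_signature_age.days} days")
    if policy.require_firewall and not posture.firewall_enabled:
        findings.append("host firewall disabled")
    for svc in sorted(policy.forbidden_services & posture.listening_services):
        findings.append(f"insecure service listening: {svc}")

    if findings:
        return Result(Decision.QUARANTINE, findings)
    return Result(Decision.MAIN_NETWORK)


def enforce(result: Result) -> dict:
    """Admission enforcement: translate the decision into the segment and the
    reachable destinations the network access infrastructure should apply.
    Deny and quarantine both keep the host off the main network; quarantine
    additionally allows the remediation servers so the host can be fixed."""
    if result.decision is Decision.MAIN_NETWORK:
        return {"segment": "main", "allow": ("any",)}
    if result.decision is Decision.QUARANTINE:
        return {"segment": "quarantine", "allow": REMEDIATION_TARGETS}
    return {"segment": "none", "allow": ()}


# Constructed sample data using patches and services named on the slides.
POLICY = Policy(
    required_patches=frozenset({"MS04-011", "MS04-007"}),  # LSASS, ASN.1
    max_signature_age=timedelta(days=7),
    forbidden_services=frozenset({"telnet", "ftp", "snmp"}),
)
TODAY = date(2005, 10, 1)
HEALTHY = Posture("ws-healthy", frozenset({"MS04-011", "MS04-007", "MS05-019"}),
                  date(2005, 9, 29), True, frozenset({"https"}))
UNHEALTHY = Posture("ws-unhealthy", frozenset({"MS04-007"}),
                    date(2005, 8, 15), False, frozenset({"telnet", "smb"}))

if __name__ == "__main__":
    for p in (HEALTHY, UNHEALTHY, None):
        r = assess(p, POLICY, TODAY)
        print(getattr(p, "host", "<silent host>"), r.decision.value, enforce(r), r.findings)
```

The deny-by-default branch is the practitioner's point: under today's "every device is permitted" model a host that cannot be assessed gets full access, whereas here the absence of a report is itself a reason to withhold admission.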
Why Network Access Control Matters
• Objective: Understanding the prevalence of critical vulnerabilities over time in the real world
• Timeframe: January 2002 - ongoing
• Data source:
– 70% global enterprise networks
– 30% random trials
• Methodology: Automatic data collection, statistical data only – no possible correlation to individual users or systems
Raw Results
• Largest collection of global real-world vulnerability data:
– 14,818,000 IP scans since the beginning of 2002
– 2,275 out of 3,374 unique vulnerabilities detected in the real world
– 3,834,000 total critical* vulnerabilities found
– 1,031 out of 1,504 unique critical vulnerabilities detected in the real world
• Analysis performed:
– Identifying the window of exposure
– Lifespan of critical vulnerabilities
– Resolution response
– Trend over time
– Vulnerability prevalence
* Critical: providing an attacker the ability to gain full control of the system and/or leakage of highly sensitive information. For example, vulnerabilities may enable full read and/or write access to files, remote execution of commands, and the presence of backdoors.
WebDAV CAN-2003-0109
[Chart: detections over time, 3/29/2003 to 7/3/2004; y-axis 0 to 3000]
Microsoft Windows 2000 IIS WebDAV Buffer Overflow Vulnerability, CAN-2003-0109, Qualys ID 86479, Released: March 2003
WU-FTPd CVE-2001-0550
[Chart: detections over time, 11/23/2002 to 7/3/2004; y-axis 0 to 600]
WU-FTPd File Globbing Heap Corruption Vulnerability, CVE-2001-0550, Qualys ID 27126, Released: November 2001
Microsoft ASN.1 CAN-2003-0818
[Chart: detections over time, 2/21/2004 to 7/3/2004; y-axis 0 to 18000]
Microsoft Windows ASN.1 Library Integer Handling Vulnerability, CAN-2003-0818, Qualys ID 90103, Released: February 2004
Microsoft LSASS CAN-2003-0533
[Chart: detections over time, 4/17/2004 to 7/3/2004; y-axis 0 to 70000]
Buffer overflow in Microsoft Local Security Authority Subsystem Service (LSASS), CAN-2003-0533, Qualys ID 90108, Released: April 2004
External vs. Internal Vulnerabilities
[Chart: percentage of vulnerable systems fixed (25% to 100%) against time in 21-day steps, 21 to 189 days]
For a critical vulnerability, every 21 days (62 days on internal networks) 50% of vulnerable systems are being fixed.
SSL Server Allows Cleartext Communication
[Chart: detections over time, 3/8/2003 to 6/26/2004; y-axis 0 to 1200]
SSL Server Allows Cleartext Communication, Qualys ID 38143
SQL Slammer Vulnerability
[Chart: detections over time, 2/8/2003 to 6/8/2004; y-axis 0 to 600]
MS-SQL 8.0 UDP Slammer Worm Buffer Overflow Vulnerability, CAN-2002-0649, Qualys ID 19070, Released: July 2002
A Continuous Cycle of Infection
[Chart: y-axis 0 to 70; worms shown: Sasser, CodeRed, Nachi, Blaster]
Vulnerability Lifespan
[Chart: percentage of vulnerable systems fixed (25% to 100%) against time in 21-day steps, 21 to 126 days]
The lifespan of some vulnerabilities and worms is unlimited.
The Impact of an Exploit
[Chart: percentage of vulnerable systems fixed (25% to 100%) against time in 21-day steps, 21 to 126 days; examples marked: Witty, Sasser, Blaster]
80% of worms and automated exploits are targeting the first two half-life periods of critical vulnerabilities.
Mapping Vulnerability Prevalence
[Chart: Vulnerability Prevalence (y-axis 0 to 700,000) against individual vulnerabilities]
The Changing Top of the Most Prevalent Vulnerabilities

Vulnerability | CVE | Half-year snapshots in which it ranked among the most prevalent (Jul-02, Jan-03, Jul-03, Jan-04, Jul-04; one x per snapshot)
Apache Mod_SSL Buffer Overflow Vulnerability | CVE-2002-0082 | x
Microsoft Exchange 2000 Malformed Mail Attribute DoS Vulnerability | CVE-2002-0368 | x
Microsoft Index Server and Indexing Service ISAPI Extension Buffer Overflow Vulnerability | CVE-2001-0500 | x x
Microsoft IIS FTP Connection Status Request Denial of Service Vulnerability | CVE-2002-0073 | x x
Microsoft IIS Chunked Encoding Transfer Heap Overflow Vulnerability | CVE-2002-0079 | x x
Microsoft IIS HTR ISAPI Extension Heap Overflow Vulnerability | CVE-2002-0364 | x x
Microsoft IIS 4.0/5.0 Extended UNICODE Remote Execution Vulnerability | CVE-2000-0884 | x x x
Microsoft IIS CGI Filename Decode Error Vulnerability | CVE-2001-0333 | x x x
Microsoft IIS Malformed HTR Request Buffer Overflow Vulnerability | CVE-2002-0071 | x x x
Microsoft IIS HTR Chunked Encoding Transfer Heap Overflow Vulnerability | CVE-2002-0364 | x x x x
Apache Chunked-Encoding Memory Corruption Vulnerability | CVE-2002-0392 | x x x x x
OpenSSH Challenge-Response Authentication Integer Overflow Vulnerability | CVE-2002-0639 | x x x x x
Multiple Vendor SNMP Request And Trap Handling Vulnerabilities | CAN-2002-0012 | x x x
ISC BIND SIG Cached Resource Record Buffer Overflow (sigrec bug) Vulnerability | CAN-2002-1219 | x x x
Microsoft Windows 2000 IIS WebDAV Buffer Overflow Vulnerability | CAN-2003-0109 | x x x
Sendmail Address Prescan Possible Memory Corruption Vulnerability | CAN-2003-0161 | x x x
Microsoft SMB Request Handler Buffer Overflow Vulnerability | CAN-2003-0345 | x x
Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability | CAN-2003-0352 | x x x
Microsoft DCOM RPCSS Service Vulnerabilities | CAN-2003-0528 | x x
Microsoft Messenger Service Buffer Overrun Vulnerability | CAN-2003-0717 | x
Buffer Overflow in Microsoft Local Security Authority Subsystem Service (LSASS) | CAN-2003-0533 | x
Microsoft RPCSS Code Execution Variant | CAN-2003-0813 | x
Microsoft Windows ASN.1 Library Integer Handling Vulnerability | CAN-2003-0818 | x

50% of the most prevalent and critical vulnerabilities are being replaced by new vulnerabilities on an annual basis.
Top 10 External (Most Prevalent and Critical Vulnerabilities) as of June, 2005

Title | Qualys ID | CVE Reference | External Reference
Microsoft Windows ntdll.dll Buffer Overflow Vulnerability | 86479 | CAN-2003-0109 | MS03-007
Buffer overflow in Microsoft Local Security Authority Subsystem Service (LSASS) | 90108 | CAN-2003-0533 | MS04-011
Buffer Management Vulnerability in OpenSSH | 38217 | CAN-2003-0693 | CA-2003-24
Sendmail Prescan() Variant Remote Buffer Overrun Vulnerability | 50080 | CAN-2003-0694 | CA-2003-25
Microsoft Windows RPC Runtime Library Vulnerability | 68528 | CAN-2003-0813 | MS04-012
Microsoft Windows ASN.1 Library Integer Handling Vulnerability | 90103 | CAN-2003-0818 | MS04-007
Windows TCP/IP Remote Code Execution and Denial of Service Vulnerabilities | 09244 | CAN-2005-0048 | MS05-019
Writeable SNMP Information | 78031 | N/A | N/A
Unauthenticated Access to FTP Server Allowed | 27210 | N/A | N/A
SSL Server Allows Cleartext Communication Vulnerability | 38143 | N/A | N/A
Top 10 Internal (Most Prevalent and Critical Vulnerabilities) as of June, 2005

Title | Qualys ID | CVE Reference | External Reference
Microsoft SQL Weak Database Password | 19001 | CAN-2000-1209 | N/A
Buffer overflow in Microsoft Local Security Authority Subsystem Service | 90108 | CAN-2003-0533 | MS04-011
Microsoft Messenger Service Buffer Overrun Vulnerability | 70032 | CAN-2003-0717 | MS03-043
Microsoft Windows RPC Runtime Library Vulnerability | 68528 | CAN-2003-0813 | MS04-012
Microsoft Windows ASN.1 Library Integer Handling Vulnerability | 90103 | CAN-2003-0818 | MS04-007
Microsoft Buffer Overrun in JPEG Processing | 90176 | CAN-2004-0200 | MS04-028
Adobe Acrobat Reader Format String Vulnerability | 38385 | CAN-2004-1153 | N/A
Microsoft Server Message Block Remote Code Execution | 90230 | CAN-2005-0045 | MS05-011
Microsoft Internet Explorer Multiple Vulnerabilities | 100025 | CAN-2005-0553 | MS05-020
Microsoft Word Vulnerability Could Allow Remote Code Execution | 110031 | CAN-2005-0558 | MS05-023
Goal: Shortening the Half-Life of Critical Vulnerabilities for Internal Systems to 40 Days
[Chart: percentage of vulnerable systems fixed (25% to 100%) against time in 62-day steps, 62 to 372 days; curves for 2004 and 2005]
• Awareness
• Prioritization
• Enforcement
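The half-life slides describe a simple exponential model: if 50% of the vulnerable systems are fixed every h days, the fraction still vulnerable after t days is 0.5^(t/h). The following Python module is an added example (not code or exact figures from the talk) that works that model through for the three half-lives the talk quotes, 21 days external, 62 days internal in 2004 and the 40-day 2005 goal: the fraction remaining, the time to reach a given fix rate, the mean exposure over a window such as the two half-lives in which the talk places 80% of worms, and the exposure at an assumed exploit day. The exploit day of 30 and the 60-day window are constructed for illustration.

```python
"""Added example: the half-life model behind the "Laws of Vulnerabilities"
slides (external vs. internal half-life, vulnerability lifespan, exploit
timing and the 40-day goal). The formulas and their interpretation are this
example's, not code or exact results from the talk."""
import math

# Half-lives quoted in the talk: days until 50% of vulnerable systems are fixed.
EXTERNAL_HALF_LIFE = 21.0   # external-facing systems
INTERNAL_HALF_LIFE = 62.0   # internal systems, 2004
INTERNAL_GOAL = 40.0        # 2005 target for internal systems


def remaining_fraction(days: float, half_life: float) -> float:
    """Fraction of originally vulnerable systems still unpatched after `days`,
    assuming the 50%-per-half-life law holds at every point in time."""
    return 0.5 ** (days / half_life)


def days_until_fixed(fraction_fixed: float, half_life: float) -> float:
    """Days until `fraction_fixed` of vulnerable systems are patched (the
    inverse of remaining_fraction). 100% is never reached, which is the
    talk's 'lifespan of some vulnerabilities is unlimited' point."""
    if not 0.0 <= fraction_fixed < 1.0:
        raise ValueError("fraction_fixed must be in [0, 1)")
    return -half_life * math.log2(1.0 - fraction_fixed)


def mean_exposure(window_days: float, half_life: float) -> float:
    """Average fraction of systems exposed over the first `window_days`:
    (1/W) * integral_0^W 2^(-t/h) dt = h / (W ln 2) * (1 - 2^(-W/h)).
    With W = two half-lives this is the window in which the talk places
    80% of worms and automated exploits; the value is then 0.75 / (2 ln 2),
    about 54%, independent of h."""
    if window_days <= 0:
        raise ValueError("window must be positive")
    return (half_life / (window_days * math.log(2))
            * (1.0 - remaining_fraction(window_days, half_life)))


def exposure_comparison(exploit_day: float) -> dict:
    """Fraction of hosts still vulnerable when an exploit appears on
    `exploit_day`, for the three half-lives the talk quotes. Shortening the
    internal half-life from 62 to 40 days is what moves the middle figure."""
    return {
        "external (21d)": remaining_fraction(exploit_day, EXTERNAL_HALF_LIFE),
        "internal 2004 (62d)": remaining_fraction(exploit_day, INTERNAL_HALF_LIFE),
        "internal goal (40d)": remaining_fraction(exploit_day, INTERNAL_GOAL),
    }


if __name__ == "__main__":
    # Day 30 and the 60-day window are constructed values, not from the talk.
    for label, frac in exposure_comparison(30).items():
        print(f"{label:>20}: {frac:.0%} of systems still vulnerable at day 30")
    for h in (EXTERNAL_HALF_LIFE, INTERNAL_HALF_LIFE, INTERNAL_GOAL):
        print(f"half-life {h:>4.0f}d: 90% fixed after {days_until_fixed(0.9, h):6.1f} days, "
              f"mean exposure over the first 60 days {mean_exposure(60, h):.1%}")
```

The model is deliberately the talk's own idealisation: a constant half-life assumes the patch rate never slows, whereas the "continuous cycle of infection" slide shows a long tail of systems that are never fixed, so the computed fractions are a lower bound on real exposure in that tail.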
Network Access Control Industry Initiatives
• Cisco Network Admission Control (NAC)
– Leveraging Cisco networking devices to control access
– Evaluation of devices via agent (CTA) or agent-less
• Microsoft Network Access Protection (NAP)
– Client-side system health agent
– Server-side system health validator
• TCG Trusted Network Connect (TNC)
– Open software architecture for policy-based access
– Cross-vendor architecture
Cisco NAC Architecture
[Diagram, source: Cisco. Components: Hosts Attempting Network Access (running the Cisco Trust Agent), Network Access Devices, and Policy Server Decision Points (the AAA Server (ACS) and Vendor Servers). Labelled flows: the host presents credentials to the network access device over EAP/UDP or EAP/802.1x; the device forwards the credentials to the ACS over RADIUS; the ACS passes credentials to vendor servers over HTTPS; the policy servers answer "Comply?"; access rights are returned to the network access device, which performs enforcement, and a notification goes back to the host. The diagram numbers these steps 1 to 6 with a 2a branch for the vendor-server check.]
Microsoft NAP Architecture
[Architecture diagram; source: Microsoft]
TCG Trusted Network Connect Architecture
[Architecture diagram; source: Trusted Computing Group]
Vernier Networks EdgeWall Architecture
[Diagram, source: Vernier Networks. Components: EdgeWall, Control Server, Authentication Service, Patch Management and Vulnerability Servers. Steps: 1) Credentials; 2) Authentication; 3) Local compliance check; 4) Integrity data; 5) User access rights.]
Network Access Control Challenges
• Impact on / interoperability with existing infrastructure
• Agent-based vs. agent-less approaches
• Continuous vs. initial device evaluation
• Interoperability between different architectures
Why Network Access Control is Important
• Reduced risk of outbreak due to infected endpoints
• Safe access to networks through VPN access
• Controlled remediation and patching of unhealthy endpoints
• Increased security of corporate resources
• Increased compliance with regulatory requirements