Planning for Survivable Networks: Ensuring Business Continuity

Annlee Hines

Wiley Publishing, Inc.


0123284X FM.F 6/28/02 9:36 AM Page iii

Publisher: Robert Ipsen
Editor: Carol A. Long
Developmental Editor: Adaobi Obi
Managing Editor: Micheline Frederick
Text Design & Composition: Wiley Composition Services

Designations used by companies to distinguish their products are often claimed as trademarks. In all instances where Wiley Publishing, Inc., is aware of a claim, the product names appear in initial capital or ALL CAPITAL LETTERS. Readers, however, should contact the appropriate companies for more complete information regarding trademarks and registration.

    This book is printed on acid-free paper.

    Copyright 2002 by Annlee Hines. All rights reserved.

Published by Wiley Publishing, Inc., Indianapolis, Indiana
Published simultaneously in Canada

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspointe Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4447, E-mail: [email protected].

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

    Library of Congress Cataloging-in-Publication Data:

    ISBN: 0-471-23284-X

    Printed in the United States of America

    10 9 8 7 6 5 4 3 2 1


For Eric and Aylyffe

    sine qua non


Contents

Foreword  xiii

Chapter 1  Introduction  1
    Network Continuity  2
    Define Survival  3
    In Defense of Paranoia  4
    By the Numbers  5
    Borrow from Einstein  6
    Think the Unthinkable  8
    Plan to Survive  8
    Choice versus Chance  10

Chapter 2  Network Threats  11
    Kinds of Attacks  12
        Immature Hands  13
            Voyeurs  14
            Testers  18
            Deliberate Attackers  19
        Mature Hands  26
            Industrial Espionage  27
            Fraud/Theft  29
            Record Alteration  31
            Extortion  33
    Externalities  33

Chapter 3  Tactics of Mistake  35
    TCP/IP  36
    Probes  43
    Viruses  45
    Worms  46
    Trojan Horses  48
    Denial of Service/Distributed DoS  49
    Sample Attack  51
        Means  55
        Opportunity  56

Chapter 4  Murphy's Revenge  57
    System Is Not a Dirty Word  57
        Complexity  58
        Interaction  58
        Emergent Properties  59
        Bugs  59
    Where Opportunity Knocks  60
        Top General Vulnerabilities  61
            #1: Default Installations  61
            #2: Accounts with Weak/No Passwords  62
            #3: Nonexistent or Incomplete Backups  63
            #4: Large Numbers of Open Ports  63
            #5: Not Filtering for Correct Ingress/Egress Addresses  64
            #6: Nonexistent or Incomplete Logging  64
            #7: Vulnerable CGI Programs  65
        Top Windows Vulnerabilities  65
            #1: Unicode Vulnerability  66
            #2: ISAPI Extension Buffer Overflows  66
            #3: IIS RDS Exploit  66
            #4: NETBIOS - Unprotected Windows Networking Shares  66
            #5: Information Leakage via Null Session Connections  67
            #6: LM Hash  67
        Top UNIX Vulnerabilities  68
            #1: Buffer Overflows in RPC Services  68
            #2: Sendmail Vulnerabilities  68
            #3: BIND Weaknesses  68
            #4: r Commands  69
            #5: LPD  69
            #6: sadmind and mountd  69
            #7: Default SNMP Strings  70
        Common Threads  70
    Design Your Way Out of Trouble  72
        Topology  72
            Physical Topologies  72
            Logical Topologies  73
        Defense in Depth  75
            The Price of Defense  78
        Olive-Drab Networks  80
            Benefits  80
            Costs  81
        Converged Networks  82
            The Catch  84
    Operator Error  85

Chapter 5  CQD ... MGY  87
    A Classic Disaster  88
        Lessons from Failure  90
            A Trophy Property  90
            Warning Noted . . .  92
            Train the Way You Will Fight  92
            What Did You Say?  93
            A Scarcity of Heroes  94
        Lessons from Success  94
            Organization  95
            Training  96
            Attitude  97
            A Plan  98
    What Are You Planning For?  99
        Adequate Warning  99
            Not Just Hurricanes  102
            Major Storm Effects  103
        Modest Warning  105
        No Real Warning at All  107
    It's a Scary World, Isn't It?  113

Chapter 6  The Best-Laid Plans  115
    Three Main Points  115
        Operational Continuity  116
            Twenty Questions  117
            A Few More Questions  122
        Getting the People Out  124
            Off-Site  124
            On-Site  125
        Network Assets  126
            Example: Data Services  129
    Lessons Actually Learned  135
        Topology  136
        Facilities  136
        Configuration Control  136
        The Right Tools for the Job  137
    Lessons Potentially Learned  138
        Kudos  138
    Extending the Example  139

Chapter 7  Unnatural Disasters (Intentional)  143
    Physical Attacks  146
        Bombs  147
        Electromagnetic Pulse  147
        Sabotage  148
        CBR Attacks  149
    World Trade Center Examples  153
        Successes  154
            NYBOT  154
            The Wall Street Journal  156
            Lehman Brothers  158
            Lost Access  159
        Less Than Successes  162
            The Local Loop  162
            New York City OEM  164
            The U.S. Secret Service  165
    Cyber-Attacks  166
        Cyber-Kidnapping  166
        Extortion  167
        Easier Targets  167
    Combined Attacks  168

Chapter 8  Unnatural Disasters (Unintentional)  171
    Unfortunate Opportunities  171
        Reportable Outages: They're Everywhere  172
        Route Diversity in Reality  175
        Fire  175
        Required Evacuations  178
    Unfortunate Planning  178
        Yours  178
        Theirs  181
    Unfortunate Implementation  186
        Equipment 1, Plan 0  186
        Solving the Wrong Problem  188
    Candidates  188

Chapter 9  Preparing for Disaster  191
    Define Survival  191
        What Must Roll Downhill  192
        Survival Requirements  194
        Network Continuity Requirements  195
    Threat Analysis  202
        Physical Threats  202
        Cyber-Threats  204
    Operational Analysis  206
    Survival Planning  207
        Fixes  207
        Remedies  210
        Procedures  211
    Survivability Today  213
        Don't Get Too Close  214
        Talk Is Cheap  215
        Data Currency  217
    Trade-offs  218

Chapter 10  Returning from the Wilderness  219
    Cyber-Recovery  220
        Operational Procedures  220
        Forensic Procedures  221
    Physical Recovery  226
        Immediate Operations  226
        Sustained Operations  227
        Restoration  228
    Undress Rehearsal  231
        Exercise Scenario 1: Cyber-Problems  234
        Exercise Scenario 2: Physical Problems  235
    Evolution  236

Chapter 11  The Business Case  243
    Understanding Costs  244
        Fixed and Variable Costs  244
        Direct Costs versus Indirect Costs  245
        Explicit and Implicit Costs  247
        Valid Comparisons  247
    Understanding Revenues  249
        Expected Values  250
    Presenting Your Case  252
        CDG Example  255
            Alternatives Considered  256
            Disaster Summary  256
            Alternatives Summary  259
            Risks Not Mitigated  260
    Finally  262

Chapter 12  Conclusion  263
    Necessity  264
        Basic Defenses You Must Implement  265
        The Deck Is Stacked Against You  266
    Catastrophes Happen  267
        Your Recovery  268
        Trade-offs  270
    Systemic Behavior  270
        Standardization versus Resiliency  272
        Pay Me Now or Pay Me Later  273

Appendix A  References  275
Appendix B  Questions to Ask Yourself  281
Appendix C  Continuity Planning Steps  285
Appendix D  Post-Mortem Questions  289
Appendix E  Time Value of Money  291
Appendix F  Glossary  293
Index  299

Foreword

It is a mistake to try to look too far ahead. The chain of destiny can only be grasped one link at a time.

Winston Churchill

It's true that the events of September 11, 2001 crystallized my thoughts about network survivability, but the thoughts go back much further than that. I became very interested in terrorism while serving in the USAF in Europe, where it was a very real threat, especially to those of us in an American uniform. That interest had been somewhat dormant, but it never really went away. I stayed aware of the threats and how they were evolving; where once terrorists struck only where they could melt away into the populace to live and strike another day, they no longer care about that. This is a watershed, for it changes the nature of the threat: Delivery need no longer be safe for the deliverer. That turns previously untouchable locations into targets.

Since I left the service, I have become a network engineer after owning two businesses, and the bottom-line responsibility I held there changed the way I thought about business; it has also affected how I look at network operations. The network exists only because it brings value to its business. But if it brings value, that value must continue or the business itself may suffer such a degradation of its financial condition that it is in danger of failing. That statement was not always true, but it has become true in the past two decades. Almost unnoticed, networks have indeed become integral to the operations of all major businesses, all around the world.

What is more, we do operate in a global economy, with costs held to their barest minimum in the face of competition from other companies, some of whom operate in other countries, where cost structures are different. If the network is a major factor in your firm's competitiveness, whether from a