Welcome to Volume 4, Issue 1 of The Internet Security Conference newsletter, Insight. Insight provides commentaries and educational columns, authored by some of the best minds in the security community.
TISC is about sharing clue. So is this newsletter. We promise to provide something useful each issue. If we don't, flame me.
Enjoy, and be safe,
Dave
In an Internet-influenced society, resolutions to become better Internet Citizens (netizens) ought to be part of any organization's first orders of business. January is a perfect time to implement some of the proactive measures you've been putting off. Hopefully, you have a more generous budget for security measures in 2002. What should you do?
A good place to begin is to review the major sources of security pain and suffering from last year. A quick scan of the BugTraq archive, security alerts newsletters, CERT advisories and SANS Top 10 lists tells me that worms, DNS attacks, DDOS attacks, SPAM, and assorted unicode/application stream attacks on web servers paint a pretty bleak picture for security, and create lots of work for security administrators.
Having identified sources of security pain and suffering, perhaps your first action should be to take measures to prevent your own systems from becoming sources of other administrators' pain and suffering. In this spirit, Mark Edmead reminds us of how a simple act like Egress Filtering can go a long way to eliminating thorns in your paws as well as the paws of others.
When implementing perimeter security on a network, one of the first things the security architect will do is configure the firewalls and edge (Internet access) routers. Since the main purpose of the "Internet" firewall is to protect the internal or trusted network from the external public Internet, the firewall rule set traditionally focuses on ingress filtering, that is, filters to inspect the incoming data, and block or deny any unwanted packets. What organizations often forget to consider is the filtering of unwanted "outgoing" network traffic, or egress filtering.
You might be asking yourself why you would care about outgoing traffic. Isn't the whole idea of a firewall and/or router to stop unwanted traffic from the un-trusted Internet from coming into your network? Then the goal should be to protect your private network from attacks, correct? This is true, but without the proper security controls in place, an attacker could use your network to siphon sensitive information from a system he's compromised through a worm or backdoor, or attack systems on other trusted networks under your administration. The attacker can also put systems on your trusted networks to use as agents for DDOS attacks, or to perpetrate all manner of attacks against other networks and e-merchant sites, leaving the evidence trail pointing to you.
The main purposes of implementing egress filtering are to (a) prevent packets that contain invalid or incorrect source addresses from leaving your site, and (b) prevent communication from valid addresses to unauthorized or questionable TCP and UDP ports. While these packets could originate from a misconfigured router, it is quite likely that they are coming from a Trojan or backdoor program on a compromised system on your trusted network. This compromised system could also be running a distributed denial of service (DDoS) tool, such as Tribal Flood Network or Trinoo. How the DDoS client actually works is not important for our discussion here. What is important is that once compromised, your system becomes an unwilling participant in an attacker's plan to attack and possibly bring down other systems. Egress address filtering makes it harder for attackers to use your system as a relay site, and similarly careful port filtering can render many backdoors ineffective as well.
Egress address filtering works by denying all directed broadcast packets from being forwarded, and by allowing only those IP addresses assigned by the network administrator to trusted hosts to pass through the firewall. Let's take ICMP packets as an example. Directed broadcasts occur when packets, such as ICMP echo requests, are sent to a network's broadcast address. All of the hosts connected to the subnet will respond to the broadcast. If there were 10 hosts on the network, there would be 10 sets of replies sent out in response to that one ICMP packet. If those responses are allowed to pass through your firewall and onto the Internet, they can be directed to an unsuspecting victim's machine on some remote network, because the replies go to whatever source address the original request carried. All of a sudden, some poor host is getting bombarded with ICMP replies from someone on the Internet. Maybe 10 sets of replies is not a big deal, but imagine this attack being performed against this one host from several hundred or even thousands of other sites at the same time. The unsuspecting victim doesn't stand a chance.
Egress port filtering works by denying all traffic forwarded to ports other than a specific list of "well-known" ports that you, as the administrator, permit according to your organization's appropriate use policy. For example, your organization may permit employees' use of HTTP (TCP 80), POP/SMTP (TCP 110, 25), and DNS (UDP 53). If your egress port filtering denies all other ports, then attempts by malicious code to communicate over any temporarily assigned or ephemeral port will be blocked. Reviewing the firewall logs for all denied egress port traffic will help you determine if an application is trying to send data outside your network.
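To make the two filtering steps concrete, here is an added Python model of the policy described in the last three paragraphs; it is not code from the article, and the address range, permitted port list and Packet layout are assumptions chosen for the example.

```python
import ipaddress
from collections import namedtuple

# Constructed policy values for this example (assumed, not taken from the article).
ASSIGNED_NETS = [ipaddress.ip_network("203.0.113.0/24")]          # addresses assigned to trusted hosts
PERMITTED = {("tcp", 80), ("tcp", 25), ("tcp", 110), ("udp", 53)}  # HTTP, SMTP, POP, DNS per use policy
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

Packet = namedtuple("Packet", "src dst proto dport")  # proto is "tcp" or "udp"; dport is an int

def egress_decision(pkt):
    """Apply the two egress checks in order: (a) address filtering, then (b) port filtering.
    Returns ("allow", reason) or ("deny", reason); every deny is what you would log."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    # (a) Address filtering. Do not forward broadcasts (the replies of a smurf-style
    #     amplification ride on these), and do not forward any source address that is not
    #     assigned to a trusted host here: it is spoofed or comes from a misconfigured device.
    #     A real router only knows the broadcast addresses of its own subnets, so that is
    #     all this model checks.
    if dst == LIMITED_BROADCAST or any(dst == net.broadcast_address for net in ASSIGNED_NETS):
        return ("deny", "directed broadcast")
    if not any(src in net for net in ASSIGNED_NETS):
        return ("deny", "source %s not assigned to this site" % pkt.src)
    # (b) Port filtering. Default deny: only the ports named in the appropriate-use policy pass,
    #     so a backdoor that picks an arbitrary high port never gets out.
    if (pkt.proto.lower(), pkt.dport) not in PERMITTED:
        return ("deny", "port %s/%d not permitted" % (pkt.proto, pkt.dport))
    return ("allow", "permitted by policy")

def denied(packets):
    """Run the policy over a batch of outbound packets and return the entries the firewall
    would write to its deny log: (packet, reason) pairs."""
    out = []
    for pkt in packets:
        verdict, reason = egress_decision(pkt)
        if verdict == "deny":
            out.append((pkt, reason))
    return out
```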
The first thing you should do is confirm that egress address filtering has been set up correctly on your routers. MITRE has released a freeware tool, Egressor, that lets a company check the configuration of its Internet point-of-presence router and determine whether the router is configured to prevent its systems from being used as the source of DDoS attacks. At a minimum, an outbound traffic rule set should be created to ensure that only your assigned IP addresses are allowed outside your network. Many firewalls allow you to begin the rule set with a filter that denies all outbound traffic to all ports; you can then explicitly allow traffic to the desired ports. To verify that your egress port filtering policy is implemented correctly, run a port scanner from inside your network through the entire port range (both UDP and TCP) against a public IP address, so that your firewall is put to the test. Enabling logging at your firewall for all denied packets will help you verify that you've implemented egress filtering correctly.
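As an added illustration (not from the article or the tools it names) of reviewing the deny log that the last two paragraphs recommend, the script below parses a constructed, iptables-style egress deny log and separates a host that keeps retrying one blocked port, the pattern a backdoor or DDoS agent leaves, from the host running your own verification port sweep; the log format, addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample deny log (not real traffic). Host .25 retries one non-permitted port,
# while host .40 is our own egress verification scan sweeping many ports.
SAMPLE_LOG = """\
Jan 14 02:13:07 fw kernel: EGRESS-DENY IN=eth1 OUT=eth0 SRC=203.0.113.25 DST=198.51.100.9 PROTO=TCP DPT=6667
Jan 14 02:14:07 fw kernel: EGRESS-DENY IN=eth1 OUT=eth0 SRC=203.0.113.25 DST=198.51.100.9 PROTO=TCP DPT=6667
Jan 14 02:15:07 fw kernel: EGRESS-DENY IN=eth1 OUT=eth0 SRC=203.0.113.25 DST=198.51.100.9 PROTO=TCP DPT=6667
Jan 14 02:15:09 fw kernel: EGRESS-DENY IN=eth1 OUT=eth0 SRC=203.0.113.40 DST=192.0.2.7 PROTO=TCP DPT=21
Jan 14 02:15:09 fw kernel: EGRESS-DENY IN=eth1 OUT=eth0 SRC=203.0.113.40 DST=192.0.2.7 PROTO=TCP DPT=22
Jan 14 02:15:09 fw kernel: EGRESS-DENY IN=eth1 OUT=eth0 SRC=203.0.113.40 DST=192.0.2.7 PROTO=TCP DPT=23
Jan 14 02:15:10 fw kernel: EGRESS-DENY IN=eth1 OUT=eth0 SRC=203.0.113.40 DST=192.0.2.7 PROTO=UDP DPT=69
Jan 14 02:15:10 fw kernel: EGRESS-DENY IN=eth1 OUT=eth0 SRC=203.0.113.40 DST=192.0.2.7 PROTO=UDP DPT=161
"""

LINE = re.compile(r"EGRESS-DENY .*SRC=(\S+) DST=(\S+) PROTO=(\S+) DPT=(\d+)")

def summarize_denies(log_text):
    """Group denied egress attempts by internal source host.
    Returns {src: {"hits": count, "targets": {(proto, port, dst), ...}}}."""
    summary = defaultdict(lambda: {"hits": 0, "targets": set()})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # lines that are not egress denies are ignored
        src, dst, proto, dport = m.groups()
        summary[src]["hits"] += 1
        summary[src]["targets"].add((proto.lower(), int(dport), dst))
    return dict(summary)

def classify(summary, min_hits=3):
    """Label each host with at least min_hits denies. Few distinct targets hit repeatedly
    suggests software trying to phone home over a blocked port; many distinct ports
    suggests a port sweep, such as the verification scan the article recommends."""
    labels = {}
    for src, info in summary.items():
        if info["hits"] < min_hits:
            continue
        distinct = len(info["targets"])
        labels[src] = "port-sweep" if distinct >= min_hits else "repeated-blocked-connection"
    return labels
```

The hosts labelled "repeated-blocked-connection" are the ones to examine with the DDoS detection tools mentioned in the next paragraph.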
There are several DDoS vulnerability scanners available to help you determine if any DDoS clients are installed on your machines. A tool called the NIPC DDoS detection tool can detect several DDoS tools on your system, including Trinoo, Tribal Flood Network, and Stacheldraht. TheoryGroup's Remote Intrusion Detector (RID) is another tool that can be used to detect DDoS clients on machines.
Establishing egress filtering in your perimeter security is just as important as implementing the incoming traffic rule sets. It won't stop all DDoS attacks or backdoors, but it gives you the ability to control what is coming out of your network and to monitor appropriate use. And you will be doing your part as a good netizen in preventing the widespread epidemic of DDoS and other network attacks.
MITRE's Egressor tool for checking router configurations
National Infrastructure Protection Center (NIPC) DDoS detection tool
TheoryGroup's Remote Intrusion Detector (RID)
Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks
© 2002 - 2006 Core Competence & Mactivity, Inc.