3.1.1 Defending your system integrity
3.1.1.1 Setting up a secure environment
3.1.1.2 Establishing access controls
3.1.1.3 Application security
3.1.1.4 Auditing - reactive and proactive measures
3.1.2 Defending your data confidentiality
3.1.3 Defending your network availability
3.1.3.1 Guidelines to defensive routing
3.1.3.2 Tracing: capabilities and problems
3.2 Problem specific protection
3.2.1 Protecting against viruses
3.2.2 Using Intrusion detection systems
3.2.3 Backdoors and trojan horses
3.3 Conclusions about present security technology
A long-term approach
4 Proposed future security architecture improvements
4.1 Improving incident response capabilities
4.1.1 A new approach to incident consulting
4.1.2 Incident response and law enforcement
4.1.3 Establishing an incident response infrastructure
4.2 Operating systems
4.2.1 Privilege separation and kernel-based security
4.2.2 Kernel-based authentication
4.2.3 Privilege and permission separation
4.2.3.1 Sand boxes versus protective cages
4.2.3.2 Differentiated access permissions
4.2.4 Auditing requirements
4.3 Auditing software
4.3.1 Evolving intrusion detection
4.3.2 Evolving proactive auditing technology
4.4 Networking architecture
4.4.1 Routing security
4.4.1.1 Improving availability
4.4.1.2 Improving access controls and authenticity
4.4.2 Protocol security
4.4.3 Public Key Infrastructure
4.5 Improving software design
4.5.1 Technology standards
4.5.2 Network application security
4.5.3 Software development security design methodology
5 Final words
6 Footnotes: technical background, definitions and explanations
0 About this paper
0.1 Copyright
This document was written by Mixter. Technical solutions, ideas and concepts in this document have mostly been developed by the author unless referenced or acknowledged otherwise. This paper by Mixter, named 'Protecting against the unknown', is a candidate entry for the Packet Storm Security Competition 'Storm Chaser 2000'. The author hereby represents his eligibility to participate in the Competition and to satisfy all requirements specified in the Competition Rules issued by Packet Storm. The author represents that he independently created the document and waives his intellectual property rights in the Competition entry. Furthermore, the author has acknowledged, signed and agreed to all terms of the Packet Storm Affidavit of Eligibility and Liability and Publicity Release, which has been attached to the submission.
0.2 Disclaimer
This document and the information contained herein is provided on an 'as is' basis and the author disclaims all warranties, express or implied, including but not limited to any warranty that the use of the information herein will not infringe any rights or any implied warranties of merchantability or fitness for a particular purpose.
Please note that the author's native language is not English. My apologies in advance in case you should find any formal mistakes in this document.
0.3 Acknowledgements
This paper was improved by many insights I have been able to gain from a large number of people engaged in the security community. Although the paper was completely written by myself, knowledge and experience I gained from these sources were needed to make it possible for me to compose this document. Some of these sources that I would like to specifically acknowledge are: Bugtraq Security Mailing List / SecurityFocus, BufferOverflow / Hackernews, many of the detailed articles from authors of Phrack Magazine, OpenSEC contributors, site maintainers of security archives and security related sites, authors of open source security software (no advertisement here, you know who you are) as well as the authors of publications and texts referenced in the footnotes section.
1 Introduction
1.1 Preface
Since the Internet began evolving from an academic and military resource into a public world-wide computer network utilized by numerous commercial and non-commercial organizations and individuals, and on which modern society is becoming increasingly dependent, there have been many security [1] issues, some of them exposing weaknesses in the security model of the Internet itself. While the importance of computing in our society will keep growing, one of the first and biggest problems concerning the evolution of computing is the improvement of applied Internet security technology. With the increasing speed and complexity of technology and software development, the number of security issues, as well as their severity and impact on the Internet community, tends to grow drastically, and so do the security incidents caused by the growing number of intruders actively exploiting weaknesses in current security models and by intrusion software [2] becoming more sophisticated. Defending against specific intrusion software is futile, because private attacking software and techniques can be developed that either can hardly be identified or possess no methodological weaknesses which could be used to stop them; therefore the security problem has to be conquered using coherent, logically applied, systematic security improvement and protection efforts. This paper attempts to define the problem and answer the question: what pure or applied technical measures can be taken to protect the Internet against future forms of attack? In order to develop a defense strategy against future threats, one has to take into account that the proposed solution needs to include effective countermeasures against an unknown threat potential.
An approach to this solution needs to be formed upon a differentiated set of measures against current weaknesses and threats, and against upcoming security issues, extrapolated by analyzing existing weaknesses and core problems in the security infrastructure of the Internet. It has to be kept in mind that current threats like distributed attack tools [3] do not represent security vulnerabilities themselves, but multiply and make visible the potential of existing problems in the current security architecture model.
1.2 Document scope and structure
The security improvement measures described in this document are designed to provide guidance to everyone who needs to improve the security of a network or machine that is publicly accessible over the Internet, including ISP and corporate technicians, executive managers, government and military executives, network administrators, security consultants and all other individuals requiring or wanting to improve their computer security. Covered topics include problem and threat definition, potential security issues and active countermeasures, concrete technical requirements and methods, as well as conceptual and procedural security measures. Providing a coherent security solution to upcoming and partially yet unidentified security problems means designing a new security architecture, instead of trying to solve issues by designing reactive solutions to known problems. Therefore, this document includes both technical and conceptual aspects that need to be considered in the design of a coherent security architecture.
Since the upcoming threats are serious and imminent, a fast and concrete solution, which should be practical for everyone, is needed. Therefore, the first part of this paper deals with short-term measures that can be taken immediately, using the current infrastructure and technological standards. But it must also be kept in mind that information technology in general is still in its infancy, and that a better approach to upcoming, as yet unidentifiable problems and threats has to be realized with long-term measures aimed at programmers, vendors, corporations, and other parties responsible for the design of a future information security architecture. Therefore, the second part of this paper is about such long-term measures that should be taken to implement future security features and models. To make the technical issues more comprehensible, technical definitions and background explanations have been added in the form of footnotes at the end of the paper. The reader is advised to consult these to help understand the definitions and technical subjects mentioned in this paper.
1.3 Problem description
1.3.1 Security threats summary
Before focusing on the problem definition, I would like to summarize the current actual threats to security and the causes of active security breaches, possibly correcting or at least questioning some popular viewpoints. Analyzing opinions shared by authorities and the media, one comes to the conclusion that malicious software (viruses/worms, trojans, intrusion software) and the intruders who actively spread or use this software are the cause of all security incidents and therefore represent the major threat to the Internet.
This is in my opinion a simplistic view of the problem. Imagine the Internet consisted of 90% vanilla WinNT 4.0 machines (a scary thought..), but no public exploits existed against them, and no known security weaknesses or incidents were reported to any authorities. According to the above viewpoint, there would be no 'threats', even though a single person with appropriate knowledge would be able to compromise or shut down the majority of the world's computers by exploiting just one of the given unidentified weaknesses. I hope this makes my point that the threat to security should not be seen in the currently existing malicious software and the individuals that take advantage of mostly known weaknesses to wreak havoc. The threat should be considered as the damage and incident potential caused by resources [4] lacking an overall security architecture and applied protection. This potential is also multiplied by the value and possibilities a resource provides to a potential intruder, once its security is compromised. A compromised web server, for example, provides access to all web documents and potentially to gaining higher privileges on the system. A compromised mail or ftp server usually provides root access (read: in most cases nearly complete access to all of the system's capabilities, hardware, network interfaces, hard disk content, etc.). Observing future trends in the development of the Internet, we could extend our examples to a compromised gigabit ethernet / wdm routing device, giving the advantage of taking up a small country's bandwidth, or a compromised digital wiretapping device used by law enforcement, giving access to privately transmitted information from millions of persons. To conclude, the value and power of resources are a multiplying factor to the potential of an existing threat, which means that different kinds of resources need different protection, and that delegating resources to a task or service should be done with utmost prudence and care. However, the origin of security threats can only be seen in the lack of security given to any resource. Such threats include the potential lack of security in the form of uneducated administration personnel, insufficient scrutiny while applying security guidelines, and vulnerability to known methods of security compromise [5].
It is not existing malicious software or individuals with malicious intent that represent the threats against information systems, but the vulnerability and threat potential that exists in the resources that are to be protected. This shows that the responsibility for eliminating security threats lies in the hands of those who are responsible for designing and implementing security.
1.3.2 Problem definition
Taking a look at the current state of security on the Internet, and at the kind of incidents that we have experienced so far, it becomes clear that all serious intrusions, those which involve remote compromise of confidential information, system access and privileges, have been made possible by the insecure design and implementation of applications or operating system functions and the protocols they use. These problems are present in the input handling, access control, configuration and sometimes the amount of privileges a program requires in order to fulfill its task. While these weaknesses may seem relatively predictable, the cause of the intrusions that are and will be frequently occurring has to be seen in a bigger scope. Consider that actually a high percentage of available servers are secure, and some of them, especially open-source products, have been well audited for several years. There are at least two main reasons why the relatively few programs whose current versions are vulnerable at the same time can still be used by intruders to gain access to a huge number of systems:
- Weak configuration and inexperienced users. Today's systems and software that look easy to install and configure are often actually the hardest to establish a secure configuration on, and insufficiently error tolerant (where intolerance to errors means, in this context, silently creating a major security hole while operating just fine), and either lack documentation or come with documentation so complex that the average user does not read it or take sufficient time to get familiar with the software's functions. This problematic trend causes users and administrators to lack basic experience and understanding of their system programs, including the services running by default on many operating system distributions. Since those systems and their services can be run prior to acquiring information about them, people fail to recognize whether they need particular services or not. Since people can run all these services without spending time on the configuration and documentation, they fail to recognize even simple and well known vulnerabilities and do not inform themselves about updates or patches.
- Mono-cultural network structures. Another phenomenon that multiplies the chances for intruders and the risks is the fact that a small number of operating system distributions that come with a static set of applications are widely spread and used, and as a side effect also spread the same known and yet undiscovered vulnerabilities to a large audience; as a result, one known vulnerability in today's relatively homogeneous computing environment can become a threat to a large number of similar systems with similar configurations.
Beyond the issues regarding weak operating systems and applications, a further factor that contributes to the problem is the approach of the currently accepted solutions for conceptual software development and security improvement. Today's security measures, applications and protocols are often standardized with only merchantability, performance and similar aspects in mind, and therefore no coherent systematic design approach is made that includes necessary minimum security standards. With current approaches to technology standardization, other issues like security education of end-users and extensibility are also disregarded, which makes it more difficult for software developers to maintain programs complying with those standards, and consequently more difficult to design secure software. Additionally, ineffective and incoherent concepts for achieving protection against attacks can create a false sense of security and also represent new opportunities for attackers who are able to find weaknesses in those concepts. For example, security through obscurity empowers those who are able to crack and reverse engineer software. Relying on law enforcement gives an opportunity to those who can evade law enforcement. Extensive intrusion pattern logging and origin tracing can be a disadvantage to inexperienced intruders but an advantage to the intruders that use private exploits and have enough compromised machines at their disposal to obscure their origin. Only the implementation of all basic and systematic protection measures can effectively withstand all current and upcoming threats.
1.4 Basic concepts
Before coming to applied security measures, I want to briefly describe some of the basic concepts that can be used to assess a solution and which can be applied to design a systematic approach. To start off, it is advisable to find the lowest layer of information processing to which security measures can be applied. Excluding physical security and hardware design, the lowest layer of security has to be established at the operating system level; for access control [6] to any resource and system capability to exist, it is required that this control can be securely enforced by the operating system on which it is implemented. The next layer is the secure transmission and storage of data in general, locally and remotely. Note that access control has to be in place for this layer to work effectively [7]. An effective additional measure to harden this security layer can be cryptography, because of its universal applicability. Further security layers are problem specific, in this case network specific. The third layer of network security is the stability and security of any points of access [8] to a network, single machine or higher privileges.
Only by ensuring the presence of such a consecutive row of security layers to protect against a problem is it possible to construct a scalable solution, whose protection can then be improved at its weakest layer if necessary. Another paradigm for establishing a long-term security solution is easy implementation feasibility, realized by avoiding unnecessary complexity and minimizing the efforts needed to individually adapt the solution. To achieve this, steps have to be taken to design standards which are more comprehensible and easier to implement, especially regarding the recommended use of programming style and functions, and the design of security APIs, system security capabilities, protocol features and other security interfaces.
2 Conceptual security measures
2.1 Taking the systematic approach
People are well advised to put their efforts into achieving one goal: optimizing network security to mitigate the vulnerability potential over a maximum period of time. The second rule to follow is to use common sense and apply logical concepts. An untrusted system, i.e. a system that could already potentially have been compromised, cannot be totally 'secured'. Refrain from connecting a vanilla (out-of-the-box, as some people say) system to any network before applying basic security guidelines. An intruder could theoretically be getting into it while you are in the process of securing it, rendering all your efforts worthless. And if we are talking about a high profile system or a popular attack target, this applies even more. Either a system has been secured from the beginning or it can never be considered to be fully trusted. Things that should be established from the beginning also include some form of backup/recovery system, at least for unique data, and some kind of checksums or change logs, preferably cryptographic, which will later be valuable resources to reliably compare the system's current state with its original state.
In order to eliminate vulnerabilities efficiently, try compiling a vulnerability checklist, ordered by priority. Security threats considered critical to a system's survival have to be eliminated at all costs. Do not take easily preventable risks either (e.g. by not updating software versions or configuration to the latest standards). A good administrator should try to imagine worst case situations. If someone could be interested in gaining as much access to your network as possible, don't be scared to imagine what could happen if someone successfully ran a sniffer. Measures like using switched ethernet are easy to apply and should be mandatory (although be warned that this might only raise the difficulty level; using ARP cache poisoning, sniffing is still feasible), and critical devices such as switches, routers, gateways and other packet forwarding devices, as well as log hosts and other hosts that serve to preserve your network / data integrity, should not be accessed remotely at all; ideally they have no open ports at all and must be accessed via console. A few weeks earlier I would've suggested running ssh as the only service, but since a working exploit against a current version of ssh is out... well, by assuming the worst case in all situations applicable to your network, you cannot be wrong.
2.2 Designing a security model
Just like a single host that has to be protected prior to using it in a network environment, the internal structural design of your network(s) has to be completed before exposing them to the Internet. Taking a look at the latest threats and upcoming possibilities of intruders, I would strongly advise a decentralized task security model. This means avoiding single, big resources that share many points of access. On one hand, hosts that run a concentrated amount of services can be compromised more easily because an intruder can select from a variety of services which to exploit, and on the other hand, by having a single, big machine compromised or penetrated with Denial Of Service [9] attacks over a long time, you would lose a lot of services at a time, which possibly many users or critical network processes depend on.
Consider using a higher bandwidth on your local network than you have overall bandwidth to your uplink(s), so that you still have the possibility of internal process and user communication when your network gets hit by DoS from the outside.
Try to retain the systematic aspect of design. Reliable audit trails are good, preventive measures against intrusions are much better. Do not rely on an extra mechanism if you know that your network's security would be lost without it. Once you have established basic security, extra packet filtering and intrusion detection rules can act as additional security layers if deemed necessary. Another subject worth mentioning is a mistake which I have observed being made frequently. Yes, a DMZ is supposed to be exposed to the Internet more than the other sensitive parts of your network are. But that does not mean there is any reason to expose hosts on the DMZ, especially mail servers, bastion hosts, and gateways running a bulky mass of services, to preventable risks! This is something just too many people do, without considering that the DMZ hosts are very vital parts of your overall network security. I would bet that more than half of all incidents have happened on those hosts, which have been poorly secured or not secured at all, while their protection is as important as the protection of any other network components.
2.3 Problems in a corporate environment
A popular, generally accepted security solution for corporations is to establish a security policy, and then assign a team that is specially responsible for protecting the corporate resources and enforcing that policy. The problem is that a few people in control of security measures cannot guarantee this protection, while the rest of the employees possibly lack sufficient understanding of their software to care enough about security. In the same way in which it is possible to demonstrate a lack of security, but not its guaranteed existence, a security policy can be enforced with all technical measures, but cannot fully guarantee that employees lacking awareness will not find a way to circumvent it (or that the policy is not insufficient, with nobody ever finding out about it). A better approach to corporate security is to define a minimum of security and of technical education for everyone, and to educate everyone in an adaptive manner, suited to each person's present state of knowledge. Instead of possessing either expensive or insufficient security, corporate security needs to be designed to be comprehensible for everyone, and education that goes beyond basic mandatory guidelines should be acquired individually by self-education; that way, corporate security can be achieved by everyone without dedicating huge amounts of money or time to it. Taking this approach, however, makes it necessary to observe how well it is individually adapted, rewarding knowledgeable employees with respect, and helping those who face problems gaining sufficient knowledge, possibly by assigning them to teams with more knowledgeable individuals.
2.4 Preparing against an incident
To be prepared against incidents like intrusions, intrusion attempts, and DoS coming from outside your local network, it is important to be able to correctly interpret the meaning of probes [10] and other unusual traffic to your network, and of course to have sufficient audit trails present that can be evaluated. Some essential precautions that should be taken are to enable network egress and ingress filtering [11], and to set up secure, impenetrable logging facilities, in the form of a more or less isolated loghost [12]. By being able to recognize the kind of threat, you prevent unnecessary panic when you are facing futile intrusion attempts, and on the other hand can take appropriate measures quickly when your systems are really at risk. Preparation should generally start at network design, in the form of separating important tasks of the network by delegating them to different machines, with the aim of minimizing the damage that can be caused by an incident. While in my humble opinion there are not many similarities between computer crime and conventional crime, one thing they have in common is that they can hardly be stopped by harder prosecution and better tracking. If an intruder wants to gain access to your network, and there is any possibility, he will. As with conventional crime, the better approach to mitigating the possibility that incidents occur is to make an intrusion into your network appear less inviting by hiding as much information about your network as possible. Approaches to this include using meaningless hostnames for different internal hosts that serve different purposes, denying external DNS zone transfers, configuring your servers to show bogus version information, or even slightly modifying your kernel to defeat remote OS identification [13].
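The egress and ingress filtering recommended above, shown as the anti-spoofing decision a border router applies to each packet and evaluated over a constructed batch of traffic. This is an added example, not code from the original paper; the site prefix 192.0.2.0/24, the interface names and the sample packets are assumptions.

```python
"""Ingress/egress (anti-spoofing) filter logic for a site border router.
Added example; the prefix, interface names and packets are constructed."""
import ipaddress
from typing import List, NamedTuple, Tuple

# Assumed address block that this site announces to its uplink.
SITE_PREFIX = ipaddress.ip_network("192.0.2.0/24")

# Source addresses that must never arrive from the Internet side:
# our own prefix, RFC 1918 space, loopback, link-local and "this" network.
BOGON_SOURCES = [
    SITE_PREFIX,
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("0.0.0.0/8"),
]


class Packet(NamedTuple):
    iface: str  # "ext" = arrived on the uplink, "int" = arrived from the LAN
    src: str
    dst: str


def ingress_verdict(pkt: Packet) -> str:
    """Ingress rule: a packet coming in from the uplink may not claim an
    internal or reserved source address, since such a source cannot
    legitimately originate outside the site."""
    src = ipaddress.ip_address(pkt.src)
    if any(src in net for net in BOGON_SOURCES):
        return "DROP ingress: spoofed or bogon source"
    return "ACCEPT"


def egress_verdict(pkt: Packet) -> str:
    """Egress rule: a packet leaving toward the uplink must carry one of
    the site's own addresses, so the site cannot be used as a launch point
    for traffic with forged sources."""
    src = ipaddress.ip_address(pkt.src)
    if src not in SITE_PREFIX:
        return "DROP egress: source not in site prefix"
    return "ACCEPT"


def filter_packet(pkt: Packet) -> str:
    """Dispatch on the arrival interface; anything unexpected is dropped."""
    if pkt.iface == "ext":
        return ingress_verdict(pkt)
    if pkt.iface == "int":
        return egress_verdict(pkt)
    return "DROP: unknown interface"


def run_filter(packets: List[Packet]) -> List[Tuple[Packet, str]]:
    """Apply the filter to a batch and return (packet, verdict) pairs."""
    return [(p, filter_packet(p)) for p in packets]


# Constructed sample traffic (documentation address ranges).
SAMPLE = [
    Packet("ext", "198.51.100.7", "192.0.2.10"),   # ordinary inbound packet
    Packet("ext", "192.0.2.99", "192.0.2.10"),     # inbound, forged internal source
    Packet("ext", "10.1.2.3", "192.0.2.10"),       # inbound, RFC 1918 source
    Packet("int", "192.0.2.10", "198.51.100.7"),   # ordinary outbound packet
    Packet("int", "203.0.113.5", "198.51.100.7"),  # outbound with a foreign source
]

if __name__ == "__main__":
    for pkt, verdict in run_filter(SAMPLE):
        print(f"{pkt.iface:3} {pkt.src:>15} -> {pkt.dst:<15} {verdict}")
```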
While hiding such information does not represent a factual security improvement, you will stop presenting a possible intruder with information about where to find your internal DNS server, SQL databases, and other weak points on a silver platter. Note that the best method of making your host an uninviting target is of course to apply all possible security measures at your disposal. A final important preparation is to have some way of recovery, in the form of incremental backups, site mirroring, or anything else you deem appropriate, and to possess the information necessary to reestablish the integrity of your critical data, in the form of cryptographic checksums and/or system images of a trusted state of your systems, which have to be stored in a way that makes it impossible for an intruder to remotely manipulate them.
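The cryptographic checksums of a trusted state recommended here and in section 2.1 above, as an added example that is not from the original paper: it baselines a file tree with SHA-256, compares a later state against it, and keys a tag over the baseline so that a copy stored off the host reveals tampering with the baseline itself. The directory layout, file contents and key are constructed for the demonstration.

```python
"""Cryptographic integrity baseline of a file tree, plus a keyed tag over
the baseline so that a copy kept off-host can be checked for tampering.
Added example; not code from the original paper."""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 65536) -> str:
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each file under root (relative POSIX path) to its digest and
    permission bits. Symlinks are recorded by target, not followed."""
    root_path = Path(root)
    entries = {}
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root_path).as_posix()
            if p.is_symlink():
                entries[rel] = {"symlink": os.readlink(p)}
            else:
                entries[rel] = {"sha256": hash_file(p),
                                "mode": oct(p.lstat().st_mode & 0o7777)}
    return entries


def sign_baseline(baseline: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical JSON of the baseline. The key stays
    with the off-host copy, so an intruder who edits the baseline file on
    the compromised host cannot produce a matching tag."""
    canonical = json.dumps(baseline, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def verify_signature(baseline: dict, key: bytes, tag: str) -> bool:
    return hmac.compare_digest(sign_baseline(baseline, key), tag)


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between the trusted baseline and the current state."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then simulate a
    compromise that replaces a binary, drops a file and edits the on-host
    copy of the baseline to hide the replacement."""
    key = b"constructed-demo-key"  # real deployments: key held off-host
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sbin").mkdir()
        (root / "etc").mkdir()
        (root / "sbin" / "login").write_bytes(b"original login binary")
        (root / "etc" / "passwd").write_bytes(b"root:x:0:0::/root:/bin/sh\n")
        baseline = build_baseline(tmp)
        tag = sign_baseline(baseline, key)

        (root / "sbin" / "login").write_bytes(b"replaced login binary")
        (root / "etc" / "unexpected.conf").write_bytes(b"constructed\n")
        diff = compare(baseline, build_baseline(tmp))

        tampered = json.loads(json.dumps(baseline))  # deep copy
        tampered["sbin/login"]["sha256"] = hash_file(root / "sbin" / "login")
        return {"diff": diff,
                "tag_ok": verify_signature(baseline, key, tag),
                "tampered_ok": verify_signature(tampered, key, tag)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```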
2.5 Incident response
2.5.1 Reacting to an incident
If your router experiences large amounts of spoofed traffic, it is recommended to ask your uplink or backbone provider for assistance. In all other cases that represent a real threat to your network, you are well advised to directly contact the responsible technical or administrative authority of the attacker's origin(s). While the current international chain of network information centers is undergoing structural changes, there are still reliable ways to find the proper authority to contact. A WHOIS hostname query to
Cite this work:
Kemal Akman, 2000, Protecting Against The Unknown, München, GRIN Verlag GmbH