Copyright Security-Assessment.com, Qualys Inc, 2005 Moving Security Enforcement into the Heart of...

Copyright Security-Assessment.com, Qualys Inc, 2005

Moving Security Enforcement

into the Heart of the Network

Peter Benson

CEOSecurity-Assessment.com

October, 2005

Copyright Security-Assessment.com 2005

Agenda• Evolution of Threats

• Why Network Access Control Matters

• The Laws of Vulnerabilities

• Network Access Control Architectures

• Summary and Action


Security Trend Indicators • Malicious Code (↑) • Vulnerabilities (↑) • Spam and Spyware (↑) • Phishing and Identity Theft (↑)

….and• Time to Exploitation (↓)


Where are the issues ?

• A Multitude of insecure Protocols and Services– telnet, ftp, snmp

• Known default settings– Passwords, SNMP community strings

• System Design Errors– Setup and Access control errors

• Software Implementation Flaws– Input validation, lack of sanity checks

• User Triggered Issues– Email and Browser related


First Generation Threats

• Spreading mostly via email, file-sharing• Human Action Required• Virus-type spreading / No vulnerabilities• Examples: Melissa Macro Virus, LoveLetter

VBScript Worm• Replicates to other recipients• Discovery/Removal: Antivirus


Second Generation Threats

• Active worms• Leveraging known vulnerabilities• Low level of sophistication in spreading

strategy (i.e. randomly)• Non Destructive Payloads• Remedy: Identify and Fix Vulnerabilities


Third Generation Threats• Automated Attacks Leveraging Known and

Unknown Vulnerabilities• Collaboration of Social Engineering and

Automated Attacks• Multiple Attack Vectors

– Email, Web, IM, Vulnerabilities,…• Active Payloads• Remedy: Security Enforcement / Network Access

Control


Evolution of Network Access Control• Today:

– Static network access– Every device is permitted– Infected or unhealthy devices are frequently

the root of an outbreak

• Tomorrow:– Dynamic network access based on policies– Screening devices before granting access– Infected or unhealthy devices should be

treated separately


“Anyone can build a stop sign – or even a traffic light – but it takes a different mind-set entirely

to conceive of a city-wide traffic control system.”

Bruce Schneier – Beyond Fear


Building Blocks of Network Access Control• Assessment of Endpoint Security • Decision making based on policy compliance• Admission Enforcement at Network infrastructure• Quarantining/Remediation of unhealthy devices


A Common Framework for Network Access Control

Network Access

Infrastructure

Policy Manager

Client

Main

Network

Quarantine

Network


Why Network Access Control Matters• Objective: Understanding prevalence of critical

vulnerabilities over time in real world• Timeframe: January 2002 - Ongoing• Data Source:

– 70% Global Enterprise networks– 30 % Random trials

• Methodology: Automatic Data collection with statistical data only – no possible correlation to individual user or systems


Raw Results• Largest collection of global real-world vulnerability data:

– 14,818,000 IP-Scans since begin 2002– 2,275 out of 3,374 unique vulnerabilities detected in the real world

– 3,834,000 total critical* vulnerabilities found– 1,031 out of 1,504 unique critical vulnerabilities detected in the real

world

•Analysis Performed:– Identifying Window of Exposure– Lifespan of Critical Vulnerabilities– Resolution Response– Trend over Time– Vulnerability Prevalence

* Providing an attacker the ability to gain full control of the system,and/or leakage of highly sensitive information. For example, vulnerabilities may enable full read and/or write access to files, remote execution of commands, and the presence of backdoors.


0

500

1000

1500

2000

2500

3000

3/29

/200

3

4/12

/200

3

4/26

/200

3

5/10

/200

3

5/24

/200

3

6/7/

2003

6/21

/200

3

7/5/

2003

7/19

/200

3

8/2/

2003

8/16

/200

3

8/30

/200

3

9/13

/200

3

9/27

/200

3

10/1

1/20

03

10/2

5/20

03

11/8

/200

3

11/2

2/20

03

12/6

/200

3

12/2

0/20

03

1/3/

2004

1/17

/200

4

1/31

/200

4

2/14

/200

4

2/28

/200

4

3/13

/200

4

3/27

/200

4

4/10

/200

4

4/24

/200

4

5/8/

2004

5/22

/200

4

6/5/

2004

6/19

/200

4

7/3/

2004

WebDAV CAN-2003-0109

Microsoft WebDAV Vulnerability

Microsoft Windows 2000 IIS WebDAV Buffer

Overflow Vulnerability

CAN-2003-0109Qualys ID 86479

Released: March 2003

Microsoft Windows 2000 IIS WebDAV Buffer

Overflow Vulnerability

CAN-2003-0109Qualys ID 86479

Released: March 2003


0

100

200

300

400

500

600

11

/23

/20

02

12

/7/2

00

2

12

/21

/20

02

1/4

/20

03

1/1

8/2

00

3

2/1

/20

03

2/1

5/2

00

3

3/1

/20

03

3/1

5/2

00

3

3/2

9/2

00

3

4/1

2/2

00

3

4/2

6/2

00

3

5/1

0/2

00

3

5/2

4/2

00

3

6/7

/20

03

6/2

1/2

00

3

7/5

/20

03

7/1

9/2

00

3

8/2

/20

03

8/1

6/2

00

3

8/3

0/2

00

3

9/1

3/2

00

3

9/2

7/2

00

3

10

/11

/20

03

10

/25

/20

03

11

/8/2

00

3

11

/22

/20

03

12

/6/2

00

3

12

/20

/20

03

1/3

/20

04

1/1

7/2

00

4

1/3

1/2

00

4

2/1

4/2

00

4

2/2

8/2

00

4

3/1

3/2

00

4

3/2

7/2

00

4

4/1

0/2

00

4

4/2

4/2

00

4

5/8

/20

04

5/2

2/2

00

4

6/5

/20

04

6/1

9/2

00

4

7/3

/20

04

WU FTPd CVE-2001-0550

WU-FTPd File Globbing Heap Corruption Vulnerability

WU-FTPd File Globbing Heap Corruption

Vulnerability

CVE-2001-0550Qualys ID 27126

Released: November 2001

WU-FTPd File Globbing Heap Corruption

Vulnerability

CVE-2001-0550Qualys ID 27126

Released: November 2001


0

2000

4000

6000

8000

10000

12000

14000

16000

18000

2/21

/200

4

2/28

/200

4

3/6/

2004

3/13

/200

4

3/20

/200

4

3/27

/200

4

4/3/

2004

4/10

/200

4

4/17

/200

4

4/24

/200

4

5/1/

2004

5/8/

2004

5/15

/200

4

5/22

/200

4

5/29

/200

4

6/5/

2004

6/12

/200

4

6/19

/200

4

6/26

/200

4

7/3/

2004

Microsoft ASN.1 CAN-2003-0818

Microsoft Windows ASN.1 Library Integer Handling Vulnerability

Microsoft Windows ASN.1 Library Integer Handling

Vulnerability

CAN-2003-0818Qualys ID 90103

Released: February 2004

Microsoft Windows ASN.1 Library Integer Handling

Vulnerability

CAN-2003-0818Qualys ID 90103

Released: February 2004


0

10000

20000

30000

40000

50000

60000

70000

4/17

/200

4

4/24

/200

4

5/1/

2004

5/8/

2004

5/15

/200

4

5/22

/200

4

5/29

/200

4

6/5/

2004

6/12

/200

4

6/19

/200

4

6/26

/200

4

7/3/

2004

Microsoft LSASS CAN-2003-0533

Buffer overflow in Microsoft Local Security Authority Subsystem Service (LSASS)

Buffer overflow in Microsoft Local Security Authority

Subsystem Service (LSASS)

CAN-2003-0533Qualys ID 90108

Released: April 2004

Buffer overflow in Microsoft Local Security Authority

Subsystem Service (LSASS)

CAN-2003-0533Qualys ID 90108

Released: April 2004


External vs. Internal Vulnerabilities

21 days

25%

50%

75%

100%

42 days 63 days 84 days 105 days

For a critical vulnerability every 21 days (62 days on internal networks)

50 % of vulnerable systems are being fixed

For a critical vulnerability every 21 days (62 days on internal networks)

50 % of vulnerable systems are being fixed



SSL Server Allows Cleartext Communication

0

200

400

600

800

1000

1200

3/8

/20

03

3/2

2/2

00

3

4/5

/20

03

4/1

9/2

00

3

5/3

/20

03

5/1

7/2

00

3

5/3

1/2

00

3

6/1

4/2

00

3

6/2

8/2

00

3

7/1

2/2

00

3

7/2

6/2

00

3

8/9

/20

03

8/2

3/2

00

3

9/6

/20

03

9/2

0/2

00

3

10

/4/2

00

3

10

/18

/20

03

11

/1/2

00

3

11

/15

/20

03

11

/29

/20

03

12

/13

/20

03

12

/27

/20

03

1/1

0/2

00

4

1/2

4/2

00

4

2/7

/20

04

2/2

1/2

00

4

3/6

/20

04

3/2

0/2

00

4

4/3

/20

04

4/1

7/2

00

4

5/1

/20

04

5/1

5/2

00

4

5/2

9/2

00

4

6/1

2/2

00

4

6/2

6/2

00

4

SSL Allows Cleartext


Qualys ID 38143


Qualys ID 38143


0

100

200

300

400

500

600

2/8/

2003

3/8/

2003

4/8/

2003

5/8/

2003

6/8/

2003

7/8/

2003

8/8/

2003

9/8/

2003

10/8

/200

3

11/8

/200

3

12/8

/200

3

1/8/

2004

2/8/

2004

3/8/

2004

4/8/

2004

5/8/

2004

6/8/

2004

SQL Slammer Vulnerability

SQL Slammer Vulnerability

MS-SQL 8.0 UDP Slammer Worm Buffer Overflow Vulnerability

CAN-2002-0649Qualys ID 19070

Released: July 2002

MS-SQL 8.0 UDP Slammer Worm Buffer Overflow Vulnerability

CAN-2002-0649Qualys ID 19070

Released: July 2002


A Continuous Cycle of Infection

0

10

20

30

40

50

60

70

Sasser

CodeRed

Nachi

Blaster


Vulnerability Lifespan

21 days

25%

50%

75%

100%


The lifespan of some vulnerabilities

and worms is unlimited

The lifespan of some vulnerabilities

and worms is unlimited

126 days


The Impact of an Exploit

21 days

25%

50%

75%

100%


80% of worms and automated exploits are targeting the first two half-life periods

of critical vulnerabilities

80% of worms and automated exploits are targeting the first two half-life periods

of critical vulnerabilities

Witty, Sasser, Blaster

126 days


Mapping Vulnerability Prevalence

Vul

nera

bilit

y P

reva

lenc

e

Individual Vulnerabilities0

100000

200000

300000

400000

500000

600000

700000


The Changing Top of the Most Prevalent

Vulnerability CVE Jul-02 Jan-03 Jul-03Jan-04 Jul-04

Apache Mod_SSL Buffer Overflow Vulnerability CVE-2002-0082 x

Microsoft Exchange 2000 Malformed Mail Attribute DoS Vulnerability CVE-2002-0368 x

Microsoft Index Server and Indexing Service ISAPI Extension Buffer Overflow Vulnerability CVE-2001-0500 x x

Microsoft IIS FTP Connection Status Request Denial of Service Vulnerability CVE-2002-0073 x x

Microsoft IIS Chunked Encoding Transfer Heap Overflow Vulnerability CVE-2002-0079 x x

Microsoft IIS HTR ISAPI Extension Heap Overflow Vulnerability CVE-2002-0364 x x

Microsoft IIS 4.0/5.0 Extended UNICODE Remote Execution Vulnerability CVE-2000-0884 x x x

Microsoft IIS CGI Filename Decode Error Vulnerability CVE-2001-0333 x x x

Microsoft IIS Malformed HTR Request Buffer Overflow Vulnerability CVE-2002-0071 x x x

Microsoft IIS HTR Chunked Encoding Transfer Heap Overflow Vulnerability CVE-2002-0364 x x x x

Apache Chunked-Encoding Memory Corruption Vulnerability CVE-2002-0392 x x x x x

OpenSSH Challenge-Response Authentication Integer Overflow Vulnerability CVE-2002-0639 x x x x x

Multiple Vendor SNMP Request And Trap Handling Vulnerabilities CAN-2002-0012 x x x

ISC BIND SIG Cached Resource Record Buffer Overflow (sigrec bug) Vulnerability CAN-2002-1219 x x x

Microsoft Windows 2000 IIS WebDAV Buffer Overflow Vulnerability CAN-2003-0109 x x x

Sendmail Address Prescan Possible Memory Corruption Vulnerability CAN-2003-0161 x x x

Microsoft SMB Request Handler Buffer Overflow Vulnerability CAN-2003-0345 x x

Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability CAN-2003-0352 x x x

Microsoft DCOM RPCSS Service Vulnerabilities CAN-2003-0528 x x

Microsoft Messenger Service Buffer Overrrun Vulnerability CAN-2003-0717 x

Buffer Overflow in Microsoft Local Security Authority Subsystem Service (LSASS) CAN-2003-0533 x

Microsoft RPCSS Code Execution Variant CAN-2003-0813 x

Microsoft Windows ASN.1 Library Integer Handling Vulnerability CAN-2003-0818 x

50% of the most prevalent

and critical vulnerabilities

are being replaced by new

vulnerabilities on an annual basis

50% of the most prevalent

and critical vulnerabilities

are being replaced by new

vulnerabilities on an annual basis


Top 10 External (Most Prevalent and Critical Vulnerabilities) as of June, 2005

Title Qualys ID CVE Reference External Reference

Microsoft Windows ntdll.dll Buffer Overflow Vulnerability 86479CAN-2003-0109 MS03-007

Buffer overflow in Microsoft Local Security Authority Subsystem Service (LSASS) 90108CAN-2003-0533 MS04-011

Buffer Management Vulnerability in OpenSSH 38217CAN-2003-0693 CA-2003-24

Sendmail Prescan() Variant Remote Buffer Overrun Vulnerability 50080CAN-2003-0694 CA-2003-25

Microsoft Windows RPC Runtime Library Vulnerability 68528CAN-2003-0813 MS04-012

Microsoft Windows ASN.1 Library Integer Handling Vulnerability 90103CAN-2003-0818 MS04-007

Windows TCP/IP Remote Code Execution and Denial of Service Vulnerabilities 09244CAN-2005-0048 MS05-019

Writeable SNMP Information 78031N/A N/A

Unauthenticated Access to FTP Server Allowed 27210 N/A N/A

SSL Server Allows Cleartext Communication Vulnerability 38143 N/A N/A


Top 10 Internal (Most Prevalent and Critical Vulnerabilities) as of June, 2005Title Qualys ID CVE Reference External Reference

Microsoft SQL Weak Database Password 19001 CAN-2000-1209 N/A

Buffer overflow in Microsoft Local Security Authority Subsystem Service 90108 CAN-2003-0533 MS04-011

Microsoft Messenger Service Buffer Overrun Vulnerability 70032 CAN-2003-0717 MS03-043

Microsoft Windows RPC Runtime Library Vulnerability 68528 CAN-2003-0813 MS04-012

Microsoft Windows ASN.1 Library Integer Handling Vulnerability 90103 CAN-2003-0818 MS04-007

Microsoft Buffer Overrun in JPEG Processing 90176 CAN-2004-0200 MS04-028

Adobe Acrobat Reader Format String Vulnerability 38385 CAN-2004-1153 N/A

Microsoft Server Message Block Remote Code Execution 90230 CAN-2005-0045 MS05-011

Microsoft Internet Explorer Multiple Vulnerabilities 100025 CAN-2005-0553 MS05-020

Microsoft Word Vulnerability Could Allow Remote Code Execution 110031 CAN-2005-0558 MS05-023


Goal: Shortening the Half-Life of Critical Vulnerabilities for Internal systems to 40 days

62 days

25%

50%

75%

100%


2005

2004

372 days

• Awareness• Prioritization• Enforcement


Network Access Control Industry Initiatives• Cisco Network Admission Control (NAC)

– Leveraging Cisco Networking devices to control access

– Evaluation of devices via agent (CTA) or agent-less• Microsoft Network Access Protection (NAP)

– Client side system health agent– Server side system health validator

• TCG Trusted Network Connect (TNC)– Open software architecture for policy based access– Cross vendor architecture


Cisco NAC Architecture

AAA Server (ACS) Vendor

Servers

Hosts Attempting

Network Access

Network Access Devices

Policy Server Decision

Points

Credentials Credentials

EAP/UDP,

EAP/802.1x

RADIUS

Credentials

HTTPS

Access Rights

Notification

Cisco Trust Agent

1 2

4

5

6

2a

Comply?

Enforcement

3

Source: Cisco


Microsoft NAP Architecture

Source: Microsoft


TCG Trusted Network Connect Architecture

Source: Trusted Computing Group


Vernier Networks EdgeWall Architecture

EdgeWall

Control Server

1) Credentials

Authentication Service

Patch Management,Vulnerability Servers

2) Authentication

3) Local compliance check

4) Integrity data

5) User access rights

Source: Vernier Networks


Network Access Control Challenges • Impact/Interoperability with existing

infrastructure• Agent-based vs. agent-less approaches• Continuous vs. Initial device evaluation• Interoperability between different architectures


Why Network Access Control is important• Reduced risk of outbreak due to infected endpoints• Safe access to networks through VPN access• Controlled remediation and patching of unhealthy

endpoints• Increased security of corporate resources• Increased compliance with regulatory requirements


Thank You

Q&A

[email protected]

Copyright Security-Assessment.com, Qualys Inc, 2005 Moving Security Enforcement into the Heart of...

Documents

Transcript of Copyright Security-Assessment.com, Qualys Inc, 2005 Moving Security Enforcement into the Heart of...