DEFCON 20: “Your network sucks” Skytalk

Note: the dialog noted here is a general representation of what was actually talked about in the presentation; it is not accurate and may not be the exact ideas stated by the speaker, as he was kind of getting drunk.

“Your network sucks,” stated Anch with an almost slurring dialect as he began his Defcon 20 Skytalk. A drink in his hand to cure the previous night’s hangover, he informed the audience about how many networks he’s seen that suck by design. Sure, you can have network admins who can set up switches and firewalls, but there are a few points of security that you end up missing. Or, if you do end up having the security, you end up implementing it incorrectly, rendering it useless.

“Some people think that there is this magical device you can plug into your network which will automatically protect it from all hackers, this device is called an ‘IPS’; it is in fact a marketing term for an IDS that costs more and has cool blinking lights on it.” His main point ran clear: appliances don’t protect your network, you as the network administrator protect your network. If you believe that you can just put a device on your network and leave it alone, thinking that it will protect your assets, you are horribly mistaken. Each of these devices, for whatever preventive measures it takes, firstly cannot block all attackers or methods of attacks. There is always a way around it, though it may make life a little bit more difficult for the person who is trying to get in or around your appliance. New attacks and methods are bound to arise, and without configuring and updating that appliance for every possible vector, known and unknown, you cannot stop everything. And secondly, these devices usually work on layer 3 and don’t cover much in layer 2 of the network.

“DRINK!” the crowd yells as Anch looks at his cup in despair.

“I’m going to get so hammered…” as he takes another sip, “so people think that they can secure their networks by using VLANs…” Indeed, utilizing VLANs on your network can help segregate different machines and systems on your network into logical network groups. Problem is, if they are set up, they are usually set up incorrectly and misconfigured. The issue of VLAN hopping also arises, and while technically harder to do for an attacker, it is still possible. “VLAN segregation is not an effective security measure, it is simply a separation method.”

“ACLs are great, if you take the time to set them up properly.” Problem is, most people don’t set them up properly. Also, they are, like VLANs, not the “perfect” solution, meaning that they shouldn’t exist on their own as the only security mechanism. In a way, ACLs function like a rudimentary firewall – great for keeping out the known and preventing easy attacks by filtering packets. The key is of course, filtering – while it may catch some or even most of the bad packets if maintained, it won’t get everything.

“And lastly, there is 802.1X, which sucks because it doesn’t have client support.” If your network has all Windows machines and only Windows machines, you really don’t have to worry about this…for the most part (again, configuration is key). However, once you start including Linux into the scope, let’s just say that the complexity of configuring Linux clients becomes a whole different story. And for those using agent-based solutions, you’ll probably have to bug your vendor to release a stable agent for each distribution of Linux that you currently use (unless you can persuade them to hand over the source code…good luck, bring plenty of cash).

“Here, I have a refill for you,” one of the audience members says as he hands Anch a cup.

“What is this stuff, it tastes like crap!” “Oh, it’s Heineken; screw that, I’m not drinking this stuff!” Anch exclaimed as he went and poured himself a Fat Tire. “So where was I…oh yeah, how do you fix your network so it doesn’t suck anymore.”

“Organization and monitoring are key. Your network diagram is the first thing you have to fix because it probably sucks.” Indeed, if you are like every other network admin who uses Visio to make a diagram, you are cutting yourself short on information, not to mention any updates to your network make that diagram practically unmaintainable. Your network diagram, to be complete, must contain the following at a minimum:

  • IP addresses for devices and machines
  • MAC addresses for devices and machines
  • Ports on switches correlating to the MAC addresses for devices and machines

Those are the basics. Then, you group computers and devices into logical segments based on functionality and network traffic type. You have your sensitive servers in one area, you have your mail servers in another, and file servers in yet another. The main purpose behind grouping servers is to then monitor the traffic coming to and from the servers. Any odd traffic? Investigate it. Watch logfiles and obtain data for system events. Find the norm for the server and then you can filter any anomalies. Don’t stop there though; investigate the norm for the server as well – it may have already been compromised (in which case, establishing the norm traffic pattern for the server would include the suspicious traffic). This is the job of the network admin – “fancy blinking lights” of a costly network device will never replace that functionality.
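The inventory-and-baseline approach described above, as an added example that is not from the talk or the original post: it checks observed IP/MAC/switch-port bindings against the documented diagram, learns a per-segment traffic norm, flags flows outside it, and lists learned "normal" flows that nobody has reviewed. All addresses, segment names, thresholds and function names are constructed for illustration.

```python
from collections import Counter

# Constructed inventory: the three fields the diagram must carry, plus a segment.
INVENTORY = [
    {"ip": "10.0.10.5", "mac": "00:11:22:33:44:01", "port": "sw1/Gi0/1", "segment": "mail"},
    {"ip": "10.0.20.7", "mac": "00:11:22:33:44:02", "port": "sw1/Gi0/2", "segment": "file"},
    {"ip": "10.0.30.9", "mac": "00:11:22:33:44:03", "port": "sw2/Gi0/5", "segment": "sensitive"},
]
# Constructed observations, e.g. merged from switch MAC tables and ARP caches.
OBSERVED = [
    ("10.0.10.5", "00:11:22:33:44:01", "sw1/Gi0/1"),  # matches the diagram
    ("10.0.20.7", "00:11:22:33:44:02", "sw2/Gi0/9"),  # documented MAC, wrong port
    ("10.0.30.9", "de:ad:be:ef:00:01", "sw2/Gi0/7"),  # unknown MAC using a server IP
]
# Constructed flows as (source segment, destination segment, destination port).
HISTORY = [("mail", "file", 445)] * 3 + [("sensitive", "mail", 25)] * 2 + [("file", "sensitive", 22)]
TODAY = [("mail", "file", 445), ("file", "sensitive", 22), ("mail", "sensitive", 3389)]
APPROVED = {("mail", "file", 445)}  # flows an admin has actually signed off on

def audit_bindings(inventory, observed):
    """Compare observed (ip, mac, port) tuples against the documented diagram."""
    by_mac = {h["mac"]: h for h in inventory}
    by_ip = {h["ip"]: h for h in inventory}
    findings = []
    for ip, mac, port in observed:
        doc = by_mac.get(mac)
        if doc is None:
            findings.append(("unknown-mac", mac, port))
        elif doc["port"] != port:
            findings.append(("moved-port", mac, port))
        owner = by_ip.get(ip)
        if owner is not None and owner["mac"] != mac:
            findings.append(("ip-mac-mismatch", ip, mac))
    return findings

def build_baseline(flows, min_count=2):
    """The norm: flows seen at least min_count times in the history window."""
    return {f for f, n in Counter(flows).items() if n >= min_count}

def anomalies(baseline, flows):
    """Flows outside the norm, deduplicated, in first-seen order."""
    return list(dict.fromkeys(f for f in flows if f not in baseline))

def unreviewed_norm(baseline, approved):
    """Learned 'normal' flows nobody approved; the norm itself may be a compromise."""
    return sorted(baseline - approved)
```

The last function is the point about investigating the norm: a flow that was already present when the baseline was learned never shows up as an anomaly, so it has to be reviewed separately.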

“The point I’m trying to get across,” Anch said while stumbling about a bit, “is that a condom is better than Saran wrap that you currently have when it comes to your network…”

“It’s still better than tinfoil!” yelled an audience member.