ࡱ> n ە/+h;K_PNG  IHDR, 9!sRGBgAMA7 cHRMz&u0`:pQ<fPLTEf3333ff3fff33f3333333f3f3fff33̙33̙3f̙f3ff3f33333F p+tRNS'4 5 cmPPJCmp0712|4IDATH E#ZSkTdTc/@:CDi/G&HHw˫ ZmUս>@ b1ȑc1^~{~~w1~DI8DXoc}$)E$UU;{G >3cE)̙ͩ,g0@ݬy:㸐/yz'''P8W_%5YUUkt9zHvH:oJtt Xgn]zZ=^PU>>??O3sOFNIsZ\x21n0]LvM On{NSU[mUG+;okVV$H@o"" ì/v+CҬ$5F q0"Sd;G&I}e⒈a~ɉo/mmH wF;KjwEYcqۡLRU%ޭi".eXN"+UH_M2efyMjSR2[>gd=s],3;a:du먉wkrbc*Ih~|Bȑ9e]9d\*RBR9s׹$sued7fyj+g 5]U'QaEުfVȐnm 2xf?_f]E({3p9`sN|Eie\IP`T5 $G&djdsN͔}Ձ@3n=WXIݚ&Z39;'U@YKRzWL1O" hM:L]7ku5ެK]Rn~ 9UV AJ4 (/MSJ)=+:go b=2#Z&ȐgLM x9O*rN7U$nj!63I$M?wO>'o!$DIENDB`nz XO w/\cPNG  IHDRX _a;gAMAPLTEff̙f̙3̙f3f33f3f3333ff3fff33f3f3f3f33f33333333333*pMsڇa QQEܩqN|]+5 ~psaauXru4%UŎۚ9tRNS AbKGDIDATxXr6 tƦrG(RdVu% /7鄒%QI`XwnΡ77RHc")46&smIO~k[qۍݚpodct>u`.i٥ÞZeV1&[a^+ruՖcǽ{e{u.s: *|4kVfo7u q" 7 m 3P rC~nӎ7|DB&(#D ʕtv^\C*ƭ&)\*OAɵo% ڧW X?4R=liB`|U؉f3PLi43JhA*|>;T ^G*w-njY590'gX|~MEW!-]kdIsY8[g8|76f%zM;4֢k9?%uJA#Rf+K**[ݰ&j$̬w4bF^wm\Fv81'qO!ɩ Wbu, X2هb97KImTH,IvDUgqIojZ]^}輥%>rJY2gBvk2j[o6 w̼Ƭk|6dss{-:frfhazfƔz݆j:Q摀NaR#đW$.1>J(a״,k&dm_c+mJ܏7!Eu[+ D?#_Hq$ U(*osDffrora|s x$u%9d\cz ^z\* ~5&%h820"Ԅd^>U*um\C@r&FVTdof-}f>QW%:嗔+2TZ䓅er JKTq^mC3Hz¢Q;ӠA4Gy,>`)<9, *um(l EmJd#QWݯ` X"dZhx.T,hWOt &fT)[B͹o(e- j^sE+H+#鬐0,w,P_3xAjXK/u u$RZU"?1R>YW4e҆$%ɮLIJ뱵8bUpT_G ɞeAbѽ2' E[uʦ#UРWO:ݕV1"^t2MV<6{QdRmZ(Sѻrˌ0Nk #HQHIGS r\,.5sů'&XkFJ[&3/z0D,G$CBP/=MLjOBni6*Q {FY+ =\Di"aLf-ER2t /@w?7oiVUsFIENDB`na;`B;;˃ PNG  IHDRX<B4sRGBgAMA7 cHRMz&u0`:pQ<PLTE33f3ff3PP̙f3fff333f33f333f33f333f333f333ff333ff3ff3f̙3f̙f3f3f3ff33f3f33f33ff33ff33fff̙f333tRNS@f cmPPJCmp0712g9IDATx}kwȒڽ=uے%B{U(16#" 3CR$E Ȭ]K1Dܦ)NM]wlƧ]&64 ~t0a\o~i?Gӭyhm'MLa]um .V6]ǩ>/`6ڵio-=p[>tB .qL"~ojfׂzi)}Χ=~>‡_q?ys{yRJ]tN//'罽l?=ϓ/×߿?`O;hkz =s>rܦ)|a˗x`_s?~^mv][a!9]n17DZmqoci O_/__/_=|1}^ @a+L@]gu!g{E|9}9 tԙ' xyq2xlprWc{d,P,; ߇_ ?qўw_|&{T17\rO_&·bbq&27c]04s35g,˶#hyZa|.PnM44MX5(A 3+ii0*a}ZC s6xN0Vͻ]+cPpJ^Xӡ3/ Sy/ Wϟdzׯvk,nw$#7l?xN8mٴe,aˠΚ~ǂ 5U2k@>>|؜@{ kf2"=Yxɇs2dxV3:j[Lq<ě1,CX{eAˮdoloA8+CUζd8YT4:/{O`==#}<aBovŭǧO_^>+C!l_N(b,G>۝=ʾXycXae='g,Ba(en%raq͢!$? I  8O!0vHdkD#iʘST#Ƙ 3$a>2 +F-c v+o3mtMC.@Su@Q`%{cQ\>~i,i=cy6Xr!=BY2,fx|_p|748_J:d2+&1oX/2Hx/ `BBξ8p-Jg;%dX8Y$,@k'G^Rke-q>6? (>>4qV0c DTT_V&Z@A͎AY@Vs2.V캨[4eȌ@eYT`-&,C!VfUk>+er`V!G$;SZfCƲ#`xt (;!~~/7G'bW~d[/P:T+Iv?/GCgX<.gJVa D$9U !aB ~Z0Xh3#k2\ wFPRp0k+0LbN8ktdgrؕ)%Vhm02u% 7FpF428#υ |thgOqX"f=ak~,@k\*bfkg7y[`Mz[2Ͷ@C ؚrcq+SxT/^^pL& qVq<;eGC0Y;p6bY1hw#ʬQeS LBHw6"~! 큪'&v !xbpE$<ЎY9zKAYWG(: )@2AǙD%EK]23@0A,1(w;'#1YaWw")m] L)" PZĄMaeQȈvю: +0mYP(3:QV ,hۅ`J ZЊ]@ޗYLt/R^FmeigUcjeȗLn/Ҟg8/~Y@X%zFY~dNO?l_xRG4ҁ ZH؉KZ*G"EhK(h+\ La])9L,4Pbv!ɧ@qBMVs$lvgy'!˖p*,> < R.>ҮkO!3 -۳ʯB %.!515,1> #4Yaa2bL;S$-ՂV$!ap,.Bd(TA ˂-IP]j¢V  q8ar^wد)8d>ەIߦ%Z7!Zz- ]KvfGblq)tD4Oʞu{3dbV 0|va 4P,z22d=1踕פ Qǎ"dc(!h1@7Nf%daGwrNw.@Uuo S$<)l'Beo 3z 8&w }j !H5W!Xv&[hfzH7dH֌"c@c:vZG (!\Ԝs萑)-Z8mYl5m IV8Z|e8-&@eY{I`۷$(54 U *%,>^>=ݑO_ T}ʐ2~}Qۆ#)yP, N㱡T; pwVV4jA P3Ʋ\cP[GTݷ QPߴˉHP5+l`T - 9SR˿*cim%c wmtXELD$Z2L߽$jqp>_"пAtxi #4Eir\ž 1kymiW~jh +I!Ϣ2FhqVEO'G :z 円@FB }O8BVO?(®4Yx"ͦNd>% !Uxt*;FU23 e1XaB=!Ryp,!i{& ~`trHEʇ@.DX'7Zg)'(9eXby Ŗ&`Vj눬X/\H;ʡ1jl!-bhB'˦LR^aasY0(Nΰ1\o{EDl`P mt׺†P_>$Oi8YGXl"b 07b1H5"g2!2R2gֽ,DRT3 ?S؋;8!B*,4dzIb@5:Z΄ɠ^4y  )ɫ'3\Y&JaogMpĠTF&ITKWDU*ZNpn2~C~w "턝0PPu v};e̱rY2Y5B@! s >Zk Rk0ckKF<'؎ DV"kG=K0⫕jj/egHYbD05*KSk'!P2 2<N#l5v@jᖠOe{G8J f9}8xV'k++F!#3~UxBQŴ_ee%$dcp$Si.副 (2zRF[GZϴ0¹#pyap&:\ƞz!C8L?'@u D35>: k3 1ޢ7+ŁqhP0G(BU\dW"GAnșt$J'Wr bŎtI f:  @];a,a}\q< ܜ&xx}b!C6IIA˺ .a3 P/=dl'Ϸ`F@ U nK˽`Sd;`+ 4C/ޠϡ֥YbՃ4RbG)z#ڍ #_ '0VYDR.[HRaQ/"K~OH DU {\IQoߑC\x#Ri?X#8<[;)^]rD"ҊmвC֏*PYn*JFVCh'K]d,Tu#aH7-\*& 朴վ`)?kN=6Gب$]:2KKB(X+/Q=medJ8]dRl3J?KX=feTUP(MZIU&Be1H%*ϕoOހt!8g F>+=2)dFQ\Զy*O|ȇFHd},-r)aC`z"%DT Ooi6([r0hW Kg5:c:{YJ䀫'gQQ2SljkG 6m޶~`XTR_G DKL0Vlo|4 MK 2\=W+ sr\z:]NW}.?w`d3%m o7j/&2Zc-K!#J|ъ, T SO /ѹ"M*HYBY1NTTA%]nl=ղdx \0$5)i.3x?_dAYSSAvƫ) h%Z(ʂ*,h`ߥaGjONf)I]%Sn{COڈKJNYW#71p/ 2Nu^(FkzY (x+$eBHX۴i͗'7APY2߁jaJ^T0+'ɤx1~nG*;:NƈB@≃;@.xgb*dՂR:I13nUY`󑕖(T\Tc + *AnܶI&v7wqlEej$ȏ*TөEV4+ jlEY4H]fm`])2?蘆E[56"~`cetGW JB# >ufmԱڨQv )w""r_q{I-|hM #[AU"m]~bd GyXL އ"@LV ".bJ?ﮕ6L&{4%*( }ȫhM%fA#'Od'jGB LLR3yQÈ!kU3#CI&3U,q0Y؟ q1Φz' JaLRulrX<']!]Wynư}Y*d$U(WBJCRJF[`ڼ)UkZyaY4JAUhIcC: Z!uנYv溅Igo@:D)A2~ݹzwxck=#+}//c݉@f֐aQCV0O: UY&Fc5*3 ?g_|F`v}RJQr c  ]$qBYD\7˄i]BdʑUb,*nF[+ Ejoopy L;9]6haZk~ӝ[^)#'GҘ@RQS[Qq؎Rd$eQd:U!U^M E"lzy9UUVr=Uni1D*(^= Ғ"\e-F^ey>8,ǚxTmMlw oU ]Yߗׅc-4Z䦎TN y|䐲OhцO? O;;LEɔ ޒ W V192 kEed#-=(Yd<ScܥWW6_V_].m#-$:m'?HPatLX5$nNozx?cuEҒ"ۗ2aCMwnrHoHMPkmum#baZ\5ʱ0"6 A wuq@sl6o0Xg.N?h" KlЇwD ӛ'%Z ϩTNW-%  q`FXgUO-I<(Ȱ Mg/ &.IgrW"okqX,)I7u06.WjuX0߮V{(YZN|o\a޽\X+aCU!Em:UϾ饭`8ՏX#"pZʩS{QӯЈ#WZ/b5ҎnOwH#a,C^%JW D4J/@=ِçԊ!F UW ,xkTYTZr< Z^ȅ #L/KQQgϐ>- =vJ)ÂG0 .ۢ IZ^5j%8"ow ] krdŵ'b ;GVG"txl K3&Dӵrjv0-2G!u-$IbݛRڕ~V0JuUWAPO;𢶭"X gP_ tMTz)r$V$NÒ?P;\/X1 B.W'v,VQ_ӿ2Gr YHޛ欼E-a& ɦpۊv{k• 1MmܖĪ*t,չDe>"DHthy;N-n68:dF|FŠV!E%QGQP>v7XW v xX^Rِ%,Z31Å p˾L?NXoX aa(O+>J\3:R1U5T{m3U;M!&uzM\|Po65 kY̌Ik֫n}iRE._5pEZ ; E4ƒVwPAjZV\[lQj1Z~4I3]'%1xhCp2&U8f&Dt*3,o8k@%W5mps%k߷i rM Xq 7~htGϠCq f y<N9MI5K~^+2;xiF.@Ճ6B\_`_ H 91ĦAvڇ8UiIŵ{ƍ5+#vƯ'MMY"eF"Pk ܑ?v2 w\K1A7@fM߿IM H<{)˙2dgWùʶYһNWaiʠ_7_ءuQ)_D[mP9:,m<}c}4 ?u0r^zgDP[IF_=Պ!6M CIG smCJV>-V¡e}CQ:t#M^|>kV )8λ#zW~7[;|) :諶TA\,a Y}SLJcRa;r\$ZTk6EaW!'NYo4ɾx 5hC0x럧7ZJFoqiiN`55;ƒƊgPy]Denx`jm&]9OӭQ07YcMWqRT[Gw rT|TTP\&Dwh_`{IIJN XFVaiRWE?RGWZ1X+,j:L23fQ4@HW-ezzܫ\3D:>BYl)O)o @Z?FH8z,D? $vPcJlv;s/Vy2@ʽu?i)鍲OU~8W vLaQTu[s1bTTNyL"cε6jSCv |{*/ C|:.1w4C^mV?\+΂*N[. 28oA [ncIiXm\z{2VsF ! nC4i"5Sir{'e"=7i;uUmAdWG1\+ӹ"zA04dZo.bZ)j,2H$CE]z\h3n4]Tc8)2?<\!N߼EK{MNֻHIjY:)< LU~M6}Z+VO!n <*k\wVN`GHcx ow}Bx#:ol)‚Nn3,Q\N3 tD+:̱2V#flpNBܜTӾ ʶpy0o+66v, dHACt%WGٯZ #f)^ʩc(zi(xͅu~Z{CU|vĝ] G~ ?Nuwpn:h,i-8-)a鈩P-i#$Kil7iI;5co'[Jo߹ߕ;S]_Zc4Lgo[&$>b: C/%yꞭg_AoY "UsN^VNYWH{pظ )~:iW7(. V ͬooɛ& ≔V pʏbmQUG- @gpUmgEx{gVN+nN|0 <3Xmq~:eNeMTY$dDŽfUi0n^ 5'eLтb*j'і5>-3"6K eUf+"∑NBjJԅ.ƺfvqh@cz[†?AaiI Kތwݧv g__VONV .kCmzwHI#nPwQy5Vm=^)7ژ[-]|zz?c.Oxv"fs=&W.@c0H#p3&+Roۙ!i5'K? i$d-RpC _fY▕u{4ws:b&8lGo/x6magSˇ#k3Gj} :]&/RJ>L>!@VXG.*v`oozpLYj8߅u'$9>sal3z۽d,>טhk,IENDB`(5( / 0DTimes New RomanȷȷԳ0 0DArialNew RomanȷȷԳ0 0" DWingdingsRomanȷȷԳ0 0   @n?" dd@  @@`` 6.!a        ?b$ ە/+h;K_b$XO w/\c b$`B;;˃ i;s j0e0e A18c8c     ?1d0u0@Ty2 NP'p<'pA)BCD|E||@8g4QdQd 0XNppp@ <4!d!dmȷ <4BdBdȷȷ?&, app062799O =--The Home Team Advantage_A. Padgett Peterson, P.E. Information Protection Lockheed Martin Corporation Orlando, Florida $`E The Home Team AdvantagePWhy bother ? Attacks coming faster Using novel mechanisms for attack (dare I say  covert channels ?) Responses slow  Nothing worse than an expert out of their field &  The Home Team AdvantageIs defense feasible ? Good question Defenders need to close every hole, attacker needs to find just one Many find  school of fish approach attractive (may I suggest a tontine ?) Others just keep their resume updated&The Home Team AdvantageFIf defense is to work, defenders need an  unfair advantage Perimeter Defense Desktop defense Layered Defense Defense in depth  It s not just an admin job anymore 6<C%<C%The Home Team AdvantageFor years tools have been designed be  universal applications. Can be launched from anywhere Operate across bridges/firewalls Operate unattended Consider portscanners ISS Cybercop Satan/Santa Socket2me T@R$@R$,  The Home Team AdvantageAll are essentially similar Select an IP (or range) Identify hardware/OS Select a port from a list Try to open it If it opens, perform known manipulations If that works, identify vulnerability To here is basically the same for attacker and defender 699The Home Team AdvantageR Home Team can Identify IP range Identify hardware/OS Compare to map Correct Exceptions Run Portmapper/NetStat Identify Services (expected/not) Identify vulnerabilities*ZZ,] :The Home Team Advantage@Difference: can walk up to machine, run local tests, interview administrator Example: consider  Back Oriface Scanner can only detect if uses default (no password/ port 31337 Portmapper/NetStat will show anomalous UDP no matter what configuration Of course you must know what to expect. Rnn >eC _The Home Team AdvantageOr consider Port Scanners themselves Most check only most common ports FWTK checks less than half Commercial scanners may check as many as 100 known ports Why ? RTT But if you are local can test all 65,536 ports in about ten minutes:%D%D The Home Team AdvantagerSome are wondering  why all 65,536 ports ? For one, is a nice firewall test but takes two machines  one on each side of wall. Pump 65,536 packets (131,072 with UDP, couple more for ICMP (LOKI). Find out quickly what gets through and what doesn t. Reverse for other side. Takes about an hour but often revealing.:: The Home Team AdvantageSome are still wondering & Well if defense is just a screening router, can just read the ACLs (why bother with test at all). But if the  firewall is a  farm 15 to 25 different machines Several different products Is often easier to detect ports first, then say  why ? <Z7Z8Z78Y The Home Team AdvantageXAnother is MAC addresses (quick: name four different meanings of MAC) Lost when cross bridge/router/firewall But if you can run scanner locally then header contains MAC address Six byte value Identifies manufacturer and often model Must open box to change VAX magically becoming PC is cause for concern Believe Mr. Smith knows about MAC (now).tZ-ZlZ~Z)Z-l~)  The Home Team Advantage-If MAC addresses are known, can also record location of machine On error know where to dispatch help Can identify movement on dubnets Can also use active hubs (e.g. 3Com) Allow traffic on that line only to/from that MAC address Defeats promiscuous setting, will only receive own and broadcast traffic.L@F%@F%~  The Home Team AdvantageYet another is knowing which IP addresses are assigned. Devise a promiscuous machine to respond/record any attempt to ping or open a port on an unassigned IP. Alarm if multiple DHCP provides a different problem and requires an active system with knowledge of assignments<8ZyZ^Z8y^ The Home Team AdvantageGrowing increasingly important is control of executable attachments and embedded instructions Major difficulty is identifying executable attachments and syntax. Could block all incoming containing attachments All executable HTML (