Post on 15-Jan-2016
transcript
Network Security and ISA Server
Paul Hogan
Ward Solutions
Session Prerequisites
Hands-on experience with Windows 2000 or Windows Server 2003
Working knowledge of networking, including basics of security
Basic knowledge of network security-assessment strategies
Level 300
Agenda
10:00 11:00 Network Security
11:00 11:15 Break
11:30 12:00 Securing SQL Server
12:00 1:00 Lunch
1:00 2:00 Securing Exchange
2:30 2:15 Break
2:15 3:15 Lab Sessions
3:15 Q&A
This sessions are about…
…about operational security
The easy way is not always the secure way
Networks are usually designed in particular ways
In many cases, these practices simplify attacks
In some cases these practices enable attacks
In order to avoid these practices it helps to understand how an attacker can use them
This sessions are NOT …
a hacking tutorial
Hacking networks you own can be enlightening
HACKING NETWORKS YOU DO NOT OWN IS ILLEGAL
…demonstrating vulnerabilities in Windows
Everything we show stems from operational security or custom applications
Knowing how Windows operates is critical to avoiding problems
…for the faint of heart
The Sessions
The Network
External LAN
Internal LAN
ISA Server Firewall
IIS 6.0Windows 2003
Access Points
ISA Server Firewall
Introducing the Case-Study Scenario
Understanding Defense-in-Depth
Using a layered approach:Increases an attacker’s risk of detection Reduces an attacker’s chance of success
Security policies, procedures, and educationPolicies, procedures, and awarenessPolicies, procedures, and awareness
Guards, locks, tracking devicesPhysical securityPhysical security
Application hardeningApplication
OS hardening, authentication, security update management, antivirus updates, auditing
Host
Network segments, NIDSInternal network
Firewalls, boarder routers, VPNs with quarantine proceduresPerimeter
Strong passwords, ACLs, backup and restore strategy
Data
Why Does Network Security Fail?
Network security fails in several common areas, including:Network security fails in several common areas, including:
Human awareness Policy factors Hardware or software misconfigurations Poor assumptions Ignorance Failure to stay up-to-date
Human awareness Policy factors Hardware or software misconfigurations Poor assumptions Ignorance Failure to stay up-to-date
What we will cover:
How to Implement Perimeter defenses
How ISA Server protects networks
Using Windows Firewalls to Protect Clients
How to Protect Wireless Networks
Purpose and Limitations of Perimeter Defenses
Properly configured firewalls and border routers are the cornerstone for perimeter security
The Internet and mobility increase security risks
VPNs have exposed a destructive, pernicious entry point for viruses and worms in many organizations
Traditional packet-filtering firewalls only block network ports and computer addresses
Most modern attacks occur at the application layer
Purpose and Limitations of Intrusion Detection
Detects the pattern of common attacks and records suspicious traffic in event logs and/or alerts administrators
Integrates with other firewall features to prevent common attacks
Threats and vulnerabilities are constantly evolving, which leaves systems vulnerable until a new attack is known and a new signature is created and distributed
Implementing Network-Based Intrusion-Detection Systems
Important points to note:Important points to note:
Network-based intrusion-detection systems are only as good as the process that is followed once an intrusion is detected
ISA Server 2004 provides network-based intrusion-detection abilities
Network-based intrusion-detection systems are only as good as the process that is followed once an intrusion is detected
ISA Server 2004 provides network-based intrusion-detection abilities
Provides rapid detection and reporting of external malware attacks
Provides rapid detection and reporting of external malware attacks
Network-based intrusion-detection system
Network-based intrusion-detection system
Perimeter Connections
The Internet Branch offices Business partners Remote users Wireless networks Internet applications
Network perimeters include connections to:
Business Partner
LAN
Main Office
LAN
LAN
Wireless Network
Remote User
Internet
Branch OfficeBranch Office
Firewall Design: Three Homed
Screened SubnetInternet
LAN
Firewall
Firewall Design: Back-to-Back
DMZInternet
ExternalFirewall
LANInternalFirewall
Software vs Hardware Firewalls
Decision Factors Description
Flexibility Updating for latest vulnerabilities and patches is easier with software-based firewalls.
Extensibility Many hardware firewalls only allow for limited customizability.
Choice of Vendors
Software firewalls allow you to choose from hardware for a wide variety of needs, and there is no reliance on single vendor for additional hardware.
CostsInitial purchase price for hardware firewalls may be less. Software firewalls take advantage of low CPU costs. The hardware can be easily upgraded and old hardware can be repurposed.
Complexity Hardware firewalls are often less complex.
Types of Firewalls
Packet Filtering
Stateful Inspection
Application-Layer Inspection
Multi-layer inspectionMulti-layer inspection(including application-layer filtering)(including application-layer filtering)
InternetInternet
Agenda
Introduction/Defense in Depth
Using Perimeter Defenses
Using ISA Server to Protect Perimeters
Using Windows Firewall to Protect Clients
Protecting Wireless Networks
Protecting Networks by Using IPSec
Protecting Perimeters
ISA Server has full screening capabilities:
Packet filtering
Stateful inspection
Application-level inspection
ISA Server blocks all network traffic unless you allow it
ISA Server is ICSA and Common Criteria certified
Protecting Clients
Method Description
Proxy Functions Processes all requests for clients and never allows direct connections.
Client Support Support for all clients without special software. Installation of ISA Firewall software allows for greater functionality.
Rules Protocol Rules, Site and Content Rules, and Publishing Rules determine if access is allowed.
Add-onsInitial purchase price for hardware firewalls may be less. Software firewalls take advantage of low CPU costs. The hardware can be easily upgraded and old hardware can be repurposed.
Protecting Web Servers
Web Publishing Rules Protect Web servers behind the firewall from external
attacks by inspecting HTTP traffic and ensuring it is properly formatted and complies with standards.
Inspection of SSL traffic Inspects incoming encrypted Web requests for proper
formatting and standards compliance.
Will optionally re-encrypt the traffic before sending them to your Web server
URLScan
ISA Server Feature Pack 1 includes URLScan 2.5 for ISA ServerAllows URLScan ISAPI filter to be applied at the network perimeter General blocking for all Web servers behind the firewall Perimeter blocking for known and newly discovered attacks
Web Server 1
ISA Server
Web Server 2
Web Server 3
Protecting Exchange Server
Method Description
Mail Publishing Wizard
Configures ISA Server rules to securely publish internal mail services to external users.
Message Screener Screens e-mail messages that enter the internal network.
RPC Publishing Secure native protocol access for Outlook clients.
OWA Publishing Provides protection for remote Outlook users accessing Exchange Server over untrusted networks without a VPN.
Demonstration 1Application-Layer Inspection in
ISA Server
URL ScanWeb Publishing
Message Screener
Traffic that Bypasses Firewall Inspection
SSL tunnels through traditional firewalls because it is encrypted, which allows viruses and worms to pass through undetected and infect internal servers.
VPN traffic is encrypted and can’t be inspected
Instant Messenger (IM) traffic often is not inspected and may be used to transfer files in addition to be used for messaging.
Inspecting All Traffic
Use intrusion detection and other mechanisms to inspect VPN traffic after it has been decrypted
Remember: Defense in Depth
Use a firewall that can inspect SSL traffic
Expand inspection capabilities of your firewall
Use firewall add-ons to inspect IM traffic
SSL Inspection
SSL tunnels through traditional firewalls because it is encrypted, which allows viruses and worms to pass through undetected and infect internal servers.
ISA Server pre-authenticates users, eliminating multiple dialog boxes and allowing only valid traffic through.
ISA Server can decrypt and inspect SSL traffic. Inspected traffic can be sent to the internal server re-encrypted or in the clear.
ISA Server with Feature Pack 1
Client Internal ServerInternet
Demonstration 2SSL Inspection in ISA Server
ISA Server Hardening
Secure your Server Wizard
Review Bastion Host information in Security Guides
Disable unnecessary services
Harden the Network Stack
Disable unnecessary network protocols on the external network interface:
File and print sharing
Client for Microsoft Networks
NetBIOS over TCP/IP
Best Practices
Use access rules that only allow requests that are specifically allowed
Use ISA server’s authentication capabilities to restrict and log Internet access
Configure Web publishing rules only for specific URLs
Use SSL Inspection to inspect encrypted data that is entering your network
Demonstration 3Internet Connection Firewall
(ICF)
Configuring ICF ManuallyTesting ICF
Reviewing ICF Log FilesConfiguring Group Policy
Settings
Agenda
Introduction/Defense in Depth
Using Perimeter Defenses
Using ISA Server to Protect Perimeters
Using Windows Firewall to Protect Clients
Protecting Wireless Networks
Protecting Networks by Using IPSec
New Security Features in Windows Firewall
On by defaultOn by default
Boot-time securityBoot-time security
Global configuration and restore defaultsGlobal configuration and restore defaults
Local subnet restrictionsLocal subnet restrictions
Command-line supportCommand-line support
On with no exceptionsOn with no exceptions
Windows Firewall exceptions listWindows Firewall exceptions list
Multiple profilesMultiple profiles
RPC supportRPC support
Unattended setup supportUnattended setup support
Configuring Windows Firewall for Antivirus Defense
Agenda
Introduction/Defense in Depth
Using Perimeter Defenses
Using ISA Server to Protect Perimeters
Using Windows Firewall to Protect Clients
Protecting Wireless Networks
Protecting Networks by Using IPSec
Limitations of Wired Equivalent Privacy (WEP) WEP is inherently weak to due poor key exchange. WEP keys are not dynamically changed and therefore
vulnerable to attack. No method for provisioning WEP keys to clients.Limitations of MAC Address Filtering Scalability - Must be administered and propagated to all APs.
List may have a size limit. No way to associate a MAC to a username. User could neglect to report a lost card. Attacker could spoof an allowed MAC address.
Wireless Security Issues
VPN Connectivity PPTP L2TP Third PartyIPSec Many vendorsPassword-based Layer 2 Authentication Cisco LEAP RSA/Secure ID IEEE 802.1x PEAP/MSCHAP v2Certificate-based Layer 2 Authentication IEEE 802.1x EAP/TLS
Possible Solutions
WLAN Security Type Security Level Ease of Deployment Usability and Integration
IEEE 802.11 Low High High
VPN Medium Medium Low
Password-based Medium Medium High
IPSec High Low Low
IEEE 802.1x TLS High Low High
WLAN Security Comparisons
Defines port-based access control mechanism
Works on anything, wired and wireless
Access point must support 802.1X
No special encryption key requirements
Allows choice of authentication methods using EAP
Chosen by peers at authentication time
Access point doesn’t care about EAP methods
Manages keys automatically
No need to preprogram wireless encryption keys
802.1X
802.1X using EAP/TLS or MSCHAPv2
Domain Controller
DHCPExchange
File Server
Certification Authority
RADIUS (IAS)
Server Certificate
802.11/.1XAccess Point
Laptop
Domain User/Machine
CertificateEAP Connection1, 2, 6 3, 5, 7
4
A specification of standards-based, interoperable security enhancements that strongly increase the level of data protection and access control for existing and future wireless LAN systems
Goals Enhanced Data Encryption Provide user authentication Be forward compatible with 802.11i Provide non-RADIUS solution for Small/Home offices (WPA-PSK)
Products shipping
Wi-Fi Protected Access (WPA)
Best Practices
Use 802.1x authentication
Organize wireless users and computers into groups
Apply wireless access policies using Group Policy
Use EAP/TLS and 128 bit WEP
Set clients to force user authentication as well as machine authentication
Develop a method to manage rogue APs such as LAN based 802.1x authentication and wireless sniffers.
Malicious traffic that is passed on open ports and not inspected by the firewall
Any traffic that passes through an encrypted tunnel or session
Attacks after a network has been penetrated
Traffic that appears legitimate
Users and administrators who intentionally or accidentally install viruses
Administrators who use weak passwords
What Firewalls Do NOT Protect Against
Understanding Application and Database Attacks
Common application and database attacks include:Common application and database attacks include:
Buffer overruns:Buffer overruns:
Write applications in managed code Write applications in managed code
SQL injection attacks:SQL injection attacks:
Validate input for correct size and type Validate input for correct size and type
Attacks: Buffer Overflow
Aka the “Boundary Condition Error”: Stuff more data into a buffer than it can handle. The resulting overflowed data “falls” into a precise location and is executed by the system
Local overflows are executed while logged into the target system
Remote overflows are executed by processes running on the target that the attacker “connects” to
Result: Commands are executed at the privilege level of the overflowed program
Attacks: Input validation
An process does not “strip” input before processing it, ie special shell characters such as semicolon and pipe symbols
An attacker provides data in unexpected fields, ie SQL database parameters
Implementing Application Layer Filtering
Application layer filtering includes the following:Application layer filtering includes the following:
Web browsing and e-mail can be scanned to ensure that content specific to each does not contain illegitimate data Web browsing and e-mail can be scanned to ensure that content specific to each does not contain illegitimate data
Deep content analyses, including the ability to detect, inspect, and validate traffic using any port and protocol Deep content analyses, including the ability to detect, inspect, and validate traffic using any port and protocol
Session Summary
Introduction/Defense in Depth
Using Perimeter Defenses
Using ISA Server to Protect Perimeters
Using ICF to Protect Clients
Protecting Wireless Networks
Questions and Answers