Date posted: 23-Dec-2015
Category: Documents
Uploaded by: myles-horn
Enabling Secure Remote Access in your environment

Steve Lamb
IT Pro Security Evangelist
http://blogs.technet.com/steve_lamb
[email protected]
Our time today
• Solving the access vs. security dilemma
• Understanding the three methods
  • External access to internal web-based applications
  • Providing users with “desktop over HTTPS” capabilities
  • Building full IP-based virtual private networks
• When to choose which?
The dilemma: access or security
• More users require more access from more places
  • Increase in mobile workers and where they come from (homes, hotels, airports, hotspots)
  • Wireless access is everywhere now
  • No longer just “employee” access: business partners, customers
• But we can’t compromise security
  • Remote access increases security risks
  • Unmanaged PCs and devices
  • Unpatched and unprotected devices
• Difficult and expensive to implement current solutions
  • High prices
  • Difficult to deploy client-side software
• Ugh! How do we do this?
Internal applications via the web
• Examples
  • E-mail (Outlook Web Access)
  • File sharing (SharePoint varieties)
  • Custom applications
• What’s in common?
  • Internal application
  • Runs on a web server
  • New business requirement for providing access while not attached to corpnet
• Security issues
  • HTTPS is the transport
  • Provides the necessary privacy for protecting confidential information in transit over the Internet
  • But what about checking the content?
    • Intrusion detection (if you still do this)
    • Validating conformance to information dissemination policies (email, documents, …)
Typical design
• Good: performance
  • Isolates access based on location
  • Protects internal network
• Bad: security
  • Tunnel through outside firewall: no inspection
  • Many holes in inside firewall for authentication
  • Anonymous initial connections
[Figure: typical design. Components shown: App, AD, App, DB]
Improving security
• Security goals
  • Inspect SSL traffic
  • Maintain wire privacy
  • Enforce conformance to HTML/HTTP
    • Block misuse of the protocol
  • Allow only known URL construction
    • Block URL-borne attacks
  • Optionally: pre-authenticate incoming connections
Protect the application with ISA Server
• Better application-level security
  • ISA Server becomes the “bastion host”
  • Web proxy terminates all connections
  • Decrypts HTTPS
  • Inspects content
  • Inspects URL (with URLScan)
  • Re-encrypts for delivery to web application
[Figure: App, ISA Server, DB, AD. The encrypted stream is shown as x36dj23s / 2oipn49v arriving at ISA Server; the decrypted content (“<a href…”, “http://...”) is what gets inspected]
Protect the application with ISA Server
• Better user authentication
  • Easy authentication to Active Directory
  • Pre-authenticate communications
  • ISA Server queries user for credentials
  • Verifies against AD
  • Embeds in HTTP headers to application server
  • Requires FP1
[Figure: App, ISA Server, DB, AD; an unauthenticated request is answered with 404]
New wizards and better HTTP rules

AuthN delegation requirements
• Authenticate at the perimeter
  • Choice of domain membership or RADIUS
• Client to ISA Server: basic or forms-based authentication
  • ISA Server presents form and generates cookie
  • Separate timeouts for public and private computers
  • OWA form included; can copy and reuse code for your own forms-based applications
• ISA Server to web server: basic
  • Won’t work with client certificates
  • ISA Server has no access to client’s private key
Delegation process
[Figure: sequence between browser, ISA Server, RADIUS, AD, IIS and WinLogon. Labels shown: URL; 401 + OWA form; form variables; access-request; access-accept + group attribs; URL + basic creds; WinLogon token; cookie; data. Reading the labels with the previous slide: the browser requests a URL, ISA Server answers 401 with the OWA form, the browser posts the form variables, ISA Server sends a RADIUS access-request and receives an access-accept carrying group attributes, then forwards the URL with basic credentials to IIS, which obtains a WinLogon token from AD; the data flows back to the browser together with a cookie]
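The delegation flow above, modelled in a small Python example added here (this is not ISA Server code and not part of the original deck). The proxy accepts the posted form, checks the credentials against a stand-in for the RADIUS/AD lookup, issues an opaque cookie with a public- or private-computer lifetime, and on later requests turns the cookie back into a basic Authorization header for the web server. It also shows why the slide says client certificates cannot be delegated: the proxy can forward a password it has stored, but it never holds the client’s private key, so there is nothing equivalent to forward. The directory, the two timeout values and the session table are constructed assumptions.

```python
import base64
import hmac
import secrets

# Constructed timeouts (seconds). The slide only says public and private
# computers get separate timeouts; these particular values are assumed.
PUBLIC_TIMEOUT = 10 * 60
PRIVATE_TIMEOUT = 8 * 60 * 60

# Constructed stand-in for the RADIUS/AD lookup: user -> (password, groups).
# A real deployment sends an access-request and gets group attributes back.
DIRECTORY = {
    "alice": ("correct horse", ["OWA Users"]),
    "bob": ("hunter2", ["Contractors"]),
}

# Server-side session table: cookie value -> session record. The cookie is an
# opaque random token; the credentials themselves never leave the proxy.
SESSIONS: dict[str, dict] = {}


def verify_credentials(user: str, password: str):
    """Stand-in for the RADIUS access-request / access-accept exchange.
    Returns the user's group attributes on success, None on failure."""
    record = DIRECTORY.get(user)
    if record is None:
        return None
    stored_password, groups = record
    if not hmac.compare_digest(stored_password.encode(), password.encode()):
        return None
    return list(groups)


def handle_form_post(user: str, password: str, public_computer: bool, now: float):
    """The proxy received the login form variables. On success it creates a
    session and returns the cookie value to set; on failure it returns None
    and the caller re-presents the form."""
    groups = verify_credentials(user, password)
    if groups is None:
        return None
    lifetime = PUBLIC_TIMEOUT if public_computer else PRIVATE_TIMEOUT
    cookie = secrets.token_urlsafe(24)
    SESSIONS[cookie] = {
        "user": user,
        "password": password,   # retained so basic credentials can be delegated
        "groups": groups,
        "expires": now + lifetime,
    }
    return cookie


def basic_token(user: str, password: str) -> str:
    """HTTP basic credential (RFC 7617): base64 of user:password."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()


def delegate(cookie: str, now: float):
    """For a request carrying a session cookie, build the header the proxy adds
    when forwarding to the web server. Returns None when the session is
    missing or timed out, which sends the user back to the form."""
    session = SESSIONS.get(cookie)
    if session is None:
        return None
    if now >= session["expires"]:
        SESSIONS.pop(cookie, None)
        return None
    return {"Authorization": "Basic " + basic_token(session["user"], session["password"])}
```

A public-computer session expires after PUBLIC_TIMEOUT; a private-computer session lives for PRIVATE_TIMEOUT. Once `delegate` sees an expired session it removes it, so the same cookie is rejected on every later request.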
URLScan 2.5
• Policy-based URL evaluation
  • Define what’s allowed; drop everything else
  • Just like you do in your firewall (right?)
• Helps protect from attacks that:
  • Request unusual actions
  • Have a large number of characters
  • Are encoded using an alternate character set
• Can be used in conjunction with SSL inspection to detect attacks over SSL
  • Yes, the script-kiddie warez do this now, too
URLScan specifics
• URL canonicalization
  • ..\..\cmd.exe
  • %2e%2e\%2e%2e\cmd.exe
  • %352e%352e\%352e%352e\cmd.exe → ?
• URL length
• Content length
• Content types
• Permitted or blocked headers
• Permitted or blocked verbs
• Permitted or blocked file extensions
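The two slides above describe an allow-list request filter that canonicalizes the URL before deciding anything. The Python below is an added example of that approach (it is not URLScan and does not read urlscan.ini): it percent-decodes until the string stops changing, treats backslashes as separators the way IIS does, refuses anything that needed more than one decode pass or still contains an escape, resolves `..` while reporting an attempt to climb above the web root, and only then applies verb, length, header and extension allow-lists. The policy values, the `Request` shape and the blocked header names are constructed for the example.

```python
import posixpath
import urllib.parse
from dataclasses import dataclass

MAX_DECODE_PASSES = 3


@dataclass(frozen=True)
class Policy:
    """Allow-list policy; anything not listed is dropped. Values are
    constructed for this example, not URLScan's shipped defaults."""
    allowed_verbs: frozenset = frozenset({"GET", "POST", "HEAD"})
    allowed_extensions: frozenset = frozenset(
        {"", ".htm", ".html", ".asp", ".aspx", ".css", ".js", ".gif", ".jpg"})
    blocked_headers: frozenset = frozenset({"translate", "if", "lock-token"})
    max_url_length: int = 260
    max_content_length: int = 1_000_000
    allow_high_bit: bool = False


@dataclass
class Request:
    verb: str
    url: str
    headers: dict
    content_length: int = 0


def canonicalize(raw_url: str):
    """Percent-decode repeatedly until the string stops changing, then treat
    backslashes as path separators. Returns the path (query stripped) and the
    number of decode passes that were needed."""
    url, passes = raw_url, 0
    while passes < MAX_DECODE_PASSES:
        decoded = urllib.parse.unquote(url)
        if decoded == url:
            break
        url, passes = decoded, passes + 1
    path = url.split("?", 1)[0].replace("\\", "/")
    return path, passes


def resolve_segments(path: str):
    """Collapse '.' and '..' segments and report whether the path tried to
    climb above the web root (posixpath.normpath would silently hide that)."""
    out, escaped = [], False
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if out:
                out.pop()
            else:
                escaped = True
        else:
            out.append(segment)
    return "/" + "/".join(out), escaped


def evaluate(req: Request, policy: Policy = Policy()):
    """Apply the policy. Returns (True, canonical_path) for an allowed request
    or (False, reason) for a dropped one. Canonicalisation happens before any
    path-based decision so encoded variants cannot bypass the checks."""
    if req.verb not in policy.allowed_verbs:
        return False, f"verb {req.verb!r} not allowed"
    if len(req.url) > policy.max_url_length:
        return False, "URL too long"
    if req.content_length > policy.max_content_length:
        return False, "content too long"
    for name in req.headers:
        if name.lower() in policy.blocked_headers:
            return False, f"header {name!r} blocked"
    path, passes = canonicalize(req.url)
    if passes > 1:
        return False, "multiply-encoded URL"
    if "%" in path:
        return False, "malformed escape in URL"
    if not policy.allow_high_bit and any(ord(ch) > 127 for ch in path):
        return False, "non-ASCII characters in URL"
    path, escaped = resolve_segments(path)
    if escaped:
        return False, "path traversal above web root"
    ext = posixpath.splitext(path)[1].lower()
    if ext not in policy.allowed_extensions:
        return False, f"extension {ext!r} not allowed"
    return True, path
```

Run against the three URLs on the slide, the first two canonicalize to `../../cmd.exe` and are dropped as traversal; the third decodes in one pass to something that is not a traversal at all, but its `.exe` extension is not on the allow-list, so it is dropped anyway. A doubly encoded variant such as `/%252e%252e/cmd.exe` (constructed) needs two passes and is rejected for that reason alone.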
Recall the typical design… OWA example
[Figure: ExFE (Exchange front end), SMTP, ExBE (Exchange back end), AD]
New requirements, new designs
• Move critical servers inside for better protection
• Add ISA Server to your existing DMZ
  • Use these exact words!
• Increase security by publishing web-based applications
  • Few interior FW holes
  • RADIUS (1812, 1813/udp)
  • HTTPS (443/tcp)
[Figure: ExFE, SMTP, ExBE, AD, ISA Server]
Results
• Known good content
• Known good URL
• Known good user
• Dare I say it… trusted access?
Remote desktop mechanisms
• A useful “middle ground”
• If users require more access than is possible through standard web browser and web server
• But full IP VPNs might be too expensive or too complex or provide too much access
• Then consider technologies that display a desktop remotely, probably over HTTPS
SSL VPNs
• Poorly-named glomming on a trend
• Are
  • A “remote desktop in a browser”
  • Accessed via web-based front ends
  • Running proprietary protocols that require some ActiveX or Java add-on
• Aren’t
  • VPNs
  • Appreciably simpler than other remote desktop alternatives
  • Any more secure than IPsec-based VPNs or HTTPS-protected access to published internal web sites
Why not call it what it is?
• It’s just remote desktop or remote display
  • Certainly not a new idea
  • Apparently not as sexy as “SSL VPN”
• Two products can do this for you now
  • Terminal Server: basic remote desktop display
  • Citrix Metaframe: more flexible preconfigured remote desktops and application groupings
[Screenshots: Remote Desktop client; Remote Desktop MMC]
RDP in detail
• Based on T.120 family of protocols
  • Multipoint Communications Service (MCS) (T.122, T.125)
    • Channel assignment, priority levels, data segmentation
  • Generic Conference Control (GCC)
    • Manages channels and session connections, controls resources
  • Extends core T.Share functionality
• Two drivers
  • wdtshare.sys: UI, compression, encryption, framing
  • tdtcp.sys: package RDP onto TCP
• Permits up to 64,000 data transmission channels
• Current version uses one channel for keyboard/mouse activity and display output
RDP in detail
• Operates independent of network and transport protocols
• Bandwidth preservation
  • Compression
  • Caching in RAM and to disk (up to 10 MB for bitmaps)
• Supports Network Load Balancing
[Figure: RDP packet creation. Application data from several apps → RDP stack wrapping/framing → MCS channels → TCP → IP]
Server 2003 enhancements
• Can connect to real console in admin mode
• Group policy control of various options
  • …profile paths…wallpaper…encryption…
• WMI provider for scripted TS configuration
• ADSI provider for access to per-user TS profiles
• TS Manager reduces automatic server enumeration
• Can limit users to a single session
Security enhancements
• Follows standard Windows paradigms better
• Remote Desktop Users (RDU) security group contains IDs of allowed users
  • Most people allow “Everyone”
  • Permits controlling through group policy
  • Can also use Security Policy Editor to grant permissions
• 128-bit RC4 (“high”) now the default
• Software Restriction Policies can limit the programs users are allowed to run
Encryption options
• FIPS compliant: use Federal Information Processing Standards 140-1 and 140-2 algorithms in both directions. If already configured in the system’s policy, you can’t change it here.
• High: 128-bit RC4 in both directions
• Client compatible: use whatever the client can support
• Low: 56-bit encryption from client to server; cleartext from server to client
• Configure with group policy or TS console
Securing Terminal Server
• Typical layered approach
  • Physical security of the server computer
  • Secure configuration of the operating system
  • Secure configuration of Terminal Server
  • Proper security of the network path
• “Locking down Windows Server 2003 Terminal Server sessions”: registry settings for fine-grained control
  • Probably not necessary
Some RDP configuration settings
• End a disconnected session: 3 hours
• Active session limit: 1 day
• Idle session limit: 15 minutes
• Set in TS Configuration | Connections | RDP-Tcp | Properties
TS over the web is cool
• Deployment
  • Rapidly deploy several applications to many users
  • Keep those applications up-to-date
• Bandwidth
  • Lowest bandwidth requirements
  • Ideal for dial-up scenarios
• Access
  • Works on many devices, even some non-Windows
  • Good for older hardware
Terminal Server over the web
[Figure: web browser → IIS with RDWC → Terminal Server]
• Connect to web page http://server/tsweb over HTTP (80/tcp) or HTTPS (443/tcp)
• Download ActiveX control
• Connect to TS over RDP (3389/tcp)
Full IP VPNs

Requirements for remote-access VPN
• User authentication
  • Restrict network access only to authorized users
  • Provide auditing and accounting records
• Address management
  • Assign client computer’s address on private network
  • Provide address separation
• Data encryption
  • Encrypt user’s data over Internet
  • Keep confidential information private
• Key management
  • Generate/refresh encryption keys for client and server
Important terms
• Authentication: proof that all parties in a transaction are who they say they are
• Privacy: only the parties entitled to see the transaction are able to see it
• Integrity: guarantees that information hasn’t been altered or corrupted en route
• Non-repudiation: mutual, binding confirmation that a transaction occurred; the digital analog of a signed contract
• Authorization: ability to determine what privileges a user has after authentication
Authentication
• What you know
  • Static passwords
  • One-time passwords (OTP)
• What you have
  • Requires possession of a physical object
  • Cryptographic calculators
  • Public key smartcards
  • Supported for IPsec, SSL/TLS, EAP
• What you are
  • Authenticates the person
  • Fingerprint analysis
  • Retinal scan
  • Speech pattern recognition
  • Not based on a device or knowledge which can be transferred
  • Supported for EAP
Authorization
• Reasons to care about authorization
  • Untrusted users on internal net (vendors, contractors)
  • Need for different treatment of classes of users
• Machine certificates are not enough
  • Makes authorization difficult
  • Guest has the same privileges as Administrator
• Issue addressed in L2TP+IPsec
  • IPsec machine certificates provide integrity protection and encryption
  • L2TP provides user authentication
  • LDAP/RADIUS provide authorization
Privacy
• What good is it to authenticate and then have data sent in the clear?
• Privacy achieved through encryption
  • Implies need for authentication and key management, protected ciphersuite negotiation
  • L2TP+IPsec provides for tunnel authentication, key management, and protected ciphersuite negotiation
  • EAP-TLS (PPTP) provides key management, mutual authentication and protected ciphersuite negotiation
  • MS-CHAP v2 provides key management, mutual authentication for PPTP; encryption is MPPE
• Physical security does not ensure privacy
  • Are telco WANs really more secure than IP?
Stateful vs. stateless encryption
• Stateful
  • Ability to decrypt a packet depends on previous packet(s)
  • If previous packet(s) were lost, you also lose current packet
  • If packets are sent out of order, can result in loss where there was none
  • Result is poor performance on lossy networks (like the Internet)
• Stateless
  • Ability to decrypt a packet does not depend on previous packet(s)
  • Method of choice for use over the Internet
  • IPsec and MPPE are stateless
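The difference between the two modes on a lossy link, as an added toy simulation (not MPPE or IPsec code, and not part of the original deck). Both modes XOR each packet with a per-packet keystream; in the stateful mode the packet position lives only in the two endpoints’ counters, so a dropped packet leaves the receiver decrypting every later packet with the wrong keystream, while the stateless mode carries the packet number in the header and each packet stands on its own. The HMAC-based keystream and the session key are constructed for the example and are not a real cipher.

```python
import hashlib
import hmac

# Constructed demo key; a real VPN derives it from the authentication exchange.
KEY = b"constructed-session-key"


def keystream(packet_number: int, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 over (packet number, block index). Not a
    real cipher, just deterministic bytes that differ for every packet."""
    out, block = b"", 0
    while len(out) < length:
        msg = packet_number.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(KEY, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class StatefulEndpoint:
    """Stateful mode: the packet number exists only as a counter inside each
    endpoint. The wire format carries no hint of which keystream was used,
    so sender and receiver stay correct only while they see the same packets
    in the same order. XOR makes one method serve both directions."""
    def __init__(self):
        self.counter = 0

    def process(self, data: bytes) -> bytes:
        out = xor(data, keystream(self.counter, len(data)))
        self.counter += 1
        return out


def stateless_encrypt(packet_number: int, plaintext: bytes):
    """Stateless mode: the packet number travels in the header."""
    return packet_number, xor(plaintext, keystream(packet_number, len(plaintext)))


def stateless_decrypt(packet_number: int, ciphertext: bytes) -> bytes:
    return xor(ciphertext, keystream(packet_number, len(ciphertext)))


def simulate(plaintexts, drop: int):
    """Encrypt each plaintext both ways, lose packet `drop` on the wire, and
    decrypt what arrives. Returns, per delivered packet, whether the receiver
    recovered the original bytes."""
    stateful_tx, stateful_rx = StatefulEndpoint(), StatefulEndpoint()
    stateful_wire = [stateful_tx.process(p) for p in plaintexts]
    stateless_wire = [stateless_encrypt(i, p) for i, p in enumerate(plaintexts)]
    delivered = [i for i in range(len(plaintexts)) if i != drop]
    stateful_ok = [stateful_rx.process(stateful_wire[i]) == plaintexts[i] for i in delivered]
    stateless_ok = [stateless_decrypt(*stateless_wire[i]) == plaintexts[i] for i in delivered]
    return {"stateful": stateful_ok, "stateless": stateless_ok}
```

Dropping the second of four packets leaves the stateful receiver unable to recover anything after the loss, whereas the stateless receiver loses exactly the one packet that was dropped. Reordering would produce the same effect for the stateful case, which is the slide’s “loss where there was none”.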
Integrity protection
• What good is it to authenticate and then have your connection hijacked?
• Want mutual authentication to ensure against rogue servers
• Need per-packet integrity protection
  • L2TP+IPsec provides for integrity protection on all data and control packets
  • PPTP v2 (with MS-CHAP v2) offers per-packet integrity protection
Your choice of protocols
• PPTP
  • Authenticates human
  • Assigns IP address to remote computer
  • Encrypts session with MPPE (128-bit RC4)
  • Requires good passwords to be secure
    • MS-CHAPv2 ciphers based on password
  • Works over NAT
• L2TP+IPsec
  • L2TP
    • Authenticates human
    • Assigns IP address to remote computer
  • IPsec ESP transport mode
    • Mutually authenticates computer and server with digital certificates or preshared keys
    • Encrypts session with 3DES
  • Works over NAT finally
L2TP+IPsec packet format
[Figure: encapsulation built up in stages]
App data
IP | np | App data
UDP | L2TP | PPP | IP | np | App data
IP | IPsec | UDP | L2TP | PPP | IP | np | App data | IPsec
L2TP+IPsec client automatically generates IPsec security rule
• Outbound filter
  • Source IP = My IP address (Internet)
  • Dest IP = Gateway IP
  • Protocol = UDP
  • Source port 1701, dest port any
• Inbound filter
  • Source IP = Gateway IP
  • Dest IP = My IP address (Internet)
  • Protocol = UDP
  • Source port any, dest port 1701
• Windows L2TP always uses UDP source port 1701, dest port 1701
• Allows gateway to float response port (per L2TP RFC 2661)
• IPsec IKE negotiation is for dest port = any, so that filter mirror for inbound port = any
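The filter pair above, as an added Python example that is not part of the original deck and not Windows IPsec policy code: the outbound filter is written once and the inbound filter is its mirror, which is what makes the gateway’s port a wildcard on the way back. Matching a few constructed packets against the pair shows that a gateway which floats its response port is still covered, while TCP, a different destination port, or a different peer falls outside the rule. The addresses are constructed.

```python
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard value for a filter field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Filter:
    src_ip: Optional[str]
    dst_ip: Optional[str]
    proto: Optional[str]
    src_port: Optional[int]
    dst_port: Optional[int]

    def matches(self, pkt: Packet) -> bool:
        """Every non-wildcard field must equal the packet's field."""
        for name in ("src_ip", "dst_ip", "proto", "src_port", "dst_port"):
            want = getattr(self, name)
            if want is not ANY and want != getattr(pkt, name):
                return False
        return True

    def mirror(self) -> "Filter":
        """Swap the endpoints to build the inbound filter. The client's fixed
        port 1701 becomes the destination; the gateway side stays 'any'."""
        return Filter(self.dst_ip, self.src_ip, self.proto, self.dst_port, self.src_port)


# Constructed addresses for the example.
MY_IP = "203.0.113.10"
GATEWAY_IP = "198.51.100.1"

OUTBOUND = Filter(MY_IP, GATEWAY_IP, "udp", 1701, ANY)
INBOUND = OUTBOUND.mirror()   # Filter(GATEWAY_IP, MY_IP, "udp", ANY, 1701)


def classify(pkt: Packet) -> str:
    """Say which side of the L2TP rule, if any, a packet falls under."""
    if OUTBOUND.matches(pkt):
        return "outbound: protect with IPsec"
    if INBOUND.matches(pkt):
        return "inbound: must arrive inside IPsec"
    return "not covered by L2TP rule"
```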
L2TP+IPsec connection is protected
[Figure: IPsec IKE negotiation with machine cert authN → establish IPsec SAs for L2TP port 1701/udp → L2TP tunnel setup and management inside IPsec → user authN → RADIUS → AD DC policy enforcement]
• No traffic gets in until:
  • IPsec SAs are established: strong security based on mutual certificate trust
  • User authenticated in L2TP, all protected by IPsec. PPP could use CHAP, MS-CHAP (userid/password), EAP (smartcard or token card); RADIUS client in gateway permits single sign-on for Active Directory user accounts
  • User access control policy OK: RRAS server, IAS, and AD
Where do you put the RRAS server?
• How about on the firewall?
How RRAS+ISA secures client connections
• Broad protocol support
  • PPTP and L2TP/IPsec
  • IPsec NAT traversal (NAT-T) for connectivity across any network
• Authentication
  • Active Directory uses existing Windows accounts, supports PKI for two-factor authentication
  • RADIUS uses non-Windows accounts databases with standards-based integration
  • SecurID provides strong, two-factor authentication using tokens and RSA authentication servers
• All inbound and outbound traffic is inspected by ISA Server’s protocol filters
How RRAS+ISA controls network access
• Multi-network support
  • Control which portions of your network are accessible from remote locations
• Application layer firewall
  • Inspects all traffic to and from remote clients
  • Ensures conformance to protocol specifications
• Network quarantine
  • Perform security checks on client before it’s allowed access to the internal network
  • Provide mechanism for out-of-date clients to update themselves
Network access quarantine
• Client script checks whether client meets corporate security policies
  • Personal firewall enabled?
  • Latest virus definitions used?
  • Required patches installed?
  • Routing table updates disabled?
  • Password-protected screen saver enabled?
• If checks succeed, client gets full access
• If checks fail, client gets disconnected after timeout period
VPN quarantine process (1)
[Figure: Internet, quarantine resources, internal network]
• Client computer connects
• RRAS+ISA assigns client to quarantined VPN clients network, allowing access to limited resources
• Script on client computer checks configuration settings
• Script sends “success” notification to RRAS+ISA
• RRAS+ISA assigns client to VPN clients network, providing access to internal network
VPN quarantine process (2)
[Figure: Internet, quarantine resources, internal network]
• Client computer connects
• RRAS+ISA assigns client to quarantined VPN clients network, allowing access to limited resources
• Script on client computer checks configuration settings
• Script does not send “success” notification to RRAS+ISA
• Client can update from quarantine resources
• RRAS+ISA will disconnect client after timeout expires
Quarantine architecture
[Figure: RAS client → RRAS+ISA → IAS Server, with the quarantine network and the Internet]
• CM profile (RAS client)
  • Runs customizable post-connect script
  • Script runs RQC notifier with “results string”
• Listener (RRAS+ISA)
  • RQS receives notifier “results string”
  • Compares results to possible results
  • Removes time-out if response received but client out of date
  • Removes quarantine filter if client up to date
• Quarantine VSAs (IAS Server)
  • Timer limits time window to receive notify before auto disconnect
  • Q-filter sets temporary route filter to quarantine access
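The quarantine flow of the last four slides (the client checks, the two process outcomes, and the listener/timer roles) as one added Python simulation; this is not RQC/RQS code and not part of the original deck. The client side builds a results string from the five checks the slides list; the listener compares it with the expected string and either removes the quarantine filter, or stops the timer so an out-of-date client can update, while a client that never reports is disconnected when the timer expires. The expected values, the results-string format and the timeout are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed policy: the results a compliant client's script reports, one
# entry per check on the slide. Real RQS compares against administrator-
# configured strings; these particular values are made up for the example.
REQUIRED = {
    "fw": "on",            # personal firewall enabled
    "av": "20051219",      # virus definition version in use
    "patches": "ok",       # required patches installed
    "routing": "off",      # routing table updates disabled
    "saver": "on",         # password-protected screen saver enabled
}
QUARANTINE_TIMEOUT = 120   # seconds allowed by the timer VSA (assumed value)


def results_string(client_state: dict) -> str:
    """What the post-connect script hands to the RQC notifier: one key=value
    pair per check, in a fixed order so comparison is a plain string match."""
    return ";".join(f"{key}={client_state.get(key, 'missing')}" for key in REQUIRED)


def expected_results() -> str:
    return results_string(REQUIRED)


@dataclass
class Session:
    connected_at: float
    quarantined: bool = True    # Q-filter in place
    timer_armed: bool = True    # timer VSA counting down
    state: str = "quarantined"


def on_notify(session: Session, results: str) -> str:
    """RQS listener: compare the reported string with the expected one."""
    if results == expected_results():
        session.quarantined = False      # remove the quarantine filter
        session.timer_armed = False
        session.state = "released"
    else:
        session.timer_armed = False      # answered but out of date: stop the
        session.state = "out_of_date"    # clock so the client can update
    return session.state


def tick(session: Session, now: float) -> str:
    """Timer VSA: disconnect a quarantined client that never reported in time."""
    if (session.quarantined and session.timer_armed
            and now - session.connected_at >= QUARANTINE_TIMEOUT):
        session.state = "disconnected"
    return session.state


def run(client_state: dict, notifies: bool, report_at: float, check_at: float) -> str:
    """Drive one connection through the flow and return its final state.
    The client connects at t=0, reports (if it does) at report_at, and the
    state is read at check_at."""
    session = Session(connected_at=0.0)
    if notifies:
        tick(session, report_at)
        if session.state != "disconnected":
            on_notify(session, results_string(client_state))
    return tick(session, check_at)
```

The "out_of_date" outcome is the slide’s second process: the client stays behind the quarantine filter, reachable only from the quarantine resources it needs for updating, but the timer no longer counts against it.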
So what to do now?

Resources
• Everything about VPN and RRAS: http://www.microsoft.com/vpn
• ISA Server info and deployment guides: http://www.microsoft.com/isaserver
• Terminal Server: http://www.microsoft.com/terminalserver
• Now available! Order online: http://www.awprofessional.com/title/0321336437 (use promo code JJSR6437)
© 2005 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
Thanks to Steve Riley ([email protected]) who wrote this presentation
How Microsoft does VPN

Current state of RAS at Microsoft
• Two-factor authentication for VPN
• Client placed in quarantine upon connecting
  • Security checks performed while in quarantine
  • Additional usability and security checks run outside of quarantine as part of the connection
• Three types of connection options:
  • Direct dial
  • Microsoft-contracted 3rd-party ISP
  • VPN over the Internet (this is >85% of use)
• All connections end with a VPN session
RAS service: quick facts
• User base: ~55,000 Microsoft employees and ~25,000 contract employees worldwide
• Average of 45,000 unique RAS users per month worldwide
• Remote access devices globally
  • 95 VPN servers, 17 RADIUS servers
  • 18 standalone Cisco dial devices, 51 dial modules on shared Cisco network device
• Typical weekly RAS connections: ~193,233
  • Total direct dial: 11,268
  • Total VPN: 173,532
  • Total RAS over Internet: 10,759
  • Average connection duration (min.): 134
Special implications of VPN
Most use of VPN comes from unsecured networks
Verifying the identity of VPN users requires a higher bar
The higher bandwidth enabled by broadband also increases the effectiveness of brute-force attacks
Servicing the security needs of a remotely located client brings additional challenges
The RAS security threats
Malicious users
Unpatched vulnerabilities and weak configurations expose valid network credentials
Home users’ machines are frequently attacked
Remote network access secured only by passwords
Unauthorized activity with valid credentials is difficult to detect and prevent
Malicious software
Unmanaged and infected remote devices put corporate resources at risk
Viruses, trojans, worms
Always-on broadband Internet access heightens exposure
Addressing the security threats
threat        Malicious users             Malicious software
requirement   Two-factor authentication   Enforce remote system security configuration
solution      Smartcards for RAS logon    Connection Manager and RAS Quarantine
Strengthening identity with smartcards
Smart card chip added to existing building access cards
Remote access policy (RAP) deployed on VPN/RADIUS infrastructure
Uses existing self-hosted PKI for digital certificate management
Centralized card management team formed to manage card creation, distribution, and support
Securing the RAS client
Infrastructure components
Windows 2003 RRAS server (~400-600 ports configured per server)
RQS on RRAS server
Internet Authentication Services (IAS)
Responsible for authentication and policy setting
Can apply different policies based on back end rules (this is how exceptions are granted)
Connection Manager Administration Kit (CMAK)
ISA Server 2004
Client side components
Custom connection created with CMAK
Security scanning scripts—”Secure Remote User” (SRU)
Why ISA Server 2004?
Packet size limitation with RADIUS that limits the size of the filter list
Microsoft needs more servers in the quarantine network than the limit allows for:
DCs
SRU Servers
DNS
Management of filter lists is easier with ISA Server 2004 than using IAS filters
Connection Manager
Provides mechanism to manage phone book entries for service
Enables entry points for actions executed during connection experience
Pre-initialize
Pre-connect
Post-connect
Pre-tunnel
Post-tunnel
SRU runs in various places during the connection
Secure Remote User (SRU)
Designed and developed by Microsoft IT Enterprise Application Services (EAS)
Performs critical security checks
Windows Firewall on
Internet Connection Sharing off
Patch management
Anti-virus using Computer Associates eTrust
Operating system version compliance
Very flexible, self updating and gathers metrics from the user’s perspective
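The two slides above describe the Connection Manager entry points and the checks SRU performs at them. The following Python is an added example, not Microsoft's SRU or Connection Manager code: it models each listed check (Windows Firewall on, Internet Connection Sharing off, patch level, anti-virus, OS version) as a policy evaluation over a client posture report, tags each with the entry point it would fire at, and derives the quarantine outcome. Field names, thresholds and the stage assignments are assumptions, and the posture reports at the bottom are constructed samples.

```python
"""Posture checks and a quarantine decision for a remote-access client.

Added example: this is not Microsoft's SRU or Connection Manager code. It
models the checks the presentation lists, tags each with a Connection
Manager entry point, and derives the quarantine outcome. Field names,
thresholds and stage assignments are assumptions; the posture reports at
the bottom are constructed samples.
"""
from dataclasses import dataclass
from enum import Enum


class Stage(Enum):
    """Connection Manager entry points named on the slide."""
    PRE_INIT = "pre-initialize"
    PRE_CONNECT = "pre-connect"
    POST_CONNECT = "post-connect"
    PRE_TUNNEL = "pre-tunnel"
    POST_TUNNEL = "post-tunnel"


class Verdict(Enum):
    RELEASE = "release from quarantine"
    QUARANTINE = "hold in quarantine for remediation"


@dataclass
class CheckResult:
    name: str
    stage: Stage
    passed: bool
    remediation: str


# Constructed policy baseline (assumed values, not Microsoft's thresholds).
REQUIRED_PATCH_LEVEL = 20050601      # YYYYMMDD of the oldest acceptable patch baseline
MIN_OS_VERSION = (5, 1, 2)           # (major, minor, service pack): Windows XP SP2
MAX_AV_SIGNATURE_AGE_DAYS = 7


def evaluate_posture(report: dict) -> list:
    """Run every check against a client posture report.

    Missing or malformed fields fail closed: a client that cannot prove a
    setting is treated as non-compliant rather than being waved through.
    """
    patch_level = report.get("patch_level")
    av_age = report.get("av_signature_age_days")
    os_version = report.get("os_version")
    return [
        CheckResult("Operating system version compliant", Stage.PRE_CONNECT,
                    isinstance(os_version, tuple) and os_version >= MIN_OS_VERSION,
                    "Upgrade to a supported OS version before using RAS."),
        CheckResult("Windows Firewall on", Stage.PRE_TUNNEL,
                    report.get("firewall_enabled") is True,
                    "Enable Windows Firewall."),
        CheckResult("Internet Connection Sharing off", Stage.PRE_TUNNEL,
                    report.get("ics_enabled") is False,
                    "Disable Internet Connection Sharing on the remote machine."),
        CheckResult("Patch level current", Stage.POST_TUNNEL,
                    isinstance(patch_level, int) and patch_level >= REQUIRED_PATCH_LEVEL,
                    "Install the current patch baseline from the update server."),
        CheckResult("Anti-virus running with fresh signatures", Stage.POST_TUNNEL,
                    report.get("av_running") is True
                    and isinstance(av_age, int) and av_age <= MAX_AV_SIGNATURE_AGE_DAYS,
                    "Start the anti-virus service and update signatures."),
    ]


def checks_at_stage(results, stage):
    """Checks that fire at a given Connection Manager entry point."""
    return [r for r in results if r.stage is stage]


def quarantine_decision(results):
    """Return (verdict, remediation steps); any failure keeps the client quarantined."""
    failed = [r for r in results if not r.passed]
    if not failed:
        return Verdict.RELEASE, []
    return Verdict.QUARANTINE, [f"{r.name}: {r.remediation}" for r in failed]


# Constructed sample reports (not captured from a real client).
COMPLIANT_REPORT = {
    "firewall_enabled": True, "ics_enabled": False, "patch_level": 20050715,
    "av_running": True, "av_signature_age_days": 2, "os_version": (5, 1, 2),
}
NONCOMPLIANT_REPORT = {
    "firewall_enabled": False, "ics_enabled": False, "patch_level": 20050715,
    "av_running": True, "av_signature_age_days": 30, "os_version": (5, 1, 2),
}

if __name__ == "__main__":
    for label, report in (("compliant", COMPLIANT_REPORT),
                          ("non-compliant", NONCOMPLIANT_REPORT)):
        verdict, steps = quarantine_decision(evaluate_posture(report))
        print(f"{label}: {verdict.value}")
        for step in steps:
            print("  -", step)
```

The failed checks are returned as remediation text rather than a bare verdict, matching the slide's point that a failed security check gives the user an opportunity to remediate; an empty or malformed report fails every check, so an unknown client state never releases it from quarantine.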
RAS Infrastructure (diagram; image not preserved). Components shown: remote client with modem and smart card; Analog / ISDN dial connection, direct and through ISP; direct dial Cisco router; telephone service; VPN tunnel over broadband, ISP or dial-up connection using EAP-TLS; Internet; ISP; Routing and Remote Access VPN server; IAS / RADIUS server and IAS proxy server (RADIUS authorization); domain controller; SQL Server central database store; Active Directory, user groups, global catalog; corporate network resources; regional IAS / RADIUS servers (user session data transfers); custom automated reporting. Authentication methods labelled: MS-CHAP v2 authentication, CHAP authentication, EAP-TLS security authentication (smart card), Lightweight Directory Access Protocol (LDAP) authorization, Secure Remote Procedure Call (RPC) domain authentication, Microsoft user account authentication. Legend: data transfer path, authentication transfer path, physical dial connections.
The user experience
Average connect experience worldwide is under two minutes
Failed security check results in opportunity to remediate
Microsoft IT design decision
Incorrect smartcard PIN results in quick notification
Since PIN unlocks card, decision is made locally
Five incorrect PIN entries will lock the smartcard; takes a help desk call to unlock
Lessons we learned
Manage change—minimize overlaps
Deploy smartcards first
Then Connection Manager and security scanning second
Provide internal and external sites where users can obtain security tools
Consider analog dial-up users when designing security scripts
Communicate and set user expectations clearly
The solution is only as good as the components
Monitor and measure each required element
Don’t wait until using RAS to bring machine into compliance—encourage proactive security practices