Securing Network – Wireless – and Connected Infrastructures
Fred Baumhardt, Infrastructure Solutions Consulting, Microsoft Security Solutions, Feb 4th, 2003
Agenda
• Defining the Datacenter Network Security Problem
• Penetration Techniques and Tools
• Network Defence-in-Depth Strategy
• Perimeter and Network Defences
• Operating System and Services Defences
• Application Defences
• Data Defences
The Datacenter Problem We All Face
[Diagram: Some Core Systems, Extranets, Internet Systems, Project 1…n System, Branch Offices, Departments]
• Systems organically grown under “Project” context
• No clear best practice from vendors
• Security often bolted on as an afterthought
• Fear of change – Time to Market
The Big Picture of Security
• OS hardening is only one component of a security strategy, AND firewalls are not a panacea
• Entering the bank branch doesn’t get you into the vault
• Security relies on multiple things:
  • People and skills
  • Process and incident management
  • Internal technologies, e.g. OS, management tools, switches, IDS, ISA
  • Edge technologies: firewalls, ISA, IDS
Threat Modelling
• Internal users are usually far more dangerous: normal employees have tools, experience, and know your systems – after all, they use them
• Customers usually take few internal protection precautions, preferring to focus on external firewalls and DMZ scenarios for security
• Data is now being hacked – not just systems
The First Phase of Hacking
• Information Gathering and Intelligence
• Port Scanning – Banner Grabbing – TCP/IP Packet Profiling – TTL Packet Manipulating
• Researching network structure – newsgroup posts, outbound emails; these all hold clues to network design.
The Second Phase of Hacking
• Analysis of Collected Information
• Process relevant bits of data about the target network
• Formulate an attack plan
• For example: an attacker won’t use Sun-specific attacks on W2K boxes, and won’t use NT attacks on .NET, etc.
• Hacker forums, websites, exploit catalogues
The Third Phase of Hacking
• The Compromise
• OS-specific attacks
• Denial of Service attacks
• Application attacks
• Buffer overflows
• URL string attacks
• Injection
• Cross-site scripting attacks
• Compromised system jumps into another
Networking and Security
• The network component is the single most important aspect of security
• Wireless is based on radio transmission and reception – not bounded by wires
• Some sort of encryption is thus required to protect an open medium
• Ethernet is also just about as insecure
Network Problems (contd.)
• Use encryption and authentication to control access to the network
• WEP – Wired Equivalent Privacy
• 802.1X – using public key cryptography
• Mutually authenticating client and network
Securing a Wireless Connection
• Three major strategies:
• WEP – basic, low-security, simple solution
• VPN – use an encrypted tunnel, assuming the network is untrusted
• 802.1X family – use PKI to encrypt seamlessly from client to access point
  • Usually complex to implement, but then seamless to the user
  • Substantial investment in PKI
  • Also vendor-specific variants like LEAP
What about the wired network?
• This is where the hackers kill you
• Currently a “total trust” model
• You can ping the HR database, or the chairman’s PC, or the accounting system in Tokyo
• We assume anyone who can get in to our internal network is trusted – and well intentioned
• Ethernet and TCP/IP are fundamentally insecure
VPN
[Diagram: Host A on a Client or Corporate Net, Router C, an IP Tunnel across the Internet, Router D, Host B on the Corporate Net in Reading]
• Extend the “internal” network space to clients on the Internet
• Extends the security perimeter to the client
• Main systems are PPTP and L2TP/IPsec
How the Architecture Can Prevent Attack
[Diagram of the layered design; each zone sits on NIC teams / 2 switches and is split into multiple VLANs:
• Border (Internet side): redundant routers, redundant firewalls, intrusion detection, link to the remote data center
• Perimeter: client and site VPN, DNS & SMTP, proxy, Infrastructure Network – Perimeter Active Directory, redundant internal firewalls
• Internal: Messaging Network – Exchange; Data Network – SQL Server Clusters; Infrastructure Network – Internal Active Directory; Client Network; RADIUS Network; Intranet Network – Web Servers; Management Network – MOM, deployment]
How do I do it?
• A flat DMZ design to push intelligent inspection outwards
• ISA layer 7 filtration – RPC – SMTP – HTTP
• Switches that act like firewalls
• IPsec where required between servers
• Group Policy to manage security
• 802.1X or VPN into ISA servers, treating wireless as hostile
• Internal IDS installed
[Diagram: Internet → Stateful Packet Filtering Firewall → Application Filtering Firewall (ISA Server) → Exchange Server, carrying TCP 443 (HTTPS) or TCP 80 (HTTP); Wireless]
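The "layer 7 filtration" bullet is why the ISA Server sits behind the stateful packet-filtering firewall in the diagram: the packet filter can only see ports, while an application filter reads the HTTP request itself. The following added example (not from the slides and not ISA Server code) contrasts what each layer can decide about the same request; the published host, path prefixes and URL length limit are constructed assumptions.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed policy for a published Exchange web front end (assumptions, not ISA config).
ALLOWED_PORTS = {80, 443}
ALLOWED_METHODS = {"GET", "POST"}
PUBLISHED_HOSTS = {"mail.example.com"}
PUBLISHED_PATHS = ("/exchange", "/owa")
MAX_URL_LEN = 260

def packet_filter(dst_port: int) -> bool:
    """Stateful packet filter: only ports are visible, so any request on 80/443 passes."""
    return dst_port in ALLOWED_PORTS

def app_filter(raw_request: bytes) -> tuple[bool, str]:
    """Layer-7 filter: parse the request line and Host header, then enforce the policy."""
    head = raw_request.partition(b"\r\n\r\n")[0]
    try:
        lines = head.decode("ascii").split("\r\n")
        method, target, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return False, "malformed request line"
    if not version.startswith("HTTP/1."):
        return False, "unsupported version"
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not allowed"
    if len(target) > MAX_URL_LEN:  # blunt guard against oversized URL strings
        return False, "URL too long"
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "").split(":")[0].lower()
    if host not in PUBLISHED_HOSTS:
        return False, f"host {host!r} not published"
    # Decode, then normalise, so an encoded "../" cannot step outside a published tree.
    path = posixpath.normpath(unquote(urlsplit(target).path))
    if not any(path == p or path.startswith(p + "/") for p in PUBLISHED_PATHS):
        return False, f"path {path} not published"
    return True, "ok"

def verdicts(dst_port: int, raw_request: bytes) -> tuple[bool, bool]:
    """What each layer decides for the same connection: (packet filter, app filter)."""
    return packet_filter(dst_port), app_filter(raw_request)[0]
```

A request to an unpublished internal host on TCP 443 is accepted by the packet filter and rejected by the application filter, which is the whole point of pushing inspection outwards.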
Call To Action
• Take action – your network transport is insecure
• Read and use the security operations guides for each technology you use
• Mail me with questions – fredbaum@microsoft.com
• If I didn’t want to talk to you I would put a fake address
• Use the free MS tools to establish a baseline and stay on it
• Attack yourself – you will learn
Wherever you go – go securely!