520 likes | 686 Views
Network Security and ISA Server. Paul Hogan Ward Solutions. Session Prerequisites. Hands-on experience with Windows 2000 or Windows Server 2003 Working knowledge of networking, including basics of security Basic knowledge of network security-assessment strategies. Level 300. Agenda.
E N D
Network Security and ISA Server Paul Hogan Ward Solutions
Session Prerequisites • Hands-on experience with Windows 2000 or Windows Server 2003 • Working knowledge of networking, including basics of security • Basic knowledge of network security-assessment strategies Level 300
Agenda 10:00 11:00 Network Security 11:00 11:15 Break 11:30 12:00 Securing SQL Server 12:00 1:00 Lunch 1:00 2:00 Securing Exchange 2:30 2:15 Break 2:15 3:15 Lab Sessions 3:15 Q&A
This sessions are about… • …about operational security • The easy way is not always the secure way • Networks are usually designed in particular ways • In many cases, these practices simplify attacks • In some cases these practices enable attacks • In order to avoid these practices it helps to understand how an attacker can use them
This sessions are NOT … • a hacking tutorial • Hacking networks you own can be enlightening • HACKING NETWORKS YOU DO NOT OWN IS ILLEGAL • …demonstrating vulnerabilities in Windows • Everything we show stems from operational security or custom applications • Knowing how Windows operates is critical to avoiding problems • …for the faint of heart
Strong passwords, ACLs, backup and restore strategy Policies, procedures, and awareness Physical security Data Application Application hardening OS hardening, authentication, security update management, antivirus updates, auditing Host Internal network Network segments, NIDS Firewalls, boarder routers, VPNs with quarantine procedures Perimeter Guards, locks, tracking devices Security policies, procedures, and education Understanding Defense-in-Depth Using a layered approach: • Increases an attacker’s risk of detection • Reduces an attacker’s chance of success
Why Does Network Security Fail? Network security fails in several common areas, including: • Human awareness • Policy factors • Hardware or software misconfigurations • Poor assumptions • Ignorance • Failure to stay up-to-date
What we will cover: • How to Implement Perimeter defenses • How ISA Server protects networks • Using Windows Firewalls to Protect Clients • How to Protect Wireless Networks
Purpose and Limitations of Perimeter Defenses • Properly configured firewalls and border routers are the cornerstone for perimeter security • The Internet and mobility increase security risks • VPNs have exposed a destructive, pernicious entry point for viruses and worms in many organizations • Traditional packet-filtering firewalls only block network ports and computer addresses • Most modern attacks occur at the application layer
Purpose and Limitations of Intrusion Detection • Detects the pattern of common attacks and records suspicious traffic in event logs and/or alerts administrators • Integrates with other firewall features to prevent common attacks • Threats and vulnerabilities are constantly evolving, which leaves systems vulnerable until a new attack is known and a new signature is created and distributed
Implementing Network-Based Intrusion-Detection Systems Network-based intrusion-detection system Provides rapid detection and reporting of external malware attacks Important points to note: • Network-based intrusion-detection systems are only as good as the process that is followed once an intrusion is detected • ISA Server 2004 provides network-based intrusion-detection abilities
Business Partner Main Office LAN LAN Internet Network perimeters include connections to: • The Internet • Branch offices • Business partners • Remote users • Wireless networks • Internet applications Remote User Wireless Network LAN Perimeter Connections Branch Office
Internet Screened Subnet Firewall LAN Firewall Design: Three Homed
Internet DMZ External Firewall Internal Firewall LAN Firewall Design: Back-to-Back
Internet Types of Firewalls • Packet Filtering • Stateful Inspection • Application-Layer Inspection Multi-layer inspection (including application-layer filtering)
Agenda • Introduction/Defense in Depth • Using Perimeter Defenses • Using ISA Server to Protect Perimeters • Using Windows Firewall to Protect Clients • Protecting Wireless Networks • Protecting Networks by Using IPSec
Protecting Perimeters • ISA Server has full screening capabilities: • Packet filtering • Stateful inspection • Application-level inspection • ISA Server blocks all network traffic unless you allow it • ISA Server is ICSA and Common Criteria certified
Protecting Web Servers • Web Publishing Rules • Protect Web servers behind the firewall from external attacks by inspecting HTTP traffic and ensuring it is properly formatted and complies with standards. • Inspection of SSL traffic • Inspects incoming encrypted Web requests for proper formatting and standards compliance. • Will optionally re-encrypt the traffic before sending them to your Web server
URLScan • ISA Server Feature Pack 1 includes URLScan 2.5 for ISA Server • Allows URLScan ISAPI filter to be applied at the network perimeter • General blocking for all Web servers behind the firewall • Perimeter blocking for known and newly discovered attacks Web Server 1 Web Server 2 ISA Server Web Server 3
Demonstration 1Application-Layer Inspection in ISA ServerURL ScanWeb PublishingMessage Screener
Traffic that Bypasses Firewall Inspection • SSL tunnels through traditional firewalls because it is encrypted, which allows viruses and worms to pass through undetected and infect internal servers. • VPN traffic is encrypted and can’t be inspected • Instant Messenger (IM) traffic often is not inspected and may be used to transfer files in addition to be used for messaging.
Inspecting All Traffic • Use intrusion detection and other mechanisms to inspect VPN traffic after it has been decrypted • Remember: Defense in Depth • Use a firewall that can inspect SSL traffic • Expand inspection capabilities of your firewall • Use firewall add-ons to inspect IM traffic
Client Internet Internal Server ISA Server with Feature Pack 1 SSL Inspection • SSL tunnels through traditional firewalls because it is encrypted, which allows viruses and worms to pass through undetected and infect internal servers. • ISA Server pre-authenticates users, eliminating multiple dialog boxes and allowing only valid traffic through. • ISA Server can decrypt and inspect SSL traffic. Inspected traffic can be sent to the internal server re-encrypted or in the clear.
ISA Server Hardening • Secure your Server Wizard • Review Bastion Host information in Security Guides • Disable unnecessary services • Harden the Network Stack • Disable unnecessary network protocols on the external network interface: • File and print sharing • Client for Microsoft Networks • NetBIOS over TCP/IP
Best Practices • Use access rules that only allow requests that are specifically allowed • Use ISA server’s authentication capabilities to restrict and log Internet access • Configure Web publishing rules only for specific URLs • Use SSL Inspection to inspect encrypted data that is entering your network
Demonstration 3Internet Connection Firewall (ICF)Configuring ICF ManuallyTesting ICFReviewing ICF Log FilesConfiguring Group Policy Settings
Agenda • Introduction/Defense in Depth • Using Perimeter Defenses • Using ISA Server to Protect Perimeters • Using Windows Firewall to Protect Clients • Protecting Wireless Networks • Protecting Networks by Using IPSec
New Security Features in Windows Firewall On by default On with no exceptions ü ü Windows Firewall exceptions list Boot-time security ü ü Global configuration and restore defaults Multiple profiles ü ü RPC support ü Local subnet restrictions ü Unattended setup support ü Command-line support ü
Agenda • Introduction/Defense in Depth • Using Perimeter Defenses • Using ISA Server to Protect Perimeters • Using Windows Firewall to Protect Clients • Protecting Wireless Networks • Protecting Networks by Using IPSec
Wireless Security Issues • Limitations of Wired Equivalent Privacy (WEP) • WEP is inherently weak to due poor key exchange. • WEP keys are not dynamically changed and therefore vulnerable to attack. • No method for provisioning WEP keys to clients. • Limitations of MAC Address Filtering • Scalability - Must be administered and propagated to all APs. List may have a size limit. • No way to associate a MAC to a username. • User could neglect to report a lost card. • Attacker could spoof an allowed MAC address.
Possible Solutions • VPN Connectivity • PPTP • L2TP • Third Party • IPSec • Many vendors • Password-based Layer 2 Authentication • Cisco LEAP • RSA/Secure ID • IEEE 802.1x PEAP/MSCHAP v2 • Certificate-based Layer 2 Authentication • IEEE 802.1x EAP/TLS
802.1X • Defines port-based access control mechanism • Works on anything, wired and wireless • Access point must support 802.1X • No special encryption key requirements • Allows choice of authentication methods using EAP • Chosen by peers at authentication time • Access point doesn’t care about EAP methods • Manages keys automatically • No need to preprogram wireless encryption keys
802.1X using EAP/TLS or MSCHAPv2 802.11/.1XAccess Point RADIUS (IAS) Server Certificate Domain User/Machine Certificate 3, 5, 7 1, 2, 6 EAP Connection 4 Certification Authority Laptop Domain Controller DHCP Exchange File Server
Wi-Fi Protected Access (WPA) • A specification of standards-based, interoperable security enhancements that strongly increase the level of data protection and access control for existing and future wireless LAN systems • Goals • Enhanced Data Encryption • Provide user authentication • Be forward compatible with 802.11i • Provide non-RADIUS solution for Small/Home offices (WPA-PSK) • Products shipping
Best Practices • Use 802.1x authentication • Organize wireless users and computers into groups • Apply wireless access policies using Group Policy • Use EAP/TLS and 128 bit WEP • Set clients to force user authentication as well as machine authentication • Develop a method to manage rogue APs such as LAN based 802.1x authentication and wireless sniffers.
What Firewalls Do NOT Protect Against • Malicious traffic that is passed on open ports and not inspected by the firewall • Any traffic that passes through an encrypted tunnel or session • Attacks after a network has been penetrated • Traffic that appears legitimate • Users and administrators who intentionally or accidentally install viruses • Administrators who use weak passwords
Understanding Application and Database Attacks Common application and database attacks include: Buffer overruns: • Write applications in managed code SQL injection attacks: • Validate input for correct size and type
Attacks: Buffer Overflow • Aka the “Boundary Condition Error”: Stuff more data into a buffer than it can handle. The resulting overflowed data “falls” into a precise location and is executed by the system • Local overflows are executed while logged into the target system • Remote overflows are executed by processes running on the target that the attacker “connects” to • Result: Commands are executed at the privilege level of the overflowed program
Attacks: Input validation • An process does not “strip” input before processing it, ie special shell characters such as semicolon and pipe symbols • An attacker provides data in unexpected fields, ie SQL database parameters
Implementing Application Layer Filtering Application layer filtering includes the following: • Web browsing and e-mail can be scanned to ensure that content specific to each does not contain illegitimate data • Deep content analyses, including the ability to detect, inspect, and validate traffic using any port and protocol
Session Summary • Introduction/Defense in Depth • Using Perimeter Defenses • Using ISA Server to Protect Perimeters • Using ICF to Protect Clients • Protecting Wireless Networks