Application and Remote Access Security in Higher Education
Tom Bartlett, CISSP
Security Solutions Specialist, Microsoft Corporation
tbart@microsoft.com
Higher Education Challenges
• Internal risks pose as much or more of a threat than the Internet
• Unmanageable student machines
• Decentralized management of internal resources
• Difficulty limiting access to resources due to research and educational usage requirements
Firewalls in Higher Education
• Access Control lists and traditional firewalls
• No single entry point to secure
• Internal security zones needed to protect specific groups of users, segments, applications or services
• Need to allow relatively open access, but want to protect against known vulnerabilities and exploits
• Security often being offered as a ‘service’, not a requirement
A Traditional Firewall’s View Of A Packet – unable to protect Applications
[Diagram: IP Header (Source Address, Dest. Address, TTL, Checksum) → TCP Header (Sequence Number, Source Port, Destination Port, Checksum) → Application Layer Content shown as “????????????” (opaque to the firewall). Traffic from the Internet to the Web Servers: expected HTTP port 80 traffic, unexpected HTTP port 80 traffic, attacks over port 80, non-HTTP traffic over port 80.]
• Only packet headers are inspected
• Application layer content appears as “black box”
• Forwarding decisions based on port numbers
• Legitimate traffic and application layer attacks use identical ports
Application Layer Firewall View Of A Packet
[Diagram: IP Header (Source Address, Dest. Address, TTL, Checksum) → TCP Header (Sequence Number, Source Port, Destination Port, Checksum) → Application Layer Content, visible as the actual HTML: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>MSNBC - MSNBC Front Page</title><link rel="stylesheet" (truncated on the slide). Traffic from the Internet to the Web Servers: expected HTTP traffic, unexpected HTTP traffic, attacks, non-HTTP traffic.]
• Packet headers and application content are inspected
• Forwarding decisions based on content
• Only legitimate and allowed traffic is processed
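The contrast between the two packet views, as an added example that is not part of the presentation: a port-only decision beside a content-inspecting one, both run over the same constructed port-80 payloads (the sample requests and the two signatures are made up for the demo; a real filter ships a vendor signature set).

```python
import re

# Constructed sample payloads, all addressed to TCP port 80. A header-only
# filter treats them identically; content inspection tells them apart.
SAMPLES = {
    "expected_http":    b"GET /index.html HTTP/1.1\r\nHost: www.example.edu\r\n\r\n",
    "attack_over_80":   b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n\r\n",
    "non_http_over_80": b"SSH-2.0-OpenSSH_3.9p1\r\n",
    "malformed_http":   b"GET / HTTP/9.9\r\nHost: www.example.edu\r\n\r\n",
    "bad_header":       b"GET / HTTP/1.1\r\nHost www.example.edu\r\n\r\n",
}

# Constructed signatures for the demo only (directory traversal patterns).
SIGNATURES = [rb"\.\./", rb"/etc/passwd"]

REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|OPTIONS) (\S+) HTTP/1\.[01]$")
HEADER_LINE = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+:[ \t]*[^\r\n]*$")


def traditional_firewall(dst_port: int) -> str:
    """Port-based decision only: anything to port 80 is 'web traffic'."""
    return "allow" if dst_port == 80 else "deny"


def application_layer_firewall(dst_port: int, payload: bytes) -> str:
    """Look inside the TCP payload before making a forwarding decision."""
    if dst_port != 80:
        return "deny"
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return "deny: not HTTP"              # another protocol carried on port 80
    lines = head.split(b"\r\n")
    if not REQUEST_LINE.match(lines[0]):
        return "deny: invalid request line"  # invalid HTTP syntax
    for header in lines[1:]:
        if not HEADER_LINE.match(header):
            return "deny: malformed header"
    for sig in SIGNATURES:
        if re.search(sig, lines[0], re.IGNORECASE):
            return "deny: signature match"   # known attack pattern in the URL
    return "allow"


def compare(samples=SAMPLES):
    """Same packets, two verdicts: (traditional, application-layer) per sample."""
    return {name: (traditional_firewall(80), application_layer_firewall(80, p))
            for name, p in samples.items()}
```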
Application Layer Firewalls (ALF) and ISA Server 2004
• IP/Port filtering is not enough anymore
• HTTP/S has become the carrier protocol of the internet – Music/File swapping, IM, RPC over HTTP, Intranet Portals, SSL capabilities in Yukon and Longhorn.
• Most exploits are occurring at the Application Layer
• ISA 2004 application filtering framework
  • Built in filters for common protocols
  • Built in capabilities for advanced protection of many major MS solutions including Exchange, IIS, IE, Intranet & RPC solutions
  • Solutions focused approach, ease of extensibility, rich partner community and product roadmap
Application Layer Inspection is useless without the ability to set app level security policies and make intelligent decisions based on what you are looking at!
Security: Defense In Depth
[Diagram: concentric layers, outermost to innermost: Perimeter Defenses, Network Defenses, Host Defenses, Application Defenses, Data and Resources]
Defense in Depth
• Protecting Networks
• Protecting Clients
• Providing secure access to applications
• Secure and manageable remote access
Engineering Excellence
• Threat modeling
• Third-party code inspection
• In Evaluation for CC EAL4+
• Unused features off by default
• Reduce attack surface area
• Least Privilege
• Deployment Kits and Guidance documents!
• Network Templates and Wizards
• Management and Monitoring Tools
• Newsgroup Support
• Microsoft Security Summits
• Third-party support
Protecting Networks with ISA Server 2004
• Enterprise Class Firewall capabilities
• Application layer inspection allows more advanced and intelligent management of traffic
• Network Segmentation for layered protections
  • Allows mitigation against worm outbreaks internally
  • Secure specific sets of resources, applications or services
• Protecting and securely connecting Remote Locations
Securing the traffic Internally
• Limit traffic between segments to a specific number of connections, types of traffic & access to specific resources
• Certain ports will have to be opened for standard communication between segments or to resources
• Application layer inspection provides the ability to allow approved traffic – while still identifying & blocking exploits & inappropriate content that should be blocked
Network Segmentation
• Labs
• Student Machines
• Other unmanaged segments
Protecting Your Clients
• Application Layer protection for inbound and outbound traffic
  • HTTP inspection and Signature blocking
  • Protect from browser vulnerabilities
• Can be deployed in a service oriented single NIC configuration
• Monitoring, Reporting and Managing Access based on User, Group, Computer, etc.
• Caching
• URL and Domain based filtering
• Transparent Authentication capabilities
• Partner Add-ons
HTTP Filtering to protect clients
[Diagram: an Internal Client browsing the Internet requests http://www.BADSITE.com/default.htm; the browser exploit served by www.BADSITE.com is blocked at ISA before it reaches the client.]
• HTTP filtering can be used to protect web browsers
Host Isolation
• Windows XP Service Pack 2
• Windows Server 2003 Service Pack 1
• Microsoft Windows AntiSpyware
• Software Restriction Policies
• Future: Network Access Protection
Protecting and Providing Secure Access to Applications and Services
How Exchange RPC Works
1 The RPC server maintains a table of Universally Unique Identifiers (UUID) and assigned port
2 The client connects to TCP port 135 on the server to query for the port associated with a UUID
3 The server responds with the associated port
4 The client reconnects to the server on the designated port to access Exchange
[Diagram: RPC Client (Outlook) ↔ RPC Server (Exchange). Client to TCP 135: “Port for {0E4A…}?”; server answers “Port 4402”; client then sends data to Port 4402.]
RPC and Traditional Firewalls
Traditional firewalls can’t provide secure RPC access; to let the exchange above through they must:
• Open port 135 for incoming traffic
• Open every port that RPC might use for incoming traffic
[Diagram: the same exchange as the previous slide: RPC Client (Outlook) asks TCP 135 for the port for {0E4A…}, RPC Server (Exchange) answers Port 4402, data flows on Port 4402.]
RPC and ISA Server
• Initial connection:
  • Only allows valid RPC traffic
  • Blocks non-Exchange queries
• Secondary connection:
  • Only allows connection to port used by Exchange
  • Enforces encryption
[Diagram: the same exchange with ISA Server in the path: RPC Client (Outlook) asks TCP 135 for the port for {0E4A…}, RPC Server (Exchange) answers Port 4402, data flows on Port 4402.]
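The three RPC slides as one simulation, added here and not part of the presentation: an endpoint-mapper lookup, the ports a header-only firewall would have to expose, and a stateful application-layer RPC filter that remembers the port the mapper handed out and only admits that secondary connection, encrypted. The UUIDs are constructed placeholders, not real Exchange interface identifiers; port 4402 is the slide’s example.

```python
from dataclasses import dataclass, field

EPMAP_PORT = 135

# Constructed placeholder UUIDs for the demo (not real Exchange interface ids).
EXCHANGE_UUID = "11111111-2222-3333-4444-555555555555"
OTHER_UUID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"


class RpcServer:
    """Step 1: the server keeps a UUID -> port table (4402 is the slide's example)."""
    def __init__(self):
        self.table = {EXCHANGE_UUID: 4402, OTHER_UUID: 1180}

    def lookup(self, uuid):
        """Steps 2-3: answer an endpoint-mapper query on TCP 135."""
        return self.table.get(uuid)


def exposed_by_traditional_firewall(port):
    """Header-only firewall: 135 plus every port RPC might use must be open."""
    return port == EPMAP_PORT or port >= 1025


@dataclass
class RpcFilter:
    """Application-layer RPC filter between client and server."""
    server: RpcServer
    allowed_uuids: set
    granted: dict = field(default_factory=dict)   # client -> port handed out

    def epmap_query(self, client, uuid):
        # Initial connection: only a valid query for a published interface passes.
        if uuid not in self.allowed_uuids:
            return ("blocked", "non-Exchange UUID")
        port = self.server.lookup(uuid)
        self.granted[client] = port
        return ("allowed", port)

    def secondary_connect(self, client, port, encrypted):
        # Step 4: only the port the mapper returned, and only with encryption.
        if self.granted.get(client) != port:
            return ("blocked", "port not granted by endpoint mapper")
        if not encrypted:
            return ("blocked", "encryption required")
        return ("allowed", port)


def walkthrough():
    """Outlook's normal flow beside three attempts the filter rejects."""
    f = RpcFilter(RpcServer(), {EXCHANGE_UUID})
    return {
        "outlook_query": f.epmap_query("outlook", EXCHANGE_UUID),
        "outlook_data": f.secondary_connect("outlook", 4402, encrypted=True),
        "other_query": f.epmap_query("scanner", OTHER_UUID),
        "wrong_port": f.secondary_connect("outlook", 1180, encrypted=True),
        "plaintext": f.secondary_connect("outlook", 4402, encrypted=False),
    }
```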
OWA: Traditional Firewall
[Diagram: OWA traffic, password guessing and web server attacks all pass through the SSL tunnel to the Exchange Server.]
• Web traffic to OWA is encrypted
  • Standard SSL encryption
  • Security against eavesdropping and impersonation
• Limitation:
  • Default OWA implementation does not protect against application layer attacks
How ISA Server Protects OWA
[Diagram: OWA traffic, password guessing and web server attacks arrive through the SSL tunnel; ISA Server applies Inspection and Authentication before anything reaches the Exchange Server.]
• Authentication
  • Unauthorized requests are blocked before they reach the Exchange server
  • Enforces all OWA authentication methods
  • Optional forms-based authentication prevents caching of credentials
• Inspection
  • Invalid HTTP requests or requests for non-OWA content are blocked
  • Inspection of SSL traffic before it reaches Exchange server
• Confidentiality
  • Ensures encryption of traffic over the Internet
  • Can prevent the downloading of attachments to client computers
Additional Exchange Services
• Similar benefits and application layer filtering for publishing other Exchange Services
  • SMTP
  • RPC over HTTP(s)
  • Active Sync
  • Outlook Mobile Access
Securing Access to Web Resources
• Inspect HTTP content before it reaches Web servers
  • Central location to block disallowed Web requests and URLs
  • Blocks disallowed or invalid HTTP syntax
  • Blocks attacks based on signatures
  • Inspect and bridge SSL Traffic
• Unified view of Web resources
  • Map different external names/paths to internal names/paths
  • ISA Server can protect server farms or entire networks
  • Link Translation
• User authentication
  • Active Directory, RADIUS or SecurID
  • Credentials can be forwarded to published server
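A web publishing rule of the kind the OWA and “Securing Access to Web Resources” slides describe, as an added example that is not part of the presentation: external name/path mapped to an internal one, non-published paths and unauthenticated requests blocked before the published server sees them, credentials forwarded, and link translation applied to the response. All host names and paths are assumed for the demo.

```python
# Constructed publishing rule: https://mail.example.edu/owa/... is published
# from internal http://exch01.campus.local/exchange/... (names assumed).
RULE = {
    "external_host": "mail.example.edu",
    "external_path": "/owa/",
    "internal_host": "exch01.campus.local",
    "internal_path": "/exchange/",
    "allowed_paths": ("/owa/", "/exchweb/"),   # everything else is non-OWA content
    "auth_required": True,
    "forward_credentials": True,
}


def publish(request, rule=RULE):
    """request: dict with 'host', 'path' and 'user' (None when unauthenticated).
    Returns ('forward', internal_request) or ('block', reason)."""
    if request["host"] != rule["external_host"]:
        return ("block", "unknown external host")
    if not any(request["path"].startswith(p) for p in rule["allowed_paths"]):
        return ("block", "path not published")
    if rule["auth_required"] and request["user"] is None:
        # Authenticate at the firewall: the request never reaches Exchange.
        return ("block", "authentication required")
    path = request["path"]
    if path.startswith(rule["external_path"]):
        # Map the external path onto the internal one.
        path = rule["internal_path"] + path[len(rule["external_path"]):]
    forwarded = {"host": rule["internal_host"], "path": path}
    if rule["forward_credentials"]:
        forwarded["user"] = request["user"]
    return ("forward", forwarded)


def link_translate(body, rule=RULE):
    """Rewrite internal names/paths in a response so clients receive external URLs."""
    internal = "http://%s%s" % (rule["internal_host"], rule["internal_path"])
    external = "https://%s%s" % (rule["external_host"], rule["external_path"])
    return body.replace(internal, external)
```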
Enabling Universal Resource Access
• Access to some university resources requires protocols other than HTTP
  • FTP servers for access to files
  • Database servers in DMZ or internal network
  • Public DNS servers to locate company’s servers
• Server publishing allows secure access to non-Web resources
  • ISA Server supports all IP-based protocols
  • Application-layer filtering for selected protocols: FTP, DNS, RPC, etc.
XML/SOAP Filtering
• Offload and/or enhance Security from Biztalk/IIS and .NET applications
• Forum’s Application Filter for ISA provides
  • Schema Validation
  • Message Level Access Control
  • Authorization Management to Web Services
  • Permissions enforcement
  • XML Content Filtering
  • Protection against SOAP/XML DOS attacks
  • Archiving
  • SSL Termination
Secure & Manageable Remote Access
• ISA Server 2004 - Enterprise VPN Solution
  • Access Controls and traffic segregation
  • De-tunnel & inspect traffic at Application Layer
  • Multiple Authentication options
• Integrated Client in Windows
  • Simplified client deployment (built in)
  • Logon via VPN
  • PPTP, IPSEC/L2TP
• Integrated support and use of Quarantine
Network Access Quarantine
Goal: Prevent VPN clients that don’t meet security requirements from accessing the network
• Client script checks whether the client meets organizational security policies
  • Personal firewall enabled?
  • Latest virus definitions used?
  • Required patches installed?
• If checks succeed, client gets full access
• If checks fail, client gets disconnected after timeout period
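The quarantine decision above as an added example, not part of the presentation: a posture check over the three questions the slide lists, then the full-access / still-quarantined / disconnected-after-timeout outcome. The policy thresholds, the patch identifiers and the two sample clients are constructed for the demo.

```python
from datetime import date

# Constructed policy (thresholds and patch ids are placeholders, not real KBs).
POLICY = {
    "firewall_required": True,
    "max_definition_age_days": 7,
    "required_patches": {"KB000001", "KB000002"},
    "timeout_seconds": 120,
}

# Constructed client posture reports, as a quarantine client script might gather them.
SAMPLE_CLIENTS = {
    "compliant": {"firewall_enabled": True, "definitions_date": date(2005, 2, 27),
                  "installed_patches": {"KB000001", "KB000002", "KB000009"}},
    "stale":     {"firewall_enabled": False, "definitions_date": date(2005, 1, 1),
                  "installed_patches": {"KB000001"}},
}


def evaluate_posture(client, policy=POLICY, today=date(2005, 3, 1)):
    """Run the three checks; return (passed, list of reasons for failure)."""
    reasons = []
    if policy["firewall_required"] and not client["firewall_enabled"]:
        reasons.append("personal firewall disabled")
    age_days = (today - client["definitions_date"]).days
    if age_days > policy["max_definition_age_days"]:
        reasons.append("virus definitions %d days old" % age_days)
    missing = policy["required_patches"] - client["installed_patches"]
    if missing:
        reasons.append("missing patches: " + ", ".join(sorted(missing)))
    return (not reasons, reasons)


def quarantine_decision(client, seconds_in_quarantine, policy=POLICY):
    """Outcome for a client that has sat in quarantine for the given time."""
    passed, reasons = evaluate_posture(client, policy)
    if passed:
        return ("full access", [])          # checks succeeded: lift quarantine
    if seconds_in_quarantine >= policy["timeout_seconds"]:
        return ("disconnected", reasons)    # checks failed and timeout expired
    return ("quarantined", reasons)         # still restricted, timer running
```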
ISA Server 2004 Enterprise
• ADAM Based configuration
  • No AD dependency, but AD can still be used…
    • User/Group database (and integrated Authentication)
    • Credential store
    • Certificate authority
    • Management
  • Redundant ADAM stores
• Enterprise Monitoring via MOM Management Pack
• Enterprise logging via a SQL Database
• Enterprise Policies and central policy management
• NLB enhancements and integrated management
• CARP (Cached Array Routing Protocol)
• Multi or dedicated function arrays
• Role based management
Third-party Add-ons
For details see: http://www.microsoft.com/isaserver/partners
More Options for Customers
ISA Server 2004 OEM Appliance
• Pre-hardened and pre-tested
  • Hardened configuration for reduced attack surface
• Easy to purchase, set up and deploy
Added Value and Customer Choice
• Out-of-box configuration tools
• Web-based administration
• Customized and fully integrated deployment options
New World-Wide Industry Partnerships
• Celestix Networks, Hewlett-Packard and Network Engines
Security Technologies Timeline
Prior
• Microsoft Baseline Security Analyzer (MBSA) v1.2
• Virus Cleaner Tools
• Systems Management Server (SMS) 2003
• Software Update Services (SUS) SP1
• Internet Security and Acceleration (ISA) Server 2004 Standard Edition
H2 04
• Windows XP Service Pack 2
• Patching Technology Improvements (MSI 3.0)
• Systems Management Server 2003 SP1
• Microsoft Operations Manager 2005
2005
• Windows malicious software removal tool
• Windows Server 2003 Service Pack 1
• Windows Update Services
• ISA Server 2004 Enterprise Edition
• Windows Rights Management Services SP1
• Windows AntiSpyware
• System Center 2005
• Windows Server 2003 “R2”
• Visual Studio 2005
Future
• Vulnerability Assessment and Remediation
• Active Protection Technologies
• Antivirus