Securing the Branch Office
Fred Baumhardt & Sandeep Modhvadia, Security Technology Architects, Microsoft
Session plan: What is a Branch Office; Root Causes; Solutions

Introduction: What is a Branch Office
• It is where the enterprise makes money
• It is where IT departments don't have people on the ground
• It has a high multiplier (10 to 10,000+ remote offices)
• It typically has low bandwidth
• It is the 19th-century Wild West
Root Causes: Why the Branch Causes Pain
• Bandwidth: the root cause
• Vendor thinking
• Poor management: no IT staff locally, little management technology
• Large user base (code name "PEBCAK")
• High privilege and legacy applications (poor execution control)
(Diagram: the core datacenter joined to the branch offices by "sticky tape and wet string"; HLLB = High Latency, Low Bandwidth)
Root Causes: How You Feel the Pain
• Viruses (self-inflicted)
• Worms (network-inflicted)
• *.ware: malware, spyware
• Users countering policy
• Service and network outages (due to saturation and loss)
• Cost
Securing the Branch: Solution Tracks
• Networks: improve bandwidth (cache, compress, etc.); take back control of the WAN; take back control of the LAN
• Vendors: select branch application platforms; assume branch conditions in design; train internal development
• Management: enable management remotely; start patching (easier said than done); user training and enablement
• Execution control: control of task-based work; technologies like SRP, ACLs, LUA; clear policy, technically enforced
Networks: Improve Bandwidth
• If you can, improve it: low bandwidth is the root cause, and removing it removes most of what follows
• Increase bandwidth contracts at the next renewal window
• Consider local Internet breakout with VPN, MPLS, etc. instead of carrying everything over leased lines
• Bandwidth has a high correlation with security
• Caching technology is a great enabler
Networks: Improve Bandwidth (cache, compress, etc.)
• ISA Server Branch Feature Pack
  • BITS caching, so you can start to patch: one download serves all clients; works for WUAC, WSUS, SMS and anything else that transfers over Microsoft BITS
  • HTTP compression: reduces the bandwidth required for HTTP streams
  • HTTP-based Quality of Service: QoS tagging for network equipment based on URL
• Caching and pre-population
  • Depending on your cache device, content can be pre-deployed during low-usage windows (e.g. 00:00 to 04:00)
• Windows Server 2003 R2 components like Remote Differential Compression
• Appliances like Tacit etc. that do workload caching
Networks: Take Back Control of the WAN
• Authenticate traffic using the WAN
  • Worms are anonymous; authentication defeats them
  • Start reducing non-essential, uncontrolled traffic
  • Example: the Branch Users group can access RPC UUID 00AABB-FA00000 on AppSRV1, and nothing else
  • Control which protocols each user class can use and block all others: map the network to the business
  • Requires a Layer 7 (application layer) device
• Protocol-inspect the WAN
  • Check the syntax of what HTTP, SMTP, RPC, DNS, etc. carry; enforce protocol conformance to reduce non-standard (overflow) attacks
  • The goal is to prevent infection from leaving or entering the branch
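The two WAN controls above (authenticated, per-group allow rules with default deny, and protocol-conformance checks) in working form. This is an added example written for this page in Python, not code from the deck, from ISA Server or from any Microsoft product; the group names, the intranet host name, the size limits and the sample flows are constructed for the example, while the RPC UUID and AppSRV1 are the slide's own illustration.

```python
"""Added example (not from the deck): a toy Layer 7 WAN policy check.

Two controls from the slide are modelled:
  1. authenticated, per-group allow rules (protocol, endpoint, destination);
     anything unlisted, and anything unauthenticated, is denied;
  2. HTTP protocol-conformance checks that reject malformed or oversized
     requests before they cross the WAN.
All names, hosts, limits and sample flows below are constructed.
"""
from __future__ import annotations

import re

# Constructed allow rules: group -> {(protocol, endpoint, destination)}.
# "*" is a wildcard. The RPC UUID and AppSRV1 come from the slide; the
# intranet host name is an assumption.
POLICY = {
    "Branch Users": {
        ("rpc", "00AABB-FA00000", "AppSRV1"),
        ("http", "*", "intranet.example.corp"),
    },
    "Branch Admins": {
        ("rdp", "*", "*"),
        ("http", "*", "*"),
    },
}

# Conformance limits (assumed values; tune to the applications you run).
MAX_LINE_BYTES = 4096
MAX_HEADERS = 100
ALLOWED_METHODS = {b"GET", b"POST", b"HEAD"}
REQUEST_LINE = re.compile(rb"^([A-Z]{3,7}) (/\S*|\*) HTTP/1\.[01]$")
HEADER_LINE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:[ \t]*[^\r\n]*$")


def wan_decision(user_group: str | None, proto: str, endpoint: str, dest: str) -> tuple[bool, str]:
    """Default-deny rule match. Unauthenticated traffic never matches a rule."""
    if user_group is None:
        return False, "unauthenticated traffic denied"
    for r_proto, r_endpoint, r_dest in POLICY.get(user_group, set()):
        if r_proto == proto and r_endpoint in ("*", endpoint) and r_dest in ("*", dest):
            return True, f"allowed by rule for {user_group}"
    return False, f"no rule permits {proto} to {dest} for {user_group}"


def http_conforms(raw: bytes) -> tuple[bool, str]:
    """Syntax check of an HTTP/1.x request head: bounded line length and
    header count, well-formed request and header lines, method allowlist."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "no end of headers"
    lines = head.split(b"\r\n")
    if any(len(line) > MAX_LINE_BYTES for line in lines):
        return False, "line too long"
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return False, "malformed request line"
    if m.group(1) not in ALLOWED_METHODS:
        return False, f"method {m.group(1).decode()} not permitted"
    if len(lines) - 1 > MAX_HEADERS:
        return False, "too many headers"
    for line in lines[1:]:
        if not HEADER_LINE.match(line):
            return False, "malformed header"
    return True, "ok"


def inspect_flow(user_group, proto, endpoint, dest, payload=b"") -> tuple[bool, str]:
    """Identity and rule match first, then protocol syntax for HTTP flows."""
    ok, reason = wan_decision(user_group, proto, endpoint, dest)
    if not ok:
        return ok, reason
    if proto == "http":
        return http_conforms(payload)
    return True, reason


if __name__ == "__main__":
    # Constructed flows: a legitimate branch user, an anonymous worm probe,
    # an oversized header aimed at the intranet server, and the slide's RPC case.
    good = b"GET /index.html HTTP/1.1\r\nHost: intranet.example.corp\r\n\r\n"
    huge = b"GET /index.html HTTP/1.1\r\nHost: " + b"A" * 5000 + b"\r\n\r\n"
    for args in [
        ("Branch Users", "http", "80", "intranet.example.corp", good),
        (None, "smb", "445", "AppSRV1", b""),
        ("Branch Users", "http", "80", "intranet.example.corp", huge),
        ("Branch Users", "rpc", "00AABB-FA00000", "AppSRV1", b""),
    ]:
        print(args[:4], inspect_flow(*args))
```

The point of the ordering in inspect_flow is the slide's: an anonymous worm never reaches the parser, because it fails the identity check first; the syntax check then catches the oversized or malformed request that a conformant client would never send.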
Networks: Take Back Control of the LAN
• Host-based firewalls on branch clients
  • Machines treat other network peers as hostile and untrusted
  • Built into Windows XP and Windows Server 2003; third-party products for other operating systems
  • Branch workloads usually allow this feature to be turned on
  • The built-in Windows Firewall does not block outbound traffic; third-party host firewalls will
Vendors: Select Branch Application Platforms
• Decisions on the branch network are taken by the network team, with little consultation of infrastructure concerns
• Architects can buy applications based on relationships and golf games, not capability
• SLAs and bandwidth have been "under-negotiated"
• Many environments have near-total network infrastructure monopolies; other architectures exist
• Network companies want to sell, in this order: leased line, MPLS, xDSL
Vendors: Assume Branch Conditions in Design; Train Internal Development
• Look at the development and purchasing culture: how are applications for remote offices decided?
• There is a large move to web-based applications in remote offices, but caching or HTTP acceleration is seldom considered
• Browser clients still require OS patching etc., and that should be planned for
• Consider deployment of caching and application acceleration infrastructure
• Train in-house developers to think about the deployment conditions they are writing for: send them to work in a remote office for a couple of days
Management: Enable Management Remotely
• A lot of remote management capability already exists
• Point-to-point technologies
  • Terminal Services is fairly efficient in bandwidth terms
  • HTTP-based server consoles like SATK
  • Remote access via RPC consoles (not recommended)
  • Windows Server 2003 R2 adds things like the Print Management Console
• Breadth management tools
  • SMS and MOM are now increasingly bandwidth friendly
  • Management tools are moving to BITS as the transfer mechanism
  • Other third-party tools are increasingly improving their bandwidth usage
Management: What is the Management Response Plan for Branches?
Some questions to ask:
• How do you contain branch failure?
• How will you detect branch failure?
• What are your SLAs to the business?
• Are there high-value assets at the branch?
• Does your expenditure on the remote office correlate to the above?
Management: Start Patching (easier said than done)
• Patch management is reactive, but necessary
• Most companies don't patch branches because of bandwidth
Management: User Training and Enablement
• User training is key: users can be useful to IT
• Users (like pets) can help you, if you train them
• The branch manager etc. can be delegated some tasks
• Equipment can be swapped out by users, if it and your design are IPA (Idiot Proof Architecture)
• Security policy should be communicated to the user base, and peer enforced
• Users are IT's eyes and ears at the branch
Execution Control: Control of Task-Based Work
• Whitelists like Software Restriction Policy require business investment, but are the most effective control
• Blacklist technologies are "appliantized", easy to deploy and require signature payments: perfect for the security industry, bad for you
• You will need to buy lots of different blacklist technologies
• If your tellers only use the bank application, and they can only run it (and nothing else), do you need AV?
Execution Control: Technologies like SRP, ACLs, LUA
• Remove admin privileges from task-based users; until Vista this will be very difficult to do for information workers
• Active Directory group policy provides a repeatable, re-applied lockdown, but GPOs depend on DC placement (bandwidth)
• Anti-(*.*) usually takes management and bandwidth for signatures
• Access control lists etc. can be very expensive to deploy; LUA (for Vista) and SRP aren't widely deployed
• For information-worker branch users, full management is required for security: consider AD group policy, SRP, host-based firewalls, automatic patching
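The whitelist-versus-blacklist argument of the two Execution Control slides above, shown with hash rules: a whitelist with a Disallowed default (the Software Restriction Policy model) runs only the listed teller application, while a blacklist runs everything the vendor has not yet shipped a signature for. This is an added example written for this page in Python, not Software Restriction Policy itself and not code from the deck; the files, their contents and the "signatures" are constructed in a temporary directory so it runs offline.

```python
"""Added example (not from the deck): hash-rule execution control, whitelist
versus blacklist, in the style of Software Restriction Policy's Disallowed
default level. Every file and hash here is constructed for the example;
nothing is read from a real system."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


class ExecutionPolicy:
    """Two policies over the same hash primitive."""

    def __init__(self, allowed_hashes, blocked_hashes=()):
        self.allowed = set(allowed_hashes)
        self.blocked = set(blocked_hashes)

    def whitelist_allows(self, path: Path) -> bool:
        # Default Disallowed: run only what is explicitly listed.
        return sha256_of(path) in self.allowed

    def blacklist_allows(self, path: Path) -> bool:
        # Signature model: run everything except what is already known bad.
        return sha256_of(path) not in self.blocked


def demo() -> dict[str, tuple[bool, bool]]:
    """Return {file: (whitelist_allows, blacklist_allows)} for constructed files."""
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        teller = base / "teller.exe"
        teller.write_bytes(b"MZ constructed bank teller application v1")
        worm = base / "worm.exe"
        worm.write_bytes(b"MZ constructed worm known to the AV vendor")
        variant = base / "worm_variant.exe"
        variant.write_bytes(b"MZ constructed worm repacked last night")
        tampered = base / "teller_tampered.exe"
        tampered.write_bytes(teller.read_bytes().replace(b"v1", b"v1 + backdoor"))
        game = base / "solitaire.exe"
        game.write_bytes(b"MZ constructed game a user brought in on a USB key")

        policy = ExecutionPolicy(
            allowed_hashes={sha256_of(teller)},  # the one app tellers need
            blocked_hashes={sha256_of(worm)},    # the one signature the vendor shipped
        )
        return {
            p.name: (policy.whitelist_allows(p), policy.blacklist_allows(p))
            for p in (teller, worm, variant, tampered, game)
        }


if __name__ == "__main__":
    for name, (wl, bl) in demo().items():
        print(f"{name:22} whitelist={'run' if wl else 'block':5}  blacklist={'run' if bl else 'block'}")
```

Only the unmodified teller binary runs under the whitelist; the repacked worm, the user's game and a tampered copy of the teller application are all blocked without any signature update, which is the slide's answer to "do you need AV?" for task-based users. The cost is the business investment the slide mentions: every legitimate update to teller.exe changes its hash and needs a new rule.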
Execution Control: Clear Policy, Technically Enforced (Optimal Policy Enforcement)
• Do your users know what their policy is?
• Do they know it is NOT OK to let someone take the server away "for repair" without authorisation?
• Can you technologically enforce your security policy? If not, why is it there?
• Did you write your policy with legal guidance?
• Have you adjusted your policy for the branch environment?
• Do you have a monitoring infrastructure in place to detect contravention?
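One answer to the last question above (a monitoring infrastructure that detects contravention), as an added example written for this page in Python and not code from the deck or from any Microsoft tool. It runs over constructed Windows Application and System log lines exported as tab-separated text from branch workstations. The event IDs are the ones I know for Software Restriction Policies blocks (865 default level, 866 path rule, 867 certificate rule, 868 hash rule) and for Service Control Manager state changes (7036); the host names, timestamps, GUID placeholder and the escalation threshold are assumptions. Verify the IDs against your own log source before relying on them.

```python
"""Added example (not from the deck): detecting policy contravention in
branch logs. Input is constructed tab-separated export lines of the form
    timestamp <TAB> host <TAB> source <TAB> event id <TAB> message
Event IDs are as I know them for Software Restriction Policies and the
Service Control Manager; verify against your own logs (assumption)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

SRP_BLOCK_IDS = {865: "default level", 866: "path rule", 867: "certificate rule", 868: "hash rule"}
SERVICE_STATE_ID = 7036
REPEAT_THRESHOLD = 3  # assumed: blocked executions per host before escalating
PATH_IN_MESSAGE = re.compile(r"Access to (.+?) has been restricted")

# Constructed sample export: two blocks of the same game, an autorun binary
# stopped by a hash rule, a firewall service stop, an unrelated service
# event, and a path-rule block on another host.
SAMPLE_LOG = """\
2005-10-03 08:12:44\tBR0042-WS07\tSoftware Restriction Policies\t865\tAccess to C:\\Documents and Settings\\jdoe\\Desktop\\game.exe has been restricted by your Administrator by the default software restriction policy level.
2005-10-03 08:13:02\tBR0042-WS07\tSoftware Restriction Policies\t865\tAccess to C:\\Documents and Settings\\jdoe\\Desktop\\game.exe has been restricted by your Administrator by the default software restriction policy level.
2005-10-03 08:13:40\tBR0042-WS07\tSoftware Restriction Policies\t868\tAccess to E:\\autorun\\setup.exe has been restricted by your Administrator by policy rule {constructed-guid}.
2005-10-03 09:01:10\tBR0042-WS03\tService Control Manager\t7036\tThe Windows Firewall/Internet Connection Sharing (ICS) service entered the stopped state.
2005-10-03 09:05:55\tBR0042-WS03\tService Control Manager\t7036\tThe Print Spooler service entered the running state.
2005-10-03 10:22:01\tBR0042-WS11\tSoftware Restriction Policies\t866\tAccess to \\\\fileserver\\share\\tool.exe has been restricted by your Administrator by location with policy rule {constructed-guid} placed on path \\\\fileserver\\share\\*.
"""


@dataclass
class Event:
    when: str
    host: str
    source: str
    event_id: int
    message: str


def parse(text: str) -> list[Event]:
    """Parse the export; malformed lines are skipped rather than crashing the monitor."""
    events = []
    for line in text.splitlines():
        parts = line.split("\t", 4)
        if len(parts) != 5 or not parts[3].isdigit():
            continue
        when, host, source, eid, msg = parts
        events.append(Event(when, host, source, int(eid), msg))
    return events


def blocked_path(message: str) -> str:
    m = PATH_IN_MESSAGE.search(message)
    return m.group(1) if m else "<unknown>"


def detect(events: list[Event]) -> list[tuple[str, str, str]]:
    """Return (host, alert kind, detail) tuples.

    srp_block            a user tried to run something policy forbids
    firewall_stopped     the host firewall was turned off (policy tampering)
    repeated_srp_blocks  a host keeps hitting the policy: escalate to a person
    """
    alerts = []
    blocks_per_host: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        if e.source == "Software Restriction Policies" and e.event_id in SRP_BLOCK_IDS:
            blocks_per_host[e.host].append(e)
            alerts.append((e.host, "srp_block", f"{SRP_BLOCK_IDS[e.event_id]}: {blocked_path(e.message)}"))
        elif e.event_id == SERVICE_STATE_ID and "Windows Firewall" in e.message and "stopped" in e.message:
            alerts.append((e.host, "firewall_stopped", e.message))
    for host, evs in blocks_per_host.items():
        if len(evs) >= REPEAT_THRESHOLD:
            alerts.append((host, "repeated_srp_blocks", f"{len(evs)} blocked executions since {evs[0].when}"))
    return alerts


if __name__ == "__main__":
    for host, kind, detail in detect(parse(SAMPLE_LOG)):
        print(f"{host:12} {kind:20} {detail}")
```

Each blocked execution is evidence that the technical enforcement is working and that a user does not know, or does not accept, the policy; the repeat count turns that into something the branch manager the earlier slide delegated to can be asked about, and the firewall stop is the "server taken away for repair" case in software form.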
Resources
• The latest news on Microsoft security: www.microsoft.com/uk/security, www.microsoft.com/uk/technet
• Read and contribute to our blogs: http://blogs.technet.com/sandeep/default.aspx, http://blogs.technet.com/fred/default.aspx
We are better at this stuff than you think…
fred@microsoft.com, deep@microsoft.com