
Security in 802.1x networks and NAP

Security in 802.1x networks and NAP. Alberto Camina Alvarez, EMEA GTSC Spain Platform Support Specialist, Microsoft Product Support Services.



Presentation Transcript


  1. Security in 802.1x networks and NAP. Alberto Camina Alvarez, EMEA GTSC Spain Platform Support Specialist, Microsoft Product Support Services

  2. The Defense in Depth model [layer diagram]
  • Policies, Procedures, & Awareness
  • Physical Security: guards, locks, tracking devices
  • Perimeter: firewalls, Network Access Quarantine Control
  • Internal Network: network segments, IPSec, NIDS
  • Host: OS hardening, authentication, patch management, HIDS
  • Application: application hardening, antivirus
  • Data: ACLs, encryption, EFS

  3. Perimeter defenses.
  • Well-configured firewalls and external routers form the main boundary and defense point of network security.
  • The Internet and the new trends in mobility increase security problems.
  • VPNs have blurred the perimeter and, together with wireless networks, have made the classic network perimeter disappear.

  4. Client defenses.
  • Client defenses block the attacks that have passed the external network perimeter or that originated on the internal network.
  • Client defenses include:
    • Operating system security improvements
    • Antivirus
    • Personal firewalls
  • In unmanaged environments, users can bypass and disable client defenses.

  5. Network security goals.

  6. Using perimeter defenses.

  7. A view of today's networks. [diagram: Main Office LAN connected over the Internet to a Branch Office LAN, a Business Partner LAN, a Remote User and a Wireless Network]
  Network perimeters include connections to:
  • The Internet
  • Branch offices
  • Business partners
  • Remote users
  • Wireless networks
  • Internet applications

  8. Firewall design. [diagram: Internet - Firewall - Screened Subnet - LAN]

  9. Firewall design. [diagram: Internet - External Firewall - Screened Subnet - Internal Firewall - LAN]

  10. What firewalls do not protect us against
  • Malicious traffic that passes through open ports and is not inspected by the firewall.
  • Any traffic that travels inside an encrypted tunnel or session.
  • Attacks carried out after penetrating the network.
  • Users and administrators who intentionally or accidentally install viruses.
  • Administrators who use weak passwords.

  11. Software vs. Hardware Firewalls

  12. Types of firewalls. [diagram: Internet - Multi-layer Inspection (including Application-Layer Filtering)]
  • Packet filtering.
  • Application-level inspection.

  13. GOAL: Stop 95% of attacks at the perimeter of our network.

  14. Denial of service attacks
  • They send unexpected or malformed traffic.
  • They usually attack a known but unpatched vulnerability.
  • DoS can:
    • Cause large business losses.
    • Damage the reputation of the business.

  15. DDoS [diagram: "Wake up!", "Ping!", "Reply!"]

  16. Securing wireless networks

  17. Wireless security problems.
  • Limitations of Wired Equivalent Privacy (WEP)
    • Static WEP keys are not dynamically changed and therefore are vulnerable to attack.
    • There is no standard method for provisioning static WEP keys to clients.
    • Scalability: compromise of a static WEP key by anyone exposes everyone.
  • Limitations of MAC address filtering
    • An attacker could spoof an allowed MAC address.

  18. Possible solutions.
  • Password-based Layer 2 authentication
    • IEEE 802.1x PEAP/MSCHAP v2
  • Certificate-based Layer 2 authentication
    • IEEE 802.1x EAP-TLS
  • Other options
    • VPN connectivity
      • L2TP/IPsec (preferred) or PPTP
      • Does not allow for roaming
      • Useful when using public wireless hotspots
      • No computer authentication or processing of computer settings in Group Policy
    • IPSec
      • Interoperability issues

  19. WLAN security comparison.

  20. 802.1x
  • Defines a port-based access control mechanism
  • Works on anything, wired or wireless
  • No special encryption key requirements
  • Allows a choice of authentication methods using the Extensible Authentication Protocol (EAP)
    • Chosen by the peers at authentication time
    • The access point doesn't care about EAP methods
  • Manages keys automatically
    • No need to preprogram wireless encryption keys

  21. 802.1x in 802.11 [sequence diagram: Laptop Computer - (802.11) - Wireless Access Point - (Ethernet, RADIUS) - Radius Server]
  Port state: Access Blocked
  1. 802.11 Associate (association)
  2. EAPOL-Start
  3. EAP-Request/Identity
  4. EAP-Response/Identity -> Radius-Access-Request
  5. Radius-Access-Challenge -> EAP-Request/Identity
  6. EAP-Response (credentials) -> Radius-Access-Request
  7. Radius-Access-Accept -> EAP-Success
  Port state: Access Allowed
  8. EAPOL-Key (Key)

  22. Requirements for 802.1x
  • Client: Windows XP
  • Server: Windows Server 2003 IAS
    • Internet Authentication Service—our RADIUS server
    • Certificate on the IAS computer
  • 802.1x on Windows 2000
    • Client and IAS must have SP3
    • See KB article 313664
    • No zero-configuration support in the client
    • Supports only EAP-TLS and MS-CHAPv2
    • Future EAP methods in Windows XP and Windows Server 2003 might not be backported

  23. Configure Windows Server 2003 with IAS (802.1x setup)
  1. Join a domain
  2. Enroll a computer certificate
  3. Register IAS in Active Directory
  4. Configure RADIUS logging
  5. Add the AP as a RADIUS client
  6. Configure the AP for RADIUS and 802.1x
  7. Create the wireless client access policy
  8. Configure clients (don't forget to import the root certificate)
  9. 802.1x Setup

  24. Access policies.
  • Policy conditions
    • NAS-Port-Type matches Wireless IEEE 802.11 OR Wireless Other
    • Windows-Group = <some group in AD>
      • Optional; allows administrative control
      • Should contain user and computer accounts

  25. Access policies.
  • Profile
    • Time-out: 60 min. (802.11b) or 10 min. (802.11a/g)
    • No regular authentication methods
    • EAP type: Protected EAP; use the computer certificate
    • Encryption: only the strongest (MPPE 128-bit)
    • Attributes: Ignore-User-Dialin-Properties = True
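The following is an added example, not code from the presentation or from Microsoft IAS: a small simulation of the exchange on slide 21 in which the access point keeps its port blocked until the RADIUS server answers Access-Accept, and of the policy evaluation on slides 24 and 25 (NAS-Port-Type condition, optional Windows group condition, profile attributes returned with the Accept). The NAS-Port-Type numbers are the RFC 2865 values; the directory, credentials, group name and attribute values are constructed for the demo, and the credential check stands in for the real PEAP/MS-CHAPv2 or EAP-TLS method.

```python
"""Added example (not from the original presentation): simulated 802.1X-over-
802.11 exchange with an authenticator that opens its port only on
Radius-Access-Accept, and a RADIUS policy that checks NAS-Port-Type and
Windows group before the credential check. Directory, credentials and
attribute values below are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# NAS-Port-Type values from RFC 2865
NAS_PORT_ETHERNET = 15
NAS_PORT_WIRELESS_OTHER = 18
NAS_PORT_WIRELESS_80211 = 19

# Constructed directory: identity -> groups. Computer accounts end in '$'.
DIRECTORY: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({"Domain Users", "Wireless Users"}),
    "bob": frozenset({"Domain Users"}),
    "LAPTOP01$": frozenset({"Domain Computers", "Wireless Users"}),
}
# Constructed credentials; a real deployment uses PEAP/MS-CHAPv2 or EAP-TLS.
CREDENTIALS: Dict[str, str] = {
    "alice": "s3cret",
    "bob": "hunter2",
    "LAPTOP01$": "machine-secret",
}


@dataclass(frozen=True)
class Policy:
    """Remote access policy: conditions (slide 24) and profile (slide 25)."""
    allowed_port_types: FrozenSet[int]
    required_group: Optional[str]   # None = no Windows-Group condition
    session_timeout_sec: int        # profile time-out


def radius_evaluate(identity: str, credential: str, nas_port_type: int,
                    policy: Policy) -> Tuple[str, object]:
    """Return ("Access-Accept", attributes) or ("Access-Reject", reason)."""
    # Policy conditions are evaluated on the Access-Request first.
    if nas_port_type not in policy.allowed_port_types:
        return "Access-Reject", "condition failed: NAS-Port-Type"
    groups = DIRECTORY.get(identity, frozenset())
    if policy.required_group is not None and policy.required_group not in groups:
        return "Access-Reject", "condition failed: Windows-Group"
    # Then the EAP credential exchange must succeed.
    if CREDENTIALS.get(identity) != credential:
        return "Access-Reject", "authentication failed"
    # Profile attributes returned with the Accept (values constructed).
    return "Access-Accept", {
        "Session-Timeout": policy.session_timeout_sec,
        "Ignore-User-Dialin-Properties": True,
        "Encryption": "MPPE 128-bit only",
    }


def run_exchange(identity: str, credential: str, nas_port_type: int,
                 policy: Policy) -> dict:
    """Simulate the slide 21 message flow; return the resulting port state."""
    port = "Access Blocked"           # authenticator starts with the port closed
    trace = [
        "802.11 Associate",
        "EAPOL-Start",                # supplicant -> AP
        "EAP-Request/Identity",       # AP -> supplicant
        f"EAP-Response/Identity({identity})",
        "Radius-Access-Request",      # AP relays EAP to the RADIUS server
        "Radius-Access-Challenge",    # server asks for credentials via EAP
        "EAP-Request",
        "EAP-Response(credentials)",
        "Radius-Access-Request",
    ]
    verdict, detail = radius_evaluate(identity, credential, nas_port_type, policy)
    trace.append(f"Radius-{verdict}")
    if verdict == "Access-Accept":
        trace += ["EAP-Success", "EAPOL-Key"]   # key delivered, port opens
        port = "Access Allowed"
    else:
        trace.append("EAP-Failure")             # port stays blocked
    return {"port": port, "trace": trace, "detail": detail}


WIRELESS_POLICY = Policy(
    allowed_port_types=frozenset({NAS_PORT_WIRELESS_80211, NAS_PORT_WIRELESS_OTHER}),
    required_group="Wireless Users",
    session_timeout_sec=600,          # 10 min, the slide's 802.11a/g value
)

if __name__ == "__main__":
    for who, cred, port_type in [("alice", "s3cret", NAS_PORT_WIRELESS_80211),
                                 ("bob", "hunter2", NAS_PORT_WIRELESS_80211),
                                 ("alice", "s3cret", NAS_PORT_ETHERNET)]:
        result = run_exchange(who, cred, port_type, WIRELESS_POLICY)
        print(who, port_type, "->", result["port"], "|", result["detail"])
```

Note that the port only changes state on an Access-Accept: a wired request (NAS-Port-Type 15) or an account outside the group is rejected by the policy conditions before any credential is examined, which is the administrative control the optional Windows-Group condition gives you.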

  26. Wi-Fi Protected Access (WPA)
  • A specification of standards-based, interoperable security enhancements that strongly increase the level of data protection and access control for existing and future wireless LAN systems
  • WPA requires 802.1x authentication for network access
  • Goals
    • Enhanced data encryption
    • Provide user authentication
    • Be forward compatible with 802.11i
    • Provide a non-RADIUS solution for small/home offices

  27. Recommended practices.
  • Use 802.1x authentication
  • Organize wireless users and computers into groups
  • Apply wireless access policies using Group Policy
  • Use EAP-TLS for certificate-based authentication and PEAP for password-based authentication
  • Configure your remote access policy to support user authentication as well as machine authentication
  • Develop a method to deal with rogue access points, such as LAN-based 802.1x authentication, site surveys, network monitoring, and user education

  28. Securing communications with IPsec.

  29. IPSec
  • What is IP Security (IPSec)?
    • A method to secure IP traffic
    • A framework of open standards developed by the Internet Engineering Task Force (IETF)
  • Why use IPSec?
    • To ensure encrypted and authenticated communications at the IP layer
    • To provide transport security that is independent of applications or application-layer protocols

  30. IPSec scenarios
  • Basic permit/block packet filtering
  • Secure internal LAN communications
  • Domain replication through firewalls
  • VPN across untrusted media

  31. Implementing IPSec packet filtering
  • Filters for allowed and blocked traffic
  • No actual negotiation of IPSec security associations
  • Overlapping filters—the most specific match determines the action
  • Does not provide stateful filtering
  • Must set "NoDefaultExempt = 1" to be secure

  32. Traffic not filtered by IPSec
  • IP broadcast addresses
    • Cannot secure to multiple receivers
  • Multicast addresses
    • From 224.0.0.0 through 239.255.255.255
  • Kerberos—UDP source or destination port 88
    • Kerberos is a secure protocol, which the Internet Key Exchange (IKE) negotiation service may use for authentication of other computers in a domain
  • IKE—UDP destination port 500
    • Required to allow IKE to negotiate parameters for IPSec security
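As an added example covering slides 31 and 32 (this is not code from the presentation or from the Windows IPsec implementation), here is a small permit/block filter engine with the properties the slides describe: overlapping filters where the most specific match decides, no connection state, and the default exemptions for broadcast, multicast, Kerberos (UDP 88) and IKE (UDP 500). The filters and packets are constructed, and the handling of NoDefaultExempt=1 is an assumption of the example: it removes only the Kerberos exemption and leaves broadcast, multicast and IKE exempt. Directed broadcast addresses are not modelled.

```python
"""Added example (not from the original presentation): an IPsec-style
permit/block packet filter with most-specific-match semantics and the
default exemptions from slide 32. Assumption: NoDefaultExempt=1 drops the
Kerberos exemption and keeps broadcast, multicast and IKE exempt. Filters
and packets are constructed for the demo."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

UDP, TCP = 17, 6
MULTICAST = ipaddress.ip_network("224.0.0.0/4")   # 224.0.0.0 - 239.255.255.255
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Filter:
    src: str                   # CIDR; "0.0.0.0/0" means any address
    dst: str
    protocol: Optional[int]    # None = any protocol
    dst_port: Optional[int]    # None = any destination port
    action: str                # "permit" or "block"

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.protocol is None or self.protocol == pkt.protocol)
                and (self.dst_port is None or self.dst_port == pkt.dst_port))

    def specificity(self) -> int:
        """Longer prefixes and an explicit protocol/port make a filter more specific."""
        return (ipaddress.ip_network(self.src).prefixlen
                + ipaddress.ip_network(self.dst).prefixlen
                + (1 if self.protocol is not None else 0)
                + (1 if self.dst_port is not None else 0))


def is_default_exempt(pkt: Packet, no_default_exempt: int) -> bool:
    """Traffic the IPsec filters never see (slide 32)."""
    dst = ipaddress.ip_address(pkt.dst)
    if dst == LIMITED_BROADCAST or dst in MULTICAST:
        return True                      # cannot secure to multiple receivers
    if pkt.protocol == UDP and pkt.dst_port == 500:
        return True                      # IKE must always be able to negotiate
    if (pkt.protocol == UDP and 88 in (pkt.src_port, pkt.dst_port)
            and no_default_exempt == 0):
        return True                      # Kerberos is exempt only with the default setting
    return False


def decide(filters: List[Filter], pkt: Packet, no_default_exempt: int = 1) -> str:
    """Return "exempt", "permit" or "block" for one packet; no state is kept."""
    if is_default_exempt(pkt, no_default_exempt):
        return "exempt"
    candidates = [f for f in filters if f.matches(pkt)]
    if not candidates:
        return "permit"                  # traffic no filter covers is not policed at all
    return max(candidates, key=Filter.specificity).action


# Constructed policy: block everything, then open specific, narrower holes.
SAMPLE_FILTERS = [
    Filter("0.0.0.0/0", "0.0.0.0/0", None, None, "block"),     # catch-all
    Filter("0.0.0.0/0", "10.0.0.5/32", TCP, 80, "permit"),     # web server
    Filter("10.0.1.0/24", "0.0.0.0/0", None, None, "permit"),  # admin subnet
]

if __name__ == "__main__":
    samples = [
        Packet("10.0.2.9", "10.0.0.5", TCP, 40000, 80),
        Packet("10.0.2.9", "10.0.0.5", TCP, 40000, 22),
        Packet("10.0.1.7", "10.0.0.5", TCP, 40000, 22),
        Packet("10.0.2.9", "10.0.0.5", UDP, 40000, 88),
        Packet("10.0.2.9", "224.0.0.1", UDP, 5000, 5000),
    ]
    for p in samples:
        print(p.src, "->", p.dst, p.dst_port, decide(SAMPLE_FILTERS, p))
```

Two points the code makes concrete: a packet that matches no filter is not blocked, which is why the policy needs the catch-all block filter, and the Kerberos exemption means a UDP port 88 packet passes untouched unless NoDefaultExempt is set, which is the reason the slide calls the setting necessary for a secure configuration.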

  33. IPSec performance
  • IPSec processing has some performance impact
  • IKE negotiation time—about 2–5 seconds initially
    • 5 round trips
    • Authentication—Kerberos or certificates
    • Cryptographic key generation and encrypted messages
    • Done once per 8 hours by default, settable
  • Session rekey is fast—<1–2 seconds, 2 round trips, once per hour, settable
  • Encryption of packets

  34. IPSec performance
  • How to improve it?
    • Offloading NICs do IPSec almost at wire speed
    • Use faster CPUs

  35. Recommended practices.
  • Plan your IPSec implementation carefully
  • Choose between AH and ESP
  • Use Group Policy to implement IPSec policies
  • Consider the use of IPSec NICs
  • Never use shared key authentication outside your test lab
  • Choose between certificate and Kerberos authentication
  • Use care when requiring IPSec for communications with domain controllers and other infrastructure servers

  36. The problems of 802.1X

  37. What is 802.1X?
  • Port-based access control method defined by the IEEE: http://standards.ieee.org/getieee802/download/802.1X-2001.pdf
  • EAP provides mutual authentication between devices: ftp://ftp.rfc-editor.org/in-notes/rfc3748.txt
  • Works over anything
    • Wired
    • Wireless
    • ftp://ftp.rfc-editor.org/in-notes/rfc2549.txt http://eagle.auc.ca/~dreid

  38. What do you need for 802.1X?
  • Network infrastructure that supports it
    • Switches, mostly
  • Clients and servers that support it
    • Supplicants included in Windows XP, 2003, Vista
    • Download for Windows 2000

  39. Why is it perfect for wireless environments?
  • The supplicant (client) and the authentication server (RADIUS) generate session keys
    • Keys are never sent over the air
    • Nothing for an attacker to use to conduct impersonation or man-in-the-middle attacks
  • Can be managed centrally with GPOs

  40. Why is it not so perfect for wired environments?
  • No GPOs—and we can't retrofit them
  • Worse… a fundamental protocol design flaw
    • 802.1X authenticates only at the start of traffic between client and switch
    • After the switch port opens, everything after that is assumed to be valid
    • These kinds of assumptions allow MITM attacks!
  • Does require physical access to the network

  41. Attacks against 802.1x [diagram: a legitimate host and a second host on the same switch port both using IP 1.2.3.4 and MAC aa:bb:cc:dd:ee:ff after the "…authenticate…" exchange; the second host is labelled "drop all inbound not for me"]

  42. How it works.
  • 802.1X lacks per-packet authentication
  • It assumes that the post-authentication traffic is valid—based on MAC and IP only
  • The switch has no idea what's happened!
  • The attacker can communicate only over UDP
    • The victim would reset any TCP reply it received but didn't send (the victim sees the reply to the shadow)

  43. Attacks against 802.1x [diagram: the two hosts sharing IP 1.2.3.4 / MAC aa:bb:cc:dd:ee:ff; the shadow's SYN draws an ACK-SYN that the victim answers with ACK-RST / RST]

  44. It can be improved!!
  • If the victim computer happens to run a personal firewall…
  • …which drops unsolicited ACK-SYNs…
  • It gets better!

  45. The attack… improved. [diagram: the two hosts sharing IP 1.2.3.4 / MAC aa:bb:cc:dd:ee:ff; the ACK-SYN to the shadow's SYN is no longer reset, so the shadow completes the handshake with ACK]

  46. Solutions.
  • Despite what the networking vendors claim, 802.1X is inappropriate for preventing rogue access to the network
  • Good security mechanisms never assume that computers are playing nicely
    • 802.1X makes this incorrect assumption
    • IPsec does not
  • If you're worried about bad guys flooding your network…
    • Then 802.1X + IPsec is the way to go

  47.
  • Trusted users disclosing high value data
  • Compromise of trusted credentials
  • Untrusted computers compromising other untrusted computers
  • Loss of physical security of trusted computers
  • Lack of compliance mechanisms for trusted computers

  48. Preparing for Network Access Protection (NAP).
  • Deploy domain isolation to become familiar with IPsec concepts
  • NAP will provide a richer enforcement mechanism, while adding to server and domain isolation
  • Plan and model to add health authentication and the other compliance enforcement mechanisms that Network Access Protection provides
  • More guidance available during the Longhorn beta

  49. The future of IPsec
  • Server 2003, Windows XP
    • Isolation by domain or server
    • Authentication of the machine, but no health check
    • Windows Firewall integration
      • Authenticated bypass capability
    • Overhead offload
      • 10/100mb NIC—lower CPU
  • "Longhorn" and beyond
    • Extensible isolation
      • User and machine credentials
      • Health certificates
    • Firewall integration
      • Windows Filtering Platform
    • Improved administration
      • One-size-fits-all policy
    • Extensible performance
      • Gig-E offload for lower CPU

  50. Protecting networks with NAP
