Protecting Exchange and OWA with ISA Server
Download
Report
Transcript Protecting Exchange and OWA with ISA Server
SEC413: Protecting
Exchange And OWA
With ISA Server
Today’s Agenda
Blow through this real fast so it doesn’t
look like we’re complaining (too much)
RPC operation, perception problems
OWA
VPNs
IPSec
Spend the bulk of our time here
Exchange publishing with ISA
MAPI? No way!
Uh, well, yes way
Users want full Outlook® functionality
Was difficult—impossible, even—for a
long time
RPC security problems
RPC performance problems
RPC perception problems
Why’s RPC So Bad?
Not in an enterprise, it isn’t
But for carriers, or transmission over a
public network, it’s anathema
Er, assumed to be an anathema, anyway
RPC has this dynamic port behavior,
which ISPs and ASPs don’t like
RPC 101
The server
Server registers application’s UUID
What’s a UUID?
“Universal” UID
Every application’s UUID is, well, UU
Well-known and common across
all platforms
RPC 101
The server
Then what?
At service start, UUID is associated with free high
TCP port
Association is static for service lifetime
Not always the same port across restarts
Can you summarize this?
Sure; Think of a table
Service
Exchange
MMC
AD replication
UUID
{01020304-1111-2222-3333-aabbcc…
{15161718-4444-5555-6666-ffeedd…
{28261513-9999-8888-7777-cdbeaf…
TCP Port
1328
9965
2679
RPC 101
The client
But wait; Is all this UUID stuff important?
Sure; It’s how ISA makes the
Exchange-over-the-Internet thing easy!
How so?
Client can’t know in advance which port a service
is on
Client learns port through a request-response
exchange involving UUID
Up next: The process!
RPC 101
The client
1.
2.
3.
4.
5.
6.
Client connects to server on 135/tcp
(called the portmapper)
Client knows UUID of service it wants
Client asks, “Portmapper, what’s the port
associated with UUID n?”
Portmapper responds with associated port.
(Remember the previous table)
Server closes connection
Client reconnects to server on learned port to
access application
RPC Problems
That portmapper thing sounds pretty
cool; So what are all these problems
with RPC?
Well, security, mainly
Can’t know in advance which port a
service will register
Reduces firewall to Swiss cheese
Some services can be locked to a range
Can also set generic range
Extra configuration, though
RPC Problems
Anything else?
Performance
Many RPC applications can’t handle
Internet’s latency and jitter very well
Perception
RPC is an “intranet” protocol! Not
something that belongs on the Internet!
“Protocol purity” arguments are (finally!)
losing their validity
That port numbers somehow prove traffic
validity and intent; False!
Other Alternatives
Let’s just use OWA; After all, doesn’t
HTTP make the perfect transport?
HTTP is an application protocol; Just
because every firewall in the world
passes 80/tcp doesn’t mean HTTP is good
for carrying the world’s traffic!
HTTP is inefficient
OWA feels slow because of SSL
Of course, RPC isn’t much faster…
Not everyone has or likes
Internet Explorer
Other Alternatives
A VPN! Everybody loves VPNs!
VPNs excel for remote access from the
Internet into a corporate network
For LAN users, VPNs introduce a
difficult problem
It’s the split-tunnel problem, right? What is it?
Briefly…
IPSec
Let’s use IPSec between the customer
and the ASP
There’s the little NAT problem, remember?
Oh yeah
Yeah; Most ASPs and subscribers have
NAT, unfortunately
IPSec breaks if NAT is in the path
Your narrator hates NAT for this and many
other reasons; Details available!
IPSec Through NAT
Soon-to-be RFC specifying UDP
encapsulation
Stuff IPSec (IP protocols 51 and 51) into
UDP packets
Header from hell
IP | UDP | IP | IPSec | next-prot | payload
Existing NAT devices can handle this
Requires support at endpoints
Windows .NET Server includes
Updates to Windows XP and 2000
Enter ISA!
So this ISA thing has some real
merit, then
It sure does; Amazing, isn’t it?
Details coming up!
ISA Configuration
The LAT
LAT = local address table
Defines what’s local and what’s
external, from ISA’s POV
More on network design later
demo
Creating The LAT
Review
LAT contents
Published servers
Exchange
OWA
SMTP
Ancillary servers
AD
Internal DNS
No external access: No publishing rules
ISA Server Publishing
ISA proxy operates in two “directions”
Forward proxy
Forward proxy
Reverse proxy
Controlling where/when/how users access the
world beyond ISA
Not used at all here
Reverse proxy
Controlling how the world accesses the network
behind ISA
This is server and Web publishing
Reverse Proxy Behavior
Two kinds
Server publishing
Web publishing
Differences
Packet processing (header construction)
Policy element involvement
Listeners (for SSL and authentication)
SSL handling
Packet Processing
A.k.a., “transparent reverse proxy”
Accepts connections from outside
Generates new packets
Preserves original address and port
New TCP sequence numbers
Issues
Can’t load balance with current NLB
Which ISA to send return traffic through?
More On Packet Processing
Server publishing preserves client
source address (“transparent NAT”)
Might cause problems in complex
routed networks
External addresses in DMZ, for instance
ISA can’t be default gateway
ISA SP1 includes new registry key
Changes Exchange RPC and FTP
If present, rules now use ISAs inside IP as
source address
SSL Handling
Server publishing passes SSL through
to destination Web server
Exchange OWA bug
Problem with links
Fixed in ISA Service Pack 1
Security?
Pros and cons; more later
Policies And Their Elements
Protocol definitions for inbound traffic
Site and content rules
Where can a LAT member go?
What can a LAT member see?
Protocol rules
The ones we need are already defined
How can a LAT member operate?
Packet filters
Nothing new needed
demo
Creating Default Site
And Content Rule;
Creating Default
Protocol Rule
Review
S/C and protocol rule
Site and content rule
Generic one allowing everything
everywhere always
Protocol rule
Generic rule allowing everything always
Or: Outbound SMTP and DNS only, in
conjunction with client address sets
(more to come)
Publishing Rules
Three publishing rules
Protocols already defined
ISA Server invisible otherwise
Exchange RPC – for Outlook
HTTPS – for OWA
SMTP – for inbound mail
Will portscan it in a bit
Let’s take a look!
demo
Creating The
Publishing Rules
Review
Publishing rules
Describe functionality of each rule
Exchange RPC – for Outlook
HTTPS – for OWA
SMTP – for inbound mail
Exchange RPC
Mapped protocol: “Exchange RPC”
E-RPC rule allows
Exchange UUID, none others
Authentication carried inside RPC
New mail notification (more on this later)
Operation
Rule examines portmapper traffic
Opens packet filter only if correct UUID
Filter is between client:port and ISA:port
ISA generates new packets to Exchange
HTTPS (SSL)
Mapped protocol: “HTTPS server”
ISA listens on 443/tcp
Receives inbound traffic
Regenerates new packets and forwards
to OWA server
Preserves source address and port,
remember
HTTPS (SSL)
Security
What if inspection is required?
SSL termination
Use Web publishing instead (and listeners!)
ISA boxes will need more power—consider hardware
encryption cards
SSL stops at ISA; cleartext from ISA to OWA
Certificate per ISA server
SSL bridging
SSL from client to ISA; new SSL from ISA to OWA
Need certificates for ISA and OWA servers
HTTPS (SSL)
Bug
Problem is with SSL termination
ISA accepts HTTPS from client
Sends HTTP to OWA
OWA’s links, then, are HTTP rather
than HTTPS
Client surfing breaks
HTTPS (SSL)
Solution
Need to have special HTTP header
FrontEndHttps: On
In stream between OWA and Exchange
ISA Service Pack 1
New registry key
Adds header to OWA-Exchange stream
SMTP
Mapped protocol: “SMTP server”
Typical ISA reverse proxy behavior
SMTP filter provides protection
Attachment disposition
Rejected senders and domains
SMTP command validation and limitations
Keyword filtering
demo
Portscan The
ISA computer
Review
ISA’s security
Visible ports
25/tcp
135/tcp
443/tcp
SMTP
RPC portmapper
SSL
ISA drops packets not matching
published services
Better than sending RST (reset)
IPSec filtering also silenty drops unmatched traffic
IP stack filtering doesn’t
Good Internet Citizenship
Improve resistance to compromise
Allow only outbound SMTP and DNS
Much harder to
For new connections only
Doesn’t block outbound return traffic
Download code onto compromised
servers (no TFTP now)
Hijack as DDoS constellation member
Use client address sets and
protocol rules
demo
Creating The Client
Address Set And The
Protocol Rules
Review
Client address set
Address set for SMTP
bridgehead servers
Need only one
Contains IP addresses (or range)
of all servers
Component of protocol rule
Review
Protocol rules
Limit what LAT computers can
do outbound
Not what they can respond to, however
Need two rules
Use existing protocol definitions
“DNS query”
“SMTP”
Rule applies to client address set
created earlier
New Mail Notification
Setup
1.
2.
3.
User logs into Exchange
Client picks random high UDP port
(“new-mail-port”)
Exchange adds entry to table
User
ZaphodB
ArthurD
FordP
Client IP address
131.107.39.42
157.54.42.69
42.204.231.239
New-mail-port
37291
12193
53412
You’ve Got Mail!
1.
2.
3.
Exchange has new mail for user
Exchange looks in table, finds user’s
IP address and new-mail-port
Exchange sends single UDP packet to
client, indicating new mail is on server
ISA’s Exchange RPC rule
accommodates this transparently—no
special configuration required
Problems With NAT
Client accessed through NAT address
UDP registration done with original address,
though
UDP packet to NAT-address:new-mail-port
will get dropped
No NAT editors for this
Second Method
Client usually makes RPC connection
to server every 30-90 seconds
Server inserts new mail notification
flag into return packets
But, it’s broken!
Doesn’t work if there’s an error in the
RPC packets
Outlook stops processing the packet,
never sees notification flag at end
There is a QFE to fix it both for
Outlook 2000 and Outlook XP
Workarounds
Outlook 2000
Press [F9] to check
Outlook XP
Press [F9] to check
Configure polling
Simple request-response over RPC
As before, if packet has error, client
doesn’t see flag – QFE fixes this too
Other Network
Requirements
Network design
Simple—deceptively so, really
No notion of “front-net” and “back-net”
If the inside firewall allows connections
from the DMZ, what good is it?
All services live behind ISA
ISA only allows inbound communication
to known servers over known protocols
No firewall traversal problems for
authentication
Network Diagram
Internet
router
eDNS
ISA
iDNS
Exch
cluster
OWA
SMTP
AD
Clients Behind Firewalls
It’s still an RPC connection
Some networks might not permit this
To ISA, not Exchange
Possibly might if ports are known
Need to fix Exchange RPC listener’s ports
Service Pack 1, again
Uses same registry keys as does
Exchange to perform same function
Border Routers
Put anti-spoofing rules here
Eliminates most conditions for DDoS
attacks and constellations
Rule types
Inbound rule for blocking DDoS attacks
Outbound rule for preventing
constellation membership
Block private addresses
Block source-routed packets
Block fragments – with caution!
Router Configuration
Inbound: Block where
source address = own subnet
Outbound: Block where
source address ≠ own subnet
Private addresses: Block all where
source|destination = RFC 1918
Source routed: Block all where
source route is specified
Fragments: Block all
Most fragments are parts of attacks
Except IPSec and VPNs, however
DNS Configuration
Need two DNS servers
Internal, for servers to find each other
and for AD
External, for SMTP to find the world
Called “split” DNS
External DNS lives outside ISA – it’s the
only thing that does
“Split-split” DNS prevents
cache-poisoning attacks
See http://www.sans.org for details
DNS Records
For internal DNS, dynamic registration
is fine
For external
“A” records for Exchange, OWA, and
SMTP servers
“MX” records for SMTP servers
“A” records actually point to ISA’s
external interface
More Information
http://www.microsoft.com/isaserver
http://www.isainfo.org
Microsoft Consulting Services
Coming soon – your local
Exchange ASP!
如果您有任何问题,请加入
微软中文新闻组
继续讨论
加入微软中文新闻组
http://www.microsoft.com/china/community
© 2002 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.