Network Security and ISA Server


Network Security and ISA Server
Paul Hogan
Ward Solutions
Session Prerequisites
Hands-on experience with Windows 2000 or Windows Server 2003
Working knowledge of networking, including basics of security
Basic knowledge of network security-assessment strategies
Level 300
Agenda
10:00 - 11:00  Network Security
11:00 - 11:15  Break
11:30 - 12:00  Securing SQL Server
12:00 - 1:00   Lunch
1:00 - 2:00    Securing Exchange
2:30 - 2:15    Break
2:15 - 3:15    Lab Sessions
3:15           Q&A
These sessions are about…
…operational security
The easy way is not always the secure way
Networks are usually designed in particular ways
 In many cases, these practices simplify attacks
 In some cases, these practices enable attacks
In order to avoid these practices, it helps to understand how an attacker can use them
These sessions are NOT…
…a hacking tutorial
 Hacking networks you own can be enlightening
 HACKING NETWORKS YOU DO NOT OWN IS ILLEGAL
…demonstrating vulnerabilities in Windows
 Everything we show stems from operational security or custom applications
 Knowing how Windows operates is critical to avoiding problems
…for the faint of heart
The Sessions
Introducing the Case-Study Scenario
[Network diagram: Internal LAN running IIS 6.0 on Windows 2003, an ISA Server Firewall on each side of the External LAN, and wireless Access Points]
Understanding Defense-in-Depth
Using a layered approach:
 Increases an attacker’s risk of detection
 Reduces an attacker’s chance of success
Layers, from the innermost outward:
 Data: strong passwords, ACLs, backup and restore strategy
 Application: application hardening
 Host: OS hardening, authentication, security update management, antivirus updates, auditing
 Internal network: network segments, NIDS
 Perimeter: firewalls, border routers, VPNs with quarantine procedures
 Physical security: guards, locks, tracking devices
 Policies, procedures, and awareness: security policies, procedures, and education
Why Does Network Security Fail?
Network security fails in several common areas, including:
Human awareness
Policy factors
Hardware or software misconfigurations
Poor assumptions
Ignorance
Failure to stay up-to-date
What we will cover:
How to Implement Perimeter Defenses
How ISA Server Protects Networks
Using Windows Firewalls to Protect Clients
How to Protect Wireless Networks
Purpose and Limitations of Perimeter Defenses
Properly configured firewalls and border routers are the cornerstone for perimeter security
The Internet and mobility increase security risks
VPNs have exposed a destructive, pernicious entry point for viruses and worms in many organizations
Traditional packet-filtering firewalls only block network ports and computer addresses
Most modern attacks occur at the application layer
Purpose and Limitations of Intrusion Detection
Detects the pattern of common attacks and records suspicious traffic in event logs and/or alerts administrators
Integrates with other firewall features to prevent common attacks
Threats and vulnerabilities are constantly evolving, which leaves systems vulnerable until a new attack is known and a new signature is created and distributed
Implementing Network-Based Intrusion-Detection Systems
Network-based intrusion-detection system: provides rapid detection and reporting of external malware attacks
Important points to note:
 Network-based intrusion-detection systems are only as good as the process that is followed once an intrusion is detected
 ISA Server 2004 provides network-based intrusion-detection abilities
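The slides describe a network-based IDS as something that detects the pattern of a common attack in traffic and records it for the administrator. The following is an added example, not from the session or from ISA Server: a toy detector that reads firewall-style log lines and raises one alert when a single source touches many distinct destination ports inside a short window (the classic port-scan pattern). The log format and every line in it are constructed for the example; ISA Server's real log format is not used here.

```python
"""Toy network-based intrusion detection over firewall log lines.

Constructed example: the log format and the sample lines are invented for
illustration and are not ISA Server's log format. The detector flags a
source that contacts PORT_THRESHOLD distinct destination ports within
WINDOW seconds and produces the fields an operator needs to act on it.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample, one event per line: "<time> <src-ip> <dst-ip> <dst-port> <action>"
SAMPLE_LOG = """\
2004-06-01T10:00:01 198.51.100.7 10.0.0.20 21 DENY
2004-06-01T10:00:02 198.51.100.7 10.0.0.20 22 DENY
2004-06-01T10:00:02 198.51.100.7 10.0.0.20 23 DENY
2004-06-01T10:00:03 198.51.100.7 10.0.0.20 25 DENY
2004-06-01T10:00:03 198.51.100.7 10.0.0.20 80 ALLOW
2004-06-01T10:00:04 198.51.100.7 10.0.0.20 110 DENY
2004-06-01T10:00:05 203.0.113.4 10.0.0.20 80 ALLOW
2004-06-01T10:05:09 203.0.113.4 10.0.0.20 443 ALLOW
"""

PORT_THRESHOLD = 5              # distinct destination ports from one source...
WINDOW = timedelta(seconds=10)  # ...seen within this many seconds


def parse(line: str):
    """Split one log line into (timestamp, src, dst, port, action)."""
    ts, src, dst, port, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), action


def detect_port_scans(log_text: str) -> List[Dict]:
    """Return one alert per source whose events exceed PORT_THRESHOLD distinct
    ports inside a sliding WINDOW. Denied packets count too: a firewall that
    blocks a probe still saw it, and the pattern is the signal."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e[0])
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside WINDOW
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1
            ports = {e[3] for e in evs[start:end + 1]}
            if len(ports) >= PORT_THRESHOLD:
                alerts.append({
                    "source": src,
                    "target": evs[end][2],
                    "ports": sorted(ports),
                    "first_seen": evs[start][0].isoformat(),
                    "last_seen": evs[end][0].isoformat(),
                })
                break  # one alert per source; the follow-up process takes over
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_LOG):
        print(alert)
```

The alert carries the source, target, port list and time span because, as the slide says, detection is only as good as the process that follows it; an alert that lacks those fields cannot be triaged. The second source in the sample (two ports, five minutes apart) stays below the threshold and is not reported.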
Perimeter Connections
Network perimeters include connections to:
 The Internet
 Branch offices
 Business partners
 Remote users
 Wireless networks
 Internet applications
[Diagram: Main Office LAN connected through the Internet to a Business Partner LAN, a Branch Office LAN, a Remote User, and a Wireless Network]
Firewall Design: Three-Homed
[Diagram: one firewall with three interfaces connecting the Internet, a screened subnet, and the LAN]
Firewall Design: Back-to-Back
[Diagram: Internet, external firewall, DMZ, internal firewall, LAN]
Software vs Hardware Firewalls
Decision factors:
 Flexibility: updating for the latest vulnerabilities and patches is easier with software-based firewalls.
 Extensibility: many hardware firewalls allow only limited customization.
 Choice of vendors: software firewalls let you choose hardware for a wide variety of needs, with no reliance on a single vendor for additional hardware.
 Costs: the initial purchase price for hardware firewalls may be less. Software firewalls take advantage of low CPU costs; the hardware can be easily upgraded and old hardware can be repurposed.
 Complexity: hardware firewalls are often less complex.
Types of Firewalls
 Packet filtering
 Stateful inspection
 Application-layer inspection
 Multi-layer inspection (including application-layer filtering)
[Diagram: traffic from the Internet passing through each inspection type in turn]
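The difference between the first two firewall types on this slide is easier to see in code than in a diagram. The following is an added example, not from the session or from ISA Server: a stateless packet filter that decides on each packet's header fields alone, next to a stateful filter that remembers connections opened from inside and admits only their replies. The packets, addresses and the single "allow outbound web" rule are constructed for the example.

```python
"""Stateless packet filtering versus stateful inspection, as a toy model.

Constructed example: the Packet type, the addresses and the rule set are
invented for illustration; this is not ISA Server code.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str        # source IP
    sport: int      # source port
    dst: str        # destination IP
    dport: int      # destination port
    syn: bool       # TCP SYN set: a new connection attempt
    inbound: bool   # True if the packet arrives from the external network


# The one policy both filters implement: internal hosts may open
# connections to external web servers (TCP/80); nothing else outbound.
ALLOWED_OUTBOUND_PORTS = {80}


def stateless_allow(pkt: Packet) -> bool:
    """Classic packet filter: looks at this packet's addresses and ports only.
    To let web replies back in, it has to accept every inbound packet whose
    source port is 80, whether or not anyone inside asked for it."""
    if not pkt.inbound:
        return pkt.dport in ALLOWED_OUTBOUND_PORTS
    return pkt.sport in ALLOWED_OUTBOUND_PORTS


class StatefulFilter:
    """Remembers connections opened from inside; an inbound packet is allowed
    only when it matches one of them. Everything else is denied by default."""

    def __init__(self) -> None:
        # Entries are (internal ip, internal port, external ip, external port)
        self.table: Set[Tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            if pkt.dport not in ALLOWED_OUTBOUND_PORTS:
                return False
            if pkt.syn:  # record the new connection so its replies can return
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound packets are replies, so the tuple is looked up reversed
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


def compare() -> dict:
    """Run three constructed packets through both filters and return the verdicts."""
    stateful = StatefulFilter()
    outbound = Packet("10.0.0.5", 40000, "203.0.113.10", 80, syn=True, inbound=False)
    reply = Packet("203.0.113.10", 80, "10.0.0.5", 40000, syn=False, inbound=True)
    # Nobody inside opened this: an unsolicited connection to an internal file server
    unsolicited = Packet("198.51.100.7", 80, "10.0.0.9", 445, syn=True, inbound=True)
    packets: List[Packet] = [outbound, reply, unsolicited]
    return {
        "stateless": [stateless_allow(p) for p in packets],
        "stateful": [stateful.allow(p) for p in packets],
    }


if __name__ == "__main__":
    print(compare())
```

Both filters pass the outbound request and its reply, but only the stateful one refuses the unsolicited inbound packet, because it has no matching entry in its connection table. Neither filter looks inside the HTTP payload, which is the gap the application-layer types on the slide exist to close.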
Agenda
Introduction/Defense in Depth
Using Perimeter Defenses
Using ISA Server to Protect Perimeters
Using Windows Firewall to Protect Clients
Protecting Wireless Networks
Protecting Networks by Using IPSec
Protecting Perimeters
ISA Server has full screening capabilities:
 Packet filtering
 Stateful inspection
 Application-level inspection
ISA Server blocks all network traffic unless you allow it
ISA Server is ICSA and Common Criteria certified
Protecting Clients
 Proxy functions: processes all requests for clients and never allows direct connections.
 Client support: support for all clients without special software. Installation of the ISA Firewall software allows for greater functionality.
 Rules: protocol rules, site and content rules, and publishing rules determine whether access is allowed.
 Add-ons
Protecting Web Servers
Web Publishing Rules
 Protect Web servers behind the firewall from external attacks by inspecting HTTP traffic and ensuring it is properly formatted and complies with standards.
Inspection of SSL traffic
 Inspects incoming encrypted Web requests for proper formatting and standards compliance.
 Will optionally re-encrypt the traffic before sending it to your Web server.
URLScan
 ISA Server Feature Pack 1 includes URLScan 2.5 for ISA Server
 Allows the URLScan ISAPI filter to be applied at the network perimeter
  General blocking for all Web servers behind the firewall
  Perimeter blocking for known and newly discovered attacks
[Diagram: ISA Server in front of Web Server 1, Web Server 2, and Web Server 3]
Protecting Exchange Server
 Mail Publishing Wizard: configures ISA Server rules to securely publish internal mail services to external users.
 Message Screener: screens e-mail messages that enter the internal network.
 RPC Publishing: secure native protocol access for Outlook clients.
 OWA Publishing: provides protection for remote Outlook users accessing Exchange Server over untrusted networks without a VPN.
Demonstration 1
Application-Layer Inspection in
ISA Server
URL Scan
Web Publishing
Message Screener
Traffic that Bypasses Firewall Inspection
SSL tunnels through traditional firewalls because it is encrypted, which allows viruses and worms to pass through undetected and infect internal servers.
VPN traffic is encrypted and can’t be inspected
Instant Messenger (IM) traffic often is not inspected and may be used to transfer files in addition to being used for messaging.
Inspecting All Traffic
Use intrusion detection and other mechanisms to inspect VPN traffic after it has been decrypted
Remember: Defense in Depth
Use a firewall that can inspect SSL traffic
Expand the inspection capabilities of your firewall
Use firewall add-ons to inspect IM traffic
SSL Inspection
SSL tunnels through traditional firewalls because it is encrypted, which allows viruses and worms to pass through undetected and infect internal servers.
ISA Server pre-authenticates users, eliminating multiple dialog boxes and allowing only valid traffic through.
ISA Server can decrypt and inspect SSL traffic. Inspected traffic can be sent to the internal server re-encrypted or in the clear.
[Diagram: Client, Internet, ISA Server with Feature Pack 1, Internal Server]
Demonstration 2
SSL Inspection in ISA Server
ISA Server Hardening
Secure your Server Wizard
Review Bastion Host information in Security Guides
Disable unnecessary services
Harden the Network Stack
Disable unnecessary network protocols on the external network interface:
 File and print sharing
 Client for Microsoft Networks
 NetBIOS over TCP/IP
Best Practices
Use access rules that only allow requests that are specifically allowed
Use ISA Server’s authentication capabilities to restrict and log Internet access
Configure Web publishing rules only for specific URLs
Use SSL Inspection to inspect encrypted data that is entering your network
Demonstration 3
Internet Connection Firewall (ICF)
Configuring ICF Manually
Testing ICF
Reviewing ICF Log Files
Configuring Group Policy Settings
Agenda
Introduction/Defense in Depth
Using Perimeter Defenses
Using ISA Server to Protect Perimeters
Using Windows Firewall to Protect Clients
Protecting Wireless Networks
Protecting Networks by Using IPSec
New Security Features in Windows Firewall
 On by default
 On with no exceptions
 Boot-time security
 Windows Firewall exceptions list
 Global configuration and restore defaults
 Multiple profiles
 Local subnet restrictions
 Command-line support
 RPC support
 Unattended setup support
Configuring Windows Firewall for Antivirus Defense
Agenda
Introduction/Defense in Depth
Using Perimeter Defenses
Using ISA Server to Protect Perimeters
Using Windows Firewall to Protect Clients
Protecting Wireless Networks
Protecting Networks by Using IPSec
Wireless Security Issues
Limitations of Wired Equivalent Privacy (WEP)
 WEP is inherently weak due to poor key exchange.
 WEP keys are not dynamically changed and are therefore vulnerable to attack.
 No method for provisioning WEP keys to clients.
Limitations of MAC Address Filtering
 Scalability: must be administered and propagated to all APs. The list may have a size limit.
 No way to associate a MAC to a username.
 A user could neglect to report a lost card.
 An attacker could spoof an allowed MAC address.
Possible Solutions
VPN Connectivity
 PPTP
 L2TP
 Third Party
IPSec
 Many vendors
Password-based Layer 2 Authentication
 Cisco LEAP
 RSA/Secure ID
 IEEE 802.1x PEAP/MSCHAP v2
Certificate-based Layer 2 Authentication
 IEEE 802.1x EAP/TLS
WLAN Security Comparisons
WLAN Security Type | Security Level | Ease of Deployment | Usability and Integration
IEEE 802.11        | Low            | High               | High
VPN                | Medium         | Medium             | Low
Password-based     | Medium         | Medium             | High
IPSec              | High           | Low                | Low
IEEE 802.1x TLS    | High           | Low                | High
802.1X
Defines a port-based access control mechanism
 Works on anything, wired and wireless
 Access point must support 802.1X
 No special encryption key requirements
Allows a choice of authentication methods using EAP
 Chosen by peers at authentication time
 Access point doesn’t care about EAP methods
Manages keys automatically
 No need to preprogram wireless encryption keys
802.1X using EAP/TLS or MSCHAPv2
[Diagram: a laptop holding a user/machine certificate authenticates through an 802.11/802.1X access point to a RADIUS (IAS) server holding a server certificate; the domain behind it contains a domain controller, DHCP, Exchange, a file server, and a certification authority. Numbered steps 1 to 7 mark the exchange between the laptop, the access point, and the RADIUS server]
Wi-Fi Protected Access (WPA)
A specification of standards-based, interoperable security enhancements that strongly increase the level of data protection and access control for existing and future wireless LAN systems
Goals
 Enhanced data encryption
 Provide user authentication
 Be forward compatible with 802.11i
 Provide a non-RADIUS solution for small/home offices (WPA-PSK)
Products shipping
Best Practices
Use 802.1x authentication
Organize wireless users and computers into groups
Apply wireless access policies using Group Policy
Use EAP/TLS and 128-bit WEP
Set clients to force user authentication as well as machine authentication
Develop a method to manage rogue APs, such as LAN-based 802.1x authentication and wireless sniffers.
What Firewalls Do NOT Protect Against
Malicious traffic that is passed on open ports and not inspected by the firewall
Any traffic that passes through an encrypted tunnel or session
Attacks after a network has been penetrated
Traffic that appears legitimate
Users and administrators who intentionally or accidentally install viruses
Administrators who use weak passwords
Understanding Application and Database Attacks
Common application and database attacks include:
Buffer overruns:
Write applications in managed code
SQL injection attacks:
Validate input for correct size and type
Attacks: Buffer Overflow
Aka the “Boundary Condition Error”: stuff more data into a buffer than it can handle. The resulting overflowed data “falls” into a precise location and is executed by the system
 Local overflows are executed while logged into the target system
 Remote overflows are executed by processes running on the target that the attacker “connects” to
Result: commands are executed at the privilege level of the overflowed program
Attacks: Input Validation
A process does not “strip” input before processing it, i.e. special shell characters such as semicolon and pipe symbols
An attacker provides data in unexpected fields, i.e. SQL database parameters
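The two slides above give the defence in one line each: validate input for correct size and type, and do not let data reach the query unchecked. The following is an added example, not from the session and not ISA Server or SQL Server code: a lookup that pastes its parameter into the SQL text, beside one that validates the parameter's size and type and then passes it as a bound parameter. An in-memory SQLite table stands in for the SQL Server database of the case study; the table, rows and the tampered value are constructed for the example.

```python
"""Input validation and parameterized queries versus string concatenation.

Constructed example: an in-memory SQLite table stands in for the session's
SQL Server database; the rows and the tampered input are invented.
"""
import re
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Build the constructed customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        (1, "Ada", "ada@example.test"),
        (2, "Bob", "bob@example.test"),
    ])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, customer_id: str) -> List[Tuple]:
    """'Before' version: the parameter becomes part of the SQL text, so a value
    that is not a number changes the query itself instead of the data it selects."""
    sql = f"SELECT id, name FROM customers WHERE id = {customer_id}"
    return conn.execute(sql).fetchall()


# Correct size and type: a customer id is one to nine decimal digits, nothing else
ID_PATTERN = re.compile(r"^[0-9]{1,9}$")


def validate_id(customer_id: str) -> int:
    """Reject anything that is not a small positive integer before it reaches SQL."""
    if not ID_PATTERN.match(customer_id):
        raise ValueError(f"invalid customer id: {customer_id!r}")
    return int(customer_id)


def lookup_safe(conn: sqlite3.Connection, customer_id: str) -> List[Tuple]:
    """Validated input plus a parameterized query: the value travels as data,
    never as SQL, so even an input that slipped past validation could not
    alter the statement."""
    cid = validate_id(customer_id)
    return conn.execute("SELECT id, name FROM customers WHERE id = ?", (cid,)).fetchall()


def demo() -> dict:
    """Run the same normal and tampered inputs through both lookups."""
    conn = make_db()
    tampered = "1 OR 1=1"  # constructed: data of the wrong type in a numeric field
    results = {
        "unsafe_normal": lookup_unsafe(conn, "1"),
        "unsafe_tampered": lookup_unsafe(conn, tampered),
        "safe_normal": lookup_safe(conn, "1"),
    }
    try:
        lookup_safe(conn, tampered)
        results["safe_tampered"] = "accepted"
    except ValueError:
        results["safe_tampered"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the tampered value the unsafe lookup returns every row, because the input was interpreted as SQL; the safe lookup refuses it at validation, and the bound parameter would have kept it inert even if validation were missing. Validation and parameterization are separate layers, in the spirit of the defense-in-depth slide.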
Implementing Application Layer Filtering
Application layer filtering includes the following:
Web browsing and e-mail can be scanned to ensure that content specific to each does not contain illegitimate data
Deep content analysis, including the ability to detect, inspect, and validate traffic using any port and protocol
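The Web publishing and URLScan slides earlier, and the application-layer filtering slide here, both describe the same idea: look inside the HTTP request and reject anything that is malformed or outside policy before it reaches the Web server. The following is an added example, not from the session and not URLScan or ISA Server code: a small inspector in the spirit of those checks, with a constructed policy (allowed methods, URL length, denied URL sequences and file extensions, and a normalization check) run over four constructed requests.

```python
"""Toy application-layer inspection of an HTTP request, in the spirit of the
URLScan and Web publishing rule checks described in the session.

Constructed example: POLICY values and the sample requests are invented for
illustration; this is not URLScan's configuration format or ISA Server code.
"""
from typing import Dict, List, Tuple
from urllib.parse import unquote

POLICY = {
    "allowed_methods": {"GET", "HEAD", "POST"},
    "max_url_length": 260,
    "max_header_length": 1024,
    "denied_extensions": {".exe", ".dll", ".bat"},
    # Sequences that have no business in a published URL: directory traversal,
    # backslash path separators, and colons (alternate stream / drive syntax)
    "denied_sequences": ["..", "./", "\\", ":"],
}


def inspect_request(raw: bytes) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Anything that is not well-formed HTTP/1.x is
    denied outright; a well-formed request is denied if it breaks POLICY."""
    reasons: List[str] = []
    try:
        text = raw.decode("ascii")  # HTTP/1.x headers are ASCII; anything else is malformed
    except UnicodeDecodeError:
        return False, ["non-ASCII bytes in request"]

    head, _, _body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return False, ["malformed request line"]
    method, url, _version = parts

    if method not in POLICY["allowed_methods"]:
        reasons.append(f"method {method} not allowed")
    if len(url) > POLICY["max_url_length"]:
        reasons.append("URL too long")

    # Normalize once, then verify a second decode changes nothing (double encoding)
    path = url.split("?", 1)[0]
    decoded = unquote(path)
    if unquote(decoded) != decoded:
        reasons.append("double-encoded URL")
    for seq in POLICY["denied_sequences"]:
        if seq in decoded:
            reasons.append(f"denied sequence {seq!r} in URL")
    last = decoded.rsplit("/", 1)[-1]
    ext = ("." + last.rsplit(".", 1)[-1].lower()) if "." in last else ""
    if ext in POLICY["denied_extensions"]:
        reasons.append(f"denied extension {ext}")

    for header in lines[1:]:
        if ":" not in header:
            return False, ["malformed header line"]
        if len(header) > POLICY["max_header_length"]:
            reasons.append("header too long")
    return (not reasons), reasons


# Constructed sample requests: one legitimate, three that policy should stop
SAMPLES: Dict[str, bytes] = {
    "normal": b"GET /products/list.aspx?id=7 HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "traversal": b"GET /images/..%2f..%2fweb.config HTTP/1.0\r\nHost: www.example.test\r\n\r\n",
    "bad_method": b"TRACE / HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "garbage": b"\xff\xfe\x00 not http at all",
}


def inspect_all() -> Dict[str, Tuple[bool, List[str]]]:
    """Inspect every sample and return its verdict and reasons."""
    return {name: inspect_request(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (allowed, reasons) in inspect_all().items():
        print(f"{name}: {'allow' if allowed else 'deny'} {reasons}")
```

The inspector decodes the URL before matching, so the percent-encoded traversal is caught as the ".." it really is; a stateful or packet-filtering firewall, which sees only addresses and ports, would have passed the same request to the Web server untouched. The reasons list is what a perimeter log should carry so that a blocked request can be explained later.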
Session Summary
Introduction/Defense in Depth
Using Perimeter Defenses
Using ISA Server to Protect Perimeters
Using ICF to Protect Clients
Protecting Wireless Networks
Questions and Answers