Implementing Network and Perimeter Security
Prerequisite Knowledge
Understanding of network security essentials
Hands-on experience with Windows® 2000 Server or Windows Server™ 2003
Experience with Windows management tools
Level 300
Agenda
Introduction
Using Perimeter Defenses
Using Microsoft® Internet Security and Acceleration (ISA) Server to Protect Perimeters
Using Internet Connection Firewall (ICF) to Protect Clients
Protecting Wireless Networks
Protecting Communications by Using IPSec
Defense in Depth
Using a layered approach:
Increases an attacker’s risk of detection
Reduces an attacker’s chance of success
Layers (outermost to innermost) and example controls:
Policies, Procedures, & Awareness: user education
Physical Security: guards, locks, tracking devices
Perimeter: firewalls, VPN quarantine
Internal Network: network segments, IPSec, NIDS
Host: OS hardening, update management, authentication, HIDS
Application: application hardening, antivirus
Data: ACL, encryption
Purpose and Limitations of Perimeter Defenses
Properly configured firewalls and border routers are the cornerstone for perimeter security
The Internet and mobility increase security risks
VPNs have softened the perimeter and, along with wireless networking, have essentially caused the disappearance of the traditional concept of network perimeter
Traditional packet-filtering firewalls block only network ports and computer addresses
Most modern attacks occur at the application layer
Purpose and Limitations of Client Defenses
Client defenses block attacks that bypass perimeter defenses or originate on the internal network
Client defenses include, among others:
Operating system hardening
Antivirus software
Personal firewalls
Client defenses require configuring many computers
In unmanaged environments, users may bypass client defenses
Purpose and Limitations of Intrusion Detection
Detects the pattern of common attacks, records suspicious traffic in event logs, and/or alerts administrators
Threats and vulnerabilities are constantly evolving, which leaves systems vulnerable until a new attack is known and a new signature is created and distributed
Goals of Network Security
Goals: Perimeter Defense, Client Defense, Intrusion Detection, Network Access Control, Confidentiality, Secure Remote Access
Technologies: ISA Server, ICF, 802.1x / WPA, IPSec
(Matrix slide: each technology is marked against the goals it addresses)
Using Perimeter Defenses
Perimeter Connections Overview
Network perimeters include connections to:
The Internet
Branch offices
Business partners
Remote users
Wireless networks
Internet applications
(Diagram: the main office LAN connected through the Internet to a business partner LAN, a branch office LAN, a remote user, and a wireless network)
Firewall Design: Three-Homed
(Diagram: a single firewall with three interfaces, connecting the Internet, a screened subnet, and the LAN)
Firewall Design: Back-to-Back
(Diagram: an external firewall between the Internet and the screened subnet, and an internal firewall between the screened subnet and the LAN)
What Firewalls Do NOT Protect Against
Malicious traffic that is passed on open ports and not inspected at the application layer by the firewall
Any traffic that passes through an encrypted tunnel or session
Attacks after a network has been penetrated
Traffic that appears legitimate
Users and administrators who intentionally or accidentally install viruses
Administrators who use weak passwords
Software vs. Hardware Firewalls
Decision factors and descriptions:
Flexibility: Updating for the latest vulnerabilities and patches is often easier with software-based firewalls.
Extensibility: Many hardware firewalls allow only limited customizability.
Choice of vendors: Software firewalls allow you to choose from hardware for a wide variety of needs, and there is no reliance on a single vendor for additional hardware.
Cost: Initial purchase price for hardware firewalls might be less. Software firewalls take advantage of low CPU costs. The hardware can be easily upgraded, and old hardware can be repurposed.
Complexity: Hardware firewalls are often less complex.
Overall suitability: The most important decision factor is whether a firewall can perform the required tasks. Often the lines between hardware and software firewalls are blurred.
Types of Firewall Functions
Packet Filtering
Stateful Inspection
Application-Layer Inspection
Multi-layer Inspection (Including Application-Layer Filtering)
(Diagram: traffic from the Internet passing through each type of inspection)
Using ISA Server to Protect Perimeters
(Goals of Network Security matrix: ISA Server provides basic intrusion detection, extended by partners)
Protecting Perimeters
ISA Server has full screening capabilities:
Packet filtering
Stateful inspection
Application-level inspection
ISA Server blocks all network traffic unless you allow it
ISA Server provides secure VPN connectivity
ISA Server is ICSA certified and Common Criteria certified
Protecting Clients
Methods and descriptions:
Proxy functions: Processes all requests for clients and never allows direct connections.
Client support: Support for all clients without special software. Installation of ISA Firewall software on Windows clients allows for greater functionality.
Rules: Protocol Rules, Site and Content Rules, and Publishing Rules determine if access is allowed.
Add-ons:
Protecting Web Servers
Web Publishing Rules: Protect Web servers behind the firewall from external attacks by inspecting HTTP traffic and ensuring that it is properly formatted and complies with standards
Inspection of Secure Sockets Layer (SSL) traffic: Decrypts and inspects incoming encrypted Web requests for proper formatting and standards compliance; will optionally re-encrypt the traffic before sending it to your Web server
URLScan: ISA Server Feature Pack 1 includes URLScan 2.5 for ISA Server; allows the URLScan ISAPI filter to be applied at the network perimeter; general blocking for all Web servers behind the firewall; perimeter blocking for known and newly discovered attacks
(Diagram: ISA Server in front of Web Server 1, Web Server 2, and Web Server 3)
Protecting Exchange Server
Methods and descriptions:
Mail Publishing Wizard: Configures ISA Server rules to securely publish internal mail services to external users
Message Screener: Screens SMTP e-mail messages that enter the internal network
RPC Publishing: Secures native protocol access for Microsoft Outlook® clients
OWA Publishing: Provides protection of the OWA front-end for remote Outlook users accessing Microsoft Exchange Server over untrusted networks without a VPN
Traffic That Bypasses Firewall Inspection
SSL tunnels through traditional firewalls because it is encrypted, which allows viruses and worms to pass through undetected and infect internal servers
VPN traffic is encrypted and cannot be inspected
Instant Messenger (IM) traffic often is not inspected and might be used to transfer files
Inspecting All Traffic
Use intrusion detection and other mechanisms to inspect VPN traffic after it has been decrypted
Remember: Defense in Depth
Use a firewall that can inspect SSL traffic
Expand the inspection capabilities of your firewall
Use firewall add-ons to inspect IM traffic
SSL Inspection
SSL tunnels through traditional firewalls because it is encrypted, which allows viruses and worms to pass through undetected and infect internal servers.
ISA Server can decrypt and inspect SSL traffic. Inspected traffic can be sent to the internal server re-encrypted or in the clear.
ISA Server Hardening
Harden the network stack
Disable unnecessary network protocols on the external network interface:
Client for Microsoft Networks
File and Printer Sharing for Microsoft Networks
NetBIOS over TCP/IP
Best Practices
Use access rules that only allow requests that are specifically allowed
Use ISA Server’s authentication capabilities to restrict and log Internet access
Configure Web publishing rules only for specific destination sets
Use SSL Inspection to inspect encrypted data that is entering your network
Using ICF to Protect Clients
Overview of ICF
What it is: Internet Connection Firewall in Microsoft Windows XP and Microsoft Windows Server 2003
What it does: Helps stop network-based attacks, such as Blaster, by blocking all unsolicited inbound traffic
Key features: Ports can be opened for services running on the computer; enterprise administration through Group Policy
Enabling ICF
Enabled by selecting one check box, by the Network Setup Wizard, or by the New Connection Wizard
Enabled separately for each network connection
ICF Advanced Settings: network services, Web-based applications
ICF Security Logging: logging options, log file options
ICF in the Enterprise
Configure ICF by using Group Policy
Combine ICF with Network Access Quarantine Control
Best Practices
Use ICF for home offices and small businesses to provide protection for computers directly connected to the Internet
Do not turn on ICF for a VPN connection (but do enable ICF for the underlying LAN or dial-up connection)
Configure service definitions for each ICF connection through which you want the service to work
Set the size of the security log to 16 megabytes to prevent an overflow that might be caused by denial-of-service attacks
Protecting Wireless Networks
Wireless Security Issues
Limitations of Wired Equivalent Privacy (WEP):
Static WEP keys are not dynamically changed and therefore are vulnerable to attack.
There is no standard method for provisioning static WEP keys to clients.
Scalability: compromise of a static WEP key by anyone exposes everyone.
Limitations of MAC address filtering:
An attacker could spoof an allowed MAC address.
Possible Solutions
Password-based Layer 2 authentication: IEEE 802.1x PEAP/MSCHAP v2
Certificate-based Layer 2 authentication: IEEE 802.1x EAP-TLS
Other options:
VPN connectivity: L2TP/IPsec (preferred) or PPTP; does not allow for roaming; useful when using public wireless hotspots; no computer authentication or processing of computer settings in Group Policy
IPSec: interoperability issues
WLAN Security Comparisons
WLAN Security Type    Security Level   Ease of Deployment   Usability and Integration
Static WEP            Low              High                 High
IEEE 802.1X PEAP      High             Medium               High
IEEE 802.1X TLS       High             Low                  High
VPN (L2TP/IPSec)      High             Medium               Low
IPSec                 High             Low                  Low
802.1x
Defines a port-based access control mechanism
Allows a choice of authentication methods using the Extensible Authentication Protocol (EAP): chosen by peers at authentication time; the access point doesn’t care about EAP methods
Works on anything, wired or wireless
No special encryption key requirements
Manages keys automatically: no need to preprogram wireless encryption keys
802.1x on 802.11
Participants: Laptop Computer (supplicant), Wireless Access Point (authenticator), RADIUS Server. The laptop and the access point communicate over 802.11 (EAPOL); the access point and the RADIUS server communicate over Ethernet (RADIUS).
1. 802.11 Associate: association completes, but access is blocked
2. Laptop -> Access Point: EAPOL-Start
3. Access Point -> Laptop: EAP-Request/Identity
4. Laptop -> Access Point: EAP-Response/Identity; Access Point -> RADIUS: Radius-Access-Request
5. RADIUS -> Access Point: Radius-Access-Challenge; Access Point -> Laptop: EAP-Request
6. Laptop -> Access Point: EAP-Response (credentials); Access Point -> RADIUS: Radius-Access-Request
7. RADIUS -> Access Point: Radius-Access-Accept; Access Point -> Laptop: EAP-Success
8. Access Point -> Laptop: EAPOL-Key (Key); access allowed
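The exchange above modelled in Python, as an added example that is not part of the original deck: the access point relays EAP between the laptop and the RADIUS server without interpreting the method, drops data frames while the controlled port is blocked, and opens the port only on Access-Accept. The classes, the one-entry user store and the credential comparison are constructed stand-ins, not a real EAP method.

```python
# Constructed one-entry user store; a real IAS server would check Active Directory.
RADIUS_USERS = {"alice": "s3cret"}

class Supplicant:
    """Laptop side: answers the EAP requests the access point relays to it."""
    def __init__(self, identity, credential):
        self.identity, self.credential, self.key = identity, credential, None

    def eap(self, request):
        if request == "EAP-Request/Identity":
            return ("EAP-Response/Identity", self.identity)
        if request == "EAP-Request":                 # method-specific challenge
            return ("EAP-Response", self.credential)
        raise ValueError(f"unexpected EAP message {request!r}")

class RadiusServer:
    """Terminates EAP; returns (RADIUS code, EAP message for the client)."""
    def __init__(self):
        self.identity_for = {}                       # session -> claimed identity

    def access_request(self, session, eap_type, payload):
        if eap_type == "EAP-Response/Identity":
            self.identity_for[session] = payload
            return ("Access-Challenge", "EAP-Request")
        identity = self.identity_for.get(session)
        if identity is not None and RADIUS_USERS.get(identity) == payload:
            return ("Access-Accept", "EAP-Success")
        return ("Access-Reject", "EAP-Failure")

class AccessPoint:
    """Authenticator: relays EAP opaquely and acts only on the RADIUS code."""
    def __init__(self, radius):
        self.radius, self.port_open, self.trace = radius, False, []

    def forward_data(self, frame):
        """Controlled port: data frames are dropped until authentication succeeds."""
        self.trace.append(("data", frame, "forwarded" if self.port_open else "dropped"))
        return self.port_open

    def authenticate(self, supplicant):
        self.trace += ["802.11 Associate (access blocked)", "EAPOL-Start"]
        eap_type, payload = supplicant.eap("EAP-Request/Identity")
        while True:
            code, eap_msg = self.radius.access_request(id(supplicant), eap_type, payload)
            self.trace.append((f"RADIUS {code}", eap_msg))
            if code == "Access-Challenge":           # relay; content is opaque to the AP
                eap_type, payload = supplicant.eap(eap_msg)
                continue
            if code == "Access-Accept":
                self.port_open = True
                supplicant.key = "constructed-session-key"   # delivered via EAPOL-Key
                self.trace.append("EAPOL-Key (Key); access allowed")
            return self.port_open
```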
System Requirements for 802.1x
Client: Windows XP
Server: Windows Server 2003 IAS (Internet Authentication Service, Microsoft’s RADIUS server)
Certificate on the IAS computer
802.1x on Windows 2000
Client and IAS must have SP3 (see KB article 313664)
No zero-configuration support in the client
Supports only EAP-TLS and MS-CHAPv2
Future EAP methods in Windows XP and Windows Server 2003 might not be backported
802.1x Setup
1. Configure Windows Server 2003 with IAS
2. Join a domain
3. Enroll computer certificate
4. Register IAS in Active Directory
5. Configure RADIUS logging
6. Add AP as RADIUS client
7. Configure AP for RADIUS and 802.1x
8. Create wireless client access policy
9. Configure clients (don’t forget to import the root certificate)
Access Policy
Policy conditions:
NAS-Port-Type matches "Wireless IEEE 802.11" OR "Wireless Other"
Windows-Groups = <some group in AD> (optional; allows administrative control; should contain user and computer accounts)
Access Policy Profile
Time-out: 60 min. (802.11b) or 10 min. (802.11a/g)
No regular authentication methods
EAP type: Protected EAP; use computer certificate
Encryption: only strongest (MPPE 128-bit)
Attributes: Ignore-User-Dialin-Properties = True
Wi-Fi Protected Access (WPA)
A specification of standards-based, interoperable security enhancements that strongly increase the level of data protection and access control for existing and future wireless LAN systems
WPA requires 802.1x authentication for network access
Goals:
Enhanced data encryption
Provide user authentication
Be forward compatible with 802.11i
Provide a non-RADIUS solution for small/home offices
The Wi-Fi Alliance began certification testing for interoperability of WPA products in February 2003
Best Practices
Use 802.1x authentication
Organize wireless users and computers into groups
Apply wireless access policies using Group Policy
Use EAP-TLS for certificate-based authentication and PEAP for password-based authentication
Configure your remote access policy to support user authentication as well as machine authentication
Develop a method to deal with rogue access points, such as LAN-based 802.1x authentication, site surveys, network monitoring, and user education
Protecting Communications by Using IPSec
Overview of IPSec
What is IP Security (IPSec)?
A method to secure IP traffic
A framework of open standards developed by the Internet Engineering Task Force (IETF)
Why use IPSec?
To ensure encrypted and authenticated communications at the IP layer
To provide transport security that is independent of applications or application-layer protocols
IPSec Scenarios
Basic permit/block packet filtering
Secure internal LAN communications
Domain replication through firewalls
VPN across untrusted media
Implementing IPSec Packet Filtering
Filters for allowed and blocked traffic
No actual negotiation of IPSec security associations
Overlapping filters: the most specific match determines the action
Does not provide stateful filtering
Must set "NoDefaultExempt = 1" to be secure
Example filter list:
From IP   To IP            Protocol   Src Port   Dest Port   Action
Any       My Internet IP   Any        N/A        N/A         Block
Any       My Internet IP   TCP        Any        80          Permit
Packet Filtering Is Not Sufficient to Protect a Server
Spoofed IP packets containing queries or malicious content can still reach open ports through firewalls
IPSec does not provide stateful inspection
Many hacker tools use source ports 80, 88, 135, and so on, to connect to any destination port
Traffic Not Filtered by IPSec
IP broadcast addresses: cannot secure to multiple receivers
Multicast addresses (224.0.0.0 through 239.255.255.255): cannot secure to multiple receivers
Kerberos (UDP source or destination port 88): Kerberos is a secure protocol, which the Internet Key Exchange (IKE) negotiation service may use for authentication of other computers in a domain
IKE (UDP destination port 500): required to allow IKE to negotiate parameters for IPSec security
Windows Server 2003 configures only the IKE default exemption
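An added example, not from the original deck, that evaluates the two-row filter list from the "Implementing IPSec Packet Filtering" slide together with the default exemptions listed above: the most specific matching filter wins, exempt traffic bypasses the filters entirely, and a second exemption set models NoDefaultExempt = 1 (which, per Microsoft’s description of that registry value, keeps IKE, multicast and broadcast exempt but no longer exempts Kerberos). MY_INTERNET_IP is a placeholder for the slide’s "My Internet IP".

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

MY_INTERNET_IP = "203.0.113.10"   # placeholder for the slide's "My Internet IP"

@dataclass(frozen=True)
class Filter:
    """One row of an IPSec filter list; None means Any."""
    src: Optional[str]
    dst: Optional[str]
    proto: Optional[str]
    sport: Optional[int]
    dport: Optional[int]
    action: str                       # "Permit" or "Block"

    def matches(self, pkt):
        fields = zip((self.src, self.dst, self.proto, self.sport, self.dport),
                     ("src", "dst", "proto", "sport", "dport"))
        return all(f is None or f == pkt[k] for f, k in fields)

    def specificity(self):
        # More non-wildcard fields = more specific; the most specific match wins.
        return sum(f is not None for f in (self.src, self.dst, self.proto, self.sport, self.dport))

# The slide's two overlapping filters: block everything to my Internet IP, except
# that the more specific row permits TCP to destination port 80.
SLIDE_FILTERS = [
    Filter(None, MY_INTERNET_IP, None, None, None, "Block"),
    Filter(None, MY_INTERNET_IP, "TCP", None, 80, "Permit"),
]

# Default exemptions listed on the slide (Windows 2000 behaviour) and the reduced
# set with NoDefaultExempt = 1, which stops exempting Kerberos (port 88) traffic.
DEFAULT_EXEMPT = {"broadcast", "multicast", "kerberos", "ike"}
NO_DEFAULT_EXEMPT_1 = {"broadcast", "multicast", "ike"}

def exemption(pkt):
    """Name the default exemption a packet would fall under, or None."""
    dst = ip_address(pkt["dst"])
    if dst == ip_address("255.255.255.255"):      # limited broadcast only, for brevity
        return "broadcast"
    if dst in ip_network("224.0.0.0/4"):          # 224.0.0.0 through 239.255.255.255
        return "multicast"
    if pkt["proto"] == "UDP" and pkt["dport"] == 500:
        return "ike"
    if pkt["proto"] == "UDP" and 88 in (pkt["sport"], pkt["dport"]):
        return "kerberos"

def evaluate(pkt, filters=SLIDE_FILTERS, exempt=DEFAULT_EXEMPT):
    """Exempt traffic bypasses the filters; otherwise the most specific match decides;
    traffic that no filter matches is passed (no IPSec policy applies to it)."""
    if exemption(pkt) in exempt:
        return "Exempt"
    hits = [f for f in filters if f.matches(pkt)]
    return max(hits, key=Filter.specificity).action if hits else "Permit"
```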
Secure Internal Communications
Use IPSec to provide mutual device authentication
Use certificates or Kerberos; a preshared key is suitable for testing only
Use Authentication Header (AH) to ensure packet integrity
AH provides packet integrity
AH does not encrypt, allowing for network intrusion detection
Use Encapsulating Security Payload (ESP) to encrypt sensitive traffic
ESP provides packet integrity and confidentiality
Encryption prevents packet inspection
Carefully plan which traffic should be secured
IPSec for Domain Replication
Use IPSec for replication through firewalls
On each domain controller, create an IPSec policy to secure all traffic to the other domain controller’s IP address
Use ESP 3DES for encryption
Allow traffic through the firewall:
UDP port 500 (IKE)
IP protocol 50 (ESP)
VPN Across Untrusted Media
Client VPN: use L2TP/IPSec
Branch Office VPN:
Between Windows 2000 or Windows Server running RRAS: use an L2TP/IPSec tunnel (easy to configure, appears as a routable interface)
To a third-party gateway: use L2TP/IPSec or pure IPSec tunnel mode
To a Microsoft Windows NT® 4 RRAS gateway: use PPTP (IPSec not available)
IPSec Performance
IPSec processing has some performance impact:
IKE negotiation time: about 2–5 seconds initially (5 round trips); authentication by Kerberos or certificates; cryptographic key generation and encrypted messages; done once per 8 hours by default, settable
Session rekey is fast: under 1–2 seconds, 2 round trips, once per hour, settable
Encryption of packets
How to improve?
Offloading NICs do IPSec almost at wire speed
Using faster CPUs
Best Practices
Plan your IPSec implementation carefully
Choose between AH and ESP
Use Group Policy to implement IPSec policies
Consider the use of IPSec NICs
Never use shared key authentication outside your test lab
Choose between certificates and Kerberos authentication
Use care when requiring IPSec for communications with domain controllers and other infrastructure servers
Session Summary
Introduction/Defense in Depth
Using Perimeter Defenses
Using ISA Server to Protect Perimeters
Using ICF to Protect Clients
Protecting Wireless Networks
Protecting Networks by Using IPSec
Next Steps
Stay informed and sign up for security bulletins.
Get the latest Microsoft security guidance.
Get further security training.
Get expert help from a Microsoft® Certified Partner.
Microsoft Security Site (all audiences): http://www.microsoft.com/uk/security
TechNet Security Site (IT professionals): http://www.microsoft.com/uk/technet/
MSDN Security Site (developers): http://www.microsoft.com/uk/msdn/