Securing Remote Access and Your Microsoft Applications

Transcript: Securing Remote Access and Your Microsoft Applications

Application and Remote Access Security in Higher Education
Tom Bartlett, CISSP
Security Solutions Specialist
Microsoft Corporation
[email protected]
Higher Education Challenges
- Internal risks pose as much or more of a threat than the Internet
- Unmanageable student machines
- Decentralized management of internal resources
- Difficulty limiting access to resources due to research and educational usage requirements
Firewalls in Higher Education
- Access Control lists and traditional firewalls
- No single entry point to secure
- Internal security zones needed to protect specific groups of users, segments, applications or services
- Need to allow relatively open access, but want to protect against known vulnerabilities and exploits
- Security often being offered as a ‘service’, not a requirement
A Traditional Firewall’s View Of A Packet – unable to protect Applications
- Only packet headers are inspected
- Application layer content appears as “black box”
- Forwarding decisions based on port numbers

  IP Header: Source Address, Dest. Address, TTL, Checksum
  TCP Header: Sequence Number, Source Port, Destination Port, Checksum
  Application Layer Content: ??????????????????????

Legitimate traffic and application layer attacks use identical ports
(Diagram: Internet to Web Servers, all four flows arriving on port 80)
- Expected HTTP Port 80 Traffic
- Unexpected HTTP Port 80 Traffic
- Attacks over Port 80
- Non-HTTP Traffic over port 80
Application Layer Firewall View Of A Packet
- Packet headers and application content are inspected
- Forwarding decisions based on content

  IP Header: Source Address, Dest. Address, TTL, Checksum
  TCP Header: Sequence Number, Source Port, Destination Port, Checksum
  Application Layer Content:
    <html><head><meta http-equiv="content-type"
    content="text/html; charset=UTF-8"><title>MSNBC - MSNBC Front
    Page</title><link rel="stylesheet"

Only legitimate and allowed traffic is processed
(Diagram: Internet to Web Servers)
- Expected HTTP Traffic (allowed)
- Unexpected HTTP Traffic (blocked)
- Attacks (blocked)
- Non-HTTP Traffic (blocked)
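The two packet views above are the whole argument for inspecting content, so here is a small added example (not from the slides and not ISA Server code) that makes the decision rules concrete: a packet filter that sees only the destination port, beside an application-layer filter that parses the HTTP request line, refuses non-HTTP bytes on port 80, and checks the URL against a signature list. The signatures, the method allow-list and the four sample packets are constructed assumptions for illustration.

```python
"""Port-based versus content-based forwarding decisions (added example)."""
import re

# Constructed signatures: patterns an application filter refuses in a request URL.
SIGNATURES = [
    re.compile(rb"\.\./"),                   # path traversal in the URL
    re.compile(rb"<script", re.IGNORECASE),  # script tag smuggled into a URL
]

# HTTP request line per RFC 2616: Method SP Request-URI SP HTTP-Version CRLF
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)\r\n")
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}   # assumed policy for a web server


def traditional_decision(dst_port: int) -> str:
    """A packet filter sees only the headers: anything to port 80 is 'web' and allowed."""
    return "allow" if dst_port == 80 else "deny"


def alf_decision(dst_port: int, payload: bytes) -> str:
    """An application-layer filter also parses the payload before forwarding."""
    if dst_port != 80:
        return "deny: port not published"
    match = REQUEST_LINE.match(payload)
    if match is None:
        return "deny: non-HTTP traffic on port 80"
    method, uri = match.group(1), match.group(2)
    if method not in ALLOWED_METHODS:
        return "deny: disallowed HTTP method"
    for signature in SIGNATURES:
        if signature.search(uri):
            return "deny: signature match"
    return "allow"


# Constructed sample packets: all four arrive on port 80, so the packet filter
# cannot tell them apart, while the application filter can.
SAMPLES = {
    "expected HTTP": b"GET /index.html HTTP/1.1\r\nHost: www.example.edu\r\n\r\n",
    "unexpected method": b"TRACE / HTTP/1.1\r\nHost: www.example.edu\r\n\r\n",
    "attack over port 80": b"GET /../../secret HTTP/1.0\r\n\r\n",
    "non-HTTP over port 80": b"\x13BitTorrent protocol" + b"\x00" * 8,
}


def compare(samples=SAMPLES) -> dict:
    """Return {label: (packet-filter verdict, application-filter verdict)}."""
    return {label: (traditional_decision(80), alf_decision(80, payload))
            for label, payload in samples.items()}


if __name__ == "__main__":
    for label, (packet_filter, alf) in compare().items():
        print(f"{label:24} packet filter: {packet_filter:6} ALF: {alf}")
```

Running the script prints four rows in which the packet filter says "allow" every time and the application filter allows only the first, which is exactly the gap the two slides illustrate.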
Application Layer Firewalls (ALF) and ISA Server 2004
- IP/Port filtering is not enough anymore
  - HTTP/S has become the carrier protocol of the internet – Music/File swapping, IM, RPC over HTTP, Intranet Portals, SSL capabilities in Yukon and Longhorn.
  - Most exploits are occurring at the Application Layer
- ISA 2004 application filtering framework
  - Built in filters for common protocols
  - Built in capabilities for advanced protection of many major MS solutions including Exchange, IIS, IE, Intranet & RPC solutions
  - Solutions focused approach, ease of extensibility, rich partner community and product roadmap
- Application Layer Inspection is useless without the ability to set app level security policies and make intelligent decisions based on what you are looking at!
Security: Defense In Depth
(Layers, outermost first: Perimeter Defenses, Network Defenses, Host Defenses, Application Defenses, Data and Resources)

Defense in Depth
- Protecting Networks
- Protecting Clients
- Providing secure access to applications
- Secure and manageable remote access
Engineering Excellence
- Threat modeling
- Third-party code inspection
- In Evaluation for CC EAL4+
- Unused features off by default
- Reduce attack surface area
- Least Privilege
- Deployment Kits and Guidance documents!
- Network Templates and Wizards
- Management and Monitoring Tools
- Newsgroup Support
- Microsoft Security Summits
- Third-party support
Protecting Networks with ISA Server 2004
- Enterprise Class Firewall capabilities
- Application layer inspection allows more advanced and intelligent management of traffic
- Network Segmentation for layered protections
  - Allows mitigation against worm outbreaks internally
  - Secure specific sets of resources, applications or services
- Protecting and securely connecting Remote Locations
Securing the traffic Internally
- Limit traffic between segments to a specific number of connections, specific types of traffic and access to specific resources
- Certain ports will have to be opened for standard communication between segments or to resources
- Application layer inspection provides the ability to allow approved traffic – while still identifying and blocking exploits and inappropriate content that should be blocked

Network Segmentation
(Diagram: separate segments for Labs, Student Machines, and Other unmanaged segments)
Protecting Your Clients
- Application Layer protection for inbound and outbound traffic
  - HTTP inspection and Signature blocking
  - Protect from browser vulnerabilities
- Can be deployed in a service oriented single NIC configuration
- Monitoring, Reporting and Managing Access based on User, Group, Computer, etc.
- Caching
- URL and Domain based filtering
- Transparent Authentication capabilities
- Partner Add-ons

HTTP Filtering to protect clients
- HTTP filtering can be used to protect web browsers
(Diagram: an Internal Client browsing the Internet reaches www.BADSITE.com, which returns a browser EXPLOIT; the Exploit is Blocked at ISA)
Host Isolation
- Windows XP Service Pack 2
- Windows Server 2003 Service Pack 1
- Microsoft Windows AntiSpyware
- Software Restriction Policies
- Future: Network Access Protection

Protecting and Providing Secure Access to Applications and Services
Example: Securing Exchange Services
How Exchange RPC Works
(Diagram: RPC Client (Outlook) talking to RPC Server (Exchange))
1. The RPC server maintains a table of Universally Unique Identifiers (UUID) and assigned ports
2. The client connects to TCP port 135 on the server to query for the port associated with a UUID
3. The server responds with the associated port
4. The client reconnects to the server on the designated port to access Exchange

Endpoint table shown on the slide:
Service             | UUID                                   | Port
Exchange Info Store | {0E4A0156-DD5D-11D2-8C2F00CD4FB6BCDE}  | 4402
Active Directory    | {E35114235-4B06-11D1-AB0400C04C2DCD2}  | 3544
Performance Monitor | {A00C021C-2BE2-11D2-B6780000F87A8F8E}  | 9233
RPC and Traditional Firewalls
(Diagram: RPC Client (Outlook) to RPC Server (Exchange) through a traditional firewall)
- Open port 135 for incoming traffic
- Open every port that RPC might use for incoming traffic
- Traditional firewalls can’t provide secure RPC access

RPC and ISA Server
(Diagram: RPC Client (Outlook) to RPC Server (Exchange) through ISA Server)
- Initial connection: Only allows valid RPC traffic
  - Blocks non-Exchange queries
- Secondary connection: Only allows connection to port used by Exchange
  - Enforces encryption
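To show what the four numbered steps mean for a firewall, here is an added simulation (not ISA Server's RPC filter, and not the real DCE/RPC wire format) of an endpoint-mapper-aware filter beside the rule a traditional packet filter is forced into. The filter passes port-135 queries only for a published interface, reads the port the server hands back to that client, and then opens exactly that port for the secondary connection, requiring an encrypted binding. The interface names are constructed stand-ins for real UUIDs; the ports 4402, 3544 and 9233 are the ones in the slide's table.

```python
"""Endpoint-mapper-aware RPC filtering, simulated (added example)."""
from dataclasses import dataclass, field

# Constructed stand-ins for the interface UUIDs in the endpoint mapper table.
EXCHANGE_STORE = "uuid:exchange-information-store"
ACTIVE_DIRECTORY = "uuid:active-directory"
PERF_MONITOR = "uuid:performance-monitor"

# Step 1: the RPC server's table of interface UUID -> dynamically assigned port.
EPM_TABLE = {EXCHANGE_STORE: 4402, ACTIVE_DIRECTORY: 3544, PERF_MONITOR: 9233}
EPM_PORT = 135


def traditional_rpc_rule(dst_port: int) -> bool:
    """What a packet filter must do to let RPC through at all: open port 135
    plus the whole dynamic range any interface might be assigned."""
    return dst_port == EPM_PORT or 1024 <= dst_port <= 65535


@dataclass
class RpcFilter:
    """State kept by an application-layer RPC filter."""
    published_uuids: set                            # interfaces clients may reach
    require_encryption: bool = True
    negotiated: dict = field(default_factory=dict)  # client -> port handed out

    def epm_query(self, client: str, dst_port: int, uuid: str) -> str:
        """Steps 2 and 3: client queries port 135; the filter reads the reply."""
        if dst_port != EPM_PORT:
            return "blocked: endpoint mapper query not on port 135"
        if uuid not in self.published_uuids:
            return "blocked: query for an unpublished interface"
        port = EPM_TABLE.get(uuid)
        if port is None:
            return "blocked: interface not registered on the server"
        self.negotiated[client] = port
        return f"allowed: endpoint port {port}"

    def secondary_connect(self, client: str, dst_port: int, encrypted: bool) -> str:
        """Step 4: only the port negotiated for this client is opened."""
        expected = self.negotiated.get(client)
        if expected is None or dst_port != expected:
            return "blocked: no endpoint negotiated for this client and port"
        if self.require_encryption and not encrypted:
            return "blocked: unencrypted RPC binding"
        return "allowed"


if __name__ == "__main__":
    fw = RpcFilter(published_uuids={EXCHANGE_STORE})
    print(fw.epm_query("outlook-1", 135, EXCHANGE_STORE))
    print(fw.epm_query("outlook-1", 135, PERF_MONITOR))
    print(fw.secondary_connect("outlook-1", 4402, encrypted=True))
    print(fw.secondary_connect("outlook-1", 9233, encrypted=True))
    print("packet filter opens 9233:", traditional_rpc_rule(9233))
```

The contrast is in the last two lines of output: the packet filter has to leave 9233 open for everyone because it cannot know which port Exchange was assigned, while the application filter opens 4402 for one client only and nothing else.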
OWA: Traditional Firewall
(Diagram: OWA Traffic inside an SSL Tunnel passes through the traditional firewall to the Exchange Server; Password Guessing and Web Server Attacks ride inside the same tunnel)
- Web traffic to OWA is encrypted
  - Standard SSL encryption
  - Security against eavesdropping and impersonation
- Limitation: Default OWA implementation does not protect against application layer attacks

How ISA Server Protects OWA
(Diagram: the SSL Tunnel carrying OWA Traffic is terminated at ISA Server for Inspection and Authentication before reaching the Exchange Server)
- Unauthorized requests are blocked before they reach the Exchange server
- Enforces all OWA authentication methods
- Optional forms-based authentication prevents caching of credentials
- Inspection (stops Web Server Attacks)
  - Invalid HTTP requests or requests for non-OWA content are blocked
  - Inspection of SSL traffic before it reaches Exchange server
- Authentication (stops Password Guessing)
- Confidentiality
  - Ensures encryption of traffic over the Internet
  - Can prevent the downloading of attachments to client computers
Additional Exchange Services
- Similar benefits and application layer filtering for publishing other Exchange Services
  - SMTP
  - RPC over HTTP(s)
  - Active Sync
  - Outlook Mobile Access

IIS, Web and Server Publishing
Securing Access to Web Resources
- Inspect HTTP content before it reaches Web servers
  - Central location to block disallowed Web requests and URLs
  - Blocks disallowed or invalid HTTP syntax
  - Blocks attacks based on signatures
  - Inspect and bridge SSL Traffic
- Unified view of Web resources
  - Map different external names/paths to internal names/paths
  - ISA Server can protect server farms or entire networks
  - Link Translation
- User authentication
  - Active Directory, RADIUS or SecurID
  - Credentials can be forwarded to published server
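A publishing rule ties several of these bullets together: the external name and path are mapped onto the internal server, only published paths are forwarded, and links the internal server emits are translated back to the external name. The following is an added illustration of that logic in plain Python, not ISA Server's publishing engine; the host names mail.example.edu and exch01.campus.local, the /owa to /exchange mapping, the HTTP-to-the-back-end (SSL bridging) choice and the method allow-list are assumptions. It also normalises the path before matching, so a request such as /owa/../admin cannot escape the published prefix.

```python
"""Simplified Web publishing rule with path mapping and link translation (added example)."""
import posixpath
from urllib.parse import urlsplit, urlunsplit


class PublishingRule:
    """Maps external URLs onto an internal server and back (simplified, added example)."""

    ALLOWED_METHODS = ("GET", "HEAD", "POST")   # assumed policy for the published app

    def __init__(self, external_host: str, internal_host: str, path_map: dict,
                 internal_scheme: str = "http"):
        self.external_host = external_host
        self.internal_host = internal_host
        # external prefix -> internal prefix; the keys also serve as the allow-list
        self.path_map = path_map
        self.internal_scheme = internal_scheme   # "http" = SSL bridged at the firewall

    def route(self, method: str, external_url: str):
        """Return the internal URL to forward, or None when the request is blocked."""
        parts = urlsplit(external_url)
        if parts.scheme != "https" or parts.netloc != self.external_host:
            return None                      # only the published HTTPS listener is served
        if method not in self.ALLOWED_METHODS:
            return None
        # Normalise before matching so "/owa/../admin" becomes "/admin" and is refused.
        path = posixpath.normpath(parts.path)
        for ext_prefix, int_prefix in self.path_map.items():
            base = ext_prefix.rstrip("/")
            if path == base or path.startswith(ext_prefix):
                internal_path = int_prefix.rstrip("/") + path[len(base):]
                return urlunsplit((self.internal_scheme, self.internal_host,
                                   internal_path, parts.query, ""))
        return None                          # not a published path

    def translate_links(self, body: str) -> str:
        """Link translation: rewrite internal names/paths in a response to external ones."""
        for ext_prefix, int_prefix in self.path_map.items():
            internal = f"{self.internal_scheme}://{self.internal_host}{int_prefix}"
            external = f"https://{self.external_host}{ext_prefix}"
            body = body.replace(internal, external)
        return body


# Constructed rule: https://mail.example.edu/owa/ -> http://exch01.campus.local/exchange/
OWA_RULE = PublishingRule("mail.example.edu", "exch01.campus.local",
                          {"/owa/": "/exchange/", "/exchweb/": "/exchweb/"})

if __name__ == "__main__":
    print(OWA_RULE.route("GET", "https://mail.example.edu/owa/inbox?view=1"))
    print(OWA_RULE.route("GET", "https://mail.example.edu/owa/../admin"))
    print(OWA_RULE.translate_links('<a href="http://exch01.campus.local/exchange/calendar">'))
```

Two design points worth noting: the path map doubles as the allow-list, so anything the administrator did not publish is refused rather than forwarded by default, and link translation uses the same map in reverse, which keeps the external and internal views consistent when a path mapping changes.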
Enabling Universal Resource Access
- Access to some university resources requires protocols other than HTTP
  - FTP servers for access to files
  - Database servers in DMZ or internal network
  - Public DNS servers to locate company’s servers
- Server publishing allows secure access to non-Web resources
- ISA Server supports all IP-based protocols
  - Application-layer filtering for selected protocols: FTP, DNS, RPC, etc.
XML/SOAP Filtering (EAI, .NET and Biztalk/XML Solutions)
- Offload and/or enhance Security from Biztalk/IIS and .NET applications
- Forum’s Application Filter for ISA provides
  - Schema Validation
  - Message Level Access Control
  - Authorization Management to Web Services
  - Permissions enforcement
  - XML Content Filtering
  - Protection against SOAP/XML DOS attacks
  - Archiving
  - SSL Termination
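Of the filter capabilities listed, the one most often done wrong is resource limiting, so here is an added example (not Forum Systems' filter and not ISA Server code) of a minimal SOAP message check in Python: it caps message size, nesting depth and element count, refuses any DOCTYPE (the usual entity-expansion vector), and requires the document to be a SOAP 1.1 Envelope with a Body. The limits and the sample messages are constructed; schema validation and message-level access control from the slide are not covered here.

```python
"""Minimal SOAP/XML message inspection with DoS limits (added example)."""
import xml.parsers.expat

SOAP_ENV_NS = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
MAX_BYTES = 64 * 1024      # constructed policy limits
MAX_DEPTH = 32
MAX_ELEMENTS = 10_000


def inspect_soap(message: bytes) -> tuple:
    """Return (accepted, reason) for a SOAP request body."""
    if len(message) > MAX_BYTES:
        return False, "rejected: message too large"

    state = {"depth": 0, "elements": 0, "root": None, "has_body": False}
    # namespace_separator makes element names arrive as "namespace-uri}local-name"
    parser = xml.parsers.expat.ParserCreate(namespace_separator="}")

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # No DTD means no entity declarations, so no entity-expansion blow-up.
        raise ValueError("DOCTYPE not allowed")

    def start_element(name, attrs):
        state["elements"] += 1
        state["depth"] += 1
        if state["elements"] > MAX_ELEMENTS:
            raise ValueError("too many elements")
        if state["depth"] > MAX_DEPTH:
            raise ValueError("nesting too deep")
        if state["root"] is None:
            state["root"] = name
        if name == SOAP_ENV_NS + "}Body" and state["depth"] == 2:
            state["has_body"] = True

    def end_element(name):
        state["depth"] -= 1

    parser.StartDoctypeDeclHandler = start_doctype
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    try:
        parser.Parse(message, True)
    except (ValueError, xml.parsers.expat.ExpatError) as exc:
        return False, f"rejected: {exc}"

    if state["root"] != SOAP_ENV_NS + "}Envelope":
        return False, "rejected: not a SOAP envelope"
    if not state["has_body"]:
        return False, "rejected: envelope has no Body"
    return True, "accepted"


# Constructed sample messages.
ENVELOPE_OPEN = b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
ENVELOPE_CLOSE = b"</s:Body></s:Envelope>"
GOOD_MESSAGE = ENVELOPE_OPEN + b'<GetGrade xmlns="urn:example"><id>42</id></GetGrade>' + ENVELOPE_CLOSE
DEEP_MESSAGE = ENVELOPE_OPEN + b"<a>" * 40 + b"</a>" * 40 + ENVELOPE_CLOSE
DOCTYPE_MESSAGE = b"<!DOCTYPE Envelope>" + GOOD_MESSAGE
NOT_SOAP = b"<hello/>"

if __name__ == "__main__":
    for label, msg in [("good", GOOD_MESSAGE), ("deep", DEEP_MESSAGE),
                       ("doctype", DOCTYPE_MESSAGE), ("not soap", NOT_SOAP)]:
        print(label, inspect_soap(msg))
```

The checks run as streaming callbacks, so an oversized or deeply nested message is rejected at the first element that breaks a limit rather than after the whole document has been built in memory, which is the point of putting this in front of the application server.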
Secure & Manageable Remote Access
ISA Server 2004 - Enterprise VPN Solution
- Access Controls and traffic segregation
- De-tunnel & inspect traffic at Application Layer
- Multiple Authentication options
- Integrated Client in Windows
  - Simplified client deployment (built in)
  - Logon via VPN
- PPTP, IPSEC/L2TP
- Integrated support and use of Quarantine
Network Access Quarantine
- Client script checks whether client meets organizational security policies
  - Personal firewall enabled?
  - Latest virus definitions used?
  - Required patches installed?
- If checks succeed, client gets full access
- If checks fail, client gets disconnected after timeout period
- Goal: Prevent VPN clients that don’t meet security requirements from accessing network
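As an added illustration (not the Windows Server 2003 quarantine components and not an ISA Server script), the policy on this slide written out as a small state machine in Python: a connecting client starts quarantined, a posture report is checked against the three questions above, a clean report releases the client to full access, and a client still quarantined when the timeout expires is disconnected. While quarantined, only remediation servers are reachable. The thresholds, patch identifiers and remediation host names are constructed placeholders.

```python
"""Network Access Quarantine decision logic, simulated (added example)."""
from dataclasses import dataclass, field

# Constructed policy: thresholds an administrator would set.
MAX_DEFINITION_AGE_DAYS = 7
REQUIRED_PATCHES = {"PATCH-PLACEHOLDER-1", "PATCH-PLACEHOLDER-2"}
QUARANTINE_TIMEOUT_SECONDS = 120
REMEDIATION_SERVERS = {"patch.campus.example", "av-updates.campus.example"}  # assumed


@dataclass
class ClientPosture:
    """What the client-side script reports back about the machine."""
    firewall_enabled: bool
    definition_age_days: int
    installed_patches: set = field(default_factory=set)


def run_checks(posture: ClientPosture) -> list:
    """Return the list of failed policy checks (empty means compliant)."""
    failures = []
    if not posture.firewall_enabled:
        failures.append("personal firewall disabled")
    if posture.definition_age_days > MAX_DEFINITION_AGE_DAYS:
        failures.append("virus definitions out of date")
    missing = REQUIRED_PATCHES - posture.installed_patches
    if missing:
        failures.append("required patches missing: " + ", ".join(sorted(missing)))
    return failures


@dataclass
class QuarantineSession:
    """Server-side state for one VPN client."""
    client: str
    connected_at: float
    state: str = "quarantined"

    def report(self, posture: ClientPosture) -> list:
        """Apply a posture report; a clean one lifts the quarantine."""
        failures = run_checks(posture)
        if not failures and self.state == "quarantined":
            self.state = "full-access"
        return failures

    def tick(self, now: float) -> str:
        """Disconnect a client that is still quarantined when the timeout expires."""
        if self.state == "quarantined" and now - self.connected_at >= QUARANTINE_TIMEOUT_SECONDS:
            self.state = "disconnected"
        return self.state

    def may_reach(self, host: str) -> bool:
        """Quarantine filter: only remediation servers until the client is released."""
        if self.state == "full-access":
            return True
        return self.state == "quarantined" and host in REMEDIATION_SERVERS


if __name__ == "__main__":
    session = QuarantineSession("laptop-7", connected_at=0.0)
    print(session.report(ClientPosture(False, 30)))
    print(session.may_reach("patch.campus.example"), session.may_reach("fileserver.campus.example"))
    print(session.tick(now=130.0))
```

The remediation allow-list is what makes the timeout workable in practice: a client that fails the checks can still fetch definitions and patches during the quarantine window and resubmit a clean report before it is disconnected.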
ISA Server 2004 Enterprise
- ADAM Based configuration
  - No AD dependency, but AD can still be used…
    - User/Group database (and integrated Authentication)
    - Credential store
    - Certificate authority
    - Management
- Redundant ADAM stores
- Enterprise Monitoring via MOM Management Pack
- Enterprise logging via a SQL Database
- Enterprise Policies and central policy management
- NLB enhancements and integrated management
- CARP (Cached Array Routing Protocol)
- Multi or dedicated function arrays
- Role based management
Third-party Add-ons
Filtering Area              | Company
IM                          | Akonix
SOCKS 5                     | CornerPost Software
SOAP/XML                    | Forum Systems, Inc.
Pop-up blocking/HTML filter | Collective Software
URL Redirection             | SecureNat Web Auth
Antivirus                   | McAfee, GFI, Panda
URL Filtering               | SurfControl, Futuresoft, FilterLogix, SecureComputing, WebSense
Intrusion Detection         | ISS, GFI
For details see: http://www.microsoft.com/isaserver/partners
More Options for Customers: ISA Server 2004 OEM Appliance
- Pre-hardened and Pre-tested
  - Hardened configuration for reduced attack surface
  - Easy to purchase, set up and deploy
- Added Value and Customer Choice
  - Out-of-box configuration tools
  - Web-based administration
  - Customized and fully integrated deployment options
- New World-Wide Industry Partnerships: Celestix Networks, Hewlett-Packard and Network Engines
Security Technologies Timeline
(Slide columns: Prior, H2 04, 2005, Future; items listed in the order they appear on the slide)
- Microsoft Baseline Security Analyzer (MBSA) v1.2
- Virus Cleaner Tools
- Systems Management Server (SMS) 2003
- Software Update Services (SUS) SP1
- Internet Security and Acceleration (ISA) Server 2004 Standard Edition
- Windows XP Service Pack 2
- Patching Technology Improvements (MSI 3.0)
- Systems Management Server 2003 SP1
- Microsoft Operations Manager 2005
- Windows malicious software removal tool
- Windows Server 2003 Service Pack 1
- Windows Update Services
- ISA Server 2004 Enterprise Edition
- Windows Rights Management Services SP1
- Windows AntiSpyware
- System Center 2005
- Windows Server 2003 “R2”
- Visual Studio 2005
Future:
- Vulnerability Assessment and Remediation
- Active Protection Technologies
- Antivirus