Application Layer Firewalling With ISA Server 2004

Application Layer Firewalling With
ISA Server 2004
Fred Baumhardt
Lead Security Technology Architect
Microsoft EMEA
Call to Action
A quantum shift in thinking is needed to
avoid a cataclysmic failure in global
network security
I don’t have all the answers in this
session, lots of questions
We have all been lucky that major global
worms have not carried class 0 (evil evil)
payloads like format disk and flash BIOS
Question all “experts” you hear and draw
your own conclusion
Agenda
The roots of the Internet and security
The problem with conventional firewalls
Advantage of application layer inspection
Application inspection with ISA server
Pre-authentication (OWA + IIS + Apache)
Inbound SSL termination and inspection
Filtration of HTTP content and URLs
Other Application Filters
Putting it all together
Internet Security Roots
Let's be honest – from a security perspective:
IPv4 is not great – not designed for Security
The Internet used to require Security clearance to
use – physical access was restricted – no need for
protocol security
Resistance to Nuclear attack was more important
than protecting traffic
Everyone on the network was trusted
TCP/IP was thus designed without security in
mind – added as a bolt-on
Security and HTTP
We assume that HTTP is a good business protocol –
block almost all others outbound, SO:
Developers start using tunnelling over port 80 – to
deliver apps and data – and call it web services
Microsoft does it with Outlook and Exchange 2003 –
we call it a feature (easy Outlook connection)
Joe Smith tunnels and uploads your HR database to
your competition – you call him a hacker
More concerned with blocking porn (by destination) than
checking that the content is valid (by deep inspection)
Tunneling
When someone puts some sort of data in
one port/socket – encapsulates it in some
sort of packet – and sends it to a
destination you allow (because you think
it is doing something else)
Example – HTTP-TUNNEL.com, where
you stick any (e.g. terminal server) traffic
that is otherwise blocked in TCP 80 and,
for 19.95 a month, they send it to the
server you really want to talk to.
HTTP Tunnel
Let's rip open a packet
Currently – most firewalls check only basic packet information
Real world equivalent of looking at the number and destination of
a bus – and not looking at the passengers
Fundamental Assumptions L3/L4
We trust that traffic on a port is what we think it should
be (TCP80==HTTP)
We implicitly trust that the traffic going through is clean
(as we admit we can't scan it)
We don’t place these devices to protect from internal
networks as our users are trusted
The user in machine 1.2.3.4 must be the one that
always uses that machine
TCP 80 is almost always open to everywhere – The
Universal Firewall Bypass and Avoidance Protocol
Most of these mistakes result in a security breach
which is usually blamed on the OS or the app – but it
came over the network
OK guys, how would you do it?
Some keys to application inspection
Segmentation of Logical Components in network –
ALF can only inspect to/from somewhere
Encryption only where required – with trusted context
– it usually invalidates inspection, IDS
Understanding the purpose of the traffic you are
trying to filter, and blocking inconsistent traffic
Strategic depth-countermeasures covering entire
classes of attacks, especially against worms
Heuristic systems supplemented with
behavioural systems, and intelligence
Built In Application Filters
HTTP – Syntax analysis, signature blocking
OWA – Forms Based Authentication
SMTP – Command and message filtering
RPC – Interface blocking
FTP – Read only support
DNS – Intrusion detection
POP3 – Intrusion detection
H.323 – Allows H.323 traffic
MMS – Enables Microsoft media streaming
All filters:
- validate protocol RFC conformance
- enable NAT traversal
Examples Of 3rd Party Filter Add-ons
Expected to be available soon after ISA Server 2004 availability
Filters – Companies
IM – Akonix
SOCKS 5 – CornerPost Software
SOAP/raw XML – Forum Systems, Inc.
Antivirus – McAfee, GFI, Panda
URL Filtering – SurfControl, Futuresoft, FilterLogix, Cerberian, Wavecrest
Intrusion Detection – ISS, GFI
Many add-ons in other firewall areas available
For details see:
http://www.microsoft.com/isaserver/partners
RPC – A typical challenge
RPC 101
[Diagram: RPC client (Outlook) talking to RPC server (Exchange)]
1. Client connects to portmapper on server (port 135/tcp); client knows the UUID of the service it wants
2. Client asks, "What port is associated with my UUID?"
3. Portmapper responds with the port and closes the connection
4. Client accesses application over learned port (4402/tcp)
Server maintains a table and matches UUID to the current port:
Service – UUID – Port
Exchange – {12341234-1111… – 4402
AD replication – {01020304-4444… – 3544
MMC – {19283746-7777… – 9233
Due to the random nature of RPC, this is not feasible over the Internet:
RPC services grab random high ports when they start, so all 64,512 high ports
& port 135 must be opened on traditional firewalls
RPC Filter Security
Learn the protocol and use its features to improve security
Firewall only allows specific UUIDs
Only DC Replication, or Only Exchange/Outlook
Not defined UUIDs such as MMC, Printing blocked
Takes back control of RPC behaviour
Tunneling not allowed – as syntax is checked
Exchange specific – like enforce client encryption
[Diagram: External network – Outlook/RPC Client – ISA Server with Feature Pack 1 – Exchange/RPC Server – Internal network]
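Added example, not code from the slides or from ISA Server: a Python simulation of the stateful RPC filter described above, with a constructed endpoint-mapper table (the UUIDs are placeholders, not the real interface IDs) and a comparison against the port-range rule a traditional firewall has to use.

```python
# Constructed endpoint-mapper table in the shape of the slide's UUID/port table.
# The UUIDs are placeholders, not real Exchange or AD interface identifiers.
EPM_TABLE = {
    "11111111-1111-1111-1111-111111111111": ("Exchange", 4402),
    "22222222-2222-2222-2222-222222222222": ("AD replication", 3544),
    "33333333-3333-3333-3333-333333333333": ("MMC", 9233),
}
EPM_PORT = 135   # the portmapper itself

def traditional_firewall_allows(server_port: int) -> bool:
    """A port-based firewall cannot know which high port an RPC service will pick,
    so it has to open 135 plus every high port (1024..65535 = 64,512 ports)."""
    return server_port == EPM_PORT or 1024 <= server_port <= 65535

class RpcFilter:
    """Application-layer filter: only allow-listed UUIDs may be resolved through the
    endpoint mapper, and only the port the mapper returned for that lookup is then
    opened, and only for the client that asked for it."""

    def __init__(self, allowed_uuids):
        self.allowed = set(allowed_uuids)
        self.pinholes = {}   # (client_ip, server_port) -> interface name

    def epm_request(self, client_ip: str, iface_uuid: str):
        """Client asks over 135/tcp: 'What port is associated with my UUID?'"""
        if iface_uuid not in self.allowed:
            return None, "blocked: UUID not in allow-list"      # e.g. MMC, printing
        if iface_uuid not in EPM_TABLE:
            return None, "blocked: mapper has no such interface"
        name, port = EPM_TABLE[iface_uuid]
        self.pinholes[(client_ip, port)] = name   # learn the dynamic port
        return port, f"allowed: {name} on {port}/tcp"

    def connection_allowed(self, client_ip: str, server_port: int) -> bool:
        """Follow-up connection: either the mapper itself or a port learned above."""
        if server_port == EPM_PORT:
            return True
        return (client_ip, server_port) in self.pinholes
```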
Protecting HTTPS
[Diagram: traditional firewall versus ISA Server 2004 with HTTP Filter]
Traditional firewall: Internet client – SSL – Traditional firewall – SSL – Web Srv/OWA
SSL tunnels through traditional firewalls because it is encrypted… which allows viruses and worms to pass through undetected… and infect internal servers!
Web server prompts for authentication – any user can access this prompt
ISA Server 2004 with HTTP Filter: Internet client – SSL – ISA Server 2004 with HTTP Filter – SSL or HTTP – Web Srv/OWA
ISA Server can decrypt and inspect inbound SSL traffic; inspected traffic can be sent to the internal server re-encrypted or in the clear
ISA Server pre-authenticates users (basic authentication delegation), eliminating multiple authentication dialog boxes and only allowing valid traffic through
HTTP filter for ISA Server (URLScan for ISA Server) can stop Web attacks at the network edge, even over encrypted SSL traffic
Pre-Authentication
No L7 password = no access to internal system
– excellent failsafe
Potential attackers go from 7 Billion to the number
of people who have credentials to your network
Worms will not have your credentials (hopefully)
ISA 2000 can also do this with RSA SecurID for
HTTP (though not for RPC/HTTP with SecurID)
Cookie pre-authentication for Outlook Web
Access 2003 also available
Protecting HTTP(S) cont.
The Big Picture
Understanding the protocol – how it works,
what its rules are, and what to expect is
critical
Inbound HTTPS termination is easy (you
control the cert) outbound is difficult
Human behaviour is easy – FW admins
close all ports so we use 80, thus we need
to learn how to filter 80
Web Publishing Protection
Worms usually go by IP or network range, they
seldom know the FQDN (yet)
Publish by FQDN https://mail.yc.com/exchange
Nothing gets in unless it asks the firewall for the exact
URL (in HTTP language), not just 212.30.12.1:T80
Use HTTP Filter verbs – signature strings, and
method blocking to eliminate entire classes of
attacks
Let's look at some examples
Example:
Protecting A Web Server
General
Limit header length, query and URL length.
Verify normalization.
Methods
Allow only specified methods:
GET, HEAD, POST
Extensions
Block specified extensions (allow all others):
.exe, .bat, .cmd, .com, .htw, .ida, .idq, .htr, .idc,
.shtm, .shtml, .stm, .printer, .ini, .log, .pol,
.dat, …
Signatures
(Request URL)
Block content containing these signatures
.. , ./ , \ , : , % , &
Demonstration of HTTP Filtration
Example:
Blocking Apps Over HTTP
Application                         Search in         HTTP header        Signature
MSN Messenger                       Request headers   User-Agent:        MSN Messenger
Windows Messenger                   Request headers   User-Agent:        MSMSGS
AOL Messenger (and Gecko browsers)  Request headers   User-Agent:        Gecko/
Yahoo Messenger                     Request headers   Host               msg.yahoo.com
Kazaa                               Request headers   P2P-Agent          Kazaa, Kazaaclient:
Kazaa                               Request headers   User-Agent:        KazaaClient
Kazaa                               Request headers   X-Kazaa-Network:   KaZaA
Gnutella                            Request headers   User-Agent:        Gnutella, Gnucleus
Edonkey                             Request headers   User-Agent:        e2dk
Morpheus                            Response header   Server             Morpheus
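Added example (not from the slides or ISA Server's code): a Python sketch of the HTTP filter policy from the "Protecting A Web Server" slide together with the request-header signatures from the table above, applied to a constructed request; the two length limits, the optional published_host check (the publish-by-FQDN rule) and the sample request are assumptions for the demo.

```python
import os
ALLOWED_METHODS = {"GET", "HEAD", "POST"}            # "Protecting A Web Server" slide
BLOCKED_EXT = {".exe", ".bat", ".cmd", ".com", ".htw", ".ida", ".idq", ".htr", ".idc",
               ".shtm", ".shtml", ".stm", ".printer", ".ini", ".log", ".pol", ".dat"}
URL_SIGNATURES = ("..", "./", "\\", ":", "%", "&")
MAX_URL_LEN, MAX_HEADER_LEN = 260, 1024              # assumed values; the slide only says "limit"
# Request-header signatures from the "Blocking Apps Over HTTP" table (outbound use).
APP_SIGNATURES = (("MSN Messenger", "user-agent", "MSN Messenger"),
                  ("Windows Messenger", "user-agent", "MSMSGS"), ("AOL Messenger", "user-agent", "Gecko/"),
                  ("Yahoo Messenger", "host", "msg.yahoo.com"), ("Kazaa", "p2p-agent", "Kazaa"),
                  ("Kazaa", "user-agent", "KazaaClient"), ("Kazaa", "x-kazaa-network", "KaZaA"),
                  ("Gnutella", "user-agent", "Gnutella"), ("Gnutella", "user-agent", "Gnucleus"),
                  ("Edonkey", "user-agent", "e2dk"))
# Constructed sample request for the inbound (published OWA) case.
SAMPLE = b"GET /exchange/ HTTP/1.1\r\nHost: mail.yc.com\r\nUser-Agent: Mozilla/4.0\r\n\r\n"

def parse_request(raw: bytes):   # -> (method, url, headers) or None if not HTTP syntax
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None                   # tunnelled or non-HTTP payload on port 80
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return None               # malformed header line
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers

def inspect_request(raw: bytes, published_host=None) -> str:
    """Rules in the slide's order; published_host adds the publish-by-FQDN check."""
    parsed = parse_request(raw)
    if parsed is None:
        return "block: not valid HTTP"
    method, url, headers = parsed
    if method not in ALLOWED_METHODS:
        return f"block: method {method}"
    if len(url) > MAX_URL_LEN or any(len(v) > MAX_HEADER_LEN for v in headers.values()):
        return "block: length limit exceeded"
    if published_host and headers.get("host", "").split(":")[0].lower() != published_host:
        return "block: not the published FQDN"
    if (ext := os.path.splitext(url.split("?", 1)[0])[1].lower()) in BLOCKED_EXT:
        return f"block: extension {ext}"
    for sig in URL_SIGNATURES:
        if sig in url:
            return f"block: URL signature {sig!r}"
    for app, header, sig in APP_SIGNATURES:
        if sig.lower() in headers.get(header, "").lower():
            return f"block: application {app}"
    return "allow"
```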
DNS Protection
Rudimentary protection
General anti-tunneling protection through TCP/UDP 53
Mail Protection
Lots of antispam and antivirus vendors cover the
relay points – what about:
Is TCP 25 really SMTP?
Is someone sending a buffer overflow to the RCPT
command?
Can I block someone using the VRFY command?
Can I strip an attachment, or block a user?
Why not do the Protocol level protection at the
network device, use the firewall to add a layer of
defence for the mail system.
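Added example, not from the slides or from ISA Server: a Python command screener that answers the questions above for each SMTP client line (is it SMTP syntax at all, is an argument overlong, is VRFY in use); the command allow-list, the 256-byte argument limit, the disabled VRFY/EXPN set and the sample session are assumptions for the demo.

```python
import re

# Assumed policy for the demo, shaped by the questions on the slide.
ALLOWED_COMMANDS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
BLOCKED_COMMANDS = {"VRFY", "EXPN"}                 # disabled at the firewall
MAX_ARG_LEN = 256                                   # assumed; same as the RFC 5321 path limit
PATH_RE = re.compile(r"^<([^<>\s]+@[^<>\s]+)?>$")   # <user@host> or the null path <>

# Constructed client lines for a short session.
SAMPLE_SESSION = (b"EHLO mail.example\r\n", b"MAIL FROM:<>\r\n",
                  b"VRFY root\r\n", b"RCPT TO:<bob@example.org>\r\n")

def filter_command(line: bytes) -> str:
    """Return 'pass' or 'drop: <reason>' for one command line from the client."""
    if not line.endswith(b"\r\n"):
        return "drop: line not CRLF terminated"
    try:
        text = line[:-2].decode("ascii")
    except UnicodeDecodeError:
        return "drop: non-ASCII bytes (not SMTP)"    # "is TCP 25 really SMTP?"
    verb, _, arg = text.partition(" ")
    verb = verb.upper()
    if verb in BLOCKED_COMMANDS:
        return f"drop: {verb} is disabled"
    if verb not in ALLOWED_COMMANDS:
        return f"drop: unknown command {verb!r}"
    if len(arg) > MAX_ARG_LEN:                       # e.g. an oversized RCPT argument
        return f"drop: {verb} argument too long ({len(arg)} bytes)"
    if verb in ("MAIL", "RCPT"):
        keyword, _, path = arg.partition(":")
        expected = "FROM" if verb == "MAIL" else "TO"
        path = path.strip()
        if keyword.upper() != expected or not PATH_RE.match(path) or (verb == "RCPT" and path == "<>"):
            return f"drop: malformed {verb} {expected}"
    return "pass"

def screen_session(lines) -> list:
    """Verdict per line; a real filter would cut the connection at the first drop."""
    return [filter_command(line) for line in lines]
```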
Mail Filtration Examples
Requires another box to do the storage of mail
Must link the box to ISA via RPC
Applies protocol validation and some keyword and attachment stripping
Defence in depth – not primary mail solution
Encapsulated Traffic
IPSEC (AH and ESP), PPTP etc. cannot
be scanned at ISA Server if published or
allowed through
If you tunnel traffic through these ports
ISA will log the tunnel – it cannot look
inside unless it is terminating the VPN
Your call – open more ports with app
filters or tunnel traffic through with no
inspection – most DC protocols have no
filters
Be aware of the implications of NAT
VPN Termination
ISA currently does intra-tunnel VPN
inspection, so traffic coming in via VPN will
be inspected at the application layer
VPN Client Traffic is treated as a dedicated
network – so you can control where it goes
and its Application Filter rules
Windows Server 2003 Quarantine with ISA
VPN fully supported – excellent functionality
Extending The Platform
Firewalls are placed in different locations
for different reasons. Understand the
requirement and filter accordingly
Extend core functionality with protocol
filters covering your specific scenario
No one device will ever be the silver bullet,
solutions are more important than devices
One Vision for Secure Networking
[Diagram: Internet – Redundant Routers – First Tier Firewalls – ISA Firewalls (URL Filtering for OWA, RPC Termination for Outlook) – NIC teams/2 switches – VLANs for Front-end, DC + Infrastructure and Backend, each with Intrusion Detection]
One or more switches implement VLANs and control inter-VLAN traffic like
firewalls do – VLANs are not bullet proof (but neither are servers)
Traffic is allowed or blocked based on requirements of the application; filters
understand and enforce these requirements
Debunking Network Security Myths
People DON’T play by the rules – unless you
make them and ports are not intent – you
need to check
Hardware devices are NOT more secure –
they are more convenient – that’s all
Invest in getting to know the device, what it
can and can't do – don't buy what you know – buy what
you need
Don’t let just the network people control and
purchase firewalls – it takes application
awareness
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only.
MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.