Securing Network

Securing Network – Wireless – and Connected Infrastructures
Fred Baumhardt
Infrastructure Solutions Consulting
Microsoft Security Solutions, Feb 4th, 2003
Agenda
• Defining the Datacenter Network Security Problem
• Penetration Techniques and Tools
• Network Defence-in-Depth Strategy
  • Perimeter and Network Defences
  • Operating System and Services Defences
  • Application Defences
  • Data Defences
The Datacenter Problem We All Face
• Systems organically grown under “Project” context
• No clear best practice from vendors
• Security often bolted on as an afterthought
• Fear of change – Time to Market
(Diagram labels: Some Core Systems; Extranets; Internet Systems; Project 1…n System; Branch Offices; Departments)
The Big Picture of Security
• OS hardening is only one component of a security strategy AND firewalls are not a panacea
• Entering the bank branch doesn’t get you into the vault
• Security relies on multiple things
  • People and skills
  • Process and incident management
  • Internal technologies – e.g. OS, management tools, switches, IDS, ISA
  • Edge technologies – firewalls, ISA, IDS
Threat Modelling
• Internal users are usually far more dangerous
• Normal employees have tools, experience, and know your systems – after all, they use them
• Customers usually take few internal protection precautions – preferring to focus on external firewalls and DMZ scenarios for security
• Data is now being hacked – not just systems
The First Phase of Hacking
• Information Gathering and Intelligence
  • Port scanning – banner grabbing – TCP/IP packet profiling – TTL packet manipulating
  • Researching network structure – newsgroup posts, outbound emails; these all hold clues to network design
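The recon the slide lists (port sweeps, banner grabs) leaves a trace in firewall logs long before the compromise phase, so here is an added example, not from the original presentation, of a detector that flags one source touching many distinct ports on one host in a short window; the log format and the sample lines are constructed for the example.

```python
# Added example (not from the original presentation): detect the
# reconnaissance the slide describes (port scanning, banner grabbing)
# in constructed firewall log lines. The log format is an assumption.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <action>"
SAMPLE_LOG = """\
2003-02-04T09:00:01 10.10.5.23 10.20.1.10 21 DENY
2003-02-04T09:00:01 10.10.5.23 10.20.1.10 22 DENY
2003-02-04T09:00:02 10.10.5.23 10.20.1.10 23 DENY
2003-02-04T09:00:02 10.10.5.23 10.20.1.10 25 ALLOW
2003-02-04T09:00:03 10.10.5.23 10.20.1.10 80 ALLOW
2003-02-04T09:00:03 10.10.5.23 10.20.1.10 135 DENY
2003-02-04T09:00:04 10.10.5.23 10.20.1.10 139 DENY
2003-02-04T09:00:04 10.10.5.23 10.20.1.10 443 ALLOW
2003-02-04T09:00:05 10.10.5.23 10.20.1.10 1433 DENY
2003-02-04T09:00:05 10.10.5.23 10.20.1.10 3389 DENY
2003-02-04T09:00:10 10.10.7.40 10.20.1.10 80 ALLOW
2003-02-04T09:00:20 10.10.7.40 10.20.1.10 80 ALLOW
2003-02-04T09:00:30 10.10.7.40 10.20.1.10 443 ALLOW
"""

def parse_log(text):
    """Yield (time, src, dst, port, action) tuples from the constructed format."""
    for line in text.splitlines():
        ts, src, dst, port, action = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port), action

def detect_port_scans(text, min_ports=8, window=timedelta(seconds=60)):
    """Return [(src, dst, n_distinct_ports)] for sources that touch at least
    min_ports distinct ports on one host within the time window.
    Denied connections count too: a scanner's misses are the signal."""
    events = defaultdict(list)          # (src, dst) -> [(time, port)]
    for ts, src, dst, port, _ in parse_log(text):
        events[(src, dst)].append((ts, port))
    alerts = []
    for (src, dst), hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) >= min_ports:
                alerts.append((src, dst, len(ports)))
                break                   # one alert per pair is enough
    return alerts
```

The normal browsing host (two ports over thirty seconds) stays quiet while the sweep of ten ports in five seconds is reported; tune min_ports and window against your own baseline.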
The Second Phase of Hacking
• Analysis of Collected Information
  • Process relevant bits of data about the target network
  • Formulate an attack plan
  • For example: an attacker won’t use SUN-specific attacks on W2K boxes, won’t use NT attacks on .NET, etc.
  • Hacker forums, websites, exploit catalogues
The Third Phase of Hacking
• The Compromise
  • OS-specific attacks
  • Denial of Service attacks
  • Application attacks
    • Buffer overflows
    • URL string attacks
    • Injection
    • Cross-site scripting attacks
• Compromised system jumps into another
Networking and Security
• The network component is the single most important aspect to security
• Wireless is based on radio transmission and reception – not bounded by wires
• Some sort of encryption is thus required to protect the open medium
• Ethernet is also just about as insecure
Network Problems ctd
• Use encryption and authentication to control access to the network
  • WEP – Wired Equivalent Privacy
  • 802.1X – using Public Key Cryptography
  • Mutually authenticating client and network
Securing a Wireless Connection
• Three major strategies
  • WEP – basic, low-security, simple solution
  • VPN – use an encrypted tunnel, assuming the network is untrusted
  • 802.1X family – use PKI to encrypt seamlessly from client to access point
    • Usually complex to implement, but then seamless to the user
    • Substantial investment in PKI
    • Also vendor-specific variants like LEAP
What about the wired network?
• This is where the hackers kill you
• Currently a “total trust” model
  • You can ping the HR database, or the chairman’s PC, or the accounting system in Tokyo
  • We assume anyone who can get in to our internal network is trusted – and well intentioned
  • Ethernet and TCP/IP are fundamentally insecure
VPN
• Extend the “internal” network space to clients in the internet
• Extends the security perimeter to the client
• Main systems are PPTP – L2TP/IPSEC
(Diagram labels: Corporate Net or Client; IP Tunnel; Host A; Router C; Router D; Host B; Corporate Net in Reading; Internet)
How the Architecture Can Prevent Attack
(Diagram labels, top to bottom)
Internet Border: Internet; Redundant Routers; Redundant Firewalls
Perimeter: VLANs for Client and Site VPN, DNS & SMTP, Proxy, Infrastructure Network – Perimeter Active Directory; NIC teams/2 switches; Redundant Internal Firewalls
Internal: Intrusion Detection; NIC teams/2 switches; VLANs for Data Network – SQL Server Clusters, Messaging Network – Exchange, Infrastructure Network – Internal Active Directory, Management Network – MOM, deployment, Client Network, RADIUS Network, Intranet Network – Web Servers; Remote data center
How do I do it?
• A flat DMZ design to push intelligent inspection outwards
• ISA layer 7 filtration – RPC – SMTP – HTTP
• Switches that act like firewalls
• IPSec where required between servers
• Group Policy to manage security
• 802.1X or VPN into ISA servers, treating wireless as hostile
• Internal IDS installed
(Diagram: Internet – Stateful Packet Filtering Firewall – Application Filtering Firewall (ISA Server) – Exchange Server; Wireless; link labels: TCP 443: HTTPS; TCP 80: HTTP or TCP 443: HTTPS)
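To make the “total trust” point concrete, here is an added example, not part of the original talk, that models the VLAN zones from the architecture slide as an explicit allow-list and computes which zones a compromised host can pivot into (the “compromised system jumps into another” step), in the segmented design versus a flat network; the zone names follow the slide, while the individual flows are assumptions for illustration.

```python
# Added example (not from the original presentation): model the zoned design
# on the architecture slide as an explicit allow-list between VLANs, then
# compare what a compromised host can reach against the "total trust" flat
# network the talk warns about. Zone names follow the slide; the individual
# rules are assumptions for illustration, not the talk's own policy.
from collections import deque

# Allowed flows as (source zone, destination zone, TCP port); anything not
# listed is denied by the internal firewalls.
SEGMENTED_POLICY = {
    ("Internet", "Perimeter", 443),     # HTTPS to the ISA/proxy layer
    ("Internet", "Perimeter", 25),      # SMTP to the perimeter relay
    ("Perimeter", "Messaging", 443),    # published Exchange (OWA)
    ("Perimeter", "Messaging", 25),     # relay into Exchange
    ("Client", "Intranet", 80),         # users browse intranet web servers
    ("Client", "Messaging", 443),       # users read mail
    ("Intranet", "Data", 1433),         # web tier to SQL clusters only
    ("Management", "Intranet", 3389),   # MOM/deployment reaches servers
    ("Management", "Data", 3389),
    ("Management", "Messaging", 3389),
}
ZONES = {"Internet", "Perimeter", "Client", "Intranet", "Data",
         "Messaging", "Management", "RADIUS", "InternalAD"}

def flat_policy():
    """The 'total trust' model: every internal zone reaches every other."""
    internal = ZONES - {"Internet"}
    return {(s, d, p) for s in internal for d in internal if s != d
            for p in (25, 80, 443, 1433, 3389)}

def is_allowed(policy, src, dst, port):
    return (src, dst, port) in policy

def reachable_from(policy, start):
    """Zones a host in `start` can pivot to through allowed flows (BFS);
    this is the blast radius of one compromised system."""
    seen, queue = {start}, deque([start])
    while queue:
        zone = queue.popleft()
        for s, d, _ in policy:
            if s == zone and d not in seen:
                seen.add(d)
                queue.append(d)
    return seen - {start}
```

With the segmented policy a compromised client workstation can only pivot through the web tier to the SQL zone, whereas under the flat policy it reaches every internal zone, which is exactly the "ping the HR database" situation the slide describes.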
Call To Action
• Take action – your network transport is insecure
• Read and use security operations guides for each technology you use
• Mail me with questions – [email protected]
  • If I didn’t want to talk to you I would put a fake address
• Use the free MS tools to establish a baseline and stay on it
• Attack yourself – you will learn
• Wherever you go – go securely!