TechEd SEC 320 (transcript)

Technical Overview of Security
Fred Baumhardt
Lead Security Technology Architect
Microsoft EMEA
E-mail and MSN contact addresses (redacted in this copy)
Plan of Action
This session is about questions – not answers
Understand the Security Problem
Understand the Roots of Security and IP
Look at Modern Security Technologies
Perimeter based (what is a perimeter anyway?)
Network Based
Host Based and Domain Based
People… the final frontier (and the dumbest too)
The Datacenter Security Problem
Systems grown organically, each under its own "project" context
No clear best practice from vendors
Security often bolted on as an afterthought
Fear of change versus time to market
Branch offices have poor bandwidth and are under-managed
The worm is always smaller than the patch
(Diagram: core systems, extranets, Internet systems, project 1…n systems, branch offices, departments)
The External User Problem
Grandmothers aren't good at patching; neither are vendors… yet
People at large suffer from itcanthappentome-itis
ADSL, cable and other technologies make non-secure users the majority: most Internet IPs are not policed or managed
External drones (compromised hosts) can bring down your network in seconds: DDoS, coordinated attacks, relay points
Internal User Problems (abridged)
VPN and remote access put our "trusted" people out on the untrusted Internet
Users treat corporate assets as personal property
Infections come inside our perimeter from mixing internal and external user roles, e.g. home use of the laptop to browse funbags.com
When inside, our users don't follow (or know) our security policy, if we have one
Users versus IT department mentality (and vice versa)
And Just When You Thought It
Couldn’t Get Worse….
The Network lets you down
Modern nets are generally large TCP/IP spaces, segmented from the Internet by one or two sets of firewalls (the DMZ; more on this little gem later)
IT usually does little internal network protection, focusing on external firewalls and DMZ scenarios for security
Attackers switch their attacks to the application level, which network equipment can't understand
The Security Strategy Toolbox
Defence in depth, from the outermost layer inwards, and the tools that apply at each:
Policies, Procedures & Awareness
Physical Security
Perimeter defences: packet filtering with stateful inspection of packets, intrusion detection, application layer filtering (ALF), IDS/IPS, pre-authentication
Internal Network defences: VLAN access control lists, internal firewalls, auditing, intrusion detection
Host defences: server hardening, host intrusion detection, IPsec filtering, auditing, AD
Application defences: AV, content scanning, layer 7 (URL) switching, secure apps like IIS and Exchange, authentication
Data and Resources: ACLs, EFS, AV, AD, application coding
Purpose and Limitations of
Perimeter Defences
Properly configured firewalls and border routers are
the cornerstone for perimeter security – and possibly
internally too
The Internet and mobility increase security risks
VPNs have “softened” the perimeter and, along with
wireless networking, have essentially caused the
disappearance of the traditional concept of network
perimeter
Traditional packet-filtering firewalls block only
network ports and computer addresses
Most modern attacks occur at the application layer
The DMZ…. A Favourite Myth
In military terms – it is where you put your
unwanted soldiers (they will die quickly)
An Area where neither side will place heavy
weapons (except attacking side breaking the
DMZ rules)
(Diagram: Internet | DMZ | Internal Network)
Traditional IT DMZs
A rear firewall (or rear ruleset) is placed to protect the internal network from the DMZ in case the front firewall is breached
Placement of semi-trusted machines, like proxies, SMTP relays and web servers
Semi-trusted is like semi-pregnant
Rear firewalls look like Swiss cheese
At the application level all traffic that is needed is allowed, like DB ports and DC ports
Devices that filter aren't application aware
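As an added illustration (example code written for this page, not from the original deck or from Microsoft), here is a small audit of a rear-firewall rule set that flags the Swiss cheese described above: allow rules that let the DMZ reach the internal network on database, RPC, SMB or domain-controller ports, or on any port at all. The rule format, the zone names, the list of sensitive ports and the sample rules are all this example's own assumptions.

```python
"""Audit a rear-firewall rule set for holes from the DMZ into the internal network.

Example written for this page; the rule format, zone names, port list and sample
rules are assumptions, not anything from the original deck.
"""
from dataclasses import dataclass

# Ports a DMZ host should not be able to reach inside: SQL Server, the RPC endpoint
# mapper, SMB and the domain-controller protocols (an assumed list for this example).
SENSITIVE_PORTS = {
    1433: "SQL Server", 1434: "SQL Browser", 135: "RPC endpoint mapper", 445: "SMB",
    88: "Kerberos", 389: "LDAP", 636: "LDAPS", 3268: "Global Catalog", 3389: "RDP",
}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str          # "dmz", "internal", "internet" or "any"
    dst_zone: str
    dst_ports: frozenset   # empty frozenset means "any port"
    action: str            # "allow" or "deny"


def parse_rules(text):
    """Parse one rule per line: name src dst ports action; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, src, dst, ports, action = line.split()
        port_set = frozenset() if ports == "any" else frozenset(int(p) for p in ports.split(","))
        rules.append(Rule(name, src.lower(), dst.lower(), port_set, action.lower()))
    return rules


def audit_rules(rules):
    """Return (rule name, reason) pairs for DMZ->internal allow rules that expose a
    sensitive port or open every port. Rules are first-match: an explicit deny
    earlier in the list shadows later allows for the same ports."""
    findings = []
    blocked_ports = set()
    for r in rules:
        if r.src_zone not in ("dmz", "any") or r.dst_zone not in ("internal", "any"):
            continue
        if r.action == "deny":
            if not r.dst_ports:
                break                      # unconditional deny: nothing below it matters
            blocked_ports |= r.dst_ports
            continue
        if not r.dst_ports:
            findings.append((r.name, "allows ANY port from the DMZ into the internal network"))
            continue
        for port in sorted(r.dst_ports - blocked_ports):
            if port in SENSITIVE_PORTS:
                findings.append((r.name, f"exposes {SENSITIVE_PORTS[port]} (port {port}) to the DMZ"))
    return findings


# Constructed sample rule set for a rear firewall (not a real configuration).
SAMPLE_RULES = """
# name           src       dst       ports        action
web-to-sql       dmz       internal  1433         allow   # web tier talks to the database
relay-to-mail    dmz       internal  25           allow   # SMTP relay forwards to Exchange
proxy-to-dc      dmz       internal  88,389,445   allow   # 'the proxy needed the domain'
mgmt-anywhere    dmz       internal  any          allow   # leftover troubleshooting rule
clients-to-dmz   internal  dmz       any          allow
default-deny     any       any       any          deny
"""

if __name__ == "__main__":
    for name, reason in audit_rules(parse_rules(SAMPLE_RULES)):
        print(f"{name}: {reason}")
```

The audit does not tell you whether a hole is justified (the web tier may genuinely need 1433), only that the rear firewall is passing application-level traffic it cannot inspect; that is the point of the slide, and the place to apply an application-aware filter or a separate DMZ forest rather than a port rule.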
Firewall Perimeter Technology
Packet inspection devices that take traffic on one side and allow it or block it based on rules you define
Limited by what they inspect: source, destination, port, sequence, TTL; newer devices can inspect at the data and application layers
Encryption can invalidate these defences
Other Perimeter Technologies
Intrusion Detection/Prevention (more later)
Anti-virus and anti-spam gateways: content filters and inspection devices for inbound or outbound traffic
ISA Server 2004 is custom built for this scenario
VPN solutions for extending corporate resources: multi-factor authentication, smart cards, SecurID etc.; VPN quarantine parks a user whilst their state and patch level are checked
Private perimeter domains/forests to power Windows security policy
VPN Security
Warning: every time you connect into a network you extend the security perimeter
Harden your clients on the Internet, or hackers will attack the clients and ride the VPN; tokens won't help, as the VPN will already be established
Client-based IDS systems and firewalls can help
Most organisations infected recently by worms were infected by laptops or other mobile assets VPNing back into the network, or coming back in after an external infection
VPN quarantine, such as Network Access Quarantine Control in Windows Server 2003, is critical
Alternatives to VPN
Mail: around 80% of the reason for VPN usage
RPC over HTTP for Exchange 2003 <-> Outlook 2003 mail
Remote mail access formats (OWA)
IMAP/POP3 are not fully featured; avoid if possible
SSL for extranet-enabled applications
RPC filtering with ISA Server
Network Defences
Conventional networks don't usually segment or use concepts such as VLANs (virtual LANs)
Modern networks are one big open space under the water line
Once infections come in, the faster the network the faster they spread
Segmentation… a previously naughty word
(Diagram: a segmented network. Internet -> redundant routers -> redundant firewalls with IDS/IPS, NIC teams and two switches. Perimeter VLANs: client and site VPN, proxy, DNS & SMTP. Redundant internal firewalls, again with NIC teams and two switches. Internal VLANs, one each for: data network (SQL Server clusters), messaging network (Exchange front end), messaging network (Exchange back end), infrastructure network (internal Active Directory), management network (MOM, deployment), RADIUS network, intranet network (web servers), client networks 1…n. A remote data center hangs off the same Internet edge.)
Which leads us to encryption…
Use of cryptography to encrypt the payload of a transmission; it can be at:
Data level, like Kerberos keys or app-specific encryption
Transport level: SSL, IPsec etc.
Many different symmetric and asymmetric algorithms; their strength determines the effect
Invalidates most IDS, firewall inspection, logging, caching etc. E.g. an SSL tunnel from client to web server invalidates:
Front firewall (all it sees is an encrypted tunnel)
Front IDS (all it sees is an encrypted tunnel)
Encryption everywhere is not necessarily the answer
So then we have Intrusion
Detection, That will stop’em….
Detects the patterns of common attacks, records suspicious traffic in event logs and/or alerts administrators; can collate patterns from many nodes
Threats and vulnerabilities are constantly evolving, which leaves systems vulnerable until a new attack is known and a new signature is created and distributed… hey, this is a good commercial model
Encryption makes network-based ones useless (mostly)
Client-side ones have to be managed and their policy distributed
Heuristic systems are not very common (yet)
Other Network Based Devices
Network-based IDS/IPS/AV and internal firewalls need to be placed where they can see traffic and where they can act upon it
Switches can apply firewall-like rules of what can go where, when and how
Your routing tables can act as segmentation devices, and so can IPsec…
Overview of IPSec
What is IP Security (IPsec)?
A method to secure IP traffic at the IP (network) layer, below the transport layer
A method to mutually authenticate end points
A framework of open standards developed by the Internet Engineering Task Force (IETF)
Uses of IPsec?
To ensure encrypted and authenticated communications at the IP layer
To provide transport security that is independent of applications or application-layer protocols
Protects against spoofing, tampering on the wire and information disclosure
A cheap firewall for Windows 2000 (IPsec filtering used as a packet filter)
Provides a mechanism for tunnelling, probably as bad as good
Host Based O/S Defences
Much conventional technology is focused on this area: host hardening
Hardened machines: components removed, configuration enforced, software execution controlled, domain aware
Authentication schemes like Kerberos ensure end points are who they say they are (Kerberos is one part of AD, not all of it)
Important to mutually authenticate, not just client to server
IPsec can do end-point authentication at the IP network level
Patch Management – Beware Myths
around this….
Patch management is important, but not the be-all and end-all of security: do it right = no bonus; do it wrong = your job
The goal is to eliminate a discovered code vulnerability
If the human body did patch management like IT, we would all be dead…
There have to be other defences in place to buy time for yourself whilst you fix the vulnerability
Zero-day exploits will be faster than any possible patch solution for many years to come
Many solutions are coming from vendors and third parties, but they won't fundamentally change this… yet
Host Based Firewalls
Goal
Machines treat other network peers as hostile, i.e. untrusted
Block connections from outside sources unless they were initiated locally first
Prevent "drones" on the Internet and on corporate networks being compromised by worms (of any vendor's making)
XP and Windows Server 2003 have it built into the OS; other OSes use third-party providers
Windows Firewall (WF) is on by default in almost all configurations
Effectiveness depends on when it boots and what ports are left open
WF: boot-time protection, runs in kernel mode
WF: multiple profile support
Egress (outbound) filtering is still a major feature differential
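To make the "initiated locally first" rule concrete, here is an added example (written for this page; not Windows Firewall code and not from the deck) that models a stateful host firewall: outbound packets create flow state, inbound packets are admitted only when they match that state or a port deliberately left open, and an optional egress allow-list shows what the feature differential on the last line buys you. The packet layout, the addresses and the scenario are constructed for the example, and closing state on the first FIN or RST is a simplification of real TCP tracking.

```python
"""Model of a stateful host firewall: inbound is allowed only for locally initiated
flows or explicitly opened ports; optional egress filtering on outbound ports.

Example written for this page; packet format, addresses and the scenario are
constructed, and the state tracking is simplified (no TCP half-close handling).
"""
from collections import namedtuple

# direction is "out" (host -> network) or "in" (network -> host); flags is a set of TCP flags.
Packet = namedtuple("Packet", "direction proto src_ip src_port dst_ip dst_port flags")


class StatefulHostFirewall:
    def __init__(self, host_ip, listening=(), egress_ports=None):
        self.host_ip = host_ip
        self.listening = set(listening)      # (proto, port) pairs deliberately left open
        self.egress_ports = egress_ports     # None = no egress filtering; else allowed remote ports
        self.flows = set()                   # (proto, remote_ip, remote_port, local_port) we opened

    def filter(self, pkt):
        """Return "allow" or "drop" for one packet, updating flow state as a side effect."""
        if pkt.direction == "out":
            if self.egress_ports is not None and pkt.dst_port not in self.egress_ports:
                return "drop"                # e.g. an infected host trying to spread on 445
            # Remember the flow so that replies to it can come back in.
            self.flows.add((pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_port))
            return "allow"

        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_port)
        if key in self.flows:
            if pkt.proto == "tcp" and pkt.flags & {"FIN", "RST"}:
                self.flows.discard(key)      # peer closed: forget the flow (simplified)
            return "allow"
        if (pkt.proto, pkt.dst_port) in self.listening:
            return "allow"                   # an opened port is still reachable by anyone
        return "drop"                        # unsolicited inbound: the worm probe case


def run_scenario():
    """Replay a constructed packet sequence; returns the list of decisions."""
    fw = StatefulHostFirewall("10.0.0.5", listening={("tcp", 3389)}, egress_ports={53, 80, 443})
    packets = [
        Packet("out", "tcp", "10.0.0.5", 49152, "203.0.113.10", 80, {"SYN"}),        # user browses out
        Packet("in", "tcp", "203.0.113.10", 80, "10.0.0.5", 49152, {"SYN", "ACK"}),  # reply to that flow
        Packet("in", "tcp", "198.51.100.7", 4444, "10.0.0.5", 445, {"SYN"}),         # unsolicited SMB probe
        Packet("in", "tcp", "10.0.0.9", 50000, "10.0.0.5", 3389, {"SYN"}),           # RDP, port left open
        Packet("in", "tcp", "203.0.113.10", 80, "10.0.0.5", 49152, {"FIN", "ACK"}),  # server closes
        Packet("in", "tcp", "203.0.113.10", 80, "10.0.0.5", 49152, {"ACK"}),         # late packet after close
        Packet("out", "tcp", "10.0.0.5", 49153, "10.0.0.20", 445, {"SYN"}),          # our host trying to spread
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    print(run_scenario())
```

Two things the scenario shows that the slide only states: the RDP port that was left open is reachable by anyone, state or no state, which is the "what ports are left open" caveat; and without an egress list the last packet would be allowed, which is how a compromised laptop becomes a drone on the corporate network.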
Host Based Security Technologies
Anti-Virus
Looks for signatures of pathogens, usually in files or via mail-client integration
Real-time scanning for known issues
Dependent on a continual refresh of signatures
Host Based IDS
Looks for patterns at the network packet or file level; frequently bundles a host firewall as well
Sends information to a central point for gathering
Some can look for behaviour deltas
Host Domain Security Design
AD is amongst the best security tools
Frequent re-application of host security policy
Hierarchical application of policy (diagram): Domain, with the Domain Policy; Department OU; Windows XP OU, with the Desktop Policy; Desktop OU and Laptop OU beneath it, the Laptop OU with the Laptop Policy; Secured XP Users OU, with the Secured XP Users Policy
NTFS, registry, permissions, security settings, groups and services can all be controlled: a thousand-plus settings
Further settings can be applied in custom templates
Host Based Challenges
Unless technologies are behavioural or heuristic they are linked to signatures of attack patterns, which means latency in policy deployment
Group Policy refreshes every 90 minutes plus a random offset of up to 30, and by default it re-applies a policy only when the policy on the server has changed, not when settings on the host have drifted
Deploying policy and its response time can be an issue: Slammer took 9 seconds to bring down the network
Behavioural heuristics are coming, which will actively build profiles and stop things outside them
Security Auditing
Ultimately, what security is about in human terms: having enough defences in place to stop someone from doing something until you notice them doing it and stop them
Understand what is going on; auditing is the most important thing
If someone walks up to a bank and takes out a machine gun, someone will notice
If you don't notice them doing it, then all your efforts will eventually fail: anyone could break into anywhere if given enough explosives, people and attitude
What stops them is that someone notices and counteracts them: police, army, SWAT, etc.
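The "notice them doing it" step is where audit logs earn their keep, so here is an added example (written for this page, not from the deck) of the detection logic a practitioner would run over logon-audit events: a sliding window that raises an alert when one account is guessed at repeatedly from one source, and a second, more urgent alert when a logon from that pair then succeeds. The one-line-per-event format and the sample lines are constructed for the example, not the native Windows event log format; the event IDs follow the Windows 2000/2003 numbering (529 logon failure, 528/540 successful logon).

```python
"""Detect password guessing in logon-audit events, and the case where it succeeded.

Example written for this page. The one-line-per-event format below is this example's
own simplified rendering, not the native Windows event log format; the sample is
constructed. Event IDs follow Windows 2000/2003: 529 = logon failure (unknown user
name or bad password), 528 = successful logon, 540 = successful network logon.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2003-10-27 02:14:07 EventID=529 User=Administrator Source=10.0.0.77 Target=SQL-01
2003-10-27 02:14:08 EventID=529 User=Administrator Source=10.0.0.77 Target=SQL-01
2003-10-27 02:14:09 EventID=529 User=Administrator Source=10.0.0.77 Target=SQL-01
2003-10-27 02:14:10 EventID=529 User=Administrator Source=10.0.0.77 Target=SQL-01
2003-10-27 02:14:11 EventID=529 User=Administrator Source=10.0.0.77 Target=SQL-01
2003-10-27 02:14:12 EventID=529 User=Administrator Source=10.0.0.77 Target=SQL-01
2003-10-27 02:14:15 EventID=540 User=Administrator Source=10.0.0.77 Target=SQL-01
2003-10-27 02:20:00 EventID=529 User=jsmith Source=10.0.0.12 Target=FILE-01
2003-10-27 02:25:00 EventID=540 User=jsmith Source=10.0.0.12 Target=FILE-01
"""

LINE_RE = re.compile(r"^(\S+ \S+) EventID=(\d+) User=(\S+) Source=(\S+) Target=(\S+)$")


def parse_events(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # skip anything that is not an event line
        ts, eid, user, src, target = m.groups()
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "id": int(eid), "user": user.lower(), "src": src, "target": target})
    return events


def detect(events, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window detector. Returns (kind, user, source, time) alerts:
    'password-guessing' when `threshold` failures for one (user, source) fall inside
    `window`, and 'guessing-then-success' when a logon from that pair then succeeds."""
    alerts = []
    failures = defaultdict(deque)       # (user, src) -> timestamps of recent 529s
    flagged = set()                     # pairs already alerted on, to avoid repeats
    for e in sorted(events, key=lambda ev: ev["time"]):
        key = (e["user"], e["src"])
        q = failures[key]
        if e["id"] == 529:
            q.append(e["time"])
            while q and e["time"] - q[0] > window:
                q.popleft()             # drop failures older than the window
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append(("password-guessing", e["user"], e["src"], e["time"]))
        elif e["id"] in (528, 540):
            if key in flagged:
                alerts.append(("guessing-then-success", e["user"], e["src"], e["time"]))
            q.clear()
            flagged.discard(key)        # a fresh campaign after success alerts again
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

The jsmith lines produce nothing: one typo followed by a successful logon is normal. The administrator lines produce both alerts, and the second one is the bank robber already inside the vault; a detector like this only helps if someone is paged on it and acts, which is the slide's whole argument.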
and finally….. we have the application
The application is what the IT asset exists to do
– securing it is critical
Depends on guidance from vendors,
architecture, and required privileges and design
Secure by Design, Secure by Default and Secure in Deployment is the Microsoft guidance; other vendors have theirs
Too many application details to mention
Common Database Server Threats
and Countermeasures
Threats: password cracking, SQL injection, network eavesdropping, unauthorized external access
Web app vulnerabilities: overprivileged accounts, weak input validation
Network vulnerabilities: failure to block SQL ports
Configuration vulnerabilities: overprivileged service account, weak permissions, no certificate
(Diagram: Browser -> Perimeter Firewall -> Web App -> Internal Firewall -> SQL Server)
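Of the threats above, SQL injection through weak input validation is the one best shown in code, so here is an added example (written for this page, not from the deck, and not SQL Server code: it uses Python's standard sqlite3 module so that it runs anywhere) with the vulnerable lookup beside its parameterised fix and an allow-list validator in front of both. The table, the rows, the attacker input and the username policy are constructed for the example.

```python
"""SQL injection through weak input validation, beside the parameterised fix.

Example written for this page (not from the deck, and not SQL Server code: it uses
the sqlite3 module from the Python standard library so that it runs anywhere). The
table, rows, attacker input and username policy are constructed.
"""
import re
import sqlite3

USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")   # allow-list, assumed policy


def make_db():
    """In-memory sample database standing in for the SQL Server in the diagram."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "user", "h1"), ("bob", "user", "h2"), ("sa", "admin", "h3")])
    return conn


def lookup_user_vulnerable(conn, name):
    """Weak input validation: the value is spliced into the SQL text, so a quote in
    the input changes the statement's structure instead of being data."""
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, name):
    """Parameterised query: the driver binds the value, which is never parsed as SQL."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def is_valid_username(name):
    """Defence in depth: reject anything outside the allow-list before it reaches the DB."""
    return bool(USERNAME_RE.match(name))


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"              # classic tautology injection
    print("vulnerable:", lookup_user_vulnerable(conn, payload))   # every row, including sa
    print("safe:      ", lookup_user_safe(conn, payload))         # no such user
    print("validated: ", is_valid_username(payload))              # False
```

The parameterised query is the fix; the validator is a second line that also catches the overprivileged-account case indirectly, because a query that cannot be reshaped cannot be used to reach tables the web account should never have been granted in the first place. Running the web application under a minimally privileged database login remains necessary regardless.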
Exchange Architecture
(Diagram; ports too many to list, see slide. Internet -> firewall -> Exchange front end: TCP 25 in/out, TCP 443 in, TCP 80 in; TCP 80 and TCP 443 encapsulate RPC for web and Outlook clients (RPC over HTTP). A potential firewall sits between front end and back end. Back end: RPC to the DC/GC (DNS, Netlogon, Kerberos, GC lookups), TCP 25 inbound/outbound to the mail server, and RPC to internal clients on the internal net.)
Closing Out Our Tour
Security is about natively stopping them
doing bad/dumb things for just long
enough for you to notice, and take
corrective action whilst allowing everything
else to work
You have to know how your system works
You have to assume they know how it
works (obscurity is no defence)
Any questions…..
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only.
MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.