MSA: Secure Datacenter Design

Sec 372
Microsoft Systems Architecture: The Secure Datacenter Design
Fred Baumhardt, Microsoft UK
Luis Carvalho, Microsoft Portugal
Agenda
- Why we are all in a big mess
- Brief intro to Trustworthy Computing
- Who Hacks You – Where – and Why
- Security Mitigation and Countermeasures
- Strategic Defence
- Defense-in-Depth Strategy
  - Physical Defenses
  - Network Defenses
  - Host/Device Defenses
  - Data Defenses
  - Application Defenses
The Datacenter Security Problem
- Systems organically grown under a “Project” context
- No clear best practice from vendors – plus vulnerabilities
- Security often bolted on as an afterthought
- Fear of change in solution
- The sticky tape thing sort of works – so let’s not touch it!
(Diagram: some core systems – Extranets, Internet Systems, Project 1…n Systems, Branch Offices, Departments)
Internet Security Roots
- The protocol is not designed for security!!!!
- The Internet used to require security clearance to use – physical access was restricted – no need for protocol security
- Resistance to nuclear attack was more important than protecting traffic
- Everyone on the network was trusted (and well intentioned) – they will follow port rules – right??
- TCP/IP was thus designed without security in mind – added as a bolt-on
Who are the enemies?
- Answer: *.* – don’t trust anyone
- Stats vary – but the majority of serious attacks originate internally
  - Corporate espionage or inside knowledge
  - “People playing with stuff they don’t know”
  - Self-propagating attacks (Slammer, Nimda)
- Externally… could be anyone
  - “Script kiddies” armed with widely accessible tools – powerful, simple tools – stupid people
  - More serious attackers – corporate espionage, h@ckuRs looking for greetz
HTTP is Safe and Harmless…. Right?
- Most firewalls have closed almost all ports other than TCP 80 – which is NOT HTTP
- So “developers” create Web Services, SOAP, SIP, RPC/HTTP, etc. to get around this – for them it’s called “next generation web services”
- Hackers are also developers – they use the same behaviour to perforate security – for them it’s called “hacking”
But It’s OK – I got a Firewall…
- False, fake, and irrelevant sense of security to people who don’t understand it
- Most firewalls don’t understand the difference between ports and data
- Most firewalls don’t protect internally – conventional wisdom is you don’t have to
- End-to-end encryption invalidates most firewalls and IDS
- Did your firewall stop Nimda, the Apache worm, the Sendmail trojan, Love-Letter.vbs?
Don’t panic – we’re on it
- We all have an industry problem – not a vendor specific one
- Strategic Defence – Trustworthy Computing
- Technology Defence – SD3+C
- People and Process Defence – Microsoft Solutions (MSA – MSS – MSM – MOF)
Trustworthy Computing – The NO BS Version
- How much do you trust your computer?
- Not many people do – so we have to do any and everything until people trust it – earn respect
- Cultural change – NOT a marketing campaign
- People – process – technology
- Core tenets: Security, Privacy, Reliability, Business Integrity
TwC – Security Framework: SD3 + Communications
- Secure by Design
  - Secure architecture
  - Security aware features
  - Reduce vulnerabilities in the code
- Secure by Default
  - Reduce attack surface area
  - Unused features off by default
  - Only require minimum privilege
- Secure in Deployment
  - Protect, detect, defend, recover, manage
  - Process: how-to, architecture guides, MSA
  - People: training, culture, SBU, leaders
- Communications
  - Security commitment and disclosure
  - Active in broad security community
  - MS Security Response Center – 3rd parties
What MSA Addresses
- MSA is a solution centred approach to security and infrastructure
- MSA can help design and build secure, stable (trustworthy) infrastructures
- MSA implements multi-layer, multi-vendor security – with official best practices
- MSA reduces your pain in designing and achieving secure, stable solutions
What Ships?
- Sample Business Requirements
- Planning Guide: Architectural & Service “Blueprints” (planning information)
- Build Guides (how-to) for sample instantiation
- Design choices, and how we arrived at them, for sample instantiation
- Test guides, scripts, and test results for sample instantiation
- Solution Operations Guide for sample instantiation
Since your requirements will be different, your instantiation will be different.
Keys to Architectural Defence
- Segmentation of logical components in the network – by intelligent devices
- Encryption only where required – with trusted context
- A pro-active/re-active management infrastructure with low latency
- Strategic depth countermeasures covering entire classes of attacks
- Heuristic systems like IDS and AV
Security Risk Management Discipline and MSA
- Assessment
  - Asset assessment and valuation
  - Identifying security risks
  - Analyzing and prioritizing security risks
  - Security risk tracking, planning, and scheduling
- Development and Implementation
  - Security remediation development
  - Security remediation testing
  - Capturing security knowledge
- Operate
  - Reassessing new and changed assets and security risks
  - Stabilizing and deploying new or changed countermeasures
MSA Defensive Countermeasures
The full MSA is very rich – some highlights will be covered in the following areas:
- Security Zones
- Defense-in-Depth Strategy
  - Physical Defenses
  - Network Defenses
  - Host/Device Defenses
  - Data Defenses
  - Application Defenses
Security Zones
(Diagram: zones and the servers placed in each)
- Public zone: Public DNS
- Perimeter zone: Perimeter DNS, Perimeter Web
- Core zone: Core Database, Core AD, Core DNS, Core Infrastructure
- Internal/Private zone: Client
- Tier restrictions: intra-zone tier communication restrictions and inter-zone communication restrictions

Defense In Depth
Identify and potentially mitigate risk at all layers:
- APPLICATION DEFENSE
- DATA DEFENSE
- HOST/DEVICE DEFENSE
- NETWORK DEFENSE
- PHYSICAL DEFENSES
Assume prior layers fail.
Physical Defenses
- Building that equipment is in is access controlled
- Room that equipment is in is access controlled
- Racks that equipment is in are access controlled
Perimeter Network Defenses
MSA Instantiation Guidance Recommendations:
- Routers only allow necessary inbound ports
- Perimeter firewalls maintain stateful tables of connections inbound to permitted hosts/ports, and provide reverse and application proxying
- Perimeter firewalls allow outbound Internet access originating from only specified servers over specified ports
- VPN servers allow secure encrypted remote access to the data center
Internal Network Defenses – Architecture Can Prevent Attack
(Diagram: network layout from the Internet border through the perimeter to the internal networks)
- Internet border: Internet, redundant routers, redundant firewalls
- Perimeter: intrusion detection; NIC teams/2 switches; VLANs for Client and Site VPN, DNS & SMTP, and Proxy; Infrastructure Network – Perimeter Active Directory; redundant internal firewalls
- Internal: NIC teams/2 switches; remote data center link; VLANs for Data Network – SQL Server Clusters, Messaging Network – Exchange, Infrastructure Network – Internal Active Directory, Management Network – MOM and deployment, Client Network, RADIUS Network, and Intranet Network – Web Servers
- Virtual LANs (VLANs) are used to isolate like services from each other
- Switch access control lists (ACLs) are used to control traffic flow between VLANs at Layer 3
- Layer 2 VLANs are used where no routing is desired
- Internal firewalls control port level access to internal VLANs
- Multi-homed DMZ servers… these servers are the only physical connection between the perimeter and internal firewalls
VPN Network Defenses
- EAP certificate-based authentication
- L2TP and PPTP used (PPTP to support older clients)
- In MSA 2.0, Windows Server 2003’s NAT-T is utilized for IPSec
- EAP certificate-based authentication used
Host Defenses
- All servers except the firewalls are members of Windows 2000 and Windows Server 2003 Active Directory, for centralized security administration and management
- Windows 2000 and Windows Server 2003 security templates
- DNS security
- Secured installation of IIS 5
- Minimal installation of IIS 6
Active Directory
- Provides centralized management of servers
- Organizational Units (OUs) are created for each server type (e.g., Web servers, SMTP servers, DNS servers)
- Security templates are created for each server type, and imported to GPOs, which are applied to the OUs
- IDC 1.5 uses a single AD forest/single AD domain
- EDC 1.5 uses a multi-forest AD with no trusts
- MSA 2.0 uses a multi-forest AD with a one way cross-forest trust
Active Directory Security Templates
- IDC 1.5 ships with security templates that are modified versions of the default Windows 2000 security templates
  - Primarily self-contained
- EDC 1.5 ships with modified security templates from the IDC and the Windows 2000 Security Operations Guide
  - Applied hierarchically, locked down higher in the OU structure, necessary back-offs at lower levels in the structure
- MSA 2.0 ships with modified versions of the Windows Server 2003 Security Guide templates
  - Applied hierarchically, locked down higher in the OU structure, necessary back-offs at lower levels in the structure
Domain and Domain Controller Policies
Domain and DC hardening:
- Domain Policy
  - Password and account lockout
  - Audit policy
- Domain Controller Policy
- Server specific OU lockdown policies
  - System services (unnecessary services are disabled)
  - Further harden TCP/IP parameters
  - Implement IPSec packet filters
  - Security options
  - Restrict anonymous, where possible
Other Server Hardening
- Stay current on service packs and hotfixes (hotfixes are a fact of life)
- Disable NetBIOS on servers in the DMZ
- If using Terminal Services on DMZ servers, secure TS to only the internal interface (if multi-homed)
- Secure local and domain accounts
- Secure the file system, use NTFS permissions
- Remove default administrator file share access
- Secure the Administrator accounts
- Don’t configure Windows Server 2003 Active Directory domains for pre-Windows 2000 compatible access unless necessary
  - Some applications need it
DNS Security
Assessing DNS needs:
- Perimeter server AD DNS lookups
- Perimeter server public DNS lookups
- Internal server AD DNS lookups
- Internal server public DNS lookups
- External employee/customer lookup of company’s public servers
- Internal employee lookup of public servers (EDC)

- Separate internal AD, perimeter AD, and public DNS zones
- Separate “resolver” and “advertiser” servers
- Port access controlled for inbound/outbound DNS servers
- DNS “listens” only on the appropriate interface
- Zone transfers and forwarders are tightly controlled
IIS Hardening
- Disable directory browsing
- Set appropriate ACLs on virtual directories
- No sample applications installed
- ACL the IIS log files and configure auditing
- Only .htm and .asp processing configured
- Disable parent paths
- Disable system error messages on production servers
- URLScan tool configured
Some of this is by default in IIS 6.0.
Data Defenses – SQL
- Authentication – Windows Integrated – avoid Mixed
- Data encryption for Mixed using SSL
- Strong password for, and limited use of, the SA account
- Validate input at the DB – call stored procs, not queries
- Connection pooling – perf vs security
- SQL should not be visible to normal user VLANs
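The “validate input at the DB” and “call stored procs, not queries” points, and the limited use of SA, as an added T-SQL example that is not part of the original deck. The table, procedure, user and login names are assumed for illustration.

```sql
-- Added illustration, not from the MSA deck. Table, procedure, user and login
-- names are constructed for the example.
CREATE TABLE dbo.Customer (
    CustomerId   int          NOT NULL PRIMARY KEY,
    CustomerName nvarchar(50) NOT NULL
);
GO

-- The pattern the slide warns against: caller text is spliced into the query
-- string, so SQL Server cannot distinguish data from statement syntax.
CREATE PROCEDURE dbo.GetCustomer_Unsafe @Name nvarchar(50)
AS
    EXEC ('SELECT CustomerId, CustomerName FROM dbo.Customer '
        + 'WHERE CustomerName = ''' + @Name + '''');
GO

-- Hardened form: validate inside the procedure, then use @Name only as a typed
-- parameter of a static statement.
CREATE PROCEDURE dbo.GetCustomer @Name nvarchar(50)
AS
BEGIN
    SET NOCOUNT ON;
    -- Validation at the DB. Assumed business rule: letters, digits, space and
    -- hyphen only; anything else is rejected before any query runs.
    IF @Name IS NULL OR LEN(@Name) = 0 OR @Name LIKE '%[^-A-Za-z0-9 ]%'
    BEGIN
        RAISERROR('Invalid customer name', 16, 1);
        RETURN 1;
    END;

    SELECT CustomerId, CustomerName
    FROM   dbo.Customer
    WHERE  CustomerName = @Name;   -- parameter, never string-built SQL
    RETURN 0;
END;
GO

-- Limited use of SA: the application connects as its own login (assumed to
-- exist) and is granted EXECUTE on the procedure only; no table rights.
CREATE USER AppUser FOR LOGIN AppLogin;
GRANT EXECUTE ON OBJECT::dbo.GetCustomer TO AppUser;
```

With only EXECUTE on the procedure, the application path to the table runs through the validated parameter, which is the intent of the slide’s “stored procs, not queries” rule.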
Data Defenses – Storage
- SAN security guidelines
- NTFS and share permissions
- SMB signing
- Avoid usage of LanMan and legacy auth protocols
- Separate network segments for internal and perimeter servers
- Avoid storing data on external VLANs if possible
Application Defenses
- “Application Security Best Practices at Microsoft”: www.microsoft.com/technet/itsolutions/msit/security/appsecbp.asp
- “Securing Windows 2000 Server”, Microsoft Solution for Securing Windows 2000 Server: www.microsoft.com/technet/security/prodtech/windows/secwin2k/
- The Security section of the Microsoft Developer Network (MSDN) Web site: msdn.microsoft.com/nhp/Default.asp?contentid=28001191&frame=true
- “Writing Secure Code”, Michael Howard and David LeBlanc, ISBN 0-7356-1722-8, April 2002, from MSPress; for more information see www.microsoft.com/mspress/books/5957.asp
- “Designing Secure Web-Based Applications for Microsoft Windows 2000”, Michael Howard, ISBN 0-7356-0995-0, July 2000, from MSPress; for more information see www.microsoft.com/mspress/books/4293.asp
- “Microsoft Patterns and Practices: Reference Building Blocks”: msdn.microsoft.com/practices/type/Blocks/default.asp
Resources
Available today from http://www.microsoft.com/systemsarchitecture:
- MSA Enterprise DataCenter 1.5
- MSA Internet DataCenter 1.5
- MSA 2.0 Technical Preview
Available today from MSS:
- Windows Server 2003 Security Guide at http://microsoft.com/downloads/details.aspx?FamilyId=8A2643C1-0685-4D89 B655521EA6C7B4DB&displaylang=en
We welcome your feedback, e-mail your comments to [email protected]

Ask The Experts – Get Your Questions Answered
Luis and Fred will be available in the ATE area after this session – come talk to us
Community Resources
http://www.microsoft.com/communities/default.mspx
- Most Valuable Professional (MVP): http://www.mvp.support.microsoft.com/
- Newsgroups – converse online with Microsoft Newsgroups, including Worldwide: http://www.microsoft.com/communities/newsgroups/default.mspx
- User Groups – meet and learn with your peers: http://www.microsoft.com/communities/usergroups/default.mspx
© 2003 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.