Securing Network – Wireless – and Connected Infrastructures

Securing Network – Wireless – and Connected Infrastructures. Fred Baumhardt, Infrastructure Solutions Consulting, Microsoft Security Solutions, Feb 4th, 2003. Agenda: Defining the Datacenter Network Security Problem; Penetration Techniques and Tools; Network Defence-in-Depth Strategy.

Presentation Transcript

Securing Network – Wireless – and Connected Infrastructures

Fred Baumhardt

Infrastructure Solutions Consulting

Microsoft Security Solutions, Feb 4th, 2003


Agenda

  • Defining the Datacenter Network Security Problem

  • Penetration Techniques and Tools

  • Network Defence-in-Depth Strategy

    • Perimeter and Network Defences

    • Operating System and Services Defences

    • Application Defences

    • Data Defences


The Datacenter Problem We All Face

[Diagram labels: Some Core Systems, Extranets, Internet Systems, Project 1…n System, Branch Offices, Departments]

  • Systems organically grown under “Project” context

  • No clear best practice from vendors

  • Security often bolted on as an afterthought

  • Fear of change – Time to Market


The Big Picture of Security

  • OS hardening is only one component of security strategy AND Firewalls are not a Panacea

  • Entering the Bank Branch doesn’t get you into the vault

  • Security relies on multiple things

    • People and skills

    • Process and incident management

    • Internal Technologies – e.g. OS, Management Tools, switches, IDS, ISA

    • Edge Technologies – Firewalls, ISA, IDS


Threat Modelling

Internal users are usually far more dangerous

Normal employees have tools, experience, and know your systems – after all they use them

Customers usually take few internal protection precautions – preferring to focus on external firewalls and DMZ scenarios for security

Data is now being hacked – not just systems


The First Phase of Hacking

  • Information Gathering and Intelligence

    • Port Scanning – Banner Grabbing – TCP/IP Packet Profiling – TTL Packet Manipulating

    • Researching network structure – newsgroup posts, outbound emails, these all hold clues to network design



The Second Phase of Hacking

  • Analysis of Collected Information

    • Process relevant bits of data about target network

    • Formulate an attack plan

    • For example: an attacker won’t use SUN-specific attacks on W2K boxes, won’t use NT attacks on .NET, etc.

    • Hacker Forums, websites, exploit catalogues


The Third Phase of Hacking

  • The Compromise

    • OS Specific Attacks

    • Denial of Service Attacks

    • Application Attacks

      • Buffer Overflows

      • URL String Attacks

      • Injection

      • Cross-site Scripting Attacks

  • Compromised system jumps into another


Networking and Security

  • The network component is the single most important aspect to security

  • Wireless is based on Radio transmission and reception – not bounded by wires

  • Some sort of encryption is thus required to protect the open medium

  • Ethernet is also just about as insecure


Network Problems ctd

  • Use encryption and authentication to control access to network

    • WEP – Wired Equivalent Privacy

    • 802.1X - using Public Key Cryptography

    • Mutually authenticating client and network


Securing a Wireless Connection

  • Three major strategies

    • WEP – basic low security simple solution

    • VPN – use an encrypted tunnel assuming network is untrusted

    • 802.1X family – Use PKI to encrypt seamlessly from client to access point

      • Usually complex to implement but then seamless to user

      • Substantial investment in PKI

    • Also vendor-specific options, like LEAP


What about the wired network?

  • This is where the hackers kill you

  • Currently a “total trust” model

    • You can ping HR database, or chairman's PC, or accounting system in Tokyo

  • We assume anyone who can get in to our internal network is trusted – and well intentioned

  • Ethernet and TCP/IP are fundamentally insecure


VPN

  • Extend the “internal” network space to clients in internet

  • Extends the security perimeter to the client

  • Main systems are PPTP – L2TP/IPSEC

[Diagram labels: Host A, Host B, IP Tunnel, Corporate Net or Client, Corporate Net in Reading, Router C, Router D, Internet]


How the Architecture Can Prevent Attack

[Architecture diagram; only its labels survive, grouped here by the zone names on the slide]

  • Zones: BORDER, Perimeter, INTERNAL

  • Border: Internet, Remote data center, Redundant Routers, Redundant Firewalls, Intrusion Detection, NIC teams/2 switches

  • Perimeter VLANs: Client and Site VPN; DNS & SMTP; Proxy; Infrastructure Network – Perimeter Active Directory

  • Redundant Internal Firewalls, NIC teams/2 switches

  • Internal VLANs: Messaging Network – Exchange; Data Network – SQL Server Clusters; Infrastructure Network – Internal Active Directory; Client Network; RADIUS Network; Intranet Network – Web Servers; Management Network – MOM, deployment

How do I do it?

  • A Flat DMZ Design to push intelligent inspection outwards

  • ISA layer 7 filtration – RPC – SMTP – HTTP

  • Switches that act like firewalls

  • IPSec where required between servers

  • Group Policy to Manage Security

  • 802.1X or VPN into ISA servers treating Wireless as Hostile

  • Internal IDS installed

[Diagram labels: Internet, Wireless, Stateful Packet Filtering Firewall, Application Filtering Firewall (ISA Server), Exchange Server; flows marked TCP 443: HTTPS and TCP 80: HTTP]
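The slides contrast a “total trust” wired network with a segmented design in which wireless is treated as hostile. The following check is an added example, not part of the original presentation: it audits flow records against a default-deny allowlist between segments. The segment names follow the slides; the subnets, the allowed flows and the sample records are assumptions constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Segment names follow the slides; the subnets are constructed for this example.
SEGMENTS = {
    "client": ip_network("10.10.0.0/16"),
    "wireless": ip_network("10.20.0.0/16"),
    "intranet": ip_network("10.30.1.0/24"),
    "messaging": ip_network("10.30.2.0/24"),
    "data": ip_network("10.30.3.0/24"),
    "perimeter": ip_network("192.168.100.0/24"),
}
# Assumed policy: default deny between segments, only these flows are permitted.
ALLOWED = {
    ("client", "intranet", "tcp", 443),
    ("client", "messaging", "tcp", 443),
    ("intranet", "data", "tcp", 1433),
    ("wireless", "perimeter", "udp", 500),  # IKE, used by L2TP/IPsec
}
# Constructed flow records, one per line: src,dst,protocol,dst_port
SAMPLE_FLOWS = """\
10.10.4.17,10.30.1.10,tcp,443
10.10.4.17,10.30.3.5,icmp,0
10.10.4.17,10.30.3.5,tcp,1433
10.20.8.2,192.168.100.5,udp,500
10.20.8.2,10.30.2.7,tcp,443
10.30.1.10,10.30.3.5,tcp,1433
10.30.3.5,10.30.3.6,tcp,1433
172.16.0.9,10.30.3.5,tcp,445
"""

def segment_of(addr):
    """Return the name of the segment containing addr, or 'unknown'."""
    ip = ip_address(addr)
    return next((n for n, net in SEGMENTS.items() if ip in net), "unknown")

def audit(flow_text):
    """Return (src_seg, dst_seg, proto, port, line) for each cross-segment flow with no allow rule."""
    violations = []
    for line in filter(str.strip, flow_text.splitlines()):
        src, dst, proto, port = (f.strip() for f in line.split(","))
        key = (segment_of(src), segment_of(dst), proto.lower(), int(port))
        inside_one_segment = key[0] == key[1] != "unknown"
        if not inside_one_segment and key not in ALLOWED:
            violations.append(key + (line,))
    return violations

if __name__ == "__main__":
    for src_seg, dst_seg, proto, port, line in audit(SAMPLE_FLOWS):
        print(f"unexpected {src_seg} -> {dst_seg} {proto}/{port}: {line}")
```

On the sample records it reports the client pinging and querying the data network directly, the wireless host reaching Exchange without going through the VPN, and traffic from an address that belongs to no known segment.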


Call To Action

  • Take Action – your network transport is insecure

  • Read and use security operations guides for each technology you use

  • Mail me with questions – [email protected]

    • If I didn’t want to talk to you I would put a fake address

  • Use the free MS tools to establish a baseline and stay on it

  • Attack yourself – you will learn


Wherever you go – go securely!