1 / 52

Network Security and ISA Server

Network Security and ISA Server. Paul Hogan Ward Solutions. Session Prerequisites. Hands-on experience with Windows 2000 or Windows Server 2003 Working knowledge of networking, including basics of security Basic knowledge of network security-assessment strategies. Level 300. Agenda.

amaya-bridges
Download Presentation

Network Security and ISA Server

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Network Security and ISA Server Paul Hogan Ward Solutions

  2. Session Prerequisites • Hands-on experience with Windows 2000 or Windows Server 2003 • Working knowledge of networking, including basics of security • Basic knowledge of network security-assessment strategies Level 300

  3. Agenda 10:00 11:00 Network Security 11:00 11:15 Break 11:30 12:00 Securing SQL Server 12:00 1:00 Lunch 1:00 2:00 Securing Exchange 2:30 2:15 Break 2:15 3:15 Lab Sessions 3:15 Q&A

  4. This sessions are about… • …about operational security • The easy way is not always the secure way • Networks are usually designed in particular ways • In many cases, these practices simplify attacks • In some cases these practices enable attacks • In order to avoid these practices it helps to understand how an attacker can use them

  5. This sessions are NOT … • a hacking tutorial • Hacking networks you own can be enlightening • HACKING NETWORKS YOU DO NOT OWN IS ILLEGAL • …demonstrating vulnerabilities in Windows • Everything we show stems from operational security or custom applications • Knowing how Windows operates is critical to avoiding problems • …for the faint of heart

  6. The Sessions

  7. The Network

  8. Introducing the Case-Study Scenario

  9. Strong passwords, ACLs, backup and restore strategy Policies, procedures, and awareness Physical security Data Application Application hardening OS hardening, authentication, security update management, antivirus updates, auditing Host Internal network Network segments, NIDS Firewalls, boarder routers, VPNs with quarantine procedures Perimeter Guards, locks, tracking devices Security policies, procedures, and education Understanding Defense-in-Depth Using a layered approach: • Increases an attacker’s risk of detection • Reduces an attacker’s chance of success

  10. Why Does Network Security Fail? Network security fails in several common areas, including: • Human awareness • Policy factors • Hardware or software misconfigurations • Poor assumptions • Ignorance • Failure to stay up-to-date

  11. What we will cover: • How to Implement Perimeter defenses • How ISA Server protects networks • Using Windows Firewalls to Protect Clients • How to Protect Wireless Networks

  12. Purpose and Limitations of Perimeter Defenses • Properly configured firewalls and border routers are the cornerstone for perimeter security • The Internet and mobility increase security risks • VPNs have exposed a destructive, pernicious entry point for viruses and worms in many organizations • Traditional packet-filtering firewalls only block network ports and computer addresses • Most modern attacks occur at the application layer

  13. Purpose and Limitations of Intrusion Detection • Detects the pattern of common attacks and records suspicious traffic in event logs and/or alerts administrators • Integrates with other firewall features to prevent common attacks • Threats and vulnerabilities are constantly evolving, which leaves systems vulnerable until a new attack is known and a new signature is created and distributed

  14. Implementing Network-Based Intrusion-Detection Systems Network-based intrusion-detection system Provides rapid detection and reporting of external malware attacks Important points to note: • Network-based intrusion-detection systems are only as good as the process that is followed once an intrusion is detected • ISA Server 2004 provides network-based intrusion-detection abilities

  15. Business Partner Main Office LAN LAN Internet Network perimeters include connections to: • The Internet • Branch offices • Business partners • Remote users • Wireless networks • Internet applications Remote User Wireless Network LAN Perimeter Connections Branch Office

  16. Internet Screened Subnet Firewall LAN Firewall Design: Three Homed

  17. Internet DMZ External Firewall Internal Firewall LAN Firewall Design: Back-to-Back

  18. Software vs Hardware Firewalls

  19. Internet Types of Firewalls • Packet Filtering • Stateful Inspection • Application-Layer Inspection Multi-layer inspection (including application-layer filtering)

  20. Agenda • Introduction/Defense in Depth • Using Perimeter Defenses • Using ISA Server to Protect Perimeters • Using Windows Firewall to Protect Clients • Protecting Wireless Networks • Protecting Networks by Using IPSec

  21. Protecting Perimeters • ISA Server has full screening capabilities: • Packet filtering • Stateful inspection • Application-level inspection • ISA Server blocks all network traffic unless you allow it • ISA Server is ICSA and Common Criteria certified

  22. Protecting Clients

  23. Protecting Web Servers • Web Publishing Rules • Protect Web servers behind the firewall from external attacks by inspecting HTTP traffic and ensuring it is properly formatted and complies with standards. • Inspection of SSL traffic • Inspects incoming encrypted Web requests for proper formatting and standards compliance. • Will optionally re-encrypt the traffic before sending them to your Web server

  24. URLScan • ISA Server Feature Pack 1 includes URLScan 2.5 for ISA Server • Allows URLScan ISAPI filter to be applied at the network perimeter • General blocking for all Web servers behind the firewall • Perimeter blocking for known and newly discovered attacks Web Server 1 Web Server 2 ISA Server Web Server 3

  25. Protecting Exchange Server

  26. Demonstration 1Application-Layer Inspection in ISA ServerURL ScanWeb PublishingMessage Screener

  27. Traffic that Bypasses Firewall Inspection • SSL tunnels through traditional firewalls because it is encrypted, which allows viruses and worms to pass through undetected and infect internal servers. • VPN traffic is encrypted and can’t be inspected • Instant Messenger (IM) traffic often is not inspected and may be used to transfer files in addition to be used for messaging.

  28. Inspecting All Traffic • Use intrusion detection and other mechanisms to inspect VPN traffic after it has been decrypted • Remember: Defense in Depth • Use a firewall that can inspect SSL traffic • Expand inspection capabilities of your firewall • Use firewall add-ons to inspect IM traffic

  29. Client Internet Internal Server ISA Server with Feature Pack 1 SSL Inspection • SSL tunnels through traditional firewalls because it is encrypted, which allows viruses and worms to pass through undetected and infect internal servers. • ISA Server pre-authenticates users, eliminating multiple dialog boxes and allowing only valid traffic through. • ISA Server can decrypt and inspect SSL traffic. Inspected traffic can be sent to the internal server re-encrypted or in the clear.

  30. Demonstration 2SSL Inspection in ISA Server

  31. ISA Server Hardening • Secure your Server Wizard • Review Bastion Host information in Security Guides • Disable unnecessary services • Harden the Network Stack • Disable unnecessary network protocols on the external network interface: • File and print sharing • Client for Microsoft Networks • NetBIOS over TCP/IP

  32. Best Practices • Use access rules that only allow requests that are specifically allowed • Use ISA server’s authentication capabilities to restrict and log Internet access • Configure Web publishing rules only for specific URLs • Use SSL Inspection to inspect encrypted data that is entering your network

  33. Demonstration 3Internet Connection Firewall (ICF)Configuring ICF ManuallyTesting ICFReviewing ICF Log FilesConfiguring Group Policy Settings

  34. Agenda • Introduction/Defense in Depth • Using Perimeter Defenses • Using ISA Server to Protect Perimeters • Using Windows Firewall to Protect Clients • Protecting Wireless Networks • Protecting Networks by Using IPSec

  35. New Security Features in Windows Firewall On by default On with no exceptions ü ü Windows Firewall exceptions list Boot-time security ü ü Global configuration and restore defaults Multiple profiles ü ü RPC support ü Local subnet restrictions ü Unattended setup support ü Command-line support ü

  36. Configuring Windows Firewall for Antivirus Defense

  37. Agenda • Introduction/Defense in Depth • Using Perimeter Defenses • Using ISA Server to Protect Perimeters • Using Windows Firewall to Protect Clients • Protecting Wireless Networks • Protecting Networks by Using IPSec

  38. Wireless Security Issues • Limitations of Wired Equivalent Privacy (WEP) • WEP is inherently weak to due poor key exchange. • WEP keys are not dynamically changed and therefore vulnerable to attack. • No method for provisioning WEP keys to clients. • Limitations of MAC Address Filtering • Scalability - Must be administered and propagated to all APs. List may have a size limit. • No way to associate a MAC to a username. • User could neglect to report a lost card. • Attacker could spoof an allowed MAC address.

  39. Possible Solutions • VPN Connectivity • PPTP • L2TP • Third Party • IPSec • Many vendors • Password-based Layer 2 Authentication • Cisco LEAP • RSA/Secure ID • IEEE 802.1x PEAP/MSCHAP v2 • Certificate-based Layer 2 Authentication • IEEE 802.1x EAP/TLS

  40. WLAN Security Comparisons

  41. 802.1X • Defines port-based access control mechanism • Works on anything, wired and wireless • Access point must support 802.1X • No special encryption key requirements • Allows choice of authentication methods using EAP • Chosen by peers at authentication time • Access point doesn’t care about EAP methods • Manages keys automatically • No need to preprogram wireless encryption keys

  42. 802.1X using EAP/TLS or MSCHAPv2 802.11/.1XAccess Point RADIUS (IAS) Server Certificate Domain User/Machine Certificate 3, 5, 7 1, 2, 6 EAP Connection 4 Certification Authority Laptop Domain Controller DHCP Exchange File Server

  43. Wi-Fi Protected Access (WPA) • A specification of standards-based, interoperable security enhancements that strongly increase the level of data protection and access control for existing and future wireless LAN systems • Goals • Enhanced Data Encryption • Provide user authentication • Be forward compatible with 802.11i • Provide non-RADIUS solution for Small/Home offices (WPA-PSK) • Products shipping

  44. Best Practices • Use 802.1x authentication • Organize wireless users and computers into groups • Apply wireless access policies using Group Policy • Use EAP/TLS and 128 bit WEP • Set clients to force user authentication as well as machine authentication • Develop a method to manage rogue APs such as LAN based 802.1x authentication and wireless sniffers.

  45. What Firewalls Do NOT Protect Against • Malicious traffic that is passed on open ports and not inspected by the firewall • Any traffic that passes through an encrypted tunnel or session • Attacks after a network has been penetrated • Traffic that appears legitimate • Users and administrators who intentionally or accidentally install viruses • Administrators who use weak passwords

  46. Understanding Application and Database Attacks Common application and database attacks include: Buffer overruns: • Write applications in managed code SQL injection attacks: • Validate input for correct size and type

  47. Attacks: Buffer Overflow • Aka the “Boundary Condition Error”: Stuff more data into a buffer than it can handle. The resulting overflowed data “falls” into a precise location and is executed by the system • Local overflows are executed while logged into the target system • Remote overflows are executed by processes running on the target that the attacker “connects” to • Result: Commands are executed at the privilege level of the overflowed program

  48. Attacks: Input validation • An process does not “strip” input before processing it, ie special shell characters such as semicolon and pipe symbols • An attacker provides data in unexpected fields, ie SQL database parameters

  49. Implementing Application Layer Filtering Application layer filtering includes the following: • Web browsing and e-mail can be scanned to ensure that content specific to each does not contain illegitimate data • Deep content analyses, including the ability to detect, inspect, and validate traffic using any port and protocol

  50. Session Summary • Introduction/Defense in Depth • Using Perimeter Defenses • Using ISA Server to Protect Perimeters • Using ICF to Protect Clients • Protecting Wireless Networks

More Related