Securing Network – Wireless – and Connected Infrastructures
Securing Network – Wireless – and Connected Infrastructures Fred Baumhardt Infrastructure Solutions Consulting Microsoft Security Solutions, Feb 4 th , 2003 Agenda Defining the Datacenter Network Security Problem Penetration Techniques and Tools Network Defence-in-Depth Strategy


Securing Network – Wireless – and Connected Infrastructures

Fred Baumhardt

Infrastructure Solutions Consulting

Microsoft Security Solutions, Feb 4th, 2003

Agenda

  • Defining the Datacenter Network Security Problem

  • Penetration Techniques and Tools

  • Network Defence-in-Depth Strategy

    • Perimeter and Network Defences

    • Operating System and Services Defences

    • Application Defences

    • Data Defences

The Datacenter Problem We All Face

[Diagram labels: Some Core Systems; Internet Systems; Project 1…n System; Branch Offices]

  • Systems organically grown under “Project” context

  • No clear best practice from vendors

  • Security often bolted on as an afterthought

  • Fear of change – Time to Market

The Big Picture of Security

  • OS hardening is only one component of security strategy AND Firewalls are not a Panacea

  • Entering the Bank Branch doesn’t get you into the vault

  • Security relies on multiple things

    • People and skills

    • Process and incident management

    • Internal Technologies – e.g. OS, Management Tools, switches, IDS, ISA

    • Edge Technologies – Firewalls, ISA, IDS

Threat Modelling

Internal users are usually far more dangerous

Normal employees have tools, experience, and know your systems – after all, they use them

Customers usually take few internal protection precautions – preferring to focus on external firewalls and DMZ scenarios for security

Data is now being hacked – not just systems

The First Phase of Hacking

  • Information Gathering and Intelligence

    • Port Scanning – Banner Grabbing – TCP/IP Packet Profiling – TTL Packet Manipulating

    • Researching network structure – newsgroup posts, outbound emails, these all hold clues to network design


The Second Phase of Hacking

  • Analysis of Collected Information

    • Process relevant bits of data about target network

    • Formulate an attack plan

    • For example: an attacker won’t use SUN-specific attacks on W2K boxes, won’t use NT attacks on .NET, etc.

    • Hacker Forums, websites, exploit catalogues

The Third Phase of Hacking

  • The Compromise

    • OS Specific Attacks

    • Denial of Service Attacks

    • Application Attacks

      • Buffer Overflows

      • URL String Attacks

      • Injection

      • Cross-site Scripting Attacks

  • Compromised system jumps into another

Networking and Security

  • The network component is the single most important aspect to security

  • Wireless is based on Radio transmission and reception – not bounded by wires

  • Some sort of encryption is thus required to protect the open medium

  • Ethernet is also just about as insecure

Network Problems ctd

  • Use encryption and authentication to control access to network

    • WEP – Wired Equivalent Privacy

    • 802.1X - using Public Key Cryptography

    • Mutually authenticating client and network

Securing a Wireless Connection

  • Three major strategies

    • WEP – basic low security simple solution

    • VPN – use an encrypted tunnel assuming network is untrusted

    • 802.1X family – Use PKI to encrypt seamlessly from client to access point

      • Usually complex to implement but then seamless to user

      • Substantial investment in PKI

    • Also vendor-specific, like LEAP

What about the wired network?

  • This is where the hackers kill you

  • Currently a “total trust” model

    • You can ping HR database, or chairman's PC, or accounting system in Tokyo

  • We assume anyone who can get into our internal network is trusted – and well intentioned

  • Ethernet and TCP/IP are fundamentally insecure

Slide 13

  • Extend the “internal” network space to clients on the Internet

  • Extends the security perimeter to the client

  • Main systems are PPTP – L2TP/IPSEC

[Diagram labels: IP Tunnel; Corporate Net or Client; Corporate Net in Reading; Router D; Router C]

How the Architecture Can Prevent Attack

[Architecture diagram labels:]

  • Remote data

  • Redundant Routers

  • Redundant Firewalls

  • Intrusion Detection

  • NIC teams/2 switches

  • Client and Site VPN

  • Redundant Internal Firewalls

  • Infrastructure Network – Perimeter Active Directory

  • NIC teams/2 switches

  • Messaging Network – Exchange

  • Data Network – SQL Server Clusters

  • Infrastructure Network – Internal Active Directory

  • Client Network

  • RADIUS Network

  • Intranet Network – Web Servers

  • Management Network – MOM, deployment

How do I do it?

  • A Flat DMZ Design to push intelligent inspection outwards

  • ISA layer 7 filtration – RPC – SMTP – HTTP

  • Switches that act like firewalls

  • IPSec where required between servers

  • Group Policy to Manage Security

  • 802.1X or VPN into ISA servers treating Wireless as Hostile

  • Internal IDS installed





Stateful Packet



Application Filtering Firewall (ISA Server)

Exchange Server


Call To Action

  • Take Action – your network transport is insecure

  • Read and use security operations guides for each technology you use

  • Mail me with questions – [email protected]

    • If I didn’t want to talk to you I would put a fake address

  • Use the free MS tools to establish a baseline and stay on it

  • Attack yourself – you will learn

Wherever you go – go securely!