Securing Network – Wireless – and Connected Infrastructures. Fred Baumhardt, Infrastructure Solutions Consulting. Microsoft Security Solutions, Feb 4th, 2003. Agenda: Defining the Datacenter Network Security Problem; Penetration Techniques and Tools; Network Defence-in-Depth Strategy.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Securing Network – Wireless – and Connected Infrastructures' - Rita


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
slide1

Securing Network – Wireless – and Connected Infrastructures

Fred Baumhardt

Infrastructure Solutions Consulting

Microsoft Security Solutions, Feb 4th, 2003

Agenda
  • Defining the Datacenter Network Security Problem
  • Penetration Techniques and Tools
  • Network Defence-in-Depth Strategy
    • Perimeter and Network Defences
    • Operating System and Services Defences
    • Application Defences
    • Data Defences
The Datacenter Problem We All Face
[Diagram labels: Some Core Systems, Extranets, Internet Systems, Project 1…n System, Branch Offices, Departments]
  • Systems organically grown under “Project” context
  • No clear best practice from vendors
  • Security often bolted on as an afterthought
  • Fear of change – Time to Market
The Big Picture of Security
  • OS hardening is only one component of a security strategy, and firewalls are not a panacea
  • Entering the Bank Branch doesn’t get you into the vault
  • Security relies on multiple things
    • People and skills
    • Process and incident management
    • Internal Technologies – e.g. OS, Management Tools, switches, IDS, ISA
    • Edge Technologies – Firewalls, ISA, IDS
Threat Modelling
  • Internal users are usually far more dangerous
  • Normal employees have tools, experience, and know your systems – after all, they use them
  • Customers usually take few internal protection precautions – preferring to focus on external firewalls and DMZ scenarios for security
  • Data is now being hacked – not just systems
The First Phase of Hacking
  • Information Gathering and Intelligence
    • Port Scanning – Banner Grabbing – TCP/IP Packet Profiling – TTL Packet Manipulating
    • Researching network structure – newsgroup posts, outbound emails, these all hold clues to network design

The Second Phase of Hacking
  • Analysis of Collected Information
    • Process relevant bits of data about target network
    • Formulate an attack plan
    • For example: an attacker won't use Sun-specific attacks on W2K boxes, won't use NT attacks on .NET, etc.
    • Hacker Forums, websites, exploit catalogues
The Third Phase of Hacking
  • The Compromise
    • OS Specific Attacks
    • Denial of Service Attacks
    • Application Attacks
      • Buffer Overflows
      • URL String Attacks
      • Injection
      • Cross-site Scripting Attacks
  • Compromised system jumps into another
Networking and Security
  • The network component is the single most important aspect to security
  • Wireless is based on Radio transmission and reception – not bounded by wires
  • Some sort of encryption is thus required to protect the open medium
  • Ethernet is also just about as insecure
Network Problems ctd
  • Use encryption and authentication to control access to network
    • WEP – Wired Equivalent Privacy
    • 802.1X - using Public Key Cryptography
    • Mutually authenticating client and network
Securing a Wireless Connection
  • Three major strategies
    • WEP – basic low security simple solution
    • VPN – use an encrypted tunnel assuming network is untrusted
    • 802.1X family – Use PKI to encrypt seamlessly from client to access point
      • Usually complex to implement but then seamless to user
      • Substantial investment in PKI
    • Also vendor-specific options such as LEAP
What about the wired network?
  • This is where the hackers kill you
  • Currently a “total trust” model
    • You can ping HR database, or chairman's PC, or accounting system in Tokyo
  • We assume anyone who can get in to our internal network is trusted – and well intentioned
  • Ethernet and TCP/IP are fundamentally insecure
VPN
  • Extend the “internal” network space to clients on the Internet
  • Extends the security perimeter to the client
  • Main systems are PPTP – L2TP/IPSEC
[Diagram labels: A, B, Host, Host, IP Tunnel, Corporate Net or Client, Corporate Net in Reading, Router C, Router D, Internet]

How the Architecture Can Prevent Attack
[Diagram labels, in the order they appear: Internet; Remote data center; Redundant Routers; Redundant Firewalls; Intrusion Detection; BORDER; NIC teams/2 switches; VLANs; Perimeter; Client and Site VPN; DNS & SMTP; Proxy; Redundant Internal Firewalls; Infrastructure Network – Perimeter Active Directory; NIC teams/2 switches; INTERNAL; VLANs; Messaging Network – Exchange; Data Network – SQL Server Clusters; Infrastructure Network – Internal Active Directory; VLANs; Client Network; RADIUS Network; Intranet Network - Web Servers; Management Network – MOM, deployment]

How do I do it?
  • A Flat DMZ Design to push intelligent inspection outwards
  • ISA layer 7 filtration – RPC – SMTP – HTTP -
  • Switches that act like firewalls
  • IPSec where required between servers
  • Group Policy to Manage Security
  • 802.1X or VPN into ISA servers treating Wireless as Hostile
  • Internal IDS installed

[Diagram labels: Internet, Wireless, Stateful Packet Filtering Firewall, Application Filtering Firewall (ISA Server), Exchange Server, TCP 443: HTTPS, TCP 80: HTTP]
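
An added example (not part of the original presentation) of checking for the "total trust" wired network described earlier: it audits flow records against a default-deny allow-list between the networks named on the architecture slide. The subnets, allow rules, record format and sample flows are all constructed assumptions.

```python
import ipaddress

# Constructed addressing plan: one subnet per network named on the
# architecture slide. The prefixes are assumptions, not from the deck.
ZONES = {
    "client":    ipaddress.ip_network("10.10.0.0/16"),
    "intranet":  ipaddress.ip_network("10.20.1.0/24"),
    "messaging": ipaddress.ip_network("10.20.2.0/24"),
    "data":      ipaddress.ip_network("10.20.3.0/24"),
    "mgmt":      ipaddress.ip_network("10.20.9.0/24"),
}

# Assumed allow-list of (source zone, destination zone, protocol, port).
# Anything crossing a zone boundary that is not listed here is a finding.
ALLOW = {
    ("client", "intranet", "tcp", 80),
    ("client", "intranet", "tcp", 443),
    ("client", "messaging", "tcp", 443),
    ("intranet", "data", "tcp", 1433),
}

def zone_of(addr):
    ip = ipaddress.ip_address(addr)
    return next((z for z, net in ZONES.items() if ip in net), "unknown")

def audit(flow_lines):
    """Return (src_zone, dst_zone, proto, port) for each disallowed cross-zone flow."""
    findings = []
    for line in flow_lines:
        src, dst, proto, port = line.split()
        flow = (zone_of(src), zone_of(dst), proto, int(port))
        same_zone = flow[0] == flow[1] != "unknown"
        if not same_zone and flow not in ALLOW:
            findings.append(flow)
    return findings

# Constructed flow records: "src dst proto dst_port" (port 0 for ICMP).
SAMPLE_FLOWS = [
    "10.10.4.7 10.20.1.10 tcp 443",    # client to intranet web: allowed
    "10.10.4.7 10.20.3.5 icmp 0",      # client pings the database: total-trust symptom
    "10.20.1.10 10.20.3.5 tcp 1433",   # web tier to SQL Server: allowed
    "10.10.4.7 10.20.3.5 tcp 1433",    # client straight to SQL Server
    "192.168.50.9 10.20.9.2 tcp 3389", # unmapped source reaching management
    "10.20.3.5 10.20.3.6 tcp 1433",    # inside one VLAN: not crossing a boundary
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print("DENY-CANDIDATE", *finding)
```

On a flat network every one of these flows succeeds; with per-VLAN filtering the three findings are the ones the switches or internal firewalls should drop and the internal IDS should report.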

Call To Action
  • Take Action – your network transport is insecure
  • Read and use security operations guides for each technology you use
  • Mail me with questions – fredbaum@microsoft.com
    • If I didn’t want to talk to you I would put a fake address
  • Use the free MS tools to establish a baseline and stay on it
  • Attack yourself – you will learn
Wherever you go – go securely!