
Presentation Transcript


  1. Securing the Perimeter. Thomas Lee, Chief Technologist, QA. thomas.lee@qa.com

  2. Continuing from Yesterday • Scripting IPSec • NAT-T

  3. Scripting IPSec • netsh ipsec is the starting point

  4. NAT Traversal: the problem
  • A NAT device cannot update IPSec authentication data: the AH integrity hash covers the source IP address, and in ESP transport mode the protected TCP/UDP checksum covers it too
  • When NATed, the recipient sees the data arriving from a ‘different’ IP address, so the integrity check fails
  • IKE ports cannot be changed (UDP 500 on both ends), and ESP/AH carry no port numbers that a NAT could use to tell several inside hosts apart
  • See http://tinyurl.com/2j99q for more information about NAT issues

  5. NAT-T Changes
  • UDP encapsulation for ESP: a UDP header is placed between the outer IP header and the ESP header, encapsulating the ESP PDU. The same UDP port that IKE moves to once a NAT has been detected (UDP 4500) is used for UDP-encapsulated ESP traffic.
  • A modified IKE header format: the IPSec NAT-T IKE header contains a new Non-ESP Marker field (four zero bytes, which can never be a valid ESP SPI) that allows a recipient to distinguish between a UDP-encapsulated ESP PDU and an IKE message. IPSec NAT-T-capable peers begin to use the new IKE header after they have determined that there is an intermediate NAT.
  • A new NAT-Keepalive packet: a UDP message that uses the same port as IKE traffic, contains a single byte (0xFF) and is used to refresh the UDP port mapping in a NAT for IKE and UDP-encapsulated ESP traffic to a private network host.
  • A new Vendor ID IKE payload: this payload contains a well-known hash value, which indicates that the peer is capable of performing IPSec NAT-T.

  6. NAT-T (continued)
  • A new NAT-Discovery (NAT-D) IKE payload: this payload contains a hash value that incorporates an address and port number. An IPSec peer includes two NAT-Discovery payloads during Main Mode negotiation, one for the destination address and port and one for the source address and port. The recipient uses the NAT-Discovery payloads to discover whether a NAT translated addresses or port numbers and, based on which addresses and ports were changed, which peers are located behind NATs.
  • New encapsulation modes for UDP-encapsulated ESP transport mode and tunnel mode: these two new encapsulation modes are specified during Quick Mode negotiation to inform the IPSec peer that UDP encapsulation for ESP PDUs should be used.
  • A new NAT-Original Address (NAT-OA) IKE payload: this payload contains the original (untranslated) address of the IPSec peer. For UDP-encapsulated ESP transport mode, each peer sends the NAT-OA IKE payload during Quick Mode negotiation. The recipient stores this address in the parameters for the SA
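The two mechanisms on slides 5 and 6 that a firewall or VPN engineer most often has to reason about are the demultiplexing of the shared NAT-T port and the NAT-D check. The following is an added example, not code from the presentation or from Windows: it classifies datagrams on the NAT-T port by the rules above (single 0xFF byte, four-zero-byte Non-ESP Marker, otherwise ESP) and reproduces the NAT-D computation HASH(CKY-I | CKY-R | IP | Port) for a constructed Main Mode exchange in which the initiator sits behind a NAT. SHA-1 as the Phase 1 hash, the cookie values and all addresses are assumptions chosen for the example.

```python
import hashlib
import ipaddress
import struct

# Values from the NAT-T specification (RFC 3947/3948), which the slides paraphrase
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefixes IKE messages on UDP 4500
NAT_KEEPALIVE = b"\xff"                # one-byte datagram that refreshes the NAT mapping


def classify_udp4500(payload: bytes) -> str:
    """Demultiplex a datagram received on the NAT-T port.

    IKE and UDP-encapsulated ESP share the port; an ESP SPI of zero is
    reserved and never sent, so four zero bytes can only be the Non-ESP Marker.
    """
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if len(payload) >= 8 and payload[:4] == NON_ESP_MARKER:
        return "ike"
    if len(payload) >= 8:  # ESP header is SPI (4 bytes) + sequence number (4 bytes)
        return "udp-encapsulated-esp"
    return "malformed"


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload value: HASH(CKY-I | CKY-R | IP | Port).

    HASH is the hash negotiated in Phase 1; SHA-1 is assumed for this example.
    """
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(cky_i + cky_r + addr + struct.pack("!H", port)).digest()


def nat_detected(received_nat_d: bytes, cky_i: bytes, cky_r: bytes,
                 observed_ip: str, observed_port: int) -> bool:
    """Recipient side: recompute the hash over the address and port actually
    seen in the IP/UDP headers. A mismatch means a NAT rewrote them."""
    return received_nat_d != nat_d_hash(cky_i, cky_r, observed_ip, observed_port)


def main_mode_nat_discovery() -> dict:
    """Worked exchange with constructed cookies and addresses.

    Initiator 10.0.0.5 is behind a NAT that presents it as 203.0.113.7;
    responder 198.51.100.10 is directly reachable.
    """
    cky_i = bytes.fromhex("0102030405060708")  # constructed IKE cookies
    cky_r = bytes.fromhex("1112131415161718")

    # Initiator sends two NAT-D payloads: its view of the destination, then of itself
    nat_d_dst = nat_d_hash(cky_i, cky_r, "198.51.100.10", 500)
    nat_d_src = nat_d_hash(cky_i, cky_r, "10.0.0.5", 500)

    # Responder checks each one against what it observed on the wire
    responder_behind_nat = nat_detected(nat_d_dst, cky_i, cky_r, "198.51.100.10", 500)
    initiator_behind_nat = nat_detected(nat_d_src, cky_i, cky_r, "203.0.113.7", 500)

    return {
        "initiator_behind_nat": initiator_behind_nat,
        "responder_behind_nat": responder_behind_nat,
        "switch_to_udp_encapsulation": initiator_behind_nat or responder_behind_nat,
    }


if __name__ == "__main__":
    print(main_mode_nat_discovery())
    for pkt in (b"\xff", NON_ESP_MARKER + b"\x01" * 28, b"\x00\x00\x12\x34" + b"\x00" * 12):
        print(classify_udp4500(pkt))
```

The practical consequence for perimeter rules: once either side is behind a NAT, everything (IKE, ESP and keepalives) travels on UDP 4500, so a firewall that only passes UDP 500 and IP protocol 50 will break NAT-T peers silently.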

  7. NAT/IPSec – more Info
  • IKE Negotiation for IPSec Security Associations: http://www.microsoft.com/technet/community/columns/cableguy/cg0602.mspx
  • Windows 2000 IPSec Web Site: http://www.microsoft.com/windows2000/technologies/communications/ipsec/default.asp
  • L2TP/IPSec NAT-T Update for Windows XP and Windows 2000: http://support.microsoft.com/default.aspx?scid=kb;en-us;818043

  8. Agenda • Introduction • What is the Perimeter? • Securing with … • Using Microsoft Internet Security and Acceleration (ISA) Server to Protect Perimeters • Using Internet Connection Firewall (ICF) to Protect Clients • Protecting Wireless Networks • Protecting Communications by Using IPSec

  9. Defense in Depth
  • A layered approach
  • Increases an attacker’s risk of detection
  • Reduces an attacker’s chance of success
  Layers (outermost to innermost) with example controls:
  • Policies, Procedures, & Awareness: user education
  • Physical Security: guards, locks, tracking devices
  • Perimeter: firewalls, VPN quarantine
  • Internal Network: network segments, IPSec, NIDS
  • Host: OS hardening, update management, authentication, HIDS
  • Application: application hardening, antivirus
  • Data: ACL, encryption

  10. Agenda • Introduction • What is the perimeter? • Securing the perimeter with … • Using Microsoft Internet Security and Acceleration (ISA) Server to Protect Perimeters • Using Internet Connection Firewall (ICF) to Protect Clients • Protecting Wireless Networks • Protecting Communications by Using IPSec

  11. Perimeter Connections Overview
  Network perimeter includes connections to:
  • The Internet
  • Branch offices
  • Business partners
  • Remote users
  • Wireless networks
  • Internet applications
  (Diagram: the main office LAN connects through the Internet to a branch office LAN, a business partner LAN, a remote user and a wireless network)

  12. Defending The Perimeter • Properly configured firewalls and border routers are the cornerstone of perimeter security • The Internet and mobility increase security risks • VPNs and wireless networking soften the perimeter • Traditional packet-filtering firewalls block only network ports and computer addresses • Most modern attacks occur at the application layer • Perimeter security is useless if the breach comes from the inside

  13. Defending at the Client • The client is part of the perimeter too! • Client defenses block attacks that bypass perimeter defenses or originate on the internal network • Client defenses include, among others: • Operating system hardening • Antivirus software • Personal firewalls • Client defenses require configuring many computers • In unmanaged environments, users may bypass client defenses

  14. What About Intrusion Detection? • Detects the pattern of common attacks, records suspicious traffic in event logs, and/or alerts administrators • Threats and vulnerabilities are constantly evolving, which leaves systems vulnerable until a new attack is known and a new signature is created and distributed • Is ID really helpful?

  15. Agenda • Introduction • What is the perimeter? • Securing the perimeter with … • Using Microsoft Internet Security and Acceleration (ISA) Server to Protect Perimeters • Using Internet Connection Firewall (ICF) to Protect Clients • Protecting Wireless Networks • Protecting Communications by Using IPSec

  16. Firewall Design: Three-Homed (diagram: Internet, DMZ and LAN each attached to a separate interface of a single firewall)

  17. Firewall Design: Back-to-Back (diagram: Internet – External Firewall – DMZ – Internal Firewall – LAN)

  18. What Firewalls Do NOT Protect Against • Malicious traffic that is passed on open ports and not inspected at the application layer by the firewall • Any traffic that passes through an encrypted tunnel or session • Attacks after a network has been penetrated • Traffic that appears legitimate • Users and administrators who intentionally or accidentally install viruses • Administrators who use weak passwords

  19. Software vs. Hardware Firewalls

  20. Types of Firewall Functions (diagram: traffic from the Internet passing through successive inspection layers)
  • Packet Filtering
  • Stateful Inspection
  • Application-Layer Inspection
  • Multi-layer Inspection (including application-layer filtering)

  21. Protecting Perimeters • ISA Server has full screening capabilities: • Packet filtering • Stateful inspection • Application-level inspection • ISA Server blocks all network traffic unless you allow it • ISA Server provides secure VPN connectivity • ISA Server is ICSA certified and Common Criteria certified
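To make the three screening levels on slides 20 and 21 concrete, here is an added example (not code from the presentation or from ISA Server) that runs one constructed packet trace through a stateless packet filter, a stateful inspector and a multi-layer filter. The addresses, ports, the “established = ACK set” rule and the minimal HTTP check are assumptions chosen for the example; the point is which engine catches which packet.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (from the Internet) or "out" (from the LAN)
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags as letters: "S", "SA", "A"
    payload: bytes = b""


def packet_filter(pkt: Packet) -> str:
    """Stateless packet filter: every packet is judged on its own header.
    The classic 'established' rule lets any inbound segment with ACK set
    through, because flags are all a stateless device can look at."""
    if pkt.direction == "out":
        return "allow"
    return "allow" if "A" in pkt.flags else "deny"


class StatefulInspector:
    """Stateful inspection: inbound traffic is allowed only when it belongs
    to a connection that an inside host opened (kept in a connection table)."""

    def __init__(self) -> None:
        self.connections = set()

    def check(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            if pkt.flags == "S":
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        reply_key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # reversed tuple
        return "allow" if reply_key in self.connections else "deny"


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ")  # minimal 'looks like HTTP' check, assumed


def multilayer_filter(pkt: Packet, inspector: StatefulInspector) -> str:
    """Multi-layer inspection: stateful check first, then the payload of an
    outbound request to a web port must actually be HTTP. Anything else riding
    port 80 (a tunnelled protocol, for instance) is dropped."""
    if inspector.check(pkt) == "deny":
        return "deny"
    if pkt.direction == "out" and pkt.dport == 80 and pkt.payload \
            and not pkt.payload.startswith(HTTP_METHODS):
        return "deny"
    return "allow"


def run_trace() -> dict:
    """Constructed trace; returns {description: (packet filter, stateful, multi-layer)}."""
    trace = [
        ("client opens web connection",
         Packet("out", "10.0.0.5", 51000, "93.184.216.34", 80, "S")),
        ("web server replies",
         Packet("in", "93.184.216.34", 80, "10.0.0.5", 51000, "SA")),
        ("client sends HTTP request",
         Packet("out", "10.0.0.5", 51000, "93.184.216.34", 80, "A", b"GET / HTTP/1.1\r\n")),
        ("unsolicited ACK probe from the Internet",
         Packet("in", "198.51.100.9", 80, "10.0.0.5", 445, "A")),
        ("non-HTTP traffic tunnelled out over port 80",
         Packet("out", "10.0.0.5", 51001, "198.51.100.9", 80, "A", b"\x16\x03\x01\x00\x05")),
    ]
    stateful = StatefulInspector()
    multilayer = StatefulInspector()
    results = {}
    for name, pkt in trace:
        results[name] = (packet_filter(pkt), stateful.check(pkt), multilayer_filter(pkt, multilayer))
    return results


if __name__ == "__main__":
    for name, verdicts in run_trace().items():
        print(f"{name:45s} filter={verdicts[0]:5s} stateful={verdicts[1]:5s} multilayer={verdicts[2]}")
```

The ACK probe is the textbook case for slide 12's remark that packet filters only see ports and addresses: a stateless “established” rule lets it in, the stateful table rejects it. The tunnelled payload is the slide 18 case: the packet filter and the stateful engine both allow it because port 80 is open, and only the application-layer check stops it.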

  22. Demonstration 1: Application-Layer Inspection in ISA Server. Web Publishing

  23. Traffic That Bypasses Firewall Inspection • SSL tunnels through traditional firewalls because it is encrypted, which allows viruses and worms to pass through undetected and infect internal servers • VPN traffic is encrypted and cannot be inspected • Instant Messenger (IM) traffic often is not inspected and might be used to transfer files

  24. Inspecting All Traffic • Use intrusion detection and other mechanisms to inspect VPN traffic after it has been decrypted • Remember: Defense in Depth • Use a firewall that can inspect SSL traffic • Expand inspection capabilities of your firewall • Use firewall add-ons to inspect IM traffic

  25. SSL Inspection • SSL tunnels through traditional firewalls because it is encrypted, which allows viruses and worms to pass through undetected and infect internal servers. • ISA Server can decrypt and inspect SSL traffic. Inspected traffic can be sent to the internal server re-encrypted or in the clear.

  26. Demonstration 2: SSL Inspection in ISA Server

  27. ISA Server Hardening • Harden the network stack • Disable unnecessary network protocols on the external network interface: • Client for Microsoft Networks • File and Printer Sharing for Microsoft Networks • NetBIOS over TCP/IP

  28. Best Practices • Use access rules that only allow requests that are specifically allowed • Use ISA Server’s authentication capabilities to restrict and log Internet access • Configure Web publishing rules only for specific destination sets • Use SSL Inspection to inspect encrypted data that is entering your network

  29. Agenda • Introduction • What is the Perimeter? • Securing with … • Using Microsoft Internet Security and Acceleration (ISA) Server to Protect Perimeters • Using Internet Connection Firewall (ICF) to Protect Clients • Protecting Wireless Networks • Protecting Communications by Using IPSec

  30. Overview of ICF
  • What It Is: Internet Connection Firewall in Microsoft Windows XP and Microsoft Windows Server 2003
  • What It Does: helps stop network-based attacks, such as Blaster, by blocking all unsolicited inbound traffic
  • Key Features: ports can be opened for services running on the computer; enterprise administration through Group Policy

  31. Enabling ICF • Enabled by: • Selecting one check box • Network Setup Wizard • New Connection Wizard • Enabled separately for each network connection

  32. ICF Advanced Settings • Network services • Web-based applications

  33. ICF Security Logging • Logging options • Log file options

  34. ICF in the Enterprise • Configure ICF by using Group Policy • Combine ICF with Network Access Quarantine Control

  35. Best Practices • Use ICF for home offices and small businesses to provide protection for computers directly connected to the Internet • Do not turn on ICF for a VPN connection (but do enable ICF for the underlying LAN or dial-up connection) • Configure service definitions for each ICF connection through which you want the service to work • Set the size of the security log to 16 megabytes to prevent an overflow that might be caused by denial-of-service attacks

  36. Demonstration 3: Internet Connection Firewall (ICF). Configuring ICF Manually. Testing ICF. Reviewing ICF Log Files. Configuring Group Policy Settings

  37. Agenda • Introduction • What is the Perimeter? • Securing with … • Using Microsoft Internet Security and Acceleration (ISA) Server to Protect Perimeters • Using Internet Connection Firewall (ICF) to Protect Clients • Protecting Wireless Networks • Protecting Communications by Using IPSec

  38. Wireless Security Issues • Limitations of Wired Equivalent Privacy (WEP) • Static WEP keys are not dynamically changed and therefore are vulnerable to attack. • There is no standard method for provisioning static WEP keys to clients. • Scalability: Compromise of a static WEP key by anyone exposes everyone. • Limitations of MAC Address Filtering • Attacker could spoof an allowed MAC address.

  39. Possible Solutions • Password-based Layer 2 Authentication • IEEE 802.1x PEAP/MSCHAP v2 • Certificate-based Layer 2 Authentication • IEEE 802.1x EAP-TLS • Other Options • VPN Connectivity • L2TP/IPsec (preferred) or PPTP • Does not allow for roaming • Useful when using public wireless hotspots • No computer authentication or processing of computer settings in Group Policy • IPSec • Interoperability issues

  40. WLAN Security Comparisons

  41. 802.1x • Defines port-based access control mechanism • Works on anything, wired or wireless • No special encryption key requirements • Allows choice of authentication methods using Extensible Authentication Protocol (EAP) • Chosen by peers at authentication time • Access point doesn’t care about EAP methods • Manages keys automatically • No need to preprogram wireless encryption keys

  42. 802.1x on 802.11 (sequence diagram between the laptop computer, the wireless access point and the RADIUS server; 802.11 between laptop and access point, RADIUS over Ethernet between access point and server)
  • Association: 802.11 Associate; access blocked
  • Laptop → AP: EAPOL-Start
  • AP → Laptop: EAP-Request/Identity
  • Laptop → AP: EAP-Response/Identity; AP → RADIUS: Radius-Access-Request
  • RADIUS → AP: Radius-Access-Challenge; AP → Laptop: EAP-Request
  • Laptop → AP: EAP-Response (credentials); AP → RADIUS: Radius-Access-Request
  • RADIUS → AP: Radius-Access-Accept; AP → Laptop: EAP-Success; access allowed
  • AP → Laptop: EAPOL-Key (Key)
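The sequence on slide 42 (and the point on slide 41 that the access point does not care which EAP method is used) is easier to follow with the actual frame formats in hand. The following is an added example, not code from the presentation or from Windows/IAS: it builds and parses real EAPOL (IEEE 802.1X) and EAP (RFC 3748) headers and plays the exchange between a supplicant, an authenticator that keeps its controlled port blocked until the RADIUS server answers Access-Accept, and a stand-in RADIUS server. The RADIUS packet framing, the PEAP/TLS tunnel and the EAPOL-Key derivation are not implemented; the credential check is collapsed into one experimental EAP type (255) with a constructed user account, all of which are assumptions for the example.

```python
import struct

# EAPOL (IEEE 802.1X) packet types used in the exchange
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_KEY = 0, 1, 3
# EAP (RFC 3748) codes and types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
EAP_TYPE_DEMO = 255  # RFC 3748 'experimental' type, standing in for PEAP/EAP-TLS (assumption)


def eapol(packet_type: int, body: bytes = b"") -> bytes:
    """EAPOL header: version (1), packet type, body length."""
    return struct.pack("!BBH", 1, packet_type, len(body)) + body


def eap(code: int, ident: int, eap_type: int = None, data: bytes = b"") -> bytes:
    """EAP header: code, identifier, total length, then type + data for Request/Response."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eapol(frame: bytes) -> dict:
    version, packet_type, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated EAPOL frame")
    return {"version": version, "type": packet_type, "body": body}


def parse_eap(pkt: bytes) -> dict:
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length != len(pkt):
        raise ValueError("bad EAP length")
    out = {"code": code, "id": ident}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        out["type"], out["data"] = pkt[4], pkt[5:]
    return out


class RadiusServer:
    """Stand-in for IAS: takes the EAP packet the AP would carry in a RADIUS
    EAP-Message attribute and returns (RADIUS code name, EAP packet to relay)."""

    def __init__(self, users: dict):
        self.users = users  # identity -> secret (constructed accounts)

    def access_request(self, eap_pkt: bytes):
        msg = parse_eap(eap_pkt)
        if msg.get("type") == EAP_TYPE_IDENTITY:
            # Access-Challenge: start the method with a fresh identifier
            return "Access-Challenge", eap(EAP_REQUEST, msg["id"] + 1, EAP_TYPE_DEMO)
        if msg.get("type") == EAP_TYPE_DEMO:
            identity, _, secret = msg["data"].partition(b":")
            if self.users.get(identity) == secret:
                return "Access-Accept", eap(EAP_SUCCESS, msg["id"])
        return "Access-Reject", eap(EAP_FAILURE, msg["id"])


class AccessPoint:
    """Authenticator: the controlled port stays blocked until Access-Accept.
    It never interprets the EAP method; it only relays EAP to the RADIUS server."""

    def __init__(self, radius: RadiusServer):
        self.radius = radius
        self.port_open = False

    def receive(self, frame: bytes) -> bytes:
        f = parse_eapol(frame)
        if f["type"] == EAPOL_START:
            return eapol(EAPOL_EAP_PACKET, eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))
        if f["type"] == EAPOL_EAP_PACKET:
            code, reply = self.radius.access_request(f["body"])
            if code == "Access-Accept":
                self.port_open = True  # EAPOL-Key would follow here; not modelled
            return eapol(EAPOL_EAP_PACKET, reply)
        raise ValueError("unexpected EAPOL packet type")


def run_exchange(identity: bytes, secret: bytes) -> dict:
    """Supplicant side of the slide's sequence; returns port state and message trace."""
    ap = AccessPoint(RadiusServer({b"alice": b"s3cret"}))
    trace = []
    req = parse_eap(parse_eapol(ap.receive(eapol(EAPOL_START)))["body"])
    trace.append(("EAP-Request/Identity", req["id"]))
    resp = eap(EAP_RESPONSE, req["id"], EAP_TYPE_IDENTITY, identity)
    req = parse_eap(parse_eapol(ap.receive(eapol(EAPOL_EAP_PACKET, resp)))["body"])
    trace.append(("EAP-Request (method)", req["id"]))
    resp = eap(EAP_RESPONSE, req["id"], EAP_TYPE_DEMO, identity + b":" + secret)
    final = parse_eap(parse_eapol(ap.receive(eapol(EAPOL_EAP_PACKET, resp)))["body"])
    trace.append(("EAP-Success" if final["code"] == EAP_SUCCESS else "EAP-Failure", final["id"]))
    return {"port_open": ap.port_open, "trace": trace}


if __name__ == "__main__":
    print(run_exchange(b"alice", b"s3cret"))
    print(run_exchange(b"alice", b"wrong"))
```

Note that `AccessPoint` only ever inspects the EAPOL type and relays the EAP body untouched, which is why new EAP methods need support on the client and the RADIUS server but not on the access point.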

  43. System Requirements for 802.1x • Client: Windows XP • Server: Windows Server 2003 IAS • Internet Authentication Service—our RADIUS server • Certificate on IAS computer • 802.1x on Windows 2000 • Client and IAS must have SP3 • See KB article 313664 • No zero-configuration support in the client • Supports only EAP-TLS and MS-CHAPv2 • Future EAP methods in Windows XP and Windows Server 2003 might not be backported

  44. 802.1x Setup • Configure Windows Server 2003 with IAS • Join a domain • Enroll computer certificate • Register IAS in Active Directory • Configure RADIUS logging • Add AP as RADIUS client • Configure AP for RADIUS and 802.1x • Create wireless client access policy • Configure clients • Don’t forget to import the root certificate

  45. Access Policy • Policy condition • NAS-port-type matches Wireless IEEE 802.11 OR Wireless Other • Windows-group = <some group in AD> • Optional; allows administrative control • Should contain user and computer accounts

  46. Access Policy Profile • Profile • Time-out: 60 min. (802.11b) or 10 min. (802.11a/g) • No regular authentication methods • EAP type: protected EAP; use computer certificate • Encryption: only strongest (MPPE 128-bit) • Attributes: Ignore-User-Dialin-Properties = True

  47. Wi-Fi Protected Access (WPA) • A specification of standards-based, interoperable security enhancements that strongly increase the level of data protection and access control for existing and future wireless LAN systems • WPA requires 802.1x authentication for network access • Goals • Enhanced data encryption • Provide user authentication • Be forward compatible with 802.11i • Provide a non-RADIUS solution for small/home offices • Wi-Fi Alliance began certification testing for interoperability on WPA products in February 2003

  48. Best Practices • Use 802.1x authentication • Organize wireless users and computers into groups • Apply wireless access policies using Group Policy • Use EAP-TLS for certificate-based authentication and PEAP for password-based authentication • Configure your remote access policy to support user authentication as well as machine authentication • Develop a method to deal with rogue access points, such as LAN-based 802.1x authentication, site surveys, network monitoring, and user education

  49. Agenda • Introduction • What is the Perimeter? • Securing with … • Using Microsoft Internet Security and Acceleration (ISA) Server to Protect Perimeters • Using Internet Connection Firewall (ICF) to Protect Clients • Protecting Wireless Networks • Protecting Communications by Using IPSec

  50. Overview of IPSec • What is IP Security (IPSec)? • A method to secure IP traffic • Framework of open standards developed by the Internet Engineering Task Force (IETF) • Why use IPSec? • To ensure encrypted and authenticated communications at the IP layer • To provide transport security that is independent of applications or application-layer protocols
