Securing the Perimeter - PowerPoint PPT Presentation

1 / 63

About This Presentation

Title:

Securing the Perimeter

Description:

When natted, the recepient will get data from a different' IP address ... Future EAP methods in Windows XP and Windows Server 2003 might not be backported ... – PowerPoint PPT presentation

Number of Views:55

Avg rating:3.0/5.0

Slides: 64

Provided by: downloadM

Category:

more less

Transcript and Presenter's Notes

Title: Securing the Perimeter

1

Securing the Perimeter
Thomas LeeChief TechnologistQA
thomas.lee_at_qa.com

2
Continuing from Yesterday

Scripting IPSec
NAT-T

3
Scripting IPSec

netsh ipsec is the starting point

4
NAT Traversal-the problem

NAT device cannot update IPSec auth-data
Hash includes IP address of source
When natted, the recepient will get data from a
different IP address
IKE ports can not be changed (UDP 500)
See http//tinyurl.com/2j99q for more information
about NAT issues

5
NAT-T Changes

UDP encapsulation for ESP
A UDP header is placed between the outer IP
header and the ESP header, encapsulating the ESP
PDU. The same ports that are used for IKE are
used for UDP-encapsulated ESP traffic.
A modified IKE header format
The IPSec NAT-T IKE header contains a new Non-ESP
Marker field that allows a recipient to
distinguish between a UDP-encapsulated ESP PDU
and an IKE message. IPSec NAT-T-capable peers
begin to use the new IKE header after they have
determined that there is an intermediate NAT.
A new NAT-Keepalive packet
A UDP message that uses the same ports as IKE
traffic, contains a single byte (0xFF) and is
used to refresh the UDP port mapping in a NAT for
IKE and UDP-encapsulated ESP traffic to a private
network host.
A new Vendor ID IKE payload
This new payload contains a well-known hash
value, which indicates that the peer is capable
of performing IPSec NAT-T.

6
NAT-T (continued)

A new NAT-Discovery (NAT-D) IKE payload
This new payload contains a hash value that
incorporates an address and port number. An IPSec
peer includes two NAT-Discovery payloads during
Main Mode negotiationone for the destination
address and port and one for the source address
and port. The recipient uses the NAT-Discovery
payloads to discover whether a NAT translated
addresses or port numbers, and, based on which
addresses and ports were changed, which peers are
located behind NATs.
New encapsulation modes for UDP-encapsulated ESP
transport mode and tunnel mode
These two new encapsulation modes are specified
during Quick Mode negotiation to inform the IPSec
peer that UDP encapsulation for ESP PDUs should
be used.
A new NAT-Original Address (NAT-OA) IKE payload
This new payload contains the original
(untranslated) address of the IPSec peer. For
UDP-encapsulated ESP transport mode, each peer
sends the NAT-OA IKE payload during Quick Mode
negotiation. The recipient stores this address in
the parameters for the SA

7
NAT/IPSec more Info

IKE Negotiation for IPSec Security Associations
http//www.microsoft.com/technet/community/columns
/cableguy/cg0602.mspx
Windows 2000 IPSec Web Site
http//www.microsoft.com/windows2000/technologies/
communications/ipsec/default.asp
L2TP/IPSec NAT-T Update for Windows XP and
Windows 2000
http//support.microsoft.com/default.aspx?scidkb
en-us818043

8
Agenda

Introduction
What is the Perimeter?
Securing with
Using Microsoft Internet Security and
Acceleration (ISA) Server to Protect Perimeters
Using Internet Connection Firewall (ICF) to
Protect Clients
Protecting Wireless Networks
Protecting Communications by Using IPSec

9
Defense in Depth

A layered approach
Increases an attackers risk of detection
Reduces an attackers chance of success

Policies, Procedures, Awareness
Physical Security
Data
Application
Host
Internal Network
Perimeter
10
Agenda

Introduction
What is the perimeter?
Securing the perimeter with
Using Microsoft Internet Security and
Acceleration (ISA) Server to Protect Perimeters
Using Internet Connection Firewall (ICF) to
Protect Clients
Protecting Wireless Networks
Protecting Communications by Using IPSec

11
Perimeter Connections Overview
12
Defending The Perimeter

Properly configured firewalls and border routers
are the cornerstone for perimeter security
The Internet and mobility increase security risks
VPNs/ wireless networking soften the perimeter
Traditional packet-filtering firewalls block only
network ports and computer addresses
Most modern attacks occur at the application
layer
Perimeter security useless if breech is from the
inside

13
Defending at the Client

The client is part of the perimeter too!
Client defenses block attacks that bypass
perimeter defenses or originate on the internal
network
Client defenses include, among others
Operating system hardening
Antivirus software
Personal firewalls
Client defenses require configuring many
computers
In unmanaged environments, users may bypass
client defenses

14
What About Intrusion Detection?

Detects the pattern of common attacks, records
suspicious traffic in event logs, and/or alerts
administrators
Threats and vulnerabilities are constantly
evolving, which leaves systems vulnerable until a
new attack is known and a new signature is
created and distributed
Is ID really helpful?

15
Agenda

Introduction
What is the perimeter?
Securing the perimeter with
Using Microsoft Internet Security and
Acceleration (ISA) Server to Protect Perimeters
Using Internet Connection Firewall (ICF) to
Protect Clients
Protecting Wireless Networks
Protecting Communications by Using IPSec

16
Firewall Design Three-Homed
17
Firewall Design Back-to-Back
18
What Firewalls Do NOT Protect Against

Malicious traffic that is passed on open ports
and not inspected at the application layer by the
firewall
Any traffic that passes through an encrypted
tunnel or session
Attacks after a network has been penetrated
Traffic that appears legitimate
Users and administrators who intentionally or
accidentally install viruses
Administrators who use weak passwords

19
Software vs. Hardware Firewalls
20
Types of Firewall Functions

Packet Filtering
Stateful Inspection
Application-Layer Inspection

Multi-layer Inspection (Including
Application-Layer Filtering)
21
Protecting Perimeters

ISA Server has full screening capabilities
Packet filtering
Stateful inspection
Application-level inspection
ISA Server blocks all network traffic unless you
allow it
ISA Server provides secure VPN connectivity
ISA Server is ICSA certified and Common Criteria
certified

22
Demonstration 1Application-Layer Inspection in
ISA Server Web Publishing
23
Traffic That Bypasses Firewall Inspection

SSL tunnels through traditional firewalls because
it is encrypted, which allows viruses and worms
to pass through undetected and infect internal
servers
VPN traffic is encrypted and cannot be inspected
Instant Messenger (IM) traffic often is not
inspected and might be used to transfer files

24
Inspecting All Traffic

Use intrusion detection and other mechanisms to
inspect VPN traffic after it has been decrypted
Remember Defense in Depth
Use a firewall that can inspect SSL traffic
Expand inspection capabilities of your firewall
Use firewall add-ons to inspect IM traffic

25
SSL Inspection

SSL tunnels through traditional firewalls because
it is encrypted, which allows viruses and worms
to pass through undetected and infect internal
servers.
ISA Server can decrypt and inspect SSL traffic.
Inspected traffic can be sent to the internal
server re-encrypted or in the clear.

26
Demonstration 2SSL Inspection in ISA Server
27
ISA Server Hardening

Harden the network stack
Disable unnecessary network protocols on the
external network interface
Client for Microsoft Networks
File and Printer Sharing for Microsoft Networks
NetBIOS over TCP/IP

28
Best Practices

Use access rules that only allow requests that
are specifically allowed
Use ISA Servers authentication capabilities to
restrict and log Internet access
Configure Web publishing rules only for specific
destination sets
Use SSL Inspection to inspect encrypted data that
is entering your network

29
Agenda

Introduction
What is the Perimeter?
Securing with
Using Microsoft Internet Security and
Acceleration (ISA) Server to Protect Perimeters
Using Internet Connection Firewall (ICF) to
Protect Clients
Protecting Wireless Networks
Protecting Communications by Using IPSec

30
Overview of ICF

Internet Connection Firewall in Microsoft Windows
XP and Microsoft Windows Server 2003

What It Is

Helps stop network-based attacks, such as
Blaster, by blocking all unsolicited inbound
traffic

What It Does

Ports can be opened for services running on the
computer
Enterprise administration through Group Policy

Key Features
31
Enabling ICF

Enabled by
Selecting one check box
Network Setup Wizard
New Connection Wizard
Enabled separately for each network connection

32
ICF Advanced Settings

Network services
Web-based applications

33
ICF Security Logging

Logging options
Log file options

34
ICF in the Enterprise

Configure ICF by using Group Policy
Combine ICF with Network Access Quarantine Control

35
Best Practices

Use ICF for home offices and small business to
provide protection for computers directly
connected to the Internet
Do not turn on ICF for a VPN connection (but do
enable ICF for the underlying LAN or dial-up
connection
Configure service definitions for each ICF
connection through which you want the service to
work
Set the size of the security log to 16 megabytes
to prevent an overflow that might be caused by
denial-of-service attacks

36
Demonstration 3Internet Connection Firewall
(ICF) Configuring ICF ManuallyTesting
ICFReviewing ICF Log FilesConfiguring Group
Policy Settings
37
Agenda

Introduction
What is the Perimeter?
Securing with
Using Microsoft Internet Security and
Acceleration (ISA) Server to Protect Perimeters
Using Internet Connection Firewall (ICF) to
Protect Clients
Protecting Wireless Networks
Protecting Communications by Using IPSec

38
Wireless Security Issues

Limitations of Wired Equivalent Privacy (WEP)
Static WEP keys are not dynamically changed and
therefore are vulnerable to attack.
There is no standard method for provisioning
static WEP keys to clients.
Scalability Compromise of a static WEP key by
anyone exposes everyone.
Limitations of MAC Address Filtering
Attacker could spoof an allowed MAC address.

39
Possible Solutions

Password-based Layer 2 Authentication
IEEE 802.1x PEAP/MSCHAP v2
Certificate-based Layer 2 Authentication
IEEE 802.1x EAP-TLS
Other Options
VPN Connectivity
L2TP/IPsec (preferred) or PPTP
Does not allow for roaming
Useful when using public wireless hotspots
No computer authentication or processing of
computer settings in Group Policy
IPSec
Interoperability issues

40
WLAN Security Comparisons

41
802.1x

Defines port-based access control mechanism
Works on anything, wired or wireless
No special encryption key requirements
Allows choice of authentication methods using
Extensible Authentication Protocol (EAP)
Chosen by peers at authentication time
Access point doesnt care about EAP methods
Manages keys automatically
No need to preprogram wireless encryption keys

42
802.1x on 802.11

Wireless
Access Point
Radius Server
Ethernet
Laptop Computer
802.11
RADIUS
43
System Requirements for 802.1x

Client Windows XP
Server Windows Server 2003 IAS
Internet Authentication Serviceour RADIUS server
Certificate on IAS computer
802.1x on Windows 2000
Client and IAS must have SP3
See KB article 313664
No zero-configuration support in the client
Supports only EAP-TLS and MS-CHAPv2
Future EAP methods in Windows XP and Windows
Server 2003 might not be backported

44
802.1x Setup

Configure Windows Server 2003 with IAS
Join a domain
Enroll computer certificate
Register IAS in Active Directory
Configure RADIUS logging
Add AP as RADIUS client
Configure AP for RADIUS and 802.1x
Create wireless client access policy
Configure clients
Dont forget to import the root certificate

45
Access Policy

Policy condition
NAS-port-type matches Wireless IEEE 802.11 OR
Wireless Other
Windows-group ltsome group in ADgt
Optional allows administrative control
Should contain user and computer accounts

46
Access Policy Profile

Profile
Time-out 60 min. (802.11b) or 10 min.
(802.11a/g)
No regular authentication methods
EAP type protected EAP use computer certificate
Encryption only strongest (MPPE 128-bit)
Attributes Ignore-User-Dialin-Properties True

47
Wireless Protected Access (WPA)

A specification of standards-based, interoperable
security enhancements that strongly increase the
level of data protection and access control for
existing and future wireless LAN systems
WPA Requires 802.1x authentication for network
access
Goals
Enhanced data encryption
Provide user authentication
Be forward compatible with 802.11i
Provide non-RADIUS solution for Small/Home
offices
Wi-Fi Alliance began certification testing for
interoperability on WPA products in February 2003

48
Best Practices

Use 802.1x authentication
Organize wireless users and computers into groups
Apply wireless access policies using Group Policy
Use EAP-TLS for certificate-based authentication
and PEAP for password-based authentication
Configure your remote access policy to support
user authentication as well as machine
authentication
Develop a method to deal with rogue access
points, such as LAN-based 802.1x authentication,
site surveys, network monitoring, and user
education

49
Agenda

Introduction
What is the Perimeter?
Securing with
Using Microsoft Internet Security and
Acceleration (ISA) Server to Protect Perimeters
Using Internet Connection Firewall (ICF) to
Protect Clients
Protecting Wireless Networks
Protecting Communications by Using IPSec

50
Overview of IPSec

What is IP Security (IPSec)?
A method to secure IP traffic
Framework of open standards developed by the
Internet Engineering Task Force (IETF)
Why use IPSec?
To ensure encrypted and authenticated
communications at the IP layer
To provide transport security that is independent
of applications or application-layer protocols

51
IPSec Scenarios

Basic permit/block packet filtering
Secure internal LAN communications
Domain replication through firewalls
VPN across untrusted media

52
Implementing IPSec Packet Filtering

Filters for allowed and blocked traffic
No actual negotiation of IPSec security
associations
Overlapping filtersmost specific match
determines action
Does not provide stateful filtering
Must set "NoDefaultExempt 1" to be secure

53
Packet Filtering Is Not Sufficient to Protect
Server

Spoofed IP packets containing queries or
malicious content can still reach open ports
through firewalls
IPSec does not provide stateful inspection
Many hacker tools use source ports 80, 88, 135,
and so on, to connect to any destination port

54
Traffic Not Filtered by IPSec

IP broadcast addresses
Cannot secure to multiple receivers
Multicast addresses
From 224.0.0.0 through 239.255.255.255
KerberosUDP source or destination port 88
Kerberos is a secure protocol, which the Internet
Key Exchange (IKE) negotiation service may use
for authentication of other computers in a domain
IKEUDP destination port 500
Required to allow IKE to negotiate parameters for
IPSec security
Windows Server 2003 configures only IKE default
exemption

55
Secure Internal Communications

Use IPSec to provide mutual device authentication
Use certificates or Kerberos
Preshared key suitable for testing only
Use Authentication Header (AH) to ensure packet
integrity
AH provides packet integrity
AH does not encrypt, allowing for network
intrusion detection
Use Encapsulation Security Payload (ESP) to
encrypt sensitive traffic
ESP provides packet integrity and confidentiality
Encryption prevents packet inspection
Carefully plan which traffic should be secured

56
IPSec for Domain Replication

Use IPSec for replication through firewalls
On each domain controller, create an IPSec policy
to secure all traffic to the other domain
controllers IP address
Use ESP 3DES for encryption
Allow traffic through the firewall
UDP Port 500 (IKE)
IP protocol 50 (ESP)

57
Best Practices

Plan your IPSec implementation carefully
Choose between AH and ESP
Use Group Policy to implement IPSec Policies
Consider the use of IPSec NICs
Never use Shared Key authentication outside your
test lab
Choose between certificates and Kerberos
authentication
Use care when requiring IPSec for communications
with domain controllers and other infrastructure
servers