Title: Network Security and ISA Server
1 Network Security and ISA Server
- Paul Hogan
- Ward Solutions
2 Session Prerequisites
- Hands-on experience with Windows 2000 or Windows Server 2003
- Working knowledge of networking, including basics of security
- Basic knowledge of network security-assessment strategies
Level 300
3 Agenda
- 10:00 - 11:00 Network Security
- 11:00 - 11:15 Break
- 11:30 - 12:00 Securing SQL Server
- 12:00 - 1:00 Lunch
- 1:00 - 2:00 Securing Exchange
- 2:30 - 2:15 Break
- 2:15 - 3:15 Lab Sessions
- 3:15 Q&A
4 These sessions are about
- Operational security
- The easy way is not always the secure way
- Networks are usually designed in particular ways
  - In many cases, these practices simplify attacks
  - In some cases, these practices enable attacks
- In order to avoid these practices, it helps to understand how an attacker can use them
5 These sessions are NOT
- A hacking tutorial
  - Hacking networks you own can be enlightening
  - HACKING NETWORKS YOU DO NOT OWN IS ILLEGAL
- Demonstrating vulnerabilities in Windows
  - Everything we show stems from operational security or custom applications
  - Knowing how Windows operates is critical to avoiding problems
- For the faint of heart
6 The Sessions
7 The Network
8 Introducing the Case-Study Scenario
9 Understanding Defense-in-Depth
- Using a layered approach
  - Increases an attacker's risk of detection
  - Reduces an attacker's chance of success
10 Why Does Network Security Fail?
Network security fails in several common areas, including:
- Human awareness
- Policy factors
- Hardware or software misconfigurations
- Poor assumptions
- Ignorance
- Failure to stay up-to-date
11 What we will cover
- How to implement perimeter defenses
- How ISA Server protects networks
- Using Windows Firewall to protect clients
- How to protect wireless networks
12 Purpose and Limitations of Perimeter Defenses
- Properly configured firewalls and border routers are the cornerstone of perimeter security
- The Internet and mobility increase security risks
- VPNs have exposed a destructive, pernicious entry point for viruses and worms in many organizations
- Traditional packet-filtering firewalls only block network ports and computer addresses
- Most modern attacks occur at the application layer
13 Purpose and Limitations of Intrusion Detection
- Detects the pattern of common attacks and records suspicious traffic in event logs and/or alerts administrators
- Integrates with other firewall features to prevent common attacks
- Threats and vulnerabilities are constantly evolving, which leaves systems vulnerable until a new attack is known and a new signature is created and distributed
14 Implementing Network-Based Intrusion-Detection Systems
A network-based intrusion-detection system provides rapid detection and reporting of external malware attacks.
Important points to note:
- Network-based intrusion-detection systems are only as good as the process that is followed once an intrusion is detected
- ISA Server 2004 provides network-based intrusion-detection abilities
15 Perimeter Connections
(Diagram: Branch Office)
16 Firewall Design: Three-Homed
17 Firewall Design: Back-to-Back
18 Software vs. Hardware Firewalls
19 Types of Firewalls
- Packet filtering
- Stateful inspection
- Application-layer inspection
- Multi-layer inspection (including application-layer filtering)
20 Agenda
- Introduction/Defense in Depth
- Using Perimeter Defenses
- Using ISA Server to Protect Perimeters
- Using Windows Firewall to Protect Clients
- Protecting Wireless Networks
- Protecting Networks by Using IPSec
21 Protecting Perimeters
- ISA Server has full screening capabilities
  - Packet filtering
  - Stateful inspection
  - Application-level inspection
- ISA Server blocks all network traffic unless you allow it
- ISA Server is ICSA and Common Criteria certified
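The difference between the first two screening types listed on slides 19 and 21 (packet filtering versus stateful inspection), and the default-deny posture of "block everything unless you allow it", is easiest to see side by side. The following is an added example written for this page, not ISA Server code: a constructed packet stream is run through a stateless rule set and through a connection-tracking filter. The rule tuples, the 10.0.0.0/24 "internal" range and the published SMTP server are assumptions made for the example.

```python
"""Stateless packet filtering versus stateful inspection, on constructed packets.

Both filters are default-deny: a packet passes only if a rule or a tracked
connection allows it. The stateless filter has to carry a blanket
"return traffic" rule (anything from source port 80/443), which is the
hole the stateful filter closes by remembering who opened each connection.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def is_internal(ip: str) -> bool:
    return ip.startswith("10.0.0.")  # constructed internal range


# Rule tuples: (direction, proto, sport, dport); None matches any value.
STATELESS_RULES = [
    ("out", "tcp", None, 80),     # outbound web
    ("out", "tcp", None, 443),
    ("in",  "tcp", 80, None),     # "return traffic" hole a stateless filter needs
    ("in",  "tcp", 443, None),
    ("in",  "tcp", None, 25),     # constructed: published SMTP server
]
# The stateful filter drops the blanket return-traffic rules entirely.
STATEFUL_RULES = [r for r in STATELESS_RULES if not (r[0] == "in" and r[3] is None)]


def direction(pkt: Packet) -> str:
    return "out" if is_internal(pkt.src) else "in"


def matches(pkt: Packet, rules) -> bool:
    d = direction(pkt)
    return any(
        d == rd and pkt.proto == rp
        and (rs is None or rs == pkt.sport)
        and (rdp is None or rdp == pkt.dport)
        for rd, rp, rs, rdp in rules
    )


def stateless_filter(packets):
    """Judge every packet on its own: addresses, ports and direction only."""
    return [matches(p, STATELESS_RULES) for p in packets]


class StatefulFirewall:
    """Allow replies only for connections the inside initiated (or a published service)."""

    def __init__(self):
        self.table = set()  # (proto, src, sport, dst, dport) of open connections

    def decide(self, pkt: Packet) -> bool:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.table:          # reply to a tracked connection
            return True
        if matches(pkt, STATEFUL_RULES):   # explicitly allowed: track it
            self.table.add(key)
            return True
        return False

    def filter(self, packets):
        return [self.decide(p) for p in packets]


SAMPLE = [  # constructed packets
    Packet("10.0.0.5", 50000, "198.51.100.7", 80),    # outbound web request
    Packet("198.51.100.7", 80, "10.0.0.5", 50000),    # its reply
    Packet("203.0.113.9", 80, "10.0.0.5", 445),       # unsolicited, source port 80, aimed at SMB
    Packet("203.0.113.9", 40000, "10.0.0.25", 25),    # inbound to the published SMTP server
    Packet("203.0.113.9", 40000, "10.0.0.25", 3389),  # inbound RDP: no rule, denied by both
]


def compare(packets=SAMPLE):
    return {
        "stateless": stateless_filter(packets),
        "stateful": StatefulFirewall().filter(packets),
    }


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, verdicts)
```

The third packet is the one to watch: the stateless filter passes it because it comes "from port 80", the stateful filter drops it because no inside host opened that connection. Application-layer inspection, the third type on the slide, starts where both of these stop, inside the payload.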
22 Protecting Clients
23 Protecting Web Servers
- Web publishing rules
  - Protect Web servers behind the firewall from external attacks by inspecting HTTP traffic and ensuring it is properly formatted and complies with standards
- Inspection of SSL traffic
  - Inspects incoming encrypted Web requests for proper formatting and standards compliance
  - Will optionally re-encrypt the traffic before sending it to your Web server
24 URLScan
- ISA Server Feature Pack 1 includes URLScan 2.5 for ISA Server
- Allows the URLScan ISAPI filter to be applied at the network perimeter
- General blocking for all Web servers behind the firewall
- Perimeter blocking for known and newly discovered attacks
(Diagram labels: ISA Server, Web Server 1, Web Server 2, Web Server 3)
25 Protecting Exchange Server
26 Demonstration 1: Application-Layer Inspection in ISA Server
- URLScan
- Web Publishing
- Message Screener
27 Traffic that Bypasses Firewall Inspection
- SSL tunnels through traditional firewalls because it is encrypted, which allows viruses and worms to pass through undetected and infect internal servers
- VPN traffic is encrypted and can't be inspected
- Instant Messenger (IM) traffic often is not inspected and may be used to transfer files in addition to being used for messaging
28 Inspecting All Traffic
- Use intrusion detection and other mechanisms to inspect VPN traffic after it has been decrypted
- Remember defense in depth
- Use a firewall that can inspect SSL traffic
- Expand the inspection capabilities of your firewall
- Use firewall add-ons to inspect IM traffic
29 SSL Inspection
- SSL tunnels through traditional firewalls because it is encrypted, which allows viruses and worms to pass through undetected and infect internal servers
- ISA Server pre-authenticates users, eliminating multiple dialog boxes and allowing only valid traffic through
- ISA Server can decrypt and inspect SSL traffic. Inspected traffic can be sent to the internal server re-encrypted or in the clear
30 Demonstration 2: SSL Inspection in ISA Server
31 ISA Server Hardening
- Secure Your Server Wizard
- Review bastion host information in the security guides
- Disable unnecessary services
- Harden the network stack
- Disable unnecessary network protocols on the external network interface
  - File and Print Sharing
  - Client for Microsoft Networks
  - NetBIOS over TCP/IP
32 Best Practices
- Use access rules that only allow requests that are specifically permitted
- Use ISA Server's authentication capabilities to restrict and log Internet access
- Configure Web publishing rules only for specific URLs
- Use SSL inspection to inspect encrypted data that is entering your network
33 Demonstration 3: Internet Connection Firewall (ICF)
- Configuring ICF manually
- Testing ICF
- Reviewing ICF log files
- Configuring Group Policy settings
34 Agenda
- Introduction/Defense in Depth
- Using Perimeter Defenses
- Using ISA Server to Protect Perimeters
- Using Windows Firewall to Protect Clients
- Protecting Wireless Networks
- Protecting Networks by Using IPSec
35 New Security Features in Windows Firewall
- On by default
- On with no exceptions
- Windows Firewall exceptions list
- Boot-time security
- Global configuration and restore defaults
- Multiple profiles
- RPC support
- Local subnet restrictions
- Unattended setup support
- Command-line support
36 Configuring Windows Firewall for Antivirus Defense
37 Agenda
- Introduction/Defense in Depth
- Using Perimeter Defenses
- Using ISA Server to Protect Perimeters
- Using Windows Firewall to Protect Clients
- Protecting Wireless Networks
- Protecting Networks by Using IPSec
38 Wireless Security Issues
- Limitations of Wired Equivalent Privacy (WEP)
  - WEP is inherently weak due to poor key exchange
  - WEP keys are not dynamically changed and are therefore vulnerable to attack
  - No method for provisioning WEP keys to clients
- Limitations of MAC address filtering
  - Scalability: the list must be administered and propagated to all APs, and may have a size limit
  - No way to associate a MAC address with a username
  - A user could neglect to report a lost card
  - An attacker could spoof an allowed MAC address
39 Possible Solutions
- VPN connectivity
  - PPTP
  - L2TP
  - Third party
    - IPSec
    - Many vendors
- Password-based Layer 2 authentication
  - Cisco LEAP
  - RSA SecurID
  - IEEE 802.1x PEAP/MSCHAP v2
- Certificate-based Layer 2 authentication
  - IEEE 802.1x EAP/TLS
40 WLAN Security Comparisons
41 802.1X
- Defines a port-based access control mechanism
  - Works on anything, wired and wireless
  - Access point must support 802.1X
  - No special encryption key requirements
- Allows choice of authentication methods using EAP
  - Chosen by peers at authentication time
  - Access point doesn't care about EAP methods
- Manages keys automatically
  - No need to preprogram wireless encryption keys
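The three properties on this slide (port-based control, EAP method chosen by the peers without the access point caring, automatic keying) can be seen in a small model of the exchange. The following is an added example written for this page, not code from the presentation, Windows or IAS: the access point relays EAP between laptop and authentication server without looking inside it, keeps the controlled port closed until the server reports success, and then installs the session key the server returns. The EAP "method" is a constructed HMAC challenge-response standing in for EAP-TLS or PEAP/MSCHAPv2; it is not a real EAP method, and all names, messages and the shared secret are assumptions.

```python
"""Toy model of 802.1X port-based access control (constructed, simplified)."""
import hashlib
import hmac
import os


class AuthServer:
    """Stands in for the RADIUS (IAS) server: the only party holding credentials."""

    def __init__(self, credentials):
        self.credentials = credentials  # constructed: user -> shared secret (bytes)
        self.pending = {}               # session -> (user, challenge)

    def handle(self, session, eap):
        if eap["type"] == "identity":
            challenge = os.urandom(16)
            self.pending[session] = (eap["user"], challenge)
            return {"type": "challenge", "nonce": challenge}
        if eap["type"] == "response" and session in self.pending:
            user, challenge = self.pending.pop(session)
            secret = self.credentials.get(user)
            if secret is not None:
                expected = hmac.new(secret, challenge, hashlib.sha256).digest()
                if hmac.compare_digest(expected, eap["proof"]):
                    # Per-session key material derived from the authentication itself:
                    # this is why no wireless key has to be preprogrammed on the client.
                    key = hashlib.sha256(b"session-key" + secret + challenge).digest()
                    return {"type": "success", "key": key}
        return {"type": "failure"}


class Supplicant:
    """The laptop. Only it and the server ever see the secret."""

    def __init__(self, user, secret):
        self.user, self.secret = user, secret

    def respond(self, eap):
        if eap["type"] == "request-identity":
            return {"type": "identity", "user": self.user}
        if eap["type"] == "challenge":
            proof = hmac.new(self.secret, eap["nonce"], hashlib.sha256).digest()
            return {"type": "response", "proof": proof}
        raise ValueError("unexpected EAP message")


class AccessPoint:
    """The authenticator: pass-through for EAP, gatekeeper for data frames."""

    def __init__(self, server):
        self.server = server
        self.authorized = {}  # client -> session key; absent means port unauthorized
        self.relayed = 0      # EAP messages forwarded without being interpreted

    def authenticate(self, client, supplicant):
        msg = supplicant.respond({"type": "request-identity"})
        while True:
            self.relayed += 1
            reply = self.server.handle(client, msg)  # the client port is the session id
            if reply["type"] == "success":
                self.authorized[client] = reply["key"]
                return True
            if reply["type"] == "failure":
                self.authorized.pop(client, None)
                return False
            msg = supplicant.respond(reply)  # method-specific content is opaque to the AP

    def forward_data(self, client):
        """Controlled port: data frames pass only once the port is authorized."""
        return client in self.authorized


def demo():
    secret = b"constructed-shared-secret"
    server = AuthServer({"alice": secret})
    ap = AccessPoint(server)
    laptop = "laptop-1"
    results = {"data_before_auth": ap.forward_data(laptop)}
    results["wrong_secret"] = ap.authenticate(laptop, Supplicant("alice", b"not-the-secret"))
    results["data_after_failure"] = ap.forward_data(laptop)
    results["unknown_user"] = ap.authenticate(laptop, Supplicant("nobody", secret))
    results["right_secret"] = ap.authenticate(laptop, Supplicant("alice", secret))
    results["data_after_success"] = ap.forward_data(laptop)
    results["key_installed"] = len(ap.authorized.get(laptop, b"")) == 32
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The access point code never branches on the content of a challenge or proof; swapping the method for another one changes `AuthServer` and `Supplicant` only, which is the "access point doesn't care about EAP methods" point in code.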
42 802.1X using EAP/TLS or MSCHAPv2
(Diagram: laptop holding a domain user/machine certificate, EAP connection to an 802.11/802.1X access point, RADIUS (IAS) server holding a server certificate, certification authority, domain controller, DHCP, Exchange and file server; the exchange steps are numbered 1 to 7)
43 Wi-Fi Protected Access (WPA)
- A specification of standards-based, interoperable security enhancements that strongly increase the level of data protection and access control for existing and future wireless LAN systems
- Goals
  - Enhanced data encryption
  - Provide user authentication
  - Be forward compatible with 802.11i
  - Provide a non-RADIUS solution for small/home offices (WPA-PSK)
- Products shipping
44 Best Practices
- Use 802.1x authentication
- Organize wireless users and computers into groups
- Apply wireless access policies using Group Policy
- Use EAP/TLS and 128-bit WEP
- Set clients to force user authentication as well as machine authentication
- Develop a method to manage rogue APs, such as LAN-based 802.1x authentication and wireless sniffers
45 What Firewalls Do NOT Protect Against
- Malicious traffic that is passed on open ports and not inspected by the firewall
- Any traffic that passes through an encrypted tunnel or session
- Attacks after a network has been penetrated
- Traffic that appears legitimate
- Users and administrators who intentionally or accidentally install viruses
- Administrators who use weak passwords
46 Understanding Application and Database Attacks
Common application and database attacks include:
- Buffer overruns
  - Write applications in managed code
- SQL injection attacks
  - Validate input for correct size and type
47 Attacks: Buffer Overflow
- Aka the boundary condition error: stuff more data into a buffer than it can handle. The resulting overflowed data falls into a precise location and is executed by the system
- Local overflows are executed while logged into the target system
- Remote overflows are executed by processes running on the target that the attacker connects to
- Result: commands are executed at the privilege level of the overflowed program
48 Attacks: Input Validation
- A process does not strip input before processing it, e.g. special shell characters such as semicolon and pipe symbols
- An attacker provides data in unexpected fields, e.g. SQL database parameters
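Slide 46's remedy ("validate input for correct size and type") and the two failure modes on this slide fit in one short program. The following is an added example written for this page, not code from the presentation: a lookup that splices user data into SQL text sits beside a parameterized version, and an allow-list validator in front of both rejects quote and shell metacharacters before they reach anything. Python's built-in sqlite3 module and a constructed in-memory table are used; the username character set and length limit are assumptions.

```python
"""Input validation and parameterized queries beside the vulnerable pattern."""
import re
import sqlite3

# Constructed allow-list: only the characters and length a username needs.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def validate_username(value) -> bool:
    """Correct type (str) and size (1-32) and an allow-listed character set.
    Quotes and shell metacharacters (; | & ` $) never pass, so nothing
    downstream has to 'strip' them."""
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],  # constructed rows
    )
    return conn


def lookup_unsafe(conn, username):
    """Vulnerable: the data field becomes part of the SQL statement text."""
    sql = f"SELECT name FROM users WHERE name = '{username}' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """Fixed at the database layer: the value is bound, never parsed as SQL."""
    rows = conn.execute("SELECT name FROM users WHERE name = ? ORDER BY name", (username,))
    return [row[0] for row in rows]


def lookup_safe(conn, username):
    """Defense in depth: validate first, then bind the parameter."""
    if not validate_username(username):
        raise ValueError("username rejected by input validation")
    return lookup_parameterized(conn, username)


def demo():
    conn = make_db()
    crafted = "' OR '1'='1"  # constructed: quote characters supplied in a data field
    results = {
        "unsafe_normal": lookup_unsafe(conn, "alice"),
        "unsafe_crafted": lookup_unsafe(conn, crafted),          # every row comes back
        "parameterized_crafted": lookup_parameterized(conn, crafted),  # no row matches
        "safe_normal": lookup_safe(conn, "alice"),
        "validation_accepts": validate_username("alice"),
        "validation_rejects_quotes": validate_username(crafted),
        "validation_rejects_shell_chars": validate_username("bob|id"),
        "validation_rejects_wrong_type": validate_username(42),
        "validation_rejects_oversize": validate_username("a" * 33),
    }
    try:
        lookup_safe(conn, crafted)
        results["safe_crafted"] = "not raised"
    except ValueError:
        results["safe_crafted"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Parameterization alone already stops the crafted value from changing the query; the validator adds the size and type checks the slide asks for and gives the application a single place to reject input it was never designed to accept.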
49 Implementing Application Layer Filtering
Application layer filtering includes the following:
- Web browsing and e-mail can be scanned to ensure that content specific to each does not contain illegitimate data
- Deep content analysis, including the ability to detect, inspect, and validate traffic using any port and protocol
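The Web publishing and URLScan slides (23 and 24) describe checking that HTTP "is properly formatted and complies with standards" and blocking known-bad request shapes at the perimeter; this slide generalizes that to validating content at the application layer. One worked example serves both: the following is an added HTTP request inspector written for this page, not ISA Server or URLScan code, and the policy it enforces (allowed methods, denied extensions, length limits) is constructed for the example rather than taken from either product's configuration.

```python
"""Application-layer inspection of one HTTP request head (constructed policy)."""
import posixpath
import re
from urllib.parse import unquote

ALLOWED_METHODS = {"GET", "HEAD", "POST"}          # constructed allow-list
DENIED_EXTENSIONS = {".exe", ".dll", ".bat", ".cmd"}  # constructed deny-list
MAX_URL_LENGTH = 260
MAX_HEADER_COUNT = 50

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) (HTTP/1\.[01])$")
HEADER_LINE = re.compile(r"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*)$")
BAD_CONTROL = re.compile(rb"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")  # CR, LF and TAB stay legal


def inspect_request(raw: bytes):
    """Return (allowed, reason) for one raw request head; first failed check wins."""
    if BAD_CONTROL.search(raw):
        return False, "control characters in request"
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes in request head"
    lines = text.split("\r\n\r\n", 1)[0].split("\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        return False, "malformed request line"
    method, target, version = match.groups()
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not allowed"
    if not target.startswith("/"):
        return False, "request target is not an absolute path"
    if len(target) > MAX_URL_LENGTH:
        return False, "URL too long"
    path = target.split("?", 1)[0]
    decoded = unquote(path)            # decode exactly once ...
    if "%" in decoded:                 # ... a '%' surviving means it was encoded twice
        return False, "double-encoded characters in path"
    normalized = decoded.replace("\\", "/")
    if ".." in normalized.split("/"):
        return False, "path traversal attempt"
    if posixpath.splitext(normalized)[1].lower() in DENIED_EXTENSIONS:
        return False, "file extension not served"
    if len(lines) - 1 > MAX_HEADER_COUNT:
        return False, "too many header lines"
    headers = {}
    for line in lines[1:]:
        hm = HEADER_LINE.match(line)
        if not hm:
            return False, "malformed header line"
        headers[hm.group(1).lower()] = hm.group(2)
    if version == "HTTP/1.1" and "host" not in headers:
        return False, "HTTP/1.1 request without Host header"
    if "content-length" in headers and not headers["content-length"].isdigit():
        return False, "invalid Content-Length"
    return True, "ok"


SAMPLES = {  # constructed requests
    "normal": b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "traversal": b"GET /a/../../secret.txt HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "double_encoded": b"GET /%252e%252e/x HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "denied_extension": b"GET /upload/tool.exe HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "bad_method": b"TRACE / HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "malformed": b"GET/ HTTP/1.1\r\n\r\n",
    "no_host": b"GET /index.html HTTP/1.1\r\n\r\n",
    "bad_header": b"GET / HTTP/1.1\r\nHost: www.example.test\r\nBad Header: x\r\n\r\n",
}


def inspect_samples():
    return {name: inspect_request(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in inspect_samples().items():
        print(f"{name:17s} {'ALLOW' if allowed else 'BLOCK'}  {reason}")
```

Everything a packet filter or stateful firewall would have passed (port 80, established connection) is decided here on the bytes of the request itself. The single-decode-then-look-for-percent check is the part worth copying: decoding in a loop until nothing changes would make the filter accept whatever the back-end server eventually sees, which is the opposite of what a perimeter check should do.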
50 Session Summary
- Introduction/Defense in Depth
- Using Perimeter Defenses
- Using ISA Server to Protect Perimeters
- Using ICF to Protect Clients
- Protecting Wireless Networks
52 Questions and Answers