Server Security Technologies

1
Server Security Technologies

• (not Dr.) Fred Baumhardt
• Security Technology Architect
• Microsoft Incubation
• fred_at_microsoft.com

2
Server Security

• How not to do it

• This is not the way to protect your front
  perimeter or edge

3
Infrastructure Security
Architecture Security
4
Root Causes

• Infrastructure Architecture

• Enterprise organically grown under Project
  context
• Security was Secondary vendors no best
  practice
• Internal Network wide open everything to
  everything
• 0 day undefended patch is the solution

Classic Security Perimeter
Unmanaged Unpatched Internet
This will Save Me !
5
Security Rules

• The Biology of Security

• Authenticate Traffic Stops foreign Infection
• Enforce Protocol Rules at the Network Device
  things that break are dropped
• Dont process traffic that you didnt ask for,
  understand protocols and know what to expect

• Worms are Anonymous they dont carry your
  password database.
• Pathogens Break protocol rules you wrote a
  buffer for 72 characters attacker sent you 182
• Worms send clients something they didnt ask for

6
Server Auth

• Auth at all levels

7
Plan Execute

• Wipe Out Attack Classes
• example

Internet
Redundant Routers
Redundant Firewalls
NIC teams/switches
Control Zone
Control Zone
Control Zone
Control Zone
Outbound Proxy Zone
Inbound Proxy
ExtranetData Network SQL
Presentation
Control Zone
Control Zone
Control Zone
Control Zone
Application Servers
Control Zone
Control Zone
Control Zone
Control Zone
Messaging Network Exchange FE
Messaging Network Exchange BE
Infrastructure Network Internal Active
Directory
Data Network SQL Server Clusters
Control Zone
Control Zone
Control Zone
Control Zone
Client Networks 1n
RADIUS Network
Intranet Network - Web Servers
Management Network MOM, deployment
8
Plan Execute

• Wipe Out Attack Classes
• NAP and Domain I

• NAP (will) and Domain Isolation (has) become the
  standard which new systems roll out to

X
?
?
X
9
Infrastructure Security
ForeFront Security
10
Capabilities

• Understand The Risks
• Define the Strategy

How Much Risk can we tolerate ? Does it aggregate
?
Outsource the risk to others Buy managed
services Hire Consultants (outsource blame)
Transformation required To prevent
re-occurence Should Wipe out Class of risk
Quantify Risk and impact Decommission/Transition A
llow long term project to fix it Low enough
risk/cost ratio to allow
.
11
Forefront Naming Transition
Previous
Current
H2 2006
2007
Client
Server
TBD
Edge
TBD
12
Its about securing the workload

• Simple malware at client or server base
  insufficient
• Multiple malware vendors scanning traffic inside
  data repository, need engines per repository
• For mail, do it at edge and cloud, but other
  protocols are attacked internally, so protection
  should be internal

13
Workload Malware Approach
Live Communications Server
EHS
SharePoint Server
E-mail
ISA Server
Exchange Hosted Services
Exchange Front End Servers
Exchange BES Servers
14
Malware Engines across Products
15
Plan Execute

• The Training and Feelings of IT

• Admin Training is Key Users can be useful to IT

• Admins (like pets ?) can Help You If you train
  them
• Work with your new IT to let them understand your
  architecture and why
• Security Policy should be open to be evolved,
  and should be enforced and challenged to
  application paradigms
• Application and Infrastructure admins should
  treat security and FW admins as peers

Be Sensitive to Jobs and Roles, re-skilling is
pain