Securing an Extranet

1
Securing an Extranet

• Identifying Common Firewall Strategies
• Securing Internet-Accessible Resources in a
  Demilitarized Zone (DMZ)
• Securing Data Flow Through a DMZ

2
Identifying Common Firewall Strategies

• Identifying firewall features to protect the
  extranet
• Comparing DMZ configurations

3
Firewall Overview
4
Firewall Services

• Network Address Translation (NAT)
• Packet filtering
• Static address mapping
• Stateful inspection of network traffic
• Advanced features

5
Protecting Private Network Addressing with NAT
6
Private Network Addressing

• RFC 1918 reserves three ranges of IP addresses
  for private network addressing
• 10.0.0.0 10.255.255.255 (10.0.0.0/8)
• 172.16.0.0 172.31.255.255 (172.16.0.0/12)
• 192.168.0.0 192.168.255.255 (192.168.0.0/16)

7
Packet Filters
8
Typical Packet Filter Fields

• Source address
• Source port
• Destination address
• Destination port
• Protocol
• Action

9
Port Numbers

• To determine what ports are used by specific
  services and applications, view the Services text
  file in the systemroot\system32\drivers\etc
  folder.
• To view a listing of well-known port numbers, go
  to www.isi.edu/in-notes/iana/assignments
  /port-numbers.

10
Mirroring Packet Filters
11
Firewall Strategies

• Choose one of the following typical firewall
  strategies, based on the organization's risk
  level.
• Specify allowed protocols and prohibit everything
  else.
• Specify prohibited protocols and allow everything
  else.
• Higher security networks specify the allowed
  protocols and prohibit everything else.

12
Static Address Mapping
13
Stateful Inspection

• Simple packet filters might not provide enough
  security.
• Packet filters define which ports are left open
  at the firewall to redirect network traffic to
  Internet-accessible resources.
• Many protocols use random ports above port 1024
  at the client computer side.
• Stateful inspection allows the firewall to
  inspect and open the ports used for an initial
  connection and then close them when the
  connection is terminated.
• If any suspect ports are requested, the firewall
  can recognize the attack and drop the connection.
• Stateful inspection allows firewall rules to be
  established so that User Datagram Protocol
  (UDP)-based protocols (such as SNMP) can pass
  through successfully.

14
Advanced Techniques

• Configuring time-out tolerance
• Allows the firewall to disconnect sessions before
  the synchronize (SYN) queue overflows
• Impedes SYN flood attacks, which attempt to lock
  up the firewall and prevent further connections
  by flooding it with incomplete Transmission
  Control Protocol (TCP) sessions
• Content scanning
• Allows the firewall to inspect the commands
  transmitted within a session
• Can also scan all incoming content for known
  virus signatures

15
Making the Decision Designing Firewall Features

• NAT
• Packet filters
• Static address mapping
• Stateful inspection
• Time-out tolerances
• Content scanning

16
Applying the Decision Designing the Market
Florists Firewall

• NAT
• The private network client computers require
  access to the Internet.
• All outgoing IP addresses will be replaced with
  the NAT common address (client.marketflorist.tld
  IP address 131.107.88.2).
• Packet filters
• Packet filtering must be defined to allow only
  the authorized protocols to connect to each
  network resource.
• Several protocols are allowed to enter the
  extranet for each Market Florist server.

17
Applying the Decision Designing the Market
Florists Firewall (Cont.)

• Static address mapping
• www.marketflorist.tld
• ftp.marketflorist.tld
• mail.marketflorist.tld
• vpn.marketflorist.tld
• Stateful inspection
• Flower Power uses UDP as its transport protocol.
• UDP-based applications do not establish sessions.
• Stateful inspection ensures that the Flower Power
  connections are not hijacked.
• Stateful inspection ensures that all response
  packets use the same IP addresses and UDP ports
  that were used by the initial request packets.

18
Applying the Decision Designing the Market
Florists Firewall (Cont.)

• Time-out tolerance
• Time-outs disconnect sessions to protect the Web
  site and other extranet resources from a denial
  of service attack.
• Time-out tolerance prevents SYN flooding attacks
  against the network.
• Content scanning
• To prevent uploads of data to the MFFTP server,
  the firewall should deploy content scanning and
  prevent all attempts to use the FTP PUT command.
• This provides greater protection by scanning the
  File Transfer Protocol (FTP) transmissions for
  disallowed commands.

19
Comparing DMZ Configurations

• It is unadvisable to host Internet-accessible
  resources within the private network.
• Place all Internet-accessible resources in a
  network segment (called a DMZ) between the
  private network and the public network.
• Other terms for DMZ are screened subnet and
  perimeter network.
• There are three types of DMZ designs
  three-pronged firewall, mid-ground, and hybrid
  (or multizone).
• A DMZ is part of the public and private network.

20
A Three-Pronged Firewall DMZ
21
A Mid-Ground DMZ
22
A Hybrid DMZ with a Single Firewall
23
A Hybrid DMZ with Multiple Firewalls
24
Making the DecisionChoosing Among DMZ
Strategies

• Three-pronged firewall DMZ
• Mid-ground DMZ
• Hybrid DMZ

25
Applying the Decision Developing a DMZ Strategy
for Market Florist
26
Securing Internet-Accessible Resources in a DMZ

• Securing Internet Information Server (IIS)
• Securing other services within the DMZ

27
Securing Internet Information Server (IIS)

• The content on a Web server is the most common
  network resource exposed to the Internet.
• IIS 5.0, included with Microsoft Windows 2000
  Server, allows an organization to host Web sites.
• Additional configuration is required to fully
  secure an IIS server when it is exposed to the
  Internet.

28
Preventing Attacks Against the Web Servers

• Change all default account names.
• Ensure that the Web server is not a member of the
  same forest as the private network.

29
Preventing Attacks Against the Web Servers (Cont.)

• Separate content into different folders by type.

30
Preventing Attacks Against the Web Servers (Cont.)

• Secure available content by type.

31
Preventing Attacks Against the Web Servers (Cont.)

• Remove all sample applications from the Web
  server.

32
Preventing Attacks Against the Web Servers (Cont.)

• Disable unnecessary services.
• Block commonly attacked ports with Internet
  Protocol Security (IPSec).
• Enable IIS logging.
• Implement Secure Socket Layer (SSL) to protect
  secure areas of the Web server.
• Deploy an intrusion detection system.
• Disable the use of parent paths.
• Apply the IIS 5.0 security checklist.
• Mitigate against successful attacks.
• Maintain the latest service packs and hot fixes
  for the Web server.

33
Making the Decision Securing a Web Server

• Track all access to the Web server.
• Provide the strongest security to Web-accessible
  data.
• Prevent an attacker from accessing unauthorized
  areas of the disk subsystem.
• Prevent port scans against commonly attacked
  ports.
• Detect hacking attempts.
• Prevent a successful attack against the Web
  server from compromising other data stored on the
  network.
• Ensure that the latest security fixes are applied
  to the Web server.
• Limit the effect of a successful hacking attempt.
• Apply the recommended security configuration for
  the Web server.

34
Applying the Decision Configuring the Web Server
for Market Florist

• Configure the Web server as a Network Load
  Balancing Service (NLBS) cluster.
• Configure the NLBS cluster to load balance
  equally among the four nodes.
• Apply any additional security configurations
  uniformly against all four servers.

35
Applying the Decision Configuring the Web Server
for Market Florist (Cont.)

• Configuration for the four Web servers
• Enable auditing on each Web server.
• Separate the content from the rest of the Web
  site.
• Implement SSL on the Web server.
• Apply Internet Protocol Security (IPSec) to
  restrict public network access to the Web server.
• Apply the IIS 5.0 security checklist
  recommendations to the IIS servers.

36
Applying the Decision Configuring the Web Server
for Market Florist (Cont.)

• Recommended IPSec filters

37
Securing Other Services Within the DMZ

• FTP services
• Telnet services
• Domain Name System (DNS) services
• Terminal Services
• All services

38
Protect Transmitted Data Between Computers in the
DMZ
39
Making the Decision Protecting
Internet-Accessible Resources

• Protect the following resources
• FTP services
• Telnet services
• DNS services
• All services
• Interaction between servers

40
Applying the Decision Protecting
Internet-Accessible Resources at Market Florist

• Implement the following resources
• FTP service
• DNS service
• Telnet services
• Terminal Services
• Interaction between servers

41
Securing Data Flow Through a DMZ

• Determining a firewall strategy
• Securing DNS resolution traffic
• Securing Web traffic
• Securing FTP traffic
• Securing mail traffic
• Securing application traffic
• Securing Terminal server traffic
• Securing VPN traffic

42
Specify Allowed Protocols and Prohibit Everything
Else

• The packet filters identify all protocols that
  can pass through the firewall.
• If the packet filter does not identify a packet,
  the packet is assumed to be disallowed and is
  dropped.
• This strategy is typically used at external
  firewalls to define which protocols are allowed
  to enter the DMZ and the private network.
• This strategy is also used in high-security
  networks where only authorized protocols are
  allowed to enter the DMZ and the private network.

43
Specify Prohibited Protocols and Allow Everything
Else

• The packet filters identify all protocols that
  must be dropped at the firewall.
• If the packet filter does not identify a packet,
  the packet is allowed to pass through the
  firewall.
• This strategy is typically used at internal
  firewalls to block private network users from
  specific protocols.
• This strategy is also used in lower security
  networks where only unauthorized protocols are
  blocked at the firewall.

44
Order of the Packet Filters

• The order of processing depends on the specific
  firewall product.
• Two common methods for processing packet filters
• Process the packet filters in the order in which
  they are entered.
• Process the most specific packet filters before
  the more general packet filters.

45
Making the Decision Choosing Firewall Strategies

• The "Specify allowed protocols and prohibit
  everything else" strategy
• The "Specify prohibited protocols and allow
  everything else" strategy
• The "Specify allowed protocols and prohibit
  everything else strategy and then create packet
  filters that deny specific protocols

46
Applying the Decision Choosing a Firewall
Strategy for Market Florist

• The "Specify allowed protocols and prohibit
  everything else" strategy best meets the security
  needs of the Market Florist network.
• It allows Market Florist to define only
  authorized protocols that can enter the DMZ and
  the private network.
• If a protocol is not included in the packet
  filter list, the protocol is assumed to be denied
  access to the DMZ or private network.

47
Securing DNS Resolution Traffic

• The DNS service is used as a locator service in a
  Microsoft Windows 2000 network.
• DNS is also used as the locator service for the
  Internet.
• When designing security for the DNS service,
  define how DNS traffic moves through the private
  network and the DMZ to the Internet.
• Separate the internal DNS service from the
  external DNS service.

48
DNS Traffic Flow in a DMZ
49
Internal Firewall Rules to Restrict DNS Usage
50
External Firewall Rules to Restrict DNS Usage
51
Making the Decision Securing DNS Resolution
Traffic

• Establish packet filters at the external firewall
  to allow only TCP port 53 and UDP port 53 packets
  to reach the DNS server.
• Establish packet filters at the internal firewall
  to allow only the internal DNS server to send TCP
  port 53 and UDP port 53 packets to the external
  DNS server.
• Configure the internal DNS server to forward all
  irresolvable DNS queries to the external DNS
  server.
• Configure the external DNS server to forward
  irresolvable DNS queries to the ISPs DNS server.

52
Applying the Decision Securing DNS Resolution
Traffic at Market Florist
53
Securing Web Traffic

• A Web server is one of the most common network
  resources for Internet access.
• A Web server listens for connections from
  external client computers on TCP port 80 for HTTP
  and port 443 for HTTPS connections.

54
Web Server Placement in the DMZ
55
External Packet Filters for a Web Server
56
Making the Decision Securing Web Traffic

• Establish packet filters at the external firewall
  to allow only TCP port 80 and TCP port 443
  packets to reach the Web server.
• Implement SSL protection for Web pages that
  require external users to input sensitive data.
• When authentication is required to a Web site,
  use either Windows Integrated Authentication or
  Basic Authentication with SSL encryption to
  protect credentials from interception.

57
Applying the Decision Securing Web Traffic for
Market Florist
58
Securing FTP Traffic

• FTP allows data to be transferred to and from a
  central location.
• FTP uses two separate channels for FTP sessions.
• A control stream (a connection to TCP port 21)
  sends FTP commands from the FTP client software
  to the FTP server.
• A data stream (a connection to TCP port 20)
  transfers data.
• Active FTP clients require the FTP server to
  initiate the data transfer.
• Establish packet filters that allow the FTP
  server to initiate FTP data sessions.

59
Providing FTP Access in a DMZ
60
FTP Server Packet Filters
61
Making the Decision Securing FTP Traffic at
Market Florist

• Establish packet filters at the external firewall
  to allow only TCP port 20 and TCP port 21 packets
  to reach the FTP server.
• If active FTP clients exist, or if it is unknown
  if they exist, establish reverse packet filters
  that originate at the FTP server for TCP port 20
  and TCP port 21.
• To provide maximum password security, allow only
  anonymous access to the FTP server.

62
Applying the Decision Securing FTP Traffic at
Market Florist
63
Applying the Decision Securing FTP Traffic at
Market Florist (Cont.)

• Configure the FTP server to accept only anonymous
  connections.
• Authenticated access is not required to download
  floral arrangement brochures.
• John Coake and Pat Coleman will use Telnet from
  the private network to manage the data in the
  Ftproot folder.
• To allow Telnet access from the private network,
  the internal firewall must either allow all
  access or restrict access to TCP port 23 on the
  MFFTP server.

64
Securing Mail Traffic
65
Common Protocols Supported by Mail Servers

• Post Office Protocol v3 (POP3)
• Internet Mail Access Protocol v4 (IMAPv4)
• Simple Message Transfer Protocol (SMTP)
• Lightweight Directory Access Protocol (LDAP)

66
Protect Protocols Using SSL

• Implement Secure Sockets Layer (SSL) to protect
  POP3, IMAPv4, and LDAP.
• These protocols use SSL encryption to protect
  user account and password verification during the
  authentication process.

67
Mail Server Packet Filters
68
Making the Decision Securing Mail Traffic

• Determine which protocols will be allowed to
  access the mail server from the public network.
• Establish packet filters at the external firewall
  to allow only the necessary ports to connect to
  the mail server.
• Establish restrictions on SMTP relaying to
  prevent the mail server from becoming a source
  for unsolicited bulk e-mail.
• Restrict the protocols that can be used to
  connect to the mail server from the private
  network.

69
Applying the Decision Securing Mail Traffic at
Market Florist

• Market Florist must restrict the protocols that
  can connect to the mail server in the DMZ.
• Only POP3 and SMTP will be used to connect to the
  mail server from the public network.

70
Applying the Decision Securing Mail Traffic at
Market Florist (Cont.)

• Mail Server Packet Filters for Market Florist

71
Applying the Decision Securing Mail Traffic at
Market Florist (Cont.)

• Mail Server Configuration
• Allow only SMTP relaying if the user
  authenticates with the MFMAIL server before the
  e-mail client attempts the SMTP relay action.
• Do not restrict use of network IP addresses,
  since the sales force will connect from unknown
  IP addresses.

72
Securing Application Traffic

• Servers in the DMZ are often required to store or
  access data from an application server in the
  private network.
• Configure the internal firewall to allow only
  specific protocols to pass between the server in
  the DMZ and the application server in the private
  network.
• It is risky to place the application server in
  the DMZ because data stored on the application
  server might be compromised.
• Ensure that only authorized connections between
  the server in the DMZ and the application server
  in the private network can take place.

73
Securing Application Traffic Managing the
Connection Between the Two Servers

• Attach the server in the DMZ directly to the
  computer on the private network, using a
  crossover cable and a protocol other than TCP/IP.
• Open the firewall to allow the native protocol to
  transfer between the server in the DMZ and the
  application server in the private network.
• Use IPSec to encrypt the data transmitted between
  the server in the DMZ and the application server
  in the private network.

74
Securing Application Traffic SQL Server Packet
Filters for the Internal Firewall
75
Securing Application Traffic IPSec Packet
Filters for the Internal Firewall
76
Securing Application Traffic External Firewall

• Public network clients are only allowed to
  connect to the Web server.
• The public network clients do not query the SQL
  server on the private network.
• The Web server actually performs the query on the
  external customers behalf.
• For the transaction to occur, the external
  customer only needs to connect to the Web server
  using HTTP or HTTPS.

77
Making the Decision Securing Application Traffic

• Determine which protocols are required to access
  the server-based component in the DMZ.
• Configure the external firewall to allow only
  public network client computers to connect to the
  server in the DMZ.
• Determine which protocols the server-based
  component uses to connect to the application
  server in the private network.
• Determine the most secure method to connect the
  server in the DMZ to the application server in
  the private network.
• Define the necessary packet filters at the
  internal firewall to allow only the required
  protocols to exchange data between the DMZ and
  the private network.

78
Applying the Decision Securing Application
Traffic at Market Florist

• Market Florist must allow customers to connect to
  the SQL server on the private network.
• All data transmitted between the Web server
  (MFWEB) and the SQL server (MFSQL) must be
  encrypted using IPSec transport mode.

79
Applying the Decision Securing Application
Traffic at Market Florist (Cont.)
80
Securing Terminal Server Traffic

• Terminal Services allows an administrator to
  connect to servers on the network by using Remote
  Desktop Protocol (RDP).
• Configure Terminal Services to run in Remote
  Administration mode rather than Application
  Services mode.

81
Securing Access to a Terminal Server
82
Terminal Services Packet Filters
83
Making the Decision Securing Terminal Server
Traffic

• Configure the firewall to allow only connections
  to TCP port 3389, the RDP protocol, to pass
  through the firewall.
• Configure the terminal server to use the highest
  level of encryption supported by the client
  computers, subject to local import and export
  laws.
• If only administrative access to the terminal
  server is required, configure the terminal server
  to use Remote Administration mode.

84
Applying the Decision Securing Terminal Server
Traffic at Market Florist

• Use Terminal Services to manage all servers in
  the DMZ from the private network.
• Configure Terminal Services to use Remote
  Administration mode at all computers in the DMZ.

85
Applying the Decision Securing Terminal Server
Traffic at Market Florist (Cont.)

• Terminal Services Packet Filters

86
Securing VPN Traffic

• The organization must consider how the protocol
  affects the firewall and network infrastructure
  design.
• Layer Two Tunneling Protocol (L2TP) and IPSec
  tunnel mode both use IPSec to provide encryption
  services to the tunnel.
• IPSec cannot pass through a firewall that
  performs NAT on incoming and outgoing packets.

87
Securing PPTP Tunnel Traffic

• Special considerations are not needed when
  placing a Point-to-Point Tunneling Protocol
  (PPTP) tunnel server in the network.
• It does not matter if the external firewall
  performs NAT on incoming and outgoing packets.
• The only requirement is to place the tunnel
  server in the DMZ.

88
PPTP Tunnel Server in the DMZ
89
PPTP Packet Filters at the External Firewall
90
Securing PPTP Tunnel Traffic Protect the Active
Directory Database

• Deploy the PPTP server as a member of a workgroup
  rather than as a member of the domain.
• To support domain authentication, configure the
  tunnel server as a Remote Authentication Dial-In
  User Service (RADIUS) client to a RADIUS server
  on the private network.
• No additional encryption is required because the
  RADIUS protocol provides encryption services.

91
Securing PPTP Tunnel Traffic RADIUS
Authentication Filters at the Internal Firewall
92
Securing L2TP/IPSec Tunnel Traffic

• L2TP tunnel connections do not allow placing the
  tunnel server behind a firewall that performs
  NAT.
• Modify the DMZ configuration to meet this
  requirement.

93
L2TP Tunnel Server in the DMZ Using Public
Network Addressing
94
L2TP Tunnel Server in the Hybrid DMZ
95
Securing Access to an L2TP Perimeter Server
96
L2TP/IPSec Filters at the External Firewall
97
Making the Decision Securing VPN Traffic

• Use public network addressing if the L2TP tunnel
  server is placed in the DMZ.
• If the DMZ uses private network addressing as
  defined in RFC 1918, either
• Establish an outer DMZ that uses public network
  addressing
• Configure the L2TP server as a perimeter server
  with an interface on the public network to accept
  tunnel connections
• Configure the external firewall to pass the
  tunneling protocol used by the tunnel server in
  the DMZ.
• Configure the internal firewall to allow RADIUS
  authentication to a RADIUS server on the private
  network.

98
Applying the Decision Securing VPN Traffic at
Market Florist

• The MFTUNNEL server is assigned an IP address of
  192.168.77.9, which is an RFC 1918-defined
  private network address.
• The only tunneling protocol supported in this
  network infrastructure is PPTP.
• Configure the firewall to allow the MFTUNNEL
  server to pass RADIUS authentication and account
  packets to the Internet Authentication Services
  (IAS) server at IP address 10.10.10.200.

99
Applying the Decision Securing VPN Traffic at
Market Florist (Cont.)

• Tunnel Packet Filters at the Market Florist
  Firewall

100
Chapter Summary

• Identifying firewall features to protect the
  extranet
• Comparing DMZ configurations
• Securing Internet Information Server (IIS)
• Securing other services within the DMZ
• Determining a firewall strategy
• Securing DNS resolution traffic

101
Chapter Summary (Cont.)

• Securing Web traffic
• Securing FTP traffic
• Securing mail traffic
• Securing application traffic
• Securing terminal server traffic
• Securing VPN traffic