
Network security with 802.1x and NAP. Alberto Camina Alvarez, EMEA GTSC Spain Platform Support Specialist, Microsoft Product Support Services.




3 The defense-in-depth model. Each layer and the controls placed on it:
- Policies, procedures and awareness
- Physical security: guards, locks, tracking devices
- Perimeter: firewalls, Network Access Quarantine Control
- Internal network: network segments, IPsec, NIDS
- Host: antivirus, OS hardening, authentication, patch management, HIDS
- Application and data: application hardening, ACLs, encryption, EFS

4 Perimeter defenses. Well-configured firewalls and external routers form the main boundary and point of defense of network security. The Internet and the new trends in mobility increase security problems. VPNs have blurred the perimeter and, together with wireless networks, have made the classic network perimeter disappear.

5 Client defenses. Client defenses are responsible for blocking attacks that have crossed the external network perimeter or originated on the internal network. Client defenses include: security improvements in the operating system, antivirus and personal firewalls. In unmanaged environments users can bypass and disable client defenses.

6 Network security goals: perimeter defense, client defense, intrusion detection, network access control, confidentiality and secure remote access. Technologies shown for them: ISA Server, ICF (Internet Connection Firewall), 802.1x / WPA and IPsec.

7 Using perimeter defenses.

8 A view of today's networks (diagram: main office LAN, branch office, business partner LAN, wireless network LAN, remote user and the Internet). Network perimeters include connections to: the Internet, branch offices, business partners, remote users, wireless networks and Internet applications.

9 Firewall design (diagram): Internet - Firewall - Screened subnet - LAN.

10 Firewall design (diagram): Internet - External firewall - Screened subnet - Internal firewall - LAN.

11 What firewalls do not protect against: malicious traffic that passes through open ports and is not inspected by the firewall; any kind of traffic that passes inside an encrypted tunnel or session; attacks after penetrating the network; users and administrators who intentionally or accidentally install viruses; administrators who use weak passwords.

12 Software vs. hardware firewalls: decision factors.
Flexibility: updating for the latest vulnerabilities and patches is often easier with software-based firewalls.
Extensibility: many hardware firewalls allow only limited customizability.
Choice of vendors: software firewalls let you choose hardware for a wide variety of needs, with no reliance on a single vendor for additional hardware.
Cost: the initial purchase price for hardware firewalls might be less. Software firewalls take advantage of low CPU costs; the hardware can be easily upgraded, and old hardware can be repurposed.
Complexity: hardware firewalls are often less complex.
Overall suitability: the most important decision factor is whether a firewall can perform the required tasks. Often the lines between hardware and software firewalls are blurred.

13 Firewall types: packet filtering; application-level inspection; multi-layer inspection (including application-layer filtering).

14 GOAL: stop 95% of attacks at the perimeter of our network.

15 Denial-of-service attacks. They send unexpected or malformed traffic. They usually target a known but unpatched vulnerability. DoS can: cause large business losses; damage the reputation of the business.

16 DDoS (diagram of the attack, with the messages "Wake up!", "Ping!" and "Reply!").

17 Securing wireless networks.

18 Wireless security problems. Limitations of Wired Equivalent Privacy (WEP): static WEP keys are not dynamically changed and therefore are vulnerable to attack; there is no standard method for provisioning static WEP keys to clients; scalability: compromise of a static WEP key by anyone exposes everyone. Limitations of MAC address filtering: an attacker could spoof an allowed MAC address.

19 Possible solutions.
- Password-based layer 2 authentication: IEEE 802.1x PEAP/MSCHAP v2
- Certificate-based layer 2 authentication: IEEE 802.1x EAP-TLS
- Other options: VPN connectivity with L2TP/IPsec (preferred) or PPTP. Does not allow for roaming; useful when using public wireless hotspots; no computer authentication or processing of computer settings in Group Policy. IPsec: interoperability issues.

20 WLAN security comparison.
WLAN security type | Security level | Ease of deployment | Usability and integration
Static WEP | Low | High | High
IEEE 802.1X PEAP | High | Medium | High
IEEE 802.1x TLS | High | Low | High
VPN (L2TP/IPSec) | High | Medium | Low
IPSec | High | Low | Low

21 802.1x
- Defines a port-based access control mechanism
- Works on anything, wired or wireless
- No special encryption key requirements
- Allows a choice of authentication methods using the Extensible Authentication Protocol (EAP): chosen by the peers at authentication time; the access point doesn't care about EAP methods
- Manages keys automatically: no need to preprogram wireless encryption keys

22 802.1x with RADIUS: message sequence between the laptop computer (wireless), the access point and the RADIUS server (Ethernet). The port stays in the "Access Blocked" state until the last step.
1. Laptop and access point: Association
2. Laptop -> access point: EAPOL-Start
3. Access point -> laptop: EAP-Request/Identity
4. Laptop -> access point: EAP-Response/Identity; access point -> RADIUS: Radius-Access-Request
5. RADIUS -> access point: Radius-Access-Challenge; access point -> laptop: EAP-Request
6. Laptop -> access point: EAP-Response (credentials); access point -> RADIUS: Radius-Access-Request
7. RADIUS -> access point: Radius-Access-Accept; access point -> laptop: EAP-Success
8. Access point -> laptop: EAPOL-Key (Key); port state becomes "Access Allowed"
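The sequence above as a small simulation, added here as an illustration and not code from the presentation. The access point never sees the password and only opens its port on Radius-Access-Accept; the HMAC-over-challenge proof and the user store are assumptions of the example standing in for the real EAP method (PEAP/MSCHAPv2 or EAP-TLS).

```python
import hashlib
import hmac
import os

# Constructed user store on the RADIUS server (not from the slides): identity -> password.
USERS = {"alice": b"correct horse battery staple"}


class RadiusServer:
    """Authentication server: it only ever talks to the access point, never to the laptop."""

    def __init__(self):
        self.pending = {}  # identity -> challenge issued in Radius-Access-Challenge

    def access_request(self, identity, proof=None):
        if proof is None:  # the first Access-Request carries only the EAP identity
            self.pending[identity] = os.urandom(16)
            return "Radius-Access-Challenge", self.pending[identity]
        challenge, password = self.pending.pop(identity, None), USERS.get(identity)
        if challenge and password:
            expected = hmac.new(password, challenge, hashlib.sha256).digest()
            if hmac.compare_digest(expected, proof):
                return "Radius-Access-Accept", os.urandom(32)  # keying material for EAPOL-Key
        return "Radius-Access-Reject", None


def authenticate(identity, password):
    """Run the slide's sequence; returns (message transcript, final port state of the AP)."""
    radius, port_state = RadiusServer(), "Access Blocked"  # the port is closed until Accept
    log = ["Association", "EAPOL-Start", "EAP-Request/Identity", "EAP-Response/Identity"]
    kind, challenge = radius.access_request(identity)  # AP relays the identity to RADIUS
    log += ["Radius-Access-Request", kind, "EAP-Request (challenge)"]
    # The supplicant proves knowledge of the password without sending it: an HMAC over
    # the challenge. This stands in for MSCHAPv2 inside PEAP (assumption of the example).
    proof = hmac.new(password, challenge, hashlib.sha256).digest()
    log.append("EAP-Response (credentials)")
    kind, key = radius.access_request(identity, proof)  # second Radius-Access-Request
    log += ["Radius-Access-Request", kind]
    if kind == "Radius-Access-Accept":
        port_state = "Access Allowed"  # the AP opens the port only now
        log += ["EAP-Success", "EAPOL-Key (Key)"]  # per-session keys, nothing preprogrammed
    else:
        log.append("EAP-Failure")
    return log, port_state
```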

23 Requirements for 802.1x. Client: Windows XP. Server: Windows Server 2003 with IAS (Internet Authentication Service, our RADIUS server) and a certificate on the IAS computer. 802.1x on Windows 2000: client and IAS must have SP3 (see KB article); no zero-configuration support in the client; supports only EAP-TLS and MS-CHAPv2; future EAP methods in Windows XP and Windows Server 2003 might not be backported.

24 802.1x setup.
1. Configure Windows Server 2003 with IAS
2. Join a domain
3. Enroll a computer certificate
4. Register IAS in Active Directory
5. Configure RADIUS logging
6. Add the AP as a RADIUS client
7. Configure the AP for RADIUS and 802.1x
8. Create the wireless client access policy
9. Configure clients (don't forget to import the root certificate)

25 Access policies. Policy conditions:
- NAS-Port-Type matches "Wireless IEEE 802.11" OR "Wireless Other"
- Windows-group = (a group of your choice): optional; allows administrative control; should contain user and computer accounts

26 Access policies. Profile:
- Time-out: 60 min. (802.11b) or 10 min. (802.11a/g)
- No regular authentication methods
- EAP type: Protected EAP; use the computer certificate
- Encryption: only the strongest (MPPE 128-bit)
- Attributes: Ignore-User-Dialin-Properties = True

27 Wi-Fi Protected Access (WPA). A specification of standards-based, interoperable security enhancements that strongly increase the level of data protection and access control for existing and future wireless LAN systems. WPA requires 802.1x authentication for network access. Goals: enhanced data encryption; provide user authentication; be forward compatible with 802.11i; provide a non-RADIUS solution for small/home offices.

28 Recommended practices.
- Use 802.1x authentication
- Organize wireless users and computers into groups
- Apply wireless access policies using Group Policy
- Use EAP-TLS for certificate-based authentication and PEAP for password-based authentication
- Configure your remote access policy to support user authentication as well as machine authentication
- Develop a method to deal with rogue access points, such as LAN-based 802.1x authentication, site surveys, network monitoring and user education

29 Securing communications with IPsec.

30 IPSec. What is IP Security (IPSec)? A method to secure IP traffic; a framework of open standards developed by the Internet Engineering Task Force (IETF). Why use IPSec? To ensure encrypted and authenticated communications at the IP layer; to provide transport security that is independent of applications or application-layer protocols.

31 IPsec scenarios: basic permit/block packet filtering; secure internal LAN communications; domain replication through firewalls; VPN across untrusted media.

32 Implementing IPsec packet filtering.
- Filters for allowed and blocked traffic
- No actual negotiation of IPsec security associations
- Overlapping filters: the most specific match determines the action
- Does not provide stateful filtering
- Must set "NoDefaultExempt = 1" to be secure
Example filter list:
From IP | To IP | Protocol | Src port | Dest port | Action
Any | My Internet IP | Any | N/A | N/A | Block
Any | My Internet IP | TCP | Any | 80 | Permit
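A model of how that filter list is evaluated, added here as an example rather than code from the presentation: the two overlapping filters from the table, most-specific-match resolution, the stateless per-packet decision, and the exemptions from the next slide (IKE, Kerberos, multicast). The placeholder address and the reading that NoDefaultExempt = 1 removes only the Kerberos exemption are assumptions of the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed placeholder for the slide's "My Internet IP".
MY_INTERNET_IP = "203.0.113.10"


@dataclass(frozen=True)
class Filter:
    src: str      # "Any" or an address
    dst: str
    proto: str    # "Any", "TCP" or "UDP"
    sport: str    # "Any", "N/A" or a port number as text
    dport: str
    action: str   # "Permit" or "Block"

    def matches(self, pkt):
        wanted = (self.src, self.dst, self.proto, self.sport, self.dport)
        have = (pkt["src"], pkt["dst"], pkt["proto"], str(pkt["sport"]), str(pkt["dport"]))
        return all(w in ("Any", "N/A") or w == h for w, h in zip(wanted, have))

    def specificity(self):
        # Number of concrete fields: among overlapping filters the most specific one wins.
        fields = (self.src, self.dst, self.proto, self.sport, self.dport)
        return sum(f not in ("Any", "N/A") for f in fields)


# The two filters from the slide's table.
FILTERS = [
    Filter("Any", MY_INTERNET_IP, "Any", "N/A", "N/A", "Block"),
    Filter("Any", MY_INTERNET_IP, "TCP", "Any", "80", "Permit"),
]


def is_exempt(pkt, no_default_exempt=0):
    """Traffic IPsec never filters (slide 33). That NoDefaultExempt = 1 withdraws the
    Kerberos exemption is this example's assumption about the setting."""
    if pkt["proto"] == "UDP" and pkt["dport"] == 500:                 # IKE
        return True
    if pkt["proto"] == "UDP" and 88 in (pkt["sport"], pkt["dport"]):  # Kerberos
        return no_default_exempt == 0
    return ip_address(pkt["dst"]).is_multicast                        # multicast receivers


def decide(pkt, no_default_exempt=0):
    """Stateless decision for one packet: replies are judged on their own, not by session."""
    if is_exempt(pkt, no_default_exempt):
        return "Exempt"
    hits = [f for f in FILTERS if f.matches(pkt)]
    if not hits:
        return "Permit"  # no filter covers it, so IPsec leaves the packet alone
    return max(hits, key=Filter.specificity).action
```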

33 Traffic not filtered by IPsec.
- IP broadcast addresses: cannot secure to multiple receivers
- Multicast addresses: from 224.0.0.0 through 239.255.255.255
- Kerberos: UDP source or destination port 88. Kerberos is a secure protocol, which the Internet Key Exchange (IKE) negotiation service may use for authentication of other computers in a domain
- IKE: UDP destination port 500. Required to allow IKE to negotiate the parameters for IPsec security

34 IPsec performance. IPsec processing has some performance impact:
- IKE negotiation time: about 2-5 seconds initially, 5 round trips; authentication with Kerberos or certificates; cryptographic key generation and encrypted messages; done once per 8 hours by default, settable
- Session rekey is fast: under 1-2 seconds, 2 round trips, once per hour, settable
- Encryption of packets

35 IPsec performance: how to improve? Offloading NICs do IPsec almost at wire speed. Using faster CPUs.

36 Recommended practices.
- Plan your IPsec implementation carefully
- Choose between AH and ESP
- Use Group Policy to implement IPsec policies
- Consider the use of IPsec NICs
- Never use shared key authentication outside your test lab
- Choose between certificates and Kerberos authentication
- Use care when requiring IPsec for communications with domain controllers and other infrastructure servers

37 The problems of 802.1X.

38 What is 802.1X? A port-based access control method defined by IEEE 802.1X. EAP provides mutual authentication between devices (ftp://ftp.rfc-editor.org/in-notes/rfc3748.txt). Works over anything, wired or wireless (ftp://ftp.rfc-editor.org/in-notes/rfc2549.txt, http://eagle.auc.ca/~dreid).

39 What do you need for 802.1X? Network infrastructure that supports it (switches, mostly). Clients and servers that support it: supplicants are included in Windows XP, 2003 and Vista; a download for Windows 2000.

40 Why is it perfect for wireless environments? The supplicant (client) and the authentication server (RADIUS) generate session keys. Keys are never sent over the air, so there is nothing for an attacker to use to conduct impersonation or man-in-the-middle attacks. Can be managed centrally with GPOs.

41 Why is it not so perfect for wired environments? No GPOs, and we can't retrofit. Worse... a fundamental protocol design flaw: 802.1X authenticates only at the start of traffic between client and switch. After the switch port opens, everything after that is assumed to be valid. These kinds of assumptions allow MITM attacks! It does require physical access to the network.

42 Attacks against 802.1x (diagram: MAC address aa:bb:cc:dd:ee:ff; "...authenticate..."; "drop all inbound not for me").

43 How it works. 802.1X lacks per-packet authentication: it assumes that the post-authentication traffic is valid, based on MAC and IP only. The switch has no idea what's happened! The attacker can communicate only over UDP: the victim would reset any TCP reply it received but didn't send (the victim sees the reply to the shadow).

44 Attacks against 802.1x (diagram: MAC address aa:bb:cc:dd:ee:ff; TCP exchange SYN, ACK-SYN, RST, ACK-RST).

45 It can be improved!! If the victim computer happens to run a personal firewall... ...which drops unsolicited ACK-SYNs... It gets better!

46 The attack... improved (diagram: MAC address aa:bb:cc:dd:ee:ff; SYN, ACK-SYN, ACK).

47 Solutions. Despite what the networking vendors claim, 802.1X is inappropriate for preventing rogue access to the network. Good security mechanisms never assume that computers are playing nicely: 802.1X makes this incorrect assumption, IPsec does not. If you're worried about bad guys flooding your network... then 802.1X + IPsec is the way to go.

48 Trusted users disclosing high value data; compromise of trusted credentials; untrusted computers compromising other untrusted computers; loss of physical security of trusted computers; lack of compliance mechanisms for trusted computers.

49 Preparing for Network Access Protection (NAP). Deploy domain isolation to become familiar with IPsec concepts. NAP will provide a richer enforcement mechanism, while adding to server and domain isolation. Plan and model to add health authentication and the other compliance enforcement mechanisms that Network Access Protection provides. More guidance available during the Longhorn beta.

50 The future of IPsec.
Server 2003, Windows XP:
- Isolation by domain or server: authentication of the machine, but no health check
- Windows firewall integration: authenticated bypass capability
- Overhead offload: 10/100 Mb NIC, lower CPU
Longhorn and beyond:
- Extensible isolation: user and machine credentials; health certificates
- Firewall integration: Windows Filtering Platform
- Improved administration: one-size-fits-all policy
- Extensible performance: Gig-E offload for lower CPU

51 Protecting networks with NAP.

52 A connected world (diagram: Internet, intranet, remote employees, remote access gateway, web server, customers, perimeter, infrastructure servers, extranet server). Interconnected networks; distributed data; mobile workers; business extranets; remote access; web services; wireless; mobile smart devices.

53 NAP architecture overview (diagram flows: health policy, updates, health statements, network access requests, health certificate; network access devices and servers; components from MS and 3rd parties).
- Client: System Health Agent (SHA), health agents that check client state; Quarantine Agent (QA), coordinates SHA/EC; Enforcement Client (EC) (DHCP, IPsec, 802.1X, VPN), the method of enforcement
- MS Network Policy Server: Quarantine Server (QS), coordinates the SHV; System Health Validator (SHV), validates client health
- Remediation Server: serves up patches, AV signatures, etc.
- System Health Server: provides client compliance policies

54 Network Access Protection enforcement methods: Internet Protocol security (IPsec)-protected communications; IEEE 802.1X-authenticated network connections; remote access virtual private network (VPN) connections; Dynamic Host Configuration Protocol (DHCP) configuration.

55 Protection with NAP: the exchange between the client, the 802.1x switch, MS NPS, the remediation servers and the system health servers.
- Client: "May I have access? Here's my current health status."
- Switch to NPS: "Should this client be restricted based on its health?"
- System health servers send ongoing policy updates to the Network Policy Server.
- NPS: "According to policy, the client is not up to date. Quarantine client, request it to update." To the client: "You are given restricted access until fix-up."
- Client to remediation servers, from the restricted network: "Can I have updates?" "Here you go."
- Client: "Requesting access. Here's my new health status."
- NPS: "According to policy, the client is up to date. Grant access." The client is granted access to the full intranet.
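The quarantine-and-fix-up loop above as a small model, added here as an illustration rather than code from the presentation: the SHA's statement of health, the SHV checking it against a policy, the NPS decision, and the remediation server updating the client before it asks again. The two health checks (firewall on, minimum AV signature version) and their values are constructed for the example.

```python
from dataclasses import dataclass

# Constructed compliance policy, as published by the System Health Server (not from the slides).
POLICY = {"firewall_on": True, "av_signature_min": 1200}


@dataclass
class HealthStatement:
    """What the System Health Agent (SHA) reports in the client's statement of health."""
    firewall_on: bool
    av_signature: int


@dataclass
class RemediationServer:
    """Serves up patches and AV signatures to clients parked on the restricted network."""
    latest_av_signature: int = 1250

    def fix_up(self, soh):
        soh.firewall_on = True
        soh.av_signature = max(soh.av_signature, self.latest_av_signature)


def validate(soh, policy):
    """System Health Validator (SHV): the requirements the client fails (empty = compliant)."""
    failures = []
    if policy["firewall_on"] and not soh.firewall_on:
        failures.append("firewall_on")
    if soh.av_signature < policy["av_signature_min"]:
        failures.append("av_signature")
    return failures


def nps_decision(soh, policy):
    """Network Policy Server: restrict until fix-up, grant the full intranet once compliant."""
    return "Full intranet" if not validate(soh, policy) else "Restricted Network"


def nap_session(soh, policy=POLICY, remediation=None, max_rounds=2):
    """Client asks for access, is quarantined, fetches updates and resubmits its health status."""
    remediation = remediation or RemediationServer()
    transcript = []
    for _ in range(max_rounds):
        failures, decision = validate(soh, policy), nps_decision(soh, policy)
        transcript.append((failures, decision))
        if decision == "Full intranet":
            break
        remediation.fix_up(soh)  # "Can I have updates?" / "Here you go."
    return transcript
```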

56 NAP components (diagram): NAP client with limited access; DHCP server; remediation servers; VPN server; Network Policy Server (NPS); Active Directory; intranet; restricted network; perimeter network; health certificate server (HCS); IEEE 802.1X devices; Internet; policy servers.

57 Interaction of the NAP components (diagram: NAP client, DHCP server, remediation server, NPS and HCS). Message types: DHCP messages; Remote Authentication Dial-in User Service (RADIUS) messages; system health updates; Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS) messages.

58 Interaction of the NAP components (2) (diagram: NAP client, NPS, VPN server, IEEE 802.1X devices and policy server). Message types: system health requirement queries; Protected Extensible Authentication Protocol (PEAP) messages over the Point-to-Point Protocol (PPP); PEAP messages over EAP over LAN (EAPOL); RADIUS messages.

59 NAP client architecture components: System Health Agent (SHA); NAP Agent; NAP Enforcement Client (EC): IPsec NAP EC, EAPHost NAP EC, VPN NAP EC, DHCP NAP EC.

60 QUESTIONS?

