Presentation is loading. Please wait.

Presentation is loading. Please wait.

Securing Network – Wireless – and Connected Infrastructures

Published byEthan Lucas Modified over 10 years ago

Similar presentations

Presentation on theme: "Securing Network – Wireless – and Connected Infrastructures"— Presentation transcript:

1 Securing Network – Wireless – and Connected Infrastructures
Fred Baumhardt Infrastructure Solutions Consulting Microsoft Security Solutions, Feb 4th, 2003

2 Agenda Defining the Datacenter Network Security Problem
Penetration Techniques and Tools Network Defence-in-Depth Strategy Perimeter and Network Defences Operating System and Services Defences Application Defences Data Defences

3 The Datacenter Problem We All Face
Systems organically grown under “Project” context No clear best practice from vendors Security often bolted on as an afterthought Fear of change – Time to Market Some Core Systems Extranets Internet Systems Project 1…n System Branch Offices Departments

4 The Big Picture of Security
OS hardening is only one component of security strategy AND Firewalls are not a Panacea Entering the Bank Branch doesn’t get you into the vault Security relies on multiple things People and skills Process and incident management Internal Technologies – E.G. OS, Management Tools, switches, IDS, ISA Edge Technologies – Firewalls, ISA, IDS

5 Threat Modelling Internal Users are usually far more dangerous
Normal employees have tools, experience, and know your systems – after all they use them Customers usually take little internal protection precautions – preferring to focus on external Firewalls, and DMZ scenarios for security Data is now being hacked – not just systems

6 The First Phase of Hacking
Information Gathering and Intelligence Port Scanning – Banner Grabbing – TCP/IP Packet Profiling – TTL Packet Manipulating Researching network structure – newsgroup posts, outbound s, these all hold clues to network design .

7 The Second Phase of Hacking
Analysis of Collected Information Process relevant bits of data about target network Formulate an attack plan For Example: Attacker wont use SUN specific attacks on W2K Boxes, won’t use NT Attacks on .NET etc.. Hacker Forums, websites, exploit catalogues

8 The Third Phase of Hacking
The Compromise OS Specific Attacks Denial of Service Attacks Application Attacks Buffer Overflows URL String Attacks Injection Cross-site Scripting Attacks Compromised system jumps into another

9 Networking and Security
The network component is the single most important aspect to security Wireless is based on Radio transmission and reception – not bounded by wires Some sort of encryption is thus required to protect open medium Ethernet is also just about as insecure

10 Network Problems ctd Use encryption and authentication to control access to network WEP – Wired Equivalent Privacy 802.1X - using Public Key Cryptography Mutually authenticating client and network

11 Securing a Wireless Connection
Three major strategies WEP – basic low security simple solution VPN – use an encrypted tunnel assuming network is untrusted 802.1X family – Use PKI to encrypt seamlessly from client to access point Usually complex to implement but then seamless to user Substantial investment in PKI Also vendor specific like Leap

12 What about the wired network ?
This is where the hackers kill you Currently a “total trust” model You can ping HR database, or chairman's PC, or accounting system in Tokyo We assume anyone who can get in to our internal network is trusted – and well intentioned Ethernet and TCP/IP is fundamentally insecure

13 VPN Extend the “internal” network space to clients in internet
Extends the security perimeter to the client Main systems are PPTP – L2TP/IPSEC IP Tunnel Corporate Net or Client Corporate Net in Reading Host A Host B Router C Router D Internet

14 How the Architecture Can Prevent Attack
INTERNET Internet Remote data center Redundant Routers Redundant Firewalls Intrusion Detection BORDER NIC teams/2 switches VLAN VLAN VLAN VLAN Per imeter Client and Site VPN DNS & SMTP Proxy Redundant Internal Firewalls Infrastructure Network – Perimeter Active Directory NIC teams/2 switches INTERNAL VLAN VLAN VLAN VLAN Data Network – SQL Server Clusters Infrastructure Network – Internal Active Directory Messaging Network – Exchange VLAN VLAN VLAN VLAN . Client Network RADIUS Network Intranet Network - Web Servers Management Network – MOM, deployment

15 How do I do it ? A Flat DMZ Design to push intelligent inspection outwards ISA layer 7 filtration – RPC – SMTP – HTTP - Switches that act like firewalls IPSec where required between servers Group Policy to Manage Security 802.1X or VPN into ISA servers treating Wireless as Hostile Internal IDS installed TCP 443: HTTPS Or TCP 443: HTTPS Internet TCP 80: HTTP Stateful Packet Filtering Firewall Application Filtering Firewall (ISA Server) Exchange Server Wireless

16 Call To Action Take Action – your network transport is insecure
Read and use security operations guides for each technology you use Mail me with questions – If I didn’t want to talk to you I would put a fake address Use the free MS tools to establish a baseline and stay on it Attack yourself – you will learn

17 Wherever you go – go securely !
____________________________________________________________

Download ppt "Securing Network – Wireless – and Connected Infrastructures"

Similar presentations

SMC2804WBRP-G Barricade™ g 2.4GHz 54Mbps Wireless Cable/DSL Broadband Router with USB Print Server SMC2804WBRP-G www.smc.com.

SMC2804WBRP-G Barricade™ g 2.4GHz 54Mbps Wireless Cable/DSL Broadband Router with USB Print Server SMC2804WBRP-G
Microsoft Internet Security and Acceleration (ISA) Server 2004 Technical Overview

Microsoft Internet Security and Acceleration (ISA) Server 2004 Technical Overview
DMZ (De-Militarized Zone)

DMZ (De-Militarized Zone)
Firewalls Steven M. Bellovin https://www.cs.columbia.edu/~smb Matsuzaki ‘maz’ Yoshinobu 1.

Firewalls Steven M. Bellovin Matsuzaki ‘maz’ Yoshinobu 1.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
1.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.

1.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.
Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.

Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.
Module 5: Configuring Access for Remote Clients and Networks.

Module 5: Configuring Access for Remote Clients and Networks.
1 Configuring Virtual Private Networks for Remote Clients and Networks.

1 Configuring Virtual Private Networks for Remote Clients and Networks.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
Securing Exchange, IIS, and SQL Infrastructures

Securing Exchange, IIS, and SQL Infrastructures
Introduction to ISA 2004 Dana Epp Microsoft Security MVP.

Introduction to ISA 2004 Dana Epp Microsoft Security MVP.
Principles of Information Security, 2nd Edition1 Firewalls and VPNs.

Principles of Information Security, 2nd Edition1 Firewalls and VPNs.
IS Network and Telecommunications Risks

IS Network and Telecommunications Risks
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Firewalls Presented By Hareesh Pattipati. Outline Introduction Firewall Environments Type of Firewalls Future of Firewalls Conclusion.

Firewalls Presented By Hareesh Pattipati. Outline Introduction Firewall Environments Type of Firewalls Future of Firewalls Conclusion.
SecPath Firewall Architecture. Objectives Upon completion of this course, you will be able to: Understand the architecture of SecPath series firewalls.

SecPath Firewall Architecture. Objectives Upon completion of this course, you will be able to: Understand the architecture of SecPath series firewalls.
Top-Down Network Design Chapter Eight Developing Network Security Strategies Copyright 2010 Cisco Press & Priscilla Oppenheimer.

Top-Down Network Design Chapter Eight Developing Network Security Strategies Copyright 2010 Cisco Press & Priscilla Oppenheimer.
Secure Network Design: Designing a Secure Local Area Network IT352 | Network Security |Najwa AlGhamdi1 Case Study

Secure Network Design: Designing a Secure Local Area Network IT352 | Network Security |Najwa AlGhamdi1 Case Study
Faten Yahya Ismael.  It is technology creates a network that is physically public, but virtually it’s private.  A virtual private network (VPN) is a.

Faten Yahya Ismael.  It is technology creates a network that is physically public, but virtually it’s private.  A virtual private network (VPN) is a.

Similar presentations

Ads by Google