
Securing Network – Wireless – and Connected Infrastructures
Fred Baumhardt, Infrastructure Solutions Consulting, Microsoft Security Solutions, Feb 4th, 2003


1 Securing Network – Wireless – and Connected Infrastructures
Fred Baumhardt, Infrastructure Solutions Consulting, Microsoft Security Solutions, Feb 4th, 2003

2 Agenda
- Defining the Datacenter Network Security Problem
- Penetration Techniques and Tools
- Network Defence-in-Depth Strategy
- Perimeter and Network Defences
- Operating System and Services Defences
- Application Defences
- Data Defences

3 The Datacenter Problem We All Face
(Diagram: Core Systems, Internet Systems, Departments, Extranets, Branch Offices, Project 1…n Systems)
- Systems organically grown under project context
- No clear best practice from vendors
- Security often bolted on as an afterthought
- Fear of change – time to market

4 The Big Picture of Security
- OS hardening is only one component of a security strategy, and firewalls are not a panacea
- Entering the bank branch doesn't get you into the vault
- Security relies on multiple things:
  - People and skills
  - Process and incident management
  - Internal technologies – e.g. OS, management tools, switches, IDS, ISA
  - Edge technologies – firewalls, ISA, IDS

5 Threat Modelling
- Internal users are usually far more dangerous
- Normal employees have tools, experience, and know your systems – after all, they use them
- Customers usually take few internal protection precautions, preferring to focus on external firewalls and DMZ scenarios for security
- Data is now being hacked – not just systems

6 The First Phase of Hacking
- Information gathering and intelligence
- Port scanning – banner grabbing – TCP/IP packet profiling – TTL packet manipulation
- Researching network structure – newsgroup posts, outbound e-mails; these all hold clues to network design

7 The Second Phase of Hacking
- Analysis of collected information
- Process relevant bits of data about the target network
- Formulate an attack plan
- For example: an attacker won't use Sun-specific attacks on W2K boxes, won't use NT attacks on .NET, etc.
- Hacker forums, websites, exploit catalogues

8 The Third Phase of Hacking
- The compromise
- OS-specific attacks
- Denial of service attacks
- Application attacks:
  - Buffer overflows
  - URL string attacks
  - Injection
  - Cross-site scripting attacks
- Compromised system jumps into another

9 Networking and Security
- The network component is the single most important aspect of security
- Wireless is based on radio transmission and reception – not bounded by wires
- Some sort of encryption is thus required to protect the open medium
- Ethernet is also just about as insecure

10 Network Problems ctd
- Use encryption and authentication to control access to the network
- WEP – Wired Equivalent Privacy
- 802.1X – using public key cryptography
- Mutually authenticating client and network

11 Securing a Wireless Connection
Three major strategies:
- WEP – basic, low-security, simple solution
- VPN – use an encrypted tunnel, assuming the network is untrusted
- 802.1X family – use PKI to encrypt seamlessly from client to access point
  - Usually complex to implement, but then seamless to the user
  - Substantial investment in PKI
  - Also vendor-specific variants, like LEAP

12 What about the wired network?
- This is where the hackers kill you
- Currently a total trust model
- You can ping the HR database, or the chairman's PC, or the accounting system in Tokyo
- We assume anyone who can get into our internal network is trusted – and well intentioned
- Ethernet and TCP/IP are fundamentally insecure

13 VPN
(Diagram: Host A on the Internet – Router C – IP tunnel – Router D – Corporate Net in Reading; Corporate Net or Client B)
- Extend the internal network space to clients on the Internet
- Extends the security perimeter to the client
- Main systems are PPTP and L2TP/IPsec

14 How the Architecture Can Prevent Attack
(Diagram of the zoned network: Internet – Border – Perimeter – Internal)
- Border: redundant routers
- Perimeter: redundant firewalls; DNS & SMTP; client and site VPN; RADIUS network; intranet network (web servers); proxy; Infrastructure Network – perimeter Active Directory; intrusion detection
- Internal: redundant internal firewalls, with separate VLANs for the Infrastructure Network (internal Active Directory), Messaging Network (Exchange), Management Network (MOM, deployment), Client Network, Data Network (SQL Server clusters) and the remote data center; NIC teams across two switches

15 How do I do it?
- A flat DMZ design to push intelligent inspection outwards
- ISA layer 7 filtration – RPC – SMTP – HTTP
- Switches that act like firewalls
- IPsec where required between servers
- Group Policy to manage security
- 802.1X or VPN into ISA servers, treating wireless as hostile
- Internal IDS installed
(Diagram: Internet or wireless – TCP 80: HTTP / TCP 443: HTTPS – stateful packet-filtering firewall – application-filtering firewall (ISA Server) – TCP 443: HTTPS – Exchange Server)
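The port scanning named in slide 6 is exactly the reconnaissance the internal IDS in this slide should surface. As an added example (not from the deck), the script below flags a source that is denied on many distinct ports of one host within a short window; the log lines and their format (timestamp, source, destination, destination port, action) are constructed for illustration.

```python
"""Flag port-scan reconnaissance in denied-connection firewall log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format: timestamp src dst dport action);
# 10.0.5.23 probes ten ports of one host in five seconds, 10.0.7.9 is benign.
SAMPLE_LOG = """\
2003-02-04T09:00:01 10.0.5.23 10.0.1.10 22 DENY
2003-02-04T09:00:01 10.0.5.23 10.0.1.10 23 DENY
2003-02-04T09:00:02 10.0.5.23 10.0.1.10 25 DENY
2003-02-04T09:00:02 10.0.5.23 10.0.1.10 80 DENY
2003-02-04T09:00:03 10.0.5.23 10.0.1.10 135 DENY
2003-02-04T09:00:03 10.0.5.23 10.0.1.10 139 DENY
2003-02-04T09:00:04 10.0.5.23 10.0.1.10 445 DENY
2003-02-04T09:00:04 10.0.5.23 10.0.1.10 1433 DENY
2003-02-04T09:00:05 10.0.5.23 10.0.1.10 3389 DENY
2003-02-04T09:00:05 10.0.5.23 10.0.1.10 8080 DENY
2003-02-04T09:00:06 10.0.7.9 10.0.1.10 443 ALLOW
2003-02-04T09:00:07 10.0.7.9 10.0.1.10 80 ALLOW
2003-02-04T09:30:00 10.0.7.9 10.0.1.10 22 DENY
"""

def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport, action)."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action

def detect_port_scans(log_text, threshold=8, window=timedelta(seconds=60)):
    """Return {(src, dst): sorted ports} for each source denied on more than
    `threshold` distinct ports of one host within any `window`; only DENY
    lines count, since allowed traffic is normal use rather than probing."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst, dport, action = parse_line(line)
        if action == "DENY":
            hits[(src, dst)].append((ts, dport))
    alerts = {}
    for key, events in hits.items():
        events.sort()
        best, start = set(), 0
        for end in range(len(events)):  # sliding time window over sorted hits
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) > len(best):
                best = ports
        if len(best) > threshold:
            alerts[key] = sorted(best)
    return alerts
```

Tune `threshold` and `window` to the host's normal traffic; a single denied connection from a legitimate client, as with 10.0.7.9 here, never reaches the alert.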

16 Call To Action
- Take action – your network transport is insecure
- Read and use the security operations guides for each technology you use
- Mail me with questions – if I didn't want to talk to you I would put a fake address
- Use the free MS tools to establish a baseline and stay on it
- Attack yourself – you will learn

17 Wherever you go – go securely!
