PROTECTING YOUR LAN BORDER Best Practice for your Firewall Setting and Configuration. By Fernando Navarrete and Oswaldo Bolívar
INTRODUCTION
Protecting the infrastructure and keeping students and staff safe requires the implementation of security controls capable of mitigating both well-known and new forms of threats. Common threats to school environments include:
Service disruption: disruption of the administrative infrastructure and learning resources such as computer labs, caused by botnets, worms, malware, adware, spyware, viruses and DoS attacks.
Harmful or inappropriate content: pornography, adult, aggressive, offensive and other types of content that could put the physical and psychological well-being of minors at risk.
Network abuse: peer-to-peer file sharing and instant messaging abuse, and use of non-approved applications by students, staff and faculty.
INTRODUCTION (Cont.)
Unauthorized access: intrusions, unauthorized users, escalation of privileges, and unauthorized access to learning and administrative resources.
Data loss: theft or leakage of student, staff and faculty private data from servers, endpoints and while in transit, or as a result of spyware, malware, key-loggers, viruses, etc.
INTERNET PERIMETER PROTECTION
The primary function of the Internet perimeter is to allow safe and secure Internet access for students, staff and faculty, and to provide public services without compromising the confidentiality, integrity and availability of school resources and data. To that end, the Internet perimeter incorporates the following security functions:
Internet Border
Internet Firewall
Public Services DMZ
EXPLOITS
The most commonly observed types of exploits in 1H11 were those targeting vulnerabilities in the Oracle (formerly Sun) Java Runtime Environment (JRE), Java Virtual Machine (JVM), and Java SE in the Java Development Kit (JDK). Java exploits were responsible for between one-third and one-half of all exploits observed in each of the four most recent quarters. Detections of operating system exploits increased dramatically in 2Q11 because of increased exploitation of vulnerability CVE-2010-2568.
DOCUMENT EXPLOITS
Exploits that affected Adobe Acrobat and Adobe Reader accounted for most document format exploits detected in the first half of 2011. Almost all of these exploits involved the generic exploit family Win32/Pdfjsc. More than half of Microsoft Office exploits involved CVE-2010-3333, a vulnerability in the Rich Text Format (RTF) parser in versions of Microsoft Word.
LOCAL INFECTIONS IN THE LAST MONTH http://www.securelist.com/en/statistics#/en/top20/ids/month
NETWORK ATTACKS IN THE LAST MONTH http://www.securelist.com/en/statistics#/en/top20/ids/month
OUR LINE OF ACTION
CHALLENGES FOR IT STAFF
ATTACKS MORE DANGEROUS THAN EVER
Malware is driven by commercial gain
Advanced attacks and increased proliferation
A global approach
The virus became cybercrime
FRAGMENTATION OF SECURITY TECHNOLOGIES
Applications and programs with many features to manage
Poor interoperability
No integrability with existing IT infrastructure
DIFFICULT TO USE, INSTALL AND MANAGE
Interoperability with beta versions
Self-managed systems with very high demands
Quantification is required to be justified
REQUIREMENTS FOR A SECURITY SOLUTION
PROTECTION AGAINST VIRUSES, MALWARE, HACKERS AND SPAM
[Layered diagram: INTERNET/CLOUD -> PERIMETER/EDGE -> O.S. CLIENTS AND SERVERS -> APPLICATION SERVERS]
Forefront TMG is a comprehensive secure web gateway solution that helps to protect employees from web-based threats. Forefront TMG also delivers simple, unified perimeter security, with integrated firewall, VPN, intrusion prevention, malware inspection and URL filtering.
Key Features:
URL Filtering: Forefront TMG 2010 blocks malicious sites more effectively by using aggregated data from multiple URL filtering vendors and the anti-phishing and anti-malware technologies that also protect Internet Explorer 8 users. The highly accurate categorization of websites also blocks sites that may violate corporate policies.
HTTPS Inspection: HTTPS Inspection enables Forefront TMG 2010 to inspect inside your users' SSL-encrypted web traffic. By inspecting within these encrypted sessions, Forefront TMG 2010 can both detect possible malware and limit employee web usage to approved sites. Sensitive sites, such as banking sites, can be excluded from inspection.
Network Inspection System: Forefront TMG 2010 includes integrated intrusion prevention technology that protects against browser-based and other vulnerabilities, including browser plug-in exploits.
Web Anti-malware: Forefront TMG 2010 provides highly accurate malware detection with a scanning engine that combines generic signatures and heuristic technologies to proactively catch variants without specific signatures.
Server Management: Ongoing management of servers in the data center is one of the most time-consuming tasks facing IT professionals today. Inefficient servers can drive up energy usage and costs. Windows Server 2008 R2 with SP1 delivers features in Server Manager to reduce your administrative effort for common day-to-day operational tasks.
Builds on ISA 2006: Includes and builds on the proven network protection technologies of Microsoft Internet Security and Acceleration Server 2006, the previous version of Forefront TMG 2010.
This enables you to deploy a perimeter firewall or a secure gateway for such applications as Microsoft Exchange Server and Microsoft SharePoint.
Centralized Management: Enables you to create and manage all web security functions across distributed environments from a single console. Manages both Standard and Enterprise editions.
Custom Reports: Generates web security reports quickly and facilitates easy customization to meet business-specific reporting needs. It also integrates with Microsoft SQL Server Express or SQL Server infrastructure for creating custom reports.
Active Directory Integration: Simplifies authentication and policy enforcement by integrating with Active Directory. For example, Forefront TMG 2010 simplifies HTTPS inspection by distributing its certificate via Active Directory. It also leverages the Windows Update infrastructure to enable quick distribution of new protections to all Forefront TMG 2010 servers.
Real Production Environment Case Study: MICROSOFT
600,000 devices
121,000 users
98 countries
441 buildings
100,000+ Windows Vista clients
75,000 Office 2007 clients
500 Windows Longhorn Servers
46,000,000+ remote connections per month
189,000+ SharePoint sites
8 data centers
15,000+ production servers
E-mails per day: 3,000,000 internal, 10,000,000 incoming, 9,000,000 outgoing
33,000,000 IMs per month
120,000+ e-mail accounts
CAPACITY PLANNING TOOL
CAPACITY PLANNING REPORT
Best Practice for your Firewall Setting and Configuration
CONFIGURE NETWORK INSPECTION SYSTEM (NIS): Keep the NIS signature set updated. The Microsoft Malware Protection Center (http://go.microsoft.com/fwlink/?LinkId=160624) periodically updates the known-vulnerability database to help detect and block malicious traffic. Although NIS is enabled by default, it must still be configured after the installation of TMG through the Getting Started Wizard. You can exclude network entities from Network Inspection System (NIS) scans. A typical entity that you might want to exclude is a detection IP address, which is an isolated, unprotected IP address used by a firewall administrator to learn about various network attacks in a lab.
CONFIGURE PROTECTION FROM NETWORK ATTACKS: Forefront TMG provides protection from attacks on your networks with attack detection features such as intrusion detection, flood mitigation and spoof detection.
CONFIGURE THE DNS ATTACKS FILTER: The DNS filter intercepts and analyzes all DNS traffic destined for published DNS servers (that is, DNS servers that are made accessible through publishing rules). You can specify the types of suspicious activity that you want the DNS filter to check for.
TUNE SETTINGS FOR FLOOD MITIGATION: Flood attacks are attempts by malicious users to attack a network by an HTTP denial-of-service attack, a SYN attack, worm propagation, or any other means that could deplete the victim's resources or disable its services. While the default flood mitigation settings help ensure that Forefront TMG can continue to function under a flood attack, there are some actions you can take during an attack that can further mitigate its effect, such as lowering the per-IP limits and adding known-good hosts (for example a downstream proxy or NAT device that legitimately opens many connections) to the exception list with their own higher limits.
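The flood mitigation mechanism described above is easiest to understand as a per-source-IP limiter with a default limit and an exception list. The following is an added example written for this page, not Forefront TMG's own code: it models two of the TMG flood mitigation counters (TCP connect requests per minute per IP, and concurrent TCP connections per IP) with a sliding window, and runs constructed traffic through it (a half-open SYN flood, a connect/close churn, a normal client and an excepted proxy). The default values 600 and 160 match the TMG defaults for those two counters; the exception-list limits and all IP addresses are assumptions for the demo.

```python
"""Sliding-window flood mitigation model (added example, not TMG code)."""
from collections import defaultdict, deque

DEFAULT_CONNECT_PER_MINUTE = 600   # TMG default: TCP connect requests per minute, per IP
DEFAULT_CONCURRENT = 160           # TMG default: concurrent TCP connections, per IP


class FloodMitigator:
    def __init__(self, per_minute=DEFAULT_CONNECT_PER_MINUTE,
                 concurrent=DEFAULT_CONCURRENT, exceptions=None):
        self.per_minute = per_minute
        self.concurrent = concurrent
        # exceptions: {ip: (per_minute, concurrent)} for hosts that legitimately
        # open many connections (e.g. a downstream proxy). Assumed values in the demo.
        self.exceptions = exceptions or {}
        self.connects = defaultdict(deque)   # ip -> timestamps of allowed connects in last 60 s
        self.open = defaultdict(int)         # ip -> currently open connections
        self.blocked = []                    # (ts, ip, reason) for each dropped attempt

    def limits_for(self, ip):
        return self.exceptions.get(ip, (self.per_minute, self.concurrent))

    def on_connect(self, ip, ts):
        """Return True if the connect is allowed, False if it trips a flood limit."""
        per_minute, concurrent = self.limits_for(ip)
        window = self.connects[ip]
        while window and ts - window[0] >= 60:   # drop attempts older than one minute
            window.popleft()
        if len(window) >= per_minute:
            self.blocked.append((ts, ip, "connect-rate"))
            return False
        if self.open[ip] >= concurrent:
            self.blocked.append((ts, ip, "concurrent"))
            return False
        window.append(ts)
        self.open[ip] += 1
        return True

    def on_close(self, ip):
        if self.open[ip] > 0:
            self.open[ip] -= 1


def simulate():
    """Run constructed traffic through the limiter; returns (allowed counts, blocked log)."""
    # Assumed exception: an internal proxy that may open up to 5000/min and 1000 concurrent.
    fm = FloodMitigator(exceptions={"198.51.100.20": (5000, 1000)})
    allowed = defaultdict(int)

    # 1) Half-open SYN flood: 700 connects in 7 s, nothing ever closed.
    for i in range(700):
        if fm.on_connect("203.0.113.5", i * 0.01):
            allowed["203.0.113.5"] += 1

    # 2) Connect/close churn from a second attacker: 700 short connections in 7 s.
    for i in range(700):
        if fm.on_connect("203.0.113.9", 10 + i * 0.01):
            allowed["203.0.113.9"] += 1
            fm.on_close("203.0.113.9")

    # 3) A normal client: 50 connections over 50 s, each closed.
    for i in range(50):
        if fm.on_connect("198.51.100.7", 20 + i):
            allowed["198.51.100.7"] += 1
            fm.on_close("198.51.100.7")

    # 4) The excepted proxy: 700 short connections in the same minute.
    for i in range(700):
        if fm.on_connect("198.51.100.20", 30 + i * 0.01):
            allowed["198.51.100.20"] += 1
            fm.on_close("198.51.100.20")

    return dict(allowed), fm.blocked


if __name__ == "__main__":
    counts, blocked = simulate()
    print("allowed per IP:", counts)
    print("blocked attempts:", len(blocked))
```

The half-open flood is stopped by the concurrent-connection limit (160 allowed, the rest dropped), while the connect/close churn slips past that limit and is caught by the per-minute counter instead (600 allowed, 100 dropped); the normal client and the excepted proxy are never throttled. The same two counters, and the same exception list, are what you tune in the TMG flood mitigation settings during an attack.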
PROTECTION FROM WEB-BASED THREATS
You must protect your school from malware and other web-based threats by:
CONFIGURING MALWARE INSPECTION: Inspection of user-requested web pages and files for harmful content.
CONFIGURING HTTPS INSPECTION: Inspection of outbound HTTPS traffic, in order to protect your school from the security risks inherent in Secure Sockets Layer (SSL) tunnels, which otherwise carry content past malware inspection and URL filtering uninspected.
CONFIGURING HTTP FILTERING: The application-layer HTTP filter allows only HTTP traffic that complies with your corporate policy and security needs. HTTP methods (also known as HTTP verbs) are instructions sent in a request message that tell an HTTP server which action to perform on the specified resource. An example of blocking by method would be to block POST, so that internal clients cannot post data to an external web page. This is useful in a secure network scenario where you want to prevent sensitive information from being posted to a web site. It can also be useful in web publishing, to prevent malicious users from posting malicious material to your school web site. Note that method policy is set per rule, and that blocking POST only stops the request body: data can still leave in a GET query string, and HTTPS requests are only subject to the filter when HTTPS inspection is enabled.
VIDEO DEMO (Level 200)
In the following video, Yuri Diogenes (Yuri works for Microsoft as Senior Technical Writer in the Windows Security Team) demonstrates an attempt to exploit an SMB vulnerability on a Windows system, and how Forefront TMG can block it using the Network Inspection System (NIS).
USEFUL LINKS
Microsoft Server and Cloud Platform: http://www.microsoft.com/en-us/server-cloud/forefront/default.aspx
Forefront Threat Management Gateway (TMG): http://www.microsoft.com/en-us/server-cloud/forefront/threat-management-gateway.aspx
Forefront TMG (ISA Server) Product Team Blog: http://technet.microsoft.com/en-us/evalcenter/ee423778.aspx
Forefront TechCenter: http://technet.microsoft.com/en-us/forefront/ee175814.aspx
Download Microsoft Forefront TMG 2010: http://technet.microsoft.com/en-us/evalcenter/ee423778.aspx