Technical Overview of Security. Fred Baumhardt, Lead Security Technology Architect, Microsoft EMEA. Presentation transcript:

1 Technical Overview of Security. Fred Baumhardt, Lead Security Technology Architect, Microsoft EMEA. fred@microsoft.com or MSN fredbaum@hotmail.com

2 Plan of Action. This session is about questions, not answers. Understand the security problem. Understand the roots of security and IP. Look at modern security technologies: perimeter based (what is a perimeter anyway?), network based, host based and domain based, and people... the final frontier (and the dumbest too).

3 The Datacenter Security Problem. Diagram labels: Some Core Systems, Internet Systems, Departments, Extranets, Branch Offices, Project 1…n System. Systems are organically grown under a "Project" context. There is no clear best practice from vendors. Security is often bolted on as an afterthought. Fear of change and time to market get in the way. Branches have poor bandwidth and are under-managed. The worm is always smaller than the patch.

4 The External User Problem. Grandmothers aren't good at patching, and neither are vendors... yet. People at large suffer from it-can't-happen-to-me-itis. ADSL, cable and other always-on technologies make non-secure users the majority; most Internet IPs are not policed or managed. External drones (compromised home machines under someone else's control) can bring down your network in seconds by DDoS, co-ordinated attacks, or by acting as relay points.

5 Internal User Problems (abridged). VPN and remote access put our "trusted" people onto the untrusted Internet. Users treat corporate assets as personal property. Infections come inside our perimeter from mixing internal and external user roles, e.g. home use of a corporate laptop to browse funbags.com. When inside, our users don't follow (or know) our security policy, if we have one. Users-versus-IT-department mentality, and vice versa.

6 And Just When You Thought It Couldn't Get Worse.... The network lets you down. Modern networks are generally large TCP/IP spaces segmented from the Internet by only one or two sets of firewalls (the DMZ; more on this little gem later). IT usually does little internal network protection, focusing on external firewalls and DMZ scenarios for security. Attackers switch their attacks to the application level, which network equipment can't understand.

7 The Security Strategy Toolbox (defence in depth, outermost layer first). Policies, procedures and awareness; physical security. Perimeter defences: packet filtering with stateful inspection of packets, intrusion detection, application-layer filtering (ALF), IDS/IPS, pre-authentication. Network defences: VLAN access control lists, internal firewalls, auditing, intrusion detection. Host defences: server hardening, host intrusion detection, IPSec filtering, auditing, AD. Application defences: AV, content scanning, layer 7 (URL) switching, secure apps like IIS and Exchange, authentication. Data and resources: ACLs, EFS, AV, AD, application coding.

8 Purpose and Limitations of Perimeter Defences. Properly configured firewalls and border routers are the cornerstone of perimeter security, and possibly of internal security too. The Internet and mobility increase security risks. VPNs have "softened" the perimeter and, along with wireless networking, have essentially caused the disappearance of the traditional concept of a network perimeter. Traditional packet-filtering firewalls block only on network ports and computer addresses, yet most modern attacks occur at the application layer.

9 The DMZ.... A Favourite Myth. In military terms it is where you put your unwanted soldiers (they will die quickly): an area where neither side will place heavy weapons (except the attacking side, breaking the DMZ rules). Diagram: Internal Network, DMZ, Internet.

10 Traditional IT DMZs. A rear firewall (or rear ruleset) is placed to protect the internal network from the DMZ in case the front firewall is breached. Semi-trusted machines, like proxies, SMTP relays and web servers, are placed in the DMZ. Semi-trusted is like semi-pregnant. Rear firewalls look like Swiss cheese: at the application level all the traffic that is needed is allowed through, like database ports and domain controller ports, and the devices doing the filtering aren't application aware, so an attacker who owns a DMZ host gets those same ports.

11 Firewall Perimeter Technology. Packet inspection devices that take traffic on one side and allow or block it based on rules you define. Limited by what they inspect: source, destination, port, sequence, TTL; newer devices can inspect at the data and application layer. Encryption can invalidate these defences.

12 Other Perimeter Technologies. Intrusion detection/prevention (more later). Anti-virus and anti-spam gateways: content filters and inspection devices for inbound or outbound traffic; ISA Server 2004 is custom built for this scenario. VPN solutions for extending corporate resources: multi-factor, smart cards, SecurID etc.; VPN quarantine parks a user whilst their state and patch level is checked. Private perimeter domains/forests to power Windows security policy.

13 VPN Security Warning. Every time you connect into a network you extend the security perimeter. Harden your clients on the Internet, or hackers will attack the clients and ride the VPN; tokens won't help, as the VPN will already be established. Client-based IDS systems and firewalls can help. Most organisations infected recently by worms were infected by laptops or mobile assets VPNing back into the network, or coming back in after an external infection. VPN quarantine, such as in Windows Server 2003, is critical.

14 Alternatives to VPN. Mail is around 80% of the reason for VPN usage: RPC over HTTP for Outlook 2003 against Exchange 2003; remote mail access formats (OWA); IMAP/POP3 are not fully featured, avoid if possible. SSL for extranet-enabled applications. RPC filtering with ISA Server.

15 Network Defences. Conventional networks don't usually segment or use concepts such as VLANing (virtual LANs). Modern networks are one big open space under the waterline. Once infections come in, the faster the network, the faster they spread.

16 Segmentation.... A previously naughty word. Diagram of a segmented network: Internet; redundant routers; redundant firewalls; Perimeter; redundant internal firewalls; Internal. VLAN labels: DNS & SMTP; Client and Site VPN; Infrastructure Network (Internal Active Directory); Messaging Network (Exchange FE); Messaging Network (Exchange BE); Management Network (MOM, deployment); Client Networks 1…n; RADIUS Network; Intranet Network (Web Servers); Proxy; Data Network (SQL Server Clusters); Remote data center; NIC teams across 2 switches; IDS/IPS.

17 Which Leads Us to Encryption.... Use of cryptography to encrypt the payload of a transmission can be at the data level (like Kerberos keys, application specific) or the transport level (SSL, IPSEC etc.). Many different symmetric and asymmetric algorithms; their strength determines the effect. Encryption invalidates most IDS, firewall inspection, logging, caching etc. E.g. an SSL tunnel from client to web server invalidates the front firewall (all it sees is an encrypted tunnel) and the front IDS (all it sees is an encrypted tunnel). Encryption everywhere is not necessarily the answer.

18 So Then We Have Intrusion Detection, That Will Stop 'Em.... Detects the pattern of common attacks, records suspicious traffic in event logs and/or alerts administrators, and can collate patterns from nodes. Threats and vulnerabilities are constantly evolving, which leaves systems vulnerable until a new attack is known and a new signature is created and distributed... hey, this is a good commercial model. Encryption makes network-based ones useless (mostly). Client-side ones have to be managed and their policy distributed. Heuristic systems are not very common (yet).
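The two limits stated on slides 17 and 18, that a signature engine only fires on patterns it already knows and that an encrypted tunnel hides the payload from it, can be seen with a small Python inspector. This is an added example, not code from the presentation or from any Microsoft product; the three signatures, the HTTP requests and the session key are constructed for the demonstration, and the SHA-256 counter-mode keystream is only a stand-in for a real SSL/IPsec tunnel, not a TLS or ESP record format.

```python
import hashlib

# Constructed signature set in the "content match" spirit of network IDS
# rules (assumption: a real engine has its own rule syntax and normalisation).
SIGNATURES = {
    "sql-injection-tautology": b"' or '1'='1",
    "directory-traversal": b"../../",
    "cmd-exec-probe": b"/cmd.exe",
}


def inspect(payload: bytes) -> list:
    """Return the names of every signature found in the payload.

    Matching is case-insensitive on the raw bytes; nothing here decodes
    URL escapes, so an encoded variant of a known pattern slips past.
    """
    lowered = payload.lower()
    return [name for name, pattern in SIGNATURES.items() if pattern in lowered]


def run_ids(packets) -> dict:
    """Apply every signature to every packet: {packet index: [alert names]}."""
    return {i: inspect(p) for i, p in enumerate(packets)}


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for a transport tunnel (SSL/IPsec): XOR with a SHA-256
    counter-mode keystream. Assumption: a toy to show what the IDS sees,
    not a real TLS/ESP encoding; calling it again with the same key decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# Constructed HTTP requests as they would cross a front firewall/IDS.
TRAFFIC = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    b"GET /login.asp?user=admin' OR '1'='1 HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    # Traversal with URL-encoded slashes plus a cmd.exe probe: only the
    # second half is in the signature set, so only one alert fires.
    b"GET /scripts/..%2f..%2f/winnt/system32/cmd.exe?/c+dir HTTP/1.1\r\n\r\n",
]

SESSION_KEY = b"constructed-session-key"  # assumption: negotiated in a handshake


if __name__ == "__main__":
    in_clear = run_ids(TRAFFIC)
    in_tunnel = run_ids([keystream_xor(SESSION_KEY, p) for p in TRAFFIC])
    for i in range(len(TRAFFIC)):
        print(f"packet {i}: clear={in_clear[i]} tunnelled={in_tunnel[i]}")
```

Packet 2 shows the signature-latency problem from the slide: the encoded traversal is a "new" attack to this rule set even though the technique is old. Once the same three requests are run through the keystream, none of the signatures fire, which is exactly what a front IDS sees of an SSL session.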

19 Other Network-Based Devices. Network-based IDS/IPS/AV and internal firewalls need to be placed where they can see traffic and where they can act upon it. Switches can apply firewall-like rules about what can go where, when and how. Your routing tables can act as segmentation devices; so can IPSEC...

20 What is IP Security (IPSec)? Overview of IPSec: a method to secure IP traffic at the IP (network) layer, below the transport protocols; a method to mutually authenticate end points; a framework of open standards developed by the Internet Engineering Task Force (IETF). Uses of IPSec: to ensure encrypted and authenticated communications at the IP layer; to provide transport security that is independent of applications or application-layer protocols; protects against spoofing, tampering on the wire and information disclosure; a cheap firewall for Windows 2000 (IPSec filtering); provides a mechanism for tunnelling, probably as bad as good.
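To make the guarantees listed above concrete (authenticated end points, no tampering on the wire, no replay), here is an added Python model of the integrity and anti-replay side of one IPsec security association. It is not the Windows IPsec implementation and not from the presentation, and it carries no encryption (ESP confidentiality is left out); the SPI, the 32-packet window, the shared key and the packets are constructed for the example. The ICV is HMAC-SHA-256 truncated to 128 bits, as RFC 4868 specifies, and the sliding window follows the RFC 4303 scheme.

```python
import hashlib
import hmac
import struct

SPI = 0x00001000     # assumption: SA identifier agreed via IKE in real IPsec
ICV_LEN = 16         # HMAC-SHA-256-128 (RFC 4868): 256-bit MAC truncated to 128 bits
WINDOW = 32          # anti-replay window size (RFC 4303 minimum)
HEADER = struct.Struct("!II")  # SPI, sequence number


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: header || payload || ICV, the ICV covering header and payload."""
    header = HEADER.pack(SPI, seq)
    icv = hmac.new(key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    return header + payload + icv


class Receiver:
    """Receiver side of one security association: verify, then anti-replay."""

    def __init__(self, key: bytes):
        self.key = key
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit k set => seq (highest - k) already accepted

    def accept(self, packet: bytes) -> bytes:
        """Return the payload, or raise ValueError for forged, tampered, replayed or stale packets."""
        if len(packet) < HEADER.size + ICV_LEN:
            raise ValueError("truncated packet")
        header = packet[:HEADER.size]
        payload = packet[HEADER.size:-ICV_LEN]
        icv = packet[-ICV_LEN:]
        spi, seq = HEADER.unpack(header)
        if spi != SPI:
            raise ValueError("unknown SPI")
        if seq == 0:
            raise ValueError("sequence number 0 is never valid")
        # Stale or already-seen numbers are rejected before the MAC (cheap under
        # a replay flood), but the window only moves after the MAC verifies, so
        # a forger cannot push legitimate packets out of the window.
        offset = self.highest - seq
        if offset >= WINDOW:
            raise ValueError("sequence number too old for window")
        if offset >= 0 and (self.bitmap >> offset) & 1:
            raise ValueError("replayed packet")
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            raise ValueError("integrity check failed (tampered or spoofed)")
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= WINDOW:
                self.bitmap = 1          # everything seen so far falls out of the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << offset   # in-window packet seen for the first time
        return payload


def demo() -> list:
    """Feed a constructed packet sequence through one receiver; return (label, verdict, detail)."""
    key = b"constructed-shared-key"     # assumption: derived by IKE in real IPsec
    tampered = bytearray(protect(key, 2, b"pay 10"))
    tampered[HEADER.size + 4] ^= 0x01   # payload '1' becomes '0' after the ICV was computed
    sequence = [
        ("seq 1", protect(key, 1, b"hello")),
        ("seq 1 again (replay)", protect(key, 1, b"hello")),
        ("seq 5 early", protect(key, 5, b"fifth")),
        ("seq 3 late, inside window", protect(key, 3, b"third")),
        ("seq 2 tampered", bytes(tampered)),
        ("seq 4 spoofed, wrong key", protect(b"attacker-key", 4, b"evil")),
        ("seq 100 jump", protect(key, 100, b"jump")),
        ("seq 3 again, now outside window", protect(key, 3, b"third")),
    ]
    rx = Receiver(key)
    out = []
    for label, pkt in sequence:
        try:
            out.append((label, "accepted", rx.accept(pkt)))
        except ValueError as err:
            out.append((label, "rejected", str(err)))
    return out


if __name__ == "__main__":
    for label, verdict, detail in demo():
        print(f"{label:<34} {verdict:<9} {detail}")
```

The ordering inside accept is the part worth copying: the window check is cheap and runs first, the MAC runs second, and state only changes once the MAC has passed, otherwise an attacker with no key could still deny service by advancing the window with junk.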

21 Host-Based O/S Defences. Much conventional technology is focused on this area: host hardening. Hardened machines have components removed, configuration enforced and software execution controlled, and are domain aware. Authentication schemes like Kerberos ensure end points are who they say they are; Kerberos is one part of AD, not all of it. It is important to mutually authenticate, not just client to server. IPSEC can do end-point authentication at the IP network level.

22 Patch Management: Beware the Myths Around This.... Patch management is important, but not the be-all and end-all of security: do it right and there's no bonus; do it wrong and it's your job. The goal is to eliminate a discovered code vulnerability. If the human body did patch management like IT, we would all be dead... There have to be other defences in place to buy time whilst you fix the vulnerability. Zero-day exploits will be faster than any possible patch solution for many years to come. Many solutions are coming from vendors and third parties, but they won't fundamentally change this... yet.

23 Host-Based Firewalls. Goal: machines treat other network peers as hostile (untrusted). Block connections from outside sources unless they have been initiated locally first. Prevent "drones" on the Internet and on corporate networks compromised by worms (of any vendor's making). XP and WS2003 have one built into the OS; other OSes rely on third-party providers. Windows Firewall (WF) is on by default in almost all configurations. Effectiveness depends on when it boots and what ports are left open: WF has boot-time protection and runs in kernel mode; WF has multiple profile support. Egress (outbound) filtering is still a major feature differentiator.
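Slide 11's point that a packet filter only sees addresses, ports and flags, and this slide's rule that inbound connections are blocked unless initiated locally, both show up in the following added Python model of a stateful filter in front of one host. It is not Windows Firewall code and not from the presentation; the addresses (from the documentation ranges), the single published port and the packet sequence are constructed. A stateless router-style "established" rule is modelled alongside so the difference is visible.

```python
from collections import namedtuple

# Constructed packet: only the header fields a packet filter can see, plus the
# payload it does not look at. flags: "S" = SYN, "SA" = SYN/ACK, "A" = ACK.
Packet = namedtuple("Packet", "src dst sport dport flags payload")


class StatefulHostFilter:
    """Host firewall model: peers are hostile; only replies to connections the
    host opened, or new connections to an explicitly published port, get in."""

    def __init__(self, host: str, published_ports=()):
        self.host = host
        self.published = set(published_ports)
        self.conns = set()   # (client_ip, client_port, server_ip, server_port)

    def decide(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.conns or rev in self.conns:
            return "ALLOW"                      # part of a tracked connection
        if pkt.flags != "S":
            return "DROP"                       # mid-stream packet with no state: unsolicited
        if pkt.src == self.host:
            self.conns.add(fwd)                 # locally initiated: remember it
            return "ALLOW"
        if pkt.dst == self.host and pkt.dport in self.published:
            self.conns.add(fwd)                 # inbound to a published service
            return "ALLOW"
        return "DROP"


def stateless_decide(pkt: Packet, host: str, published_ports) -> str:
    """Classic per-packet ACL with no memory: an 'established' (ACK bit set)
    match passes anything, the usual way to let return traffic through."""
    if pkt.src == host:
        return "ALLOW"
    if "A" in pkt.flags:
        return "ALLOW"
    return "ALLOW" if pkt.dport in published_ports else "DROP"


HOST = "10.0.0.5"          # constructed: a web server with only port 80 published
PUBLISHED = {80}

TRAFFIC = [
    Packet("198.51.100.7", HOST, 40000, 80, "S", b""),
    Packet("198.51.100.7", HOST, 40000, 80, "A",
           b"GET /login.asp?user=admin' OR '1'='1 HTTP/1.1\r\n\r\n"),  # attack rides port 80
    Packet("198.51.100.7", HOST, 40001, 1433, "S", b""),           # SQL port probe
    Packet(HOST, "203.0.113.9", 50000, 443, "S", b""),             # host opens outbound
    Packet("203.0.113.9", HOST, 443, 50000, "SA", b""),            # legitimate reply
    Packet("198.51.100.7", HOST, 4444, 50001, "A", b""),           # unsolicited ACK probe
]


def run(filter_: StatefulHostFilter, packets) -> list:
    return [filter_.decide(p) for p in packets]


def run_stateless(packets) -> list:
    return [stateless_decide(p, HOST, PUBLISHED) for p in packets]


if __name__ == "__main__":
    stateful = run(StatefulHostFilter(HOST, PUBLISHED), TRAFFIC)
    stateless = run_stateless(TRAFFIC)
    for p, a, b in zip(TRAFFIC, stateful, stateless):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} {p.flags:<2} stateful={a:<5} stateless={b}")
```

Two things to notice: the ACK-only probe to port 50001 is allowed by the stateless rule and dropped by the stateful one, because only the latter knows the host never opened that connection; and the injection request on port 80 is allowed by both, because neither looks past the header, which is the whole reason the application layer needs its own defences.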

24 Host-Based Security Technologies. Anti-virus: looks for signatures of pathogens, usually in files or via email-linked clients; real-time scanning for known issues; dependent on continual refresh of signatures. Host-based IDS: looks for patterns at the network packet or file level; frequently bundles a host firewall as well; sends information to a central point for gathering; some can look for behaviour deltas.

25 Host Domain Security Design. Diagram: a Domain containing OUs (Department OU, Secured XP Users OU, Windows XP OU, Desktop OU, Laptop OU) with policies linked at each level (Domain Policy, Secured XP Users Policy, Desktop Policy, Laptop Policy). AD is amongst the best security tools: frequent re-application of host security policy; hierarchical application; NTFS and registry permissions, security settings, groups and services can all be controlled (a thousand-plus settings); further settings can be applied in custom templates.

26 Host-Based Challenges. Unless technologies are behavioural or heuristic they are linked to signatures of attack patterns, which means latency in policy deployment. AD Group Policy refreshes every 90 minutes plus a random offset of up to 30 minutes, and it doesn't re-apply everything if the host changed, only if the policy on the server changed. Deploying policy and its response time can be an issue; Slammer took 9 seconds to bring down a network. Behavioural heuristics are coming, which will actively build profiles and stop things outside them.

27 Security Auditing. Understand what is going on, in human terms. Auditing is the most important thing. If someone walks up to the bank and takes out a machine gun, someone will notice. Anyone could break into anywhere if given enough explosives, people and attitude; what stops them is that someone notices and counteracts them (police, army, SWAT, etc.). Ultimately, security is about having enough defences in place to stop someone from doing something until you notice them doing it and stop them. If you don't notice them doing it, then all your efforts will eventually fail.
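Auditing only pays off if something reads the trail, so here is an added Python example (not from the presentation) of the simplest useful rule: count failed logons per source over a short window and raise an alert when a threshold is crossed, then flag a success from the same source as a likely guessed password. The log lines are a constructed, simplified export (timestamp, event ID, account, source), not real Windows event-log output; event ID 529 is the Windows 2000/2003 "logon failure: unknown user name or bad password" event and 528 the successful logon, while the threshold and window size are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified security-log export: "timestamp,event_id,account,source".
# 529 = logon failure (unknown user name or bad password) on Windows 2000/2003;
# 528 = successful logon. Real exports carry many more fields and are not in order.
LOG = """\
2003-11-04 09:00:01,528,alice,10.0.1.20
2003-11-04 09:00:05,529,administrator,198.51.100.7
2003-11-04 09:00:06,529,administrator,198.51.100.7
2003-11-04 09:00:07,529,admin,198.51.100.7
2003-11-04 09:00:08,529,root,198.51.100.7
2003-11-04 09:00:09,529,sa,198.51.100.7
2003-11-04 09:00:40,529,bob,10.0.1.21
2003-11-04 09:05:00,529,bob,10.0.1.21
2003-11-04 09:00:10,528,administrator,198.51.100.7
"""

FAILED_LOGON = 529
SUCCESS_LOGON = 528
THRESHOLD = 5                    # assumption: this many failures from one source ...
WINDOW = timedelta(seconds=60)   # ... inside this span is worth a human look


def parse(text: str) -> list:
    """Turn the export into (time, event_id, account, source) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, account, source = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), account, source))
    return sorted(events)


def detect_bruteforce(events) -> list:
    """Sliding window per source: alert once when THRESHOLD failures land inside
    WINDOW, and again if a success from a flagged source follows (the burst
    paid off). Returns human-readable alert strings."""
    alerts = []
    recent = defaultdict(deque)          # source -> times of recent failures
    flagged = set()
    for when, eid, account, source in events:
        window = recent[source]
        while window and when - window[0] > WINDOW:
            window.popleft()             # expire failures older than the window
        if eid == FAILED_LOGON:
            window.append(when)
            if len(window) >= THRESHOLD and source not in flagged:
                flagged.add(source)
                alerts.append(f"{when} {source}: {len(window)} failed logons within {WINDOW.seconds}s")
        elif eid == SUCCESS_LOGON and source in flagged:
            alerts.append(f"{when} {source}: successful logon as {account} after failure burst")
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse(LOG)):
        print(alert)
```

Bob's two typos five minutes apart never reach the threshold, which is the point of the window: the rule is meant to surface the machine-gun case from the slide, not to page someone for every mistyped password.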

28 And Finally.... We Have the Application. The application is what the IT asset exists to do; securing it is critical. It depends on guidance from vendors, on architecture, and on the required privileges and design. Secure by Design, Secure by Default, and Secure in Deployment is the Microsoft guidance; other vendors have theirs. Too many application details to mention.

29 Common Database Server Threats and Countermeasures. Diagram: Browser > Perimeter Firewall > Web App > Internal Firewall > SQL Server. Threats: unauthorized external access, SQL injection, password cracking, network eavesdropping. Network vulnerabilities: failure to block SQL ports. Configuration vulnerabilities: overprivileged service account, weak permissions, no certificate. Web app vulnerabilities: overprivileged accounts, weak input validation.
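The SQL injection and weak-input-validation items above, as an added Python example that is not from the presentation: the same login query built by string concatenation and with bound parameters, run against a constructed two-row users table. SQLite stands in for SQL Server, the attacker inputs are constructed, and the unsalted SHA-256 password hash is a simplification to keep the example short.

```python
import hashlib
import sqlite3


def pwhash(password: str) -> str:
    # Simplification for the example: real systems use a salted, slow hash.
    return hashlib.sha256(password.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for the SQL Server back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, pwhash TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", pwhash("correct horse")), ("bob", pwhash("hunter2"))])
    conn.commit()
    return conn


def login_vulnerable(conn, user: str, password: str) -> list:
    """The web-app bug: user input is spliced into the SQL text, so quote
    characters in the input become part of the query the server runs."""
    sql = (f"SELECT name FROM users WHERE name = '{user}' "
           f"AND pwhash = '{pwhash(password)}'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, user: str, password: str) -> list:
    """Bound parameters: the input is data, never SQL, whatever it contains."""
    sql = "SELECT name FROM users WHERE name = ? AND pwhash = ?"
    return [row[0] for row in conn.execute(sql, (user, pwhash(password)))]


# Constructed attacker inputs.
TAUTOLOGY = "admin' OR '1'='1' --"                   # comments out the password check
UNION_LEAK = "x' UNION SELECT pwhash FROM users --"  # reads the hash column instead


if __name__ == "__main__":
    db = build_db()
    print("legit, vulnerable:     ", login_vulnerable(db, "alice", "correct horse"))
    print("tautology, vulnerable: ", login_vulnerable(db, TAUTOLOGY, "anything"))
    print("union leak, vulnerable:", login_vulnerable(db, UNION_LEAK, "anything"))
    print("tautology, safe:       ", login_safe(db, TAUTOLOGY, "anything"))
    print("legit, safe:           ", login_safe(db, "alice", "correct horse"))
```

The tautology logs the attacker in as every user without a password; the UNION variant turns the login form into a read of the password hashes, which is where the "overprivileged accounts" item on the slide bites, since a web-app account that can only read its own view would have less to hand over. Bound parameters fix both without any input validation at all, which is why they come first and validation second.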

30 Exchange Architecture.

31 Closing Out Our Tour. Security is about natively stopping them doing bad/dumb things for just long enough for you to notice and take corrective action, whilst allowing everything else to work. You have to know how your system works. You have to assume they know how it works (obscurity is no defence). Any questions.....

32 © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
