Technical Overview of Security
Fred Baumhardt, Lead Security Technology Architect, Microsoft EMEA


Plan of Action
- This session is about questions, not answers
- Understand the security problem
- Understand the roots of security and IP
- Look at modern security technologies:
  - Perimeter based: what is a perimeter anyway?
  - Network based
  - Host based and domain based
- People... the final frontier (and the dumbest too)

The Datacenter Security Problem
[Diagram: core systems, Internet systems, departments, extranets, branch offices and "Project 1…n" systems]
- Systems organically grown under "Project" context
- No clear best practice from vendors
- Security often bolted on as an afterthought
- Fear of change: time to market
- Branch has poor bandwidth and is under-managed
- Worm always smaller than patch

The External User Problem
- Grandmothers aren't good at patching, and neither are vendors... yet
- People at large suffer from itcanthappentome-itis
- ADSL, cable and other technologies make non-secure users the majority; most Internet IPs are not policed or managed
- External drones can bring down your network in seconds by DDoS, co-ordinated attacks, relay points

Internal User Problems (abridged)
- VPN and remote access put our "trusted" people into the untrusted Internet
- Users treat corporate assets as personal property
- Infections come into our perimeter from mixing internal/external user roles, e.g. home use of a laptop to browse funbags.com
- When inside, our users don't follow or know our security policy (if we have one)
- Users-versus-IT-department mentality (and vice versa)

And Just When You Thought It Couldn't Get Worse... The Network Lets You Down
- Modern nets are generally large TCP/IP spaces segmented by one or two sets of firewalls to the Internet (the DMZ; more on this little gem later)
- IT usually does little internal network protection, focusing on external firewalls and DMZ scenarios for security
- Attackers switch attacks to the application level, which network equipment can't understand

The Security Strategy Toolbox
[Defence-in-depth layers: Policies, Procedures & Awareness; Physical Security; Perimeter; Internal Network; Host; Application; Data]
- Data and resources: ACLs, EFS, AV, AD, application coding
- Application defences: AV, content scanning, Layer 7 (URL) switching, secure apps like IIS and Exchange, authentication
- Host defences: server hardening, host intrusion detection, IPSec filtering, auditing, AD
- Network defences: VLAN access control lists, internal firewall, auditing, intrusion detection
- Perimeter defences: packet filtering with stateful inspection of packets, intrusion detection, ALF, IDS/IPS, pre-authentication

Purpose and Limitations of Perimeter Defences
- Properly configured firewalls and border routers are the cornerstone of perimeter security, and possibly internally too
- The Internet and mobility increase security risks
- VPNs have "softened" the perimeter and, along with wireless networking, have essentially caused the disappearance of the traditional concept of the network perimeter
- Traditional packet-filtering firewalls block only network ports and computer addresses
- Most modern attacks occur at the application layer

The DMZ... A Favourite Myth
- In military terms, it is where you put your unwanted soldiers (they will die quickly)
- An area where neither side will place heavy weapons (except the attacking side breaking the DMZ rules)
[Diagram: Internal Network / DMZ / Internet]

Traditional IT DMZs
- A rear firewall (or rear ruleset) is placed to protect the internal network from the DMZ in case of a breach of the front firewall
- Placement of semi-trusted machines, like proxies, SMTP relays, web servers
- Semi-trusted is like semi-pregnant
- Rear firewalls look like Swiss cheese
- At the application level all traffic that is needed is allowed, like DB ports, DC ports
- Devices that filter aren't application aware

Firewall Perimeter Technology
- Packet inspection devices that take traffic on one side and allow it or block it based on rules you define
- Limited by what they inspect: source, destination, port, sequence, TTL; new devices can inspect at the data and application layer
- Encryption can invalidate these defences

Other Perimeter Technologies
- Intrusion detection/prevention (more later)
- Anti-virus and anti-spam gateways: content filters and inspection devices for inbound or outbound traffic; ISA Server 2004 is custom built for this scenario
- VPN solutions for extending corporate resources: multi-factor, smart cards, SecurID etc.; VPN quarantine parks a user whilst their state and patch level is checked
- Private perimeter domains/forests to power Windows security policy

VPN Security
- Warning: every time you connect into a network you extend the security perimeter
- Harden your clients on the Internet, or hackers will attack clients and ride the VPN; tokens won't help as the VPN will already be established
- Client-based IDS systems and firewalls can help
- Most organisations infected recently by worms were done by laptops or mobile assets VPNing back into the network, or coming back from external infection
- VPN quarantine, such as Windows 2003's, is critical

Alternatives to VPN
- Mail: around 80% of the reason for VPN usage
  - RPC/HTTP for Exchange 2003 / Outlook 2003 mail
  - Remote mail access formats (OWA)
  - IMAP/POP3: not fully featured, avoid if possible
- SSL for extranet-enabled applications
- RPC filtration with ISA Server

Network Defences
- Conventional networks don't usually segment or use concepts such as VLANning (virtual LANs)
- Modern networks are one big open space under the water line
- Once infections come in, the faster the network the faster they spread

Segmentation... A Previously Naughty Word
[Diagram of a segmented network with INTERNET, Perimeter and INTERNAL zones: Internet, redundant routers, redundant firewalls, IDS/IPS, DNS & SMTP, client and site VPN, proxy, RADIUS network, redundant internal FWs, and internal VLANs for the Infrastructure Network (internal Active Directory), Messaging Network (Exchange FE, Exchange BE), Management Network (MOM, deployment), Client Networks 1…n, Intranet Network (web servers), Data Network (SQL Server clusters) and a remote data center; NIC teams across two switches]

Which Leads Us to Encryption...
- Use of cryptography to encrypt the payload of a transmission; can be at:
  - Data level: like Kerberos keys, app specific
  - Transport level: SSL, IPSEC etc.
- Many different symmetric and asymmetric algorithms; their strength determines the effect
- Invalidates most IDS, firewall inspection, logging, caching etc. E.g. an SSL tunnel from client to web server invalidates:
  - Front firewall (all it sees is an encrypted tunnel)
  - Front IDS (all it sees is an encrypted tunnel)
- Encryption everywhere is not necessarily the answer

So Then We Have Intrusion Detection, That Will Stop 'Em...
- Detects the pattern of common attacks, records suspicious traffic in event logs and/or alerts administrators; can collate patterns from nodes
- Threats and vulnerabilities are constantly evolving, which leaves systems vulnerable until a new attack is known and a new signature is created and distributed... hey, this is a good commercial model
- Encryption makes network-based ones useless (mostly)
- Client-side ones have to be managed and their policy distributed
- Heuristic systems are not very common (yet)

Other Network Based Devices
- Network-based IDS/IPS/AV and internal firewalls need to be placed where they can see traffic and where they can act upon it
- Switches can apply firewall-like rules about what can go where, when and how
- Your routing tables can act as segmentation devices, and so can IPSEC...

What is IP Security (IPSec)?
- A method to secure IP traffic at the transport level
- A method to mutually authenticate end points
- Framework of open standards developed by the Internet Engineering Task Force (IETF)
Uses of IPSec
- To ensure encrypted and authenticated communications at the IP layer
- To provide transport security that is independent of applications or application-layer protocols
- Protects against spoofing, tampering on the wire, information disclosure
- Cheap firewall for Windows 2000
- Provides a mechanism for tunneling, probably as bad as good

Host Based O/S Defences
- Much conventional technology is focused on this area: host hardening
- Hardened machines: components removed, configuration enforced, software execution controlled, domain aware
- Authentication schemes like Kerberos ensure end points are who they say they are; Kerberos is one part of AD, not all of it
- Important to mutually authenticate, not just client to server
- IPSEC can do IP network level end point authentication

Patch Management: Beware Myths Around This...
- Patch management is important, but not the be-all and end-all of security: do it right = no bonus; wrong = job
- Goal is to eliminate discovered code vulnerability
- If the human body did patch management like IT, we would all be dead...
- There have to be other defences in place to buy time for yourself whilst you fix the vulnerability
- Zero-day exploits will be faster than any possible patch solution for many years to come
- Many solutions coming from vendors and third parties, but they won't fundamentally change this... yet

Host Based Firewalls
- Goal: machines treat other network peers as hostile, untrusted
- Blocks connections from outside sources unless they have been initiated locally first
- Prevent "drones" on the Internet and corporate networks compromised by worms (of any vendor's making)
- XP and WS2003: built into the OS; other OSes: third-party providers
- WF is on by default in almost all configurations
- Effectiveness depends on when it boots and what ports are left open
- WF: boot-time protection, runs in kernel mode
- WF: multiple profile support
- Egress filtering (outbound) is still a major feature differential
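The two filtering behaviours the deck leans on, rule-based packet inspection (Firewall Perimeter Technology) and "block it unless it was initiated locally first" (Host Based Firewalls), modelled as an added Python example; this is not code from the deck, and the VLAN ranges, ports and rules are constructed to echo the segmentation diagram's Exchange and SQL networks.

```python
import ipaddress
from dataclasses import dataclass
from typing import NamedTuple, Optional

class Packet(NamedTuple):
    src: str      # source IP
    sport: int    # source port
    dst: str      # destination IP
    dport: int    # destination port
    syn: bool     # True when this segment opens a new TCP connection

@dataclass(frozen=True)
class Rule:
    src_net: str           # CIDR such as "10.1.0.0/24"
    dst_net: str
    dport: Optional[int]   # None means any destination port
    allow: bool

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net)
                and (self.dport is None or self.dport == pkt.dport))

class StatefulFilter:
    """First matching rule wins, default deny; replies to flows opened from inside pass."""
    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()   # (client, server, server_port) of connections allowed out

    def decide(self, pkt: Packet) -> str:
        # Return traffic for a flow in the state table: server -> client, from the server port.
        if not pkt.syn and (pkt.dst, pkt.src, pkt.sport) in self.flows:
            return "allow(established)"
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.allow and pkt.syn:
                    self.flows.add((pkt.src, pkt.dst, pkt.dport))
                return "allow(rule)" if rule.allow else "deny(rule)"
        return "deny(default)"

# Constructed policy after the deck's VLAN diagram: clients reach the Exchange front end
# on 443 only, only the messaging VLAN reaches the SQL data network on 1433, and
# nothing else may open a connection into the internal address space.
RULES = [
    Rule("10.1.0.0/24", "10.2.0.0/24", 443, True),   # client VLAN -> Exchange FE (HTTPS)
    Rule("10.2.0.0/24", "10.3.0.0/24", 1433, True),  # messaging VLAN -> SQL cluster
    Rule("0.0.0.0/0", "10.0.0.0/8", None, False),    # everything else inbound is dropped
]

def run_scenario():
    fw = StatefulFilter(RULES)   # six constructed packets; the dict shows each verdict
    return {
        "client_to_mail": fw.decide(Packet("10.1.0.5", 50000, "10.2.0.10", 443, True)),
        "mail_reply": fw.decide(Packet("10.2.0.10", 443, "10.1.0.5", 50000, False)),
        "client_to_sql": fw.decide(Packet("10.1.0.5", 50001, "10.3.0.20", 1433, True)),
        "mail_to_sql": fw.decide(Packet("10.2.0.10", 50002, "10.3.0.20", 1433, True)),
        "internet_to_client": fw.decide(Packet("203.0.113.9", 4444, "10.1.0.5", 445, True)),
        "spoofed_reply": fw.decide(Packet("203.0.113.9", 443, "10.1.0.5", 50000, False)),
    }
```

The last case is the host-firewall point: a reply-shaped packet from an address the client never connected to is dropped because no matching flow exists, while the genuine Exchange reply passes only because the client opened it.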

Host Based Security Technologies
- Anti-virus
  - Looks for signatures of pathogens, usually in files or linked clients
  - Real-time scanning for known issues
  - Dependent on continual refresh of signatures
- Host-based IDS
  - Looks for patterns at network packet or file level; frequently bundles a host firewall as well
  - Sends information to a central point for gathering
  - Some can look for behaviour deltas

Host Domain Security Design
[Diagram: Domain -> Department OU -> Secured XP Users OU and Windows XP OU -> Desktop OU and Laptop OU, with Domain Policy, Secured XP Users Policy, Desktop Policy and Laptop Policy linked at each level]
- AD is amongst the best security tools
- Frequent re-application of host security policy
- Hierarchical application
- NTFS, registry, permissions, security settings, groups, services all can be controlled: a thousand-plus settings
- Further settings can be applied in custom templates

Host Based Challenges
- Unless technologies are behavioural or heuristic they are linked to signatures of attack patterns, which means latency in policy deployment
- AD policy refresh is 90 min ± 30, and it doesn't re-apply everything if the host changed, only if the server-side policy changes
- Deploying policy and its response time can be an issue: Slammer took 9 secs to bring down a network
- Behavioural heuristics are coming, which will actively build profiles and stop things outside them

Security Auditing
- Understand what is going on, in human terms
- Auditing is the most important thing
- If someone walks up to the bank and takes out a machine gun, someone will notice
- Anyone could break into anywhere if given enough explosives, people and attitude
- What stops them is that someone notices and counteracts them: police, army, SWAT, etc.
- Ultimately, security is about having enough defences in place to stop someone from doing something until you notice them doing it and stop them
- If you don't notice them doing it, then all your efforts will eventually fail
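"Noticing" in practice: an added Python example, not from the deck, that runs a failed-logon burst detector over constructed audit lines. The key=value line format, account names, addresses and timestamps are made up for the example; the event ids follow the Windows 2000/2003 security log, where 529 is a failed logon and 528 a successful one.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<event>\d+) User=(?P<user>\S+) "
                     r"Source=(?P<src>\S+) Outcome=(?P<outcome>\w+)$")

# Constructed sample lines in a simplified key=value form. 529 is the Windows 2000/2003
# security-log id for a failed logon (bad password or unknown user) and 528 a successful
# logon; the timestamps, accounts and addresses are made up for the example.
SAMPLE_LOG = """\
2003-09-12T10:00:01 EventID=528 User=jsmith Source=10.1.0.5 Outcome=Success
2003-09-12T10:00:02 EventID=529 User=jsmith Source=10.1.0.7 Outcome=Failure
2003-09-12T10:00:03 EventID=529 User=sa Source=203.0.113.9 Outcome=Failure
2003-09-12T10:00:04 EventID=529 User=sa Source=203.0.113.9 Outcome=Failure
2003-09-12T10:00:05 EventID=529 User=sa Source=203.0.113.9 Outcome=Failure
2003-09-12T10:00:06 EventID=529 User=sa Source=203.0.113.9 Outcome=Failure
2003-09-12T10:00:07 EventID=529 User=sa Source=203.0.113.9 Outcome=Failure
2003-09-12T10:00:09 EventID=528 User=sa Source=203.0.113.9 Outcome=Success
2003-09-12T10:05:00 EventID=528 User=jsmith Source=10.1.0.7 Outcome=Success
"""
FAILED_LOGON, SUCCESS_LOGON = "529", "528"

def parse(log_text):
    """Yield one dict per well-formed line; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev

def detect(log_text, threshold=5, window=timedelta(seconds=30)):
    """Alert when one source racks up `threshold` failed logons inside `window`, and
    again if that source then logs on successfully (the guessing may have worked)."""
    recent = defaultdict(deque)   # source -> timestamps of its recent failures
    suspect = set()               # sources that have already tripped the threshold
    alerts = []
    for ev in parse(log_text):
        if ev["event"] == FAILED_LOGON:
            q = recent[ev["src"]]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ev["src"] not in suspect:
                suspect.add(ev["src"])
                alerts.append(("failed_logon_burst", ev["src"], ev["user"]))
        elif ev["event"] == SUCCESS_LOGON and ev["src"] in suspect:
            alerts.append(("success_after_burst", ev["src"], ev["user"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The single mistyped password from 10.1.0.7 never reaches the threshold, so the detector separates a user's typo from a sustained guessing run and flags the success that follows the run as the event worth a human's attention.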

And Finally... We Have the Application
- The application is what the IT asset exists to do; securing it is critical
- Depends on guidance from vendors, architecture, and required privileges and design
- Secure by Design, Default, and in Deployment is the Microsoft guidance; other vendors have theirs
- Too many application details to mention

Common Database Server Threats and Countermeasures
[Diagram: Browser -> Perimeter Firewall -> Web App -> Internal Firewall -> SQL Server]
- Unauthorized external access
- SQL injection
- Password cracking
- Network eavesdropping
- Network vulnerabilities: failure to block SQL ports
- Configuration vulnerabilities: overprivileged service account, weak permissions, no certificate
- Web app vulnerabilities: overprivileged accounts, weak input validation
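The two web-app items on the slide, SQL injection and weak input validation, shown as the vulnerable logon query beside its hardened form; this is an added Python example, not code from the deck, with sqlite3 standing in for the SQL Server and the users table, accounts and request values all constructed.

```python
import re
import sqlite3

USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")   # allow-list for the login field

def make_db():
    """Constructed in-memory stand-in for the SQL Server behind the deck's web app."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, pwd_hash TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "h1"), ("bob", "h2")])
    return con

def login_vulnerable(con, name, pwd_hash):
    # Weak input validation: request values are spliced into the statement text, so a
    # quote in either field changes what the database is asked.
    sql = f"SELECT name FROM users WHERE name = '{name}' AND pwd_hash = '{pwd_hash}'"
    return [row[0] for row in con.execute(sql)]

def login_hardened(con, name, pwd_hash):
    # Two layers: reject a username outside the allow-list, then bind both values as
    # parameters so the database treats them as data and never as SQL syntax.
    if not USERNAME_RE.match(name):
        return []
    sql = "SELECT name FROM users WHERE name = ? AND pwd_hash = ?"
    return [row[0] for row in con.execute(sql, (name, pwd_hash))]

def compare():
    """Run the same three requests through both code paths and return the matches."""
    con = make_db()
    requests = {
        "good": ("alice", "h1"),                 # legitimate logon
        "tampered_pwd": ("alice", "' OR '1'='1"),  # tautology smuggled in the password field
        "tampered_name": ("' OR '1'='1", "h1"),    # same trick in the username field
    }
    return {
        f"{path}_{label}": fn(con, *args)
        for path, fn in (("vulnerable", login_vulnerable), ("hardened", login_hardened))
        for label, args in requests.items()
    }
```

Against the vulnerable path the tampered password returns every account and the tampered username still returns one, so the rear firewall's open 1433 port is reached with full database rights; the hardened path returns nothing for either tampered request and is unaffected because it never interpolates.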

Exchange Architecture
[Diagram only; not transcribed]

Closing Out Our Tour
- Security is about natively stopping them doing bad/dumb things for just long enough for you to notice and take corrective action, whilst allowing everything else to work
- You have to know how your system works
- You have to assume they know how it works (obscurity is no defence)
- Any questions...

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.