
OSP201 Security and complexity are often inversely proportional. Security and usability are often inversely proportional. Security is an investment,

Presentation transcript:

2 OSP201

6
- Security and complexity are often inversely proportional.
- Security and usability are often inversely proportional.
- Security is an investment, not an expense.
- "Good enough" security now is better than "perfect" security... never.
- There is no such thing as "complete security" in a usable system.
- A false sense of security is worse than a true sense of insecurity.
- Your absolute security is only as strong as your weakest link.
- Concentrate on known, probable threats.
- Security is directly related to the education and ethics of your users.
- Security is not a static end state, it is an interactive process.
- There are few forces in the universe stronger than the desire of an individual to get his or her job accomplished.
- You only get to pick two: fast, secure, cheap.
- In the absence of other factors, always use the most secure options available.
- Security ultimately relies - and fails - on the degree to which you are thorough. People don't like to be thorough. It gets in the way of being done.

9
- Defines electrical and physical specifications
- Defines the relationship between a device and its medium (copper, optical, radio, etc.)

13 How data is transferred from node to node across a network.

15
- Wireless Networks
- Sniffers
- ARP flooding

22
- IPsec is a suite of protocols that allows secure, encrypted communication between two computers over an unsecured network.
- IPsec has two goals: to protect IP packets and to defend against network attacks.
- Configuring IPsec on the sending and receiving computers enables the two computers to send secured data to each other.
- IPsec secures network traffic by using encryption and data signing.
- An IPsec policy defines the type of traffic that IPsec examines, how that traffic is secured and encrypted, and how IPsec peers are authenticated.

24 (flowchart, reconstructed as steps)

START
1. Are there policies to process?
   No  -> Reject connection attempt
   Yes -> step 2
2. Does the connection attempt match the policy conditions?
   No  -> Go to next policy (back to step 1)
   Yes -> step 3
3. Is the remote access permission for the user account set to Deny Access?
   Yes -> Reject connection attempt
   No  -> step 4
4. Is the remote access permission for the user account set to Allow Access?
   Yes -> step 6
   No  -> step 5
5. Is the remote access permission on the policy set to Deny remote access permission?
   Yes -> Reject connection attempt
   No  -> step 6
6. Does the connection attempt match the user object and profile settings?
   Yes -> Accept connection attempt
   No  -> Reject connection attempt
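The decision order of the slide 24 flowchart, as an added Python illustration that is not code from the presentation; the Attempt and Policy classes, the permission labels and the two sample policies are constructed for the example:

```python
from dataclasses import dataclass
from typing import Callable, List

# Account dial-in permission values (constructed labels for this example).
DENY_ACCESS, ALLOW_ACCESS, CONTROL_THROUGH_POLICY = "deny", "allow", "policy"

@dataclass
class Attempt:
    user: str
    user_permission: str   # DENY_ACCESS, ALLOW_ACCESS or CONTROL_THROUGH_POLICY
    attrs: dict            # connection attributes: port type, group, auth method

@dataclass
class Policy:
    name: str
    conditions: Callable[[Attempt], bool]  # policy conditions (step 2)
    deny_remote_access: bool               # permission set on the policy (step 5)
    profile_ok: Callable[[Attempt], bool]  # user object / profile settings (step 6)

def evaluate(attempt: Attempt, policies: List[Policy]) -> str:
    """Walk the flowchart in order; returns 'accept' or 'reject'."""
    for policy in policies:                          # step 1: a policy to process
        if not policy.conditions(attempt):           # step 2: no match -> next policy
            continue
        if attempt.user_permission == DENY_ACCESS:   # step 3: account Deny always rejects
            return "reject"
        if attempt.user_permission != ALLOW_ACCESS and policy.deny_remote_access:
            return "reject"                          # steps 4-5: policy permission denies
        # step 6: account Allow, or policy grants access -> profile settings decide
        return "accept" if policy.profile_ok(attempt) else "reject"
    return "reject"                                  # step 1: no (more) policies

# Constructed sample policies; only the first policy whose conditions match is used.
POLICIES = [
    Policy("VPN for Staff",
           lambda a: a.attrs.get("port") == "VPN" and a.attrs.get("group") == "Staff",
           deny_remote_access=False,
           profile_ok=lambda a: a.attrs.get("auth") == "MS-CHAPv2"),
    Policy("Block dial-up",
           lambda a: a.attrs.get("port") == "Dialup",
           deny_remote_access=True,
           profile_ok=lambda a: True),
]

def decide(user: str, permission: str, **attrs) -> str:
    """Evaluate one connection attempt against POLICIES."""
    return evaluate(Attempt(user, permission, attrs), POLICIES)
```

Note that an account set to Allow Access skips the policy's own Deny (step 4 goes straight to step 6), which is why the dial-up user with Allow Access below is accepted.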

30
Protocol | Port | Inbound/Outbound | From | To | Reason
RPC / Auth | 135, 137, 138, 139, 445 TCP | Inbound | WFE / Index | Customer DC | Used for people picker / auth.
LDAP | 389 TCP/UDP | Inbound | WFE / Index | Customer DC | Used for client authentication (NTLM) / people picker / profile imports
DNS | 53 UDP/TCP | Inbound | WFE / Index | Customer DC | DNS to resolve DCs
HTTPS | 443 TCP | Outbound | Customer Network | WFE | Access SharePoint from customer's internal corp
Kerberos | 88 TCP/UDP | Inbound | WFE / Index | Customer ANY IP | Kerberos for People Picker Crawling
SMB | 137, 138, 139, 445 TCP | Inbound | Index | Customer shares | Used for crawling file shares. Need IPs from customer.
HTTP | 80 TCP | Inbound | Index | Customer sites | Access additional customer web sites to crawl. Need IPs from customer.

31
Protocol | Port | Inbound/Outbound | From | To | Reason
HTTP | 80 TCP | Inbound | Internet | WFE | Will display friendly error to use HTTPS instead of HTTP
HTTP | 80 TCP | Inbound | Customer Network | WFE | Will display friendly error to use HTTPS instead of HTTP. (Network team asked to call out connection to customer.)
HTTP | 80 TCP | Outbound | WFE | Internet | Needed to download updates for ForeFront, Windows, etc. Also needed for RSS viewer web parts which pull from external sources.
HTTPS | 443 TCP | Inbound | Internet | WFE | Access SharePoint
HTTPS | 443 TCP | Inbound | Customer Network | WFE | Access SharePoint (Network team asked to call out connection to customer.)
LDAP | 389 TCP/UDP | Outbound | WFE | Customer DC | Used for client authentication (NTLM) / people picker / profile imports
DNS | 53 UDP/TCP | Outbound | WFE | Customer DC | DNS to resolve customer DCs
RPC / Auth | 135, 137, 138, 139, 445 TCP | Outbound | WFE | Customer DC | Seen in use during people picker use.

32
Protocol | Port | Inbound/Outbound | From | To | Reason
RPC / Auth | 135, 137, 138, 139, 445 TCP | Outbound | Index | Customer DC | Used for client authentication.
LDAP | 389 TCP/UDP | Outbound | Index | Customer DC | Used for client authentication (NTLM) / people picker / profile imports
DNS | 53 UDP/TCP | Outbound | Index | Customer DC | DNS to resolve customer DCs
Kerberos | 88 TCP/UDP | Outbound | WFE / Index | Customer ANY IP | Kerberos for People Picker Crawling
SMB | 137, 138, 139, 445 TCP | Outbound | Index | Customer shares | Used for crawling file shares. Need IPs from customer.
HTTP | 80 TCP | Outbound | Index | Customer sites | Access additional customer web sites to crawl. Need IPs from customer.
HTTPS | 443 TCP | Outbound | Index | WFE | Crawling SharePoint
SMTP | 25 TCP | Outbound | WFE | Managed | For sending alerts and outgoing messages
Index Propagation | 137, 138, 139 TCP/UDP | Outbound | Index | WFEs (Query Boxes) | Propagate index to query boxes, typically the WFEs.
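As an added example that is not from the presentation, the slide 30-32 tables turned into an allow-list of (from, to, protocol, port) flows that observed connections are checked against, so traffic the tables do not cover stands out in a firewall log; the host-to-role mapping and the log lines are constructed sample data, and the Customer Network and SMTP rows are left out:

```python
import re
# Allowed flows from the slide 30-32 tables: (from, to, protocols, ports). Rows that
# only differ in direction are merged; the Customer Network and SMTP rows are omitted.
ALLOWED = [
    ("WFE/Index", "Customer DC", "TCP", "135, 137, 138, 139, 445"),  # RPC / auth
    ("WFE/Index", "Customer DC", "TCP/UDP", "389"),                   # LDAP
    ("WFE/Index", "Customer DC", "TCP/UDP", "53"),                    # DNS
    ("WFE/Index", "Customer ANY IP", "TCP/UDP", "88"),                # Kerberos
    ("Index", "Customer shares", "TCP", "137, 138, 139, 445"),        # SMB crawl
    ("Index", "Customer sites", "TCP", "80"),                         # web crawl
    ("Index", "WFE", "TCP", "443"),                                   # crawl SharePoint
    ("Index", "WFE", "TCP/UDP", "137, 138, 139"),                     # index propagation
    ("Internet", "WFE", "TCP", "80, 443"),                            # users (80 redirects)
    ("WFE", "Internet", "TCP", "80"),                                 # updates, RSS
]

def expand(rules):
    # Expand "WFE/Index", "TCP/UDP" and port lists into (from, to, proto, port) tuples.
    flows = set()
    for src, dst, protos, ports in rules:
        for role in src.split("/"):
            for proto in protos.split("/"):
                for port in re.split(r",\s*", ports):
                    flows.add((role, dst, proto, int(port)))
    return flows

ALLOWED_FLOWS = expand(ALLOWED)
# Constructed host-to-role mapping and firewall log lines (not from the presentation).
ROLES = {"10.0.1.10": "WFE", "10.0.1.20": "Index", "10.0.2.5": "Customer DC",
         "10.0.2.50": "Customer shares", "203.0.113.9": "Internet"}
SAMPLE_LOG = [
    "src=10.0.1.10 dst=10.0.2.5 proto=TCP dport=389",      # WFE -> DC, LDAP: in table
    "src=10.0.1.20 dst=10.0.2.50 proto=TCP dport=445",     # Index -> shares, SMB: in table
    "src=10.0.1.20 dst=10.0.2.5 proto=UDP dport=88",       # Index -> DC, Kerberos: any customer IP
    "src=203.0.113.9 dst=10.0.1.10 proto=TCP dport=3389",  # Internet -> WFE, RDP: not in table
    "src=10.0.1.10 dst=10.0.2.50 proto=TCP dport=445",     # WFE -> shares, SMB: only Index may
]
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(TCP|UDP) dport=(\d+)")

def unexpected_flows(log_lines):
    # Return the log lines whose (src role, dst role, proto, port) the table does not cover.
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst, proto, port = m.groups()
        src, dst, port = ROLES.get(src, "Unknown"), ROLES.get(dst, "Unknown"), int(port)
        any_customer = dst.startswith("Customer") and (src, "Customer ANY IP", proto, port) in ALLOWED_FLOWS
        if (src, dst, proto, port) not in ALLOWED_FLOWS and not any_customer:
            hits.append(line)
    return hits
```

Hosts missing from ROLES map to "Unknown" and are therefore always reported, which is the safer default for a review of this kind.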

51
Law #1: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
Law #2: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.
Law #3: If a bad guy can view your conversation, you have just invited him to tell everyone.
Law #4: If a bad guy can alter the operating system on your computer, it's not your computer anymore.
Law #5: If you allow a bad guy to upload programs to your website or network, it's not your stuff anymore.
Law #6: Absolute anonymity isn't practical, in real life or on the Web.
Law #7: Weak passwords trump strong security.
Law #8: A computer is only as secure as the administrator is trustworthy.
Law #9: Your infrastructure is only as strong as your weakest link.
Law #10: Technology is not a panacea.

53 Resources
- www.microsoft.com/teched (Sessions On-Demand & Community)
- www.microsoft.com/learning (Microsoft Certification & Training Resources)
- http://microsoft.com/technet (Resources for IT Professionals)
- http://microsoft.com/msdn (Resources for Developers)
- http://northamerica.msteched.com (Connect. Share. Discuss.)
