Implementing Network Security
Source: online.aoi.edu.au/documents/1361152703PPT2.pdf


NETWORK SECURITY

Agenda

• PKI Overview

• Secure Remote Access

• Secure Wireless

• Segmentation via IPsec

• Application Layer Firewalling

Symmetric Key Cryptography

[Diagram: plain-text input “The quick brown fox jumps over the lazy dog” → Encryption → cipher-text (“AxCv;5bmEseTfid3)fGsmWe#4^,sdgfMwir3:dkJeTsY8R\s@!q3%”) → Decryption → plain-text output. The same key (a shared secret) is used for both encryption and decryption.]

Public Key Encryption

[Diagram: clear-text input → Encryption with the recipient’s public key → cipher-text (“Py75c%bn&*)9|fDe^bDFaq#xzjFr@g5=&nmdFg$5knvMd’rkvegMs”) → Decryption with the recipient’s private key → clear-text output. Different keys are used: the public key encrypts, and only the matching private key decrypts.]

Public Key Pros and Cons

• Weaknesses:
• Extremely slow compared with symmetric ciphers, so it is used to protect keys and hashes rather than bulk data
• Deterministic (unpadded) encryption lets anyone holding the public key encrypt guesses and compare them with an intercepted cipher-text; randomized padding such as RSA-OAEP is required
• Problem of trusting the public key (see later on PKI)
• Strengths:
• Solves the problem of passing the key
• Allows establishment of a trust context between parties

Hybrid Encryption (Real World)

[Diagram: an RNG produces a randomly generated symmetric “session” key. The message (“Launch key for nuclear missile “RedHeat” is...”) is encrypted with the session key using a symmetric cipher (the slide’s example is DES; DES has a 56-bit key and is no longer acceptable, so AES is used today). The session key is then encrypted asymmetrically (e.g., RSA) with the user’s public key, taken from the user’s certificate, producing a “digital envelope”. As above, this wrapping is repeated for other recipients or for recovery agents, using the other recipient’s or agent’s public key (in their certificate) according to the recovery policy, so each party gets its own envelope for the same session key.]

Hybrid Decryption

[Diagram: the digital envelope contains the “session” key encrypted using the recipient’s public key, so it must be decrypted using the recipient’s private key (asymmetric decryption, e.g., RSA). The recovered symmetric “session” key then performs the symmetric decryption (e.g., DES) of the cipher-text back to the original message.]

Digital Signing - Signing

[Diagram: the data (“This is the data that I am sending”) is passed through a hash function to produce a data hash. The hash is then encrypted (signed) with the sender’s private key, giving the encrypted data hash. The data and the encrypted hash are sent together.]

Digital Signing - Checking

[Diagram: the recipient hashes the received clear-text data to get the message hash, decrypts the encrypted hash with the sender’s public key, and compares the two. If the decrypted hash equals the message hash, the data came from the holder of the private key and was not modified in transit.]
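The hybrid-encryption and digital-signature slides above describe one procedure each; the following Go program is an added example that implements both with the Go standard library and is not code from the deck. It substitutes AES-256-GCM for the slides’ DES and uses RSA-OAEP to wrap the session key and RSA-PSS over SHA-256 for the signature; the `Envelope` type, the per-recipient “slot” layout, the key sizes and the sample message are assumptions made for the demonstration. Signing uses the sender’s private key and verification the sender’s public key, which is the point the signing slide’s labels blur.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is the slides' "digital envelope": the message encrypted once under a
// random session key, plus one copy of that key per recipient, each wrapped
// under that recipient's public key (a recovery agent is just another recipient).
type Envelope struct {
	WrappedKeys [][]byte // slot i belongs to recipient i
	Nonce       []byte
	Ciphertext  []byte // AES-256-GCM output, authentication tag included
}

// GenKey generates a 2048-bit RSA key pair (assumed size for the demo).
func GenKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is hybrid encryption: RNG -> session key; symmetric cipher (AES-GCM here,
// not the slides' DES) for the data; RSA-OAEP to wrap the key for each recipient.
func Seal(msg []byte, recipients []*rsa.PublicKey) (*Envelope, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, msg, nil)}
	for _, pub := range recipients { // "repeated for other recipients or recovery agents"
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
		if err != nil {
			return nil, err
		}
		env.WrappedKeys = append(env.WrappedKeys, wrapped)
	}
	return env, nil
}

// Open is hybrid decryption: unwrap the session key from the given slot with the
// recipient's private key, then decrypt; GCM rejects any tampered cipher-text.
func Open(env *Envelope, priv *rsa.PrivateKey, slot int) ([]byte, error) {
	if slot < 0 || slot >= len(env.WrappedKeys) {
		return nil, fmt.Errorf("no envelope slot %d", slot)
	}
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKeys[slot], nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Sign hashes the data and signs the hash with the SENDER's private key (RSA-PSS).
func Sign(data []byte, senderPriv *rsa.PrivateKey) ([]byte, error) {
	h := sha256.Sum256(data)
	return rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, h[:], nil)
}

// Verify recomputes the hash and checks the signature with the sender's public key.
func Verify(data, sig []byte, senderPub *rsa.PublicKey) bool {
	h := sha256.Sum256(data)
	return rsa.VerifyPSS(senderPub, crypto.SHA256, h[:], sig, nil) == nil
}

func main() {
	alice, bob, agent := GenKey(), GenKey(), GenKey() // sender, recipient, recovery agent
	msg := []byte(`Launch key for nuclear missile "RedHeat" is...`)
	env, _ := Seal(msg, []*rsa.PublicKey{&bob.PublicKey, &agent.PublicKey})
	sig, _ := Sign(msg, alice)
	got, err := Open(env, bob, 0)
	fmt.Printf("%s err=%v signature valid=%v\n", got, err, Verify(got, sig, &alice.PublicKey))
}
```

Both Bob (slot 0) and the recovery agent (slot 1) recover the same session key and the same message; a third key, a flipped cipher-text byte, a modified message or the wrong public key at verification all fail, which is what the “compare” step on the checking slide is for.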

Key Thoughts

• How do you design a PKI?
• By geography?
• By PK function?
• By administration?
• Internal or external?
• How many certificates?
• Usage times

What is Quarantine?

• Health checkup
• IT checks the “health” of the client: patch level, AV, other scriptable checks
• Network Access Control
• Access / no access using RRAS & IAS
• Health maintenance
• Quarantined clients are given access to fix-up services
• Cannot protect against malicious users: the check runs on the client and reports a result string, so a deliberately hostile client can simply report “healthy”

[Diagram: clients subject to quarantine include users connecting from home, returning laptops and unhealthy desktops.]

Classic VPN Quarantine (V1)

[Diagram: Client ↔ RRAS ↔ IAS, with the Internet on the client side and Corpnet behind RRAS; a quarantined client can reach only the quarantine (fix-up) servers.]

Client: CM Profile
• Runs a customizable post-connect script
• The script runs the RQC notifier with a “results string”

Server: Listener
• RQS receives the notifier’s “results string”
• Compares the results to the set of possible results
• Removes the time-out if a response is received but the client is out of date
• Removes the quarantine filter if the client is up to date

Quarantine VSAs
• Timer: limits the time window in which the notify must be received before auto-disconnect
• Q-filter: sets a temporary route filter that restricts the client to quarantine access

Components
• IAS: all VSA features
• RRAS: VSA support and an API to remove quarantine
• Client/Server: RQC, RQS

RQS = Remote Quarantine Server
RQC = Remote Quarantine Client
VSA = Vendor Specific Attributes

Classic VPN Quarantine: connection flow

[Diagram: Client → RRAS → IAS, Internet on the left, Corpnet on the right. Connect → Authenticate → Authorize (IAS returns the Quarantine VSA + normal filters) → Quarantine Access (fix-up servers only) → Policy Check on the client → Result sent to RQS → Remove Quarantine → Full Access to Corpnet.]
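The listener rules on the slides above (compare the results string, drop the time-out, remove the filter, or disconnect on expiry) are the server side of this exchange. The Go program below is an added example that models that decision logic as a small state machine; it is not Microsoft’s RQS code. The session-timeout value, the result-string format and the rule that an out-of-date client keeps its quarantine filter but loses the timer follow the slides’ wording and are assumptions for the demonstration.

```go
package main

import (
	"fmt"
	"time"
)

// QState is the state of one remote-access connection under classic VPN quarantine.
type QState int

const (
	Quarantined  QState = iota // Q-filter applied: only quarantine (fix-up) resources reachable
	FullAccess                 // RQS called the RRAS API and the quarantine filter is gone
	Disconnected               // timer expired before an acceptable results string arrived
)

func (s QState) String() string { return [...]string{"Quarantined", "FullAccess", "Disconnected"}[s] }

// Session is what RQS tracks per client after Connect/Authenticate/Authorize
// returned the quarantine VSAs (timer + Q-filter) together with the normal filters.
type Session struct {
	State    QState
	Deadline time.Time       // from the timer VSA: the notify must arrive before this
	Allowed  map[string]bool // the "possible results" RQS is configured to accept
	HasTimer bool
}

// NewSession starts a connection in quarantine with the auto-disconnect timer running.
func NewSession(connectedAt time.Time, timeout time.Duration, possibleResults []string) *Session {
	s := &Session{State: Quarantined, Deadline: connectedAt.Add(timeout), Allowed: map[string]bool{}, HasTimer: true}
	for _, r := range possibleResults {
		s.Allowed[r] = true
	}
	return s
}

// Notify is the listener side: the RQC notifier delivered `results` at time `at`.
// The string is self-reported by the client's post-connect script, which is why
// this scheme cannot protect against a malicious user.
func (s *Session) Notify(results string, at time.Time) QState {
	if s.State != Quarantined {
		return s.State
	}
	if s.HasTimer && at.After(s.Deadline) {
		s.State = Disconnected // notify arrived after the window closed
		return s.State
	}
	if s.Allowed[results] {
		s.State = FullAccess // client up to date: remove the quarantine filter
		s.HasTimer = false
	} else {
		s.HasTimer = false // response received but client out of date: time-out removed, filter kept
	}
	return s.State
}

// Tick enforces the auto-disconnect timer.
func (s *Session) Tick(now time.Time) QState {
	if s.State == Quarantined && s.HasTimer && now.After(s.Deadline) {
		s.State = Disconnected
	}
	return s.State
}

func main() {
	t0 := time.Now()
	// constructed results string; a real script would assemble it from its checks
	s := NewSession(t0, 2*time.Minute, []string{"policy=v3;av=ok;patch=ok"})
	fmt.Println(s.Tick(t0.Add(time.Minute)))                                   // Quarantined
	fmt.Println(s.Notify("policy=v3;av=ok;patch=ok", t0.Add(90*time.Second))) // FullAccess
}
```

A client that never runs the notifier is disconnected when the timer expires; one that reports an unknown string stays in quarantine with access to the fix-up servers and no further deadline.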

Secure Remote Access

• Expanding the managed network

• Where is the edge?

• VPN Quarantine

• End Point Compliance

• VPN-less connections

• SSL VPNs

• Smartphones / Devices

• Smartcard Authentication

Secure Wireless Basics

• Shifting the entry barrier

• Key themes

• Security

• Management

• Usability

Security Best Practices: What NOT to do

• Hidden SSID
• Does not provide any real security
• Easily discoverable in well-used environments (the SSID still appears in probe and association frames)
• Windows client experience is impacted
• MAC filtering
• Does not scale
• NIC management issue
• MAC addresses are trivially spoofable
• “Shared” mode (WEP shared-key authentication)
• Sounds like more security but is actually worse: the challenge/response exposes a WEP keystream to an eavesdropper
• Not to be confused with Pre-Shared Key (PSK) in WPA/WPA2, which is more secure
• Open networks and VPNs
• Grants everyone access to the wireless segment
• Great for hotspots, not for your business

Secure Wireless Deployment Components

Wireless clients and wireless access points
• Radio types: 802.11 a/b/g
• Network authentication: 802.1X, WPA, WPA2/802.11i*
• Encryption: WEP, TKIP, AES (WEP is broken and TKIP is deprecated; deploy AES-CCMP)

RADIUS server (the access points talk to it over RADIUS)
• EAP methods: EAP-TLS (credentials = certificates), PEAP-MSCHAPv2 (credentials = passwords)
• Remote Access Policies

User account database
• Remote Access permissions
• Credentials = passwords

Certificate Authority (optional)
• Credentials = certificates

Domain and Server Isolation

[Diagram: three zones. Un-trusted zone: unmanaged devices. Trusted: Active Directory domain members and the domain controller, with authentication optional when talking to unmanaged devices. Isolated and Trusted: infrastructure servers behind authenticating host firewalls, where authentication is required; connections from the un-trusted zone are blocked (marked X).]

How it works
• Domain credentials identify “trusted” vs “un-trusted”
• Trusted machines with credentials can communicate
• Un-trusted machines cannot communicate to Trusted or Isolated and Trusted machines
• Domain machines can communicate to “unmanaged” machines

Available today with Windows 2000, XP and Server 2003

Threats That IPsec Mitigates:

• Tampering with data in transit

• Unauthenticated access to trusted systems

• Including worm propagation from untrusted systems

• Man-in-the-middle attacks

• Spoofing

• Eavesdropping on network traffic

• And others….

IPsec Modes of Operation

• Tunnel Mode

• Classic VPN

• Network-to-Network

• Host-to-Network

• Transport Mode

• Host-to-Host

• In Network Isolation

• Group to group

• An Isolation Group can contain 1 or 10000 hosts!

Methods for IPsec Protection

• AH (Authentication Header)
• Mutual authentication of endpoints
• End-to-end IP header integrity: the integrity check covers the immutable fields of the IP header, including the addresses
• Will not traverse a NAT device, because a rewritten address breaks the integrity check
• ESP (Encapsulating Security Payload)
• Mutual authentication of endpoints
• Option to use encryption
• Will traverse a NAT device: the outer IP header is not covered by the integrity check (UDP encapsulation, NAT-T, is needed to cross port-translating NATs, since ESP has no ports)
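The NAT difference above is easiest to see by computing the two integrity checks. The Go program below is an added example, not code from the deck: it models the part of AH and ESP that matters here (an HMAC over the immutable IP header fields plus payload for AH, over the ESP header plus payload for ESP) and then rewrites the source address the way a source NAT does. The 11-byte header serialisation, the 96-bit truncation, the fixed SPI/sequence number and the HMAC key are constructed for the demonstration and simplify the real RFC 4302/4303 formats; in practice IKE negotiates the keys.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// IPv4Header carries the fields the slides' packet diagrams list. Under AH the
// mutable-in-transit fields (TTL, header checksum) are zeroed before the ICV is
// computed, but the addresses are immutable and are covered (RFC 4302).
type IPv4Header struct {
	Src, Dst [4]byte
	TTL      uint8
	Checksum uint16
}

// ahCoveredBytes serialises the header the way the AH ICV sees it (constructed layout).
func ahCoveredBytes(h IPv4Header) []byte {
	b := make([]byte, 11)
	copy(b[0:4], h.Src[:])
	copy(b[4:8], h.Dst[:])
	b[8] = 0                               // TTL: mutable, zeroed
	binary.BigEndian.PutUint16(b[9:11], 0) // checksum: mutable, zeroed
	return b
}

// AHICV is an HMAC over the immutable IP header fields plus the payload, truncated to 96 bits.
func AHICV(key []byte, h IPv4Header, payload []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(ahCoveredBytes(h))
	m.Write(payload)
	return m.Sum(nil)[:12]
}

// ESPICV is an HMAC over the ESP header (SPI, sequence number) plus the payload only;
// the outer IP header is never covered (RFC 4303), so a NAT rewriting it does no harm.
func ESPICV(key []byte, spi, seq uint32, payload []byte) []byte {
	m := hmac.New(sha256.New, key)
	var hdr [8]byte
	binary.BigEndian.PutUint32(hdr[0:4], spi)
	binary.BigEndian.PutUint32(hdr[4:8], seq)
	m.Write(hdr[:])
	m.Write(payload)
	return m.Sum(nil)[:12]
}

// NAT does what a source-NAT router does to the outer header: new source address,
// decremented TTL and a recomputed checksum (a placeholder value here).
func NAT(h IPv4Header, publicSrc [4]byte) IPv4Header {
	h.Src = publicSrc
	h.TTL--
	h.Checksum = 0xBEEF
	return h
}

// ThroughNAT protects the same packet with AH and with ESP, pushes both through the
// NAT, and reports whether each still verifies at the receiver.
func ThroughNAT(key []byte, h IPv4Header, payload []byte, publicSrc [4]byte) (ahOK, espOK bool) {
	const spi, seq = 0x1000, 1
	ahTag := AHICV(key, h, payload)
	espTag := ESPICV(key, spi, seq, payload)
	after := NAT(h, publicSrc)
	ahOK = hmac.Equal(AHICV(key, after, payload), ahTag)
	espOK = hmac.Equal(ESPICV(key, spi, seq, payload), espTag)
	return ahOK, espOK
}

func main() {
	key := []byte("constructed-demo-sa-key") // a real SA key comes from IKE
	h := IPv4Header{Src: [4]byte{192, 168, 1, 10}, Dst: [4]byte{10, 0, 0, 5}, TTL: 64, Checksum: 0x1234}
	ahOK, espOK := ThroughNAT(key, h, []byte("constructed payload"), [4]byte{203, 0, 113, 7})
	fmt.Printf("after NAT: AH verifies=%v  ESP verifies=%v\n", ahOK, espOK) // AH false, ESP true
}
```

A plain router hop (TTL and checksum change, address unchanged) leaves both checks intact, which is why the mutable fields are excluded; only the address rewrite a NAT performs breaks AH.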

Let’s rip open a packet
• Currently, most firewalls check only basic packet information
• Real-world equivalent of looking at the number and destination of a bus, and not looking at the passengers

A Traditional Firewall’s View
Control Internet access, protect clients from malicious Internet traffic

[Diagram of a packet as a traditional firewall sees it: the IP header (source address, destination address, TTL, checksum) and the TCP header (sequence number, source port, destination port, checksum) are inspected; the application-layer content is a “black box”. Forwarding decisions are based on port numbers, but legitimate traffic and application-layer attacks use identical ports, so expected HTTP traffic, unexpected HTTP traffic and attacks all pass from the Internet into the corporate network; only non-HTTP traffic is blocked.]

ISA Server’s View of a Packet
Control Internet access, protect clients from malicious Internet traffic

[Diagram: packet headers and application content are both inspected. Application-layer content: GET www.contoso.com/partners/default.htm; IP header (source address, destination address, TTL, checksum); TCP header (sequence number, source port, destination port, checksum). Forwarding decisions are based on content: only legitimate HTTP traffic is sent to the Web server, while prohibited HTTP traffic, attacks and non-HTTP traffic from the Internet are stopped before the corporate network.]
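The two views above differ in what the filter reads before deciding. The Go program below is an added example, not ISA Server code: `PortOnlyAllow` is the traditional firewall’s whole decision, while `InspectHTTP` parses the TCP payload with `net/http`’s `ReadRequest` and applies a URLScan-style rule set (well-formed HTTP only, a verb allowlist, the published host and path prefixes, a URL length limit, no dot-dot segments). The specific rules, the 260-byte limit and the sample requests are assumptions constructed for the demonstration.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"strings"
)

// PortOnlyAllow is the traditional firewall's decision: it sees only the TCP/IP
// headers, so anything addressed to the Web server's port is forwarded.
func PortOnlyAllow(dstPort int) bool { return dstPort == 80 || dstPort == 443 }

// Verdict is what the application-layer inspector returns for one request.
type Verdict struct {
	Allowed bool
	Reason  string
}

// InspectHTTP parses the payload as HTTP, as an application-layer firewall would,
// and applies URLScan-style rules before anything reaches the Web server.
func InspectHTTP(raw, publishedHost string, publishedPrefixes []string) Verdict {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		// e.g. an SSH banner or binary junk aimed at port 80
		return Verdict{false, "not a well-formed HTTP request (" + err.Error() + ")"}
	}
	switch req.Method {
	case "GET", "HEAD", "POST":
	default:
		return Verdict{false, "verb not allowed: " + req.Method}
	}
	if !strings.EqualFold(req.Host, publishedHost) {
		return Verdict{false, "host not published: " + req.Host}
	}
	if len(req.RequestURI) > 260 { // assumed limit for the demo
		return Verdict{false, "URL longer than 260 bytes"}
	}
	// req.URL.Path is percent-decoded, so an encoded %2e%2e or %2f is caught here too.
	if strings.Contains(req.URL.Path, "..") {
		return Verdict{false, "path traversal: " + req.URL.Path}
	}
	for _, p := range publishedPrefixes {
		if strings.HasPrefix(req.URL.Path, p) {
			return Verdict{true, req.Method + " " + req.Host + req.URL.Path}
		}
	}
	return Verdict{false, "path not published: " + req.URL.Path}
}

func main() {
	// Constructed sample requests, all arriving on port 80.
	samples := []string{
		"GET /partners/default.htm HTTP/1.1\r\nHost: www.contoso.com\r\n\r\n",
		"GET /partners/..%2f..%2fwinnt/system32/cmd.exe HTTP/1.1\r\nHost: www.contoso.com\r\n\r\n",
		"TRACE /partners/ HTTP/1.1\r\nHost: www.contoso.com\r\n\r\n",
		"GET /partners/x HTTP/1.1\r\nHost: evil.example\r\n\r\n",
		"SSH-2.0-OpenSSH_7.4\r\n",
	}
	for _, s := range samples {
		v := InspectHTTP(s, "www.contoso.com", []string{"/partners/"})
		fmt.Printf("port filter: %v   app-layer: %v (%s)\n", PortOnlyAllow(80), v.Allowed, v.Reason)
	}
}
```

Every sample passes the port-only check; only the first passes the content check. The decoding step matters: `..%2f..%2f` reaches `req.URL.Path` as `../../`, which a byte match on the raw request line would miss.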

Problem: RPC Protocol, the Standard Firewall Challenge

[Diagram: RPC client (Outlook) talking to RPC server (Exchange)]

RPC services grab random high ports when they start; the server maintains a table:

Service         UUID                Port
Exchange        {12341234-1111…}    4402
AD replication  {01020304-4444…}    3544
MMC             {19283746-7777…}    9233

• The client knows the UUID of the service it wants, e.g. {12341234-1111…}
• The client connects to the portmapper (endpoint mapper) on the server, port 135/tcp, and asks, “What port is associated with my UUID?”
• The server matches the UUID to the current port (4402/tcp)
• The portmapper responds with the port and closes the connection
• The client accesses the application over the learned port (4402/tcp)

Due to the random nature of RPC, this is not feasible over the Internet: all 64,512 high ports (1024 to 65535) plus port 135 must be opened on traditional firewalls.
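The endpoint-mapper exchange above is what an RPC-aware filter can watch. The Go program below is an added example, not ISA Server’s RPC filter: it models the server’s UUID-to-port table, the one rule a port-based firewall can write for it, and a filter that proxies the 135/tcp lookup, answers only for published interface UUIDs, and opens a pinhole for the returned port for that client alone. The UUIDs, client names and ports are constructed for the demonstration (the ports match the slide’s table).

```go
package main

import "fmt"

// EndpointMapper is the table the RPC server keeps behind 135/tcp:
// interface UUID -> the dynamic high port the service bound when it started.
type EndpointMapper struct{ table map[string]int }

func NewEndpointMapper() *EndpointMapper { return &EndpointMapper{table: map[string]int{}} }

// Register records the port a service grabbed at start-up (randomly, in real life).
func (m *EndpointMapper) Register(uuid string, port int) { m.table[uuid] = port }

// Lookup answers "what port is associated with my UUID?".
func (m *EndpointMapper) Lookup(uuid string) (int, bool) {
	p, ok := m.table[uuid]
	return p, ok
}

// TraditionalAllow is the only rule a port-based firewall can write for RPC:
// port 135 plus every high port, because it cannot know which one a service got.
func TraditionalAllow(dstPort int) bool {
	return dstPort == 135 || (dstPort >= 1024 && dstPort <= 65535)
}

// ExposedByTraditional counts the ports that rule opens: 64,512 high ports plus 135.
func ExposedByTraditional() int { return (65535 - 1024 + 1) + 1 }

// RPCFilter is an application-layer (RPC-aware) filter: it proxies the mapper
// lookup, allows only published interface UUIDs, and opens a pinhole for the
// returned port for that client only.
type RPCFilter struct {
	mapper    *EndpointMapper
	published map[string]bool
	pinholes  map[string]int // client -> port learned from the mapper reply
}

func NewRPCFilter(m *EndpointMapper, publishedUUIDs ...string) *RPCFilter {
	f := &RPCFilter{mapper: m, published: map[string]bool{}, pinholes: map[string]int{}}
	for _, u := range publishedUUIDs {
		f.published[u] = true
	}
	return f
}

// MapperQuery handles the client's 135/tcp exchange on the server's behalf.
func (f *RPCFilter) MapperQuery(client, uuid string) (int, bool) {
	if !f.published[uuid] {
		return 0, false // e.g. AD replication or MMC: never reachable from the Internet
	}
	port, ok := f.mapper.Lookup(uuid)
	if !ok {
		return 0, false
	}
	f.pinholes[client] = port
	return port, true
}

// Allow decides a follow-on connection: 135 for the lookup, or the one pinhole
// learned for this client, and nothing else.
func (f *RPCFilter) Allow(client string, dstPort int) bool {
	if dstPort == 135 {
		return true
	}
	p, ok := f.pinholes[client]
	return ok && p == dstPort
}

func main() {
	// constructed UUIDs; the slide's real values are truncated
	exchange, mmc := "12341234-1111-0000-0000-000000000001", "19283746-7777-0000-0000-000000000003"
	m := NewEndpointMapper()
	m.Register(exchange, 4402)
	m.Register(mmc, 9233)
	f := NewRPCFilter(m, exchange)
	port, _ := f.MapperQuery("outlook-client", exchange)
	fmt.Println("traditional rule exposes", ExposedByTraditional(), "ports; MMC reachable:", TraditionalAllow(9233))
	fmt.Println("RPC-aware: learned", port, "allowed:", f.Allow("outlook-client", 4402), "MMC:", f.Allow("outlook-client", 9233))
}
```

The pinhole is keyed by client as well as port, so a second host cannot ride on a lookup it never made, and an interface that was not published never gets a port at all.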

Securely make email available to outside employees

Traditional firewall
[Diagram: OWA client → SSL → traditional firewall → OWA server. The OWA server prompts for authentication, and any Internet user can reach this prompt. SSL tunnels through traditional firewalls because it is encrypted, which allows viruses and worms to pass through undetected and infect internal servers.]

ISA Server 2004 (Recommended)
[Diagram: OWA client → SSL → ISA Server 2004 → SSL or HTTP → OWA server, with URLScan for ISA Server on the ISA Server.]
• Basic authentication delegation: ISA Server pre-authenticates users, eliminating multiple dialog boxes and only allowing valid traffic through
• ISA Server can decrypt and inspect SSL traffic; inspected traffic can be sent to the internal server re-encrypted or in the clear (re-encrypting the internal leg is the safer choice, since the clear-text leg carries user credentials)
• URLScan for ISA Server can stop Web attacks at the network edge, even over encrypted SSL