Technical Overview of Security
Fred Baumhardt, Lead Security Technology Architect
Microsoft EMEA
[email protected] or MSN [email protected]
Plan of Action
This session is about questions – not answers
Understand the Security Problem
Understand the Roots of Security and IP
Look at Modern Security Technologies
Perimeter based – what is a perimeter anyway?
Network Based
Host Based and Domain Based
People….. the final frontier (and dumbest too)
The Datacenter Security Problem
Some Core Systems
Internet Systems
Departments
Extranets
Branch Offices
• Systems organically grown under "Project" context
• No clear best practice from vendors
• Security often bolted on as an afterthought
• Fear of change – Time to Market
• Branch has poor bandwidth and is under-managed
• Worm always smaller than patch
Project 1…n Systems
The External User Problem
Grandmothers aren't good at patching – neither are vendors… yet
People at large suffer from itcanthappentome-itis
ADSL, cable and other technologies make non-secure users the majority – most Internet IPs are not policed or managed
External drones can bring down your network in seconds by DDoS, co-ordinated attacks, relay points
Internal User Problems (abridged)
VPN and remote access put our "trusted" people into the untrusted Internet
Users treat corporate assets as personal property
Infections come into our perimeter from mixing internal/external user roles – e.g. home use of a laptop to browse funbags.com
When inside, our users don't follow/know our security policy (if we have one)
Users versus IT department mentality (and vice versa)
And Just When You Thought It Couldn't Get Worse….
The Network lets you down
Modern nets are generally large TCP/IP spaces segmented by one or two sets of firewalls to the Internet (the DMZ – more on this little gem later)
IT usually does little internal network protection, focusing on external firewalls and DMZ scenarios for security
Attackers switch attacks to the application level, which network equipment can't understand
The Security Strategy Toolbox
Data and Resources: ACLs, EFS, AV, AD, App Coding
Application Defences: AV, Content Scanning, Layer 7 (URL) Switching, Secure apps like IIS, Exchange, authentication
Host Defences: Server Hardening, Host Intrusion Detection, IPSec Filtering, Auditing, AD
Network Defences: VLAN Access Control Lists, Internal Firewall, Auditing, Intrusion Detection
Perimeter Defences: Packet Filtering with stateful Inspection of Packets, Intrusion Detection, ALF, IDS/IPS, Pre-Authentication
(Diagram – layers: Policies, Procedures & Awareness; Physical Security; Perimeter; Internal Network; Host; Application; Data)
Purpose and Limitations of Perimeter Defences
Properly configured firewalls and border routers are the cornerstone of perimeter security – and possibly internally too
The Internet and mobility increase security risks
VPNs have "softened" the perimeter and, along with wireless networking, have essentially caused the disappearance of the traditional concept of a network perimeter
Traditional packet-filtering firewalls block only network ports and computer addresses
Most modern attacks occur at the application layer
The DMZ…. A Favourite Myth
In military terms, it is where you put your unwanted soldiers (they will die quickly)
An area where neither side will place heavy weapons (except the attacking side breaking the DMZ rules)
(Diagram: Internet – DMZ – Internal Network)
Traditional IT DMZs
A rear firewall (or rear ruleset) is placed to protect the internal network from the DMZ in case of a breach of the front firewall
Placement of semi-trusted machines – like proxies, SMTP relays, web servers
Semi-trusted is like semi-pregnant
Rear firewalls look like Swiss cheese
At the application level all traffic that is needed is allowed – like DB ports, DC ports
Devices that filter aren't application aware
Firewall Perimeter Technology
Packet inspection devices that take traffic on one side and allow it or block it based on rules you define
Limited by what they inspect – source, destination, port, sequence, TTL; new devices can inspect at the data and application layer
Encryption can invalidate these defences
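The perimeter and DMZ slides above make one point from two sides: a front firewall that matches on addresses and ports passes an attack carried inside a permitted HTTP request, and the rear firewall then has to permit the DB and DC ports the web server legitimately needs, so the same attack rides through unseen. The following is an added example, not code from the original deck: a first-match packet filter over a constructed front and rear rule set, next to a crude application-layer check of the kind only a layer-7 device can make. All addresses, rules, signatures and the request are constructed for illustration.

```python
"""Added example (not from the original slides): a port/address filter passes
an application-layer attack that a layer-7 check would catch, and the rear
(DMZ -> internal) rule set has to allow the DB port the attack rides on.
Addresses, rules, signatures and the request are all constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import unquote
import ipaddress
import re


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # CIDR
    dst: str                     # CIDR
    proto: str
    dport: Optional[int] = None  # None = any destination port

    def matches(self, p: Packet) -> bool:
        # A packet filter sees only the 5-tuple, never the payload.
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and p.proto == self.proto
                and (self.dport is None or self.dport == p.dport))


def packet_filter(rules: List[Rule], p: Packet) -> str:
    """First-match rule evaluation with an implicit default deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# Front firewall (constructed): Internet -> DMZ web server on 80/443 only.
FRONT = [
    Rule("allow", "0.0.0.0/0", "192.0.2.10/32", "tcp", 80),
    Rule("allow", "0.0.0.0/0", "192.0.2.10/32", "tcp", 443),
]
# Rear firewall (constructed): the "Swiss cheese" the slide describes.
REAR = [
    Rule("allow", "192.0.2.10/32", "10.0.1.20/32", "tcp", 1433),  # SQL Server
    Rule("allow", "192.0.2.10/32", "10.0.0.5/32", "tcp", 88),     # Kerberos (DC)
    Rule("allow", "192.0.2.10/32", "10.0.0.5/32", "tcp", 389),    # LDAP (DC)
]

# Constructed layer-7 signatures: the kind of thing an application-aware
# device looks for after URL-decoding the request.
L7_SIGNATURES = [
    re.compile(r"(?i)'\s*(or|union)\s"),  # SQL injection fragment
    re.compile(r"\.\./"),                 # path traversal
]


def application_filter(p: Packet) -> str:
    text = unquote(p.payload.decode("latin-1"))
    return "deny" if any(s.search(text) for s in L7_SIGNATURES) else "allow"


def trace(inbound: Packet, triggered_query: Packet) -> Dict[str, str]:
    """Decision at each hop: front packet filter, front layer-7 check,
    and the rear packet filter for the DB query the web app then issues."""
    return {
        "front_firewall": packet_filter(FRONT, inbound),
        "front_l7": application_filter(inbound),
        "rear_firewall": packet_filter(REAR, triggered_query),
    }


# Constructed malicious request and the DB query the web app sends because of it.
EVIL_REQUEST = Packet("203.0.113.7", "192.0.2.10", "tcp", 80,
                      b"GET /login.asp?user=admin'%20or%201=1-- HTTP/1.1\r\n")
DB_QUERY = Packet("192.0.2.10", "10.0.1.20", "tcp", 1433,
                  b"SELECT * FROM users WHERE name='admin' or 1=1--'")

if __name__ == "__main__":
    print(trace(EVIL_REQUEST, DB_QUERY))
```

The front firewall says "allow" because port 80 to the web server is permitted, the rear firewall says "allow" because the web server is entitled to talk to SQL Server on 1433, and only the layer-7 check says "deny". Swap the payload for `GET /index.html` and every hop allows it, which is the whole problem: the two filters cannot tell the requests apart.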
Other Perimeter Technologies
Intrusion Detection/Prevention – more later
Anti-Virus, Anti-Spam Gateways – content filters and inspection devices for inbound or outbound traffic
ISA Server 2004 is custom built for this scenario
VPN solutions – for extending corporate resources – multi-factor, smart cards, SecurID etc. – VPN quarantine: park a user whilst their state and patch level is checked
Private perimeter domains/forests to power Windows security policy
VPN Security
Warning – every time you connect into a network you extend the security perimeter
Harden your clients on the Internet or hackers will attack clients and ride the VPN; tokens won't help as the VPN will already be established
Client-based IDS systems and firewalls can help
Most organisations infected recently by worms were done by laptops or mobile assets VPNing back into the network, or coming back from external infection
VPN quarantine, such as in Windows Server 2003, is critical
Alternatives to VPN
Mail – around 80% of the reason for VPN usage
RPC over HTTP for Exchange 2003 <-> Outlook 2003 mail
Remote mail access formats (OWA)
IMAP/POP3 not fully featured – avoid if possible
SSL for extranet-enabled applications
RPC filtering with ISA Server
Network Defences
Conventional networks don't usually segment or use concepts such as VLANning (virtual LANs)
Modern networks are one big open space under the water line
Once infections come in, the faster the network the faster they spread
Segmentation…. a previously naughty word
(Diagram: segmented network with INTERNET, Perimeter and INTERNAL zones)
Internet → Redundant Routers → Redundant Firewalls → Redundant Internal FWs; IDS/IPS; each segment on NIC teams / 2 switches
VLANs shown: DNS & SMTP; Client and Site VPN; Proxy; RADIUS Network; Intranet Network – Web Servers; Infrastructure Network – Internal Active Directory; Messaging Network – Exchange FE; Messaging Network – Exchange BE; Management Network – MOM, deployment; Client Networks 1…n; Data Network – SQL Server Clusters; Remote datacenter
Which leads us to encryption…
Use of cryptography to encrypt the payload of a transmission – can be at:
Data level – like Kerberos keys, app specific
Transport level – SSL, IPSec etc.
Many different symmetric and asymmetric algorithms – their strength determines effect
Invalidates most IDS, firewall inspection, logging, caching etc. E.g. an SSL tunnel from client to web server invalidates:
Front firewall (all it sees is an encrypted tunnel)
Front IDS (all it sees is an encrypted tunnel)
Encryption everywhere is not necessarily the answer
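To make the "all it sees is an encrypted tunnel" point concrete, here is an added example (not code from the original deck): a signature-matching sensor run over the same attack request in cleartext and after it has gone through a tunnel. The keystream cipher is a stand-in for the SSL record layer so the example runs with the standard library alone; it is not a real transport protocol. The signature set, session key and request are constructed for illustration.

```python
"""Added example (not from the original slides): a network signature sensor
matches the attack in cleartext but sees nothing once the same bytes go
through an encrypted tunnel; only an endpoint holding the key can inspect.
The HMAC keystream cipher is a stand-in for SSL/TLS, not a real protocol.
Signatures, key and traffic are constructed for illustration."""
import hashlib
import hmac
from typing import Dict, List

# Constructed signature set of the sort a signature-based NIDS carries.
SIGNATURES = {
    "sqli-or-1=1": b"' or 1=1",
    "cmd.exe-traversal": b"/..%255c../winnt/system32/cmd.exe",
}


def nids_inspect(wire_bytes: bytes) -> List[str]:
    """Network sensor: pattern-match whatever is on the wire, nothing more."""
    return [name for name, pat in SIGNATURES.items() if pat in wire_bytes]


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256 (stand-in for the TLS
    record layer; deterministic so the example is repeatable)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def tunnel_encrypt(key: bytes, plaintext: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(plaintext, keystream(key, len(plaintext))))


tunnel_decrypt = tunnel_encrypt  # XOR with the keystream is its own inverse


def endpoint_inspect(key: bytes, wire_bytes: bytes) -> List[str]:
    """Host-based (or tunnel-terminating) inspection: decrypt, then match."""
    return nids_inspect(tunnel_decrypt(key, wire_bytes))


# Constructed traffic.
ATTACK = (b"GET /login.asp?user=admin' or 1=1-- HTTP/1.1\r\n"
          b"Host: www.example.test\r\n\r\n")
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
SESSION_KEY = hashlib.sha256(b"constructed session key, not a real one").digest()


def compare() -> Dict[str, List[str]]:
    """Alerts raised at each vantage point for the attack request."""
    ciphertext = tunnel_encrypt(SESSION_KEY, ATTACK)
    return {
        "benign_cleartext": nids_inspect(BENIGN),
        "attack_cleartext_nids": nids_inspect(ATTACK),
        "attack_encrypted_nids": nids_inspect(ciphertext),
        "attack_endpoint_after_decrypt": endpoint_inspect(SESSION_KEY, ciphertext),
    }


if __name__ == "__main__":
    for where, alerts in compare().items():
        print(f"{where:32s} {alerts or 'no alert'}")
```

The sensor in front of the server alerts on the cleartext request and is silent on the tunnelled one; the endpoint that owns the key still alerts. That is the design choice the slide is pointing at: either terminate the tunnel at something that inspects (a reverse proxy, an ISA-style application filter) or move the detection to the host.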
So then we have Intrusion Detection, that will stop 'em….
Detects the pattern of common attacks, records suspicious traffic in event logs and/or alerts administrators, can collate patterns from nodes
Threats and vulnerabilities are constantly evolving, which leaves systems vulnerable until a new attack is known and a new signature is created and distributed… hey, this is a good commercial model
Encryption makes network-based ones useless (mostly)
Client-side ones have to be managed and their policy distributed
Heuristic systems are not very common (yet)
Other Network Based Devices
Network-based IDS/IPS/AV and internal firewalls need to be placed where they can see traffic and where they can act upon it
Switches can apply firewall-like rules of what can go where, when and how
Your routing tables can act as segmentation devices; so can IPSec…
What is IP Security (IPSec)?
A method to secure IP traffic at the IP (network) layer, beneath the transport protocols
A method to mutually authenticate end points
Framework of open standards developed by the Internet Engineering Task Force (IETF)
Uses of IPSec
To ensure encrypted and authenticated communications at the IP layer
To provide transport security that is independent of applications or application-layer protocols
Protects against spoofing, tampering on the wire, information disclosure
Cheap firewall for Windows 2000 (IPSec filter lists with permit/block actions double as a static packet filter)
Provides a mechanism for tunnelling – probably as bad as good
Overview of IPSec (diagram)
Host Based O/S Defences
Much conventional technology is focused on this area – host hardening
Hardened machines – components removed, configuration enforced, software execution controlled, domain aware
Authentication schemes like Kerberos ensure end points are who they say they are – Kerberos is one part of AD, not all of it
Important to mutually authenticate – not just client to server
IPSec can do IP network-level end point authentication
Patch Management – Beware Myths around this….
Patch management is important – but not the be-all-and-end-all of security – do it right = no bonus; wrong = job
Goal is to eliminate discovered code vulnerability
If the human body did patch management like IT, we would all be dead…
There have to be other defences in place to buy time for yourself whilst you fix the vulnerability
Zero-day exploits will be faster than any possible patch solution for many years to come
Many solutions coming from vendors and third parties – but they won't fundamentally change this… yet
Host Based Firewalls
Goal
Machines treat other network peers as hostile – untrusted
Blocks connections from outside sources unless they have been initiated locally first
Prevent "drones" on the Internet and corporate networks compromised by worms (of any vendor's making)
XP and WS2003: built into the OS; other OSs: third-party providers
WF (Windows Firewall) is on by default in almost all configurations
Effectiveness depends on when it boots and what ports are left open
WF – boot-time protection – runs in kernel mode
WF – multiple profile support
Egress filtering (outbound) is still a major feature differential
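The three behaviours this slide names (allow only what was initiated locally, lose that protection for any port left open, and the outbound filtering most host firewalls of the day lacked) fit in one small connection tracker. This is an added example, not code from the original deck or from Windows Firewall; the flow samples, addresses and ports are constructed for illustration.

```python
"""Added example (not from the original slides): a minimal stateful host
firewall. Inbound segments are allowed only if they belong to a connection
this host opened, or hit an explicitly opened port; an optional egress
allow-list decides which outbound connections may start. Flows, addresses
and ports are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Segment:
    direction: str    # "out" = sent by this host, "in" = arriving at this host
    local_port: int
    remote_ip: str
    remote_port: int


class HostFirewall:
    def __init__(self, listen_ports: Iterable[int] = (),
                 egress_allow: Optional[Iterable[int]] = None):
        self.listen_ports: Set[int] = set(listen_ports)           # "ports left open"
        self.egress_allow: Optional[Set[int]] = (None if egress_allow is None
                                                 else set(egress_allow))
        self.state: Set[Tuple[int, str, int]] = set()             # locally initiated flows

    def filter(self, s: Segment) -> str:
        key = (s.local_port, s.remote_ip, s.remote_port)
        if s.direction == "out":
            if key in self.state:
                return "allow"                 # continuing an existing flow
            if self.egress_allow is not None and s.remote_port not in self.egress_allow:
                return "drop-egress"           # new outbound not on the allow-list
            self.state.add(key)                # locally initiated: remember it
            return "allow"
        if key in self.state:
            return "allow"                     # reply to something we started
        if s.local_port in self.listen_ports:
            self.state.add(key)
            return "allow"                     # explicit exception (e.g. file sharing)
        return "drop-unsolicited"              # nobody here asked for this


# Constructed flow sample: a user browsing, a worm probing in, an infected
# host scanning out.
FLOWS: List[Segment] = [
    Segment("out", 49152, "203.0.113.9", 80),      # browser opens a web page
    Segment("in",  49152, "203.0.113.9", 80),      # the server's reply
    Segment("in",  445,   "198.51.100.4", 4444),   # worm probing SMB
    Segment("in",  135,   "198.51.100.4", 4445),   # worm probing RPC
    Segment("out", 1035,  "198.51.100.77", 445),   # this host scanning outwards
]


def run(fw: HostFirewall, flows: List[Segment] = FLOWS) -> List[str]:
    return [fw.filter(s) for s in flows]


def compare() -> Dict[str, List[str]]:
    """The same flows through three configurations."""
    return {
        "inbound_only": run(HostFirewall()),
        "file_share_exception": run(HostFirewall(listen_ports={445})),
        "with_egress_filter": run(HostFirewall(egress_allow={80, 443, 53})),
    }


if __name__ == "__main__":
    for name, decisions in compare().items():
        print(f"{name:22s} {decisions}")
```

Only the third configuration stops the infected host from scanning outward; the first two let it, which is what "egress filtering is still a major feature differential" means in practice. Opening port 445 for file sharing re-admits the worm probe on that port, so the exceptions list is the thing to audit.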
Host Based Security Technologies
Anti-Virus
Looks for signatures of pathogens, usually in files or email-linked clients
Real-time scanning for known issues
Dependent on continual refresh of signatures
Host Based IDS
Looks for patterns at the network packet or file level; frequently bundles a host firewall as well
Sends information to a central point for gathering
Some can look for behaviour deltas
Host Domain Security Design
(Diagram: OU hierarchy – Domain → Department OU → Windows XP OU → Desktop OU / Laptop OU, plus a Secured XP Users OU; Domain Policy, Desktop Policy, Laptop Policy and Secured XP Users Policy linked at the corresponding levels)
AD is amongst the best security tools
Frequent re-application of host security policy
Hierarchical application
NTFS, registry, permissions, security settings, groups, services all can be controlled – a thousand-plus settings
Further settings can be applied in custom templates
Host Based Challenges
Unless technologies are behavioural or heuristic they are linked to signatures of attack patterns, which means latency in policy deployment
AD Group Policy refresh is 90 min ± 30 min, and it doesn't re-apply everything if the host changed – only if the policy changes on the server
Deploying policy and its response time can be an issue – Slammer took 9 secs to bring down a network
Behavioural heuristics are coming – which will actively build profiles and stop things outside them
Security Auditing
Understand what is going on – in human terms, auditing is the most important thing
If someone walks up to the bank and takes out a machine gun, someone will notice
Anyone could break into anywhere if given enough explosives, people and attitude
What stops them is that someone notices and counteracts them – police, army, SWAT, etc.
Ultimately, security is about having enough defences in place to stop someone from doing something – until you notice them doing it and stop them
If you don't notice them doing it, then all your efforts will eventually fail
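Noticing is only possible if the audit trail is collected and something reads it. The following is an added example, not code from the original deck: a detector over a constructed slice of Windows-style security audit events that raises when one source produces a burst of failed logons and then a success, the pattern of a password-guessing attack that got in. The event IDs loosely follow the Windows Server 2003 logon audit IDs (529 failure, 528 success); hosts, users, timestamps and the log format are constructed for illustration.

```python
"""Added example (not from the original slides): detection over audit events.
Raise when a source produces >= threshold failed logons inside a time window
and then logs on successfully. Event IDs follow Windows Server 2003 logon
audits loosely (529 = failure, 528 = success); the log lines, hosts, users
and timestamps are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

# Constructed audit log: "timestamp|event_id|account|source_ip|workstation"
AUDIT_LOG = """\
2003-11-04T09:00:01|528|alice|10.0.3.15|WKS015
2003-11-04T09:12:10|529|administrator|198.51.100.23|SRV-WEB1
2003-11-04T09:12:11|529|administrator|198.51.100.23|SRV-WEB1
2003-11-04T09:12:12|529|administrator|198.51.100.23|SRV-WEB1
2003-11-04T09:12:13|529|administrator|198.51.100.23|SRV-WEB1
2003-11-04T09:12:14|529|administrator|198.51.100.23|SRV-WEB1
2003-11-04T09:12:15|529|administrator|198.51.100.23|SRV-WEB1
2003-11-04T09:12:16|528|administrator|198.51.100.23|SRV-WEB1
2003-11-04T09:20:00|529|bob|10.0.3.22|WKS022
2003-11-04T09:20:05|528|bob|10.0.3.22|WKS022
"""

FAILED, SUCCESS = "529", "528"


def parse(log: str) -> List[dict]:
    events = []
    for line in log.splitlines():
        ts, eid, acct, src, wks = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "id": eid,
                       "account": acct, "src": src, "workstation": wks})
    return events


def detect_guess_then_success(events: List[dict], threshold: int = 5,
                              window: timedelta = timedelta(minutes=2)) -> List[dict]:
    """One alert per source whose recent failures (within `window`) reach
    `threshold` and are then followed by a success from the same source.
    Bob's single typo followed by a correct password does not qualify."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        q = failures[e["src"]]
        while q and e["ts"] - q[0] > window:   # forget failures outside the window
            q.popleft()
        if e["id"] == FAILED:
            q.append(e["ts"])
        elif e["id"] == SUCCESS and len(q) >= threshold:
            alerts.append({"src": e["src"], "account": e["account"],
                           "failures": len(q), "at": e["ts"].isoformat()})
            q.clear()                           # report each burst once
    return alerts


if __name__ == "__main__":
    for a in detect_guess_then_success(parse(AUDIT_LOG)):
        print(f"ALERT {a['at']} {a['src']} -> {a['account']} "
              f"after {a['failures']} failures")
```

With auditing of logon events switched off there is nothing to parse and the successful guess against the administrator account looks like any other logon; the detector only works because the failures were recorded in the first place.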
And finally….. we have the application
The application is what the IT asset exists to do – securing it is critical
Depends on guidance from vendors, architecture, and required privileges and design
Secure by Design, Default, and in Deployment is the Microsoft guidance; other vendors have theirs
Too many application details to mention
Common Database Server Threats and Countermeasures
(Diagram: Browser → Perimeter Firewall → Web App → Internal Firewall → SQL Server)
Threats: unauthorized external access; SQL injection; password cracking; network eavesdropping
Network vulnerabilities: failure to block SQL ports
Configuration vulnerabilities: over-privileged service account; weak permissions; no certificate
Web app vulnerabilities: over-privileged accounts; weak input validation
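Of the threats in that diagram, SQL injection is the one the web application itself creates, and "weak input validation" and "over-privileged accounts" are what make it bad. The following is an added example, not code from the original deck: the vulnerable login query beside the parameterised one, against an in-memory SQLite table constructed for the purpose (the slide's target is SQL Server; the injection and the fix have the same shape in any driver), plus the allow-list check that belongs in front of both. Table contents, user names and passwords are constructed for illustration.

```python
"""Added example (not from the original slides): SQL injection through string
concatenation, the parameterised query that closes it, and an allow-list
input check. Uses an in-memory SQLite table constructed for the example;
the slide's target is SQL Server, but the shape of the bug is the same."""
import re
import sqlite3
from typing import Dict, List, Tuple


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin", "S3cret!", "dba"),      # constructed
        ("alice", "hunter2", "user"),     # constructed
    ])
    return conn


def login_vulnerable(conn: sqlite3.Connection, user: str,
                     password: str) -> List[Tuple[str, str]]:
    """Deliberately broken: attacker-controlled text becomes part of the SQL."""
    sql = ("SELECT name, role FROM users WHERE name = '" + user +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_parameterised(conn: sqlite3.Connection, user: str,
                        password: str) -> List[Tuple[str, str]]:
    """Placeholders: values travel separately from the statement and can
    never change its structure, whatever characters they contain."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (user, password)).fetchall()


# Allow-list validation: reject anything that is not a plausible user name
# before it reaches the database at all.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def valid_username(user: str) -> bool:
    return USERNAME_RE.fullmatch(user) is not None


def demo() -> Dict[str, object]:
    conn = make_db()
    injected_user = "admin' --"   # closes the string, comments out the password check
    return {
        "vulnerable": login_vulnerable(conn, injected_user, "wrong"),
        "parameterised": login_parameterised(conn, injected_user, "wrong"),
        "validated": valid_username(injected_user),
        "legit": login_parameterised(conn, "alice", "hunter2"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:14s} {v}")
```

The vulnerable form logs the attacker in as `admin` with a wrong password; the parameterised form returns nothing, and the allow-list rejects the input before a query is built. The privilege point from the slide still applies on top: the query runs as whatever account the web app uses, so with a `dba`-level connection the same injection can do far more than read one row.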
Exchange Architecture
(Diagram: Internet – Firewall – Exchange Front End – potential Firewall – Back End mail server; Internal Clients on the Internal Net; DC/GC)
Port annotations in the diagram: TCP 80, TCP 443 for web; TCP 80 / TCP 443 encapsulating RPC; TCP 25 for inbound and outbound mail; TCP 25 in/out, TCP 443 in, TCP 80 in; RPC or RPC over HTTP; "too many to list (see slide)"; to DC/GC: RPC, GC, Kerberos, Netlogon (depends on auth status)
Closing Out Our Tour
Security is about natively stopping them doing bad/dumb things for just long enough for you to notice and take corrective action, whilst allowing everything else to work
You have to know how your system works
You have to assume they know how it works (obscurity is no defence)
Any questions…..
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.