Page 1: Technical Overview of Security
Fred Baumhardt, Lead Security Technology Architect, Microsoft EMEA
fred@microsoft.com or MSN fredbaum@hotmail.com

Page 2: Plan of Action
• This session is about questions – not answers
• Understand the Security Problem
• Understand the Roots of Security and IP
• Look at Modern Security Technologies
• Perimeter based – what is a perimeter anyway?
• Network Based
• Host Based and Domain Based
• People… the final frontier (and dumbest too)

Page 3: The Datacenter Security Problem
(Diagram labels: Some Core Systems, Internet Systems, Departments, Extranets, Branch Offices, Project 1…n System)
• Systems organically grown under “Project” context
• No clear best practice from vendors
• Security often bolted on as an afterthought
• Fear of change – Time to Market
• Branch has poor bandwidth and is under-managed
• Worm always smaller than patch

Page 4: The External User Problem
• Grandmothers aren’t good at patching – neither are vendors… yet
• People at large suffer from itcanthappentome-itis
• ADSL, Cable and other technologies make non-secure users the majority – most Internet IPs are not policed or managed
• External drones can bring down your network in seconds by DDoS, co-ordinated attacks, relay points

Page 5: Internal User Problems (abridged)
• VPN and Remote Access put our “trusted” people into the untrusted Internet
• Users treat corporate assets as personal property
• Infections come into our perimeter from mixing internal/external user roles – e.g. home use of a laptop to browse funbags.com
• When inside – our users don’t follow/know our security policy (if we have one)
• Users versus IT department mentality (and vice versa)

Page 6: And Just When You Thought It Couldn’t Get Worse…
• The Network lets you down
• Modern nets are generally large TCP/IP spaces segmented by one or two sets of firewalls to the Internet (the DMZ – more on this little gem later)
• IT usually does little internal network protection, focusing on external firewalls and DMZ scenarios for security
• Attackers switch attacks to the application level, which network equipment can’t understand

Page 7: The Security Strategy Toolbox
(Diagram of defence layers, outermost to innermost: Policies, Procedures & Awareness; Physical Security; Perimeter; Internal Network; Host; Application; Data)
• Data and Resources: ACLs, EFS, AV, AD, App Coding
• Application Defences: AV, Content Scanning, Layer 7 (URL) Switching, secure apps like IIS, Exchange, authentication
• Host Defences: Server Hardening, Host Intrusion Detection, IPSec Filtering, Auditing, AD
• Network Defences: VLAN Access Control Lists, Internal Firewall, Auditing, Intrusion Detection
• Perimeter Defences: Packet Filtering with stateful Inspection of Packets, Intrusion Detection, ALF, IDS/IPS, Pre-Authentication

Page 8: Purpose and Limitations of Perimeter Defences
• Properly configured firewalls and border routers are the cornerstone for perimeter security – and possibly internally too
• The Internet and mobility increase security risks
• VPNs have “softened” the perimeter and, along with wireless networking, have essentially caused the disappearance of the traditional concept of network perimeter
• Traditional packet-filtering firewalls block only network ports and computer addresses
• Most modern attacks occur at the application layer

Page 9: The DMZ… A Favourite Myth
• In military terms – it is where you put your unwanted soldiers (they will die quickly)
• An area where neither side will place heavy weapons (except the attacking side breaking the DMZ rules)
(Diagram, shown twice: Internet – DMZ – Internal Network)

Page 10: Traditional IT DMZs
• A rear firewall (or rear ruleset) is placed to protect the internal network from the DMZ in case the front firewall is breached
• Placement of semi-trusted machines – like proxies, SMTP relays, web servers
• Semi-trusted is like semi-pregnant
• Rear firewalls look like Swiss cheese
• At the application level all traffic that is needed is allowed – like DB ports, DC ports
• Devices that filter aren’t application aware

Page 11: Firewall Perimeter Technology
• Packet inspection devices that take traffic on one side – and allow it or block it based on rules you define
• Limited by what they inspect – source, destination, port, sequence, TTL – new devices can inspect at the data and application layer
• Encryption can invalidate these defences

Page 12: Other Perimeter Technologies
• Intrusion Detection/Prevention – more later
• Anti-Virus, Anti-Spam Gateways – content filters and inspection devices for inbound or outbound traffic
• ISA Server 2004 is custom built for this scenario
• VPN solutions – for extending corporate resources – multi-factor, smart cards, SecurID etc. – VPN quarantine: park a user whilst their state and patch level is checked
• Private perimeter domains/forests to power Windows Security Policy

Page 13: VPN Security
• Warning – every time you connect into a network you extend the security perimeter
• Harden your clients on the Internet or hackers will attack clients and ride the VPN; tokens won’t help as the VPN will already be established
• Client-based IDS systems and firewalls can help
• Most organisations infected recently by worms were done by laptops or mobile assets VPNing back into the network, or coming back from external infection
• VPN Quarantine such as Windows 2003’s is critical

Page 14: Alternatives to VPN
• Mail – around 80% of the reason for VPN usage
• RPC/HTTP for Exchange 2003 <-> Outlook 2003 mail
• Remote mail access formats (OWA)
• IMAP/POP3 not fully featured – avoid if possible
• SSL for extranet-enabled applications
• RPC filtration with ISA Server

Page 15: Network Defences
• Conventional networks don’t usually segment or use concepts such as VLANning (virtual LANs)
• Modern networks are one big open space under the water line
• Once infections come in – the faster the network, the faster they spread

Page 16: Segmentation… A previously naughty word
(Diagram of a segmented network; labels: INTERNET, Redundant Routers, Redundant Firewalls, Perimeter, DNS & SMTP, Client and Site VPN, Proxy, RADIUS Network, Intranet Network – Web Servers, Messaging Network – Exchange FE, Redundant Internal FWs, IDS/IPS, INTERNAL, Infrastructure Network – Internal Active Directory, Management Network – MOM, deployment, Client Networks 1…n, Data Network – SQL Server Clusters, Messaging Network – Exchange BE, Remote datacenter; each network on its own VLAN, NIC teams/2 switches)

Page 17: Which leads us to encryption…
• Use of cryptography to encrypt the payload of a transmission – can be at:
  • Data level – like Kerberos keys, app specific
  • Transport level – SSL, IPSEC etc
• Many different symmetric and asymmetric algorithms – their strength determines effect
• Invalidates most IDS, firewall inspection, logging, caching etc. E.g. an SSL tunnel from client to web server invalidates:
  • Front firewall (all it sees is an encrypted tunnel)
  • Front IDS (all it sees is an encrypted tunnel)
• Encryption everywhere is not necessarily the answer

Page 18: So then we have Intrusion Detection, that will stop ’em…
• Detects the pattern of common attacks, records suspicious traffic in event logs and/or alerts administrators; can collate patterns from nodes
• Threats and vulnerabilities are constantly evolving, which leaves systems vulnerable until a new attack is known and a new signature is created and distributed… hey, this is a good commercial model
• Encryption makes network-based ones useless (mostly)
• Client-side ones have to be managed and their policy distributed
• Heuristic systems are not very common (yet)

Page 19: Other Network Based Devices
• Network-based IDS/IPS/AV and internal firewalls need to be placed where they can see traffic, where they can act upon it
• Switches can apply firewall-like rules of what can go where, when and how
• Your routing tables can act as segmentation devices; so can IPSEC…

Page 20: Overview of IPSec
What is IP Security (IPSec)?
• A method to secure IP traffic at the transport level
• A method to mutually authenticate end points
• Framework of open standards developed by the Internet Engineering Task Force (IETF)
Uses of IPSec?
• To ensure encrypted and authenticated communications at the IP layer
• To provide transport security that is independent of applications or application-layer protocols
• Protects against spoofing, tampering on the wire, information disclosure
• Cheap firewall for Windows 2000
• Provides a mechanism for tunneling – probably as bad as good

Page 21: Host Based O/S Defences
• Much conventional technology is focused on this area – host hardening
• Hardened machines – components removed, configuration enforced, software execution controlled, domain aware
• Authentication schemes like Kerberos to ensure end points are who they say they are – Kerberos is one part of AD, not all of it
• Important to mutually authenticate – not just client to server
• IPSEC can do IP network-level end point authentication

Page 22: Patch Management – Beware Myths around this…
• Patch management is important – but not the be-all-and-end-all of security – do it right = no bonus; wrong = job
• Goal is to eliminate discovered code vulnerability
• If the human body did patch management like IT – we would all be dead…
• There have to be other defences in place to buy time for yourself whilst you fix the vulnerability
• Zero-day exploits will be faster than any possible patch solution for many years to come
• Many solutions coming from vendors and third parties – but they won’t fundamentally change this… yet

Page 23: Host Based Firewalls
Goal
• Machines treat other network peers as hostile – untrusted
• Blocks connections from outside sources unless they have been initiated locally first
• Prevent “drones” on the Internet and corporate networks compromised by worms (of any vendor’s making)
• XP and WS2003: built in to the OS; other OSs: third-party providers
• WF (Windows Firewall) is on by default in almost all configurations
• Effectiveness depends on when it boots, and what ports are left open
• WF – boot-time protection – runs in kernel mode
• WF – multiple profile support
• Egress filtering (outbound) still a major feature differential

Page 24: Host Based Security Technologies
Anti-Virus
• Looks for signatures of pathogens, usually in files or email-linked clients
• Real-time scanning for known issues
• Dependent on continual refresh of signatures
Host Based IDS
• Looks for patterns – at network packet or file level; frequently bundles a host firewall as well
• Sends information to a central point for gathering
• Some can look for behaviour deltas

Page 25: Host Domain Security Design
(Diagram of an OU hierarchy; labels: Domain, Department OU, Secured XP Users OU, Windows XP OU, Desktop OU, Laptop OU; linked policies: Domain Policy, Secured XP Users Policy, Laptop Policy, Desktop Policy)
• AD is amongst the best security tools
• Frequent re-application of host security policy
• Hierarchical application
• NTFS, registry, permissions, security settings, groups, services all can be controlled – a thousand-plus settings
• Further settings can be applied in custom templates

Page 26: Host Based Challenges
• Unless technologies are behavioural or heuristic they are linked to signatures of attack patterns, which means latency in policy deployment
• AD is 90 min ± 30 for policy size – and it doesn’t apply everything if the host changed – only if the server changes
• Deploying policy and its response time can be an issue – Slammer took 9 secs to bring down a network
• Behavioural heuristics are coming – which will actively build profiles and stop things outside them

Page 27: Security Auditing
• Understand what is going on – in human terms auditing is the most important thing
• If someone walks up to the bank and takes out a machine gun – someone will notice
• Anyone could break into anywhere if given enough explosives, people and attitude
• What stops them is that someone notices and counteracts them – police, army, SWAT, etc
• Ultimately, security is about having enough defences in place to stop someone from doing something – until you notice them doing it and stop them
• If you don’t notice them doing it – then all your efforts will eventually fail
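The slide's argument is that defences only buy time until someone notices. As an added example (not part of the deck), the following detection logic runs over a constructed sample of Windows 2000/2003-style security audit lines and raises an alert when one source address produces a burst of logon failures (Event ID 529) inside a short window, and again if that same source then logs on successfully (Event ID 528). The line format, threshold and window are assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

LOGON_FAILURE = 529   # Windows 2000/2003 security log: unknown user name or bad password
LOGON_SUCCESS = 528   # Windows 2000/2003 security log: successful logon

# Constructed sample of already-collected audit lines (not real log data)
SAMPLE_LOG = """\
2003-08-12T09:00:01 EventID=528 User=alice Source=10.0.0.21
2003-08-12T09:01:10 EventID=529 User=administrator Source=10.0.0.9
2003-08-12T09:01:12 EventID=529 User=administrator Source=10.0.0.9
2003-08-12T09:01:15 EventID=529 User=administrator Source=10.0.0.9
2003-08-12T09:01:17 EventID=529 User=administrator Source=10.0.0.9
2003-08-12T09:01:20 EventID=529 User=administrator Source=10.0.0.9
2003-08-12T09:01:25 EventID=528 User=administrator Source=10.0.0.9
2003-08-12T09:30:00 EventID=529 User=bob Source=10.0.0.33
"""

Alert = Tuple[str, str, str, Optional[int]]   # (kind, source, user, failure count)


def parse_line(line: str) -> Dict[str, object]:
    """Parses one '<timestamp> Key=Value ...' line of the assumed format."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.fromisoformat(ts),
        "event": int(kv["EventID"]),
        "user": kv["User"],
        "source": kv["Source"],
    }


def detect(lines: List[str], threshold: int = 5, window: timedelta = timedelta(minutes=1)) -> List[Alert]:
    """Returns alerts for failure bursts per source and for a success following such a burst."""
    recent: Dict[str, deque] = defaultdict(deque)   # source -> timestamps of failures inside the window
    burst_sources = set()                           # sources already flagged, to avoid repeat alerts
    alerts: List[Alert] = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        src = ev["source"]
        if ev["event"] == LOGON_FAILURE:
            q = recent[src]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold and src not in burst_sources:
                burst_sources.add(src)
                alerts.append(("failure_burst", src, ev["user"], len(q)))
        elif ev["event"] == LOGON_SUCCESS and src in burst_sources:
            # A success after a burst is the event most worth a human's attention
            alerts.append(("success_after_burst", src, ev["user"], None))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample, the single failure from 10.0.0.33 produces nothing, while 10.0.0.9 trips the burst rule on its fifth failure and then the success-after-burst rule; both are the kind of "someone notices" signal the slide is about, and neither requires a signature for the particular tool being used.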

Page 28: and finally… we have the application
• The application is what the IT asset exists to do – securing it is critical
• Depends on guidance from vendors, architecture, and required privileges and design
• Secure by Design, Default, and in Deployment is the Microsoft guidance; other vendors have theirs
• Too many application details to mention

Page 29: Common Database Server Threats and Countermeasures
(Diagram: Browser – Web App – SQL Server, with a Perimeter Firewall and an Internal Firewall between the zones)
Threats: unauthorized external access, SQL injection, password cracking, network eavesdropping
• Network vulnerabilities: failure to block SQL ports
• Configuration vulnerabilities: overprivileged service account, weak permissions, no certificate
• Web app vulnerabilities: overprivileged accounts, weak input validation
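Two of the web-app weaknesses named on the slide, SQL injection and weak input validation, are easiest to see side by side in code. The following is an added example for this page, not from the deck or from SQL Server: it uses Python's bundled sqlite3 module with a constructed two-row users table, shows a query built by string concatenation next to the same query with bound parameters, and adds an allow-list check on the username as the input-validation layer. Table contents, user names and the username pattern are all assumptions of the example.

```python
import re
import sqlite3
from typing import List

# Allow-list for usernames (assumed policy): letters, digits, dot, underscore, hyphen, 1-32 chars
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def make_db() -> sqlite3.Connection:
    """Builds an in-memory table with constructed rows (plaintext passwords only to keep the example short)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> List[str]:
    """Weak form: user input is spliced into the SQL text, so it can change the query's structure."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn: sqlite3.Connection, name: str, password: str) -> List[str]:
    """Hardened form: values are bound separately and compared as data, never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def valid_username(name: str) -> bool:
    """Input validation as a second layer: reject anything outside the allow-list before it reaches SQL."""
    return USERNAME_RE.fullmatch(name) is not None


def login_hardened(conn: sqlite3.Connection, name: str, password: str) -> List[str]:
    """Validation plus parameterization: the combination the slide's countermeasures call for."""
    if not valid_username(name):
        return []
    return login_parameterized(conn, name, password)


if __name__ == "__main__":
    db = make_db()
    crafted = "alice' --"   # constructed input: the quote closes the literal, '--' comments out the rest
    print(login_vulnerable(db, crafted, "wrong"))      # ['alice']  password check bypassed
    print(login_parameterized(db, crafted, "wrong"))   # []         compared as a literal name, no match
    print(login_hardened(db, crafted, "wrong"))        # []         rejected before the query runs
```

The vulnerable function returns a row for the crafted name even though the password is wrong, because the input rewrote the WHERE clause; the parameterized version compares the same string as a literal value and finds no such user. Validation on its own is not the fix (a legitimate-looking name still reaches the query), which is why the hardened form keeps both layers; the slide's other countermeasures, least-privileged accounts and blocked SQL ports, limit what a successful injection could reach and sit outside what this snippet can show.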

Page 30: Exchange Architecture
(Diagram labels: Front End, Backend, Firewall, Potential Firewall, Mail Server, Internal Clients, Internal Net, DC/GC)
Port labels on the diagram:
• TCP 80, TCP 443 for web
• TCP 80, TCP 443 encapsulating RPC
• TCP 25 for inbound and outbound mail
• TCP 25 in/out, TCP 443 in, TCP 80 in
• RPC or RPC over HTTP
• To DC/GC: RPC, GC, Kerb, Netlogon – too many to list (see slide); depends on auth status

Page 31: Closing Out Our Tour
• Security is about natively stopping them doing bad/dumb things for just long enough for you to notice, and take corrective action whilst allowing everything else to work
• You have to know how your system works
• You have to assume they know how it works (obscurity is no defence)
• Any questions…

Page 32: © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.