
Posted on 31-Mar-2015


Network security with 802.1x and NAP

Alberto Camina Alvarez, EMEA GTSC Spain Platform Support Specialist, Microsoft Product Support Services

The Defense in Depth model

Layers of the model and the controls at each layer (slide diagram):

Policies, Procedures, & Awareness
Physical Security: guards, locks, tracking devices
Perimeter: firewalls, Network Access Quarantine Control
Internal Network: network segments, IPSec, NIDS
Host: OS hardening, authentication, patch management, HIDS
Application: application hardening, antivirus
Data: ACLs, encryption, EFS

Perimeter defenses.

Well-configured firewalls and external routers form the main boundary and defense point of network security. The Internet and the new mobility trends increase security problems. VPNs have blurred the perimeter and, together with wireless networks, have made the classic network perimeter disappear.

Client defenses.

Client defenses are responsible for blocking attacks that have passed the external network perimeter or that originated on the internal network. Client defenses include:

Security improvements in the operating system
Antivirus
Personal firewalls

In unmanaged environments, users can bypass and disable client defenses.

Network security goals.

Goals (slide diagram): perimeter defense, client defense, intrusion detection, network access control, confidentiality, secure remote access.

Technologies shown for these goals: ISA Server, ICF, 802.1x / WPA, IPSec.

Using perimeter defenses.

A view of today's networks (slide diagram): Main Office LAN, Business Partner LAN, Branch Office LAN, Wireless Network, Remote Users, Internet.

Network perimeters include connections to:

The Internet
Branch offices
Business partners
Remote users
Wireless networks
Internet applications

Firewall design.

Screened subnet with a single firewall (slide diagram): Internet, Firewall, Screened Subnet, LAN.

Screened subnet with two firewalls (slide diagram): Internet, External Firewall, Screened Subnet, Internal Firewall, LAN.

What firewalls do not protect us against

Malicious traffic that passes through open ports and is not inspected by the firewall.
Any type of traffic that passes inside an encrypted tunnel or session.
Attacks carried out after penetrating the network.
Users and administrators who intentionally or accidentally install viruses.
Administrators who use weak passwords.

Software vs. Hardware Firewalls

Decision factor: Description
Flexibility: Updating for the latest vulnerabilities and patches is often easier with software-based firewalls.
Extensibility: Many hardware firewalls allow only limited customizability.
Choice of vendors: Software firewalls allow you to choose hardware for a wide variety of needs, and there is no reliance on a single vendor for additional hardware.
Cost: The initial purchase price for hardware firewalls might be less. Software firewalls take advantage of low CPU costs; the hardware can be easily upgraded, and old hardware can be repurposed.
Complexity: Hardware firewalls are often less complex.
Overall suitability: The most important decision factor is whether a firewall can perform the required tasks. Often the lines between hardware and software firewalls are blurred.

Types of firewalls: packet filtering; application-level inspection; multi-layer inspection (including application-layer filtering).

GOAL: stop 95% of attacks at the perimeter of our network.

Denial of service attacks

They send unexpected or malformed traffic. They usually attack a known but unpatched vulnerability. DoS can:

Create large business losses.
Damage the reputation of the business.

DDoS (slide diagram labels: "Wake up!", "Ping!", "Reply!").

Securing wireless networks

Wireless security problems. Limitations of Wired Equivalent Privacy (WEP):

Static WEP keys are not dynamically changed and therefore are vulnerable to attack.
There is no standard method for provisioning static WEP keys to clients.
Scalability: compromise of a static WEP key by anyone exposes everyone.

Limitations of MAC address filtering: an attacker could spoof an allowed MAC address.

Possible solutions.

Password-based Layer 2 authentication: IEEE 802.1x PEAP/MSCHAP v2
Certificate-based Layer 2 authentication: IEEE 802.1x EAP-TLS
Other options:
VPN connectivity, L2TP/IPsec (preferred) or PPTP: does not allow for roaming; useful when using public wireless hotspots; no computer authentication or processing of computer settings in Group Policy.
IPSec: interoperability issues.

WLAN security comparison.

WLAN Security Type | Security Level | Ease of Deployment | Usability and Integration
Static WEP | Low | High | High
IEEE 802.1X PEAP | High | Medium | High
IEEE 802.1X TLS | High | Low | High
VPN (L2TP/IPSec) | High | Medium | Low
IPSec | High | Low | Low

802.1x

Defines a port-based access control mechanism.
Works on anything, wired or wireless; no special encryption key requirements.
Allows a choice of authentication methods using the Extensible Authentication Protocol (EAP): the method is chosen by the peers at authentication time, and the access point doesn't care about EAP methods.
Manages keys automatically; no need to preprogram wireless encryption keys.

802.1x in 802.11

(Slide diagram: Laptop Computer, Access Point, RADIUS Server; the wireless leg carries 802.11 and EAPOL, the Ethernet leg carries RADIUS.)

Laptop to and from the Access Point (wireless):
802.11 Associate
EAPOL-Start
EAP-Request/Identity
EAP-Response/Identity
EAP-Request (challenge relayed from the RADIUS server)
EAP-Response (credentials)
EAP-Success
EAPOL-Key (Key)

Access Point to and from the RADIUS Server (Ethernet):
Radius-Access-Request
Radius-Access-Challenge
Radius-Access-Request
Radius-Access-Accept

Port state: Access Blocked during association and authentication; Access Allowed after EAP-Success.
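The exchange above, as an added example that is not part of the original deck: a Python model of the supplicant, access point and RADIUS server in which the controlled port stays blocked until EAP-Success, both ends derive the session key locally (it is never sent over the air), and the access point logs the message sequence. The user store, challenge/response and key derivation are constructed stand-ins for the PEAP/MS-CHAP v2 method, not the real one.

```python
import hashlib, hmac, secrets

# Constructed RADIUS user store (assumption: keyed challenge/response stands in for PEAP/MS-CHAP v2).
USERS = {"laptop1": b"correct-horse-battery"}

def derive_key(password, challenge):
    """Both ends derive the session key locally; it is never transmitted."""
    return hmac.new(password, b"session|" + challenge, hashlib.sha256).digest()

class RadiusServer:
    """Authentication server: challenges, verifies credentials, derives the key."""
    def handle(self, req):
        if "identity" in req:                            # first Radius-Access-Request
            self.identity, self.challenge = req["identity"], secrets.token_bytes(16)
            return {"type": "Radius-Access-Challenge", "challenge": self.challenge}
        pw = USERS.get(self.identity, b"")               # second Radius-Access-Request
        expected = hmac.new(pw, self.challenge, hashlib.sha256).digest()
        if pw and hmac.compare_digest(expected, req["response"]):
            return {"type": "Radius-Access-Accept", "key": derive_key(pw, self.challenge)}
        return {"type": "Radius-Access-Reject"}

class Supplicant:
    """Client: answers the identity and challenge requests received over EAPOL."""
    def __init__(self, identity, password):
        self.identity, self.password, self.key = identity, password, None
    def respond(self, eap):
        if eap["type"] == "EAP-Request/Identity":
            return {"type": "EAP-Response/Identity", "identity": self.identity}
        self.key = derive_key(self.password, eap["challenge"])
        resp = hmac.new(self.password, eap["challenge"], hashlib.sha256).digest()
        return {"type": "EAP-Response (credentials)", "response": resp}

class AccessPoint:
    """Authenticator: relays EAP between EAPOL and RADIUS; port stays blocked until EAP-Success."""
    def __init__(self, radius):
        self.radius, self.port_open, self.key, self.log = radius, False, None, []
    def authenticate(self, sup):
        self.log += ["802.11 Associate", "EAPOL-Start", "EAP-Request/Identity"]
        ident = sup.respond({"type": "EAP-Request/Identity"})
        self.log += [ident["type"], "Radius-Access-Request"]
        chal = self.radius.handle({"identity": ident["identity"]})
        self.log += [chal["type"], "EAP-Request"]        # challenge relayed; AP is method-agnostic
        resp = sup.respond({"type": "EAP-Request", "challenge": chal["challenge"]})
        self.log += [resp["type"], "Radius-Access-Request"]
        result = self.radius.handle({"response": resp["response"]})
        self.log.append(result["type"])
        if result["type"] == "Radius-Access-Accept":
            self.key, self.port_open = result["key"], True   # controlled port now forwards
            self.log += ["EAP-Success", "EAPOL-Key (Key)"]
        else:
            self.log.append("EAP-Failure")               # not on the slide; EAP failure result
        return self.port_open
```

Run `AccessPoint(RadiusServer()).authenticate(Supplicant("laptop1", b"correct-horse-battery"))` and inspect `log`; a wrong password leaves the port blocked.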

Requirements for 802.1x

Client: Windows XP. Server: Windows Server 2003 IAS (Internet Authentication Service, our RADIUS server); a certificate on the IAS computer.

802.1x on Windows 2000: client and IAS must have SP3 (see KB article 313664); no zero-configuration support in the client; supports only EAP-TLS and MS-CHAPv2. Future EAP methods in Windows XP and Windows Server 2003 might not be backported.

802.1x setup

1. Configure Windows Server 2003 with IAS
2. Join a domain
3. Enroll computer certificate
4. Register IAS in Active Directory
5. Configure RADIUS logging
6. Add AP as RADIUS client
7. Configure AP for RADIUS and 802.1x
8. Create wireless client access policy
9. Configure clients (don't forget to import the root certificate)

Access policies: conditions

NAS-Port-Type matches Wireless IEEE 802.11 OR Wireless Other.
Windows-Groups = <some group in AD>: optional; allows administrative control; should contain user and computer accounts.

Access policies: profile

Time-out: 60 min. (802.11b) or 10 min. (802.11a/g). No regular authentication methods. EAP type: Protected EAP; use the computer certificate. Encryption: only the strongest (MPPE 128-bit). Attributes: Ignore-User-Dialin-Properties = True.

Wi-Fi Protected Access (WPA)

A specification of standards-based, interoperable security enhancements that strongly increase the level of data protection and access control for existing and future wireless LAN systems. WPA requires 802.1x authentication for network access. Goals:

Enhanced data encryption
Provide user authentication
Be forward compatible with 802.11i
Provide a non-RADIUS solution for small/home offices

Recommended practices.

Use 802.1x authentication
Organize wireless users and computers into groups
Apply wireless access policies using Group Policy
Use EAP-TLS for certificate-based authentication and PEAP for password-based authentication
Configure your remote access policy to support user authentication as well as machine authentication
Develop a method to deal with rogue access points, such as LAN-based 802.1x authentication, site surveys, network monitoring, and user education

Securing communications with IPsec.

What is IP Security (IPSec)? A method to secure IP traffic; a framework of open standards developed by the Internet Engineering Task Force (IETF).

Why use IPSec? To ensure encrypted and authenticated communications at the IP layer; to provide transport security that is independent of applications or application-layer protocols.

IPSec scenarios

Basic permit/block packet filtering
Secure internal LAN communications
Domain replication through firewalls
VPN across untrusted media

Implementing IPSec packet filtering

Filters for allowed and blocked traffic. No actual negotiation of IPSec security associations. Overlapping filters: the most specific match determines the action. Does not provide stateful filtering. Must set "NoDefaultExempt = 1" to be secure.

From IP | To IP | Protocol | Src Port | Dest Port | Action
Any | My Internet IP | Any | N/A | N/A | Block
Any | My Internet IP | TCP | Any | 80 | Permit

Traffic not filtered by IPSec

IP broadcast addresses: cannot secure to multiple receivers.
Multicast addresses: from 224.0.0.0 through 239.255.255.255.
Kerberos: UDP source or destination port 88. Kerberos is a secure protocol, which the Internet Key Exchange (IKE) negotiation service may use for authentication of other computers in a domain.
IKE: UDP destination port 500. Required to allow IKE to negotiate parameters for IPSec security.
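An added example (not from the deck) that models the filter table and the default exemptions described above: overlapping filters resolved by the most specific match, no connection state, and the NoDefaultExempt switch. My Internet IP, the sample packets and the choice that NoDefaultExempt = 1 removes only the Kerberos exemption are assumptions of this model, not a statement about any Windows version.

```python
import ipaddress
from dataclasses import dataclass

ANY = None                                         # wildcard field
MY_IP = ipaddress.ip_address("203.0.113.10")       # constructed "My Internet IP"
BROADCAST = ipaddress.ip_address("255.255.255.255")

@dataclass(frozen=True)
class Filter:
    src: object
    dst: object
    proto: object
    sport: object
    dport: object
    action: str
    def fields(self):
        return (self.src, self.dst, self.proto, self.sport, self.dport)
    def matches(self, pkt):
        keys = ("src", "dst", "proto", "sport", "dport")
        return all(f is ANY or f == pkt[k] for f, k in zip(self.fields(), keys))
    def specificity(self):
        return sum(f is not ANY for f in self.fields())   # more fixed fields = more specific

# The two filters from the slide table (N/A ports are wildcards here).
FILTERS = [Filter(ANY, MY_IP, ANY, ANY, ANY, "Block"),
           Filter(ANY, MY_IP, "TCP", ANY, 80, "Permit")]

def packet(src, dst, proto, sport, dport):
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "sport": sport, "dport": dport}

def default_exemption(pkt, no_default_exempt):
    """Traffic passed without consulting the filters (the slide's list). Assumption of
    this model: NoDefaultExempt = 1 removes only the Kerberos exemption."""
    if pkt["proto"] == "UDP" and pkt["dport"] == 500:
        return "IKE"
    if pkt["dst"] == BROADCAST or pkt["dst"].is_multicast:
        return "broadcast/multicast"
    if not no_default_exempt and pkt["proto"] == "UDP" and 88 in (pkt["sport"], pkt["dport"]):
        return "Kerberos"
    return None

def decide(pkt, no_default_exempt=True):
    """Return (action, reason): exemptions first, then the most specific matching filter."""
    reason = default_exemption(pkt, no_default_exempt)
    if reason:
        return "Permit", "default exemption: " + reason
    hits = [f for f in FILTERS if f.matches(pkt)]
    if not hits:
        return "Permit", "no matching filter"      # the policy does not apply to this traffic
    best = max(hits, key=Filter.specificity)
    return best.action, f"most specific filter (specificity {best.specificity()})"
```

With the default exemptions on, a UDP/88 packet to My Internet IP is passed without ever hitting the Block filter; with NoDefaultExempt = 1 it is blocked.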

IPSec performance

IPSec processing has some performance impact.
IKE negotiation time: about 2–5 seconds initially; 5 round trips; authentication (Kerberos or certificates); cryptographic key generation and encrypted messages; done once per 8 hours by default, settable.
Session rekey is fast: <1–2 seconds, 2 round trips, once per hour, settable.
Encryption of packets.
How to improve? Offloading NICs do IPSec almost at wire speed; use faster CPUs.

Recommended practices.

Plan your IPSec implementation carefully
Choose between AH and ESP
Use Group Policy to implement IPSec policies
Consider the use of IPSec NICs
Never use shared key authentication outside your test lab
Choose between certificates and Kerberos authentication
Use care when requiring IPSec for communications with domain controllers and other infrastructure servers

The problems of 802.1X

What is 802.1X?

Port-based access control method defined by IEEE: http://standards.ieee.org/getieee802/download/802.1X-2001.pdf
EAP provides mutual authentication between devices: ftp://ftp.rfc-editor.org/in-notes/rfc3748.txt
Works over anything: wired, wireless, and
ftp://ftp.rfc-editor.org/in-notes/rfc2549.txt
http://eagle.auc.ca/~dreid

What do you need for 802.1X?

Network infrastructure that supports it (switches, mostly).
Clients and servers that support it: supplicants are included in Windows XP, 2003 and Vista; a download is available for Windows 2000.

Why is it perfect in wireless environments?

The supplicant (client) and the authentication server (RADIUS) generate the session keys. Keys are never sent over the air, so there is nothing for an attacker to use to conduct impersonation or man-in-the-middle attacks. It can be managed centrally with GPOs.

Why is it not so perfect for wired environments?

No GPOs, and we can't retrofit them. Worse, a fundamental protocol design flaw: 802.1X authenticates only at the start of traffic between client and switch. After the switch port opens, everything after that is assumed to be valid. These kinds of assumptions allow MITM attacks! It does require physical access to the network.

Attacks against 802.1x

(Slide diagram: two hosts, the victim and the attacker's shadow, both shown with IP 1.2.3.4 and MAC aa:bb:cc:dd:ee:ff; the shadow is labelled "drop all inbound not for me"; the victim authenticates to the switch.)

How it works.

802.1X lacks per-packet authentication. It assumes that the post-authentication traffic is valid, based on MAC and IP only. The switch has no idea what's happened!

The attacker can communicate only over UDP: the victim would reset any TCP reply it received but didn't send (the victim sees the reply addressed to the shadow).

Attacks against 802.1x

(Slide diagram: both hosts with IP 1.2.3.4 and MAC aa:bb:cc:dd:ee:ff; labels in order: SYN, ACK-SYN (delivered to both hosts), RST, ACK-RST (delivered to both hosts).)

It can be improved!!

If the victim computer happens to run a personal firewall... which drops unsolicited ACK-SYNs... It gets better!

The attack... improved.

(Slide diagram: both hosts with IP 1.2.3.4 and MAC aa:bb:cc:dd:ee:ff; labels in order: SYN, ACK-SYN (delivered to both hosts), ACK.)

Solutions.

Despite what the networking vendors claim, 802.1X is inappropriate for preventing rogue access to the network. Good security mechanisms never assume that computers are playing nicely. 802.1X makes this incorrect assumption; IPsec does not.

If you're worried about bad guys flooding your network... then 802.1X + IPsec is the way to go.

Trusted users disclosing high-value data
Compromise of trusted credentials
Untrusted computers compromising other untrusted computers
Loss of physical security of trusted computers
Lack of compliance mechanisms for trusted computers
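An added example (not from the deck) that contrasts the two trust models argued in this section: a switch port that authenticates once and then trusts MAC + IP for every later frame, beside a receiver that checks a keyed integrity tag on every packet, which is what IPsec adds. The frames, the shared-MAC/IP scenario from the slides and the toy integrity tag are constructed for the demonstration and do not touch a network.

```python
import hashlib, hmac

def integrity_tag(key, frame):
    """Keyed MAC over addresses, sequence number and payload: a toy stand-in for the
    AH/ESP integrity check value, constructed for this example."""
    data = f"{frame['mac']}|{frame['ip']}|{frame['seq']}|".encode() + frame["payload"]
    return hmac.new(key, data, hashlib.sha256).digest()

def make_frame(mac, ip, seq, payload, key=None):
    """Constructed frame; with a key it carries an integrity tag, without one it does not."""
    frame = {"mac": mac, "ip": ip, "seq": seq, "payload": payload}
    if key is not None:
        frame["icv"] = integrity_tag(key, frame)
    return frame

class SwitchPort8021X:
    """The flaw on the slides: authenticate once, then trust MAC + IP for every later frame."""
    def __init__(self):
        self.authorized = None
    def authenticate(self, mac, ip):
        self.authorized = (mac, ip)                  # port opens after EAP-Success
    def accept(self, frame):
        return self.authorized == (frame["mac"], frame["ip"])

class IPsecReceiver:
    """Checks every packet against the SA key plus a simple anti-replay sequence check."""
    def __init__(self, key):
        self.key, self.last_seq = key, -1
    def accept(self, frame):
        tag = frame.get("icv")
        if tag is None or not hmac.compare_digest(integrity_tag(self.key, frame), tag):
            return False                             # unauthenticated or forged packet
        if frame["seq"] <= self.last_seq:
            return False                             # replayed packet
        self.last_seq = frame["seq"]
        return True

def compare_checks():
    """Constructed scenario from the slides: the victim and a shadow host share MAC and IP."""
    mac, ip = "aa:bb:cc:dd:ee:ff", "1.2.3.4"
    sa_key = b"constructed-sa-key"                   # negotiated by IKE; the shadow lacks it
    port, peer = SwitchPort8021X(), IPsecReceiver(sa_key)
    port.authenticate(mac, ip)
    victim = make_frame(mac, ip, 1, b"GET / HTTP/1.0", sa_key)
    shadow = make_frame(mac, ip, 1, b"GET / HTTP/1.0")   # same MAC and IP, no SA key
    return {"8021x_victim": port.accept(victim), "8021x_shadow": port.accept(shadow),
            "ipsec_victim": peer.accept(victim), "ipsec_shadow": peer.accept(shadow),
            "ipsec_replay": peer.accept(victim)}
```

The port-based check accepts both frames, while the per-packet check accepts only the victim's first frame and rejects the shadow's frame and the replay.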

Preparing for Network Access Protection (NAP).

Deploy domain isolation to become familiar with IPsec concepts. NAP will provide a richer enforcement mechanism, while adding to server and domain isolation. Plan and model how to add health authentication and the other compliance enforcement mechanisms Network Access Protection provides. More guidance will be available during the Longhorn beta.

The future of IPsec

Windows Server 2003 and Windows XP:
Isolation by domain or server: authentication of the machine, but no health check
Windows Firewall integration: authenticated bypass capability
Overhead offload: 10/100 Mb NIC, lower CPU

"Longhorn" and beyond:
Extensible isolation: user and machine credentials; health certificates
Firewall integration: Windows Filtering Platform
Improved administration: one-size-fits-all policy
Extensible performance: Gig-E offload for lower CPU

Protecting networks with NAP

(Slide diagram: Internet, Perimeter and Intranet zones; Remote Employees through a Remote Access Gateway; Customers through a Web Server; Infrastructure Servers; Extranet Server.)

A connected world

Interconnected networks; distributed data; mobile workers; business extranets; remote access; Web services; wireless; mobile smart devices.

Overview of the NAP architecture

(Slide diagram)
Client: NAP Agent; System Health Agent (MS and 3rd parties); Enforcement Client (DHCP, IPsec, 802.1X, VPN). It sends health statements and network access requests and receives a health certificate.
MS Network Policy Server: Quarantine Server (QS); System Health Validator.
System Health Servers: health policy updates.
Remediation Servers.
Network Access Devices and Servers.

Client: SHA, health agents check client state; QA, coordinates SHA/EC; EC, method of enforcement.
Remediation Server: serves up patches, AV signatures, etc.
Network Policy Server: QS, coordinates SHV; SHV, validates client health.
System Health Server: provides client compliance policies.

Network Access Protection enforcement methods

Internet Protocol security (IPsec)-protected communications
IEEE 802.1X-authenticated network connections
Remote access virtual private network (VPN) connections
Dynamic Host Configuration Protocol (DHCP) configuration

Protection with NAP

(Slide diagram: Client, 802.1x Switch, MS NPS, Remediation Servers, System Health Servers, Restricted Network.)

Client: "May I have access? Here's my current health status."
Switch to NPS: "Should this client be restricted based on its health?"
System Health Servers: ongoing policy updates to the Network Policy Server.
NPS: "According to policy, the client is not up to date. Quarantine client, request it to update."
To the client: "You are given restricted access until fix-up." (Restricted Network)
Client to Remediation Servers: "Can I have updates?" Remediation Servers: "Here you go."
Client: "Requesting access. Here's my new health status."
NPS: "According to policy, the client is up to date. Grant access."
Client is granted access to the full intranet.
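The exchange on the slide, as an added example that is not part of the original deck: a Python walk through the NAP decision loop, where NPS restricts a client whose statement of health fails policy, the remediation server applies fix-ups, and the second request is granted full access. The policy requirements, fix-ups and client state are constructed assumptions, not the real SHV checks.

```python
from dataclasses import dataclass

# Constructed health policy, as kept on the System Health Server and pushed to NPS.
# Assumption: two requirements stand in for the checks a System Health Validator runs.
POLICY = {
    "firewall_enabled": lambda value: value is True,
    "av_signature_age_days": lambda value: value is not None and value <= 7,
}

# Constructed remediation actions, one per requirement (what the remediation server serves).
FIXES = {
    "firewall_enabled": lambda health: health.update(firewall_enabled=True),
    "av_signature_age_days": lambda health: health.update(av_signature_age_days=0),
}

@dataclass
class NapClient:
    health: dict                     # state the System Health Agent reports
    access: str = "none"             # none, restricted or full
    def statement_of_health(self):
        return dict(self.health)     # what the NAP Agent sends with the access request

def validate(soh, policy=POLICY):
    """System Health Validator: names of the requirements the client fails."""
    return [name for name, check in policy.items() if not check(soh.get(name))]

def nps_decision(soh, policy=POLICY):
    """Network Policy Server: restrict non-compliant clients, grant full access otherwise."""
    failed = validate(soh, policy)
    return ("full" if not failed else "restricted"), failed

def remediate(client, failed, fixes=FIXES):
    """Remediation server: apply the fix-ups reachable from the restricted network."""
    for name in failed:
        fixes[name](client.health)

def nap_flow(client):
    """The exchange on the slide: request, quarantine, fix-up, re-request."""
    log = []
    decision, failed = nps_decision(client.statement_of_health())
    log.append((decision, failed))
    client.access = decision
    if decision == "restricted":
        remediate(client, failed)
        decision, failed = nps_decision(client.statement_of_health())
        log.append((decision, failed))
        client.access = decision
    return log
```

A client that reports a disabled firewall and month-old signatures is restricted, remediated and then granted full access on the second request; a compliant client gets full access immediately.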

(Slide diagram of the NAP components on the network. Zones: Internet, perimeter network, intranet, restricted network. Components: NAP client with limited access, DHCP server, remediation servers, VPN server, Network Policy Server (NPS), Active Directory, health certificate server (HCS), IEEE 802.1X devices, policy servers.)

NAP components

NAP client; DHCP server; remediation server; NPS; HCS.

Message types between the components (slide diagram): DHCP messages; Remote Authentication Dial-in User Service (RADIUS) messages; system health updates; Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS) messages.

Interaction of the NAP components (slide diagram)

NAP client to VPN server: Protected Extensible Authentication Protocol (PEAP) messages over the Point-to-Point Protocol (PPP).
NAP client to IEEE 802.1X devices: PEAP messages over EAP over LAN (EAPOL).
VPN server and IEEE 802.1X devices to NPS: RADIUS messages.
NPS to policy server: system health requirement queries.

NAP client architecture components

System Health Agent (SHA); NAP Agent; NAP Enforcement Client (EC): IPsec NAP EC, EAPHost NAP EC, VPN NAP EC, DHCP NAP EC.

QUESTIONS?