Network Security and ISA Server

Paul Hogan

Ward Solutions

Session Prerequisites

Hands-on experience with Windows 2000 or Windows Server 2003

Working knowledge of networking, including basics of security

Basic knowledge of network security-assessment strategies

Level 300

Agenda

10:00 11:00 Network Security

11:00 11:15 Break

11:30 12:00 Securing SQL Server

12:00 1:00 Lunch

1:00 2:00 Securing Exchange

2:30 2:15 Break

2:15 3:15 Lab Sessions

3:15 Q&A

This sessions are about…

…about operational security

The easy way is not always the secure way

Networks are usually designed in particular ways

In many cases, these practices simplify attacks

In some cases these practices enable attacks

In order to avoid these practices it helps to understand how an attacker can use them

This sessions are NOT …

a hacking tutorial

Hacking networks you own can be enlightening

HACKING NETWORKS YOU DO NOT OWN IS ILLEGAL

…demonstrating vulnerabilities in Windows

Everything we show stems from operational security or custom applications

Knowing how Windows operates is critical to avoiding problems

…for the faint of heart

The Sessions

The Network

External LAN

Internal LAN

ISA Server Firewall

IIS 6.0Windows 2003

Access Points

ISA Server Firewall

Introducing the Case-Study Scenario

Understanding Defense-in-Depth

Using a layered approach:Increases an attacker’s risk of detection Reduces an attacker’s chance of success

Security policies, procedures, and educationPolicies, procedures, and awarenessPolicies, procedures, and awareness

Guards, locks, tracking devicesPhysical securityPhysical security

Application hardeningApplication

OS hardening, authentication, security update management, antivirus updates, auditing

Host

Network segments, NIDSInternal network

Firewalls, boarder routers, VPNs with quarantine proceduresPerimeter

Strong passwords, ACLs, backup and restore strategy

Data

Why Does Network Security Fail?

Network security fails in several common areas, including:Network security fails in several common areas, including:

Human awareness Policy factors Hardware or software misconfigurations Poor assumptions Ignorance Failure to stay up-to-date

Human awareness Policy factors Hardware or software misconfigurations Poor assumptions Ignorance Failure to stay up-to-date

What we will cover:

How to Implement Perimeter defenses

How ISA Server protects networks

Using Windows Firewalls to Protect Clients

How to Protect Wireless Networks

Purpose and Limitations of Perimeter Defenses

Properly configured firewalls and border routers are the cornerstone for perimeter security

The Internet and mobility increase security risks

VPNs have exposed a destructive, pernicious entry point for viruses and worms in many organizations

Traditional packet-filtering firewalls only block network ports and computer addresses

Most modern attacks occur at the application layer

Purpose and Limitations of Intrusion Detection

Detects the pattern of common attacks and records suspicious traffic in event logs and/or alerts administrators

Integrates with other firewall features to prevent common attacks

Threats and vulnerabilities are constantly evolving, which leaves systems vulnerable until a new attack is known and a new signature is created and distributed

Implementing Network-Based Intrusion-Detection Systems

Important points to note:Important points to note:

Network-based intrusion-detection systems are only as good as the process that is followed once an intrusion is detected

ISA Server 2004 provides network-based intrusion-detection abilities

Network-based intrusion-detection systems are only as good as the process that is followed once an intrusion is detected

ISA Server 2004 provides network-based intrusion-detection abilities

Provides rapid detection and reporting of external malware attacks

Provides rapid detection and reporting of external malware attacks

Network-based intrusion-detection system

Network-based intrusion-detection system

Perimeter Connections

The Internet Branch offices Business partners Remote users Wireless networks Internet applications

Network perimeters include connections to:

Business Partner

LAN

Main Office

LAN

LAN

Wireless Network

Remote User

Internet

Branch OfficeBranch Office

Firewall Design: Three Homed

Screened SubnetInternet

LAN

Firewall

Firewall Design: Back-to-Back

DMZInternet

ExternalFirewall

LANInternalFirewall

Software vs Hardware Firewalls

Decision Factors Description

Flexibility Updating for latest vulnerabilities and patches is easier with software-based firewalls.

Extensibility Many hardware firewalls only allow for limited customizability.

Choice of Vendors

Software firewalls allow you to choose from hardware for a wide variety of needs, and there is no reliance on single vendor for additional hardware.

CostsInitial purchase price for hardware firewalls may be less. Software firewalls take advantage of low CPU costs. The hardware can be easily upgraded and old hardware can be repurposed.

Complexity Hardware firewalls are often less complex.

Types of Firewalls

Packet Filtering

Stateful Inspection

Application-Layer Inspection

Multi-layer inspectionMulti-layer inspection(including application-layer filtering)(including application-layer filtering)

InternetInternet

Agenda

Introduction/Defense in Depth

Using Perimeter Defenses

Using ISA Server to Protect Perimeters

Using Windows Firewall to Protect Clients

Protecting Wireless Networks

Protecting Networks by Using IPSec

Protecting Perimeters

ISA Server has full screening capabilities:

Packet filtering

Stateful inspection

Application-level inspection

ISA Server blocks all network traffic unless you allow it

ISA Server is ICSA and Common Criteria certified

Protecting Clients

Method Description

Proxy Functions Processes all requests for clients and never allows direct connections.

Client Support Support for all clients without special software. Installation of ISA Firewall software allows for greater functionality.

Rules Protocol Rules, Site and Content Rules, and Publishing Rules determine if access is allowed.

Add-onsInitial purchase price for hardware firewalls may be less. Software firewalls take advantage of low CPU costs. The hardware can be easily upgraded and old hardware can be repurposed.

Protecting Web Servers

Web Publishing Rules Protect Web servers behind the firewall from external

attacks by inspecting HTTP traffic and ensuring it is properly formatted and complies with standards.

Inspection of SSL traffic Inspects incoming encrypted Web requests for proper

formatting and standards compliance.

Will optionally re-encrypt the traffic before sending them to your Web server

URLScan

ISA Server Feature Pack 1 includes URLScan 2.5 for ISA ServerAllows URLScan ISAPI filter to be applied at the network perimeter General blocking for all Web servers behind the firewall Perimeter blocking for known and newly discovered attacks

Web Server 1

ISA Server

Web Server 2

Web Server 3

Protecting Exchange Server

Method Description

Mail Publishing Wizard

Configures ISA Server rules to securely publish internal mail services to external users.

Message Screener Screens e-mail messages that enter the internal network.

RPC Publishing Secure native protocol access for Outlook clients.

OWA Publishing Provides protection for remote Outlook users accessing Exchange Server over untrusted networks without a VPN.

Demonstration 1Application-Layer Inspection in

ISA Server

URL ScanWeb Publishing

Message Screener

Traffic that Bypasses Firewall Inspection

SSL tunnels through traditional firewalls because it is encrypted, which allows viruses and worms to pass through undetected and infect internal servers.

VPN traffic is encrypted and can’t be inspected

Instant Messenger (IM) traffic often is not inspected and may be used to transfer files in addition to be used for messaging.

Inspecting All Traffic

Use intrusion detection and other mechanisms to inspect VPN traffic after it has been decrypted

Remember: Defense in Depth

Use a firewall that can inspect SSL traffic

Expand inspection capabilities of your firewall

Use firewall add-ons to inspect IM traffic

SSL Inspection

SSL tunnels through traditional firewalls because it is encrypted, which allows viruses and worms to pass through undetected and infect internal servers.

ISA Server pre-authenticates users, eliminating multiple dialog boxes and allowing only valid traffic through.

ISA Server can decrypt and inspect SSL traffic. Inspected traffic can be sent to the internal server re-encrypted or in the clear.

ISA Server with Feature Pack 1

Client Internal ServerInternet

Demonstration 2SSL Inspection in ISA Server

ISA Server Hardening

Secure your Server Wizard

Review Bastion Host information in Security Guides

Disable unnecessary services

Harden the Network Stack

Disable unnecessary network protocols on the external network interface:

File and print sharing

Client for Microsoft Networks

NetBIOS over TCP/IP

Best Practices

Use access rules that only allow requests that are specifically allowed

Use ISA server’s authentication capabilities to restrict and log Internet access

Configure Web publishing rules only for specific URLs

Use SSL Inspection to inspect encrypted data that is entering your network

Demonstration 3Internet Connection Firewall

(ICF)

Configuring ICF ManuallyTesting ICF

Reviewing ICF Log FilesConfiguring Group Policy

Settings

Agenda

Introduction/Defense in Depth

Using Perimeter Defenses

Using ISA Server to Protect Perimeters

Using Windows Firewall to Protect Clients

Protecting Wireless Networks

Protecting Networks by Using IPSec

New Security Features in Windows Firewall

On by defaultOn by default

Boot-time securityBoot-time security

Global configuration and restore defaultsGlobal configuration and restore defaults

Local subnet restrictionsLocal subnet restrictions

Command-line supportCommand-line support

On with no exceptionsOn with no exceptions

Windows Firewall exceptions listWindows Firewall exceptions list

Multiple profilesMultiple profiles

RPC supportRPC support

Unattended setup supportUnattended setup support

Configuring Windows Firewall for Antivirus Defense

Agenda

Introduction/Defense in Depth

Using Perimeter Defenses

Using ISA Server to Protect Perimeters

Using Windows Firewall to Protect Clients

Protecting Wireless Networks

Protecting Networks by Using IPSec

Limitations of Wired Equivalent Privacy (WEP) WEP is inherently weak to due poor key exchange. WEP keys are not dynamically changed and therefore

vulnerable to attack. No method for provisioning WEP keys to clients.Limitations of MAC Address Filtering Scalability - Must be administered and propagated to all APs.

List may have a size limit. No way to associate a MAC to a username. User could neglect to report a lost card. Attacker could spoof an allowed MAC address.

Wireless Security Issues

VPN Connectivity PPTP L2TP Third PartyIPSec Many vendorsPassword-based Layer 2 Authentication Cisco LEAP RSA/Secure ID IEEE 802.1x PEAP/MSCHAP v2Certificate-based Layer 2 Authentication IEEE 802.1x EAP/TLS

Possible Solutions

WLAN Security Type Security Level Ease of Deployment Usability and Integration

IEEE 802.11 Low High High

VPN Medium Medium Low

Password-based Medium Medium High

IPSec High Low Low

IEEE 802.1x TLS High Low High

WLAN Security Comparisons

Defines port-based access control mechanism

Works on anything, wired and wireless

Access point must support 802.1X

No special encryption key requirements

Allows choice of authentication methods using EAP

Chosen by peers at authentication time

Access point doesn’t care about EAP methods

Manages keys automatically

No need to preprogram wireless encryption keys

802.1X

802.1X using EAP/TLS or MSCHAPv2

Domain Controller

DHCPExchange

File Server

Certification Authority

RADIUS (IAS)

Server Certificate

802.11/.1XAccess Point

Laptop

Domain User/Machine

CertificateEAP Connection1, 2, 6 3, 5, 7

4

A specification of standards-based, interoperable security enhancements that strongly increase the level of data protection and access control for existing and future wireless LAN systems

Goals Enhanced Data Encryption Provide user authentication Be forward compatible with 802.11i Provide non-RADIUS solution for Small/Home offices (WPA-PSK)

Products shipping

Wi-Fi Protected Access (WPA)

Best Practices

Use 802.1x authentication

Organize wireless users and computers into groups

Apply wireless access policies using Group Policy

Use EAP/TLS and 128 bit WEP

Set clients to force user authentication as well as machine authentication

Develop a method to manage rogue APs such as LAN based 802.1x authentication and wireless sniffers.

Malicious traffic that is passed on open ports and not inspected by the firewall

Any traffic that passes through an encrypted tunnel or session

Attacks after a network has been penetrated

Traffic that appears legitimate

Users and administrators who intentionally or accidentally install viruses

Administrators who use weak passwords

What Firewalls Do NOT Protect Against

Understanding Application and Database Attacks

Common application and database attacks include:Common application and database attacks include:

Buffer overruns:Buffer overruns:

Write applications in managed code Write applications in managed code

SQL injection attacks:SQL injection attacks:

Validate input for correct size and type Validate input for correct size and type

Attacks: Buffer Overflow

Aka the “Boundary Condition Error”: Stuff more data into a buffer than it can handle. The resulting overflowed data “falls” into a precise location and is executed by the system

Local overflows are executed while logged into the target system

Remote overflows are executed by processes running on the target that the attacker “connects” to

Result: Commands are executed at the privilege level of the overflowed program

Attacks: Input validation

An process does not “strip” input before processing it, ie special shell characters such as semicolon and pipe symbols

An attacker provides data in unexpected fields, ie SQL database parameters

Implementing Application Layer Filtering

Application layer filtering includes the following:Application layer filtering includes the following:

Web browsing and e-mail can be scanned to ensure that content specific to each does not contain illegitimate data Web browsing and e-mail can be scanned to ensure that content specific to each does not contain illegitimate data

Deep content analyses, including the ability to detect, inspect, and validate traffic using any port and protocol Deep content analyses, including the ability to detect, inspect, and validate traffic using any port and protocol

Session Summary

Introduction/Defense in Depth

Using Perimeter Defenses

Using ISA Server to Protect Perimeters

Using ICF to Protect Clients

Protecting Wireless Networks

Questions and Answers