Securing the Perimeter Thomas Lee Chief Technologist QA thomas.lee@qa

1

Securing the Perimeter

Thomas LeeChief Technologist

QA

[email protected]

2

Continuing from Yesterday

Scripting IPSec

NAT-T

3

Scripting IPSec

netsh ipsec is the starting point

4

NAT Traversal-the problem

NAT device cannot update IPSec auth-data• Hash includes IP address of source

• When natted, the recepient will get data from a ‘different’ IP address

IKE ports can not be changed (UDP 500)

See http://tinyurl.com/2j99q for more information about

NAT issues

5

NAT-T Changes

UDP encapsulation for ESP• A UDP header is placed between the outer IP header and the ESP

header, encapsulating the ESP PDU. The same ports that are used for IKE are used for UDP-encapsulated ESP traffic.

A modified IKE header format• The IPSec NAT-T IKE header contains a new Non-ESP Marker field that

allows a recipient to distinguish between a UDP-encapsulated ESP PDU and an IKE message. IPSec NAT-T-capable peers begin to use the new IKE header after they have determined that there is an intermediate NAT.

A new NAT-Keepalive packet• A UDP message that uses the same ports as IKE traffic, contains a

single byte (0xFF) and is used to refresh the UDP port mapping in a NAT for IKE and UDP-encapsulated ESP traffic to a private network host.•

A new Vendor ID IKE payload• This new payload contains a well-known hash value, which indicates

that the peer is capable of performing IPSec NAT-T.•

6

NAT-T (continued)

A new NAT-Discovery (NAT-D) IKE payload• This new payload contains a hash value that incorporates an address

and port number. An IPSec peer includes two NAT-Discovery payloads during Main Mode negotiation—one for the destination address and port and one for the source address and port. The recipient uses the NAT-Discovery payloads to discover whether a NAT translated addresses or port numbers, and, based on which addresses and ports were changed, which peers are located behind NATs.•

New encapsulation modes for UDP-encapsulated ESP transport mode and tunnel mode

• These two new encapsulation modes are specified during Quick Mode negotiation to inform the IPSec peer that UDP encapsulation for ESP PDUs should be used.•

A new NAT-Original Address (NAT-OA) IKE payload• This new payload contains the original (untranslated) address of the

IPSec peer. For UDP-encapsulated ESP transport mode, each peer sends the NAT-OA IKE payload during Quick Mode negotiation. The recipient stores this address in the parameters for the SA

7

NAT/IPSec – more Info

IKE Negotiation for IPSec Security Associations• http://www.microsoft.com/technet/community/columns/

cableguy/cg0602.mspx

Windows 2000 IPSec Web Site• http://www.microsoft.com/windows2000/technologies/

communications/ipsec/default.asp

L2TP/IPSec NAT-T Update for Windows XP and Windows

2000• http://support.microsoft.com/default.aspx?scid=kb;en-

us;818043

8

Agenda

Introduction

What is the Perimeter?

Securing with …• Using Microsoft Internet Security and Acceleration (ISA) Server

to Protect Perimeters

• Using Internet Connection Firewall (ICF) to Protect Clients

• Protecting Wireless Networks

• Protecting Communications by Using IPSec

9

Defense in Depth

A layered approach• Increases an attacker’s risk of detection

• Reduces an attacker’s chance of success

Policies, Procedures, & Awareness

Policies, Procedures, & Awareness

OS hardening, update management, OS hardening, update management, authentication, HIDSauthentication, HIDS

Firewalls, VPN quarantineFirewalls, VPN quarantine

Guards, locks, tracking devicesGuards, locks, tracking devices

Network segments, IPSec, NIDSNetwork segments, IPSec, NIDS

Application hardening, antivirusApplication hardening, antivirus

ACL, encryptionACL, encryption

User educationUser education

Physical SecurityPhysical Security

PerimeterPerimeter

Internal NetworkInternal Network

HostHost

ApplicationApplication

DataData

10

Agenda

Introduction

What is the perimeter?

Securing the perimeter with …• Using Microsoft Internet Security and Acceleration (ISA) Server





11

Perimeter Connections Overview

The Internet Branch offices Business partners Remote users Wireless networks Internet applications

Network perimeter includes connections to:

Business Partner

LAN

Main Office

LAN

Branch Office

LAN

Wireless Network

Remote User

Internet

12

Defending The Perimeter

Properly configured firewalls and border routers are the cornerstone for perimeter security

The Internet and mobility increase security risks

VPNs/ wireless networking soften the perimeter

Traditional packet-filtering firewalls block only network ports and computer addresses

Most modern attacks occur at the application layer

Perimeter security useless if breech is from the inside

13

Defending at the Client

The client is part of the perimeter too!

Client defenses block attacks that bypass perimeter defenses or originate on

the internal network

Client defenses include, among others:

Operating system hardening

Antivirus software

Personal firewalls

Client defenses require configuring many computers

In unmanaged environments, users may bypass client defenses

14

What About Intrusion Detection?

Detects the pattern of common attacks, records

suspicious traffic in event logs, and/or alerts

administrators

Threats and vulnerabilities are constantly evolving, which

leaves systems vulnerable until a new attack is known

and a new signature is created and distributed

Is ID really helpful?

15

Agenda

Introduction

What is the perimeter?

Securing the perimeter with …• Using Microsoft Internet Security and Acceleration (ISA) Server





16

Firewall Design: Three-Homed

DMZInternet

LAN

Firewall

17

Firewall Design: Back-to-Back

Internet

ExternalFirewall

LANInternalFirewall

DMZ

18

Malicious traffic that is passed on open ports and not inspected at

the application layer by the firewall

Any traffic that passes through an encrypted tunnel or session

Attacks after a network has been penetrated

Traffic that appears legitimate

Users and administrators who intentionally or accidentally install

viruses

Administrators who use weak passwords

What Firewalls Do NOT Protect Against

19

Software vs. Hardware Firewalls

Decision Factors Description

FlexibilityUpdating for latest vulnerabilities and patches is often easier with

software-based firewalls.

Extensibility Many hardware firewalls allow only limited customizability.

Choice of VendorsSoftware firewalls allow you to choose from hardware for a wide variety of

needs, and there is no reliance on single vendor for additional hardware.

Cost

Initial purchase price for hardware firewalls might be less. Software

firewalls take advantage of low CPU costs. The hardware can be easily

upgraded, and old hardware can be repurposed.

Complexity Hardware firewalls are often less complex.

Overall Suitability

The most important decision factor is whether a firewall can perform the

required tasks. Often the lines between hardware and software firewalls

are blurred.

20

Types of Firewall Functions

Packet Filtering

Stateful Inspection

Application-Layer Inspection

Multi-layer InspectionMulti-layer Inspection(Including Application-Layer Filtering)(Including Application-Layer Filtering)

InternetInternet

21

Protecting Perimeters

ISA Server has full screening capabilities:• Packet filtering

• Stateful inspection

• Application-level inspection

ISA Server blocks all network traffic unless you allow it

ISA Server provides secure VPN connectivity

ISA Server is ICSA certified and Common Criteria

certified

22

Demonstration 1Application-Layer Inspection in

ISA Server

Web Publishing

23

Traffic That Bypasses Firewall Inspection

SSL tunnels through traditional firewalls because it is encrypted,

which allows viruses and worms to pass through undetected and

infect internal servers

VPN traffic is encrypted and cannot be inspected

Instant Messenger (IM) traffic often is not inspected and might be

used to transfer files

24

Inspecting All Traffic

Use intrusion detection and other mechanisms to inspect VPN

traffic after it has been decrypted

• Remember: Defense in Depth

Use a firewall that can inspect SSL traffic

Expand inspection capabilities of your firewall

• Use firewall add-ons to inspect IM traffic

25

SSL Inspection

SSL tunnels through traditional firewalls because it is encrypted,

which allows viruses and worms to pass through undetected and

infect internal servers.

ISA Server can decrypt and inspect SSL traffic. Inspected traffic

can be sent to the internal server

re-encrypted or in the clear.

26

Demonstration 2

SSL Inspection in ISA Server

27

ISA Server Hardening

Harden the network stack

Disable unnecessary network protocols on the external

network interface:

• Client for Microsoft Networks

• File and Printer Sharing for Microsoft Networks

• NetBIOS over TCP/IP

28

Best Practices

Use access rules that only allow requests that are

specifically allowed

Use ISA Server’s authentication capabilities to

restrict and log Internet access

Configure Web publishing rules only for specific

destination sets

Use SSL Inspection to inspect encrypted data that

is entering your network

29

Agenda

Introduction







30

Overview of ICF

Internet Connection Firewall in Microsoft

Windows XP and Microsoft Windows Server 2003

Helps stop network-based attacks, such as

Blaster, by blocking all unsolicited inbound traffic

Ports can be opened for services running on the

computer

Enterprise administration through Group Policy

What It Is

What It Does

Key Features

31

Enabled by:

• Selecting one check box

• Network Setup Wizard

• New Connection Wizard

Enabled separately

for each network connection

Enabling ICF

32

Network services

Web-based applications

ICF Advanced Settings

33

Logging options

Log file options

ICF Security Logging

34

ICF in the Enterprise

Configure ICF by using Group Policy

Combine ICF with Network Access Quarantine Control

35

Use ICF for home offices and small business to provide protection for computers directly connected to the Internet

Do not turn on ICF for a VPN connection (but do enable ICF for the underlying LAN or dial-up connection

Configure service definitions for each ICF connection through which you want the service to work

Set the size of the security log to 16 megabytes to prevent an overflow that might be caused by denial-of-service attacks

Best Practices

36

Demonstration 3Internet Connection Firewall (ICF)

Configuring ICF ManuallyTesting ICF

Reviewing ICF Log FilesConfiguring Group Policy Settings

37

Agenda

Introduction







38

Limitations of Wired Equivalent Privacy (WEP)• Static WEP keys are not dynamically changed and therefore

are vulnerable to attack.• There is no standard method for provisioning static WEP

keys to clients.• Scalability: Compromise of a static WEP key by anyone

exposes everyone.

Limitations of MAC Address Filtering• Attacker could spoof an allowed MAC address.

Wireless Security Issues

39

Password-based Layer 2 Authentication• IEEE 802.1x PEAP/MSCHAP v2

Certificate-based Layer 2 Authentication• IEEE 802.1x EAP-TLS

Other Options• VPN Connectivity

– L2TP/IPsec (preferred) or PPTP

– Does not allow for roaming

– Useful when using public wireless hotspots

– No computer authentication or processing of computer settings in Group Policy

• IPSec– Interoperability issues

Possible Solutions

40

WLAN Security Type Security LevelEase of

Deployment

Usability and

Integration

Static WEP Low High High

IEEE 802.1X PEAP High Medium High

IEEE 802.1x TLS High Low High

VPNHigh

(L2TP/IPSec)Medium Low

IPSec High Low Low

WLAN Security Comparisons

41

Defines port-based access control mechanism

• Works on anything, wired or wireless

• No special encryption key requirements

Allows choice of authentication methods using Extensible

Authentication Protocol (EAP)

• Chosen by peers at authentication time

• Access point doesn’t care about EAP methods

Manages keys automatically

• No need to preprogram wireless encryption keys

802.1x

42

EthernetEthernet

Access PointAccess Point

Radius ServerRadius Server

EAPOL-StartEAPOL-Start

EAP-Response/IdentityEAP-Response/Identity

Radius-Access-ChallengeRadius-Access-Challenge

EAP-Response EAP-Response (credentials)(credentials)

Access BlockedAccess Blocked

AssociationAssociation

Radius-Access-AcceptRadius-Access-Accept

EAP-Request/IdentityEAP-Request/Identity

EAP-RequestEAP-Request

Radius-Access-RequestRadius-Access-Request

Radius-Access-RequestRadius-Access-Request

RADIUSRADIUS

Laptop ComputerLaptop Computer

WirelessWireless

802.11802.11802.11 Associate802.11 Associate

EAP-SuccessEAP-Success

Access AllowedAccess AllowedEAPOL-Key (Key)EAPOL-Key (Key)

802.1x on 802.11

43

System Requirements for 802.1x

Client: Windows XP

Server: Windows Server 2003 IAS• Internet Authentication Service—our RADIUS server• Certificate on IAS computer

802.1x on Windows 2000• Client and IAS must have SP3• See KB article 313664• No zero-configuration support in the client• Supports only EAP-TLS and MS-CHAPv2

– Future EAP methods in Windows XP and Windows Server 2003 might not be backported

44

802.1x Setup

1. Configure Windows Server 2003 with IAS

2. Join a domain

3. Enroll computer certificate

4. Register IAS in Active Directory

5. Configure RADIUS logging

6. Add AP as RADIUS client

7. Configure AP for RADIUS and 802.1x

8. Create wireless client access policy

9. Configure clients

• Don’t forget to import the root certificate

45

Access Policy

Policy condition• NAS-port-type matches

Wireless IEEE 802.11 OR Wireless Other

• Windows-group = <some group in AD>– Optional; allows administrative

control– Should contain user and

computer accounts

46

Access Policy Profile

Profile• Time-out: 60 min. (802.11b) or

10 min. (802.11a/g)

• No regular authentication methods

• EAP type: protected EAP; use computer certificate

• Encryption: only strongest (MPPE 128-bit)

• Attributes: Ignore-User-Dialin-Properties = True

47

A specification of standards-based, interoperable security enhancements that strongly increase the level of data protection and access control for existing and future wireless LAN systems

WPA Requires 802.1x authentication for network access

Goals• Enhanced data encryption

• Provide user authentication

• Be forward compatible with 802.11i

• Provide non-RADIUS solution for Small/Home offices

Wi-Fi Alliance began certification testing for interoperability on WPA products in February 2003

Wireless Protected Access (WPA)

48

Best Practices

Use 802.1x authentication

Organize wireless users and computers into groups

Apply wireless access policies using Group Policy

Use EAP-TLS for certificate-based authentication and PEAP for password-based authentication

Configure your remote access policy to support user authentication as well as machine authentication

Develop a method to deal with rogue access points, such as LAN-based 802.1x authentication, site surveys, network monitoring, and user education

49

Agenda

Introduction







50

What is IP Security (IPSec)?

• A method to secure IP traffic

• Framework of open standards developed by the Internet Engineering Task Force (IETF)

Why use IPSec?

• To ensure encrypted and authenticated communications at the IP layer

• To provide transport security that is independent of applications or application-layer protocols

Overview of IPSec

51

Basic permit/block

packet filtering

Secure internal LAN

communications

Domain replication

through firewalls

VPN across untrusted

media

IPSec Scenarios

52

Filters for allowed and blocked traffic

No actual negotiation of IPSec security associations

Overlapping filters—most specific match determines action

Does not provide stateful filtering

Must set "NoDefaultExempt = 1" to be secure

From IP To IP Protocol Src Port Dest Port Action

AnyMy Internet

IPAny N/A N/A Block

AnyMy Internet

IPTCP Any 80 Permit

Implementing IPSec Packet Filtering

53

Spoofed IP packets containing queries or malicious

content can still reach open ports through firewalls

IPSec does not provide stateful inspection

Many hacker tools use source ports 80, 88, 135, and so

on, to connect to any destination port

Packet Filtering Is Not Sufficient to Protect Server

54

IP broadcast addresses• Cannot secure to multiple receivers

Multicast addresses• From 224.0.0.0 through 239.255.255.255

Kerberos—UDP source or destination port 88• Kerberos is a secure protocol, which the Internet Key Exchange

(IKE) negotiation service may use for authentication of other computers in a domain

IKE—UDP destination port 500• Required to allow IKE to negotiate parameters for IPSec security

Windows Server 2003 configures only IKE default exemption

Traffic Not Filtered by IPSec

55

Secure Internal Communications

Use IPSec to provide mutual device authentication• Use certificates or Kerberos• Preshared key suitable for testing only

Use Authentication Header (AH) to ensure packet integrity• AH provides packet integrity• AH does not encrypt, allowing for network intrusion detection

Use Encapsulation Security Payload (ESP) to encrypt sensitive traffic• ESP provides packet integrity and confidentiality• Encryption prevents packet inspection

Carefully plan which traffic should be secured

56

IPSec for Domain Replication

Use IPSec for replication through firewalls• On each domain controller, create an IPSec policy to secure all

traffic to the other domain controller’s IP address

Use ESP 3DES for encryption

Allow traffic through the firewall:• UDP Port 500 (IKE)• IP protocol 50 (ESP)

57

Best Practices

Plan your IPSec implementation carefully

Choose between AH and ESP

Use Group Policy to implement IPSec Policies

Consider the use of IPSec NICs

Never use Shared Key authentication outside your test lab

Choose between certificates and Kerberos authentication

Use care when requiring IPSec for communications with domain controllers and other infrastructure servers

58

Demonstration 4IPSec

Configuring and Testing a Simple IPSec PolicyConfiguring and Testing an IPSec Packet Filter

59

Session Summary

Introduction/Defense in Depth

Using Perimeter Defenses

Using ISA Server to Protect Perimeters

Using ICF to Protect Clients

Protecting Wireless Networks

Protecting Networks by Using IPSec

60

Next Steps

1. Stay informed about security Sign up for security bulletins:

http://www.microsoft.com/security/security_bulletins/alerts2.asp Get the latest Microsoft security guidance:

http://www.microsoft.com/security/guidance/

2. Get additional security training Find online and in-person training seminars:

http://www.microsoft.com/seminar/events/security.mspx Find a local CTEC for hands-on training:

http://www.microsoft.com/learning/

61

For More Information

Microsoft Security Site (all audiences)• http://www.microsoft.com/security

TechNet Security Site (IT professionals)• http://www.microsoft.com/technet/security

MSDN Security Site (developers)• http://msdn.microsoft.com/security

62

Questions and Answers

Securing the Perimeter Thomas Lee Chief Technologist QA thomas.lee@qa

Documents

Transcript of Securing the Perimeter Thomas Lee Chief Technologist QA thomas.lee@qa