
DMZ Ology Front Traversal (download.microsoft.com/download/0/b/e/0be6834f-4fd...)

12/04/2007 5:00 PM

2005 Microsoft Corporation. All rights reserved.

This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary. 1

DMZ’ology
Fred Baumhardt, Security Technology Architect, Microsoft Incubation EMEA
Microsoft Confidential

DMZ Ology • What’s the plan?
This is not the way to protect your front DMZ perimeter

Front Traversal • How not to do it


DMZ Zoology • What, How, and Why is a DMZ

DMZ Zoology • Military Definition of a DMZ
• In military terms this is where you put your unwanted soldiers (they will die quickly); main weapon systems are brought to bear on the area, monitoring total
• Significant border perimeter with complete inspection through a security checkpoint; both sides agree before anything enters (rarely used)
• An area where neither side will place heavy weapons (except the attacking side breaking the DMZ rules)
[Diagram: Internet - DMZ - Internal Network]

DMZ Zoology • South Korean DMZ
• 1.78 metre minimum height for an SK soldier (black belt in martial arts required); US soldiers must be over 6 foot (1.82 m)
• Patriotic music played on blaring speakers to the opposition, with message boards doing psychological warfare
• More than 1 million troops within 60 km of the DMZ
• 4 discovered tunnels in the last 20 years under the DMZ
• Soldiers from both sides do patrols inside the DMZ

A right way, and a wrong way


DMZ Zoology • IT Geek’s Definition of DMZ
• An airport-like zone taking traffic inbound and outbound and routing it to a destination – NOT a military control area where little passes (like the real one).
• All applications externalise access through this zone. Their data access requirements frequently invalidate rear firewall protection rules.
• Privacy and integrity requirements usually invalidate front-end firewall rules by encrypting data through it!
• But the name sounds “macho”
[Diagram: Internet - DMZ - Internal Network]

DMZ Zoology • Firewall Management Challenges
• Port-centric, not application-centric, designs are defeated by port-agnostic protocols like RPC
• Lack of intelligence has caused other devices like network IDS/IPS to emerge
• Port consolidation around SMTP and HTTP(S) has continued to erode capability
• Web services have finished off the usefulness of the old-school firewalls

DMZ Zoology • Ideal DMZ Policy Enforcement
Good!!!!! – Only 2 colours!!! (ignore glass)


Bad!!!!! – Pictures! Symbols – not for real “meat eating” firewall admins

DMZ Zoology • DMZ Management Challenges
• Firewalls should be built once and patched (maybe), but never touched afterwards – they should be black boxes
• “No, I won’t open a port for you – but I’ll let you tunnel through”
• Anything smart gets done by something else: load balancing by load balancers, IPS by IPS, etc.
• Devices are not dynamic and not application-centric
• Attackers ARE application-centric

DMZ Biology • Worm Pathology
• Worms are anonymous – they don’t carry your password database…
• Pathogens break protocol rules – you wrote a buffer for 72 characters, the attacker sent you 182
• Worms send clients something they didn’t ask for

• Authenticate traffic – stops foreign infection
• Enforce protocol rules at the network device – things that break are dropped
• Don’t process traffic that you didn’t ask for; understand protocols and know what to expect

DMZ Zoology • Authentication at the Perimeter
[Diagram: External and mobile clients reach the firewall over an SSL tunnel using HTTP Basic, certificates, limited VPN, full forms, VPN (all types) and SecurID; the firewall authenticates against an Internet Authentication Server over RADIUS (UDP 1812-1813 default) and against the DC/GC over NTLM, Kerberos (RPC, Kerberos) and LDAP; internal clients use DNS, HTTP(S), SMTP, FTP, RPC, POP3, IMAP4, LDAP, IKE, VPNs and the Firewall Client protocol (NTLM, Kerberos)]


Front Firewall Traversal
DMZ Traversal • Cleaning and Protecting Applications at the Front Door

Front Traversal • Most front firewalls traversed
[Diagram: Internet - DMZ]
• Authenticated traffic uses cryptography to protect the credential/username, token, cookie, hash, etc.
• Basic auth uses username (cleartext) and password (base64 encoding – obfuscated text) in the header, resulting in SSL to protect the traffic
• Forms-based logons transfer data in clear text, so they require encryption for the logon POST; many logon tokens are weakly protected, so they require continual session protection
• The presence of SSL causes a zero-day exploit paradigm weakness
• Front-end firewalls are thus penetrated by all encryption
Certificate, Forms, and Basic Authentication

demo: Multi-factor auth from client to ISA Server 2006 using multiple protocols

Front Traversal • Authentication Delegation
[Diagram, traditional firewall: client → SSL → traditional firewall → Web server / OWA. The web server prompts for authentication – any Internet user can access this prompt. SSL tunnels through traditional firewalls because it is encrypted… which allows viruses and worms to pass through undetected… and infect internal servers!]
[Diagram, ISA Server 2006 with HTTP Filter: client → SSL → ISA Server (HTTP filter, URLScan for ISA Server) → SSL or HTTP → Web server / OWA. Basic and forms authentication delegation: ISA Server pre-authenticates users, with single sign-on, and only allows authenticated users – it also issues forms cookies, timeouts, and attachment blocking for OWA. ISA Server can decrypt and inspect SSL traffic and only passes authenticated traffic – no worms, as they are anonymous; inspected traffic can be sent to the internal server re-encrypted or in the clear. The HTTP filter for ISA Server can stop web attacks at the network edge, even over encrypted inbound SSL.]
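The pre-authentication step the slide attributes to ISA Server, as an added example that is not from the deck and not ISA Server's code: a gateway that decides, before anything is forwarded to the internal web server, whether a request carries verifiable Basic credentials over TLS. Anonymous requests (the worm case) are refused at the edge, and the base64 header is only ever decoded for verification against the gateway's own directory. The directory, salt/hash scheme and sample requests are constructed for illustration.

```python
"""Added example (not from the slides, and not ISA Server's code): an edge
gateway that pre-authenticates HTTP requests before anything is forwarded
to the internal web server, so anonymous traffic (worms, scanners) never
reaches it. Basic credentials are only base64-encoded, which is why the
gateway insists on TLS and verifies them against its own directory instead
of letting the back-end server prompt Internet users. Directory, requests
and the salt/hash scheme below are constructed for illustration."""
import base64
import binascii
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def _entry(password: str) -> Tuple[bytes, bytes]:
    """Constructed credential store entry: (salt, sha256(salt + password))."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.sha256(salt + password.encode()).digest()


DIRECTORY = {"alice": _entry("correct horse battery staple")}


def parse_basic(header_value: str) -> Optional[Tuple[str, str]]:
    """Decode 'Basic <base64(user:password)>'; None if malformed."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def credentials_valid(user: str, password: str) -> bool:
    """Salted-hash comparison in constant time; an unknown user still runs
    the hash so timing does not reveal which usernames exist."""
    salt, digest = DIRECTORY.get(user, (b"", b""))
    candidate = hashlib.sha256(salt + password.encode()).digest()
    return bool(salt) and hmac.compare_digest(candidate, digest)


def gateway_decision(request: Dict) -> Tuple[str, str]:
    """Return ('forward' | 'deny', reason). `request` is a constructed dict
    with 'tls' (bool) and 'headers' (dict) as the gateway would see them."""
    if not request.get("tls"):
        return "deny", "Basic credentials are only accepted over TLS"
    auth = request.get("headers", {}).get("Authorization")
    if auth is None:
        return "deny", "anonymous request never reaches the internal server"
    creds = parse_basic(auth)
    if creds is None:
        return "deny", "malformed Authorization header"
    if not credentials_valid(*creds):
        return "deny", "credentials rejected at the edge"
    return "forward", f"pre-authenticated user {creds[0]}"


def make_basic(user: str, password: str) -> str:
    """Build the header a client sends (used here only to construct samples)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed requests as seen by the gateway.
GOOD = make_basic("alice", "correct horse battery staple")
SAMPLES = {
    "worm_probe":   {"tls": True,  "headers": {}},
    "plain_http":   {"tls": False, "headers": {"Authorization": GOOD}},
    "bad_password": {"tls": True,  "headers": {"Authorization": make_basic("alice", "guess")}},
    "good":         {"tls": True,  "headers": {"Authorization": GOOD}},
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:13} -> {gateway_decision(req)}")
```

The order of the checks is the point: transport first (no Basic header is even looked at without TLS), then presence, then syntax, then the credential itself, so the internal server only ever sees traffic that has already passed all four.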


Front Traversal • Protocol Filtration
• SMTunnel and other applications carry payloads through TCP 25
• Attacks like VRFY overflows send long SMTP commands to servers that don’t trap buffers – then exploit the code overflow
• Protocol filtration in app firewalls and IPS is an excellent defence for these cases
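What "enforce protocol rules at the network device" looks like for the SMTP case above (and for the worm-pathology slide's "buffer for 72 characters, attacker sent 182"), as an added example that is not from the deck: a command-line filter that checks each SMTP command against the protocol grammar, a verb allow list and per-verb length limits, and drops the connection at the first violation. The verb list, limits and the sample session are constructed policy values, not ISA Server's.

```python
"""Added example (not from the slides): an SMTP command-line filter of the kind
an application-layer firewall or IPS applies on TCP 25 before traffic reaches
the mail server, dropping anything that breaks the protocol grammar rather
than trusting the server to trap its own buffers. Verb list, per-verb limits
and the sample session are constructed policy values, not ISA Server's."""
import re
from typing import List, Tuple

# Verbs an inbound MTA legitimately needs; VRFY/EXPN are refused at the edge.
ALLOWED_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP",
                 "QUIT", "STARTTLS"}

# RFC 5321 caps a command line at 512 octets including CRLF. The per-verb
# argument limits are tighter, constructed values: an edge device may be
# stricter than the server it protects.
MAX_LINE_OCTETS = 512
MAX_ARG_OCTETS = {"HELO": 255, "EHLO": 255, "MAIL": 320, "RCPT": 320}

# <VERB> [SP args] CRLF; verbs are 4 to 8 letters (HELO ... STARTTLS).
CMD_RE = re.compile(rb"^([A-Za-z]{4,8})(?: (.*))?\r\n$")


def check_command(line: bytes) -> Tuple[bool, str]:
    """Return (allowed, reason) for one raw SMTP command line."""
    if len(line) > MAX_LINE_OCTETS:
        return False, f"line too long ({len(line)} > {MAX_LINE_OCTETS})"
    if not line.endswith(b"\r\n"):
        return False, "missing CRLF terminator"
    if any(b < 0x20 or b > 0x7E for b in line[:-2]):
        return False, "non-printable byte in command"
    m = CMD_RE.match(line)
    if not m:
        return False, "does not parse as <VERB> [args] CRLF"
    verb = m.group(1).decode("ascii").upper()
    args = m.group(2) or b""
    if verb not in ALLOWED_VERBS:
        return False, f"verb {verb} not permitted inbound"
    limit = MAX_ARG_OCTETS.get(verb, 0)
    if len(args) > limit:
        return False, f"{verb} argument too long ({len(args)} > {limit})"
    return True, "ok"


def filter_session(lines: List[bytes]) -> List[Tuple[bytes, bool, str]]:
    """Check each line in order; stop at the first violation, mirroring a
    device that drops the connection instead of passing the remainder."""
    verdicts = []
    for line in lines:
        ok, why = check_command(line)
        verdicts.append((line[:40], ok, why))
        if not ok:
            break
    return verdicts


# Constructed sample session: a normal start, then an oversized VRFY argument
# (the "buffer for 72 characters, attacker sent 182" case from the slides).
SAMPLE_SESSION = [
    b"EHLO mail.example.test\r\n",
    b"MAIL FROM:<alice@example.test>\r\n",
    b"VRFY " + b"A" * 182 + b"\r\n",
    b"RCPT TO:<bob@example.test>\r\n",
]

if __name__ == "__main__":
    for prefix, ok, why in filter_session(SAMPLE_SESSION):
        print("PASS" if ok else "DROP", prefix, why)
```

Note that the 182-byte VRFY is dropped on the verb before its length is ever measured: a filter that knows which commands the protected server should receive does not need to guess the server's buffer size, which is exactly what makes this a defence against the "long command to a server that doesn't trap buffers" class rather than against one signature.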


Front Traversal • The Front End Portal Approach
• Authorized SSL VPN applications “injected” into existing infrastructure

Front Traversal • SSL VPN Class Device
SSL VPN solution comprised of:
• Tunneling – transferring web and non-web application traffic over SSL
• Client-side security – security compliance check, cache cleaning, timeouts
• Authentication – user directories (e.g. Active Directory), strong authentication support, single sign-on
• Authorization – allow/deny access to applications
• Portal – user experience, GUI
[Diagram: Client → SSL VPN Gateway (Management: Authentication, Authorization, Portal, Tunneling, Security) → Applications: Web, Simple TCP, Other non-Web]

Front Traversal • Why push protection forward


Rear Firewall Traversal
DMZ Traversal

Rear Traversal • Rear End Traversal
[Diagram: DMZ - Internal Network]
• Full tunnel penetration (IPsec tunnels et al.)
• Reverse proxy with protocol inspection and auth
• Selective port opening with application-aware device
• Selective port opening with dumb device

Exchange 2007 Enterprise Topology
[Diagram: Internet → Edge Transport → Hub Transport (Routing, Hygiene, Routing Policy) → Mailbox; Client Access (Applications: OWA; Protocols: ActiveSync, POP, IMAP, RPC / HTTP…; Programmability: Web services, Web parts); Unified Messaging (PBX or VoIP, Voice Messaging, Fax); Public Folders; Other SMTP Servers; Enterprise Network]

Rear Traversal • Ports required by Exchange 2000 • Ports required by Exchange 2003
• TCP 80 for HTTP, 143 for IMAP, 110 for POP, 25 for SMTP
• 691 for Link State Algorithm routing protocol (2000)
• TCP/UDP port 389 for LDAP to Directory Service
• TCP port 3268 for LDAP to Global Catalog server
• TCP/UDP port 88 for Kerberos authentication
• TCP/UDP port 53 – DNS
• TCP port 135 – RPC endpoint mapper
• TCP ports 1024+ – RPC service ports (unless DC and Exchange are restricted to a range)
• IPsec between the front-end and back-end: open the appropriate ports (ESP, AH), UDP port 500 –


Rear Traversal • Windows for any forest traffic
Windows Server 2003 and Windows 2000 Server: mixed-mode domain with either Windows NT domain controllers or legacy clients, or a trust relationship between two Server 2003-based or 2000 Server-based domain controllers that are not in the same forest.

Client Port(s)            Server Port     Service
1024-65535/TCP            135/TCP         RPC *
1024-65535/TCP/UDP        389/TCP/UDP     LDAP
1024-65535/TCP            636/TCP         LDAP SSL
1024-65535/TCP            3268/TCP        LDAP GC
1024-65535/TCP            3269/TCP        LDAP GC SSL
53,1024-65535/TCP/UDP     53/TCP/UDP      DNS
1024-65535/TCP/UDP        88/TCP/UDP      Kerberos
1024-65535/TCP            445/TCP         SMB
1024-65535/TCP            135/TCP         RPC *
137/UDP                   137/UDP         NetBIOS Name
138/UDP                   138/UDP         NetBIOS Netlogon and Browsing
1024-65535/TCP            139/TCP         NetBIOS Session
1024-65535/TCP            42/TCP          WINS Replication
Not Applicable            ICMP            Group Policy

Forest Permissions Warning!
Windows 2000 and Windows Server 2003 try to contact the remote user's PDC emulator master for resolution of remote user names over UDP 138. Make sure that all Windows 2000-based and Windows Server 2003-based member servers in DMZs that will be granting access to resources have UDP 138 connectivity to the remote PDC of the domain in question!

RPC • Killing Firewalls since 1983 • RPC invalidates port approaches
[Diagram: RPC client (Outlook) ↔ RPC server (Exchange)]
Endpoint mapper table on the server (RPC services grab random high ports when they start; the server maintains the table):
Service          UUID                  Port
Exchange         {12341234-1111…       4402
AD replication   {01020304-4444…       3544
MMC              {19283746-7777…       9233
1. Client knows the UUID of the service it wants ({12341234-1111…}) and connects to the portmapper on the server (port 135/tcp)
2. Client asks, “What port is associated with my UUID?”
3. Server matches the UUID to the current port… the portmapper responds with the port (4402/tcp) and closes the connection (not a secondary connection)
4. Client accesses the application over the learned port (4402/tcp)
Due to the random nature of RPC, this is not feasible over the Internet: all 64,512 high ports & port 135 must be opened on traditional firewalls.

RPC • Traversing Rear FW RPC
Option 1: Limiting port ranges used by RPC – KB 154596
• Allows all BEHAVIOURS to pass through
• Does not stop any specific attack or application
• Requires setting on the destination machine, as it controls the RPC DCE sequence
• Uses the Internet key under HKLM\Software\Microsoft\Rpc\Internet: add the values "Ports" (MULTI_SZ), "PortsInternetAvailable" (REG_SZ), and "UseInternetPorts" (REG_SZ)
• Recommended minimum port range is 100
• Can’t use DCOM RPC through NAT. DCOM stores raw IP addresses in the interface marshalling packets; if the client cannot connect to the address specified in the packet, DCOM fails


Option 2: Inspection through RPC-aware firewall
demo: RPC protocol protection by UUID
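The endpoint-mapper exchange from the RPC slide, the port-only rule set it forces on a dumb rear firewall (the "1024-65535/TCP → 135/TCP RPC *" rows of the port table), Option 1's restricted range and Option 2's UUID-aware check, as one added example that is not from the deck: a small model of the mapper table and the two connections a client makes, with functions that count what a port-centric device must open before and after KB 154596's range restriction, render that KB's registry values as .reg text, and admit a bind only for an allow-listed interface UUID. The interface UUIDs and the 5000-5099 range are constructed (the slide's UUIDs are truncated); the value names and "Y" settings are those KB 154596 documents.

```python
"""Added example (not from the slides): a model of the RPC endpoint-mapper
exchange and of two ways a rear firewall can cope with it. It computes the
port-only rule set a dumb device needs (135/tcp plus every dynamic port),
shows how far the KB 154596 restricted range (Option 1) shrinks that set,
renders the registry values from that KB as .reg text, and implements an
RPC-aware check that admits a bind only for an allow-listed interface UUID
(Option 2). Interface UUIDs and port numbers are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

EPM_PORT = 135                          # endpoint mapper ("portmapper") on the server
DEFAULT_DYNAMIC = range(1024, 65536)    # the 64,512 high ports from the slide
RESTRICTED = range(5000, 5100)          # constructed 100-port range (the KB minimum)


@dataclass
class RpcServer:
    """Endpoint mapper table, UUID -> port, filled as services start up."""
    port_range: range
    table: Dict[str, int] = field(default_factory=dict)

    def register(self, uuid: str) -> int:
        """A service grabs the next free port from the configured range."""
        used = set(self.table.values())
        for port in self.port_range:
            if port not in used:
                self.table[uuid] = port
                return port
        raise RuntimeError("dynamic port range exhausted")

    def lookup(self, uuid: str) -> Optional[int]:
        """'What port is associated with my UUID?'"""
        return self.table.get(uuid)


def dumb_firewall_ports(port_range: range) -> Set[int]:
    """Ports a port-centric device must open: 135 plus the whole range."""
    return {EPM_PORT} | set(port_range)


def rpc_session(server: RpcServer, uuid: str, open_ports: Set[int]) -> List[Tuple[str, str]]:
    """Model the slide's exchange: client -> 135/tcp, the mapper answers and
    closes, the client opens a second connection to the learned port."""
    if EPM_PORT not in open_ports:
        return [("epm", "135/tcp blocked")]
    port = server.lookup(uuid)
    steps = [("epm", f"{uuid} -> {port}")]
    if port is None:
        steps.append(("bind", "unknown interface"))
    elif port in open_ports:
        steps.append(("bind", f"{port}/tcp allowed"))
    else:
        steps.append(("bind", f"{port}/tcp blocked"))
    return steps


def rpc_aware_allows(server: RpcServer, uuid: str, allowed: Set[str]) -> bool:
    """Option 2: the device reads the mapper reply and admits the secondary
    connection only if the interface UUID is on its allow list."""
    return uuid in allowed and server.lookup(uuid) is not None


def multi_sz_hex(values: List[str]) -> str:
    """REG_MULTI_SZ as .reg hex(7): UTF-16LE strings, each NUL-terminated,
    followed by one more NUL."""
    data = b"".join(v.encode("utf-16-le") + b"\x00\x00" for v in values) + b"\x00\x00"
    return ",".join(f"{b:02x}" for b in data)


def internet_key_reg(ports: range) -> str:
    """Option 1 values (KB 154596) under HKLM\\Software\\Microsoft\\Rpc\\Internet."""
    spec = f"{ports.start}-{ports.stop - 1}"
    return "\n".join([
        "Windows Registry Editor Version 5.00",
        "",
        r"[HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet]",
        f'"Ports"=hex(7):{multi_sz_hex([spec])}',
        '"PortsInternetAvailable"="Y"',
        '"UseInternetPorts"="Y"',
    ])


# Constructed interfaces (the slide's UUIDs are truncated, so these are made up).
EXCHANGE_UUID = "12341234-1111-2222-3333-444444444444"
MMC_UUID = "19283746-7777-8888-9999-aaaaaaaaaaaa"

if __name__ == "__main__":
    srv = RpcServer(RESTRICTED)
    srv.register(EXCHANGE_UUID)
    srv.register(MMC_UUID)
    print("dumb device, default range:", len(dumb_firewall_ports(DEFAULT_DYNAMIC)), "ports")
    print("dumb device, restricted range:", len(dumb_firewall_ports(RESTRICTED)), "ports")
    print(rpc_session(srv, EXCHANGE_UUID, dumb_firewall_ports(RESTRICTED)))
    print("RPC-aware, Exchange allowed:", rpc_aware_allows(srv, EXCHANGE_UUID, {EXCHANGE_UUID}))
    print("RPC-aware, MMC allowed:", rpc_aware_allows(srv, MMC_UUID, {EXCHANGE_UUID}))
    print(internet_key_reg(RESTRICTED))
```

The two numbers side by side are the slide's argument in miniature: the dumb device goes from 64,513 open ports to 101, but every interface registered in that range (Exchange and MMC alike) still passes, which is what "allows all BEHAVIOURS to pass through" means; only the UUID-aware check distinguishes the interface you meant to publish from the ones that merely share the range.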

IPSEC • Traversing Rear FW
Option 3: IPSEC encapsulation
• This is a complete rear firewall bypass – don't fool yourself otherwise.
• You can use IPSEC tunnel filtering at the host and client to limit ports inside the tunnel at either endpoint
• You don't have to encrypt the traffic – you can leave it ESP Null (and use Authentication Header only); most analysers can't tell the difference
• Best way to automate the process is to use the Security Configuration Wizard in Windows Server 2003 to set up the IPSEC policy for you.
• KB 233256 has info on passing IPSEC through firewalls – summarised here

DMZ Evolution
Change of Times, Change of Threats, Change of Tactics


Re-MZ • Combine Front End and Rear End Traversal Tactics
• Portal or reverse-proxy type solution in front, with domain isolation for rear zones
• Firewall auths everything that it can, protocol-inspects the rest, and sends traffic to constrained networks
• Firewall is changing most IPs to look like they come from it, so IPSEC tunnels internally work from the firewall.

Domain Isolation • Wipe Out Attack Classes • example
[Diagram: Internet → redundant routers → auth firewalls (Intelligent Application Gateways) → control zones, each its own control zone: Presentation Outbound Proxy Zone; Inbound Proxy; Infrastructure Network – Internal Active Directory; Messaging Network – Exchange FE; Messaging Network – Exchange BE; Management Network – MOM, deployment; Client Networks 1…n; RADIUS Network; Intranet Network – Web Servers; Data Network – SQL Server Clusters; Application Servers; Extranet Data Network – SQL; NIC teams/switches]

Summary • The model has to change
• The people, the culture, and the technology have to evolve
• This is an example of architecture that has to change
• We are better at this stuff than they think…