SEC413: Protecting Exchange And OWA With ISA Server

Today's Agenda
- Blow through this real fast so it doesn't look like we're complaining (too much)
  - RPC operation, perception problems
  - OWA
  - VPNs
  - IPSec
- Spend the bulk of our time here
  - Exchange publishing with ISA
MAPI? No way!
- Uh, well, yes way
- Users want full Outlook® functionality
- Was difficult—impossible, even—for a long time
  - RPC security problems
  - RPC performance problems
  - RPC perception problems

Why's RPC So Bad?
- Not in an enterprise, it isn't
- But for carriers, or transmission over a public network, it's anathema
  - Er, assumed to be an anathema, anyway
- RPC has this dynamic port behavior, which ISPs and ASPs don't like
RPC 101: The server
- Server registers application's UUID
- What's a UUID?
  - "Universal" UID
  - Every application's UUID is, well, UU
  - Well-known and common across all platforms

RPC 101: The server
- Then what?
  - At service start, UUID is associated with a free high TCP port
  - Association is static for service lifetime
  - Not always the same port across restarts
- Can you summarize this?
  - Sure; think of a table

  Service          UUID                                 TCP Port
  Exchange         {01020304-1111-2222-3333-aabbcc…     1328
  MMC              {15161718-4444-5555-6666-ffeedd…     9965
  AD replication   {28261513-9999-8888-7777-cdbeaf…     2679
RPC 101: The client
- But wait; is all this UUID stuff important?
  - Sure; it's how ISA makes the Exchange-over-the-Internet thing easy!
- How so?
  - Client can't know in advance which port a service is on
  - Client learns the port through a request-response exchange involving the UUID
- Up next: the process!

RPC 101: The client
1. Client connects to server on 135/tcp (called the portmapper)
2. Client knows UUID of the service it wants
3. Client asks, "Portmapper, what's the port associated with UUID n?"
4. Portmapper responds with the associated port (remember the previous table)
5. Server closes connection
6. Client reconnects to server on the learned port to access the application
RPC Problems
- That portmapper thing sounds pretty cool; so what are all these problems with RPC?
- Well, security, mainly
  - Can't know in advance which port a service will register
  - Reduces firewall to Swiss cheese
  - Some services can be locked to a range
  - Can also set a generic range
  - Extra configuration, though

RPC Problems
- Anything else?
- Performance
  - Many RPC applications can't handle the Internet's latency and jitter very well
- Perception
  - RPC is an "intranet" protocol! Not something that belongs on the Internet!
  - "Protocol purity" arguments are (finally!) losing their validity
  - That port numbers somehow prove traffic validity and intent; false!
Other Alternatives
- Let's just use OWA; after all, doesn't HTTP make the perfect transport?
- HTTP is an application protocol; just because every firewall in the world passes 80/tcp doesn't mean HTTP is good for carrying the world's traffic!
- HTTP is inefficient
- OWA feels slow because of SSL
  - Of course, RPC isn't much faster…
- Not everyone has or likes Internet Explorer

Other Alternatives
- A VPN! Everybody loves VPNs!
- VPNs excel for remote access from the Internet into a corporate network
- For LAN users, VPNs introduce a difficult problem
  - It's the split-tunnel problem, right? What is it?
  - Briefly…
IPSec
- Let's use IPSec between the customer and the ASP
- There's the little NAT problem, remember?
  - Oh yeah
- Yeah; most ASPs and subscribers have NAT, unfortunately
  - IPSec breaks if NAT is in the path
  - Your narrator hates NAT for this and many other reasons; details available!

IPSec Through NAT
- Soon-to-be RFC specifying UDP encapsulation
- Stuff IPSec (IP protocols 50 and 51) into UDP packets
  - Header from hell: IP | UDP | IP | IPSec | next-prot | payload
- Existing NAT devices can handle this
- Requires support at endpoints
  - Windows .NET Server includes it
  - Updates to Windows XP and 2000
Enter ISA!
- So this ISA thing has some real merit, then
- It sure does; amazing, isn't it?
- Details coming up!

ISA Configuration

The LAT
- LAT = local address table
- Defines what's local and what's external, from ISA's POV
- More on network design later

demo: Creating The LAT

Review: LAT contents
- Published servers
  - Exchange
  - OWA
  - SMTP
- Ancillary servers
  - AD
  - Internal DNS
  - No external access: no publishing rules
ISA Server Publishing
- ISA proxy operates in two "directions"
  - Forward proxy
  - Reverse proxy
- Forward proxy
  - Controlling where/when/how users access the world beyond ISA
  - Not used at all here
- Reverse proxy
  - Controlling how the world accesses the network behind ISA
  - This is server and Web publishing

Reverse Proxy Behavior
- Two kinds
  - Server publishing
  - Web publishing
- Differences
  - Packet processing (header construction)
  - Policy element involvement
  - Listeners (for SSL and authentication)
  - SSL handling

Packet Processing
- A.k.a., "transparent reverse proxy"
- Accepts connections from outside
- Generates new packets
  - Preserves original address and port
  - New TCP sequence numbers
- Issues
  - Can't load balance with current NLB
  - Which ISA to send return traffic through?

More On Packet Processing
- Server publishing preserves client source address ("transparent NAT")
- Might cause problems in complex routed networks
  - External addresses in DMZ, for instance
  - ISA can't be default gateway
- ISA SP1 includes a new registry key
  - Changes Exchange RPC and FTP
  - If present, rules now use ISA's inside IP as source address

SSL Handling
- Server publishing passes SSL through to the destination Web server
- Exchange OWA bug
  - Problem with links
  - Fixed in ISA Service Pack 1
- Security?
  - Pros and cons; more later
Policies And Their Elements
- Protocol definitions for inbound traffic
  - The ones we need are already defined
- Site and content rules
  - Where can a LAT member go?
  - What can a LAT member see?
- Protocol rules
  - How can a LAT member operate?
- Packet filters
  - Nothing new needed

demo: Creating Default Site And Content Rule; Creating Default Protocol Rule

Review: S/C and protocol rule
- Site and content rule
  - Generic one allowing everything everywhere always
- Protocol rule
  - Generic rule allowing everything always
  - Or: outbound SMTP and DNS only, in conjunction with client address sets (more to come)
Publishing Rules
- Three publishing rules
  - Exchange RPC – for Outlook
  - HTTPS – for OWA
  - SMTP – for inbound mail
- Protocols already defined
- ISA Server invisible otherwise
  - Will portscan it in a bit
- Let's take a look!

demo: Creating The Publishing Rules

Review: Publishing rules
- Describe functionality of each rule
  - Exchange RPC – for Outlook
  - HTTPS – for OWA
  - SMTP – for inbound mail

Exchange RPC
- Mapped protocol: "Exchange RPC"
- E-RPC rule allows
  - Exchange UUID, none others
  - Authentication carried inside RPC
  - New mail notification (more on this later)
- Operation
  - Rule examines portmapper traffic
  - Opens a packet filter only if the UUID is correct
  - Filter is between client:port and ISA:port
  - ISA generates new packets to Exchange
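The following is an added example, not code from the deck, ISA Server or Windows RPC: a small simulation of the "RPC 101" exchange (client asks the portmapper on 135/tcp for the port bound to a UUID, then reconnects on that port) combined with the gating the Exchange RPC publishing rule performs (watch the portmapper reply, open a packet filter only for the published UUID). The endpoint table reuses the constructed UUIDs and ports from the slide table (padded with zeros where the slide truncates them); the rule tracks filters per client address, a simplification of the client:port/ISA:port filter the slide describes.

```python
"""Simulation of the RPC endpoint-mapper lookup and the UUID check an
Exchange RPC publishing rule applies.  Added example; not ISA code."""
from dataclasses import dataclass, field

PORTMAPPER_PORT = 135

# Constructed endpoint table from the "RPC 101" slide.  The slide truncates
# the UUIDs; they are padded with zeros here purely as placeholders.
ENDPOINT_TABLE = {
    "01020304-1111-2222-3333-aabbcc000000": ("Exchange", 1328),
    "15161718-4444-5555-6666-ffeedd000000": ("MMC", 9965),
    "28261513-9999-8888-7777-cdbeaf000000": ("AD replication", 2679),
}


def portmapper_lookup(uuid):
    """Server side, step 4 of the slide: return the high TCP port that was
    bound to this UUID at service start, or None if nothing registered it."""
    entry = ENDPOINT_TABLE.get(uuid.lower())
    return entry[1] if entry else None


@dataclass
class IsaExchangeRpcRule:
    """Publishing rule: inspects portmapper replies and opens a packet filter
    only when the answered UUID is the one it is allowed to publish."""
    allowed_uuid: str
    open_filters: set = field(default_factory=set)   # {(client_ip, port)}

    def inspect(self, client_ip, uuid, port):
        """Called with each portmapper reply ISA relays.  Returns True if a
        filter was opened for the client toward the learned port."""
        if port is None or uuid.lower() != self.allowed_uuid.lower():
            return False
        self.open_filters.add((client_ip, port))
        return True

    def permits(self, client_ip, port):
        """The portmapper itself is always published; everything else needs a
        filter opened by a matching lookup from that same client."""
        return port == PORTMAPPER_PORT or (client_ip, port) in self.open_filters


def client_session(rule, client_ip, uuid):
    """Client side, steps 1-6: ask the portmapper, then reconnect on the port.
    Returns a short string describing what happened."""
    assert rule.permits(client_ip, PORTMAPPER_PORT)   # step 1: 135/tcp reaches ISA
    port = portmapper_lookup(uuid)                   # steps 3-4: lookup by UUID
    rule.inspect(client_ip, uuid, port)              # ISA watches the reply
    if port is None:
        return "no such service"
    # step 6: reconnect; ISA forwards only if it opened a filter for this UUID
    if rule.permits(client_ip, port):
        return "connected:%d" % port
    return "blocked:%d" % port


if __name__ == "__main__":
    rule = IsaExchangeRpcRule(allowed_uuid="01020304-1111-2222-3333-aabbcc000000")
    for uuid in ENDPOINT_TABLE:
        print(ENDPOINT_TABLE[uuid][0], "->", client_session(rule, "192.0.2.10", uuid))
```

Run as a script it shows the Exchange lookup succeeding on 1328 while the MMC and AD replication lookups are answered by the portmapper but then blocked on their learned ports, which is the "Exchange UUID, none others" behaviour of the rule; a second client that never did the lookup gets nothing but 135/tcp.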
HTTPS (SSL)
- Mapped protocol: "HTTPS server"
- ISA listens on 443/tcp
- Receives inbound traffic
- Regenerates new packets and forwards to OWA server
  - Preserves source address and port, remember

HTTPS (SSL): Security
- What if inspection is required?
  - Use Web publishing instead (and listeners!)
  - ISA boxes will need more power—consider hardware encryption cards
- SSL termination
  - SSL stops at ISA; cleartext from ISA to OWA
  - Certificate per ISA server
- SSL bridging
  - SSL from client to ISA; new SSL from ISA to OWA
  - Need certificates for ISA and OWA servers

HTTPS (SSL): Bug
- Problem is with SSL termination
- ISA accepts HTTPS from client
- Sends HTTP to OWA
- OWA's links, then, are HTTP rather than HTTPS
- Client surfing breaks

HTTPS (SSL): Solution
- Need to have a special HTTP header
  - FrontEndHttps: On
  - In the stream between OWA and Exchange
- ISA Service Pack 1
  - New registry key
  - Adds the header to the OWA-Exchange stream
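An added illustration of the bug and the fix, not code from the deck or from ISA/OWA: a model of a terminating proxy that always speaks plain HTTP to the back end, and a back end that builds absolute links from the scheme it sees unless a FrontEndHttps: On header tells it the client-facing leg was HTTPS. The link-building logic and the hostname are assumptions made for the example; the only published port (443) comes from the deck.

```python
"""SSL termination vs. OWA link generation, and the FrontEndHttps header.
Added example; the back-end behaviour is a simplified model, not OWA code."""

PUBLISHED_PORTS = {443}   # ISA publishes HTTPS only for OWA (from the deck)


def owa_build_link(hop_scheme, headers, host, path):
    """Model back end: derive the scheme for absolute links from the hop it
    received the request on, unless FrontEndHttps: On overrides it."""
    if headers.get("FrontEndHttps", "").lower() == "on":
        scheme = "https"
    else:
        scheme = hop_scheme
    return "%s://%s%s" % (scheme, host, path)


def terminating_proxy(client_scheme, host, path, sp1_header=False):
    """ISA with SSL termination: whatever the client used, the hop to OWA is
    plain HTTP.  With sp1_header=True it adds the header SP1 adds."""
    headers = {"Host": host}
    if sp1_header and client_scheme == "https":
        headers["FrontEndHttps"] = "On"
    return owa_build_link("http", headers, host, path)


def link_reaches_owa(link):
    """Would a client following this link reach a published port on ISA?
    ISA silently drops anything not published, so an http:// link (80/tcp)
    never gets through: that is the 'client surfing breaks' symptom."""
    scheme = link.split("://", 1)[0]
    port = 443 if scheme == "https" else 80
    return port in PUBLISHED_PORTS


if __name__ == "__main__":
    host, path = "owa.example.test", "/exchange/"   # constructed
    broken = terminating_proxy("https", host, path)
    fixed = terminating_proxy("https", host, path, sp1_header=True)
    print("without header:", broken, "reachable:", link_reaches_owa(broken))
    print("with header:   ", fixed, "reachable:", link_reaches_owa(fixed))
```

SSL bridging avoids the problem differently: the back end then sees HTTPS on its own hop, so no header is needed, at the cost of a second certificate and a second handshake per connection.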
SMTP
- Mapped protocol: "SMTP server"
- Typical ISA reverse proxy behavior
- SMTP filter provides protection
  - Attachment disposition
  - Rejected senders and domains
  - SMTP command validation and limitations
  - Keyword filtering
demo: Portscan The ISA computer

Review: ISA's security
- Visible ports
  - 25/tcp: SMTP
  - 135/tcp: RPC portmapper
  - 443/tcp: SSL
- ISA drops packets not matching published services
  - Better than sending RST (reset)
  - IPSec filtering also silently drops unmatched traffic
  - IP stack filtering doesn't

Good Internet Citizenship
- Improve resistance to compromise
- Allow only outbound SMTP and DNS
  - For new connections only
  - Doesn't block outbound return traffic
- Much harder to
  - Download code onto compromised servers (no TFTP now)
  - Hijack as DDoS constellation member
- Use client address sets and protocol rules

demo: Creating The Client Address Set And The Protocol Rules

Review: Client address set
- Address set for SMTP bridgehead servers
  - Need only one
  - Contains IP addresses (or range) of all servers
- Component of protocol rule

Review: Protocol rules
- Limit what LAT computers can do outbound
  - Not what they can respond to, however
- Need two rules
- Use existing protocol definitions
  - "DNS query"
  - "SMTP"
- Rule applies to the client address set created earlier
New Mail Notification

Setup
1. User logs into Exchange
2. Client picks random high UDP port ("new-mail-port")
3. Exchange adds entry to table

  User      Client IP address   New-mail-port
  ZaphodB   131.107.39.42       37291
  ArthurD   157.54.42.69        12193
  FordP     42.204.231.239      53412

You've Got Mail!
1. Exchange has new mail for user
2. Exchange looks in table, finds user's IP address and new-mail-port
3. Exchange sends a single UDP packet to the client, indicating new mail is on the server

ISA's Exchange RPC rule accommodates this transparently—no special configuration required

Problems With NAT
- Client accessed through NAT address
- UDP registration done with original address, though
- UDP packet to NAT-address:new-mail-port will get dropped
- No NAT editors for this
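The following is an added simulation, not code from the deck or from Exchange, of the notification table above and of why the UDP notification fails behind NAT. It models a stateful NAT that only knows about flows the inside host initiated (there is no "NAT editor" that understands the registration), then tries both ways the packet could be addressed: to the private address the client registered (unroutable from the Internet) and to NAT-address:new-mail-port (no mapping, dropped). The NAT's public address reuses the slide's 131.107.39.42; the private client address and the RPC source port are constructed.

```python
"""New-mail notification through NAT: why the single UDP packet is lost.
Added example; the NAT and Exchange behaviour are simplified models."""
import ipaddress


class ExchangeNotifier:
    """The slide's table: user -> (client IP as registered, new-mail-port)."""

    def __init__(self):
        self.table = {}

    def register(self, user, client_ip, new_mail_port):
        self.table[user] = (client_ip, new_mail_port)

    def notify(self, user):
        """'You've got mail': one UDP packet to the registered IP and port."""
        ip, port = self.table[user]
        return {"proto": "udp", "dst": ip, "dport": port}


class StatefulNat:
    """Port-translating NAT: a mapping exists only for flows the inside host
    opened.  Unsolicited inbound packets have no mapping and are dropped."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.mappings = {}   # (proto, public port) -> (inside ip, inside port)

    def outbound(self, proto, inside_ip, inside_port):
        public_port = 40000 + len(self.mappings)   # constructed allocation
        self.mappings[(proto, public_port)] = (inside_ip, inside_port)
        return self.public_ip, public_port

    def inbound(self, pkt):
        key = (pkt["proto"], pkt["dport"])
        if pkt["dst"] != self.public_ip or key not in self.mappings:
            return None
        inside_ip, inside_port = self.mappings[key]
        return dict(pkt, dst=inside_ip, dport=inside_port)


def deliver(pkt, nat=None):
    """Carry a notification from Exchange, across the Internet, to the client."""
    if ipaddress.ip_address(pkt["dst"]).is_private:
        return "dropped: private destination is unroutable from the Internet"
    if nat is not None and pkt["dst"] == nat.public_ip:
        inner = nat.inbound(pkt)
        if inner is None:
            return "dropped: NAT has no mapping for unsolicited UDP"
        return "delivered to %s:%d" % (inner["dst"], inner["dport"])
    return "delivered to %s:%d" % (pkt["dst"], pkt["dport"])


def scenario_direct():
    """ZaphodB from the slide table, reachable directly (no NAT)."""
    ex = ExchangeNotifier()
    ex.register("ZaphodB", "131.107.39.42", 37291)
    return deliver(ex.notify("ZaphodB"))


def scenario_behind_nat(register_nat_address=False):
    """Same user, but the client is a private host behind NAT.  The NAT only
    has a mapping for the RPC session the client opened (constructed port)."""
    nat = StatefulNat("131.107.39.42")
    client_ip, new_mail_port = "10.1.2.3", 37291
    nat.outbound("tcp", client_ip, 3001)
    ex = ExchangeNotifier()
    registered = nat.public_ip if register_nat_address else client_ip
    ex.register("ZaphodB", registered, new_mail_port)
    return deliver(ex.notify("ZaphodB"), nat)


if __name__ == "__main__":
    print("no NAT:              ", scenario_direct())
    print("NAT, original addr:  ", scenario_behind_nat())
    print("NAT, NAT-address:    ", scenario_behind_nat(register_nat_address=True))
```

This is why the deck falls back to the second method (the flag on the regular RPC poll) for clients behind NAT: that traffic rides the TCP session the NAT already has a mapping for.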
Second Method
- Client usually makes an RPC connection to the server every 30-90 seconds
- Server inserts new mail notification flag into return packets
- But, it's broken!
  - Doesn't work if there's an error in the RPC packets
  - Outlook stops processing the packet, never sees the notification flag at the end
  - There is a QFE to fix it both for Outlook 2000 and Outlook XP

Workarounds
- Outlook 2000
  - Press [F9] to check
- Outlook XP
  - Press [F9] to check
  - Configure polling
    - Simple request-response over RPC
    - As before, if the packet has an error, the client doesn't see the flag – QFE fixes this too
Other Network Requirements

Network design
- Simple—deceptively so, really
- No notion of "front-net" and "back-net"
  - If the inside firewall allows connections from the DMZ, what good is it?
- All services live behind ISA
- ISA only allows inbound communication to known servers over known protocols
- No firewall traversal problems for authentication

Network Diagram
[Figure: Internet – router – eDNS – ISA – iDNS, Exchange cluster, OWA, SMTP, AD]

Clients Behind Firewalls
- It's still an RPC connection
  - To ISA, not Exchange
- Some networks might not permit this
  - Possibly might if ports are known
  - Need to fix the Exchange RPC listener's ports
- Service Pack 1, again
  - Uses the same registry keys as Exchange does to perform the same function
Border Routers
- Put anti-spoofing rules here
  - Eliminates most conditions for DDoS attacks and constellations
- Rule types
  - Inbound rule for blocking DDoS attacks
  - Outbound rule for preventing constellation membership
  - Block private addresses
  - Block source-routed packets
  - Block fragments – with caution!

Router Configuration
- Inbound: block where source address = own subnet
- Outbound: block where source address ≠ own subnet
- Private addresses: block all where source|destination = RFC 1918
- Source routed: block all where source route is specified
- Fragments: block all
  - Most fragments are parts of attacks
  - Except IPSec and VPNs, however
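The five router rules above, written out as a classification function over constructed packets so each rule's effect (and the fragment caveat for IPSec) can be checked. This is an added example, not a router configuration from the deck; the "own subnet" 203.0.113.0/24, the sample packets and the packet field names are assumptions made for the example.

```python
"""Border-router anti-spoofing rules from the "Router Configuration" slide,
as a packet classifier.  Added example; subnet and packets are constructed."""
import ipaddress

OWN_SUBNET = ipaddress.ip_network("203.0.113.0/24")   # constructed
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# The slide's caveat: fragments of IPSec/VPN traffic must still pass.
FRAGMENT_EXEMPT_PROTOS = {"esp", "ah"}


def in_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def border_filter(direction, pkt):
    """Apply the slide's rules in order.  direction is 'in' (from the
    Internet toward own subnet) or 'out'.  Returns (verdict, reason)."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    # Inbound: our own addresses can never legitimately arrive from outside.
    if direction == "in" and src in OWN_SUBNET:
        return ("drop", "inbound packet claims own subnet as source")
    # Outbound: only our own addresses may leave; stops a compromised host
    # from sourcing spoofed traffic as a DDoS constellation member.
    if direction == "out" and src not in OWN_SUBNET:
        return ("drop", "outbound packet with foreign source")
    if in_rfc1918(src) or in_rfc1918(dst):
        return ("drop", "RFC 1918 address")
    if pkt.get("source_route"):
        return ("drop", "source-routed")
    if pkt.get("fragment"):
        if pkt.get("proto") in FRAGMENT_EXEMPT_PROTOS:
            return ("permit", "IPSec fragment")
        return ("drop", "fragment")
    return ("permit", "ok")


def audit(direction, packets):
    """Verdict per packet, handy for checking a rule set against a sample."""
    return [border_filter(direction, p)[0] for p in packets]


if __name__ == "__main__":
    samples = [   # constructed packets
        {"src": "203.0.113.7", "dst": "203.0.113.1", "proto": "tcp"},
        {"src": "10.0.0.5", "dst": "203.0.113.1", "proto": "tcp"},
        {"src": "198.51.100.9", "dst": "203.0.113.1", "proto": "tcp",
         "source_route": True},
        {"src": "198.51.100.9", "dst": "203.0.113.1", "proto": "udp",
         "fragment": True},
        {"src": "198.51.100.9", "dst": "203.0.113.1", "proto": "esp",
         "fragment": True},
        {"src": "198.51.100.9", "dst": "203.0.113.1", "proto": "tcp"},
    ]
    for p in samples:
        print(p["src"], "->", p["dst"], border_filter("in", p))
```

The order matters only for the reason reported; every rule is a drop except the fragment exemption, which is the one place the slide asks for caution: dropping all fragments at the border also kills UDP-encapsulated IPSec and VPN traffic that legitimately fragments.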
DNS Configuration
- Need two DNS servers
  - Internal, for servers to find each other and for AD
  - External, for SMTP to find the world
- Called "split" DNS
- External DNS lives outside ISA – it's the only thing that does
- "Split-split" DNS prevents cache-poisoning attacks
  - See http://www.sans.org for details

DNS Records
- For internal DNS, dynamic registration is fine
- For external
  - "A" records for Exchange, OWA, and SMTP servers
  - "MX" records for SMTP servers
  - "A" records actually point to ISA's external interface
More Information
- http://www.microsoft.com/isaserver
- http://www.isainfo.org
- Microsoft Consulting Services
- Coming soon – your local Exchange ASP!

If you have any questions, please join the Microsoft Chinese newsgroup to continue the discussion: http://www.microsoft.com/china/community

© 2002 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.