
SEC413: Protecting Exchange And OWA With ISA Server


Page 1: SEC413: Protecting Exchange And OWA With ISA Server

SEC413: Protecting Exchange And OWA With ISA Server

Page 2: SEC413: Protecting Exchange And OWA With ISA Server
Page 3: SEC413: Protecting Exchange And OWA With ISA Server

Today’s Agenda
- Blow through this real fast so it doesn’t look like we’re complaining (too much)
  - RPC operation, perception problems
  - OWA
  - VPNs
  - IPSec
- Spend the bulk of our time here
  - Exchange publishing with ISA

Page 4: SEC413: Protecting Exchange And OWA With ISA Server

MAPI? No way!
- Uh, well, yes way
- Users want full Outlook® functionality
- Was difficult—impossible, even—for a long time
  - RPC security problems
  - RPC performance problems
  - RPC perception problems

Page 5: SEC413: Protecting Exchange And OWA With ISA Server

Why’s RPC So Bad?
- Not in an enterprise, it isn’t
- But for carriers, or transmission over a public network, it’s anathema
  - Er, assumed to be an anathema, anyway
- RPC has this dynamic port behavior, which ISPs and ASPs don’t like

Page 6: SEC413: Protecting Exchange And OWA With ISA Server

RPC 101: The server
- Server registers application’s UUID
- What’s a UUID?
  - “Universal” UID
  - Every application’s UUID is, well, UU
  - Well-known and common across all platforms

Page 7: SEC413: Protecting Exchange And OWA With ISA Server

RPC 101: The server
- Then what?
  - At service start, UUID is associated with free high TCP port
  - Association is static for service lifetime
  - Not always the same port across restarts
- Can you summarize this?
  - Sure; think of a table

Service          UUID                                  TCP Port
Exchange         {01020304-1111-2222-3333-aabbcc…      1328
MMC              {15161718-4444-5555-6666-ffeedd…      9965
AD replication   {28261513-9999-8888-7777-cdbeaf…      2679

Page 8: SEC413: Protecting Exchange And OWA With ISA Server

RPC 101: The client
- But wait; is all this UUID stuff important?
  - Sure; it’s how ISA makes the Exchange-over-the-Internet thing easy!
- How so?
  - Client can’t know in advance which port a service is on
  - Client learns port through a request-response exchange involving UUID
- Up next: the process!

Page 9: SEC413: Protecting Exchange And OWA With ISA Server

RPC 101: The client
1. Client connects to server on 135/tcp (called the portmapper)
2. Client knows UUID of service it wants
3. Client asks, “Portmapper, what’s the port associated with UUID n?”
4. Portmapper responds with associated port (remember the previous table)
5. Server closes connection
6. Client reconnects to server on learned port to access application

Page 10: SEC413: Protecting Exchange And OWA With ISA Server

RPC Problems
- That portmapper thing sounds pretty cool; so what are all these problems with RPC?
- Well, security, mainly
  - Can’t know in advance which port a service will register
  - Reduces firewall to Swiss cheese
  - Some services can be locked to a range
  - Can also set generic range
  - Extra configuration, though

Page 11: SEC413: Protecting Exchange And OWA With ISA Server

RPC Problems
- Anything else?
- Performance
  - Many RPC applications can’t handle Internet’s latency and jitter very well
- Perception
  - RPC is an “intranet” protocol! Not something that belongs on the Internet!
  - “Protocol purity” arguments are (finally!) losing their validity
  - That port numbers somehow prove traffic validity and intent; false!

Page 12: SEC413: Protecting Exchange And OWA With ISA Server

Other Alternatives
- Let’s just use OWA; after all, doesn’t HTTP make the perfect transport?
- HTTP is an application protocol; just because every firewall in the world passes 80/tcp doesn’t mean HTTP is good for carrying the world’s traffic!
- HTTP is inefficient
  - OWA feels slow because of SSL
  - Of course, RPC isn’t much faster…
- Not everyone has or likes Internet Explorer

Page 13: SEC413: Protecting Exchange And OWA With ISA Server

Other Alternatives
- A VPN! Everybody loves VPNs!
- VPNs excel for remote access from the Internet into a corporate network
- For LAN users, VPNs introduce a difficult problem
  - It’s the split-tunnel problem, right? What is it?
  - Briefly…

Page 14: SEC413: Protecting Exchange And OWA With ISA Server

IPSec
- Let’s use IPSec between the customer and the ASP
- There’s the little NAT problem, remember?
  - Oh yeah
- Yeah; most ASPs and subscribers have NAT, unfortunately
  - IPSec breaks if NAT is in the path
  - Your narrator hates NAT for this and many other reasons; details available!

Page 15: SEC413: Protecting Exchange And OWA With ISA Server

IPSec Through NAT
- Soon-to-be RFC specifying UDP encapsulation
  - Stuff IPSec (IP protocols 50 and 51) into UDP packets
  - Header from hell: IP | UDP | IP | IPSec | next-prot | payload
- Existing NAT devices can handle this
- Requires support at endpoints
  - Windows .NET Server includes
  - Updates to Windows XP and 2000

Page 16: SEC413: Protecting Exchange And OWA With ISA Server

Enter ISA!
- So this ISA thing has some real merit, then
- It sure does; amazing, isn’t it?
- Details coming up!

Page 17: SEC413: Protecting Exchange And OWA With ISA Server

ISA Configuration

Page 18: SEC413: Protecting Exchange And OWA With ISA Server

The LAT
- LAT = local address table
- Defines what’s local and what’s external, from ISA’s POV
- More on network design later

Page 19: SEC413: Protecting Exchange And OWA With ISA Server

demo

Creating The LAT

Page 20: SEC413: Protecting Exchange And OWA With ISA Server

Review: LAT contents
- Published servers
  - Exchange
  - OWA
  - SMTP
- Ancillary servers
  - AD
  - Internal DNS
  - No external access: no publishing rules

Page 21: SEC413: Protecting Exchange And OWA With ISA Server

ISA Server Publishing
- ISA proxy operates in two “directions”
  - Forward proxy
  - Reverse proxy
- Forward proxy
  - Controlling where/when/how users access the world beyond ISA
  - Not used at all here
- Reverse proxy
  - Controlling how the world accesses the network behind ISA
  - This is server and Web publishing

Page 22: SEC413: Protecting Exchange And OWA With ISA Server

Reverse Proxy Behavior
- Two kinds
  - Server publishing
  - Web publishing
- Differences
  - Packet processing (header construction)
  - Policy element involvement
  - Listeners (for SSL and authentication)
  - SSL handling

Page 23: SEC413: Protecting Exchange And OWA With ISA Server

Packet Processing
- A.k.a., “transparent reverse proxy”
  - Accepts connections from outside
  - Generates new packets
  - Preserves original address and port
  - New TCP sequence numbers
- Issues
  - Can’t load balance with current NLB
  - Which ISA to send return traffic through?

Page 24: SEC413: Protecting Exchange And OWA With ISA Server

More On Packet Processing
- Server publishing preserves client source address (“transparent NAT”)
- Might cause problems in complex routed networks
  - External addresses in DMZ, for instance
  - ISA can’t be default gateway
- ISA SP1 includes new registry key
  - Changes Exchange RPC and FTP
  - If present, rules now use ISA’s inside IP as source address

Page 25: SEC413: Protecting Exchange And OWA With ISA Server

SSL Handling
- Server publishing passes SSL through to destination Web server
- Exchange OWA bug
  - Problem with links
  - Fixed in ISA Service Pack 1
- Security?
  - Pros and cons; more later

Page 26: SEC413: Protecting Exchange And OWA With ISA Server

Policies And Their Elements
- Protocol definitions for inbound traffic
  - The ones we need are already defined
- Site and content rules
  - Where can a LAT member go?
  - What can a LAT member see?
- Protocol rules
  - How can a LAT member operate?
- Packet filters
  - Nothing new needed

Page 27: SEC413: Protecting Exchange And OWA With ISA Server

demo

Creating Default Site And Content Rule; Creating Default Protocol Rule

Page 28: SEC413: Protecting Exchange And OWA With ISA Server

Review: S/C and protocol rule
- Site and content rule
  - Generic one allowing everything everywhere always
- Protocol rule
  - Generic rule allowing everything always
  - Or: outbound SMTP and DNS only, in conjunction with client address sets (more to come)

Page 29: SEC413: Protecting Exchange And OWA With ISA Server

Publishing Rules
- Three publishing rules
  - Exchange RPC – for Outlook
  - HTTPS – for OWA
  - SMTP – for inbound mail
- Protocols already defined
- ISA Server invisible otherwise
  - Will portscan it in a bit
- Let’s take a look!

Page 30: SEC413: Protecting Exchange And OWA With ISA Server

demo

Creating The Publishing Rules

Page 31: SEC413: Protecting Exchange And OWA With ISA Server

Review: Publishing rules
- Describe functionality of each rule
  - Exchange RPC – for Outlook
  - HTTPS – for OWA
  - SMTP – for inbound mail

Page 32: SEC413: Protecting Exchange And OWA With ISA Server

Exchange RPC
- Mapped protocol: “Exchange RPC”
- E-RPC rule allows
  - Exchange UUID, none others
  - Authentication carried inside RPC
  - New mail notification (more on this later)
- Operation
  - Rule examines portmapper traffic
  - Opens packet filter only if correct UUID
  - Filter is between client:port and ISA:port
  - ISA generates new packets to Exchange
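A toy model of the portmapper lookup from the “RPC 101” slides and of the Exchange RPC rule described on this slide, added here as an example (it is not ISA’s code). The UUIDs, dynamic ports and client addresses are constructed, and the filter is simplified to key on client address and ISA port.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

PORTMAPPER_PORT = 135

# Endpoint-mapper table on the published server: UUID -> dynamic high TCP
# port, bound at service start and static for the service's lifetime.
# Constructed values, modelled on the table in the slides (UUIDs are made up).
EXCHANGE_UUID = "01020304-1111-2222-3333-aabbccddeeff"
MMC_UUID = "15161718-4444-5555-6666-ffeeddccbbaa"
AD_REPL_UUID = "28261513-9999-8888-7777-cdbeaf012345"
ENDPOINT_TABLE: Dict[str, int] = {EXCHANGE_UUID: 1328, MMC_UUID: 9965, AD_REPL_UUID: 2679}


def portmapper_lookup(uuid: str) -> Optional[int]:
    """Steps 3-4 of 'RPC 101: The client': which port is UUID n on?"""
    return ENDPOINT_TABLE.get(uuid)


@dataclass
class ExchangeRpcFilter:
    """Models the ISA 'Exchange RPC' publishing rule: only 135/tcp is reachable
    until a portmapper reply for an allowed UUID is seen, then one dynamic-port
    filter is opened for that client. Assumption: the filter is keyed on client
    address and ISA port (the slide's 'client:port and ISA:port')."""
    allowed_uuids: frozenset = frozenset({EXCHANGE_UUID})
    open_filters: set = field(default_factory=set)  # {(client_addr, isa_port)}

    def inspect_portmapper_reply(self, client: str, uuid: str) -> bool:
        """ISA watches the portmapper answer a UUID query. Returns True if a
        dynamic-port filter was opened; unpublished UUIDs open nothing."""
        port = portmapper_lookup(uuid)
        if uuid not in self.allowed_uuids or port is None:
            return False
        self.open_filters.add((client, port))
        return True

    def permits(self, client: str, dst_port: int) -> bool:
        """Packet-filter decision for an inbound SYN to ISA's external address.
        Anything not matching a published service is dropped, not reset."""
        if dst_port == PORTMAPPER_PORT:
            return True
        return (client, dst_port) in self.open_filters


def client_session(flt: ExchangeRpcFilter, client: str, uuid: str) -> dict:
    """Walks the client steps from the slides for one UUID and reports which
    hops got through the filter (step 5, the server closing 135, has no
    filter effect and is omitted)."""
    hit_portmapper = flt.permits(client, PORTMAPPER_PORT)        # step 1
    opened = flt.inspect_portmapper_reply(client, uuid)          # steps 3-4
    port = portmapper_lookup(uuid)                               # step 4
    reconnect = port is not None and flt.permits(client, port)   # step 6
    return {"portmapper": hit_portmapper, "filter_opened": opened,
            "port": port, "reconnect_allowed": reconnect}


if __name__ == "__main__":
    f = ExchangeRpcFilter()
    print(client_session(f, "203.0.113.10", EXCHANGE_UUID))  # reconnect allowed on 1328
    print(client_session(f, "203.0.113.10", MMC_UUID))       # MMC UUID: nothing opened
```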

Page 33: SEC413: Protecting Exchange And OWA With ISA Server

HTTPS (SSL)
- Mapped protocol: “HTTPS server”
- ISA listens on 443/tcp
- Receives inbound traffic
- Regenerates new packets and forwards to OWA server
- Preserves source address and port, remember

Page 34: SEC413: Protecting Exchange And OWA With ISA Server

HTTPS (SSL): Security
- What if inspection is required?
  - Use Web publishing instead (and listeners!)
  - ISA boxes will need more power—consider hardware encryption cards
- SSL termination
  - SSL stops at ISA; cleartext from ISA to OWA
  - Certificate per ISA server
- SSL bridging
  - SSL from client to ISA; new SSL from ISA to OWA
  - Need certificates for ISA and OWA servers

Page 35: SEC413: Protecting Exchange And OWA With ISA Server

HTTPS (SSL): Bug
- Problem is with SSL termination
  - ISA accepts HTTPS from client
  - Sends HTTP to OWA
  - OWA’s links, then, are HTTP rather than HTTPS
  - Client surfing breaks

Page 36: SEC413: Protecting Exchange And OWA With ISA Server

HTTPS (SSL): Solution
- Need to have special HTTP header
  - FrontEndHttps: On
  - In stream between OWA and Exchange
- ISA Service Pack 1
  - New registry key
  - Adds header to OWA-Exchange stream

Page 37: SEC413: Protecting Exchange And OWA With ISA Server

SMTP
- Mapped protocol: “SMTP server”
- Typical ISA reverse proxy behavior
- SMTP filter provides protection
  - Attachment disposition
  - Rejected senders and domains
  - SMTP command validation and limitations
  - Keyword filtering

Page 38: SEC413: Protecting Exchange And OWA With ISA Server

demo

Portscan The ISA computer

Page 39: SEC413: Protecting Exchange And OWA With ISA Server

Review: ISA’s security
- Visible ports
  - 25/tcp   SMTP
  - 135/tcp  RPC portmapper
  - 443/tcp  SSL
- ISA drops packets not matching published services
  - Better than sending RST (reset)
  - IPSec filtering also silently drops unmatched traffic
  - IP stack filtering doesn’t

Page 40: SEC413: Protecting Exchange And OWA With ISA Server

Good Internet Citizenship
- Improve resistance to compromise
- Allow only outbound SMTP and DNS
  - For new connections only
  - Doesn’t block outbound return traffic
- Much harder to
  - Download code onto compromised servers (no TFTP now)
  - Hijack as DDoS constellation member
- Use client address sets and protocol rules

Page 41: SEC413: Protecting Exchange And OWA With ISA Server

demo

Creating The Client Address Set And The Protocol Rules

Page 42: SEC413: Protecting Exchange And OWA With ISA Server

Review: Client address set
- Address set for SMTP bridgehead servers
  - Need only one
  - Contains IP addresses (or range) of all servers
- Component of protocol rule

Page 43: SEC413: Protecting Exchange And OWA With ISA Server

Review: Protocol rules
- Limit what LAT computers can do outbound
  - Not what they can respond to, however
- Need two rules
  - Use existing protocol definitions
    - “DNS query”
    - “SMTP”
- Rule applies to client address set created earlier

Page 44: SEC413: Protecting Exchange And OWA With ISA Server

New Mail Notification

Page 45: SEC413: Protecting Exchange And OWA With ISA Server

Setup
1. User logs into Exchange
2. Client picks random high UDP port (“new-mail-port”)
3. Exchange adds entry to table

User      Client IP address   New-mail-port
ZaphodB   131.107.39.42       37291
ArthurD   157.54.42.69        12193
FordP     42.204.231.239      53412

Page 46: SEC413: Protecting Exchange And OWA With ISA Server

You’ve Got Mail!
1. Exchange has new mail for user
2. Exchange looks in table, finds user’s IP address and new-mail-port
3. Exchange sends single UDP packet to client, indicating new mail is on server

ISA’s Exchange RPC rule accommodates this transparently—no special configuration required

Page 47: SEC413: Protecting Exchange And OWA With ISA Server

Problems With NAT
- Client accessed through NAT address
- UDP registration done with original address, though
- UDP packet to NAT-address:new-mail-port will get dropped
- No NAT editors for this
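A simulation of the new-mail table from the “Setup” slide and of the NAT failure on this slide, added as an example and not part of the deck. The private address behind the NAT is constructed, the public addresses and ports are the slide’s sample values, and the model assumes the datagram is addressed to the NAT address with the registered new-mail-port, as the slide states.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Host:
    """A client that is directly reachable from the Internet."""
    ip: str
    received: List[Tuple[int, str]] = field(default_factory=list)

    def udp_in(self, dst_port: int, payload: str) -> bool:
        self.received.append((dst_port, payload))
        return True


@dataclass
class Nat:
    """Stateful NAT in front of a client: inbound UDP is forwarded only to a
    port the inside host has already sent from. No 'NAT editor' knows about
    the new-mail-port, so the notification has no mapping to match."""
    public_ip: str
    inside: Host
    mappings: Dict[int, Tuple[str, int]] = field(default_factory=dict)  # public port -> (inside ip, port)

    def udp_out(self, inside_port: int, public_port: int) -> None:
        """What a NAT editor (ALG) would have to do on the client's behalf."""
        self.mappings[public_port] = (self.inside.ip, inside_port)

    def udp_in(self, dst_port: int, payload: str) -> bool:
        target = self.mappings.get(dst_port)
        if target is None:
            return False  # no state for this port: silently dropped
        return self.inside.udp_in(target[1], payload)


@dataclass
class Exchange:
    """Exchange's new-mail table, keyed by user as on the 'Setup' slide."""
    table: Dict[str, Tuple[str, int]] = field(default_factory=dict)

    def logon(self, user: str, client_ip_as_seen: str, new_mail_port: int) -> None:
        # Setup steps 2-3: the client picks a random high UDP port and Exchange
        # records it against the address the RPC session arrived from.
        self.table[user] = (client_ip_as_seen, new_mail_port)

    def notify(self, user: str, internet: Dict[str, object]) -> bool:
        # 'You've Got Mail!': one UDP datagram to client-ip:new-mail-port.
        ip, port = self.table[user]
        node = internet.get(ip)
        return node is not None and node.udp_in(port, f"new mail for {user}")


def scenario() -> Dict[str, bool]:
    """Constructed topology: ZaphodB is directly on the Internet; ArthurD sits
    behind a NAT whose public address is what Exchange sees."""
    zaphod = Host("131.107.39.42")
    arthur_inside = Host("192.168.1.20")          # constructed private address
    nat = Nat("157.54.42.69", arthur_inside)
    internet = {zaphod.ip: zaphod, nat.public_ip: nat}
    exch = Exchange()
    exch.logon("ZaphodB", zaphod.ip, 37291)
    exch.logon("ArthurD", nat.public_ip, 12193)   # registration reaches Exchange via the NAT address
    return {"ZaphodB": exch.notify("ZaphodB", internet),
            "ArthurD": exch.notify("ArthurD", internet)}


if __name__ == "__main__":
    print(scenario())  # ZaphodB delivered, ArthurD dropped at the NAT
```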

Page 48: SEC413: Protecting Exchange And OWA With ISA Server

Second Method
- Client usually makes RPC connection to server every 30-90 seconds
- Server inserts new mail notification flag into return packets
- But, it’s broken!
  - Doesn’t work if there’s an error in the RPC packets
  - Outlook stops processing the packet, never sees notification flag at end
  - There is a QFE to fix it both for Outlook 2000 and Outlook XP

Page 49: SEC413: Protecting Exchange And OWA With ISA Server

Workarounds
- Outlook 2000
  - Press [F9] to check
- Outlook XP
  - Press [F9] to check
  - Configure polling
    - Simple request-response over RPC
    - As before, if packet has error, client doesn’t see flag – QFE fixes this too

Page 50: SEC413: Protecting Exchange And OWA With ISA Server

Other Network Requirements

Page 51: SEC413: Protecting Exchange And OWA With ISA Server

Network design
- Simple—deceptively so, really
- No notion of “front-net” and “back-net”
  - If the inside firewall allows connections from the DMZ, what good is it?
- All services live behind ISA
  - ISA only allows inbound communication to known servers over known protocols
  - No firewall traversal problems for authentication

Page 52: SEC413: Protecting Exchange And OWA With ISA Server

Network Diagram
(Diagram; nodes shown: Internet, router, eDNS, ISA, iDNS, Exch cluster, OWA, SMTP, AD)

Page 53: SEC413: Protecting Exchange And OWA With ISA Server

Clients Behind Firewalls
- It’s still an RPC connection
  - To ISA, not Exchange
- Some networks might not permit this
  - Possibly might if ports are known
  - Need to fix Exchange RPC listener’s ports
- Service Pack 1, again
  - Uses same registry keys as does Exchange to perform same function

Page 54: SEC413: Protecting Exchange And OWA With ISA Server

Border Routers
- Put anti-spoofing rules here
  - Eliminates most conditions for DDoS attacks and constellations
- Rule types
  - Inbound rule for blocking DDoS attacks
  - Outbound rule for preventing constellation membership
  - Block private addresses
  - Block source-routed packets
  - Block fragments – with caution!

Page 55: SEC413: Protecting Exchange And OWA With ISA Server

Router Configuration
- Inbound: block where source address = own subnet
- Outbound: block where source address ≠ own subnet
- Private addresses: block all where source|destination = RFC 1918
- Source routed: block all where source route is specified
- Fragments: block all
  - Most fragments are parts of attacks
  - Except IPSec and VPNs, however
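The five router rules above as a small packet filter, added as an example (it is not a configuration from the deck). The site subnet and the sample packets are constructed, and the “except IPSec and VPNs” carve-out is implemented as an assumption on IP protocol number (ESP, AH, GRE), since a non-first fragment carries no port numbers to match on.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

OWN_SUBNET = ipaddress.ip_network("203.0.113.0/24")   # constructed: the site's public block
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption for the fragment exception: ESP (50), AH (51) and GRE (47) carry
# IPSec and VPN tunnels, and those are the only fragments allowed through.
TUNNEL_PROTOCOLS = {47, 50, 51}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int            # IP protocol number: 6 TCP, 17 UDP, 47 GRE, 50 ESP, 51 AH
    direction: str           # "inbound" (from the Internet) or "outbound"
    fragment: bool = False   # fragmented datagram (MF set or non-zero offset)
    source_routed: bool = False


def filter_packet(pkt: Packet) -> Optional[str]:
    """Returns None to pass the packet, or the name of the rule that blocks it.
    Rule order follows the 'Router Configuration' slide."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    # Inbound anti-spoofing: nobody outside may claim one of our addresses.
    if pkt.direction == "inbound" and src in OWN_SUBNET:
        return "inbound-spoof"
    # Outbound anti-spoofing: our hosts may not emit foreign source addresses
    # (keeps a compromised server out of a DDoS constellation).
    if pkt.direction == "outbound" and src not in OWN_SUBNET:
        return "outbound-spoof"
    # RFC 1918 space never belongs on the border link in either direction.
    if any(src in net or dst in net for net in RFC1918):
        return "rfc1918"
    if pkt.source_routed:
        return "source-route"
    # Fragments are dropped, with the IPSec/VPN carve-out from the slide.
    if pkt.fragment and pkt.protocol not in TUNNEL_PROTOCOLS:
        return "fragment"
    return None


# Constructed traffic, labelled by the rule it exercises.
SAMPLE_PACKETS: Dict[str, Packet] = {
    "legit_inbound_smtp":   Packet("198.51.100.7", "203.0.113.10", 6, "inbound"),
    "spoofed_inbound":      Packet("203.0.113.50", "203.0.113.10", 6, "inbound"),
    "ddos_member_outbound": Packet("198.51.100.200", "192.0.2.1", 17, "outbound"),
    "legit_outbound_dns":   Packet("203.0.113.20", "192.0.2.53", 17, "outbound"),
    "private_src_inbound":  Packet("10.1.2.3", "203.0.113.10", 6, "inbound"),
    "source_routed":        Packet("198.51.100.7", "203.0.113.10", 6, "inbound", source_routed=True),
    "tcp_fragment":         Packet("198.51.100.7", "203.0.113.10", 6, "inbound", fragment=True),
    "esp_fragment":         Packet("198.51.100.7", "203.0.113.10", 50, "inbound", fragment=True),
}


def audit(packets: Dict[str, Packet] = SAMPLE_PACKETS) -> Dict[str, Optional[str]]:
    """Runs every sample packet through the filter and reports the verdicts."""
    return {name: filter_packet(p) for name, p in packets.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:22s} -> {verdict or 'pass'}")
```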

Page 56: SEC413: Protecting Exchange And OWA With ISA Server

DNS Configuration
- Need two DNS servers
  - Internal, for servers to find each other and for AD
  - External, for SMTP to find the world
- Called “split” DNS
- External DNS lives outside ISA – it’s the only thing that does
- “Split-split” DNS prevents cache-poisoning attacks
  - See http://www.sans.org for details

Page 57: SEC413: Protecting Exchange And OWA With ISA Server

DNS Records
- For internal DNS, dynamic registration is fine
- For external
  - “A” records for Exchange, OWA, and SMTP servers
  - “MX” records for SMTP servers
  - “A” records actually point to ISA’s external interface

Page 58: SEC413: Protecting Exchange And OWA With ISA Server

More Information
- http://www.microsoft.com/isaserver
- http://www.isainfo.org
- Microsoft Consulting Services
- Coming soon – your local Exchange ASP!

Page 59: SEC413: Protecting Exchange And OWA With ISA Server

If you have any questions, please join the Microsoft Chinese newsgroups to continue the discussion. Join the Microsoft Chinese newsgroups: http://www.microsoft.com/china/community

Page 60: SEC413: Protecting Exchange And OWA With ISA Server

© 2002 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.