Securing Network – Wireless – and Connected Infrastructures
Fred Baumhardt, Infrastructure Solutions Consulting
Microsoft Security Solutions, Feb 4th, 2003
Agenda
• Defining the Datacenter Network Security Problem
• Penetration Techniques and Tools
• Network Defence-in-Depth Strategy
  • Perimeter and Network Defences
  • Operating System and Services Defences
  • Application Defences
  • Data Defences
The Datacenter Problem We All Face
(Diagram: Some Core Systems, Internet Systems, Departments, Extranets, Branch Offices, Project 1…n System)
• Systems organically grown under “Project” context
• No clear best practice from vendors
• Security often bolted on as an afterthought
• Fear of change – Time to Market
The Big Picture of Security
• OS hardening is only one component of security strategy AND Firewalls are not a Panacea
• Entering the Bank Branch doesn’t get you into the vault
• Security relies on multiple things
  • People and skills
  • Process and incident management
  • Internal Technologies – e.g. OS, Management Tools, switches, IDS, ISA
  • Edge Technologies – Firewalls, ISA, IDS
Threat Modelling
• Internal Users are usually far more dangerous
• Normal employees have tools, experience, and know your systems – after all they use them
• Customers usually take few internal protection precautions – preferring to focus on external Firewalls and DMZ scenarios for security
• Data is now being hacked – not just systems
The First Phase of Hacking
• Information Gathering and Intelligence
• Port Scanning – Banner Grabbing – TCP/IP Packet Profiling – TTL Packet Manipulating
• Researching network structure – newsgroup posts, outbound emails, these all hold clues to network design
The Second Phase of Hacking
• Analysis of Collected Information
• Process relevant bits of data about target network
• Formulate an attack plan
  • For example: an attacker won’t use SUN-specific attacks on W2K boxes, won’t use NT attacks on .NET, etc.
• Hacker forums, websites, exploit catalogues
The Third Phase of Hacking
• The Compromise
  • OS Specific Attacks
  • Denial of Service Attacks
  • Application Attacks
    • Buffer Overflows
    • URL String Attacks
    • Injection
    • Cross-site Scripting Attacks
• Compromised system jumps into another
Networking and Security
• The network component is the single most important aspect to security
• Wireless is based on Radio transmission and reception – not bounded by wires
• Some sort of encryption is thus required to protect the open medium
• Ethernet is also just about as insecure
Network Problems ctd
• Use encryption and authentication to control access to the network
  • WEP – Wired Equivalent Privacy
  • 802.1X – using Public Key Cryptography
  • Mutually authenticating client and network
Securing a Wireless Connection
• Three major strategies
  • WEP – basic low security simple solution
  • VPN – use an encrypted tunnel assuming the network is untrusted
  • 802.1X family – use PKI to encrypt seamlessly from client to access point
    • Usually complex to implement but then seamless to user
    • Substantial investment in PKI
• Also vendor specific like LEAP
What about the wired network?
• This is where the hackers kill you
• Currently a “total trust” model
• You can ping the HR database, or the chairman’s PC, or the accounting system in Tokyo
• We assume anyone who can get into our internal network is trusted – and well intentioned
• Ethernet and TCP/IP are fundamentally insecure
VPN
(Diagram: IP Tunnel across the Internet between Host A on the Corporate Net in Reading, behind Router C, and Host B on a Corporate Net or Client, behind Router D)
• Extend the “internal” network space to clients in the internet
• Extends the security perimeter to the client
• Main systems are PPTP – L2TP/IPSEC
How the Architecture Can Prevent Attack
(Diagram, from the INTERNET through the BORDER and Perimeter to the INTERNAL zone: Redundant Routers; Redundant Firewalls; Perimeter VLANs for DNS & SMTP, Client and Site VPN, Proxy, RADIUS Network, and Infrastructure Network – Perimeter Active Directory; Redundant Internal Firewalls; internal VLANs for Infrastructure Network – Internal Active Directory, Messaging Network – Exchange, Management Network – MOM, deployment, Client Network, Intranet Network – Web Servers, and Data Network – SQL Server Clusters; Remote datacenter; NIC teams/2 switches; Intrusion Detection)
How do I do it?
• A Flat DMZ Design to push intelligent inspection outwards
• ISA layer 7 filtration – RPC – SMTP – HTTP
• Switches that act like firewalls
• IPSec where required between servers
• Group Policy to Manage Security
• 802.1X or VPN into ISA servers treating Wireless as Hostile
• Internal IDS installed
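The diagram above replaces the “total trust” flat network with one VLAN per server role and firewalls between them. The following Python script is an added example, not code from the presentation or from Microsoft: it models that layout as an explicit allow-list of segment-to-segment flows and audits a set of flow records against it, flagging traffic the segmentation should never have permitted. The segment names follow the diagram; the address ranges, the allowed-port matrix and the sample flow lines are constructed for the example.

```python
"""Segmentation audit for a VLAN-per-role datacenter (added example).

Segment names follow the architecture diagram; address ranges, the
allow-list and the sample flow records are constructed assumptions.
"""
from ipaddress import ip_address, ip_network
from typing import NamedTuple

# Constructed address plan: one VLAN per role (assumption, not from the deck).
SEGMENTS = {
    "Client":         ip_network("10.10.0.0/16"),
    "Messaging":      ip_network("10.20.0.0/24"),   # Exchange
    "Data":           ip_network("10.30.0.0/24"),   # SQL Server clusters
    "Management":     ip_network("10.40.0.0/24"),   # MOM, deployment
    "Infrastructure": ip_network("10.50.0.0/24"),   # internal Active Directory
    "Intranet":       ip_network("10.60.0.0/24"),   # web servers
    "Perimeter":      ip_network("192.0.2.0/24"),   # DMZ, RFC 5737 doc range
}

# Allow-list between segments: (source, destination) -> permitted TCP ports.
# Anything not listed is denied, which is the opposite of "total trust".
ALLOWED = {
    ("Client", "Messaging"): {443},                 # OWA over HTTPS
    ("Client", "Intranet"): {80, 443},
    ("Client", "Infrastructure"): {88, 389, 445},   # Kerberos, LDAP, SMB to AD
    ("Intranet", "Data"): {1433},                   # web tier to SQL only
    ("Messaging", "Infrastructure"): {88, 389, 3268},
    ("Management", "*"): {135, 445, 3389},          # management reaches all
    ("Perimeter", "Messaging"): {443},              # published via ISA
}


class Flow(NamedTuple):
    src: str
    dst: str
    port: int


def segment_of(addr: str) -> str:
    """Map an address to its segment name, or 'Unknown' if outside the plan."""
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "Unknown"


def is_allowed(flow: Flow) -> bool:
    """True if the flow is permitted by the segment allow-list."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if "Unknown" in (src_seg, dst_seg):
        return False                      # unplanned addresses are never trusted
    if src_seg == dst_seg:
        return True                       # intra-VLAN; host firewalls/IPSec apply
    for key in ((src_seg, dst_seg), (src_seg, "*")):
        if flow.port in ALLOWED.get(key, set()):
            return True
    return False


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line of the form '<src> <dst> <port>'."""
    src, dst, port = line.split()
    return Flow(src, dst, int(port))


def audit(lines):
    """Return (flow, src_segment, dst_segment) for every flow that violates policy."""
    violations = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        if not is_allowed(flow):
            violations.append((flow, segment_of(flow.src), segment_of(flow.dst)))
    return violations


# Constructed sample flows, as an internal firewall or IDS might export them.
SAMPLE_FLOWS = """
10.10.5.23 10.20.0.10 443
10.10.5.23 10.30.0.5 1433
10.60.0.7 10.30.0.5 1433
10.40.0.2 10.30.0.5 3389
10.10.9.1 10.40.0.2 3389
192.0.2.15 10.20.0.10 443
192.0.2.15 10.50.0.3 389
""".splitlines()

if __name__ == "__main__":
    for flow, src_seg, dst_seg in audit(SAMPLE_FLOWS):
        print(f"DENY {src_seg} -> {dst_seg}: {flow.src} -> {flow.dst}:{flow.port}")
```

Run as-is, the audit reports three violations: a client workstation talking straight to SQL Server, a client reaching the management network over RDP, and a perimeter host querying the internal Active Directory by LDAP. The same allow-list is what the internal firewalls and firewall-like switches in the diagram would enforce; reviewing observed flows against it is how the internal IDS turns segmentation into a detection.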
(Diagram: Exchange Server published through a Stateful Packet Filtering Firewall and an Application Filtering Firewall (ISA Server); labels: Internet, Wireless, TCP 80: HTTP, TCP 443: HTTPS, TCP 443: HTTPS Or)
Call To Action
• Take Action – your network transport is insecure
• Read and use security operations guides for each technology you use
• Mail me with questions – [email protected]
  • If I didn’t want to talk to you I would put a fake address
• Use the free MS tools to establish a baseline and stay on it
• Attack yourself – you will learn
____________________________________________________________
Wherever you go – go securely !