Securing Network – Wireless – and Connected Infrastructures
Fred Baumhardt, Infrastructure Solutions Consulting
Microsoft Security Solutions, Feb 4th, 2003



Page 1: Securing Network – Wireless – and Connected Infrastructures

Securing Network – Wireless – and Connected Infrastructures

Fred Baumhardt
Infrastructure Solutions Consulting

Microsoft Security Solutions, Feb 4th, 2003

Page 2

Agenda
• Defining the Datacenter Network Security Problem
• Penetration Techniques and Tools
• Network Defence-in-Depth Strategy
  • Perimeter and Network Defences
  • Operating System and Services Defences
  • Application Defences
  • Data Defences

Page 3

The Datacenter Problem We All Face

[Diagram labels: Some Core Systems; Internet Systems; Departments; Extranets; Branch Offices; Project 1…n System]

• Systems organically grown under “Project” context
• No clear best practice from vendors
• Security often bolted on as an afterthought
• Fear of change – Time to Market

Page 4

The Big Picture of Security
• OS hardening is only one component of security strategy AND Firewalls are not a Panacea
• Entering the Bank Branch doesn’t get you into the vault
• Security relies on multiple things
  • People and skills
  • Process and incident management
  • Internal Technologies – E.G. OS, Management Tools, switches, IDS, ISA
  • Edge Technologies – Firewalls, ISA, IDS

Page 5

Threat Modelling
• Internal Users are usually far more dangerous
• Normal employees have tools, experience, and know your systems – after all they use them
• Customers usually take few internal protection precautions – preferring to focus on external Firewalls and DMZ scenarios for security
• Data is now being hacked – not just systems

Page 6

The First Phase of Hacking
• Information Gathering and Intelligence
  • Port Scanning – Banner Grabbing – TCP/IP Packet Profiling – TTL Packet Manipulating
  • Researching network structure – newsgroup posts, outbound emails, these all hold clues to network design
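As an added example (not part of the original slides), the defender's view of the port scanning listed above: a small detector run over constructed firewall deny-log lines. The log format and the thresholds are assumptions; a source that touches many distinct destination ports inside a short window is flagged, while a noisy client retrying a single port is not.

```python
"""Port-scan detector over constructed firewall deny logs (added example)."""
import re
from collections import defaultdict

# Constructed log lines, format assumed: "<epoch> DENY <src> <dst> <proto> <dport>"
SAMPLE_LOG = """\
1044360000 DENY 10.20.5.77 10.20.1.10 TCP 21
1044360001 DENY 10.20.5.77 10.20.1.10 TCP 22
1044360001 DENY 10.20.5.77 10.20.1.10 TCP 23
1044360002 DENY 10.20.5.77 10.20.1.10 TCP 25
1044360002 DENY 10.20.5.77 10.20.1.10 TCP 80
1044360003 DENY 10.20.5.77 10.20.1.10 TCP 135
1044360003 DENY 10.20.5.77 10.20.1.10 TCP 139
1044360004 DENY 10.20.5.77 10.20.1.10 TCP 445
1044360005 DENY 10.20.5.77 10.20.1.10 TCP 1433
1044360010 DENY 10.20.9.3 10.20.1.10 TCP 445
1044360900 DENY 10.20.9.3 10.20.1.10 TCP 445
garbage line that must be skipped
"""
LINE_RE = re.compile(r"^(\d+) DENY (\S+) (\S+) (TCP|UDP) (\d+)$")


def parse_log(text):
    """Return (timestamp, src, dst_port) tuples, skipping unparseable lines."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((int(m.group(1)), m.group(2), int(m.group(5))))
    return out


def detect_scanners(text, window=60, min_ports=8):
    """Map each source that hits >= min_ports distinct destination ports
    within any `window`-second span to the largest such count seen.
    Repeated hits on one port (a noisy but legitimate client) do not count."""
    by_src = defaultdict(list)
    for ts, src, port in parse_log(text):
        by_src[src].append((ts, port))
    alerts = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ports = {p for ts, p in hits[i:] if ts - start <= window}
            if len(ports) >= min_ports:
                alerts[src] = max(alerts.get(src, 0), len(ports))
    return alerts


if __name__ == "__main__":
    print(detect_scanners(SAMPLE_LOG))  # {'10.20.5.77': 9}
```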

Page 7

The Second Phase of Hacking
• Analysis of Collected Information
  • Process relevant bits of data about target network
  • Formulate an attack plan
    • For Example: Attacker won’t use SUN specific attacks on W2K Boxes, won’t use NT Attacks on .NET etc.
  • Hacker Forums, websites, exploit catalogues

Page 8

The Third Phase of Hacking
• The Compromise
  • OS Specific Attacks
  • Denial of Service Attacks
  • Application Attacks
    • Buffer Overflows
    • URL String Attacks
    • Injection
    • Cross-site Scripting Attacks
• Compromised system jumps into another

Page 9

Networking and Security
• The network component is the single most important aspect to security
• Wireless is based on Radio transmission and reception – not bounded by wires
• Some sort of encryption is thus required to protect open medium
• Ethernet is also just about as insecure

Page 10

Network Problems ctd
• Use encryption and authentication to control access to network
  • WEP – Wired Equivalent Privacy
  • 802.1X – using Public Key Cryptography
  • Mutually authenticating client and network

Page 11

Securing a Wireless Connection
• Three major strategies
  • WEP – basic low security simple solution
  • VPN – use an encrypted tunnel assuming network is untrusted
  • 802.1X family – Use PKI to encrypt seamlessly from client to access point
    • Usually complex to implement but then seamless to user
    • Substantial investment in PKI
• Also vendor specific like Leap

Page 12

What about the wired network?
• This is where the hackers kill you
• Currently a “total trust” model
  • You can ping HR database, or chairman's PC, or accounting system in Tokyo
  • We assume anyone who can get in to our internal network is trusted – and well intentioned
• Ethernet and TCP/IP are fundamentally insecure

Page 13

VPN

[Diagram labels: Internet; Corporate Net in Reading; Corporate Net or Client; Router C; Router D; Host A; Host B; IP Tunnel]

• Extend the “internal” network space to clients in internet
• Extends the security perimeter to the client
• Main systems are PPTP – L2TP/IPSEC

Page 14

How the Architecture Can Prevent Attack

[Diagram: a layered datacenter network with INTERNET, BORDER, Perimeter and INTERNAL zones. Labelled elements: Redundant Routers; Redundant Firewalls; Redundant Internal Firewalls; DNS & SMTP; Client and Site VPN; Proxy; RADIUS Network; Intranet Network – Web Servers; Infrastructure Network – Perimeter Active Directory; Infrastructure Network – Internal Active Directory; Messaging Network – Exchange; Management Network – MOM, deployment; Client Network; Data Network – SQL Server Clusters; Remote datacenter; multiple VLANs; NIC teams/2 switches; Intrusion Detection]

Page 15

How do I do it?
• A Flat DMZ Design to push intelligent inspection outwards
• ISA layer 7 filtration – RPC – SMTP – HTTP
• Switches that act like firewalls
• IPSec where required between servers
• Group Policy to Manage Security
• 802.1X or VPN into ISA servers treating Wireless as Hostile
• Internal IDS installed

[Diagram: Internet or Wireless → TCP 443: HTTPS → Stateful Packet Filtering Firewall → TCP 443: HTTPS → Application Filtering Firewall (ISA Server) → TCP 80: HTTP → Exchange Server]
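The diagram's two tiers as an added example (not the original slides' or ISA Server's code): a stateful packet filter that sees only ports lets any TCP 443 request reach the application-filtering tier, while that tier inspects the decrypted HTTP request before anything is forwarded to the server on TCP 80. Host names, published paths and request lines are constructed.

```python
"""Two-tier publishing of a mail web front end, following the slide's diagram.
Added example, not Microsoft's or ISA Server's code: tier 1 is a stateful
packet filter that sees only 5-tuples, tier 2 an application filter that
inspects the decrypted HTTP request. Hosts, paths and requests are constructed."""
from urllib.parse import unquote, urlsplit

# Tier 1 rules: (src, dst, proto, dport, action); "*" matches any source
PACKET_RULES = [
    ("*", "isa.example", "TCP", 443, "ALLOW"),               # Internet/Wireless -> ISA
    ("isa.example", "exchange.example", "TCP", 80, "ALLOW"),  # ISA -> Exchange
]
# Tier 2 policy: what the application filter forwards to the published server
ALLOWED_METHODS = {"GET", "POST"}
PUBLISHED_PATHS = ("/exchange/", "/public/", "/exchweb/")  # assumed OWA paths


def packet_filter(src, dst, proto, dport):
    """Decide on header fields alone; anything not matched is denied."""
    for rsrc, rdst, rproto, rport, action in PACKET_RULES:
        if rsrc in ("*", src) and (rdst, rproto, rport) == (dst, proto, dport):
            return action
    return "DENY"


def application_filter(request_line):
    """Inspect one decrypted HTTP request line; return (verdict, reason)."""
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "DENY", "malformed request line"
    method, target, _ = parts
    if method not in ALLOWED_METHODS:
        return "DENY", f"method {method} not published"
    # Decode twice so %252e%252e cannot hide a '..' from the checks below
    path = unquote(unquote(urlsplit(target).path))
    if "\x00" in path or ".." in path.split("/") or not path.isascii():
        return "DENY", "path failed normalisation checks"
    if not path.startswith(PUBLISHED_PATHS):
        return "DENY", f"path {path} not published"
    return "ALLOW", "ok"


def publish(src, request_line):
    """Walk one request through both tiers in the diagram's order: tier 1
    passes anything on TCP 443, only tier 2 judges the request content."""
    if packet_filter(src, "isa.example", "TCP", 443) != "ALLOW":
        return "DENY", "dropped at packet filter"
    verdict, reason = application_filter(request_line)
    if verdict == "ALLOW":
        verdict = packet_filter("isa.example", "exchange.example", "TCP", 80)
    return verdict, reason
```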

Page 16

Call To Action
• Take Action – your network transport is insecure
• Read and use security operations guides for each technology you use
• Mail me with questions – [email protected]
  • If I didn’t want to talk to you I would put a fake address
• Use the free MS tools to establish a baseline and stay on it
• Attack yourself – you will learn

Page 17

____________________________________________________________

Wherever you go – go securely!