Active Security Common Practices
Rafal Lukawiecki, Strategic Consultant, Project Botticelli Ltd
rafal@projectbotticelli.co.uk
www.projectbotticelli.co.uk

Post on 17-Jan-2016


Active Security Common Practices
Rafal Lukawiecki
Strategic Consultant, Project Botticelli Ltd
rafal@projectbotticelli.co.uk
www.projectbotticelli.co.uk

Copyright 2005 Microsoft Corp & Project Botticelli Ltd. E&OE. For informational purposes only. No warranties of any kind are made and you have to verify all information before relying on it. You can re-use this presentation as long as you read, agree, and follow the guidelines described in the Comments field in File/Properties.

Objectives
• Using Defence-in-Depth, overview the main security problem areas
• Review major security protection technologies
• Briefly look at security checklists for the main Microsoft servers

Session Agenda
• Decomposing the Operating Environment
• Defending:
  • Applications
  • Hosts
  • Network
• Microsoft Guidance Checklists

Decomposing the Operating Environment

Defense in Depth (layers and the controls that protect each)
• Policies, Procedures, & Awareness: user education against social engineering
• Physical Security: guards, locks, tracking devices, HSM
• Perimeter: firewalls, VPN quarantine
• Internal Network: network segments, IPSec, NIDS
• Host: OS hardening, update management, authentication
• Application: application hardening, antivirus
• Data: ACL, encryption

Common Threat Classification
• Network: threats against the network (spoofed packets, etc.)
• Host: threats against the host (buffer overflows, illicit paths, etc.)
• Application: threats against the application (SQL injection, XSS, input tampering, etc.)

Examples of Network Threats

Examples of Host Threats

Examples of Application Threats

Typical Pattern of a Targeted Attack
1. Enter the network through SQL injection etc.
2. Install or use port proxy software to open inbound connections
3. Remotely control the host to mount further attacks from inside until a domain controller is accessible
4. Gain control of the desired resources
5. Erase traces of the attack and remove installed software

What to Do when under Attack
• Engage your Emergency Operating Procedure, or increase the emergency level (yellow to red etc.)
• Follow these steps:
  1. Identify the nature of the attack
  2. Localize the source
  3. Protect and save the evidence
  4. Find other compromised machines
  5. Immunise against this problem as soon as practical

Attack Vectors / Entrypoints
• That is what an attacker is looking for
• You always have them
• You must protect them as well as you can
• They are the bottom leaves (vectors) on the threat tree
• Three categories of entry:
  • Social engineering
  • Unpatched known vulnerabilities
  • New, generally unknown vulnerabilities

Application-Level Entry
• Social engineering
  • Trojan via email or messenger
  • Application hardening is required to avoid most problems
• Buffer overrun
  • Secure Coding Practices for Developers
  • Automatic patching for 3rd party apps, e.g. InstallShield provides this as a service

Host-Level Entry
• Patching: known vulnerabilities are typically exploited by worms and zombies
• Least-privilege principle: most restrictive policies, most restricted accounts
• Active Protection: future direction for automatic detection of out-of-pattern host behaviour; very promising
• Virus Protection
• Attachment Execution
• Spyware Protection

Network-Level Entry
• Firewalls
  • A must (even with Active Protection)!
  • Multiple levels between perimeters
• Weak infrastructure: older, unpatched network equipment
• Domain Controllers
  • Special hardening required
  • Physical security a must
• Active Directory
  • Consistency with policies needs to be verified
  • Any unauthorised changes should be investigated
  • Physical security of backups is crucial

Typical Security Levels (Microsoft)
Based on typical security-usability-cost requirements, Microsoft favours three generic security levels:
• Legacy: allows compatibility with Windows 98, ME etc.; generally the most usable and fairly insecure
• Enterprise: typical usability needs based on Windows 2000 and XP clients, with resilience against all popular attacks; generally cost-effective
• High Security: adds pro-active security against future attacks based on highly restrictive policies, at the cost of loss of use of many applications and other usability limitations, and may use formal security modelling; expensive but may be worth the price
The Windows Server 2003 Security Guide and other Microsoft security guidance documents make use of those terms.

Defending Applications

Why Application Security Matters
• Perimeter defenses provide limited protection
• Many host-based defenses are not application specific
• Most modern attacks occur at the application layer

Developers!
• From an operational perspective, the problem is caused by the developers, of course
• Their applications have access to privileged resources
• Through vulnerabilities those resources become compromised
• Solving the problem requires an almost intimate relationship between development and operations

Security Baseline
• Use vendor-recommended security baselines, such as the Microsoft Exchange Server Security Guidelines etc.
• Define a universal security baseline for all application servers
  • Base your baseline on OS vendor recommendations, such as the Windows Server 2003 Security Guide server roles
• Implement them as a policy
  • Active Directory Group Policies are an excellent way to manage them
  • Use the Resultant Set of Policy tool to verify that the policy applies to hosts as required
• Verification of compliance is an ongoing activity

In-House Applications
• Most enterprises use a number of their own, self-developed applications for a number of key business activities
• Those applications rarely meet stringent security design requirements
• Developer security education is critically important
• Existing applications need to be treated as evil until proven to be safe through Threat Modelling

Treating Unproven Applications
• Until proven to be secure, treat all applications as evil
• Restrict access only to users on a need-to-use basis
• Restrict remote use
• Isolate to dedicated application servers
• Restrict servers through IPSec policies to only allow communication that applications explicitly require
• Monitor usage patterns to establish a baseline and raise an alarm when patterns vary
• Enable stringent auditing
• Request a formal threat analysis if the above restrictions are too severe
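The monitoring side of these restrictions, as an added example that is not part of the original presentation: a small Python baseline monitor that reads constructed audit records from an isolated application server, flags users outside the need-to-use list and any remote use, and raises an alarm when a user's daily volume departs from the learned baseline. The record layout, the user and host lists, the application name and the deviation factor are all assumptions.

```python
# Added example, not part of the original presentation. It applies the slide's
# restrictions to constructed audit records from an isolated application server:
# need-to-use user list, no remote use, and an alarm when usage departs from a
# learned baseline. The record layout and thresholds are assumptions.
from collections import Counter, defaultdict
from statistics import mean

# Constructed sample audit records: (day, user, source host, application)
TRAINING = [
    (1, "alice", "ws-01", "ledger"), (1, "alice", "ws-01", "ledger"),
    (1, "bob", "ws-02", "ledger"),
    (2, "alice", "ws-01", "ledger"), (2, "bob", "ws-02", "ledger"),
    (3, "alice", "ws-01", "ledger"), (3, "alice", "ws-01", "ledger"),
    (3, "bob", "ws-02", "ledger"),
]
# Day 4 (constructed): a user outside the list, bob via a remote gateway,
# and an unusual burst of bob's runs from his usual workstation.
NEW_DAY = [(4, "alice", "ws-01", "ledger"), (4, "carol", "ws-03", "ledger"),
           (4, "bob", "vpn-gw", "ledger")] + [(4, "bob", "ws-02", "ledger")] * 7

NEED_TO_USE = {"alice", "bob"}    # assumed need-to-use list for "ledger"
LOCAL_HOSTS = {"ws-01", "ws-02"}  # assumed on-site workstations; others are remote

def build_baseline(records):
    """Mean runs per day for each user over the training window."""
    per_day = defaultdict(Counter)
    for day, user, _src, _app in records:
        per_day[user][day] += 1
    days = {day for day, *_ in records}
    return {u: mean(c.get(d, 0) for d in days) for u, c in per_day.items()}

def check_day(records, baseline, factor=3.0):
    """Return alarm strings for one day's records."""
    alarms, counts = [], Counter()
    for _day, user, src, app in records:
        if user not in NEED_TO_USE:
            alarms.append(f"unauthorised user {user} ran {app} from {src}")
        if src not in LOCAL_HOSTS:
            alarms.append(f"remote use of {app} by {user} from {src}")
        counts[user] += 1
    for user, n in counts.items():
        expected = baseline.get(user, 0.0)
        # Alarm when today's volume exceeds `factor` times the baseline
        # (with a small floor so a single run never trips a zero baseline).
        if n > max(factor * expected, 3):
            alarms.append(f"usage spike: {user} ran {n} times, baseline {expected:.1f}/day")
    return alarms

if __name__ == "__main__":
    for alarm in check_day(NEW_DAY, build_baseline(TRAINING)):
        print("ALARM:", alarm)
```

In practice the training window and the audit feed would come from the stringent auditing enabled on the server, and each alarm would be tied to the incident procedure described earlier.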

Developer Relations
• For future in-house and outsourced development, formally request that all new applications state their required security policy and comply with baseline policies
• Deal with exceptions very carefully
• Insist that an application is tested under restrictive security conditions before being beta tested or piloted
• Establish an operational point of contact for developer queries

Secure Development
• .NET applications can use a number of new and powerful security techniques
• Advocate that future development should use the .NET Framework and its security models where possible
• The actual development language is not essential as long as the framework is used
• Other middleware environments may require you to integrate their security subsystems into OS, host and network security more manually; sometimes this is a significant weakness

Recommended .NET Security Mechanisms
• .NET Code Access Security
• .NET Evidence
  • Using digital signatures, developers create cryptographically strong IDs for their applications
  • You can use those Strong Names (SNs) for creating policies that allow or disallow whole classes of applications from running
  • You control the associated policies
• .NET Isolated Storage: a new feature allowing applications to create a virtual file system in a manner that is more resistant to cross-application attacks

Defending Hosts

OS Hardening
• Use the most up-to-date security patches and service packs
• Windows XP SP2
  • Windows Firewall with application-specific settings
  • Attachment Execution protection
  • Pop-up Blocker
  • Memory Protection (only some CPUs)
  • RPC/DCOM improvements
  • May cause compatibility problems with legacy applications, so you may need to bypass or amend this feature
• Apply your policy-based security baseline

Patch Management
• Approaches:
  • SMS (Systems Management Server): do-it-yourself, time-consuming but most flexible
  • Software Update Services: you're in control, but only for Windows OS
  • Windows Update: little enterprise control, only Windows OS, most pervasive
  • Application-vendor: InstallShield Update, HP Software Update and many others
• Use tools, such as MBSA (Microsoft Baseline Security Analyser), to discover missing patches

Virus Protection
• Defence in depth: on clients, on servers, on firewalls
• Ensure full compliance, especially with the signature update service
• Consider a dual-vendor approach:
  • Major system on hosts
  • Secondary system from a different vendor on firewalls and communication servers (email etc.)

Attachment Execution
• #1 of social engineering attacks (so-called Layer 8 vulnerabilities)
• Education is the main defence
• Newer software can handle attachments in a protected, safer manner:
  • Outlook 2003
  • XP SP2 (extends to 3rd party applications)
  • Control via GPOs

Spyware (Malware) Protection
• 90% of machines have malicious software, on average 28 separate spyware programs (report by Earthlink & Webroot)
• Zombies
• Network bandwidth and CPU degradation
• Commercial secrets leaked
• Privacy destroyed
• Best practice:
  • SpyBot Search and Destroy (www.spybot.info)
  • Microsoft AntiSpyware (in beta)
  • AdAware

Traffic Filtering
• In addition to network firewalls, consider enabling incoming and outgoing traffic filtering on each host
  • Defence in depth
  • Application and user-specific
• Only enable protocols and ports required by applications running on the host
  • XP SP2 helps with this on workstations
  • IPSec rulesets are a great tool for this

Defending the Network

Many Perimeters
• External Network Edge: between you and the internet etc.
• DMZ (De-militarized Zone): between the network edge and all protected resources; only minimal protection possible
• Default Security Zone: the traditional LAN
• High Security Zone: a network inside the network, for key assets
• Perimeter (Edge) of Isolation: assets physically not connected to networks; useful for some key as
