Posted 04-Jan-2016
Leveraging your Active Directory (AD) for Perimeter Defense – Inside and Out (SEC205)
Richard Warren
Internet and Security Training Specialist
Agenda
Security Issues Today
The “Inside” – Good or Bad?
Why Active Directory?
Internal Access with Integrity
The Who and How of External Access
When a Web Proxy is not Enough
At Risk
14B devices on the Internet by 2010 [1]
35M remote users by 2005 [2]
65% increase in dynamic Web sites [3]
From 2000 to 2003 reported incidents rose from 21,756 to 137,529 [4]
Nearly 80 percent of 445 respondents surveyed said the Internet has been a frequent point of attack, up from 57 percent just four years ago [5]
90% detected security breaches [6]
85% detected computer viruses [6]
95% of all breaches avoidable with an alternative configuration [7]
Approximately 70 percent of all Web attacks occur at the application layer [8]
Sources: [1] Forrester Research; [2] Information Week, 26 November 2001; [3] Netcraft summary; [4] CERT, 2005; [5] CSI/FBI Computer Crime and Security Survey; [6] Computer Security Institute (CSI) Computer Crime and Security Survey 2002; [7] CERT, 2002; [8] Gartner Group
Security Issues Today – The Soft Underbelly
Attacks from Insiders!
Who can you trust?
Large % of threats occur from the inside
Users surfing inappropriate/malicious web sites
Users not logging into the AD Domain (Security Policy)
Users searching for web servers with confidential information
Disgruntled Employees – Contractors – Office Visitors
Internet Access for your Users
Business Need: Enable users to communicate across the Internet
Risk to Organization:
• Use of instant messaging over the Internet may reveal confidential information
• Users’ access to personal e-mail may bypass corporate e-mail protection
Business Need: Enable users to access legitimate information on the Internet
Risk to Organization:
• Users may inadvertently access insecure content
• Difficult configuration may lead to mistakes that threaten security
• Users may access inappropriate Web sites and content
• Peer-to-peer applications and illegal downloads may expose the company to lawsuits
Internet Access for your Users
Business Need: Control and monitor users’ Internet access
Risk to Organization:
• Limited application-layer filtering prevents meaningful access control
• Logs that are difficult to view may prevent administrators from discovering problems
• Lack of reporting capabilities prevents management from evaluating employees’ use of the Internet
Why Active Directory?
Plays a key role in Distributed Security
Required for domain logon (authentication)
Grants access to resources (authorization)
Plays a key role in Identity Management
Stores and protects identities
Plays a key role in Windows manageability
Facilitates management of network resources
Facilitates delegation of administrative authority
Enables centralized policy control
Plays a key role in enabling other technologies
RRAS, Microsoft Certificate Services, Microsoft Exchange, etc.
Tremendously powerful resource – Use and Enforce It!!!
Web Access with Integrity – Internal and External
Application Layer Firewalls
Inspect Intranet and incoming external traffic
Monitor & log Intranet access by username!
Web Access with Integrity
Application Layer Firewalls (ISA Server 2004)
Most firewalls are external!
What about the inside threat?
Protect Intranet servers with intelligent firewalls
Protect Web servers in the DMZ with application protection
Not only who but what is being sent to my servers
Use application-layer inspection for malicious traffic
A Traditional Firewall’s View Of A Packet
Only packet headers are inspected
Application layer content appears as a “black box”
[Figure: IP header (source address, destination address, TTL, checksum), TCP header (sequence number, source port, destination port, checksum), application-layer content shown as “????”]
Forwarding decisions based on port numbers
Legitimate traffic and application-layer attacks use identical ports
[Figure: traffic from the Internet into the corporate network, labelled Expected HTTP Traffic, Unexpected HTTP Traffic, Attacks, Non-HTTP Traffic]
ISA Server’s View Of A Packet
Packet headers and application content are inspected
[Figure: IP header (source address, destination address, TTL, checksum), TCP header (sequence number, source port, destination port, checksum), application-layer content visible, e.g. <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>MSNBC - MSNBC Front Page</title><link rel="stylesheet" …]
Forwarding decisions based on content
Only legitimate and allowed traffic is processed
[Figure: traffic from the Internet into the corporate network, labelled Expected HTTP Traffic, Unexpected HTTP Traffic, Attacks, Non-HTTP Traffic]
Integrity = Application Layer Security
Most of today’s attacks are directed against applications
Examples: Mail clients (worms, Trojan horse attacks), Web browsers (malicious Java applets)
Applications encapsulate traffic in HTTP traffic
Examples: Peer-to-peer, instant messaging
Traditional firewalls cannot determine what traffic is sent or received
Dynamic port assignments require too many incoming ports to be opened
Examples: FTP, RPC
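The two packet views above, as an added example that is not part of the deck and not ISA Server code: the packets, addresses and payloads are constructed inline, and the content-filter rules (an allowed-method set, a URL length cap, a traversal and null-byte check) are illustrative assumptions rather than ISA's HTTP filter settings. A header-only filter allows everything that arrives on port 80; reading past the TCP header separates expected HTTP from non-HTTP and attack-shaped requests on the same port.

```python
"""Added example (not from the SEC205 deck or ISA Server): a header-only packet
view next to an application-layer view of the same port-80 segment.
Packets are constructed inline with struct; nothing is captured from a network."""
import re
import socket
import struct

ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}  # assumption
MAX_URL = 2048                                                                   # assumption
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")


def build_packet(src, dst, sport, dport, payload, ttl=64, seq=1):
    """Minimal IPv4 + TCP segment (no options; checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, 0x18, 8192, 0, 0)
    return ip + tcp + payload


def header_view(pkt):
    """What a traditional packet filter sees: the IP and TCP header fields only."""
    _, _, _, _, _, ttl, _, ip_csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport, seq, _, off, _, _, tcp_csum, _ = struct.unpack("!HHIIBBHHH", pkt[ihl:ihl + 20])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
            "ip_checksum": ip_csum, "sport": sport, "dport": dport, "seq": seq,
            "tcp_checksum": tcp_csum, "payload_offset": ihl + (off >> 4) * 4}


def port_filter(pkt):
    """Traditional firewall: the decision depends on the destination port alone."""
    return "allow" if header_view(pkt)["dport"] in (80, 443) else "deny"


def content_filter(pkt):
    """Application-layer view: read past the headers before deciding."""
    hv = header_view(pkt)
    if hv["dport"] != 80:
        return "deny"                       # only a port-80 HTTP rule is modelled here
    payload = pkt[hv["payload_offset"]:]
    m = REQUEST_LINE.match(payload)
    if not m:
        return "deny: non-HTTP on port 80"  # P2P handshake, tunnelled protocol, binary junk
    method, target = m.group(1).decode(), m.group(2)
    if method not in ALLOWED_METHODS:
        return f"deny: method {method} not allowed"
    if len(target) > MAX_URL or b"\x00" in target or b"%00" in target or b"../" in target:
        return "deny: suspicious URL"       # traversal / null-byte shaped request
    return "allow"


# Constructed samples: same client, same server, four different payloads.
SAMPLES = {
    "expected_http": build_packet("10.0.0.5", "192.0.2.10", 40001, 80,
                                  b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    "non_http_on_80": build_packet("10.0.0.5", "192.0.2.10", 40002, 80,
                                   b"\x13BitTorrent protocol" + b"\x00" * 8),
    "attack_http": build_packet("10.0.0.5", "192.0.2.10", 40003, 80,
                                b"GET /cgi-bin/../../../../etc/passwd HTTP/1.0\r\n\r\n"),
    "smtp": build_packet("10.0.0.5", "192.0.2.10", 40004, 25, b"EHLO mail.example.test\r\n"),
}


def compare_views():
    """Map each sample to (port-only decision, content-based decision)."""
    return {name: (port_filter(p), content_filter(p)) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (by_port, by_content) in compare_views().items():
        print(f"{name:16} port filter: {by_port:6} content filter: {by_content}")
```

The port filter passes the BitTorrent handshake and the traversal request exactly as it passes the legitimate page fetch, because all three carry destination port 80; only the content view tells them apart.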
Web Access with Integrity
Stop unauthenticated access to your Intranet portals
Web-publish the Intranet portal with ISA Server 2004
Force authentication via Active Directory
Keep out anonymous connections without load on the Web server
Enforce user logon to the Domain
Ensure group policy and other security measures are enforced
Web Access with Integrity
Incoming Access – Connect to a Secure Point of Access
Protect Web servers in the DMZ or internal network
ISA Server 2004 – Web Publishing (reverse proxy)
Inspect incoming traffic via Web filters
HTTP inspection
Monitor for malicious web traffic
Web Access with Integrity
Protect Exchange (messaging) servers
Outlook Web Access
Outlook SSL connections – Outlook 2003/Exchange 2003
Outlook Mobile Access / ActiveSync
Full RPC filtering for Exchange – only Exchange traffic reaches the Exchange servers
[Figure: threats against the published servers: Web server attacks, password guessing]
Web Access with Integrity
Authentication
Unauthorized requests are blocked before they reach the Exchange server
Enforces all OWA authentication methods at the firewall
Provides forms-based authentication at the firewall before reaching OWA
Inspection
Invalid HTTP requests or requests for non-OWA content are blocked
Inspection of SSL traffic before it reaches the Exchange server*
Confidentiality
Ensures encryption of traffic over the Internet at the firewall
Can prevent the downloading of attachments to client computers separate from intranet users
[Figure: OWA traffic from the Internet in an SSL tunnel, terminated at the firewall for inspection and authentication, then forwarded to the Exchange Server OWA front end]
*Note: Full ISA inspection is not available if GZip compression is used by OWA.
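The authentication and inspection steps above, as an added example that is not part of the deck and not ISA Server's own code: a decision function for a published OWA listener that answers anonymous requests with the logon form, validates a forms logon against a constructed user store (standing in for the Active Directory lookup ISA performs), issues an HMAC-signed session cookie held only at the firewall, and forwards only requests for published OWA paths. The logon path, the published path list, the session lifetime and the user store are assumptions.

```python
"""Added example (not from the SEC205 deck or ISA Server): pre-authentication
at a reverse proxy in front of Outlook Web Access. Only a request that carries a
valid firewall-issued session and targets a published OWA path is forwarded to the
Exchange front end; every other request is answered at the firewall."""
import hashlib
import hmac
import os
import time
from urllib.parse import parse_qs


def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: username -> (salt, PBKDF2 hash). ISA would instead
# validate the credentials against the domain (or RADIUS/SecurID).
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _pw_hash("Correct-Horse-9", _SALT))}

COOKIE_KEY = os.urandom(32)                          # per-listener secret, never leaves the firewall
LOGON_PATH = "/logon"                                # hypothetical form-logon path (assumption)
PUBLISHED = ("/exchange/", "/exchweb/", "/public/")  # published OWA paths (assumption)
SESSION_TTL = 900                                    # seconds (assumption)


def authenticate(user, password):
    rec = USERS.get(user)
    if rec is None:
        return False
    salt, digest = rec
    return hmac.compare_digest(_pw_hash(password, salt), digest)


def issue_session(user, now=None):
    """Cookie = hex(user|expiry) . HMAC-SHA256 over that message."""
    exp = int(now if now is not None else time.time()) + SESSION_TTL
    msg = f"{user}|{exp}".encode()
    return msg.hex() + "." + hmac.new(COOKIE_KEY, msg, "sha256").hexdigest()


def check_session(cookie, now=None):
    """Return the user name for a valid, unexpired cookie, else None."""
    try:
        msg_hex, mac = cookie.split(".", 1)
        msg = bytes.fromhex(msg_hex)
    except ValueError:
        return None
    if not hmac.compare_digest(hmac.new(COOKIE_KEY, msg, "sha256").hexdigest(), mac):
        return None
    user, exp = msg.decode().split("|")
    if int(exp) < (now if now is not None else time.time()):
        return None
    return user


def handle(method, path, headers, body=b"", now=None):
    """Return (action, detail); 'forward' is the only outcome that reaches Exchange."""
    if method == "POST" and path == LOGON_PATH:
        form = parse_qs(body.decode())
        user = form.get("username", [""])[0]
        if authenticate(user, form.get("password", [""])[0]):
            return ("set-cookie", issue_session(user, now))
        return ("logon-form", "invalid credentials")
    user = check_session(headers.get("Cookie", ""), now)
    if user is None:
        return ("logon-form", "no valid session")        # anonymous: never forwarded
    if not path.startswith(PUBLISHED):
        return ("block", f"{user}: {path} is not published OWA content")
    return ("forward", user)
```

Password guessing and requests for anything outside the published paths are absorbed here; the Exchange server only ever sees requests that already carry an authenticated user.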
Authentication Framework
Multi-source authentication
Firewall client authentication (Web Proxy)
Transparent user authentication
Application transparent, protocol independent
Kerberos/NTLM
Web proxy authentication
Proxy auth, reverse proxy auth, pass-through auth, SSL bridging
Basic, Digest, NTLM, Kerberos, certificates
RADIUS authentication, SecurID authentication
CRL support
Extensible authentication/authorization framework
Web Publishing with ISA Server
Using Active Directory Integrated Web Access
Demo
The Who and How of External Access
Who? – External Access
Who is getting out of your network?
Vendors – Visitors – Consultants
And what are they doing?
Peer-to-peer file sharing – Instant messaging file transfer
How? – External Access
Leverage Active Directory:
Integrated Web Proxy with ISA Server 2004
Ensure only authorized users have external access
Base external access on AD groups
Log access by USER NAME and not IP address
Know your exit points to external networks
How many DMZs? Departmental external access?
Force all access through secure Web proxies
How? – External Access
Provides superior application-layer protection for corporate clients
Enforces corporate policies
Limits access to allowed sites
Limits access to allowed protocols
Provides for user- and group-based rules
Lets rules apply based on schedule
Partners provide easy extensibility
Virus checking
Web access blocking based on a database of problematic sites
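The group-, site-, protocol- and schedule-based rules above, together with the earlier point about logging by user name rather than IP address, as an added example that is not part of the deck: an ordered access-rule evaluator with a constructed group directory (standing in for AD group membership), constructed rules and host names, and a log record that carries the authenticated user. Requests without an authenticated user fall through to deny.

```python
"""Added example (not from the SEC205 deck or ISA Server): outbound Web proxy
access rules keyed on the authenticated user's AD groups, destination, protocol
and schedule, with a user-name log record. Directory, rules and hosts are constructed."""
from dataclasses import dataclass, field
from datetime import datetime
from fnmatch import fnmatch

# Constructed stand-in for Active Directory group membership lookups.
DIRECTORY = {
    "CORP\\alice": {"Domain Users", "Research"},
    "CORP\\bob": {"Domain Users"},
    "CORP\\ctr-dave": {"Contractors"},
}


@dataclass
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    groups: set                 # any-of; "*" means every authenticated user
    protocols: set              # e.g. {"HTTP", "HTTPS"}
    sites: list                 # glob patterns matched against the host name
    hours: tuple = (0, 24)      # [start, end) hour of the day
    days: set = field(default_factory=lambda: {0, 1, 2, 3, 4, 5, 6})  # datetime.weekday()


# Ordered policy; first matching rule wins, nothing matching means deny.
RULES = [
    Rule("Block P2P/IM sites", "deny", {"*"}, {"HTTP", "HTTPS"},
         ["*.p2p-example.test", "im.example.test"]),
    Rule("Research full access", "allow", {"Research"}, {"HTTP", "HTTPS"}, ["*"]),
    Rule("Staff work hours", "allow", {"Domain Users"}, {"HTTP", "HTTPS"}, ["*"],
         (8, 18), {0, 1, 2, 3, 4}),
    Rule("Contractors vendor portal", "allow", {"Contractors"}, {"HTTPS"},
         ["portal.vendor.test"]),
]


def _in_schedule(rule, when):
    return when.weekday() in rule.days and rule.hours[0] <= when.hour < rule.hours[1]


def evaluate(user, client_ip, protocol, host, when):
    """Return (decision, rule_name, log_line). user is None for an unauthenticated request."""
    if user is None:
        decision, rule_name = "deny", "Unauthenticated (default)"
    else:
        groups = DIRECTORY.get(user, set())
        decision, rule_name = "deny", "Default rule"
        for r in RULES:
            if (protocol in r.protocols
                    and any(fnmatch(host, s) for s in r.sites)
                    and ("*" in r.groups or groups & r.groups)
                    and _in_schedule(r, when)):
                decision, rule_name = r.action, r.name
                break
    # The log line names the user, so an investigation does not stop at a DHCP lease.
    log = (f"{when:%Y-%m-%d %H:%M:%S} {client_ip} {user or 'anonymous'} "
           f"{protocol} {host} {decision} \"{rule_name}\"")
    return decision, rule_name, log


def evaluate_at(user, client_ip, protocol, host, iso_when):
    """Same as evaluate(), taking an ISO-8601 timestamp string."""
    return evaluate(user, client_ip, protocol, host, datetime.fromisoformat(iso_when))


if __name__ == "__main__":
    print(evaluate_at("CORP\\bob", "10.0.0.6", "HTTP", "www.example.test", "2006-01-09T10:00:00")[2])
    print(evaluate_at(None, "10.0.0.9", "HTTP", "www.example.test", "2006-01-09T10:00:00")[2])
```

The deny rule for known P2P/IM hosts sits first so that it applies even to users whose later rules would otherwise allow everything; the same request from the same IP address evaluates differently depending on who authenticated, which is exactly what an IP-keyed log cannot show.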
How? – External Access
HTTP Filtering
Flexible control over allowed content
Web Proxy Access with ISA Server
Using Active Directory Integrated Web Proxy
Demo
Web Proxy – Intelligent?
Port 80 outbound – and away we go!
Peer-to-peer applications search for this
Instant messaging uses port 80 HTTP
How do you stop it?
Web & Application Filters
Search for signatures of these applications
ISA Server has built-in web/application filters
Block the apps even in HTTP traffic
Prevent tunneling of other protocols in HTTP
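The HTTP filtering slide and the application-signature points above, as an added example that is not part of the deck and not ISA Server's filter: an HTTP filter that enforces allowed methods, blocked extensions and headers, URL and header-length limits, and text signatures searched in the request URL, headers and body. The policy values and the signatures (header names, User-Agent strings, body text) are constructed for illustration; a deployed list would come from the proxy vendor's signature documentation for the applications you want to stop.

```python
"""Added example (not from the SEC205 deck or ISA Server): the kinds of controls an
application-layer proxy can apply to port-80 traffic. Policy and signatures are
constructed for illustration."""
import re

POLICY = {
    "max_url": 260,                                   # assumption
    "max_headers": 4096,                              # assumption
    "allowed_methods": {"GET", "HEAD", "POST"},       # CONNECT etc. are refused
    "blocked_extensions": {".exe", ".scr", ".pif"},
    "blocked_headers": {"x-kazaa-user"},              # illustrative P2P client header
    "signatures": [                                   # (where, header name or "", text)
        ("request_headers", "user-agent", "kazaa"),
        ("request_headers", "content-type", "application/x-msn-messenger"),
        ("request_url", "", "/bittorrent/"),
        ("request_body", "", "gnutella connect"),
    ],
}


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, url, headers, body, header_bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not re.fullmatch(rb"HTTP/1\.[01]", parts[2]):
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header")
        headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    return parts[0].decode(), parts[1].decode(errors="replace"), headers, body, len(head)


def http_filter(raw, policy=POLICY):
    """Return 'allow' or a 'block: ...' reason for one raw request."""
    try:
        method, url, headers, body, head_len = parse_request(raw)
    except ValueError as exc:
        return "block: " + str(exc)
    if method not in policy["allowed_methods"]:
        return f"block: method {method}"
    if len(url) > policy["max_url"] or head_len > policy["max_headers"]:
        return "block: URL or headers exceed limit"
    path = url.split("?", 1)[0].lower()
    if any(path.endswith(ext) for ext in policy["blocked_extensions"]):
        return "block: extension"
    hit = set(headers) & policy["blocked_headers"]
    if hit:
        return "block: header " + ", ".join(sorted(hit))
    for where, name, text in policy["signatures"]:
        if where == "request_headers":
            hay = headers.get(name, "")
        elif where == "request_url":
            hay = url
        else:
            hay = body.decode(errors="replace")
        if text in hay.lower():
            return f"block: signature {text!r} in {where}"
    return "allow"


if __name__ == "__main__":
    print(http_filter(b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"))
    print(http_filter(b"POST /x HTTP/1.0\r\nUser-Agent: Kazaa Client\r\n\r\n"))
```

Signature matching is only as good as the list and is trivially evaded by a client that changes its headers, which is why the method, extension and length limits sit in front of it; together they close most of the "port 80 outbound and away we go" gap without touching the packet filter.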
When a Web Proxy is Not Enough
Inspect HTTP traffic with ISA 2004
Don’t just cache
Inspect inbound web traffic
Secure what leaves your network
Know what leaves and who sent it!!
Force all users to log on to the Domain for external access
Log users by name
Leveraging Active Directory for Perimeter Defense
[Figure: defense-in-depth layers – Data and Resources, Application Defenses, Host Defenses, Network Defenses, Perimeter Defenses]
Perimeter Defense
Protect Intranet servers
Lock down Web access
Active Directory integration
Application layer firewalls are becoming increasingly more important
HTTP tunneling
SSL encryption
Anonymous connections
Community Resources
http://www.microsoft.com/communities/default.mspx
Most Valuable Professional (MVP)
http://www.microsoft.com/communities/mvp
Newsgroups
Converse online with Microsoft Newsgroups, including Worldwide
http://communities2.microsoft.com/communities/newsgroups/en-us/default.aspx
User Groups – Meet and learn with your peers
http://www.microsoft.com/communities/usergroups/default.mspx
Microsoft Learning Resources
Come and talk to Microsoft Learning to find out more about developing your skills; you can find us in the ‘Ask the Experts’ area
Special offers on Microsoft Certification from Microsoft Learning
Free Microsoft Learning Assessments: http://www.microsoft.com/learning/assessment/ind/default.asp
Free e-learning for Microsoft Visual Studio 2005 and Microsoft SQL Server 2005, with free Assessments and E-Learning: http://www.microsoft.com/learning/mcp/
© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.