Application Layer Firewalling With ISA Server 2004
Fred Baumhardt, Lead Security Technology Architect, Microsoft EMEA



Call to Action

A quantum shift in thinking is needed to avoid a cataclysmic failure in global network security

I don’t have all the answers in this session, lots of questions

We have all been lucky major global worms have not carried class 0 (evil evil) payloads like format disk and flash BIOS

Question all “experts” you hear and draw your own conclusion

Agenda

The roots of the Internet and security

The problem with conventional firewalls

Advantage of application layer inspection

Application inspection with ISA server

Pre-authentication (OWA + IIS + Apache)

Inbound SSL termination and inspection

Filtration of HTTP content and URLs

Other Application Filters

Putting it all together

Internet Security Roots

Let’s be honest – from a security perspective: IPv4 is not great – not designed for Security

The Internet used to require Security clearance to use – physical access was restricted – no need for protocol security

Resistance to Nuclear attack was more important than protecting traffic

Everyone on the network was trusted

TCP/IP was thus designed without security in mind – security added as a bolt-on

Security and HTTP

We assume that HTTP is a good business protocol and block almost all others outbound, SO:

Developers start using tunnelling over port 80 to deliver apps and data – call it web services

Microsoft does it with Outlook and Exchange 2003 – we call it a feature (easy Outlook Conn)

Joe Smith tunnels and uploads your HR database to your competition – you call him a hacker

More concerned at blocking porn (by destination) than checking that the content is valid (by deep inspection)

Tunneling

When someone puts some sort of data in one port/socket – encapsulates it in some sort of packet – and sends it to a destination you allow (because you think it is doing something else)

Example – HTTP-TUNNEL.com where you stick any (eg terminal server) traffic that is otherwise blocked in TCP 80 and for 19.95 a month, they send it to the server you really want to talk to.

HTTP Tunnel

Let’s Rip open a packet

Currently – most firewalls check only basic packet information

Real world equivalent of looking at the number and destination of a bus – and not looking at the passengers

Fundamental Assumptions L3/L4

We trust that traffic on a port is what we think it should be (TCP80==HTTP)

We implicitly trust that the traffic going through is clean (as we admit we can’t scan it)

We don’t place these devices to protect from internal networks as our users are trusted

The user in machine 1.2.3.4 must be the one that always uses that machine

TCP 80 is almost always open to everywhere – The Universal Firewall Bypass and Avoidance Protocol

Most of these mistakes result in a security breach which is usually blamed on the OS, or the app – but came over the network

OK Guys, how would you do it?

Some keys to application inspection

Segmentation of Logical Components in network – ALF can only inspect to/from somewhere

Encryption only where required – with trusted context – it usually invalidates inspection, IDS

Understanding the purpose of the traffic you are trying to filter, and blocking non-consistent traffic

Strategic depth-countermeasures covering entire classes of attacks, especially against worms

Heuristic systems supplemented with behavioural systems, and intelligence

Built In Application Filters

HTTP    Syntax analysis, signature blocking
OWA     Forms Based Authentication
SMTP    Command and message filtering
RPC     Interface blocking
FTP     Read only support
DNS     Intrusion detection
POP3    Intrusion detection
H.323   Allows H.323 traffic
MMS     Enables Microsoft media streaming

All filters:
- validate protocol RFC conformance
- enable NAT traversal

Examples Of 3rd Party Filter Add-ons
Expected to be available soon after ISA Server 2004 availability

Filters              Companies
IM                   Akonix
SOCKS 5              CornerPost Software
SOAP/raw XML         Forum Systems, Inc.
Antivirus            McAfee, GFI, Panda
URL Filtering        SurfControl, Futuresoft, FilterLogix, Cerberian, Wavecrest
Intrusion Detection  ISS, GFI

Many add-ons in other firewall areas available

For details see: http://www.microsoft.com/isaserver/partners

RPC – A typical challenge: RPC 101

Diagram: RPC client (Outlook) – 135/tcp – RPC server (Exchange); then RPC client (Outlook) – 4402/tcp – RPC server (Exchange).

Service          UUID                Port
Exchange         {12341234-1111…     4402
AD replication   {01020304-4444…     3544
MMC              {19283746-7777…     9233

RPC services grab random high ports when they start; the server maintains the table.

Client knows the UUID of the service it wants ({12341234-1111…}). Client connects to the portmapper on the server (port 135/tcp) and asks, “What port is associated with my UUID?” Server matches the UUID to the current port… Portmapper responds with the port (4402/tcp) and closes the connection. Client accesses the application over the learned port (4402/tcp).

Due to the random nature of RPC, this is not feasible over the Internet

All 64,512 high ports & port 135 must be opened on traditional firewalls

RPC Filter Security
Learn the protocol and use its features to improve security

Firewall only allows specific UUIDs

Only DC Replication, or Only Exchange/Outlook

Not defined UUIDs such as MMC, Printing blocked

Takes back control of RPC behaviour

Tunneling not allowed – as syntax is checked

Exchange specific – like enforce client encryption
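The portmapper exchange from the RPC 101 slide and the UUID allow-list from this slide, modelled as a small stateful filter. This is an added example written for this page, not ISA Server's RPC filter; the UUIDs and ports are the slide's illustrative values (not real interface identifiers) and the client and server addresses are constructed.

```python
from dataclasses import dataclass, field

EPM_PORT = 135   # RPC endpoint mapper ("portmapper") listens here

# Endpoint table the server builds as services start and grab high ports.
# UUIDs/ports are the illustrative values from the slide, not real interfaces.
ENDPOINT_MAP = {
    "12341234-1111": 4402,   # Exchange
    "01020304-4444": 3544,   # AD replication
    "19283746-7777": 9233,   # MMC
}


@dataclass
class RpcFilter:
    """Allows the endpoint mapper plus dynamic ports learned for allowed UUIDs."""
    allowed_uuids: set
    pinholes: set = field(default_factory=set)   # (client, server, port)
    log: list = field(default_factory=list)

    def epm_lookup(self, client, server, uuid):
        """Client asks the portmapper on 135/tcp: 'What port serves this UUID?'
        Returns the port if the filter lets the answer through, else None."""
        if uuid not in self.allowed_uuids:
            self.log.append(f"DENY epm {client}->{server} uuid={uuid}")
            return None
        port = ENDPOINT_MAP.get(uuid)
        if port is None:
            self.log.append(f"DENY epm {client}->{server} unregistered uuid={uuid}")
            return None
        # Open exactly one dynamic port, for this client/server pair only,
        # instead of all 64,512 high ports.
        self.pinholes.add((client, server, port))
        self.log.append(f"ALLOW epm {client}->{server} uuid={uuid} port={port}")
        return port

    def connect(self, client, server, port):
        """Decide a TCP connection: 135 and learned pinholes pass, all else fails."""
        ok = port == EPM_PORT or (client, server, port) in self.pinholes
        self.log.append(f"{'ALLOW' if ok else 'DENY'} tcp {client}->{server}:{port}")
        return ok


def demo():
    """Exchange/Outlook only: MMC lookups and unsolicited high-port hits fail."""
    f = RpcFilter(allowed_uuids={"12341234-1111"})
    outlook, exch = "203.0.113.5", "192.0.2.10"   # constructed addresses
    port = f.epm_lookup(outlook, exch, "12341234-1111")
    return {
        "exchange_port": port,
        "outlook_to_learned_port": f.connect(outlook, exch, port),
        "mmc_lookup": f.epm_lookup(outlook, exch, "19283746-7777"),
        "direct_to_mmc_port": f.connect(outlook, exch, 9233),
        "other_host_to_learned_port": f.connect("203.0.113.9", exch, port),
        "log": f.log,
    }


if __name__ == "__main__":
    for line in demo()["log"]:
        print(line)
```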

ISA Server with Feature Pack 1

Diagram: Outlook / RPC client (external network) – RPC – ISA Server with Feature Pack 1 – RPC – Exchange / RPC server (internal network).

Protecting HTTPS

Diagram: client – SSL – Traditional firewall – SSL – Web Srv / OWA.

Web server prompts for authentication — any Internet user can access this prompt

SSL tunnels through traditional firewalls because it is encrypted… …which allows viruses and worms to pass through undetected… …and infect internal servers!

ISA Server 2004 with HTTP Filter

Diagram: Internet – SSL – ISA Server 2004 with HTTP Filter (URLScan for ISA Server) – SSL or HTTP – internal web server / OWA.

Basic authentication delegation: ISA Server pre-authenticates users, eliminating multiple dialog boxes and only allowing valid traffic through

ISA Server can decrypt and inspect SSL traffic; inspected traffic can be sent to the internal server re-encrypted or in the clear.

HTTP filter for ISA Server can stop Web attacks at the network edge, even over encrypted inbound SSL

Pre-Authentication

No L7 password = no access to internal system – excellent failsafe

Potential attackers go from 7 Billion to the number of people who have credentials to your network

Worms will not have your credentials (hopefully)

ISA 2000 can also do this with RSA SecurID for HTTP (though not for RPC/HTTP with SecurID)

Cookie pre-authentication for Outlook Web Access 2003 also available

Protecting HTTP and (S) cont.
The Big Picture

Understanding the protocol – how it works, what its rules are, and what to expect – is critical

Inbound HTTPS termination is easy (you control the cert); outbound is difficult

Human behaviour is easy – FW admins close all ports so we use 80, thus we need to learn how to filter 80

Web Publishing Protection

Worms usually go by IP or network range, they seldom know the FQDN (yet)

Publish by FQDN: https://mail.yc.com/exchange

Nothing gets in unless it asks the firewall for the exact URL (in HTTP language), not just 212.30.12.1:T80

Use HTTP Filter verbs – signature strings, and method blocking to eliminate entire classes of attacks

Let’s look at some examples

Example: Protecting A Web Server

General      Limit header length, query and URL length. Verify normalization.
Methods      Allow only specified methods: GET, HEAD, POST
Extensions   Block specified extensions (allow all others): .exe, .bat, .cmd, .com, .htw, .ida, .idq, .htr, .idc, .shtm, .shtml, .stm, .printer, .ini, .log, .pol, .dat, …
Signatures   Block content containing these signatures (Request URL): .. , ./ , \ , : , % , &

Demonstration of HTTP Filtration

Example: Protocol Level Countermeasures HTTP (same rule set as the web server example above)


Example: Blocking Apps Over HTTP

Application                          Search in         HTTP header       Signature
MSN Messenger                        Request headers   User-Agent:       MSN Messenger
Windows Messenger                    Request headers   User-Agent:       MSMSGS
AOL Messenger (and Gecko browsers)   Request headers   User-Agent:       Gecko/
Yahoo Messenger                      Request headers   Host              msg.yahoo.com
Kazaa                                Request headers   P2P-Agent:        Kazaa, Kazaaclient
Kazaa                                Request headers   User-Agent:       KazaaClient
Kazaa                                Request headers   X-Kazaa-Network:  KaZaA
Gnutella, Gnucleus                   Request headers   User-Agent:       Gnutella
Edonkey                              Request headers   User-Agent:       e2dk
Morpheus                             Response header   Server            Morpheus
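The rule set from the web server example above and the request-header signatures from this table, applied by one request-side filter. This is an added example written for this page, not ISA Server's HTTP filter or its configuration; the numeric length limits, host names and sample requests are assumptions, and the Morpheus response-header row is left out because the filter below only sees requests.

```python
from os.path import splitext
from urllib.parse import unquote, urlsplit

# Assumed limits: the slide says "limit header, query and URL length" without numbers
MAX_URL, MAX_QUERY, MAX_HEADERS = 260, 1024, 4096
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
BLOCKED_EXT = {".exe", ".bat", ".cmd", ".com", ".htw", ".ida", ".idq", ".htr",
               ".idc", ".shtm", ".shtml", ".stm", ".printer", ".ini", ".log",
               ".pol", ".dat"}
URL_SIGNATURES = ["..", "./", "\\", ":", "%", "&"]      # searched in the request URL
# (header, substring) pairs from the "Blocking Apps Over HTTP" table, request side only
HEADER_SIGNATURES = [("user-agent", "msn messenger"), ("user-agent", "msmsgs"),
                     ("user-agent", "kazaaclient"), ("user-agent", "gnutella"),
                     ("user-agent", "e2dk"), ("host", "msg.yahoo.com"),
                     ("p2p-agent", "kazaa"), ("x-kazaa-network", "kazaa")]


def parse_request(raw):
    """Split a raw request head into (method, target, {lower-case name: value})."""
    lines = raw.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:                     # empty line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def check_request(raw):
    """Return None if the request passes every rule, else the rule it broke."""
    method, target, headers = parse_request(raw)
    parts = urlsplit(target)
    if len(target) > MAX_URL or len(parts.query) > MAX_QUERY:
        return "length"
    if sum(len(k) + len(v) + 4 for k, v in headers.items()) > MAX_HEADERS:
        return "header-length"
    if method not in ALLOWED_METHODS:
        return "method"
    # Normalization: decoding a second time must not change the URL,
    # otherwise the request was double-encoded and is not in normal form
    if unquote(unquote(target)) != unquote(target):
        return "normalization"
    if splitext(parts.path)[1].lower() in BLOCKED_EXT:
        return "extension"
    for sig in URL_SIGNATURES:
        if sig in target:
            return "signature:" + sig
    for name, sig in HEADER_SIGNATURES:  # case-insensitive substring match
        if sig in headers.get(name, "").lower():
            return "app-signature:" + name
    return None


# Constructed samples: a clean OWA request, then one request per broken rule
SAMPLES = [
    "GET /exchange/inbox HTTP/1.1\r\nHost: mail.example.test\r\n"
    "User-Agent: Mozilla/4.0\r\n\r\n",
    "PUT /exchange/inbox HTTP/1.1\r\nHost: mail.example.test\r\n\r\n",
    "GET /default.ida?x=1 HTTP/1.0\r\nHost: mail.example.test\r\n\r\n",
    "GET /docs/../private HTTP/1.1\r\nHost: mail.example.test\r\n\r\n",
    "GET /a%252e%252eb HTTP/1.1\r\nHost: mail.example.test\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: gateway.test\r\nUser-Agent: KazaaClient 2.0\r\n\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(raw.split("\r\n")[0], "->", check_request(raw) or "allowed")
```

Note that the "%" signature from the slide rejects every percent-encoded URL, so the normalization check only matters for the ordering of the reason reported.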

DNS Protection

Rudimentary protection

General anti-tunneling protection through TCP/UDP 53

Mail Protection

Lots of Antispam and antivirus vendors cover the relay points – what about:

Is TCP 25 really SMTP?

Is someone sending a buffer overflow to the RCPT command?

Can I block someone using the VRFY command?

Can I strip an attachment, or block a user?

Why not do the Protocol level protection at the network device; use the firewall to add a layer of defence for the mail system.
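The command-level checks the questions above ask for, as an added example written for this page (not ISA Server's SMTP filter): each client line on TCP 25 must be printable ASCII SMTP syntax, VRFY and EXPN are refused, the RFC 2821 command-line and path length limits bound the RCPT/MAIL argument, and listed users are blocked. The blocked user and the sample session are constructed.

```python
import re

MAX_LINE = 512            # RFC 2821 4.5.3.1: command line, including CRLF
MAX_PATH = 256            # RFC 2821 4.5.3.1: reverse-path / forward-path
ALLOWED = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
BLOCKED = {"VRFY", "EXPN"}                    # address-enumeration commands
BLOCKED_USERS = {"jsmith@example.test"}       # constructed sample
PATH_RE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<([^<>]*)>", re.IGNORECASE)


def check_command(line):
    """Classify one client command line; returns (allowed, reason)."""
    if not line.endswith("\r\n") or len(line) > MAX_LINE:
        return False, "line-length"          # oversized or unterminated line
    body = line[:-2]
    if not body.isascii() or not body.isprintable():
        return False, "not-smtp"             # commands are printable 7-bit ASCII
    verb = body.split(" ", 1)[0].upper()
    if verb in BLOCKED:
        return False, "blocked-command:" + verb
    if verb not in ALLOWED:
        return False, "unknown-command:" + verb
    if verb in ("MAIL", "RCPT"):
        m = PATH_RE.match(body)
        if not m:
            return False, "bad-path-syntax"
        path = m.group(2)
        if len(path) > MAX_PATH:
            return False, "path-too-long"    # oversized RCPT/MAIL argument
        if path.lower() in BLOCKED_USERS:
            return False, "blocked-user"
    return True, "ok"


def filter_session(lines):
    """Run a whole client session; return (verb, reason) for every rejected line."""
    return [(line.split(" ", 1)[0].strip(), reason)
            for line in lines
            for allowed, reason in [check_command(line)] if not allowed]


# Constructed client session: valid commands mixed with ones the filter rejects
SESSION = [
    "EHLO client.example.test\r\n",
    "VRFY postmaster\r\n",
    "MAIL FROM:<sender@example.test>\r\n",
    "RCPT TO:<" + "a" * 300 + "@example.test>\r\n",
    "RCPT TO:<jsmith@example.test>\r\n",
    "RCPT TO: nobody\r\n",
    "DATA\r\n",
    "QUIT\r\n",
]

if __name__ == "__main__":
    for verb, reason in filter_session(SESSION):
        print(f"rejected {verb}: {reason}")
```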

Mail Filtration Examples

Requires another box to do the storage of mail

Must link the box to ISA via RPC

Applies Protocol validation and some keyword and attachment stripping

Defence in depth – not a primary mail solution

Encapsulated Traffic

IPSEC (AH and ESP), PPTP etc cannot be scanned at ISA server if published or allowed through

If you tunnel traffic through these ports ISA will log the tunnel – it cannot look inside unless it is terminating the VPN

Your call – open more ports with app filters or tunnel traffic through with no inspection – most DC protocols have no filters

Be aware of the implications of NAT

VPN Termination

ISA currently does intra-tunnel VPN inspection, so traffic coming in via VPN will be inspected at the application layer

VPN Client Traffic is treated as a dedicated network – so you can control where it goes and its Application Filter rules

Windows Server 2003 Quarantine with ISA VPN fully supported – excellent functionality

Extending The Platform

Firewalls are placed in different locations for different reasons. Understand the requirement and filter accordingly

Extend core functionality with protocol filters covering your specific scenario

No one device will ever be the silver bullet, solutions are more important than devices

One Vision for Secure Networking

Diagram: Internet – Redundant Routers – ISA Firewalls (First Tier Firewalls: URL Filtering for OWA, RPC Termination for Outlook) – VLANs for DC + Infrastructure, Front-end and Backend on NIC teams / 2 switches, with Intrusion Detection on each tier.

One or more Switches Implement VLANs and Control Inter-VLAN Traffic like Firewalls do – VLANs are not bullet proof (but neither are servers)

Traffic is allowed or blocked based on requirements of the application; filters understand and enforce these requirements.

Debunking Network Security Myths

People DON’T play by the rules – unless you make them – and ports are not intent – you need to check

Hardware devices are NOT more secure – they are more convenient – that’s all

Invest in getting to know the device, what it can/can’t do – don’t buy what you know – buy what you need

Don’t let just the network people control and purchase firewalls – it takes application awareness

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.