Application Layer Firewalling With ISA Server 2004
Fred Baumhardt, Lead Security Technology Architect, Microsoft EMEA

Call to Action
A quantum shift in thinking is needed to avoid a cataclysmic failure in global network security
I don’t have all the answers in this session, lots of questions
We have all been lucky that major global worms have not carried class 0 (evil evil) payloads like format disk and flash BIOS
Question all “experts” you hear and draw your own conclusion

Agenda
The roots of the Internet and security
The problem with conventional firewalls
Advantage of application layer inspection
Application inspection with ISA server
Pre-authentication (OWA + IIS + Apache)
Inbound SSL termination and inspection
Filtration of HTTP content and URLs
Other Application Filters
Putting it all together

Internet Security Roots
Let’s be honest – from a security perspective, IPv4 is not great – it was not designed for security
The Internet used to require security clearance to use – physical access was restricted – no need for protocol security
Resistance to nuclear attack was more important than protecting traffic
Everyone on the network was trusted
TCP/IP was thus designed without security in mind – security was added as a bolt-on

Security and HTTP
We assume that HTTP is a good business protocol – we block almost all others outbound, SO:
Developers start using tunnelling over port 80 to deliver apps and data – and call it web services
Microsoft does it with Outlook and Exchange 2003 – we call it a feature (easy Outlook Conn)
Joe Smith tunnels and uploads your HR database to your competition – you call him a hacker
More concerned with blocking porn (by destination) than with checking that the content is valid (by deep inspection)

Tunneling
When someone puts some sort of data in one port/socket – encapsulates it in some sort of packet – and sends it to a destination you allow (because you think it is doing something else)
Example – HTTP-TUNNEL.com, where you stick any traffic that is otherwise blocked (eg terminal server) in TCP 80 and, for 19.95 a month, they send it to the server you really want to talk to.

Let’s Rip Open a Packet
Currently – most firewalls check only basic packet information
Real world equivalent of looking at the number and destination of a bus – and not looking at the passengers

Fundamental Assumptions L3/L4
We trust that traffic on a port is what we think it should be (TCP 80 == HTTP)
We implicitly trust that the traffic going through is clean (as we admit we can’t scan it)
We don’t place these devices to protect from internal networks as our users are trusted
The user on machine 1.2.3.4 must be the one that always uses that machine
TCP 80 is almost always open to everywhere – The Universal Firewall Bypass and Avoidance Protocol
Most of these mistakes result in a security breach which is usually blamed on the OS or the app – but it came over the network

OK Guys, how would you do it?
Some keys to application inspection
Segmentation of logical components in the network – ALF (application layer filtering) can only inspect to/from somewhere
Encryption only where required – with trusted context – it usually invalidates inspection and IDS
Understanding the purpose of the traffic you are trying to filter, and blocking non-consistent traffic
Strategic depth countermeasures covering entire classes of attacks, especially against worms
Heuristic systems supplemented with behavioural systems and intelligence

Built In Application Filters
Filter   Function
HTTP     Syntax analysis, signature blocking
OWA      Forms Based Authentication
SMTP     Command and message filtering
RPC      Interface blocking
FTP      Read only support
DNS      Intrusion detection
POP3     Intrusion detection
H.323    Allows H.323 traffic
MMS      Enables Microsoft media streaming
All filters:
- validate protocol RFC conformance
- enable NAT traversal

Examples Of 3rd Party Filter Add-ons
Expected to be available soon after ISA Server 2004 availability
Filters              Companies
IM                   Akonix
SOCKS 5              CornerPost Software
SOAP/raw XML         Forum Systems, Inc.
Antivirus            McAfee, GFI, Panda
URL Filtering        SurfControl, Futuresoft, FilterLogix, Cerberian, Wavecrest
Intrusion Detection  ISS, GFI
Many add-ons in other firewall areas available
For details see: http://www.microsoft.com/isaserver/partners

RPC – A typical challenge – RPC 101
Diagram: RPC client (Outlook) talking to RPC server (Exchange)
Service         UUID              Port
Exchange        {12341234-1111…   4402
AD replication  {01020304-4444…   3544
MMC             {19283746-7777…   9233
RPC services grab random high ports when they start; the server maintains the table
Client connects to the portmapper on the server (port 135/tcp)
Client knows the UUID of the service it wants: {12341234-1111…}
Client asks, “What port is associated with my UUID?”
Server matches the UUID to the current port…
Portmapper responds with the port (4402/tcp) and closes the connection
Client accesses the application over the learned port (4402/tcp)
Due to the random nature of RPC, this is not feasible over the Internet
All 64,512 high ports & port 135 must be opened on traditional firewalls

RPC Filter Security
Learn the protocol and use its features to improve security
Firewall only allows specific UUIDs
Only DC replication, or only Exchange/Outlook
UUIDs that are not defined, such as MMC and printing, are blocked
Takes back control of RPC behaviour
Tunneling not allowed – as syntax is checked
Exchange specific – like enforcing client encryption
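The portmapper exchange from the RPC 101 slide and the UUID-allowlist behaviour of the RPC filter, as an added example (not ISA Server's own code): the endpoint table, UUIDs, ports and client addresses are constructed stand-ins, and the filter only opens a dynamic port for the client that legitimately resolved it.

```python
"""Endpoint-mapper exchange plus a UUID-allowlist RPC filter (added example,
not ISA Server's RPC filter). All UUIDs, ports and addresses are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

EPM_PORT = 135   # the portmapper / endpoint mapper listens here

# Constructed placeholders, not the real interface UUIDs of these services
EXCHANGE_UUID = "aaaaaaaa-0001-0000-0000-000000000001"
ADREPL_UUID = "aaaaaaaa-0002-0000-0000-000000000002"
MMC_UUID = "aaaaaaaa-0003-0000-0000-000000000003"

# Server side: "UUID -> current high port", rebuilt each time services start
ENDPOINT_TABLE = {EXCHANGE_UUID: 4402, ADREPL_UUID: 3544, MMC_UUID: 9233}


def portmapper_lookup(uuid: str) -> Optional[int]:
    """Server matches the requested UUID to the port it currently uses."""
    return ENDPOINT_TABLE.get(uuid)


@dataclass
class RpcFilter:
    """Firewall filter that reads the EPM exchange: only listed UUIDs may be
    resolved, and a learned port is opened only for the client that asked."""
    allowed_uuids: Set[str]
    learned: Dict[Tuple[str, int], str] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def epm_request(self, client: str, uuid: str) -> Optional[int]:
        """Client asks the portmapper (135/tcp) which port serves its UUID."""
        if uuid not in self.allowed_uuids:
            self.log.append(f"DENY epm {client} uuid={uuid}: not in allowlist")
            return None
        port = portmapper_lookup(uuid)
        if port is None:
            self.log.append(f"DENY epm {client} uuid={uuid}: unknown to server")
            return None
        self.learned[(client, port)] = uuid   # tie the dynamic port to this client
        self.log.append(f"ALLOW epm {client} uuid={uuid} -> {port}/tcp")
        return port

    def connect(self, client: str, port: int) -> bool:
        """Only 135/tcp or a port this client legitimately learned is open;
        every other high port stays closed."""
        ok = port == EPM_PORT or (client, port) in self.learned
        self.log.append(f"{'ALLOW' if ok else 'DENY'} connect {client} -> {port}/tcp")
        return ok

    def bind(self, client: str, port: int, uuid: str) -> bool:
        """The RPC bind on the learned port must name the UUID that was
        resolved for it; anything else is dropped as a tunnelling attempt."""
        ok = self.learned.get((client, port)) == uuid
        self.log.append(f"{'ALLOW' if ok else 'DENY'} bind {client} -> {port}/tcp uuid={uuid}")
        return ok


if __name__ == "__main__":
    fw = RpcFilter(allowed_uuids={EXCHANGE_UUID})   # publish Exchange/Outlook only
    port = fw.epm_request("10.0.0.5", EXCHANGE_UUID)
    fw.connect("10.0.0.5", port)
    fw.epm_request("10.0.0.5", MMC_UUID)              # MMC not defined -> denied
    print("\n".join(fw.log))
```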

ISA Server with Feature Pack 1
Diagram: Outlook/RPC client (external network) → RPC → ISA Server with Feature Pack 1 → RPC → Exchange/RPC server (internal network)

Protecting HTTPS
Diagram, traditional firewall: client → SSL → traditional firewall → SSL → Web server/OWA
Web server prompts for authentication — any Internet user can access this prompt
SSL tunnels through traditional firewalls because it is encrypted…
…which allows viruses and worms to pass through undetected…
…and infect internal servers!
Diagram, ISA Server 2004 with HTTP Filter: client (Internet) → SSL → ISA Server 2004 with HTTP Filter (URLScan for ISA Server) → SSL or HTTP → Web server/OWA
Basic authentication delegation
ISA Server pre-authenticates users, eliminating multiple dialog boxes and only allowing valid traffic through
ISA Server can decrypt and inspect SSL traffic; inspected traffic can be sent to the internal server re-encrypted or in the clear.
HTTP filter for ISA Server can stop Web attacks at the network edge, even over encrypted inbound SSL

Pre-Authentication
No L7 password = no access to internal system – excellent failsafe
Potential attackers go from 7 billion to the number of people who have credentials to your network
Worms will not have your credentials (hopefully)
ISA 2000 can also do this by RSA SecurID for HTTP (though not for RPC/HTTP with SecurID)
Cookie pre-authentication for Outlook Web Access 2003 also available

Protecting HTTP and HTTPS cont. – The Big Picture
Understanding the protocol – how it works, what its rules are, and what to expect – is critical
Inbound HTTPS termination is easy (you control the cert); outbound is difficult
Human behaviour is easy – FW admins close all ports so we use 80, thus we now need to learn to filter 80

Web Publishing Protection
Worms usually go by IP or network range; they seldom know the FQDN (yet)
Publish by FQDN: https://mail.yc.com/exchange
Nothing gets in unless it asks the firewall for the exact URL (in HTTP language), not just 212.30.12.1:T80
Use HTTP Filter verbs – signature strings and method blocking – to eliminate entire classes of attacks
Let’s look at some examples

Example: Protecting A Web Server
General                   Limit header length, query and URL length. Verify normalization.
Methods                   Allow only specified methods: GET, HEAD, POST
Extensions                Block specified extensions (allow all others): .exe, .bat, .cmd, .com, .htw, .ida, .idq, .htr, .idc, .shtm, .shtml, .stm, .printer, .ini, .log, .pol, .dat, …
Signatures (Request URL)  Block content containing these signatures: .. , ./ , \ , : , % , &

Example: Blocking Apps Over HTTP
Application                         Search in         HTTP header       Signature
MSN Messenger                       Request headers   User-Agent:       MSN Messenger
Windows Messenger                   Request headers   User-Agent:       MSMSGS
AOL Messenger (and Gecko browsers)  Request headers   User-Agent:       Gecko/
Yahoo Messenger                     Request headers   Host              msg.yahoo.com
Kazaa                               Request headers   P2P-Agent:        Kazaa, Kazaaclient
Kazaa                               Request headers   User-Agent:       KazaaClient
Kazaa                               Request headers   X-Kazaa-Network:  KaZaA
Gnutella / Gnucleus                 Request headers   User-Agent:       Gnutella
Edonkey                             Request headers   User-Agent:       e2dk
Morpheus                            Response header   Server            Morpheus
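The two example slides (the web-server rule set and the application header signatures) implemented as one request/response filter; this is an added illustration, not ISA Server's HTTP filter, and the numeric length limits and the sample messages are constructed, while the method, extension, URL-signature and header-signature lists are the ones on the slides.

```python
"""HTTP filter built from the two slides' rules; an added example, not ISA
Server's HTTP filter. Length limits and sample inputs are constructed."""
from urllib.parse import unquote

ALLOWED_METHODS = {"GET", "HEAD", "POST"}
BLOCKED_EXTENSIONS = {".exe", ".bat", ".cmd", ".com", ".htw", ".ida", ".idq",
                      ".htr", ".idc", ".shtm", ".shtml", ".stm", ".printer",
                      ".ini", ".log", ".pol", ".dat"}
URL_SIGNATURES = ["..", "./", "\\", ":", "%", "&"]
MAX_URL, MAX_QUERY, MAX_HEADER = 260, 200, 1024   # constructed limits
APP_SIGNATURES = [  # (side, header name, substring, application) from the slide
    ("request", "user-agent", "MSN Messenger", "MSN Messenger"),
    ("request", "user-agent", "MSMSGS", "Windows Messenger"),
    ("request", "user-agent", "Gecko/", "AOL Messenger (and Gecko browsers)"),
    ("request", "host", "msg.yahoo.com", "Yahoo Messenger"),
    ("request", "p2p-agent", "Kazaa", "Kazaa"),
    ("request", "user-agent", "KazaaClient", "Kazaa"),
    ("request", "x-kazaa-network", "KaZaA", "Kazaa"),
    ("request", "user-agent", "Gnutella", "Gnutella / Gnucleus"),
    ("request", "user-agent", "e2dk", "Edonkey"),
    ("response", "server", "Morpheus", "Morpheus"),
]

def parse_head(raw: bytes):
    """Split a head into its first line and a lower-cased header dict."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # names are case-insensitive
    return lines[0], headers

def match_app(side: str, headers: dict) -> str:
    """Application revealed by a header signature on this side, or ''."""
    for where, name, needle, app in APP_SIGNATURES:
        if where == side and needle.lower() in headers.get(name, "").lower():
            return f"{app} via {name}"
    return ""

def check_request(raw: bytes) -> str:
    """Return 'allow' or 'block: <reason>' for one inbound request head."""
    first, headers = parse_head(raw)
    try:
        method, target, _version = first.split(" ", 2)
    except ValueError:
        return "block: malformed request line"
    if method not in ALLOWED_METHODS:
        return f"block: method {method} not allowed"
    path, _, query = target.partition("?")
    if len(target) > MAX_URL or len(query) > MAX_QUERY or any(
            len(v) > MAX_HEADER for v in headers.values()):
        return "block: length limit exceeded"
    if unquote(path) != path:   # normalization check: decoding must be a no-op
        return "block: URL not normalized"
    filename = path.rsplit("/", 1)[-1]
    ext = "." + filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    if ext in BLOCKED_EXTENSIONS:
        return f"block: extension {ext}"
    for sig in URL_SIGNATURES:   # checked against the whole request URL, as on the slide
        if sig in target:
            return f"block: URL signature {sig!r}"
    app = match_app("request", headers)
    return f"block: {app}" if app else "allow"

def check_response(raw: bytes) -> str:
    """Same signature table applied to the server's response head."""
    _status, headers = parse_head(raw)
    app = match_app("response", headers)
    return f"block: {app}" if app else "allow"
```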

DNS Protection
Rudimentary protection
General anti-tunneling protection through TCP/UDP 53

Mail Protection
Lots of antispam and antivirus vendors cover the relay points – what about:
Is TCP 25 really SMTP?
Is someone sending a buffer overflow to the RCPT: command?
Can I block someone using the VRFY command?
Can I strip an attachment, or block a user?
Why not do the protocol level protection at the network device – use the firewall to add a layer of defence for the mail system.

Mail Filtration Examples
Requires another box to do the storage of mail
Must link the box to ISA via RPC
Applies protocol validation and some keyword and attachment stripping
Defence in depth – not a primary mail solution
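A command-level SMTP check of the kind the Mail Protection slide asks for (is TCP 25 really SMTP, is RCPT being overflowed, can VRFY or a user be blocked), as an added example that is not ISA Server's SMTP filter; the verb set, the blocked recipient and the session lines are constructed, and the 512-octet line and 256-octet path limits are taken from RFC 5321.

```python
"""SMTP command filter for the slide's questions (added example, not ISA
Server's SMTP filter). Verbs, limits and addresses are constructed."""
import re

SMTP_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT",
              "VRFY", "EXPN", "HELP", "STARTTLS", "AUTH"}
BLOCKED_VERBS = {"VRFY", "EXPN"}            # address-probing commands never relayed
MAX_LINE = 512                               # RFC 5321 command line limit, incl. CRLF
MAX_PATH = 256                               # RFC 5321 reverse/forward path limit
BLOCKED_RECIPIENTS = {"ceo@example.com"}    # constructed: block mail to one user
# MAIL FROM:<path> / RCPT TO:<path>, optionally followed by ESMTP parameters
PATH_RE = re.compile(r"^(?:FROM|TO):\s*<([^<>]*)>(?:\s+\S+)*$", re.IGNORECASE)


def check_command(line: str) -> str:
    """Return 'allow' or 'block: <reason>' for one client command line."""
    if not line.endswith("\r\n") or len(line) > MAX_LINE:
        return "block: not a well-formed SMTP command line"
    verb, _, arg = line[:-2].partition(" ")
    verb = verb.upper()
    if verb not in SMTP_VERBS:
        return f"block: unknown verb {verb!r} (is this really SMTP?)"
    if verb in BLOCKED_VERBS:
        return f"block: {verb} not permitted"
    if verb in ("MAIL", "RCPT"):
        m = PATH_RE.match(arg)
        if not m:                       # e.g. an unbracketed, oversized argument
            return f"block: malformed {verb} argument"
        if len(m.group(1)) > MAX_PATH:  # oversized path: overflow attempt or junk
            return f"block: {verb} path exceeds {MAX_PATH} octets"
        if verb == "RCPT" and m.group(1).lower() in BLOCKED_RECIPIENTS:
            return "block: recipient not permitted"
    return "allow"


def filter_session(lines: list) -> list:
    """Run a client's lines through the filter, tracking the DATA phase (body
    lines are not commands) and stopping at the first block."""
    verdicts, in_data = [], False
    for line in lines:
        if in_data:                     # message body passes until the lone "."
            in_data = line != ".\r\n"
            verdicts.append((line[:-2][:40], "allow"))
            continue
        verdict = check_command(line)
        verdicts.append((line[:-2][:40], verdict))
        if verdict != "allow":
            break
        in_data = line[:4].upper() == "DATA"
    return verdicts
```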

Encapsulated Traffic
IPSEC (AH and ESP), PPTP etc cannot be scanned at ISA Server if published or allowed through
If you tunnel traffic through these ports ISA will log the tunnel – it cannot look inside unless it is terminating the VPN
Your call – open more ports with app filters, or tunnel traffic through with no inspection – most DC protocols have no filters
Be aware of the implications of NAT

VPN Termination
ISA currently does intra-tunnel VPN inspection, so traffic coming in via VPN will be inspected at the application layer
VPN client traffic is treated as a dedicated network – so you can control where it goes and its application filter rules
Windows Server 2003 Quarantine with ISA VPN fully supported – excellent functionality

Extending The Platform
Firewalls are placed in different locations for different reasons. Understand the requirement and filter accordingly
Extend core functionality with protocol filters covering your specific scenario
No one device will ever be the silver bullet; solutions are more important than devices

One Vision for Secure Networking
Diagram: Internet → Redundant Routers → ISA Firewalls (First Tier Firewalls: URL Filtering for OWA; RPC Termination for Outlook) → VLANs (Front-end, Backend, DC + Infrastructure) on NIC teams / 2 switches, with Intrusion Detection
One or more switches implement VLANs and control inter-VLAN traffic like firewalls do – VLANs are not bullet proof (but neither are servers)
Traffic is allowed or blocked based on requirements of the application; filters understand and enforce these requirements.

Debunking Network Security Myths
People DON’T play by the rules – unless you make them – and ports are not intent – you need to check
Hardware devices are NOT more secure – they are more convenient – that’s all
Invest in getting to know the device, what it can/can’t do – don’t buy what you know – buy what you need
Don’t let just the network people control and purchase firewalls – it takes application awareness

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.