Implementing Network Security (online.aoi.edu.au/documents/1361152703PPT2.pdf)
Page 1
NETWORK SECURITY
Page 2
Agenda
• PKI Overview
• Secure Remote Access
• Secure Wireless
• Segmentation via IPsec
• Application Layer Firewalling
Page 3
Symmetric Key Cryptography
Plain-text input: “The quick brown fox jumps over the lazy dog”
Encryption with the shared-secret key -> Cipher-text: “AxCv;5bmEseTfid3)fGsmWe#4^,sdgfMwir3:dkJeTsY8R\s@!q3%”
Decryption with the same key (shared secret) -> Plain-text output: “The quick brown fox jumps over the lazy dog”
Page 4
Public Key Encryption
Clear-text Input: “The quick brown fox jumps over the lazy dog”
Encryption with the Recipient’s public key -> Cipher-text: “Py75c%bn&*)9|fDe^bDFaq#xzjFr@g5=&nmdFg$5knvMd’rkvegMs”
Decryption with the Recipient’s private key -> Clear-text Output: “The quick brown fox jumps over the lazy dog”
Different keys: the public key encrypts, the private key decrypts
Page 5
Public Key Pros and Cons
• Weakness:
  • Extremely slow
  • Susceptible to “known ciphertext” attack
  • Problem of trusting public key (see later on PKI)
• Strength:
  • Solves problem of passing the key
  • Allows establishment of trust context between parties
Page 6
Hybrid Encryption (Real World)
Plain-text: “Launch key for nuclear missile “RedHeat” is...”
RNG -> Randomly-generated symmetric “session” key
Symmetric encryption (e.g. DES) of the plain-text under the session key -> Cipher-text “*#$fjda^j u539!3t t389E *&\@ 5e%32\^kd”
Digital Envelope: the symmetric key encrypted asymmetrically (e.g., RSA) under the User’s public key (in certificate)
As above, repeated for other recipients or recovery agents: a further Digital Envelope under the other recipient’s or agent’s public key (in certificate) in recovery policy
Page 7
Hybrid Decryption
Cipher-text “*#$fjda^j u539!3t t389E *&\@ 5e%32\^kd” arrives with a Digital Envelope that contains the “session” key encrypted using the recipient’s public key
Asymmetric decryption of the “session” key (e.g. RSA): the session key must be decrypted using the Recipient’s private key
Symmetric decryption (e.g. DES) under the recovered symmetric “session” key -> “Launch key for nuclear missile “RedHeat” is...”
Page 8
Digitally Signing - Signing
Data: “This is the data that I am sending”
Hash -> Data Hash “Aksjdlka alsjla394897 &(^&*kshfos (*&E321029 83”
Encryption of the Data Hash with the Recipient’s private key -> Encrypted Data Hash “Py75c%bn&*)9|fDe^b DFaq#xzjFr@g5=&nm dFg$5knvMd’rkvegMs”
Data & Encrypted Hash Sent
Page 9
Digital Signing - Checking
Received: Data + Encrypted Hash “Py75c%bn&*)9|fDe^b DFaq#xzjFr@g5=&nm dFg$5knvMd’rkvegMs”
Decryption (Hash) of the Encrypted Hash with the public key -> Decrypted Message Hash
Clear-text Input -> Hash -> Message Hash
Compare: Check Message Hash = Decrypted Message Hash
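The envelope of slides 6 and 7 and the sign/check flow of slides 8 and 9, carried through as one added Python example that is not part of the deck. Textbook RSA over two Mersenne primes stands in for the certificate key pair and a SHA-256 keystream stands in for DES; both are constructed toys with no padding, and the signature is made with the signer's own private key and checked with the matching public key.

```python
import hashlib
import secrets

# Toy RSA key pair built from two Mersenne primes (constructed for illustration:
# no padding and far too small for real use, but enough to show the structure).
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
PUBLIC_KEY, PRIVATE_KEY = (N, E), (N, D)

def rsa_apply(key, value: int) -> int:
    """Textbook RSA: value ** exponent mod n (E for encrypt/verify, D for decrypt/sign)."""
    n, exponent = key
    return pow(value, exponent, n)

def symmetric_xor(session_key: bytes, data: bytes) -> bytes:
    """Stand-in for the slide's DES/AES box: a SHA-256 counter-mode keystream XORed
    onto the data. The same call encrypts and decrypts."""
    out = bytearray()
    for counter, start in enumerate(range(0, len(data), 32)):
        block = hashlib.sha256(session_key + counter.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)

def seal(plaintext: bytes, recipient_public):
    """Hybrid encryption: RNG -> session key, symmetric-encrypt the data, then wrap
    the session key in a digital envelope under the recipient's public key."""
    session_key = secrets.token_bytes(16)  # 128-bit key; as an integer it is below N
    ciphertext = symmetric_xor(session_key, plaintext)
    envelope = rsa_apply(recipient_public, int.from_bytes(session_key, "big"))
    return ciphertext, envelope

def open_envelope(ciphertext: bytes, envelope: int, recipient_private) -> bytes:
    """Hybrid decryption: recover the session key with the private key, then decrypt."""
    session_key = rsa_apply(recipient_private, envelope).to_bytes(16, "big")
    return symmetric_xor(session_key, ciphertext)

def digest_int(data: bytes) -> int:
    # Hash truncated to 128 bits so it stays below the toy modulus.
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")

def sign(data: bytes, signer_private) -> int:
    """Signing: hash the data, then 'encrypt' the hash with the signer's private key."""
    return rsa_apply(signer_private, digest_int(data))

def verify(data: bytes, signature: int, signer_public) -> bool:
    """Checking: decrypt the hash with the public key and compare it with a fresh hash."""
    return rsa_apply(signer_public, signature) == digest_int(data)
```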
Page 10
Key Thoughts
• How do you design a PKI?
  • By Geography?
  • By PK Function?
  • By Administration?
  • Internal or External?
• How Many Certificates?
• Usage Times
Page 11
What is Quarantine?
• Health Checkup
  • IT checks “health” of client - patch level, AV, other scriptable checks
• Network Access Control
  • Access/No Access using RRAS & IAS
• Health Maintenance
  • Quarantined clients are given access to fix-up services
• Can’t protect against malicious users
Diagram: Returning Laptops, From Home, Unhealthy Desktops
Page 12
Classic VPN Quarantine (V1)
Diagram: Client - Internet - RRAS - Corpnet - IAS - Quarantine
CM Profile
• Runs customizable post connect script
• Script runs RQC notifier with “results string”
Quarantine VSAs
• Timer limits time window to receive notify before auto disconnect
• Q-filter sets temporary route filter to quarantine access
Listener
• RQS receives Notifier “results string”
• Compares results to possible results
• Removes time-out if response received but client out of date
• Removes quarantine filter if client up to date
• IAS: All VSA features
• RRAS: VSA support & API to remove quarantine
• Client/Server: RQC, RQS
RQS = Remote Quarantine Server
RQC = Remote Quarantine Client
VSA = Vendor Specific Attributes
Page 13
Classic VPN Quarantine
Diagram: Client - Internet - RRAS - Corpnet - IAS - Quarantine
• Connect
• Authenticate
• Authorize: Quarantine VSA + Normal Filters
• Quarantine Access
• Policy Check
• Result
• Remove Quarantine
• Full Access
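The listener logic of slides 12 and 13 as an added Python model, not Microsoft's RQS code. The results strings, the 120-second window and the session state names are constructed; one defensive choice the slides do not state is that an unrecognised results string leaves both the quarantine filter and the timer in place.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed "results strings" the post-connect script reports through the RQC
# notifier, mapped to the verdict the RQS reaches when it compares them.
KNOWN_RESULTS = {"AV=current;Patch=current": "up-to-date",
                 "AV=current;Patch=stale": "out-of-date",
                 "AV=stale;Patch=stale": "out-of-date"}
NOTIFY_WINDOW = 120.0  # seconds the Quarantine VSA timer waits for a notify (constructed value)

@dataclass
class Session:
    user: str
    quarantine_filter: bool = True         # Q-filter: temporary route filter to quarantine access
    timeout_at: Optional[float] = None     # Quarantine VSA timer; None once the time-out is removed
    state: str = "quarantined"

class QuarantineServer:
    """Models the RQS listener together with the timer and filter the VSAs set on RRAS."""
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def connect(self, user: str, now: float) -> Session:
        # Authorize: quarantine VSA + normal filters applied, notify timer armed.
        self.sessions[user] = Session(user, timeout_at=now + NOTIFY_WINDOW)
        return self.sessions[user]

    def notify(self, user: str, results: str) -> str:
        """RQC delivers its results string; returns the session's resulting access state."""
        s = self.sessions[user]
        if s.state != "quarantined":
            return s.state
        verdict = KNOWN_RESULTS.get(results)
        if verdict is None:            # not one of the possible results: keep quarantine and timer
            return s.state
        s.timeout_at = None            # response received, so the time-out is removed
        if verdict == "up-to-date":
            s.quarantine_filter = False    # quarantine filter removed -> full access
            s.state = "full-access"
        else:
            s.state = "quarantined-fixup"  # out of date: stays behind the Q-filter, reaches fix-up services
        return s.state

    def tick(self, now: float) -> List[str]:
        """Auto-disconnect sessions whose notify window has expired; returns the users dropped."""
        dropped = [u for u, s in self.sessions.items()
                   if s.timeout_at is not None and now >= s.timeout_at]
        for u in dropped:
            self.sessions[u].state, self.sessions[u].timeout_at = "disconnected", None
        return dropped
```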
Page 14
Secure Remote Access
• Expanding the managed network
• Where is the edge?
• VPN Quarantine
• End Point Compliance
• VPN-less connections
• SSL VPNs
• Smartphones / Devices
• Smartcard Authentication
Page 15
Secure Wireless Basics
• Shifting the entry barrier
• Key themes
• Security
• Management
• Usability
Page 16
Security Best Practices: What NOT to do
• Hidden SSID
  • Does not provide any real security
  • Easily discoverable in well-used environments
  • Windows client experience is impacted
• MAC Filtering
  • Does not scale
  • NIC management issue
  • MAC is spoofable
• “Shared” mode
  • Sounds like more security but is actually worse
  • Not to be confused with Pre-Shared Key (PSK) which is more secure
• Open networks and VPNs
  • Grants everyone access to the wireless segment
  • Great for hotspots, not for your business
Page 17
Secure Wireless Deployment Components
Wireless Clients and Wireless Access Points
• Radio Types: 802.11 a/b/g
• Network Authentication: 802.1X, WPA, WPA2/802.11i*
• Encryption: WEP, TKIP, AES
RADIUS Server
• RADIUS
• EAP/TLS
• PEAP-MSCHAPv2
• Remote Access Policies
User account database
• Remote Access permissions
• Credentials = Passwords
Certificate Authority (optional)
• Credentials = Certificates
Page 18
Domain and Server Isolation
Diagram: an Un-trusted zone of Unmanaged Devices; a Trusted zone holding the Active Directory Domain Controller, Infrastructure Servers and Authenticating Host Firewalls, where authentication is Optional; an Isolated and Trusted zone where authentication is Required (X marks the blocked paths from un-trusted machines)
How it works
• Domain credentials identify “trusted” vs “un-trusted”
• Trusted machines with credentials can communicate
• Un-trusted machines cannot communicate to Trusted or Isolated and Trusted machines
• Domain machines can communicate to “unmanaged” machines
Available today with Windows 2000, XP and Server 2003
Page 19
Threats That IPsec Mitigates:
• Tampering with data in transit
• Unauthenticated access to trusted systems
  • Including worm propagation from untrusted systems
• Man-in-the-middle attacks
• Spoofing
• Eavesdropping on network traffic
• And others…
Page 20
IPsec Modes of Operation
• Tunnel Mode
• Classic VPN
• Network-to-Network
• Host-to-Network
• Transport Mode
• Host-to-Host
• In Network Isolation
• Group to group
• An Isolation Group can contain 1 or 10000 hosts!
Page 21
Methods for IPsec Protection
• AH
  • Mutual authentication of endpoints
  • End-to-end IP header integrity
  • Will not traverse a NAT device
• ESP
  • Mutual authentication of endpoints
  • Option to use encryption
  • Will traverse a NAT device
Page 22
Let’s Rip Open a Packet
• Currently – most firewalls check only basic packet information
• Real world equivalent of looking at the number and destination of a bus – and not looking at the passengers
Page 23
A Traditional Firewall’s View
Control Internet access, protect clients from malicious Internet traffic
IP Header: Source Address, Dest. Address, TTL, Checksum
TCP Header: Sequence Number, Source Port, Destination Port, Checksum
Application Layer Content: ??????????????????????????????? (appears as a “black box”)
Only packet headers are inspected
Forwarding decisions based on port numbers
Legitimate traffic and application layer attacks use identical ports
Diagram: Internet -> firewall -> Corporate Network, with Expected HTTP Traffic, Unexpected HTTP Traffic, Attacks and Non-HTTP Traffic as the incoming flows
Page 24
ISA Server’s View of a Packet
Control Internet access, protect clients from malicious Internet traffic
IP Header: Source Address, Dest. Address, TTL, Checksum
TCP Header: Sequence Number, Source Port, Destination Port, Checksum
Application Layer Content: GET www.contoso.com/partners/default.htm
Packet headers and application content are inspected
Forwarding decisions based on content
Only legitimate HTTP traffic is sent to Web server
Diagram: Internet -> ISA Server -> Corporate Network, with Allowed HTTP Traffic, Prohibited HTTP Traffic, Attacks and Non-HTTP Traffic as the incoming flows
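The two views of slides 23 and 24 as an added Python example, not ISA Server code. The packets, the allowed host www.contoso.com and the /partners/ path rule are constructed from the slide's GET line; the application-layer check parses the request line and Host header before it forwards anything.

```python
import re
from typing import Dict, Tuple

ALLOWED_HOSTS = {"www.contoso.com"}
ALLOWED_PATH_PREFIXES = ("/partners/",)
REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST) (/[^ \r\n]*) HTTP/1\.[01]\r\n")

def packet(dst_port: int, payload: bytes) -> dict:
    """Constructed packet: IP and TCP headers plus the application-layer bytes."""
    return {"ip": {"src": "203.0.113.7", "dst": "192.0.2.10", "ttl": 64},
            "tcp": {"sport": 51514, "dport": dst_port}, "payload": payload}

def traditional_firewall(pkt: dict) -> str:
    """Header-only decision: port 80 is HTTP, whatever the payload holds."""
    return "forward" if pkt["tcp"]["dport"] == 80 else "drop"

def application_layer_firewall(pkt: dict) -> str:
    """Content decision: the payload must be well-formed HTTP for an allowed host and path."""
    if pkt["tcp"]["dport"] != 80:
        return "drop"
    m = REQUEST_LINE.match(pkt["payload"])
    if not m:
        return "drop: not HTTP"
    path = m.group(2).decode("ascii", "replace")
    header_lines = pkt["payload"][m.end():].split(b"\r\n")
    host = next((h.split(b":", 1)[1].strip().decode("ascii", "replace")
                 for h in header_lines if h.lower().startswith(b"host:")), None)
    if host not in ALLOWED_HOSTS:
        return "drop: unexpected host"
    if not path.startswith(ALLOWED_PATH_PREFIXES):
        return "drop: prohibited path"
    return "forward"

# Constructed samples: one expected request and the cases a port-only view cannot tell apart.
SAMPLES = {
    "expected": packet(80, b"GET /partners/default.htm HTTP/1.1\r\nHost: www.contoso.com\r\n\r\n"),
    "other host": packet(80, b"GET /partners/default.htm HTTP/1.1\r\nHost: www.example.net\r\n\r\n"),
    "prohibited path": packet(80, b"GET /exchange/ HTTP/1.1\r\nHost: www.contoso.com\r\n\r\n"),
    "non-http on 80": packet(80, b"\x00\x01binary-not-http\x00"),
    "non-http port": packet(25, b"EHLO mail.example\r\n"),
}

def compare(samples=SAMPLES) -> Dict[str, Tuple[str, str]]:
    """Both firewalls' verdicts side by side for each sample."""
    return {name: (traditional_firewall(p), application_layer_firewall(p))
            for name, p in samples.items()}
```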
Page 25
Problem – RPC Protocol Standard Firewall Challenge
RPC client (Outlook) talking to an RPC server (Exchange)
RPC services grab random high ports when they start; the server maintains a table:
Service         UUID               Port
Exchange        {12341234-1111…    4402
AD replication  {01020304-4444…    3544
MMC             {19283746-7777…    9233
• Client knows the UUID of the service it wants ({12341234-1111…})
• Client connects to the portmapper on the server (port 135/tcp)
• Client asks, “What port is associated with my UUID?”
• Server matches the UUID to the current port… (4402/tcp)
• Portmapper responds with the port and closes the connection
• Client accesses the application over the learned port (4402/tcp)
Due to the random nature of RPC, this is not feasible over the Internet
All 64,512 high ports & port 135 must be opened on traditional firewalls
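The portmapper exchange of slide 25 and the two firewall policies it implies, as an added Python model that is not ISA Server's RPC filter. The UUID and the seeded port choice are constructed; the RPC-aware filter is an assumed stateful policy that learns the service port from the 135/tcp reply instead of opening all 64,512 high ports.

```python
import random
from typing import Dict, Optional, Set, Tuple

EPMAP_PORT = 135
HIGH_PORTS = range(1024, 65536)   # the 64,512 ports a traditional firewall would have to open
EXCHANGE_UUID = "12341234-1111-placeholder"   # constructed; the deck shows the UUID truncated

class RpcServer:
    """Portmapper side: each service grabs a random high port at start-up, server keeps the table."""
    def __init__(self, seed: int = 0) -> None:
        self.table: Dict[str, int] = {}
        self.rng = random.Random(seed)   # seeded so the example is reproducible

    def start_service(self, uuid: str) -> int:
        self.table[uuid] = self.rng.choice(HIGH_PORTS)
        return self.table[uuid]

    def portmapper_query(self, uuid: str) -> Optional[int]:
        # "What port is associated with my UUID?" answered over 135/tcp, then the connection closes.
        return self.table.get(uuid)

class TraditionalFirewall:
    """Header-only policy: must allow 135 plus every high port for RPC to work at all."""
    def observe_epmap(self, uuid: str, reply_port: Optional[int]) -> None:
        pass                               # cannot read the portmapper reply

    def allows(self, dport: int) -> bool:
        return dport == EPMAP_PORT or dport in HIGH_PORTS

class RpcAwareFilter:
    """Application-layer policy: reads the portmapper reply and opens only the learned port."""
    def __init__(self, allowed_uuids: Set[str]) -> None:
        self.allowed_uuids, self.learned = allowed_uuids, set()

    def observe_epmap(self, uuid: str, reply_port: Optional[int]) -> None:
        if reply_port is not None and uuid in self.allowed_uuids:
            self.learned.add(reply_port)

    def allows(self, dport: int) -> bool:
        return dport == EPMAP_PORT or dport in self.learned

def client_session(server: RpcServer, fw, uuid: str) -> Tuple[Optional[int], bool]:
    """Client: query the portmapper on 135, then reach the service on the port it learned."""
    if not fw.allows(EPMAP_PORT):
        return None, False
    port = server.portmapper_query(uuid)
    fw.observe_epmap(uuid, port)           # the filter sees the reply on its way back
    return port, (port is not None and fw.allows(port))

def open_ports(fw) -> int:
    return sum(1 for p in range(1, 65536) if fw.allows(p))   # destination ports left open
```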
Page 26
Securely make email available to outside employees
Traditional firewall
• The OWA client reaches the OWA server over SSL
• OWA server prompts for authentication — any Internet user can access this prompt
• SSL tunnels through traditional firewalls because it is encrypted…
• …which allows viruses and worms to pass through undetected…
• …and infect internal servers!
ISA Server 2004
• ISA Server can decrypt and inspect SSL traffic; inspected traffic can be sent to the internal server re-encrypted (SSL) or in the clear (HTTP)
• Basic authentication delegation: ISA Server pre-authenticates users, eliminating multiple dialog boxes and only allowing valid traffic through
• URLScan for ISA Server can stop Web attacks at the network edge, even over encrypted SSL