![Page 1: Application and Remote Access Security in Higher Education Tom Bartlett, CISSP Security Solutions Specialist Microsoft Corporation tbart@microsoft.com](https://reader035.vdocument.in/reader035/viewer/2022062410/56649d995503460f94a83732/html5/thumbnails/1.jpg)
Application and Remote Access Security in Higher Education
Tom Bartlett, CISSP, Security Solutions Specialist, Microsoft Corporation, tbart@microsoft.com

Higher Education Challenges
Internal risks pose as much or more of a threat than the Internet
Unmanageable student machines
Decentralized management of internal resources
Difficulty limiting access to resources due to research and educational usage requirements

Firewalls in Higher Education
Access control lists and traditional firewalls
No single entry point to secure
Internal security zones needed to protect specific groups of users, segments, applications or services
Need to allow relatively open access, but want to protect against known vulnerabilities and exploits
Security often being offered as a 'service', not a requirement

A Traditional Firewall's View of a Packet: unable to protect applications
Only packet headers are inspected; application-layer content appears as a "black box"
IP header: source address, destination address, TTL, checksum
TCP header: sequence number, source port, destination port, checksum
Application-layer content: ???????????????? (opaque to the firewall)
Forwarding decisions are based on port numbers; legitimate traffic and application-layer attacks use identical ports
Diagram: from the Internet to the web servers. Expected HTTP port 80 traffic, unexpected HTTP port 80 traffic, attacks over port 80 and non-HTTP traffic over port 80 all look the same to a port-based rule, so all of it reaches the web servers.

An Application Layer Firewall's View of a Packet: packet headers and application content are inspected
IP header: source address, destination address, TTL, checksum
TCP header: sequence number, source port, destination port, checksum
Application-layer content: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>MSNBC - MSNBC Front Page</title><link rel="stylesheet" ...
Forwarding decisions are based on content; only legitimate and allowed traffic is processed
Diagram: from the Internet to the web servers, expected HTTP traffic is passed; unexpected HTTP traffic, attacks and non-HTTP traffic are blocked.
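The two packet views above come down to one decision function. As an added example (not from the slides and not ISA Server code), the Python below puts a port-only rule beside an HTTP request inspector and runs both over constructed port-80 segments: a normal request, a directory-traversal attempt, a TRACE request, an SSH banner arriving on port 80, and an oversized header. The method allowlist, the size limits and the three signatures are assumptions made for this example, not a vendor signature set.

```python
import re
from dataclasses import dataclass

# ---- What a traditional packet filter sees: only the TCP/IP headers ----
OPEN_PORTS = {80, 443}          # constructed policy: "web traffic" means port 80 or 443


def stateless_port_filter(dst_port: int) -> bool:
    """Traditional firewall decision: the payload is a black box, only the port counts."""
    return dst_port in OPEN_PORTS


# ---- What an application-layer filter sees: the HTTP request itself ----
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}   # assumption: TRACE, CONNECT, etc. not wanted
MAX_TARGET_LEN = 2048
MAX_HEADER_LINE = 8192
MAX_HEADER_COUNT = 64

REQUEST_LINE = re.compile(rb"^([A-Z]{3,7}) (\S+) HTTP/1\.[01]$")
# header name must be an RFC token; the value may not contain a bare CR or LF
HEADER_LINE = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+:[ \t]*[^\r\n]*$")

# Illustrative exploit signatures, constructed for this example (not a vendor signature set)
SIGNATURES = {
    "directory traversal": re.compile(rb"(\.\./|\.\.\\|%2e%2e(%2f|%5c|/|\\))", re.IGNORECASE),
    "null byte in target": re.compile(rb"%00"),
    "CRLF in target": re.compile(rb"%0[ad]", re.IGNORECASE),
}


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def inspect_http(payload: bytes) -> Verdict:
    """Application-layer decision on the first segment of a port-80 connection.
    Assumes the whole request head (up to the blank line) is in `payload`."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        # SSH banners, peer-to-peer handshakes, tunnelled protocols: right port, wrong protocol
        return Verdict(False, "not an HTTP request line")
    method, target = m.group(1), m.group(2)
    if not sep:
        return Verdict(False, "request head not terminated")
    if method not in ALLOWED_METHODS:
        return Verdict(False, "method %s not allowed" % method.decode())
    if len(target) > MAX_TARGET_LEN:
        return Verdict(False, "request target too long")
    headers = lines[1:]
    if len(headers) > MAX_HEADER_COUNT:
        return Verdict(False, "too many headers")
    for line in headers:
        if len(line) > MAX_HEADER_LINE:
            return Verdict(False, "header line too long")
        if not HEADER_LINE.match(line):
            return Verdict(False, "malformed header line")
    for name, pattern in SIGNATURES.items():
        if pattern.search(target):
            return Verdict(False, "signature match: " + name)
    return Verdict(True, "well-formed HTTP, no signature match")


# Constructed sample segments, all arriving on destination port 80
SAMPLES = {
    "expected HTTP": b"GET /index.html HTTP/1.1\r\nHost: www.example.edu\r\n\r\n",
    "attack over port 80": b"GET /../../boot.ini HTTP/1.0\r\nHost: www.example.edu\r\n\r\n",
    "unexpected HTTP": b"TRACE / HTTP/1.1\r\nHost: www.example.edu\r\n\r\n",
    "non-HTTP over port 80": b"SSH-2.0-OpenSSH_3.9p1\r\n",
    "oversized header": b"GET / HTTP/1.1\r\nHost: " + b"A" * 9000 + b"\r\n\r\n",
}


def compare(samples=SAMPLES) -> dict:
    """Return {label: (port-filter verdict, application-layer verdict)} for every sample."""
    return {label: (stateless_port_filter(80), inspect_http(seg)) for label, seg in samples.items()}


if __name__ == "__main__":
    for label, (port_ok, alf) in compare().items():
        print("%-22s port filter: %-5s ALF: %-5s (%s)" % (label, port_ok, alf.allowed, alf.reason))
```

The port filter passes all five segments; the inspector passes only the first. The order of checks matters: syntax is validated before signatures are applied, so a signature list never has to cover malformed requests, and size limits are enforced before any regular expression runs over attacker-controlled bytes.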

Application Layer Firewalls (ALF) and ISA Server 2004
IP/port filtering is not enough anymore
HTTP/S has become the carrier protocol of the Internet: music/file swapping, IM, RPC over HTTP, intranet portals, SSL capabilities in Yukon (SQL Server 2005) and Longhorn (the next Windows release)
Most exploits are occurring at the application layer
ISA Server 2004 application filtering framework
Built-in filters for common protocols
Built-in capabilities for advanced protection of many major Microsoft solutions, including Exchange, IIS, IE, intranet and RPC solutions
Solutions-focused approach, ease of extensibility, rich partner community and product roadmap
Application-layer inspection is useless without the ability to set application-level security policies and make intelligent decisions based on what you are looking at!

Security: Defense in Depth
Data and resources
Application defenses
Host defenses
Network defenses
Perimeter defenses

Defense in Depth
Protecting networks
Protecting clients
Providing secure access to applications
Secure and manageable remote access

Engineering Excellence
Threat modeling
Third-party code inspection
In evaluation for Common Criteria EAL4+
Unused features off by default
Reduced attack surface area
Least privilege
Deployment kits and guidance documents!
Network templates and wizards
Management and monitoring tools
Newsgroup support
Microsoft Security Summits
Third-party support

Protecting Networks with ISA Server 2004
Enterprise-class firewall capabilities
Application-layer inspection allows more advanced and intelligent management of traffic
Network segmentation for layered protections
Allows mitigation against worm outbreaks internally
Secure specific sets of resources, applications or services
Protecting and securely connecting remote locations

Securing the Traffic Internally
Limit traffic between segments to a specific number of connections, specific types of traffic and access to specific resources
Certain ports will have to be opened for standard communication between segments or to resources
Application-layer inspection provides the ability to allow approved traffic while still identifying and blocking exploits and inappropriate content

Network Segmentation
Diagram segments: labs; student machines; other unmanaged segments

Protecting Your Clients
Application-layer protection for inbound and outbound traffic
HTTP inspection and signature blocking
Protect from browser vulnerabilities
Can be deployed in a service-oriented, single-NIC configuration
Monitoring, reporting and managing access based on user, group, computer, etc.
Caching
URL- and domain-based filtering
Transparent authentication capabilities
Partner add-ons

HTTP Filtering to Protect Clients
HTTP filtering can be used to protect web browsers
Diagram: an internal client browses to http://www.BADSITE.com/default.htm on the Internet; the exploit in the returned page is blocked at ISA Server before it reaches the browser

Host Isolation
Windows XP Service Pack 2
Windows Server 2003 Service Pack 1
Microsoft Windows AntiSpyware
Software Restriction Policies
Future: Network Access Protection

Protecting and Providing Secure Access to Applications and Services

Example: Securing Exchange Services

How Exchange RPC Works
Service | UUID | Port
Exchange Information Store | {0E4A0156-DD5D-11D2-8C2F-00C04FB6BCDE} | 4402
Active Directory | {E3514235-4B06-11D1-AB04-00C04FC2DCD2} | 3544
Performance Monitor | {A00C021C-2BE2-11D2-B678-0000F87A8F8E} | 9233
1. The RPC server maintains a table of Universally Unique Identifiers (UUIDs) and assigned ports
2. The client connects to TCP port 135 on the server to query for the port associated with a UUID
3. The server responds with the associated port
4. The client reconnects to the server on the designated port to access Exchange
Diagram: RPC client (Outlook) to RPC server (Exchange). TCP 135: "Port for {0E4A...}?"; server: "Port 4402"; then port 4402: data

RPC and Traditional Firewalls
Open port 135 for incoming traffic
Open every port that RPC might use for incoming traffic
Diagram: RPC client (Outlook) to RPC server (Exchange). TCP 135: "Port for {0E4A...}?"; server: "Port 4402"; port 4402: data. The firewall never learns which dynamic port was handed out.
Traditional firewalls can't provide secure RPC access

RPC and ISA Server
Diagram: RPC client (Outlook) to RPC server (Exchange). TCP 135: "Port for {0E4A...}?"; server: "Port 4402"; port 4402: data
Initial connection: only allows valid RPC traffic; blocks non-Exchange queries
Secondary connection: only allows connection to the port used by Exchange; enforces encryption
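The four-step endpoint-mapper exchange and the two filter decisions on this slide, as an added example that is not ISA Server's code: a Python model of the RPC server's UUID table and of a stateful RPC filter that reads the lookup on TCP 135, allows only published interface UUIDs, and opens the secondary port for a client only after the mapper returned that port to that client. The UUIDs are the ones listed on the "How Exchange RPC Works" slide; the ports 4402/3544/9233 are the slide's illustrative assignments, and the dynamic port range and client addresses are this example's assumptions.

```python
import uuid

EPMAP_PORT = 135

# Interface UUIDs as listed on the slide; the ports are the slide's illustrative
# dynamic assignments (a real server picks them when the service starts)
EXCHANGE_STORE = uuid.UUID("0E4A0156-DD5D-11D2-8C2F-00C04FB6BCDE")
ACTIVE_DIRECTORY = uuid.UUID("E3514235-4B06-11D1-AB04-00C04FC2DCD2")
PERFMON = uuid.UUID("A00C021C-2BE2-11D2-B678-0000F87A8F8E")
ENDPOINT_TABLE = {EXCHANGE_STORE: 4402, ACTIVE_DIRECTORY: 3544, PERFMON: 9233}
DYNAMIC_PORTS = range(1024, 65536)   # assumption: endpoints may be registered anywhere here


class RpcServer:
    """Step 1: the server keeps a UUID -> port table and answers lookups on TCP 135."""

    def __init__(self, table):
        self.table = dict(table)

    def lookup(self, interface):
        # Step 3: respond with the port, or None if the interface is not registered
        return self.table.get(interface)


def traditional_firewall_ports():
    """A header-only firewall must open 135 plus every port RPC might hand out."""
    return {EPMAP_PORT} | set(DYNAMIC_PORTS)


class RpcFilter:
    """Application-layer RPC filter (modelled on the ISA Server RPC filter):
    parses the endpoint-mapper exchange, allows only published interfaces, and
    opens the secondary port per client only after a successful lookup."""

    def __init__(self, published, require_encryption=True):
        self.published = set(published)
        self.require_encryption = require_encryption
        self.granted = {}   # client -> set of ports the mapper returned to that client

    def initial_connection(self, server, client, dst_port, interface):
        """Steps 2 and 3 through the filter. Returns (allowed, reason, port or None)."""
        if dst_port != EPMAP_PORT:
            return False, "initial connection must go to the endpoint mapper", None
        if interface not in self.published:
            return False, "interface %s is not published" % interface, None
        port = server.lookup(interface)
        if port is None:
            return False, "server has no endpoint for that interface", None
        self.granted.setdefault(client, set()).add(port)
        return True, "lookup allowed", port

    def secondary_connection(self, client, dst_port, encrypted):
        """Step 4 through the filter: only the port the mapper just returned to this client."""
        if dst_port not in self.granted.get(client, set()):
            return False, "port %d was not handed out to this client by the mapper" % dst_port
        if self.require_encryption and not encrypted:
            return False, "unencrypted RPC not allowed"
        return True, "data connection allowed"


def outlook_session(fw, server, client, interface, encrypted=True):
    """Run the four-step exchange for one client through the filter; return the outcome."""
    ok, reason, port = fw.initial_connection(server, client, EPMAP_PORT, interface)
    if not ok:
        return "blocked at endpoint mapper: " + reason
    ok, reason = fw.secondary_connection(client, port, encrypted)
    if not ok:
        return "blocked on secondary connection: " + reason
    return "connected to port %d" % port


if __name__ == "__main__":
    exchange = RpcServer(ENDPOINT_TABLE)
    fw = RpcFilter(published=[EXCHANGE_STORE])
    print(outlook_session(fw, exchange, "10.1.1.5", EXCHANGE_STORE))
    print(outlook_session(fw, exchange, "10.1.1.6", ACTIVE_DIRECTORY))
    print(fw.secondary_connection("10.1.1.7", 4402, encrypted=True))   # no lookup first
    print(len(traditional_firewall_ports()), "ports a header-only firewall would have to open")
```

The contrast with the previous slide is in `traditional_firewall_ports()`: without parsing the mapper reply the only safe rule is "135 plus the whole dynamic range", whereas the filter's `granted` table opens exactly one port, for exactly one client, for exactly the interface that was published. A client that connects straight to 4402 without a preceding lookup is refused even though that port is open for another client.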

OWA: Traditional Firewall
Web traffic to OWA is encrypted: standard SSL encryption, security against eavesdropping and impersonation
Limitation: the default OWA implementation does not protect against application-layer attacks
Diagram: legitimate OWA traffic, password guessing and web server attacks all travel inside the same SSL tunnel and reach the Exchange server uninspected

How ISA Server Protects OWA
Authentication: unauthorized requests are blocked before they reach the Exchange server; enforces all OWA authentication methods; optional forms-based authentication prevents caching of credentials
Inspection: invalid HTTP requests or requests for non-OWA content are blocked; inspection of SSL traffic before it reaches the Exchange server
Confidentiality: ensures encryption of traffic over the Internet; can prevent the downloading of attachments to client computers
Diagram: the SSL tunnel from the Internet terminates at ISA Server, where authentication and inspection are applied; password guessing and web server attacks are stopped there, and only OWA traffic continues to the Exchange server

Additional Exchange Services
Similar benefits and application-layer filtering for publishing other Exchange services: SMTP, RPC over HTTP(S), ActiveSync, Outlook Mobile Access

IIS, Web and Server Publishing

Securing Access to Web Resources
Inspect HTTP content before it reaches web servers: central location to block disallowed web requests and URLs; blocks disallowed or invalid HTTP syntax; blocks attacks based on signatures; inspect and bridge SSL traffic
Unified view of web resources: map different external names/paths to internal names/paths; ISA Server can protect server farms or entire networks; link translation
User authentication: Active Directory, RADIUS or SecurID; credentials can be forwarded to the published server
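The publishing rule described above, together with the OWA protections on the earlier slide, as an added Python example that is not ISA Server's implementation: pre-authentication against a constructed credential store, an allowlist of published paths, external-to-internal name and path mapping for the forwarded request, and link translation for the response body. mail.example.edu, owa01.campus.local, the /owa/ to /exchange/ mapping, the user and the password are all assumptions; /exchange, /exchweb and /public are the Exchange 2003 OWA virtual directories.

```python
import fnmatch
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed publishing rule; every name here is an assumption for the example
EXTERNAL_HOST = "mail.example.edu"            # name the web listener answers to
INTERNAL_HOST = "owa01.campus.local"          # published Exchange front-end server
PUBLIC_PATHS = ["/exchange/*", "/exchweb/*", "/public/*"]   # Exchange 2003 OWA virtual directories
PATH_MAP = {"/owa/": "/exchange/"}            # external path prefix -> internal path prefix


def _digest(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


USERS = {"student1": _digest("correct-horse-battery")}   # constructed credential store


@dataclass
class Request:
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    user: Optional[str] = None
    password: Optional[str] = None


@dataclass
class Decision:
    status: int                  # 200 forwarded, 401 credentials required/rejected, 403/404 blocked
    reason: str
    forwarded: Optional[Request] = None   # the request as sent to the internal server, if any


def authenticate(req: Request) -> bool:
    """Pre-authentication at the firewall; constant-time compare against the store."""
    if req.user is None or req.password is None:
        return False
    stored = USERS.get(req.user)
    return stored is not None and hmac.compare_digest(stored, _digest(req.password))


def to_internal_path(path: str) -> str:
    """Map an external path onto the internal server's path space."""
    for external, internal in PATH_MAP.items():
        if path.startswith(external):
            return internal + path[len(external):]
    return path


def publish(req: Request) -> Decision:
    """Apply the publishing rule: listener check, pre-auth, path allowlist, then forward."""
    u = urlsplit(req.url)
    if u.scheme != "https" or u.hostname != EXTERNAL_HOST:
        return Decision(403, "listener does not publish this host or scheme")
    # Authenticate before looking at the path, so an unauthenticated probe learns
    # nothing about which paths are published
    if not authenticate(req):
        return Decision(401, "credentials rejected at the firewall; nothing forwarded")
    path = to_internal_path(u.path)
    if not any(fnmatch.fnmatchcase(path, pattern) for pattern in PUBLIC_PATHS):
        return Decision(404, "non-OWA content blocked before reaching the server")
    # SSL bridging: the external tunnel ended here; a new HTTPS request goes to the internal name
    internal_url = "https://%s%s" % (INTERNAL_HOST, path)
    if u.query:
        internal_url += "?" + u.query
    headers = dict(req.headers, Host=INTERNAL_HOST)
    forwarded = Request(internal_url, headers, req.user, req.password)   # credentials forwarded
    return Decision(200, "forwarded to published server", forwarded)


def translate_links(body: str) -> str:
    """Link translation: rewrite internal names/paths in a response body to the external ones."""
    for external, internal in PATH_MAP.items():
        for scheme in ("http", "https"):
            body = body.replace("%s://%s%s" % (scheme, INTERNAL_HOST, internal),
                                "https://%s%s" % (EXTERNAL_HOST, external))
    for scheme in ("http", "https"):
        body = body.replace("%s://%s/" % (scheme, INTERNAL_HOST), "https://%s/" % EXTERNAL_HOST)
    return body


if __name__ == "__main__":
    good = Request("https://mail.example.edu/owa/inbox?Cmd=contents",
                   user="student1", password="correct-horse-battery")
    print(publish(good))
    print(publish(Request("https://mail.example.edu/exchange/")))
    print(publish(Request("https://mail.example.edu/scripts/cmd",
                          user="student1", password="correct-horse-battery")))
    print(translate_links('<a href="http://owa01.campus.local/exchange/inbox">Inbox</a>'))
```

Authentication runs before the path allowlist, so a scanner without credentials sees the same 401 for every path and cannot map the published directory set; with credentials, a request outside the allowlist is still dropped at the firewall with nothing forwarded to the Exchange server.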

Enabling Universal Resource Access
Access to some university resources requires protocols other than HTTP: FTP servers for access to files; database servers in the DMZ or internal network; public DNS servers to locate the institution's servers
Server publishing allows secure access to non-web resources
ISA Server supports all IP-based protocols, with application-layer filtering for selected protocols: FTP, DNS, RPC, etc.

XML/SOAP Filtering (EAI, .NET and BizTalk/XML Solutions)
Offload and/or enhance security from BizTalk/IIS and .NET applications
Forum's application filter for ISA provides: schema validation; message-level access control; authorization management for web services; permissions enforcement; XML content filtering; protection against SOAP/XML DoS attacks; archiving; SSL termination

Secure and Manageable Remote Access
ISA Server 2004 as an enterprise VPN solution
Access controls and traffic segregation
De-tunnel and inspect traffic at the application layer
Multiple authentication options
Integrated client in Windows: simplified client deployment (built in); logon via VPN
PPTP, IPsec/L2TP
Integrated support and use of quarantine

Network Access Quarantine
Goal: prevent VPN clients that don't meet security requirements from accessing the network
Client script checks whether the client meets organizational security policies: personal firewall enabled? latest virus definitions used? required patches installed?
If the checks succeed, the client gets full access; if they fail, the client is disconnected after a timeout period

ISA Server 2004 Enterprise Edition
ADAM (Active Directory Application Mode) based configuration: no AD dependency, but AD can still be used for the user/group database (and integrated authentication), credential store, certificate authority and management
Redundant ADAM stores
Enterprise monitoring via MOM (Microsoft Operations Manager) management pack
Enterprise logging via a SQL database
Enterprise policies and central policy management
NLB enhancements and integrated management
CARP (Cache Array Routing Protocol)
Multi- or dedicated-function arrays
Role-based management

Third-party Add-ons
Filtering area | Company
IM | Akonix
SOCKS 5 | CornerPost Software
SOAP/XML | Forum Systems, Inc.
Pop-up blocking/HTML filter, URL redirection, SecureNAT web auth | Collective Software
Antivirus | McAfee, GFI, Panda
URL filtering | SurfControl, Futuresoft, FilterLogix, SecureComputing, WebSense
Intrusion detection | ISS, GFI
For details see: http://www.microsoft.com/isaserver/partners

More Options for Customers
ISA Server 2004 OEM appliance: pre-hardened and pre-tested; hardened configuration for reduced attack surface; easy to purchase, set up and deploy
Added value and customer choice: out-of-box configuration tools; web-based administration; customized and fully integrated deployment options
New worldwide industry partnerships: Celestix Networks, Hewlett-Packard and Network Engines

Security Technologies Timeline
Prior: Microsoft Baseline Security Analyzer (MBSA) v1.2; virus cleaner tools; Systems Management Server (SMS) 2003; Software Update Services (SUS) SP1; Internet Security and Acceleration (ISA) Server 2004 Standard Edition; Windows XP Service Pack 2
H2 04: patching technology improvements (MSI 3.0); Systems Management Server 2003 SP1; Microsoft Operations Manager 2005; Windows Malicious Software Removal Tool
2005: Windows Server 2003 Service Pack 1; Windows Update Services; ISA Server 2004 Enterprise Edition; Windows Rights Management Services SP1; Windows AntiSpyware; System Center 2005; Windows Server 2003 "R2"; Visual Studio 2005
Future: vulnerability assessment and remediation; active protection technologies; antivirus