Application and Remote Access Security in Higher Education. Tom Bartlett, CISSP, Security Solutions Specialist, Microsoft Corporation, tbart@microsoft.com

Uploaded by alicia-henry, 24-Jan-2016

TRANSCRIPT

Page 1: Application and Remote Access Security in Higher Education Tom Bartlett, CISSP Security Solutions Specialist Microsoft Corporation tbart@microsoft.com

Application and Remote Access Security in Higher Education

Tom Bartlett, CISSP
Security Solutions Specialist
Microsoft Corporation
tbart@microsoft.com

Page 2:

Higher Education Challenges

Internal risks pose as much or more of a threat than the Internet
Unmanageable student machines
Decentralized management of internal resources
Difficulty limiting access to resources due to research and educational usage requirements

Page 3:

Firewalls in Higher Education

Access control lists and traditional firewalls
No single entry point to secure
Internal security zones needed to protect specific groups of users, segments, applications or services
Need to allow relatively open access, but want to protect against known vulnerabilities and exploits
Security often being offered as a 'service', not a requirement

Page 4:

A Traditional Firewall's View of a Packet: unable to protect applications

Only packet headers are inspected; application layer content appears as a "black box".

IP header: source address, destination address, TTL, checksum
TCP header: sequence number, source port, destination port, checksum
Application layer content: ???????????????? (opaque to the firewall)

Forwarding decisions are based on port numbers. Legitimate traffic and application layer attacks use identical ports.

Diagram: from the Internet toward the web servers, the traditional firewall passes all four kinds of port 80 traffic alike: expected HTTP port 80 traffic, unexpected HTTP port 80 traffic, attacks over port 80, and non-HTTP traffic over port 80.

Page 5:

An Application Layer Firewall's View of a Packet: packet headers and application content are inspected

IP header: source address, destination address, TTL, checksum
TCP header: sequence number, source port, destination port, checksum
Application layer content: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>MSNBC - MSNBC Front Page</title><link rel="stylesheet" ...

Forwarding decisions are based on content. Only legitimate and allowed traffic is processed.

Diagram: of the same four kinds of traffic arriving from the Internet (expected HTTP traffic, unexpected HTTP traffic, attacks, non-HTTP traffic), only the expected HTTP traffic reaches the web servers; the other three are blocked.
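As an added example (not code from the slides and not ISA Server code), the following Python models the two views just described: a port-based decision that sees only the TCP header, and an HTTP-aware decision that parses the request before forwarding. The sample segments, the allowed-method set and the URL length limit are constructed for the example and are not ISA settings.

```python
# Added example (not from the slides, not ISA Server code): the same constructed
# TCP segments seen by a port-based filter and by an HTTP-aware filter.
import re

# Policy knobs are assumptions for the example, not ISA settings.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
MAX_URL_LEN = 1024

# Request-line grammar (RFC 2616 5.1): Method SP Request-URI SP HTTP-Version CRLF
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n$")
# Header grammar: token ":" optional whitespace value CRLF
HEADER_LINE = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+:[ \t]*[^\r\n]*\r\n$")


def packet_filter(dst_port: int, payload: bytes) -> str:
    """Traditional firewall: decides from the TCP header alone.
    The payload is accepted only to show that it is never looked at."""
    return "allow" if dst_port == 80 else "deny: port not open"


def http_filter(dst_port: int, payload: bytes) -> str:
    """Application layer firewall: same port check, then HTTP syntax and policy."""
    if dst_port != 80:
        return "deny: port not open"
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        # No end-of-headers marker: a fragment, or not HTTP at all.
        return "deny: not an HTTP request"
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0] + b"\r\n")
    if m is None:
        return "deny: not an HTTP request"
    method, url = m.group(1).decode("ascii"), m.group(2)
    if method not in ALLOWED_METHODS:
        return f"deny: method {method} not allowed"
    if len(url) > MAX_URL_LEN:
        return "deny: URL exceeds maximum length"
    for hdr in lines[1:]:
        if HEADER_LINE.match(hdr + b"\r\n") is None:
            return "deny: malformed header"
    return "allow"


# Constructed sample segments, all addressed to TCP port 80.
SAMPLES = {
    "expected HTTP": b"GET /index.html HTTP/1.1\r\nHost: www.example.edu\r\n\r\n",
    # BitTorrent handshake (0x13 then the protocol string) tunnelled over port 80.
    "non-HTTP over 80": b"\x13BitTorrent protocol" + b"\x00" * 8 + b"\x01" * 20,
    # Oversized request target of the kind thrown at buffer-handling bugs.
    "attack over 80": b"GET /" + b"A" * 4000 + b" HTTP/1.0\r\nHost: www.example.edu\r\n\r\n",
    "unexpected HTTP (TRACE)": b"TRACE / HTTP/1.1\r\nHost: www.example.edu\r\n\r\n",
}


def compare(samples=SAMPLES):
    """Return {name: (packet filter decision, HTTP filter decision)} for each sample."""
    return {name: (packet_filter(80, p), http_filter(80, p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (pf, alf) in compare().items():
        print(f"{name:24s} port filter: {pf:20s} HTTP filter: {alf}")
```

The port filter returns "allow" for all four segments because every one of them is addressed to port 80; the HTTP-aware filter accepts only the first. The check order matters: the syntax test rejects non-HTTP payloads before any policy (method, length) is consulted, so a malformed request never reaches the policy logic.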

Page 6:

Application Layer Firewalls (ALF) and ISA Server 2004

IP/port filtering is not enough anymore. HTTP/S has become the carrier protocol of the Internet: music and file swapping, IM, RPC over HTTP, intranet portals, SSL capabilities in Yukon and Longhorn (the code names for SQL Server 2005 and the Windows release that became Vista and Server 2008).
Most exploits are occurring at the application layer.
ISA 2004 application filtering framework:
Built-in filters for common protocols
Built-in capabilities for advanced protection of many major Microsoft solutions, including Exchange, IIS, IE, intranet and RPC solutions
Solutions-focused approach, ease of extensibility, rich partner community and product roadmap

Application layer inspection is useless without the ability to set application-level security policies and make intelligent decisions based on what you are looking at.

Page 7:

Security: Defense in Depth

Layers, from the asset outward:
Data and resources
Application defenses
Host defenses
Network defenses
Perimeter defenses

Page 8:

Defense in Depth

Protecting networks
Protecting clients
Providing secure access to applications
Secure and manageable remote access

Page 9:

Engineering Excellence

Threat modeling
Third-party code inspection
In evaluation for Common Criteria EAL4+
Unused features off by default
Reduced attack surface area
Least privilege
Deployment kits and guidance documents
Network templates and wizards
Management and monitoring tools
Newsgroup support
Microsoft Security Summits
Third-party support

Page 10:

Protecting Networks with ISA Server 2004

Enterprise-class firewall capabilities
Application layer inspection allows more advanced and intelligent management of traffic
Network segmentation for layered protection
Allows mitigation of worm outbreaks internally
Secures specific sets of resources, applications or services
Protects and securely connects remote locations

Page 11:

Securing the Traffic Internally

Limit traffic between segments to a specific number of connections, specific types of traffic and access to specific resources
Certain ports will have to be opened for standard communication between segments or to resources
Application layer inspection provides the ability to allow approved traffic while still identifying and blocking exploits and inappropriate content

Page 12:

Network Segmentation

Diagram: labs, student machines and other unmanaged segments are each placed in their own network segment behind the firewall.

Page 13:

Protecting Your Clients

Application layer protection for inbound and outbound traffic
HTTP inspection and signature blocking
Protect from browser vulnerabilities
Can be deployed in a service-oriented single-NIC configuration
Monitoring, reporting and managing access based on user, group, computer, etc.
Caching
URL and domain based filtering
Transparent authentication capabilities
Partner add-ons

Page 14:

HTTP Filtering to Protect Clients

HTTP filtering can be used to protect web browsers.

Diagram: an internal client browsing the Internet requests http://www.BADSITE.com/default.htm; the page carries a browser exploit, which is blocked at ISA before it reaches the browser.

Page 15:

Host Isolation

Windows XP Service Pack 2
Windows Server 2003 Service Pack 1
Microsoft Windows AntiSpyware
Software Restriction Policies
Future: Network Access Protection

Page 16:

Protecting and Providing Secure Access to Applications and Services

Page 17:

Example: Securing Exchange Services

Page 18:

How Exchange RPC Works

The RPC server maintains a table of Universally Unique Identifiers (UUIDs) and assigned ports. The values below are the illustrative ones from the slide; the ports are assigned dynamically when each service starts, which is why a firewall cannot know them in advance.

Service | UUID | Port
Exchange Information Store | {0E4A0156-DD5D-11D2-8C2F-00CD4FB6BCDE} | 4402
Active Directory | {E35114235-4B06-11D1-AB04-00C04C2DCD2} | 3544
Performance Monitor | {A00C021C-2BE2-11D2-B678-0000F87A8F8E} | 9233

Exchange (RPC server) and Outlook (RPC client):
1. The RPC server maintains a table of UUIDs and assigned ports.
2. The client connects to TCP port 135 on the server to query for the port associated with a UUID ("Port for {0E4A…}?").
3. The server responds with the associated port ("Port 4402").
4. The client reconnects to the server on the designated port (4402) to access Exchange (data).

Page 19:

RPC and Traditional Firewalls

Open port 135 for incoming traffic
Open every port that RPC might use for incoming traffic

Diagram: the same exchange as on the previous slide (query to TCP 135 for {0E4A…}, reply "Port 4402", data on port 4402). A traditional firewall cannot read which port the server hands out, so it must leave the whole range RPC might use open.

Traditional firewalls can't provide secure RPC access.

Page 20:

RPC and ISA Server

Diagram: the same Outlook-to-Exchange exchange (query to TCP 135, reply "Port 4402", data on port 4402), now passing through ISA Server's RPC filter.

Initial connection: only allows valid RPC traffic; blocks non-Exchange queries
Secondary connection: only allows a connection to the port used by Exchange
Enforces encryption
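To make the four steps and the two firewall behaviours concrete, here is an added Python model (not from the slides and not ISA Server's RPC filter). It reuses the UUIDs and ports from the table on the "How Exchange RPC Works" slide as illustrative values; the client addresses, the per-client pinhole bookkeeping, and the use of the DCE RPC packet-privacy authentication level (6) to stand in for "enforces encryption" are assumptions of the example.

```python
# Added example (not from the slides, not ISA Server code): the four-step
# endpoint-mapper exchange from the "How Exchange RPC Works" slide, run once
# through a port-based firewall and once through an RPC-aware filter.
from typing import Dict, Optional, Set, Tuple

# UUID-to-port table copied from the slide (illustrative values).
EPM_TABLE: Dict[str, int] = {
    "{0E4A0156-DD5D-11D2-8C2F-00CD4FB6BCDE}": 4402,   # Exchange Information Store
    "{E35114235-4B06-11D1-AB04-00C04C2DCD2}": 3544,   # Active Directory
    "{A00C021C-2BE2-11D2-B678-0000F87A8F8E}": 9233,   # Performance Monitor
}
EXCHANGE_STORE = "{0E4A0156-DD5D-11D2-8C2F-00CD4FB6BCDE}"
ACTIVE_DIRECTORY = "{E35114235-4B06-11D1-AB04-00C04C2DCD2}"
EPM_PORT = 135
# DCE RPC authentication level that gives packet privacy (encryption).
RPC_C_AUTHN_LEVEL_PKT_PRIVACY = 6


class TraditionalFirewall:
    """Port-based: has to open 135 plus every port RPC might use, so it cannot
    tell an Exchange connection from any other connection to those ports."""

    def __init__(self) -> None:
        self.open_ports: Set[int] = {EPM_PORT} | set(range(1024, 65536))

    def permit(self, client: str, dst_port: int, uuid: Optional[str] = None,
               authn_level: int = 0) -> bool:
        return dst_port in self.open_ports


class RpcFilter:
    """Application-layer: parses the endpoint-mapper query and reply and opens
    only the port the server actually handed to that client."""

    def __init__(self, published_uuids: Set[str]) -> None:
        self.published = published_uuids
        self.pinholes: Set[Tuple[str, int]] = set()   # (client, port) pairs learned from replies

    def permit(self, client, dst_port, uuid=None, authn_level=0) -> bool:
        if dst_port == EPM_PORT:
            # Initial connection: only a well-formed query for a published interface.
            return uuid in self.published
        # Secondary connection: only to a port learned from a reply to this client,
        # and only if the client binds with packet privacy (encryption enforced).
        return (client, dst_port) in self.pinholes and authn_level >= RPC_C_AUTHN_LEVEL_PKT_PRIVACY

    def observe_reply(self, client, uuid, port) -> None:
        """Called when the server's answer (step 3) passes back through the filter."""
        if uuid in self.published and port is not None:
            self.pinholes.add((client, port))


def outlook_session(fw, client: str, uuid: str, authn_level: int = RPC_C_AUTHN_LEVEL_PKT_PRIVACY):
    """Steps 1-4 of the slide. Returns (query_allowed, port, data_allowed)."""
    # Step 2: the client asks TCP 135 for the port bound to the UUID.
    if not fw.permit(client, EPM_PORT, uuid=uuid):
        return (False, None, False)
    # Step 3: the server answers from its table; an inline filter sees the answer.
    port = EPM_TABLE.get(uuid)
    if isinstance(fw, RpcFilter):
        fw.observe_reply(client, uuid, port)
    if port is None:
        return (True, None, False)
    # Step 4: the client reconnects on the designated port.
    return (True, port, fw.permit(client, port, authn_level=authn_level))


if __name__ == "__main__":
    for fw in (TraditionalFirewall(), RpcFilter({EXCHANGE_STORE})):
        name = type(fw).__name__
        print(name, "Exchange store:", outlook_session(fw, "10.1.2.3", EXCHANGE_STORE))
        print(name, "Active Directory:", outlook_session(fw, "10.1.2.3", ACTIVE_DIRECTORY))
        print(name, "direct to 4402 with no lookup:", fw.permit("10.9.9.9", 4402, authn_level=6))
```

The port-based firewall lets the Active Directory lookup and the follow-on connection to 3544 through exactly as it lets Exchange through, and accepts a direct connection to 4402 from a client that never spoke to the endpoint mapper. The RPC-aware filter refuses the non-Exchange query at step 2, opens 4402 only for the client that received that answer, and drops a bind that does not request packet privacy.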

Page 21:

OWA: Traditional Firewall

Web traffic to OWA is encrypted: standard SSL encryption; security against eavesdropping and impersonation
Limitation: the default OWA implementation does not protect against application layer attacks

Diagram: OWA traffic, password guessing and web server attacks all travel inside the same SSL tunnel, through the traditional firewall, to the Exchange server.

Page 22:

How ISA Server Protects OWA

Authentication: unauthorized requests are blocked before they reach the Exchange server; enforces all OWA authentication methods; optional forms-based authentication prevents caching of credentials
Inspection: invalid HTTP requests or requests for non-OWA content are blocked; SSL traffic is inspected before it reaches the Exchange server
Confidentiality: ensures encryption of traffic over the Internet; can prevent the downloading of attachments to client computers

Diagram: the SSL tunnel from the Internet terminates at ISA Server, where authentication and inspection are applied; password guessing and web server attacks are stopped there, and only OWA traffic continues to the Exchange server.

Page 23:

Additional Exchange Services

Similar benefits and application layer filtering for publishing other Exchange services: SMTP, RPC over HTTP(S), ActiveSync, Outlook Mobile Access

Page 24:

IIS, Web and Server Publishing

Page 25:

Securing Access to Web Resources

Inspect HTTP content before it reaches web servers: a central location to block disallowed web requests and URLs; blocks disallowed or invalid HTTP syntax; blocks attacks based on signatures; inspects and bridges SSL traffic
Unified view of web resources: map different external names/paths to internal names/paths; ISA Server can protect server farms or entire networks; link translation
User authentication: Active Directory, RADIUS or SecurID; credentials can be forwarded to the published server
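The OWA protection slide and this one describe the same mechanism from two angles: a publishing rule that authenticates, inspects and rewrites before anything reaches the published server. As an added example (not code from the slides and not ISA Server's web publishing engine), the Python below is a miniature of such a rule. The host names, the published OWA paths, the user store, the blocked signatures and the method list are assumptions made for the example.

```python
# Added example (not from the slides, not ISA Server code): a web publishing
# rule in miniature for the OWA and "Securing Access to Web Resources" slides:
# pre-authentication, path restriction, signature blocking, external-to-internal
# mapping and link translation. Hosts, paths, users and signatures are assumed.
import base64
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass
class WebPublishingRule:
    external_host: str
    internal_host: str
    published_paths: Tuple[str, ...]                      # external path prefixes allowed through
    allowed_methods: FrozenSet[str] = frozenset({"GET", "HEAD", "POST"})
    blocked_signatures: Tuple[bytes, ...] = ()            # case-insensitive substrings to reject
    users: Dict[str, str] = field(default_factory=dict)   # stand-in for an AD/RADIUS lookup

    def authenticate(self, headers: Dict[str, str]) -> Optional[str]:
        """Basic auth checked at the firewall; returns the user name or None."""
        value = headers.get("Authorization", "")
        if not value.startswith("Basic "):
            return None
        try:
            user, _, password = base64.b64decode(value[6:]).decode("utf-8").partition(":")
        except (ValueError, UnicodeDecodeError):
            return None
        return user if self.users.get(user) == password else None

    def evaluate(self, method: str, path: str, headers: Dict[str, str], body: bytes = b"") -> Tuple[str, str]:
        """Decide one request: ("forward", internal URL) or ("deny", reason).
        Anything denied here is never seen by the published server."""
        if headers.get("Host", "").lower() != self.external_host:
            return ("deny", "host not published")
        if method not in self.allowed_methods:
            return ("deny", f"method {method} not allowed")
        if not any(path.startswith(p) for p in self.published_paths):
            return ("deny", "path not published")
        haystack = path.encode("utf-8").lower() + b"\n" + body.lower()
        for sig in self.blocked_signatures:
            if sig.lower() in haystack:
                return ("deny", "blocked by signature")
        if self.authenticate(headers) is None:
            return ("deny", "authentication required")
        # Name/path mapping: the external host becomes the internal server.
        return ("forward", f"https://{self.internal_host}{path}")

    def translate_links(self, html: bytes) -> bytes:
        """Link translation: rewrite the internal name in responses to the external name."""
        return html.replace(
            f"https://{self.internal_host}".encode("ascii"),
            f"https://{self.external_host}".encode("ascii"),
        )


def basic_auth_header(user: str, password: str) -> Dict[str, str]:
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def make_owa_rule() -> WebPublishingRule:
    """Constructed rule: OWA published as mail.example.edu in front of an internal Exchange server."""
    return WebPublishingRule(
        external_host="mail.example.edu",
        internal_host="exch01.campus.internal",
        published_paths=("/exchange/", "/exchweb/", "/public/"),   # assumed OWA paths
        blocked_signatures=(b"cmd.exe", b"..%c0%af", b"<script"),  # assumed signatures
        users={"alice": "correct horse battery staple"},
    )


if __name__ == "__main__":
    rule = make_owa_rule()
    good = {"Host": "mail.example.edu", **basic_auth_header("alice", "correct horse battery staple")}
    for method, path, hdrs in [
        ("GET", "/exchange/alice/Inbox/", good),
        ("GET", "/exchange/alice/Inbox/", {"Host": "mail.example.edu"}),
        ("GET", "/scripts/..%c0%af../winnt/system32/cmd.exe", good),
        ("TRACE", "/exchange/", good),
    ]:
        print(method, path, "->", rule.evaluate(method, path, hdrs))
```

Order of checks is a design choice: host, method, path and signature tests run before authentication so that malformed or out-of-scope requests are rejected without touching the credential store, and a request that passes them all still goes nowhere until the user is authenticated at the firewall. The forwarded URL names the internal server, and translate_links reverses that mapping in the response so internal names never leak to the client.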

Page 26:

Enabling Universal Resource Access

Access to some university resources requires protocols other than HTTP: FTP servers for access to files; database servers in the DMZ or on the internal network; public DNS servers to locate the organization's servers
Server publishing allows secure access to non-web resources
ISA Server supports all IP-based protocols
Application-layer filtering for selected protocols: FTP, DNS, RPC, etc.

Page 27:

XML/SOAP Filtering (EAI, .NET and BizTalk/XML Solutions)

Page 28:

XML/SOAP Filtering

Offload and/or enhance security from BizTalk/IIS and .NET applications
Forum Systems' application filter for ISA provides: schema validation; message-level access control; authorization management for web services; permissions enforcement; XML content filtering; protection against SOAP/XML DoS attacks; archiving; SSL termination

Page 29:

Secure and Manageable Remote Access

ISA Server 2004 as an enterprise VPN solution:
Access controls and traffic segregation
De-tunnel and inspect traffic at the application layer
Multiple authentication options
Integrated client in Windows: simplified client deployment (built in); logon via VPN
PPTP, IPsec/L2TP
Integrated support and use of quarantine

Page 30:

Network Access Quarantine

Goal: prevent VPN clients that don't meet security requirements from accessing the network.

A client script checks whether the client meets organizational security policies: Personal firewall enabled? Latest virus definitions used? Required patches installed?
If the checks succeed, the client gets full access.
If the checks fail, the client is disconnected after a timeout period.
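As an added example (not from the slides and not Microsoft's quarantine scripts), the Python below expresses the three posture checks and the fail-closed timeout as a policy evaluator. The thresholds, the patch identifiers, the dates and the timeout are assumptions constructed for the example.

```python
# Added example (not from the slides, not Microsoft's quarantine scripts): the
# posture checks and the fail-closed timeout from the "Network Access Quarantine"
# slide as a policy evaluator. Thresholds, patch identifiers and dates are assumed.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class ClientPosture:
    """What the client-side script reports back."""
    firewall_enabled: bool
    definitions_date: date            # date of the installed virus definitions
    installed_patches: FrozenSet[str]


@dataclass(frozen=True)
class QuarantinePolicy:
    required_patches: FrozenSet[str]
    max_definition_age: timedelta = timedelta(days=7)   # assumed threshold
    quarantine_timeout: int = 120                        # seconds before disconnect (assumed)


def failed_checks(posture: ClientPosture, policy: QuarantinePolicy, today: date) -> List[str]:
    """Return the list of failed checks; an empty list means the client is compliant."""
    failures = []
    if not posture.firewall_enabled:
        failures.append("personal firewall disabled")
    if today - posture.definitions_date > policy.max_definition_age:
        failures.append(f"virus definitions older than {policy.max_definition_age.days} days")
    missing = sorted(policy.required_patches - posture.installed_patches)
    if missing:
        failures.append("missing patches: " + ", ".join(missing))
    return failures


def decide(posture: ClientPosture, policy: QuarantinePolicy, today: date,
           seconds_in_quarantine: int) -> Tuple[str, List[str]]:
    """Quarantine state after the checks: full_access, quarantined or disconnect.
    A client that never passes is dropped once the timeout elapses (fail closed)."""
    failures = failed_checks(posture, policy, today)
    if not failures:
        return ("full_access", failures)
    if seconds_in_quarantine >= policy.quarantine_timeout:
        return ("disconnect", failures)
    return ("quarantined", failures)


# Constructed sample data.
POLICY = QuarantinePolicy(required_patches=frozenset({"KB-EXAMPLE-1", "KB-EXAMPLE-2"}))
TODAY = date(2005, 3, 1)
COMPLIANT = ClientPosture(True, date(2005, 2, 27), frozenset({"KB-EXAMPLE-1", "KB-EXAMPLE-2"}))
STALE = ClientPosture(True, date(2005, 1, 15), frozenset({"KB-EXAMPLE-1"}))

if __name__ == "__main__":
    print(decide(COMPLIANT, POLICY, TODAY, 5))
    print(decide(STALE, POLICY, TODAY, 30))
    print(decide(STALE, POLICY, TODAY, 130))
```

The evaluator reports every failed check rather than stopping at the first, which is what a remediation message to the user needs, and the decision depends on elapsed time in quarantine so a client that cannot remediate is disconnected instead of lingering with partial access.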

Page 31:

Page 32:

ISA Server 2004 Enterprise Edition

ADAM-based configuration: no AD dependency, but AD can still be used for the user/group database (and integrated authentication), credential store, certificate authority and management
Redundant ADAM stores
Enterprise monitoring via a MOM management pack
Enterprise logging to a SQL database
Enterprise policies and central policy management
NLB enhancements and integrated management
CARP (Cache Array Routing Protocol)
Multi-function or dedicated-function arrays
Role-based management

Page 33:

Third-party Add-ons

Filtering Area | Company
IM | Akonix
SOCKS 5 | CornerPost Software
SOAP/XML | Forum Systems, Inc.
Pop-up blocking/HTML filter, URL redirection, SecureNAT web authentication | Collective Software
Antivirus | McAfee, GFI, Panda
URL filtering | SurfControl, Futuresoft, FilterLogix, SecureComputing, WebSense
Intrusion detection | ISS, GFI

For details see: http://www.microsoft.com/isaserver/partners

Page 34:

More Options for Customers

ISA Server 2004 OEM appliance: pre-hardened and pre-tested; hardened configuration for reduced attack surface; easy to purchase, set up and deploy
Added value and customer choice: out-of-box configuration tools; web-based administration; customized and fully integrated deployment options
New worldwide industry partnerships: Celestix Networks, Hewlett-Packard and Network Engines

Page 35:

Security Technologies Timeline

Timeline columns: Prior, H2 04, 2005, Future. Category rows: Vulnerability Assessment and Remediation; Active Protection Technologies; Antivirus.

Products on the timeline, in the groups in which they appear on the slide:
Microsoft Baseline Security Analyzer (MBSA) v1.2, Virus Cleaner Tools, Systems Management Server (SMS) 2003, Software Update Services (SUS) SP1, Internet Security and Acceleration (ISA) Server 2004 Standard Edition, Windows XP Service Pack 2
Patching technology improvements (MSI 3.0), Systems Management Server 2003 SP1, Microsoft Operations Manager 2005, Windows Malicious Software Removal Tool
Windows Server 2003 Service Pack 1, Windows Update Services, ISA Server 2004 Enterprise Edition, Windows Rights Management Services SP1, Windows AntiSpyware, System Center 2005, Windows Server 2003 "R2", Visual Studio 2005