Implementing Network Security

Posted on 02-Jan-2020

TRANSCRIPT

Page 1: Implementing Network Security (online.aoi.edu.au/documents/1361152703PPT2.pdf)

NETWORK SECURITY

Page 2: Agenda

• PKI Overview

• Secure Remote Access

• Secure Wireless

• Segmentation via IPsec

• Application Layer Firewalling

Page 3: Symmetric Key Cryptography

Plain-text input: “The quick brown fox jumps over the lazy dog”
  → Encryption → Cipher-text: “AxCv;5bmEseTfid3)fGsmWe#4^,sdgfMwir3:dkJeTsY8R\s@!q3%”
  → Decryption → Plain-text output: “The quick brown fox jumps over the lazy dog”

Same key (shared secret) is used for encryption and decryption.

Page 4: Public Key Encryption

Clear-text input: “The quick brown fox jumps over the lazy dog”
  → Encryption with the recipient’s public key → Cipher-text: “Py75c%bn&*)9|fDe^bDFaq#xzjFr@g5=&nmdFg$5knvMd’rkvegMs”
  → Decryption with the recipient’s private key → Clear-text output: “The quick brown fox jumps over the lazy dog”

Different keys: the recipient’s public key encrypts, the recipient’s private key decrypts.

Page 5: Public Key Pros and Cons

• Weakness:
  • Extremely slow
  • Susceptible to “known ciphertext” attack
  • Problem of trusting public key (see later on PKI)
• Strength:
  • Solves problem of passing the key
  • Allows establishment of trust context between parties

Page 6: Hybrid Encryption (Real World)

Plain text: “Launch key for nuclear missile ‘RedHeat’ is...”
  → Symmetric encryption (e.g. DES) with a randomly generated symmetric “session” key (from an RNG)
  → Cipher-text: “*#$fjda^j u539!3t t389E *&\@ 5e%32\^kd”

Session key → encrypted asymmetrically (e.g., RSA) with the user’s public key (in certificate) → Digital Envelope

As above, repeated for other recipients or recovery agents: the session key is also encrypted with the other recipient’s or agent’s public key (in certificate) named in the recovery policy, giving a further Digital Envelope.

Page 7: Hybrid Decryption

Cipher-text “*#$fjda^j u539!3t t389E *&\@ 5e%32\^kd”
  → Symmetric decryption (e.g. DES) with the symmetric “session” key
  → “Launch key for nuclear missile ‘RedHeat’ is...”

Digital Envelope → Asymmetric decryption of the “session” key (e.g. RSA) with the recipient’s private key → Symmetric “session” key

The digital envelope contains the “session” key encrypted using the recipient’s public key; the session key must be decrypted using the recipient’s private key.
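The envelope scheme of pages 3, 4, 6 and 7 in working code, as an added example that is not part of the deck: a random session key encrypts the data symmetrically, and one digital envelope per recipient wraps that session key with the recipient's public key, so a recovery agent's envelope can be added without re-encrypting the data. The cipher choices are this example's own (AES-GCM in place of the slide's DES, RSA-OAEP for the envelope); the type and function names and the sample plaintext are assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is one digital envelope: the session key wrapped with one recipient's public key.
type Envelope struct {
	RecipientID string
	WrappedKey  []byte
}

// HybridMessage is what goes on the wire: the symmetrically encrypted data plus one
// envelope per recipient (the user, other recipients, recovery agents).
type HybridMessage struct {
	Nonce      []byte
	Ciphertext []byte
	Envelopes  []Envelope
}

// Seal draws a random session key, encrypts the data with it (AES-GCM stands in for the
// slide's DES) and wraps the key once per recipient public key (RSA-OAEP stands in for "RSA").
func Seal(plaintext []byte, recipients map[string]*rsa.PublicKey) (*HybridMessage, error) {
	sessionKey := make([]byte, 32) // RNG -> randomly generated "session" key
	if _, err := io.ReadFull(rand.Reader, sessionKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	msg := &HybridMessage{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}
	for id, pub := range recipients {
		// the recipient id is bound into the OAEP label so an envelope cannot be re-addressed
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, []byte(id))
		if err != nil {
			return nil, err
		}
		msg.Envelopes = append(msg.Envelopes, Envelope{RecipientID: id, WrappedKey: wrapped})
	}
	return msg, nil
}

// Open finds the envelope addressed to id, unwraps the session key with that recipient's
// private key and then decrypts the data. Any other private key fails at the unwrap step.
func Open(msg *HybridMessage, id string, priv *rsa.PrivateKey) ([]byte, error) {
	for _, env := range msg.Envelopes {
		if env.RecipientID != id {
			continue
		}
		sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, []byte(id))
		if err != nil {
			return nil, fmt.Errorf("unwrap session key for %q: %w", id, err)
		}
		block, err := aes.NewCipher(sessionKey)
		if err != nil {
			return nil, err
		}
		gcm, err := cipher.NewGCM(block)
		if err != nil {
			return nil, err
		}
		return gcm.Open(nil, msg.Nonce, msg.Ciphertext, nil)
	}
	return nil, fmt.Errorf("no envelope addressed to %q", id)
}

func main() {
	user, _ := rsa.GenerateKey(rand.Reader, 2048)
	agent, _ := rsa.GenerateKey(rand.Reader, 2048)
	plaintext := []byte("Launch key for nuclear missile \"RedHeat\" is...") // sample text from the slide
	msg, err := Seal(plaintext, map[string]*rsa.PublicKey{"user": &user.PublicKey, "recovery-agent": &agent.PublicKey})
	if err != nil {
		panic(err)
	}
	got, err := Open(msg, "recovery-agent", agent)
	fmt.Println("agent recovers data:", err == nil && bytes.Equal(got, plaintext), "envelopes:", len(msg.Envelopes))
	_, err = Open(msg, "user", agent) // the agent's key cannot open the user's envelope
	fmt.Println("wrong private key rejected:", err != nil)
}
```

The recovery-agent envelope is the point of the "repeated for other recipients or recovery agents" box on page 6: the same ciphertext is shared, only the small wrapped key is duplicated, and whoever holds the matching private key is the only party that can unwrap it.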

Page 8: Digital Signing - Signing

Data: “This is the data that I am sending”
  → Hash → Data hash: “Aksjdlka alsjla394897 &(^&*kshfos (*&E321029 83”
  → Encryption (Recipient’s private key) → Encrypted data hash: “Py75c%bn&*)9|fDe^bDFaq#xzjFr@g5=&nmdFg$5knvMd’rkvegMs”

Data & encrypted hash sent.

Page 9: Digital Signing - Checking

Received: data + encrypted hash “Py75c%bn&*)9|fDe^bDFaq#xzjFr@g5=&nmdFg$5knvMd’rkvegMs”
  → Decryption (hash) with the public key → Decrypted hash
  → Clear-text input → Hash → Message hash

Check: compare; Message hash = Decrypted message hash.
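Pages 8 and 9 as working code, added here and not part of the deck. One point the page 8 label blurs: the key that signs is the sender's private key (page 8 says “Recipient’s private key”), and the check on page 9 uses the sender's public key; the code below follows that. The signature scheme (RSA-PSS over SHA-256) and the names are this example's own choices.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignedMessage is "Data & Encrypted Hash Sent": the data and the signature over its hash.
type SignedMessage struct {
	Data      []byte
	Signature []byte
}

// HashData is the "Hash" box: a fixed-size digest of the data.
func HashData(data []byte) []byte {
	d := sha256.Sum256(data)
	return d[:]
}

// Sign hashes the data and signs the hash with the sender's private key.
func Sign(senderPriv *rsa.PrivateKey, data []byte) (*SignedMessage, error) {
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, HashData(data), nil)
	if err != nil {
		return nil, err
	}
	return &SignedMessage{Data: data, Signature: sig}, nil
}

// Verify recomputes the hash over the received data and compares it with what the
// signature yields under the sender's public key; any change to Data or Signature
// makes it return false.
func Verify(senderPub *rsa.PublicKey, msg *SignedMessage) bool {
	return rsa.VerifyPSS(senderPub, crypto.SHA256, HashData(msg.Data), msg.Signature, nil) == nil
}

func main() {
	sender, _ := rsa.GenerateKey(rand.Reader, 2048)
	msg, err := Sign(sender, []byte("This is the data that I am sending"))
	if err != nil {
		panic(err)
	}
	fmt.Println("signature checks:", Verify(&sender.PublicKey, msg))

	// constructed tamper case: one character of the data changed in transit
	tampered := &SignedMessage{Data: []byte("This is the data that I am sending!"), Signature: msg.Signature}
	fmt.Println("tampered data checks:", Verify(&sender.PublicKey, tampered))
}
```

The compare step on page 9 is inside `rsa.VerifyPSS`: it only reports success when the hash recovered from the signature matches the hash computed over the data that actually arrived.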

Page 10: Key Thoughts

• How do you design a PKI?

• By Geography?

• By PK Function?

• By Administration

• Internal or External?

• How Many Certificates

• Usage Times

Page 11: What is Quarantine?

• Health Checkup
  • IT checks “health” of client - patch level, AV, other scriptable checks
• Network Access Control
  • Access/No Access using RRAS & IAS
• Health Maintenance
  • Quarantined clients are given access to fix-up services
• Can’t protect against malicious users

Diagram: clients from home, returning laptops and unhealthy desktops connecting in.

Page 12: Classic VPN Quarantine (V1)

Diagram: Client (Internet side) → RRAS → IAS, with Quarantine in front of the Corpnet.

CM Profile
• Runs customizable post connect script
• Script runs RQC notifier with “results string”

Listener
• RQS receives Notifier “results string”
• Compares results to possible results
• Removes time-out if response received but client out of date
• Removes quarantine filter if client up to date

Quarantine VSAs
• Timer limits time window to receive notify before auto disconnect
• Q-filter sets temporary route filter to quarantine access

• IAS: All VSA features
• RRAS: VSA support & API to remove quarantine
• Client/Server: RQC, RQS

RQS = Remote Quarantine Server
RQC = Remote Quarantine Client
VSA = Vendor Specific Attributes

Page 13: Classic VPN Quarantine

Flow (Client → RRAS → IAS, between Internet and Corpnet):
• Connect
• Authenticate
• Authorize: Quarantine VSA + Normal Filters
• Quarantine Access
• Policy Check Result → Remove Quarantine
• Full Access
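The listener and timer logic of pages 12 and 13 as a small state machine, added here as an example and not code from the deck or from RRAS/IAS. It models the three outcomes the slides name: the quarantine filter is removed when the results string says the client is up to date, the time-out is removed (but the client stays quarantined) when the client reported but is out of date, and the session is dropped when the timer runs out with no report. The results strings, field names and the rule that an unrecognised string is ignored are this example's assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// State is where a VPN session stands relative to the quarantine filter.
type State int

const (
	Quarantined  State = iota // behind the Q-filter: timer running, or client reported out of date
	FullAccess                // quarantine filter removed: client reported up to date
	Disconnected              // timer expired with no recognised notify
)

func (s State) String() string { return [...]string{"Quarantined", "FullAccess", "Disconnected"}[s] }

// Session is one RRAS connection held in quarantine (field names are this example's own).
type Session struct {
	Client       string
	Connected    time.Time
	Timeout      time.Duration // the quarantine timer VSA
	TimerStopped bool          // set once a recognised results string has arrived
	State        State
}

// Listener plays the RQS role: it holds the "possible results" the post-connect script can
// report and which of them mean the client is up to date.
type Listener struct {
	Results map[string]bool // results string -> true if the client is compliant
}

// HandleNotify is the RQC -> RQS path. A string that is not among the possible results is
// treated as if nothing had arrived, so the timer keeps running (a choice of this example).
func (l *Listener) HandleNotify(s *Session, results string, now time.Time) State {
	if s.State != Quarantined {
		return s.State // already decided
	}
	if now.Sub(s.Connected) > s.Timeout {
		s.State = Disconnected // RRAS has already dropped the session
		return s.State
	}
	compliant, known := l.Results[results]
	if !known {
		return s.State
	}
	s.TimerStopped = true // "removes time-out if response received"
	if compliant {
		s.State = FullAccess // "removes quarantine filter if client up to date"
	}
	return s.State
}

// Tick is the RRAS timer path: no recognised notify inside the window means auto-disconnect.
func (l *Listener) Tick(s *Session, now time.Time) State {
	if s.State == Quarantined && !s.TimerStopped && now.Sub(s.Connected) >= s.Timeout {
		s.State = Disconnected
	}
	return s.State
}

func main() {
	// constructed results strings; in a deployment they come from the post-connect script
	rqs := &Listener{Results: map[string]bool{"patched;av-current": true, "patched;av-stale": false}}
	t0 := time.Date(2020, 1, 2, 9, 0, 0, 0, time.UTC)
	cases := []struct {
		name, results string
		at            time.Duration
	}{
		{"laptop-1", "patched;av-current", 5 * time.Second},
		{"laptop-2", "patched;av-stale", 5 * time.Second},
		{"desktop-3", "", 0},                                  // never reports
		{"laptop-4", "patched;av-current", 45 * time.Second}, // reports after the window
	}
	for _, c := range cases {
		s := &Session{Client: c.name, Connected: t0, Timeout: 30 * time.Second}
		if c.results != "" {
			rqs.HandleNotify(s, c.results, t0.Add(c.at))
		}
		fmt.Printf("%-10s %s\n", s.Client, rqs.Tick(s, t0.Add(60*time.Second)))
	}
}
```

The "out of date but reported" branch is the one worth noticing: the session is kept alive behind the quarantine filter so the client can reach the fix-up services from page 11, which is different from silently leaving it on the timer until it is dropped.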

Page 14: Secure Remote Access

• Expanding the managed network

• Where is the edge?

• VPN Quarantine

• End Point Compliance

• VPN-less connections

• SSL VPNs

• Smartphones / Devices

• Smartcard Authentication

Page 15: Secure Wireless Basics

• Shifting the entry barrier

• Key themes

• Security

• Management

• Usability

Page 16: Security Best Practices - What NOT to do

• Hidden SSID
  • Does not provide any real security
  • Easily discoverable in well-used environments
  • Windows client experience is impacted
• MAC Filtering
  • Does not scale
  • NIC management issue
  • MAC is spoofable
• “Shared” mode
  • Sounds like more security but is actually worse
  • Not to be confused with Pre-Shared Key (PSK) which is more secure
• Open networks and VPN’s
  • Grants everyone access to the wireless segment
  • Great for hotspots, not for your business

Page 17: Secure Wireless Deployment Components

Wireless Clients and Wireless Access Points
• Radio Types: 802.11 a/b/g
• Network Authentication: 802.1X, WPA, WPA2/802.11i*
• Encryption: WEP, TKIP, AES

RADIUS Server
• RADIUS
• EAP/TLS
• PEAP-MSCHAPv2
• Remote Access Policies

User account database
• Remote Access permissions
• Credentials = Passwords

Certificate Authority (optional)
• Credentials = Certificates

Page 18: Domain and Server Isolation

Diagram zones: Un-trusted zone (Unmanaged Devices); Trusted (Active Directory Domain Controller, Infrastructure Servers, Authenticating Host Firewalls; authentication optional); Isolated and Trusted (authentication required). An X marks the connections that are blocked.

How it works
• Domain credentials identify “trusted” vs “un-trusted”
• Trusted machines with credentials can communicate
• Un-trusted machines cannot communicate to Trusted or Isolated and Trusted machines
• Domain machines can communicate to “unmanaged” machines

Available today with Windows 2000, XP and Server 2003

Page 19: Threats That IPsec Mitigates

• Tampering with data in transit
• Unauthenticated access to trusted systems
  • Including worm propagation from untrusted systems
• Man-in-the-middle attacks
• Spoofing
• Eavesdropping on network traffic
• And others…

Page 20: IPsec Modes of Operation

• Tunnel Mode
  • Classic VPN
  • Network-to-Network
  • Host-to-Network
• Transport Mode
  • Host-to-Host
  • In Network Isolation
    • Group to group
    • An Isolation Group can contain 1 or 10000 hosts!

Page 21: Methods for IPsec Protection

• AH
  • Mutual authentication of endpoints
  • End-to-end IP header integrity
  • Will not traverse a NAT device
• ESP
  • Mutual authentication of endpoints
  • Option to use encryption
  • Will traverse a NAT device
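Why AH breaks behind NAT and ESP does not, shown on a toy packet; this is an added example, not code from the deck and not a real IPsec implementation. An AH-style integrity check covers the IP header (with mutable fields such as TTL zeroed) plus the payload, so a NAT device that rewrites the source address invalidates it; an ESP-style check covers the payload only, so the same rewrite leaves it intact. The packet layout, key and addresses below are constructed; in practice ESP crosses NAT with UDP encapsulation (NAT-T), which this example does not model.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"net"
)

// Packet is a toy IP packet: only the header fields this example needs, the payload and
// the integrity check value (ICV) the sender attached.
type Packet struct {
	Src, Dst net.IP
	TTL      byte
	Payload  []byte
	ICV      []byte
}

// ahCoverage is what an AH-style ICV protects: the IP header (with the mutable TTL zeroed,
// as AH does for fields routers change) plus the whole payload.
func ahCoverage(p *Packet) []byte {
	var b bytes.Buffer
	b.Write(p.Src.To4())
	b.Write(p.Dst.To4())
	b.WriteByte(0) // TTL is mutable in transit, so it is zeroed before the ICV is computed
	b.Write(p.Payload)
	return b.Bytes()
}

// espCoverage is what an ESP-style ICV protects: the payload only, never the outer IP header.
func espCoverage(p *Packet) []byte { return p.Payload }

// computeICV is the keyed integrity check (HMAC-SHA256 here) over the covered bytes.
func computeICV(key, covered []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(covered)
	return m.Sum(nil)
}

func ProtectAH(key []byte, p *Packet)       { p.ICV = computeICV(key, ahCoverage(p)) }
func ProtectESP(key []byte, p *Packet)      { p.ICV = computeICV(key, espCoverage(p)) }
func VerifyAH(key []byte, p *Packet) bool   { return hmac.Equal(p.ICV, computeICV(key, ahCoverage(p))) }
func VerifyESP(key []byte, p *Packet) bool  { return hmac.Equal(p.ICV, computeICV(key, espCoverage(p))) }

// ApplyNAT models a NAT device on the path: it rewrites the source address to its public
// address and, like any router, decrements the TTL.
func ApplyNAT(p *Packet, public net.IP) {
	p.Src = public
	p.TTL--
}

// newPacket builds a constructed sample packet from an internal host.
func newPacket() *Packet {
	return &Packet{Src: net.ParseIP("10.0.0.5"), Dst: net.ParseIP("192.0.2.10"), TTL: 64, Payload: []byte("constructed payload")}
}

func main() {
	key := []byte("constructed-shared-key-from-IKE")
	public := net.ParseIP("198.51.100.1")

	ah := newPacket()
	ProtectAH(key, ah)
	fmt.Println("AH before NAT:", VerifyAH(key, ah))
	ApplyNAT(ah, public)
	fmt.Println("AH after NAT: ", VerifyAH(key, ah)) // the covered header changed

	esp := newPacket()
	ProtectESP(key, esp)
	ApplyNAT(esp, public)
	fmt.Println("ESP after NAT:", VerifyESP(key, esp)) // header is not covered
}
```

The TTL handling matters too: a plain router hop only decrements TTL, which AH deliberately excludes from its coverage, so AH survives routing but not address rewriting.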

Page 22: Let’s Rip Open a Packet

• Currently – most firewalls check only basic packet information
• Real world equivalent of looking at the number and destination of a bus – and not looking at the passengers

Page 23: A Traditional Firewall’s View

Control Internet access, protect clients from malicious Internet traffic

IP Header: Source Address, Dest. Address, TTL, Checksum
TCP Header: Sequence Number, Source Port, Destination Port, Checksum
Application Layer Content: ??????????????????????????????? (only packet headers are inspected; application layer content appears as a “black box”)

• Forwarding decisions based on port numbers
• Legitimate traffic and application layer attacks use identical ports

Diagram: traffic from the Internet toward the Corporate Network: Expected HTTP Traffic, Unexpected HTTP Traffic, Attacks, Non-HTTP Traffic.

Page 24: ISA Server’s View of a Packet

Control Internet access, protect clients from malicious Internet traffic

Packet headers and application content are inspected:
IP Header: Source Address, Dest. Address, TTL, Checksum
TCP Header: Sequence Number, Source Port, Destination Port, Checksum
Application Layer Content: GET www.contoso.com/partners/default.htm

• Forwarding decisions based on content
• Only legitimate HTTP traffic is sent to Web server

Diagram: traffic from the Internet toward the Corporate Network: Allowed HTTP Traffic, Prohibited HTTP Traffic, Attacks, Non-HTTP Traffic.
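The difference between pages 23 and 24 in code, as an added example (not the deck's and not ISA Server's logic): the port-only view classifies anything on 80/tcp as web traffic, while the content view parses the payload as an HTTP request and decides on method, host and path. The published host and path prefix, the allowed methods and the sample payloads are constructed; `www.contoso.com/partners/default.htm` is the request from the slide.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"net/http"
	"path"
	"strings"
)

// Verdict is the traffic class from the slides: allowed HTTP, prohibited HTTP, or not HTTP at all.
type Verdict string

const (
	AllowedHTTP    Verdict = "allowed HTTP"
	ProhibitedHTTP Verdict = "prohibited HTTP"
	NonHTTP        Verdict = "non-HTTP"
)

// PortOnlyVerdict is the traditional firewall's view: only the destination port is consulted,
// so anything sent to 80 or 443 looks like legitimate web traffic.
func PortOnlyVerdict(dstPort int) Verdict {
	if dstPort == 80 || dstPort == 443 {
		return AllowedHTTP
	}
	return NonHTTP
}

// Policy is this example's content-level rule set: the published hosts, the URL prefix each
// one exposes, and the request methods that may be used.
type Policy struct {
	Published map[string]string // host -> allowed path prefix
	Methods   map[string]bool
}

// ContentVerdict parses the TCP payload as an HTTP request and decides on what it says,
// not on which port it arrived.
func (p Policy) ContentVerdict(payload []byte) Verdict {
	req, err := http.ReadRequest(bufio.NewReader(bytes.NewReader(payload)))
	if err != nil {
		return NonHTTP // does not parse as HTTP: non-HTTP traffic on a web port
	}
	if !p.Methods[req.Method] {
		return ProhibitedHTTP
	}
	prefix, ok := p.Published[strings.ToLower(req.Host)]
	if !ok {
		return ProhibitedHTTP // host is not published through this listener
	}
	// path.Clean folds "." and ".." segments first, so the prefix check is made on the
	// path the web server would actually resolve
	clean := path.Clean(req.URL.Path)
	if clean != prefix && !strings.HasPrefix(clean, prefix+"/") {
		return ProhibitedHTTP
	}
	return AllowedHTTP
}

// samplePolicy publishes one site under one prefix (constructed values).
var samplePolicy = Policy{
	Published: map[string]string{"www.contoso.com": "/partners"},
	Methods:   map[string]bool{"GET": true, "HEAD": true, "POST": true},
}

func main() {
	// constructed sample payloads, all as they would arrive on 80/tcp
	samples := []struct {
		name    string
		payload []byte
	}{
		{"expected", []byte("GET /partners/default.htm HTTP/1.1\r\nHost: www.contoso.com\r\n\r\n")},
		{"unexpected", []byte("GET /partners/../admin/ HTTP/1.1\r\nHost: www.contoso.com\r\n\r\n")},
		{"other-host", []byte("GET /partners/default.htm HTTP/1.1\r\nHost: intranet.contoso.com\r\n\r\n")},
		{"non-http", []byte("SSH-2.0-OpenSSH_9.0\r\n")},
	}
	for _, s := range samples {
		fmt.Printf("%-10s port view: %-12s content view: %s\n", s.name, PortOnlyVerdict(80), samplePolicy.ContentVerdict(s.payload))
	}
}
```

Every sample gets "allowed HTTP" from the port-only view, which is the page 23 point that legitimate traffic and application-layer misuse share the same port; only the content view separates them.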

Page 25: Problem – RPC Protocol Standard Firewall Challenge

RPC client (Outlook) ↔ RPC server (Exchange)

RPC services grab random high ports when they start; the server maintains a table:

Service          UUID               Port
Exchange         {12341234-1111…    4402
AD replication   {01020304-4444…    3544
MMC              {19283746-7777…    9233

• Client knows the UUID of the service it wants ({12341234-1111…})
• Client connects to the portmapper on the server (port 135/tcp) and asks, “What port is associated with my UUID?”
• Server matches the UUID to the current port… (4402/tcp)
• Portmapper responds with the port and closes the connection
• Client accesses the application over the learned port (4402/tcp)

Due to the random nature of RPC, this is not feasible over the Internet: all 64,512 high ports & port 135 must be opened on traditional firewalls.
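The page 25 exchange as a simulation, added here as an example that is neither the deck's code nor ISA Server's RPC filter: an endpoint mapper on 135/tcp hands out the port a service grabbed at start-up, a stateless rule has to leave 135 plus every high port open, and an RPC-aware filter that reads the mapper's reply opens only the one port that was handed out, only for the client that asked, and only for interfaces an administrator chose to publish. The UUID strings are placeholders (the slide truncates the real ones); the ports 4402, 3544 and 9233 are the slide's.

```go
package main

import (
	"errors"
	"fmt"
)

// EndpointMapper is the server's table behind 135/tcp: interface UUID -> the high port the
// service grabbed when it started.
type EndpointMapper struct{ table map[string]int }

func NewEndpointMapper() *EndpointMapper { return &EndpointMapper{table: map[string]int{}} }

// Register records the port a service bound at start-up.
func (m *EndpointMapper) Register(uuid string, port int) { m.table[uuid] = port }

// Lookup answers the client's question: "what port is associated with my UUID?"
func (m *EndpointMapper) Lookup(uuid string) (int, error) {
	port, ok := m.table[uuid]
	if !ok {
		return 0, errors.New("no endpoint registered for " + uuid)
	}
	return port, nil
}

// Flow is one connection attempt as a firewall sees it: the client and the destination port.
type Flow struct {
	Client  string
	DstPort int
}

// StatelessRule is the traditional firewall's only option: open 135 plus every high port.
func StatelessRule(f Flow) bool { return f.DstPort == 135 || f.DstPort >= 1024 }

// CountStatelessPorts returns how many destination ports StatelessRule leaves open.
func CountStatelessPorts() int {
	n := 0
	for p := 1; p <= 65535; p++ {
		if StatelessRule(Flow{DstPort: p}) {
			n++
		}
	}
	return n
}

// RPCAwareFilter is a simplified model of an application-layer filter that understands the
// mapper exchange: a pinhole is opened per (client, port) only after a permitted lookup.
type RPCAwareFilter struct {
	Published map[string]bool // interface UUID -> may be reached from outside
	pinholes  map[Flow]bool
}

func NewRPCAwareFilter(published ...string) *RPCAwareFilter {
	f := &RPCAwareFilter{Published: map[string]bool{}, pinholes: map[Flow]bool{}}
	for _, u := range published {
		f.Published[u] = true
	}
	return f
}

// ObserveLookup sees the client's query and the mapper's answer; it opens nothing and
// returns false when the interface is not published.
func (f *RPCAwareFilter) ObserveLookup(client, uuid string, port int) bool {
	if !f.Published[uuid] {
		return false
	}
	f.pinholes[Flow{Client: client, DstPort: port}] = true
	return true
}

// Allows permits the mapper port itself and any pinhole learned for this exact client.
func (f *RPCAwareFilter) Allows(fl Flow) bool { return fl.DstPort == 135 || f.pinholes[fl] }

func main() {
	mapper := NewEndpointMapper()
	mapper.Register("uuid-exchange-placeholder", 4402) // placeholder UUIDs; ports from the slide
	mapper.Register("uuid-ad-replication-placeholder", 3544)
	mapper.Register("uuid-mmc-placeholder", 9233)

	fmt.Println("ports a stateless firewall must open:", CountStatelessPorts())

	filter := NewRPCAwareFilter("uuid-exchange-placeholder")
	port, _ := mapper.Lookup("uuid-exchange-placeholder") // the 135/tcp exchange
	filter.ObserveLookup("outlook-client", "uuid-exchange-placeholder", port)
	fmt.Println("outlook-client -> 4402:", filter.Allows(Flow{"outlook-client", 4402}))
	fmt.Println("outlook-client -> 3544:", filter.Allows(Flow{"outlook-client", 3544}))
	fmt.Println("other-client   -> 4402:", filter.Allows(Flow{"other-client", 4402}))
}
```

The count is the slide's 64,512 high ports plus port 135. The per-client pinhole is the detail to keep: a filter that opened 4402 for everyone after one lookup would be back to a static rule, just a smaller one.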

Page 26: Securely make email available to outside employees

Traditional firewall
• OWA client connects over SSL; the OWA server prompts for authentication — any Internet user can access this prompt
• SSL tunnels through traditional firewalls because it is encrypted… …which allows viruses and worms to pass through undetected… …and infect internal servers!

ISA Server 2004
• Basic authentication delegation: ISA Server pre-authenticates users, eliminating multiple dialog boxes and only allowing valid traffic through
• ISA Server can decrypt and inspect SSL traffic; inspected traffic can be sent to the internal server re-encrypted (SSL) or in the clear (HTTP)
• URLScan for ISA Server can stop Web attacks at the network edge, even over encrypted SSL