Download Securing Network

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
Document related concepts

Policies promoting wireless broadband in the United States wikipedia , lookup

Net neutrality law wikipedia , lookup

Net bias wikipedia , lookup

Deep packet inspection wikipedia , lookup

Zero-configuration networking wikipedia , lookup

Wake-on-LAN wikipedia , lookup

Recursive InterNetwork Architecture (RINA) wikipedia , lookup

Computer network wikipedia , lookup

Computer security wikipedia , lookup

Network tap wikipedia , lookup

Airborne Networking wikipedia , lookup

Wireless security wikipedia , lookup

Piggybacking (Internet access) wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Virtual LAN wikipedia , lookup

Distributed firewall wikipedia , lookup

Transcript 
Securing Network – Wireless – and Connected
Infrastructures
Fred Baumhardt
Infrastructure Solutions Consulting
Microsoft Security Solutions, Feb 4th, 2003
Agenda



Defining the Datacenter Network
Security Problem
Penetration Techniques and Tools
Network Defence-in-Depth Strategy




Perimeter and Network Defences
Operating System and Services Defences
Application Defences
Data Defences
The Datacenter Problem We All
Face
•
•
•
•
Systems organically grown under “Project” context
No clear best practice from vendors
Security often bolted on as an afterthought
Fear of change – Time to Market
Some Core Systems
Extranets
Internet Systems
Project 1…n System
Branch Offices
Departments
The Big Picture of Security



OS hardening is only one component of
security strategy AND Firewalls are not a
Panacea
Entering the Bank Branch doesn’t get
you into the vault
Security relies on multiple things




People and skills
Process and incident management
Internal Technologies – E.G. OS,
Management Tools, switches, IDS, ISA
Edge Technologies – Firewalls, ISA, IDS
Threat Modelling




Internal Users are usually far more
dangerous
Normal employees have tools,
experience, and know your systems –
after all they use them
Customers usually take little internal
protection precautions – preferring to
focus on external Firewalls, and DMZ
scenarios for security
Data is now being hacked – not just
systems
The First Phase of Hacking

Information Gathering and
Intelligence
Port Scanning – Banner Grabbing –
TCP/IP Packet Profiling – TTL Packet
Manipulating
 Researching network structure –
newsgroup posts, outbound emails,
these all hold clues to network design

.
The Second Phase of
Hacking

Analysis of Collected Information
Process relevant bits of data about
target network
 Formulate an attack plan
 For Example: Attacker wont use SUN
specific attacks on W2K Boxes, won’t
use NT Attacks on .NET etc..
 Hacker Forums, websites, exploit
catalogues

The Third Phase of Hacking

The Compromise



OS Specific Attacks
Denial of Service Attacks
Application Attacks





Buffer Overflows
URL String Attacks
Injection
Cross-site Scripting Attacks
Compromised system jumps into another
Networking and Security




The network component is the
single most important aspect to
security
Wireless is based on Radio
transmission and reception – not
bounded by wires
Some sort of encryption is thus
required to protect open medium
Ethernet is also just about as
insecure
Network Problems ctd

Use encryption and authentication to
control access to network



WEP – Wired Equivalent Privacy
802.1X - using Public Key Cryptography
Mutually authenticating client and network
Securing a Wireless Connection

Three major strategies



WEP – basic low security simple solution
VPN – use an encrypted tunnel assuming
network is untrusted
802.1X family – Use PKI to encrypt
seamlessly from client to access point



Usually complex to implement but then seamless
to user
Substantial investment in PKI
Also vendor specific like Leap
What about the wired
network ?


This is where the hackers kill you
Currently a “total trust” model



You can ping HR database, or chairman's
PC, or accounting system in Tokyo
We assume anyone who can get in to our
internal network is trusted – and well
intentioned
Ethernet and TCP/IP is fundamentally
insecure
VPN



Extend the “internal” network space to clients in
internet
Extends the security perimeter to the client
Main systems are PPTP – L2TP/IPSEC
Corporate Net or Client
IP Tunnel
A
Host
Corporate Net in Reading
Router D
Router C
B
Host
Internet
How the Architecture Can
Prevent Attack
I
N
T
E
R
N
E
T
B
O
R
D
E
R
P
e
r
i
m
e
t
e
r
Internet
Redundant Routers
Redundant Firewalls
VLAN
VLAN
.
VLAN
Client and Site VPN
DNS & SMTP
Proxy
Redundant Internal Firewalls
Infrastructure Network –
Perimeter Active Directory
NIC teams/2 switches
VLAN
I
N
T
E
R
N
A
L
Intrusion
Detection
NIC teams/2 switches
VLAN
Remote data
center
Data Network – SQL Server
Clusters
VLAN
Messaging Network – Exchange
Infrastructure Network
– Internal Active Directory
VLAN
Management Network – MOM, deployment
VLAN
VLAN
VLAN
Client Network
VLAN
RADIUS Network
VLAN
Intranet Network - Web Servers
How do I do it ?







A Flat DMZ Design to push intelligent inspection outwards
ISA layer 7 filtration – RPC – SMTP – HTTP Switches that act like firewalls
IPSec where required between servers
Group Policy to Manage Security
802.1X or VPN into ISA servers treating Wireless as Hostile
Internal IDS installed
TCP 443: HTTPS Or
TCP 443: HTTPS
Internet
Stateful Packet
Filtering
Firewall
TCP 80: HTTP
Application
Filtering
Firewall (ISA
Server)
Wireless
Exchange Server
Call To Action



Take Action – your network
transport is insecure
Read and use security operations
guides for each technology you use
Mail me with questions –
[email protected]



If I didn’t want to talk to you I would
put a fake address
Use the free MS tools to establish a
baseline and stay on it
Attack yourself – you will learn
Wherever you go – go securely !
____________________________________________________________
Related documents
Document 8758227
Document 8758227
Chapter07
Chapter07
Review Questions of Switching Networks
Review Questions of Switching Networks
Network Designs
Network Designs
Release notes_1.3
Release notes_1.3
NTC 242 LEARNING TEAM ACME MANUFACTURING Problem
NTC 242 LEARNING TEAM ACME MANUFACTURING Problem
Networking
Networking
Basic Configuration of WAP4410N
Basic Configuration of WAP4410N
What are the Advantages and Disadvantages of a Policy
What are the Advantages and Disadvantages of a Policy
Slide 1 - ECE Users Pages
Slide 1 - ECE Users Pages
Westermo Group
Westermo Group
Secure Cloud Computing with a Virtualized Network Infrastructure Bell Labs
Secure Cloud Computing with a Virtualized Network Infrastructure Bell Labs
PPT-2 - Convergence Technology Center
PPT-2 - Convergence Technology Center
Ethernet Link SMS-800
Ethernet Link SMS-800
VLAN History
VLAN History
CCNA3:LAN
CCNA3:LAN
Технология на програмирането
Технология на програмирането
The Virtual Local Area Network (VLAN) Technology
The Virtual Local Area Network (VLAN) Technology
Controller
Controller
the document
the document
ppt in chapter 14
ppt in chapter 14
[2016-NEW!] 200-120 New Questions and Answers -
[2016-NEW!] 200-120 New Questions and Answers -