
The Role of the Firewall in Defense in Depth. Presented by Bryan Bain, Security+, SSCP, Sr. Director of Security Marketing. The role of the firewall has changed: hardening the perimeter is impossible, and worms have changed the rules.


Presentation Transcript


  1. Welcome: The Role of the Firewall in Defense in Depth
     Presented by Bryan Bain, Security+, SSCP, Sr. Director of Security Marketing

  2. The Role Of The Firewall Has Changed
     • Hardening the perimeter is impossible.
     • Worms have changed the rules.
     • We must shift our approach from reacting to a set of known vulnerabilities to a proactive stance against unknown vulnerabilities.

  3. Hardening is Impossible
     The Workforce is Increasingly Mobile

  4. Worms Have Changed The Rules
     • Protecting the network is more important than protecting any one individual node.
     • A shift from a reactive stance against known vulnerabilities to a proactive stance against unknown vulnerabilities is necessary, especially at the end-points.
     • Application Layer firewalls are integrating "scan and block"
     • Application Layer firewalls are integrating IPS

  5. Proactive Application Layer Protection
     Figure labels: Deep-Packet Application Inspection, layered over Commodity Stateful Network Inspection

  6. Defense-in-Depth
     • Perimeter Defenses: packet filtering, stateful packet inspection, intrusion detection.
     • Network Defenses: VLAN access control lists (ACLs), internal firewalls, auditing, intrusion detection.
     • Application Defenses: AV, content screening, Layer 7 (URL) translation, application layer filtering, Secure Exchange, Secure IIS.
     • Host Defenses: server hardening, host-based intrusion prevention, filtering, auditing.

  7. What Can We Do At The Perimeter?
     Figure: a traditional firewall's view of a packet. The IP header (source address, destination address, TTL, checksum) and the TCP header (sequence number, source port, destination port, checksum) are visible; the application layer content is shown as "????????" (a black box). Expected HTTP traffic, unexpected HTTP traffic, attacks and non-HTTP traffic all flow between the Internet and the corporate network.
     • A traditional firewall's view of a packet
     • Only packet headers are inspected
     • Application layer content appears as a "black box"
     • Forwarding decisions based on port numbers
     • Legitimate traffic and application layer attacks use identical ports

  8. Network / Transport Layer Protection
     • Packet Filtering
     • Stateful Packet Filtering
     Strengths: high performance; good access control; full seven-layer protocol awareness
     Weaknesses: insufficient application awareness; insufficient payload inspection
     Threats in scope at layers 3/4 (grouped on the slide): ACK denial-of-service; IP fragment denial-of-service; SYN, Land, Tear Drop; session hijacking (TCP sequence number manipulation); port scans; IP address sweep scans

  9. Layer 3/4 Devices Offer No Protection Against:
     • SMTP Buffer Overflow
     • Rogue RPC
     • DNS Query Malformed Packets
     • FTP Port Injection
     • Directory Traversal
     • Nimda, MS/Doom, Slammer Worms
     • Content-borne malware
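Slides 7 to 9 make one point: a port-based firewall forwards anything addressed to a published port, while an application-layer firewall parses the payload and can refuse what does not satisfy a positive policy. The following is an added example, not code from the presentation or from any product it names. It puts a port-only verdict beside an application-layer verdict for the same constructed packets (the addresses, the allowed-port set and the 2048-byte target limit are assumptions chosen for the example); the traversal and oversized-target cases stand in for the "directory traversal" and "buffer overflow" items the slides list.

```python
# Added example (not from the presentation): a layer 3/4 verdict beside a
# layer 7 verdict for the same packets, using constructed sample traffic.
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import unquote


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


ALLOWED_PORTS = {80, 443}           # ports the perimeter publishes (assumption)
ALLOWED_METHODS = {"GET", "POST", "HEAD"}
MAX_TARGET_LEN = 2048               # an oversized request target is a classic overflow vector


def layer4_verdict(pkt: Packet) -> str:
    """The traditional firewall's view: only headers are consulted, so
    anything addressed to an allowed port is forwarded."""
    return "allow" if pkt.dport in ALLOWED_PORTS else "deny"


def layer7_verdict(pkt: Packet) -> tuple[str, str]:
    """Application-layer inspection: the payload must parse as HTTP and pass
    a positive policy; anything else on the allowed port is dropped."""
    if pkt.dport not in ALLOWED_PORTS:
        return "deny", "port not allowed"
    try:
        request_line = pkt.payload.split(b"\r\n", 1)[0].decode("ascii")
        method, target, version = request_line.split(" ")
    except (UnicodeDecodeError, ValueError):
        return "deny", "payload is not HTTP"
    if not version.startswith("HTTP/"):
        return "deny", "payload is not HTTP"
    if method not in ALLOWED_METHODS:
        return "deny", f"method {method} not allowed"
    if len(target) > MAX_TARGET_LEN:
        return "deny", "oversized request target"
    # Decode percent-encoding first so an encoded "../" cannot slip past.
    if ".." in unquote(target).replace("\\", "/").split("/"):
        return "deny", "directory traversal in request target"
    return "allow", "well-formed HTTP request"


# Constructed sample traffic, all addressed to the published HTTP port.
SAMPLES = {
    "expected http": Packet("198.51.100.7", "192.0.2.10", 80,
                            b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    "traversal": Packet("198.51.100.8", "192.0.2.10", 80,
                        b"GET /images/..%2F..%2Fsecret.txt HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    "oversized target": Packet("198.51.100.9", "192.0.2.10", 80,
                               b"GET /" + b"A" * 4000 + b" HTTP/1.1\r\n\r\n"),
    "non-http on port 80": Packet("198.51.100.10", "192.0.2.10", 80,
                                  b"\x00\x01\x02binary-tunnel\xff\xfe"),
}


def compare_views() -> dict[str, tuple[str, str]]:
    """Return {sample name: (layer 3/4 verdict, layer 7 verdict)}."""
    return {name: (layer4_verdict(p), layer7_verdict(p)[0]) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (l4, l7) in compare_views().items():
        print(f"{name:22s} layer 3/4: {l4:5s} layer 7: {l7}")
```

The port-only view allows all four packets; only the layer 7 view separates the expected request from the three others, which is exactly the gap slide 9 lists.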

  10. What's a Security Admin To Do?
     Figure: ISA Server's view of a packet. The IP header (source address, destination address, TTL, checksum) and the TCP header (sequence number, source port, destination port, checksum) are followed by readable application layer content: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>MSNBC - MSNBC Front Page</title><link rel="stylesheet" ... Expected HTTP traffic, unexpected HTTP traffic, attacks and non-HTTP traffic flow between the Internet and the corporate network.
     • ISA Server's view of a packet
     • Packet headers and application content are inspected

  11. Defense in Depth Architecture
     • Layered defenses
       • Protection at the edge
       • Protection at the application domain
       • Protection at the server
     • Integration with infrastructure
       • Information store
       • Application transport stack
       • Application APIs
     • Zero-day protection

  12. Ring 1: Internet Network Edge
     Ring 1: The Internet Network Edge requires high speed packet processing to quickly determine the destination port and the validity of layer 4 and below information.
     Protection at this level is intended to prevent unauthorized access to services on the corporate network that are not explicitly allowed for remote access. The Internet Edge firewall should NOT be your most secure or sophisticated firewall; it should be your fastest. Basic packet filtering, and allow inbound traffic only to services published for remote use.

  13. Ring 2: Backbone Edge
     Ring 2: The Backbone Edge provides a common network to which all other corporate network segments connect.
     Protection at this level is intended to provide user/group agnostic stateful packet inspection of both inbound and outbound traffic. Traffic moving inbound and outbound to and from the Internet is distributed among a great number of backbone edge firewalls. This allows for less traffic per firewall and a greater degree of protection. Stateful packet inspection and RFC compliance checking. Content filtering of both inbound and outbound traffic. These firewalls are user/group agnostic and do not provide granular user/group access control.

  14. Ring 3: Asset Network Edge
     Ring 3: The Asset Network Edge requires strong outbound user/group access control.
     Protection at this level is intended to provide deep application layer inspection and strong user/group based access control for inbound and outbound access. The Asset Network Edge firewall should be your MOST SOPHISTICATED firewall. All incoming traffic is subjected to deep application layer inspection. All egress traffic is inspected according to granular user/group-based access control permissions.

  15. Ring 4: Host-based Security
     Ring 4: Host-based Security is the most important and most neglected security ring. It includes host-based firewalls, disabling unused services to minimize an application's "attack surface", and ensuring that applications are properly configured.
     Protection at this level is intended to provide the last layer of defense for your vital assets. Host-based firewalls control which applications can send and receive data. IPSec policy can be used to control what is allowed from and to specific hosts. Anti-virus, anti-spam, anti-malware.

  16. Exchange Prescriptive Security Model
     • Layered defenses
       • Protection at the edge
       • Protection at the SMTP gateway
       • Protection at the server
     • Integration with infrastructure
       • Information store
       • SMTP transport stack
       • Exchange MTA
       • OWA
     • Zero-day protection

  17. How is This Different?
     • Break the problem down in layers
     • Identify the privacy, authentication / authorization, and integrity issues at each layer of the OSI stack
     • Secure from the inside and look out
     • Each application has its own security requirements / declarations
       • Defined in Active Directory
     • Best Practice = Positive Security Policy
       • Only propagate traffic that satisfies the application's security declarations
     • Active Directory is the "silver bullet"

  18. Microsoft Exchange Asset Protection Challenges
     The Holy Trinity of Messaging Security:
     • Confidentiality
       • Managing access within compliance controls
       • Prevent eavesdropping and unauthorized data export
     • Integrity
       • Compromise of message data stores
       • Malicious code insertion
     • Availability
       • Limit service downtime
       • Avert exploit related outages

  19. Secure Messaging Essentials
     • Using standards to increase email security:
       • RFC 2821, RFC 2822, MIME, S/MIME, and TLS
     • Mitigating the threats associated with Spam and Malware
     • Mitigate content-borne exploits

  20. Using Standards to Increase Email Security: Peel The Onion, Security Concerns at Every Layer
     • RFC 2821
       • Things that happen at the TCP/IP layer and below
       • The MTA
       • Identify RFC 2821 issues: the message envelope
     • RFC 2822
       • Inspect the message body
     • RFC 2045-2049
       • MIME
     • Secure content management
       • Identify and block malware
       • E-mail policy enforcement

  21. Email Sits On Top of TCP/IP
     • A wide variety of TCP/IP risks
       • IP datagrams and source IP addresses are easily spoofed
       • IP fragmentation can fool simple firewalls and IDS sensors
       • IP is not usually encrypted
       • TCP state machines enable attackers to consume resources and deny services
       • TCP connections can be spoofed
       • TCP connections are easy to reset
       • DDoS attacks can consume all resources and open process slots on servers
       • DNS information is typically not authenticated, yet must be trusted
       • DNS root servers are outside the company's scope of control
     • Solving these problems is not unique to messaging

  22. RFC 2821- The Message Envelope

  23. Security Issues within RFC 2821
     • Authentication & Authorization: Is the sender who he claims to be? Is the MTA an open relay? Is source routing allowed?
     • Privacy: Can anyone read this message?
     • Integrity

  24. Security Issues Within RFC 2821
     • Authentication & Authorization
     • Privacy
     • Integrity: How many of these? DNS lookup? LDAP lookup? Storage issues? Bandwidth issues? No 'quit'?

  25. Securing RFC 2821
     • Authentication & Authorization
       • Bastion Authentication at the NS Series SMTP gateway
       • Proper Mail Server Configuration
         • No open relay
       • Sender ID
         • Publish DNS records declaring who can send mail for a particular domain ("Sender Permitted From")
         • Parse those records and define policies for the recipient SMTP MTA
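The two Sender ID bullets describe one loop: the sending domain publishes a record naming its permitted sources, and the receiving MTA evaluates the connecting address against that record and applies a policy to the result. The following added example (not code from the presentation or from the NS Series gateway) walks a "v=spf1" record, the Sender Permitted From format the slide refers to, against a client address and maps the outcome to an MTA action. DNS is replaced by a constructed in-memory map so it runs offline; the domains, addresses and records are illustrative only, and only the ip4, a, include and all mechanisms are handled.

```python
# Added example (not from the presentation): evaluate a published v=spf1
# record for a connecting client address, then choose the recipient MTA's
# policy. The DNS data below is constructed for this example.
import ipaddress

# Constructed stand-in for DNS TXT and A records (assumption).
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 a:mail.example.com include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.10 ~all",
}
A_RECORDS = {"mail.example.com": ["203.0.113.5"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10          # guard against include: loops


def evaluate_spf(domain: str, client_ip: str, depth: int = 0) -> str:
    """Walk the record's mechanisms left to right; the first match decides."""
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = TXT_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"           # domain publishes no policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        if mechanism == "all":
            matched = True
        elif mechanism == "ip4":
            matched = ip.version == 4 and ip in ipaddress.ip_network(argument, strict=False)
        elif mechanism == "a":
            matched = str(ip) in A_RECORDS.get(argument or domain, [])
        elif mechanism == "include":
            matched = evaluate_spf(argument, client_ip, depth + 1) == "pass"
        else:
            return "permerror"  # mechanism not supported by this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"            # record exhausted without a match


def recipient_policy(result: str) -> str:
    """Policy the receiving SMTP MTA applies to the envelope sender's domain."""
    return {
        "pass": "accept",
        "fail": "reject",
        "softfail": "accept and tag for spam scoring",
    }.get(result, "accept without assertion")


if __name__ == "__main__":
    for ip in ("192.0.2.77", "203.0.113.5", "198.51.100.10", "198.51.100.11"):
        result = evaluate_spf("example.com", ip)
        print(f"{ip:15s} {result:9s} -> {recipient_policy(result)}")
```

Note that an include: only contributes a match when the included record returns pass; the included domain's "~all" softfail does not propagate, so an address covered by neither record ends at the outer "-all" and is rejected.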

  26. Securing RFC 2821
     • Privacy
       • Transport Layer Security (TLS)
         • Encrypt the data path between cooperating MTAs
       • Digital Certificates
         • Required to bring up the SSL/TLS channel
     • Integrity
       • Smart MTAs
         • Email rate limiting
         • Resource conservation mode
         • SMTP ext. (size)
         • LDAP & DNS rate limiting

  27. RFC 2822 – The Message Body

  28. Security Issues Within RFC 2822
     • Authentication & Authorization
       • Envelope != Body
     • Privacy
       • Plaintext message
     • Integrity
       • Confusing headers
       • Spam
       • Bodies that contain malware

  29. Securing RFC 2822
     • Virtually Impossible
     • Authentication & Authorization
       • The envelope and body headers often do not match for legitimate reasons.
     • Privacy
       • Use S/MIME with PGP or PKI
       • Built into Outlook
     • Integrity
       • Clean up headers and MIME formatting prior to Spam filtering

  30. Securing HTML Email
     • Three options for identifying content type:
       • MIME Type
       • Name
       • Fingerprint (image)
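The three options on the slide give three independent answers to "what is this attachment?", and the useful check is whether they agree: the declared MIME type and the file name are both set by the sender, while the fingerprint (the leading bytes) reflects the actual content. The following is an added example, not code from the presentation; it identifies content all three ways and reports a mismatch when the sender-controlled labels disagree with the fingerprint. The signature table and extension map are a small constructed subset.

```python
# Added example (not from the presentation): identify an attachment's type by
# declared MIME type, by file name and by fingerprint, and flag disagreement.
import os

# Leading-byte signatures (constructed subset for this example).
MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"%PDF": "application/pdf",
    b"MZ": "application/x-msdownload",   # Windows PE executable
}
# Extension map (constructed subset; a real deployment would use a full table).
EXTENSIONS = {
    ".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".png": "image/png",
    ".gif": "image/gif", ".pdf": "application/pdf", ".exe": "application/x-msdownload",
}


def type_from_fingerprint(data: bytes):
    """Option 3: what the bytes say."""
    for signature, mime in MAGIC.items():
        if data.startswith(signature):
            return mime
    return None


def type_from_name(filename: str):
    """Option 2: what the file name claims."""
    return EXTENSIONS.get(os.path.splitext(filename)[1].lower())


def classify(declared_mime: str, filename: str, data: bytes) -> dict:
    """Return all three identifications and a verdict.

    The fingerprint is the only evidence the sender cannot set with a header,
    so it is the authority; the declared type and the name are checked against it.
    """
    by_fingerprint = type_from_fingerprint(data)
    by_name = type_from_name(filename)
    by_declared = declared_mime.split(";")[0].strip().lower() or None   # option 1
    if by_fingerprint is None:
        verdict = "unknown"            # no signature matched: treat as suspect
    elif by_declared == by_fingerprint and (by_name is None or by_name == by_fingerprint):
        verdict = "consistent"
    else:
        verdict = "mismatch"
    return {"declared": by_declared, "name": by_name,
            "fingerprint": by_fingerprint, "verdict": verdict}


if __name__ == "__main__":
    # Constructed samples: a genuine JPEG, and an executable dressed as a JPEG.
    print(classify("image/jpeg", "photo.jpg", b"\xff\xd8\xff\xe0constructed"))
    print(classify("image/jpeg", "photo.jpg", b"MZ\x90\x00constructed"))
```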

  31. Embedded Content Issues
     Anything not supposed to be sent in email:
     • Malware
     • Viruses
     • Worms
     • Bots
     • Spyware
     • Malicious Mobile Code
     • Spam

  32. Secure Content Management Requirements
     • "Zero-Day Mitigation against attacks" that take advantage of software vulnerabilities for which there are no available fixes, neither virus signatures nor security patches.
     • Protection during the time lag between the emergence of a new virus, worm, hostile mobile code or other yet unknown malicious code and the signature update required by the anti-virus scanner to unerringly block the new threat.
     • Guards corporations during the time lag between the appearance of a new exploit and the availability/roll-out of a security patch.
       • The release of a single Microsoft Windows security patch often takes 60 to 90 days.
       • Microsoft Windows cumulative patches (service packs plugging several security holes at once) are released just about once every one to three years.
     • "Malicious hackers are getting much more sophisticated and faster at exploiting application vulnerabilities. The threat of zero-day attacks that take advantage of software vulnerabilities for which there are no available fixes are starting to be viewed as a major threat to data security." (IDC, August 2004)
     • "The 2003 onslaught of viruses and worms such as Blaster, Nachi, and SoBig not only highlights the importance of keeping security solutions up to date, it also shines a spotlight on the growing need for more proactive security products and services." (IDC, August 2004)

  33. Improving Confidentiality
     • SMTP was not designed to protect message confidentiality.
     • Messages are exposed to anyone who has the tools to sniff packets flowing by.
     • Given the mobile nature of today's workforce, messages can be more exposed than you think.

  34. Improving Confidentiality with Authorization & Trust
     • Authorization
       • Authentication at the Bastion Host
       • Policy based access enforcement
       • Outbound and Inbound policy enforcement
     • Client Side Policy Enforcement
       • Establish Trust relationship between client and host
       • Trust continually tested against behavior

  35. Conventional Process: Authentication occurs at the Exchange Server, so the attacker is already in your network!
     Figure: Internet client -> Exchange Server. The connection is established with the Exchange Server without knowing if the connection request is valid for Exchange; user authentication (Exchange Authentication) happens only afterwards, at the Exchange Server.

  36. Authentication at the Bastion Host: Authentication occurs at the Firewall, before gaining access to the Exchange Server
     Figure: Internet client -> NS Series Authentication (Exchange Authentication at the Firewall, backed by Active Directory or RADIUS) -> Exchange Server. The connection is only established if the user and the request are validated.

  37. Improving Confidentiality with Pre-authentication at the NS Gateway
     • Works with Outlook 2003, OWA, OMA and Exchange ActiveSync
     • Prevents unauthenticated connections from reaching the Exchange Server Web site
     • Attackers cannot launch password guessing and DoS attacks using unauthenticated connections
     • Only after the user is authenticated and authorized is the connection allowed to the Exchange site
     • Multiple authentication options available:
       • Windows integrated and basic authentication
       • Forms-based authentication
       • Two-factor authentication
       • RADIUS authentication

  38. Improving Confidentiality with Outlook Web Access Forms-based Authentication
     • Works with OWA
     • Prevents "piggybacking" attacks
     • Prevents caching of user credentials and intruder re-use of user credentials
     • Automatically logs off users when they leave the OWA site
     • Automatically logs off users after a pre-configured time-out period
     • Automatically logs off users when they close the browser
     • Prevents accessing attachments with sensitive corporate data

  39. Improving Confidentiality with Secure Exchange RPC Filter
     • Supports anywhere information access using the full Outlook MAPI client (97/98/2000/2002/2003)
     • Users use the same mail program no matter the location
     • The NS firewall powered by ISA Server 2004 is the only firewall solution that can provide the same level of access for the full Outlook MAPI client from any location in a secure manner
     • Forces an encrypted channel between the Outlook MAPI client and Exchange
     • Blocks Blaster and other RPC worms
     • Enables the "Outlook Just Works" scenarios
     • Outlook 2003 can use both Secure Exchange RPC and RPC over HTTP (SSL VPN) to access Exchange information

  40. Improving Integrity
     Two important measures of integrity:
     • Messaging data is free from corruption.
     • Messages are protected against tampering.
     Objective: Keep bad or corrupt data out of the message store.

  41. Microsoft Exchange Attack Vectors
     • Blended Threats
       • Compromised LAN and VPN based hosts
       • Anonymous External Attacks
     • Embedded Vandals
       • Malware and Virus
       • Encrypted Vehicles
     • Directed Attacks
       • Script Kiddies
       • Black Hats
     • Protocol Based Exploits
       • Method Attacks
       • DDOS and Availability Compromise

  42. Microsoft Internet Security and Acceleration (ISA) Server 2004 Exchange Protection: Defense in depth
     • Network Protection
       • Encrypted Content Inspection (VPN/SSL)
       • RPC and HTTP Proxy
     • Content Filtering and Application Inspection
       • Method Policing
       • Exploit Detection
     • Authentication
       • Forms Based Authentication
       • Bastion Authentication
       • Full AD Integration
     • Access Control
       • Inbound and Outbound Policy Enforcement

  43. HTTP Security Filter
     • Fully inspects incoming Outlook 2003 RPC over HTTP, OWA, OMA and Exchange ActiveSync connections
     • Prevents HTTP-based hacker exploits that steal or destroy Exchange hosted information
     • Microsoft has done the footwork ahead of time to provide information about proprietary HTTP extensions; these are used to configure the HTTP Security filter
     • Blocks sending and receiving forbidden file types
     • Blocks buffer overflows
     • Blocks everything except what is required for RPC over HTTP, OWA, OMA and Exchange ActiveSync connections

  44. SSL to SSL Bridging
     • Non-ISA Server 2004 firewalls pass exploits, worms and hack/attack communications uninspected through the firewall
     • ISA Server 2004 prevents hackers, worms and other exploits from being hidden inside an "SSL tunnel"

  45. SSL to SSL Bridging
     • One of the NS/ISA Server 2004 major differentiating technologies.
     • Enables the HTTP Security Filter to perform stateful application layer inspection on information moving through the firewall.
     • Works with Outlook 2003 SSL "VPN", OWA, OMA, and Exchange ActiveSync
     • Also enables application layer inspection for HTTP commands made to any other SSL "VPN" solution

  46. Application Layer Filtering with ISA Server
     Figure (traditional firewall): Internet client -> (SSL) traditional firewall -> (SSL) OWA server. SSL creates an express lane through enterprise defenses because it is encrypted, which allows viruses and worms to pass through undetected and infect internal servers. The OWA server prompts for authentication, and any Internet user can access this prompt.
     Figure (ISA Server ALF): Internet client -> (SSL) ISA Server ALF -> (SSL or HTTP) OWA server. ISA Server can decrypt and inspect SSL traffic, so it can stop Web attacks at the network edge even over encrypted SSL; inspected traffic can be sent to the internal server re-encrypted or in the clear. ISA Server pre-authenticates users (basic authentication delegation), eliminating multiple dialog boxes and only allowing valid traffic through.

  47. SMTP Security Filter and SMTP Message Screener
     • Works with the full Outlook MAPI client, Outlook Express, generic SMTP e-mail clients and inbound Internet mail server connections
     • Prevents buffer overflow attacks against Exchange SMTP services
     • SMTP message screener offloads processing of spam and unwanted e-mail attachments from dedicated e-mail hygiene devices
     • Message screener blocks based on attachments, keywords, and source and destination addresses
     • Increases performance of the e-mail solution and allows mail to appear in users' inboxes more quickly
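The screener bullet names three rule classes: attachments, keywords, and source and destination addresses. The following added example (not code from the presentation or from ISA Server's SMTP Message Screener) shows what such a screener does at the gateway: it parses one RFC 2822 message with Python's email module, applies the three rule classes, and returns the findings with a block/deliver verdict. The rule lists and both sample messages are constructed for the example, and the addresses in them are illustrative.

```python
# Added example (not from the presentation): a minimal gateway message screener
# applying attachment, keyword and address rules to a parsed MIME message.
import email
import os
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed rule lists (assumption: what a site might configure).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".vbs"}
BLOCKED_KEYWORDS = {"free prize", "act now"}
BLOCKED_SENDER_DOMAINS = {"spam.example.net"}
BLOCKED_RECIPIENTS = {"everyone@corp.example"}   # e.g. a list closed to outside mail


def screen_message(raw: bytes) -> dict:
    """Return the findings and a verdict for one raw RFC 2822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # Source and destination address rules.
    _, sender = parseaddr(str(msg.get("From", "")))
    if sender.rsplit("@", 1)[-1].lower() in BLOCKED_SENDER_DOMAINS:
        findings.append(f"sender domain blocked: {sender}")
    for rcpt in msg.get_all("To", []) + msg.get_all("Cc", []):
        _, addr = parseaddr(str(rcpt))
        if addr.lower() in BLOCKED_RECIPIENTS:
            findings.append(f"recipient blocked: {addr}")

    # Keyword rules over the subject and the text body.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = (str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")).lower()
    for keyword in sorted(BLOCKED_KEYWORDS):
        if keyword in text:
            findings.append(f"keyword matched: {keyword}")

    # Attachment rules by file extension.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in BLOCKED_EXTENSIONS:
            findings.append(f"attachment type blocked: {name}")

    return {"verdict": "block" if findings else "deliver", "findings": findings}


def build_sample(spammy: bool) -> bytes:
    """Construct a message; spammy=True trips every rule class at once."""
    m = EmailMessage()
    m["From"] = "Promo <deals@spam.example.net>" if spammy else "Alice <alice@partner.example>"
    m["To"] = "everyone@corp.example" if spammy else "bob@corp.example"
    m["Subject"] = "Your FREE PRIZE is waiting" if spammy else "Q3 report"
    m.set_content("Act now to claim." if spammy else "Attached as discussed.")
    if spammy:
        m.add_attachment(b"MZ\x90\x00constructed", maintype="application",
                         subtype="octet-stream", filename="claim.exe")
    else:
        m.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                         subtype="pdf", filename="q3.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    for label in (True, False):
        print("spammy" if label else "clean", screen_message(build_sample(label)))
```

Extension matching is the weakest of the three rules on its own (a renamed file passes it), which is why slide 30's fingerprint check belongs beside it in a real screener.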

  48. Improving Integrity with Layered Anti-Virus Protection
     Scan messages in three locations:
     • At the gateway
       • Content filtering
       • SPAM filtering
     • On the Exchange servers
     • On the client

  49. Improving Integrity with Network Engines ISA plugin Cooperative Enforcement (NICE)
     Extend core ISA functionality with:
     • Thoroughly tested 3rd-party plugins
     • Fully integrated into NEWS
     • Completely supported
     6-month plan:
     • Web content filtering: Secure Computing SmartFilter, SurfControl Web Filter
     • Sybari Antigen
     • Anti-Spam: Sybari Advanced Spam Defense
     • SOAP/XML: Forum XWALL

  50. The Network Engines NS Series Security Appliance Family
     Full-featured 3rd Generation Network Security Appliance:
     • Application Layer Protection Powered by Microsoft® Internet Security and Acceleration (ISA) Server 2004
     • Hardened / Headless
     • "One Touch" Update Management
     • Remote Management with NEWS™ (Network Engines Web Services)
