* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download server
Recursive InterNetwork Architecture (RINA) wikipedia , lookup
TV Everywhere wikipedia , lookup
Server Message Block wikipedia , lookup
Wake-on-LAN wikipedia , lookup
Dynamic Host Configuration Protocol wikipedia , lookup
Deep packet inspection wikipedia , lookup
Computer security wikipedia , lookup
Cross-site scripting wikipedia , lookup
Zero-configuration networking wikipedia , lookup
Extensible Authentication Protocol wikipedia , lookup
Distributed firewall wikipedia , lookup
Wireless security wikipedia , lookup
Cracking of wireless networks wikipedia , lookup
Piggybacking (Internet access) wikipedia , lookup
SEC312 Enabling Secure Remote Access In your environment Steve Riley Sr. Program Manager Security Business and Technology Unit steriley@microsoft.com blogs.technet.com/steriley Our time today Solving the access vs. security dilemma  Understanding the three methods  External access to internal web-based applications  Providing users with “desktop over HTTPS” capabilities  Building full IP-based virtual private networks   When to choose which? The dilemma: access or security  More users require more access from more places     Increase in mobile workers and where they come from (homes, hotels, airports, hotspots) Wireless access is everywhere now No longer just “employee” access: business partners, customers But we can’t compromise security  Remote access increases security risks   Problems with implementing many current solutions    …unmanaged…unpatched…unprotected… High prices Difficult to deploy client side software Ugh! How do we do this? Internal Applications Via the Web Examples What’s in common? Internal application Runs on a web server New business requirement for providing access while not attached to corpnet E-mail (Outlook Web Access)  File sharing (SharePoint varieties)  Custom applications  Security issues  HTTPS is the transport   Provides the necessary privacy for protecting confidential information in transit over the Internet But what about checking the content? Intrusion detection (if you still do this)  Validating conformance to information dissemination policies—email, documents, …  Typical design  Good:  performance    Bad:  security   App  App AD DB Isolates access based on location Protects internal network Tunnel through outside firewall: no inspection Many holes in inside firewall for authentication Anonymous initial connections Improving security  Security goals Inspect SSL traffic  Maintain wire privacy  Enforce conformance to HTML/HTTP    Allow only known URL construction   Block misuse of the protocol Block URL-borne attacks Optionally  Pre-authenticate incoming connections Protect applications with ISA Server  ISA Server becomes the “bastion host”  <a x36dj23s http://... href… 2oipn49v ISA Server     App DB AD Web proxy terminates all connections Decrypts HTTPS Inspects content Inspects URL (with URLScan) Re-encrypts for delivery to web application Protect applications with ISA Server  404  ISA Server Easy authentication to Active Directory Pre-authenticate communications    App DB AD  ISA Server queries user for credentials Verifies against AD Embeds in HTTP headers to application server Requires FP1 New wizards and better rules AuthN delegation requirements    Authenticate at the perimeter Choice of domain membership or RADIUS Client to ISA Server: basic or forms-based authentication      ISA Server presents form and generates cookie Separate timeouts for public and private computers OWA form included; can copy and reuse code for your own forms-based applications ISA Server to web server: basic Won’t work with client certificates  ISA Server has no access to client’s private key Delegation process access-request 401 URL OWA form URL + basic creds form variables access-accept group attribs RADIUS browser WinLogon cookie AD ISA Server data token URL + basic creds data WinLogon token IIS URLScan 2.5  Policy-based URL evaluation Define what’s allowed; drop everything else  Just like you do in your firewall (right?)   Helps protect from attacks that— Request unusual actions  Have a large number of characters  Are encoded using an alternate character set   Can be used in conjunction with SSL inspection to detect attacks over SSL  Yes, the script-kiddie warez do this now, too URLScan specifics  URL canonicalization ..\..\cmd.exe URLScan specifics  URL canonicalization %2e%2e\%2e%2e\cmd.exe URLScan specifics  URL canonicalization %252e%252e\%252e%252e\cmd.exe ? URLScan specifics URL canonicalization  URL length  Content length  Content types  Permitted or blocked headers  Permitted or blocked verbs  Permitted or blocked file extensions  Recall the typical design (OWA example) ExFE SMTP ExBE AD New requirements, new designs   Move critical servers inside for better protection Add ISA Server to your existing DMZ  ISA Server ExFE SMTP   Increase security by publishing web-based applications Few interior FW holes  ExBE AD Use these exact words!  RADIUS (1812, 1813/udp) HTTPS (443/tcp) Results Known good content  Known good URL  Known good user   Dare I say it… trusted access?  Remote Desktop Mechanisms A useful “middle ground” If Users require more access than is possible through standard web browser and web server But Full IP VPNs might be too expensive or too complex or provide too much access Then Consider technologies that display a desktop remotely, probably over HTTPS SSL VPNs Aren’t  VPNs  Appreciably simpler than other remote desktop alternatives  Any more secure than IPsec-based VPNs or HTTPS-protected access to published internal web sites Are  Poorly-named glomming on a trend  A “remote desktop in a browser”  Accessed via web-based front ends  Running proprietary protocols that require some ActiveX or Java add-on Why not call it what it is?  It’s just remote desktop or remote display Certainly not a new idea  Apparently not as sexy as “SSL VPN”   Two products can do this for you now Terminal Services—basic remote desktop display  Citrix Metaframe—more flexible preconfigured remote desktops and application groupings  Remote Desktop client Remote desktop MMC RDP in detail  Based on T-120 family of protocols  Multipoint Communications Service (MCS) (T.122,125)   Generic Conference Control (GCC)    Manages channels and session connections, controls resources Extends core T.Share functionality Two drivers    Channel assignment, priority levels, data segmentation wdtshare.sys—UI, compression, encryption, framing tdtcp.sys—package RDP onto TCP Permits up to 64,000 data transmission channels  Current version uses one channel for keyboard/mouse activity and display output RDP in detail Operates independent of network and transport protocols  Bandwidth preservation  Compression  Caching in RAM and to disk (up to 10 MB for bitmaps)   Supports Network Load Balancing RDP packet creation App App AppApplication App dataApp MCS channels App IP TCP stack wrapping/framing App App Server 2003 enhancements Can connect to real console in admin mode  Group policy control of various options  …profile paths…wallpaper…encryption… WMI provider for scripted TS configuration  ADSI provider for access to per-user TS profiles  TS Manager reduces automatic server enumeration  Can limit users to a single session  Security enhancements   Follows standard Windows paradigms better Remote Desktop Users (RDU) security group contains IDs of allowed users       Most people allow “Everyone” Permits controlling through group policy Can also use Security Policy Editor to grant permissions 128-bit RC4 (“high”) now the default Software Restriction Policies can limit the programs users are allowed to run Server certificates (TLS) in Windows Server 2003 Service Pack 1 Encryption options FIPS  Use Federal Information Processing compliant Standards 140-1 and 140-2 algorithms in both directions  If already configured in the system’s policy, you can’t change it here High  128-bit RC4 in both directions Client  Use whatever the client can support compatible Low  56-bit encryption from client to server; cleartext from server to client Securing Terminal Services  Typical layered approach Physical security of the server computer  Secure configuration of the operating system  Secure configuration of Terminal Services  Proper security of the network path   “Locking down Windows Server 2003 Terminal Server sessions”—registry settings for fine-grained control  Probably not necessary Stopping MITM attacks  Yes, RDP is vulnerable to MITM attacks  SecurityFocus (1 Apr 2003)   RDP, the good, the bad, and the ugly (28 May 2005)   http://www.oxid.it/downloads/rdp-gbu.pdf RDP’s flaw: it doesn’t authenticate the server to the client   http://www.securityfocus.com/archive/1/317244 This is a difficult lesson to learn (PPTP v1, WEP, …) The fix: RDP-TLS in Windows Server 2003 SP 1    Server sends digital certificate to client Standard TLS exchange for authentication and encryption http://support.microsoft.com/?id=895433 Important RDP settings TS Configuration | Connections | RDP-Tcp | Properties End a disconnected session: 3 hours  Active session limit: 1 day  Idle session limit: 15 minutes  TS over the web is cool Deployment Bandwidth Access Rapidly deploy several applications to many users Keep those applications up-to-date Lowest bandwidth requirements Ideal for dial-up scenarios Works on many devices, even some non-Windows Good for older hardware Remote desktop web connection connect to web page http://server/tsweb IIS with RDWC web browser download ActiveX control over HTTP (80/tcp) or HTTPS (443/tcp) connect to TS over RDP (3389/tcp) Terminal Server Full IP VPNs Requirements for remote-access VPN User authentication   Address management   Data encryption  Key management   Restrict network access only to authorized users Provide auditing and accounting records Assign client computer’s address on private network Provide address separation Encrypt user’s data over Internet Keep confidential information private Generate/refresh encryption keys for client and server Important terms Authenticatio Proof that all parties in a transaction are n who they say they are Privacy Only the parties entitled to see the transaction are able to see it Integrity Guarantees that information hasn’t been altered or corrupted enroute Non- Mutual, binding confirmation that a repudiation transaction occurred—the digital analog of a signed contract Authorization Ability to determine what privileges a user has after authentication Authentication What you know What you have  Static passwords One-time passwords (OTP)  Requires possession of a physical object     What you are  Supported for IPsec, SSL/TLS, EAP Authenticates the person     Cryptographic calculators Public key smartcards Fingerprint analysis Retinal scan Speech pattern recognition Not based on a device or knowledge which can be transferred Authorization  Reasons to care about authorization Untrusted users on internal net (vendors, contractors)  Need for different treatment of classes of users   Machine certificates are not enough Makes authorization difficult  Guest has the same privileges as Administrator   Issue addressed in L2TP+IPsec IPsec machine certificates provide integrity protection and encryption  L2TP provides user authentication  LDAP/RADIUS provide authorization  Privacy   What good is it to authenticate and then have data sent in the clear? Privacy achieved through encryption      Implies need for authentication and key management, protected ciphersuite negotiation L2TP+IPsec provides for tunnel authentication, key management, and protected ciphersuite negotiation EAP-TLS (PPTP) provides key management, mutual authentication and protected ciphersuite negotiation MS-CHAP v2 provides key management, mutual authentication for PPTP; encryption is MPPE Physical security does not ensure privacy  Are telco WANs really more secure than IP? Stateful vs. stateless encryption Stateful     Statele ss    Ability to decrypt a packet depends on previous packet(s) If previous packet(s) were lost, you also lose current packet If packets are sent out of order can result in loss where there was none Result is poor performance on lossy networks (like the Internet) Ability to decrypt a packet does not depend on previous packet(s) Method of choice for use over the Internet IPsec and MPPE are stateless Integrity protection What good is it to authenticate and then have your connection hijacked?  Want mutual authentication to ensure against rogue servers  Need per-packet integrity protection  L2TP+IPsec provides for integrity protection on all data and control packets  PPTP v2 (with MS-CHAP v2) offers per-packet integrity protection  Your choice of protocols PPTP     Authenticates human Assigns IP address to remote computer Encrypts session with MPPE (128-bit RC4) Requires good passwords to be secure  L2TP+IPs ec MS-CHAPv2 ciphers based on password  Works over NAT  L2TP    IPsec ESP transport mode    Authenticates human Assigns IP address to remote computer Mutually authenticates computer and server with digital certificates or preshared keys Encrypts session with 3DES Works over NAT finally L2TP+IPsec packet format App data IP np UDP L2TP PPP IP np IP IPsec UDP L2TP PPP App data App data IP np App data IP sec L2TP+IPsec client automatically generates IPsec security rule Windows L2TP always uses UDP source port 1701, dest port 1701 Outbound Filter Source IP = My IP address (Internet) Dest IP = Gateway IP Protocol = UDP Source port 1701, dest port any IPSec IKE negotiation is for dest port = any, so that filter mirror for inbound port = any Inbound Filter Source IP = Gateway IP Dest IP = My IP Address (Internet) Protocol = UDP Source port any, dest port 1701 Allows gateway to float response port (per L2TP RFC 2661) L2TP+IPsec connection is protected L2TP IPsec tunnel IKE negotiation, setup and management machine cert inside authN IPsec Establish IPsec SAs for L2TP port 1701/udp User authN policy enforcement RADIUS AD DC No traffic gets in until:   IPsec SAs are established—strong security based on mutual certificate trust User authenticated in L2TP—all protected by IPSec. PPP could use CHAP, MS-CHAP (userid/password), EAP (smartcard or token card); RADIUS client in gateway permits single sign-on for Active Directory user accounts Where do you put the RRAS server? How about on the firewall? How RRAS+ISA secures connections  Broad protocol support    Authentication     PPTP and L2TP/IPSec IPSec NAT traversal (NAT-T) for connectivity across any network Active Directory uses existing Windows accounts, supports PKI for two factor authentication RADIUS uses non-Windows accounts databases with standards-based integration SecurID provides strong, two-factor authentication using tokens and RSA authentication servers All inbound and outbound traffic is inspected by ISA Server’s protocol filters How RRAS+ISA controls access  Multi-network support   Control which portions of your network are accessible from remote locations Application layer firewall Inspects all traffic to and from remote clients  Ensures conformance to protocol specifications   Network quarantine Perform security checks on client before it’s allowed access to the internal network  Provide mechanism for out-of-date clients to update themselves  Network access quarantine  Client script checks whether client meets corporate security policies Personal firewall enabled?  Latest virus definitions used?  Required patches installed?  Routing table updates disabled?  Password-protected screen saver enabled?  If checks succeed, client gets full access  If checks fail client gets disconnected after timeout period  VPN quarantine process (1) RRAS+ISA assigns client to quarantined VPN clients network, allowing access to limited resources Internal network Quarantine resources RRAS+ISA assigns client to VPN clients network, providing access to internal network Script on client computer checks configuration settings    Client computer connects Script sends “success” notification to RRAS+ISA VPN quarantine process (2) RRAS+ISA assigns client to quarantined VPN clients network, allowing access to limited resources Quarantine resources RRAS+ISA will disconnect client after timeout expires Script on client computer checks configuration settings  Client can update from quarantine resources Client computer connects Script does not send “success” notification to RRAS+ISA Quarantine architecture Quarantine Internet RAS client CM profile • Runs customizable post connect script • Script runs RQC notifier with “results string” RRAS+ISA Listener • RQS receives notifier “results string” • Compares results to possible results • Removes time-out if response received but client out of date • Removes quarantine filter if client up to date IAS Server Quarantine VSAs • Timer limits time window to receive notify before auto disconnect • Q-filter sets temporary route filter to quarantine access How Microsoft Does VPN Current state of RAS at Microsoft      Two-factor authentication for VPN Client placed in quarantine upon connecting Security checks performed while in quarantine Additional usability and security checks run outside of quarantine as part of the connection Three types of connection options:     Direct dial Microsoft-contracted 3rd-party ISP VPN over the Internet (this is >85% of use) All connections end with a VPN session RAS service—quick facts    User base: ~55,000 Microsoft employees and ~25,000 contract employees worldwide Average of 45,000 unique RAS users per month worldwide Remote access devices globally    95 VPN servers, 17 RADIUS servers 18 standalone Cisco dial devices, 51 dial modules on shared Cisco network device Typical weekly RAS connections ~193,233 Total direct dial Total VPN Total RAS over Internet Average connection duration (min.) 11,268 173,532 10,759 134     Special implications of VPN Most use of VPN comes from unsecured networks  Verifying the identity of VPN users requires a higher bar  The higher bandwidth enabled by broadband also increase effectiveness of brute force attacks  Servicing the security needs of a remotely located client brings additional challenges  The RAS security threats Malicious users Unpatched vulnerabilities and weak configurations expose valid network credentials Home users’ machines are frequently attacked Remote network access secured only by passwords Unauthorized activity with valid credentials is difficult to detect and prevent Malicious software Unmanaged and infected remote devices put corporate resources at risk Viruses, trojans, worms Always-on broadband Internet access heightens exposure Addressing the security threats threat requireme nt solution Malicious users Malicious software Two-factor authentication Enforce remote system security configuration Smartcards for RAS logon Connection Manager and RAS Quarantine Strengthening identity with smartcards     Replaced building access cards with proximity+smartcards Remote access policy (RAP) deployed on VPN/RADIUS infrastructure Uses existing self-hosted PKI for digital certificate management Centralized card management team formed to manage card creation, distribution, and support Securing the RAS client  Infrastructure components    Windows 2003 RRAS server (~400-600 ports configured per server) RQS on RRAS server Internet Authentication Services (IAS)      Responsible for authentication and policy setting Can apply different policies based on back end rules (this is how exceptions are granted) Connection Manager Administration Kit (CMAK) ISA Server 2004 Client side components   Custom connection created with CMAK Security scanning scripts—”Secure Remote User” (SRU) Why ISA Server 2004?  Packet size limitation with RADIUS that limits the size of the filter list  Microsoft needs more servers in the quarantine network then the limit allows for:     DCs SRU Servers DNS Management of filter lists is easier with ISA Server 2004 then using IAS filters Connection Manager Provides mechanism to manage phone book entries for service  Enables entry points for actions executed during connection experience  Pre-initialize  Pre-connect  Post-connect  Pre-tunnel  Post-tunnel   SRU runs in various places during the connection Connection Manager Secure Remote User (SRU) Designed and developed by Microsoft IT Enterprise Application Services (EAS)  Performs critical security checks  Windows Firewall on  Internet Connection Sharing off  Patch management  Anti-virus using Computer Associates eTrust  Operating system version compliance   Very flexible, self updating and gathers metrics from the users perspective RAS infrastructure Custom automated reporting User session data transfers, regional IAS / RADIUS servers Active Directory, User groups, Global catalog Domain controller SQL Server central database store Lightweight Directory Access Protocol (LDAP) authorization Secure Remote Procedure Call (RPC) domain authentication IAS proxy server RADIUS authorization Microsoft user account authentication EAP-TLS security authentication (smart card) r a te rpo ft co undary o s o ro Mic work b net Corporate network resources IAS / RADIUS server Direct dial Cisco router Internet Routing and Remote Access VPN server Telephone service MS-CHAP v2 authentication ISP VPN tunnel over broadband connection VPN tunnel over ISP using EAP-TLS connection using VPN tunnel EAP-TLS over dial-up connection Analog / ISDN dial connection through ISP Analog / ISDN dial connection Legend data transfer path authentication transfer path physical dial connections Modem CHAP authentication Remote client Smart card The user experience Average connect experience worldwide is under two minutes  Failed security check results in opportunity to remediate    Microsoft IT design decision Incorrect smartcard PIN results in quick notification Since PIN unlocks card, decision is made locally  Five incorrect PIN entries will lock the smartard; takes a help desk call to unlock  Lessons we learned  Manage change—minimize overlaps       Provide internal and external sites where users can obtain security tools Consider analog dial-up users when designing security scripts Communicate and set user expectations clearly The solution is only as good as the components   Deploy smartcards first Then Connection Manager and security scanning second Monitor and measure each required element Don’t wait until using RAS to bring machine into compliance—encourage proactive security practices So What to Do Now? Resources Everything about VPN and RRAS http://www.microsoft.com/vpn ISA Server info and deployment guides http://www.microsoft.com/isaserver Terminal Server http://www.microsoft.com/terminalserver http://www.awprofessional.com/title/0321336437 promo code: JJSR6437 Steve Riley steriley@microsoft.com blogs.technet.com/steriley http://www.awprofessional.com/title/0321336437 promo code: JJSR6437 © 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary. We invite you to participate in our online evaluation on CommNet, accessible Friday only If you choose to complete the evaluation online, there is no need to complete the paper evaluation © 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
                                             
                                             
                                             
                                             
                                             
                                             
                                             
                                            