

Server and Domain Isolation: The Next Big Thing in Security

Posted 2017-12-17 17:16:07

Evolving network security
SEC302

Server and Domain Isolation Using IPsec
Steve Riley
Enterprise Security Architect, Security Business and Technology Unit
steve.riley@microsoft.com
http://blogs.technet.com/steriley

The vision
- Endpoints protect themselves from other systems
- Connections are allowed only after authentication
- All communications are authenticated and authorized
- Host health is checked

The value proposition
- Increased security for the corporate network overall
- Increased IT efficiency and ROI on Windows and Active Directory management
- You can do much of this today!

Life without isolation
- Access is granted or denied based on ACLs
- User authentication and authorization are the focus for most IT professionals
- Server and domain isolation will change this!

Without isolation (diagram)
1. User attempts to access a file share
2. User authentication occurs
3. Local policy: check network access permissions
4. Share access is checked
Only the user is authenticated and authorized.

The problems
- All hosts on the network might not be trusted equally by all systems connected
- Difficult to control who or what physically connects to the network
- Unmanaged hosts present an infection threat
- Need to provide connectivity to outsiders (partners, vendors, customers) but limit access
- Large "internal" networks might have independent paths to the Internet
- Difficult to monitor and control "the edge" anymore
- External threats are present somewhere on the internal network
- The network attack surface is all TCP/IP ports and all traffic
- Packet filtering (network firewall) helps, but not when clients communicate inside it
- Defense in depth needs to include application-layer network security
- Theft and abuse of trusted user credentials is often not recognized until it's too late!

© 2001 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.


The solution: isolate computers with IPsec
- Protects all unicast traffic between trusted computers
- Provides end-to-end security
- Authenticates every packet (by default)
- Can encrypt every packet (optional)
- Customizable policy deployed in the domain; no application changes necessary

Where does isolation fit?
- Part of a defense-in-depth approach
- Logically sits between the network and the host layers
- Defense-in-depth model, outermost to innermost: policies, procedures and awareness; physical security; perimeter; internal network; isolation; host; application; data

What are the main benefits?
- Reduces network attacks on isolated computers
- Helps protect against internal attacks
- Provides scalable authentication and encryption for all traffic, even "unsecurable" stuff like SMB ☺

Why IPsec? My network vendor says 802.1X can do this! Well, they're wrong. Stay tuned!

IPsec: the foundation
- Create Active Directory-based IPsec policies with MMC
- Use one of three authentication methods: Kerberos, computer certificates, preshared keys
- IPsec policies are delivered to clients with AD Group Policy
- Available in Windows 2000, XP, 2003

Solution terminology
- Hosts: untrusted, trustworthy, trusted
- Isolation groups: foundational groups, additional groups
- Network access groups


Isolation scenarios

Domain isolation
- Protects hosts from unmanaged machines
- Enforces domain membership (yay!) by requiring machine authentication
- All trusted machines can exchange traffic
- Encryption optional
- Can include stronger server isolation

Server isolation
- Protects high-value servers
- Restricts connectivity to a defined subset of certain people and hosts
- Still must be domain computers
- Encryption optional but common

With isolation (diagram): access is still granted or denied based on ACLs, but both the computer and the user are authenticated and authorized
1. User attempts to access a file share
2. Local policy: IKE negotiation begins
3. Check network access permissions (computer account)
4. IKE succeeds; user authentication occurs
5. Local policy: check network access permissions (user)
6. Share access is checked

How does isolation work?
- Uses IPsec to handle the computer account authentication, ensure data integrity, and provide encryption (if required)
- Uses Group Policy to distribute the IPsec policies and to authorize the computer and user access

How do I implement isolation?
- Organize computers into isolation groups, based on security requirements and data classification
- Identify communication paths: define what's allowed, block everything else
- Create policies to enforce business requirements
- Identify and test a deployment strategy

Foundational groups
- Non-IPsec groups: untrusted systems (the default group); exemptions (trusted infrastructure)
- IPsec groups: isolation domain (the default trusted group); boundary (higher-risk trusted group)


Traffic mapping: foundational
Plan all allowed data communications between foundational groups (ID = isolation domain, BO = boundary, UN = untrusted, EX = exemptions):

#   From  To  Bidirectional  IPsec  Fallback  Encrypt
1   ID    EX  Yes            No     No        No
2   ID    BO  Yes            Yes    No        No
3   ID    UN  No             Yes    Yes       No
4   BO    EX  Yes            Yes    Yes       No
5   BO    UN  No             Yes    Yes       No
6   UN    BO  No             No     No        No
7   UN    EX  Yes            No     No        No

Additional isolation groups
- Driven by business requirements; might not be necessary
- For example, a no-fallback isolation group (NF): blocks outbound communications to untrusted hosts
- Or a require-encryption isolation group (EN): high-security group; all data communications must use encryption

Traffic mapping: additional

#   From  To  Bidirectional  IPsec  Fallback  Encrypt
8   EN    EX  Yes            No     No        No
9   EN    ID  Yes            Yes    No        Yes
10  EN    NF  Yes            Yes    No        Yes
11  EN    BO  No             Yes    No        Yes
12  NF    ID  Yes            Yes    No        No
13  NF    EX  Yes            No     No        No
14  NF    BO  Yes            Yes    No        No

Network access groups
- NAGs are used to explicitly allow or deny access to a system through the network
- Names reflect function: ANAG = allow network access group, DNAG = deny network access group
- Can contain users, computers or groups
- Defined as domain local groups

IPsec policy construction: defined filter actions
- Request mode: accept inbound in the clear, allow outbound in the clear
- Secure request mode: require IPsec inbound, allow outbound in the clear
- Full require mode: all unicast communications require IPsec
- Require encryption mode: only negotiates encryption
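As an added example, not from the deck, here are the four filter actions and a NAG-style authorization expressed with the NetSecurity PowerShell cmdlets (Windows 8 / Server 2012 and later), which replaced the IPsec Policy MMC snap-in the deck used on Windows 2000/XP/2003. The rule names and the group CONTOSO\ANAG-PayrollServers are placeholders; in a real deployment each rule is created in the GPO of its own isolation group (via -PolicyStore) rather than all on one machine as shown here for contrast.

```powershell
# Added example (not the deck's own material). Requires the NetSecurity module.
# Rule and group names are placeholders; each rule belongs in a different isolation group's GPO.

# Phase 1 (main mode): machine Kerberos, the deck's default authentication method.
$machineKerb = New-NetIPsecAuthProposal -Machine -Kerberos
$p1 = New-NetIPsecPhase1AuthSet -DisplayName "Isolation P1 - machine Kerberos" -Proposal $machineKerb

# Phase 2 (extended mode): user Kerberos, so server isolation can authorize the user too.
$userKerb = New-NetIPsecAuthProposal -User -Kerberos
$p2 = New-NetIPsecPhase2AuthSet -DisplayName "Isolation P2 - user Kerberos" -Proposal $userKerb

# Quick mode: AH integrity-only for the isolation domain, ESP with AES for the encryption group.
$integrity = New-NetIPsecQuickModeCryptoSet -DisplayName "Integrity only" `
    -Proposal (New-NetIPsecQuickModeCryptoProposal -Encapsulation AH -AHHash SHA256)
$encrypt = New-NetIPsecQuickModeCryptoSet -DisplayName "Encrypt" `
    -Proposal (New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA256 -Encryption AES256)

# Request mode (build-up phase): negotiate when the peer can, otherwise clear text both ways.
New-NetIPsecRule -DisplayName "Build-up - request mode" -Phase1AuthSet $p1.Name `
    -InboundSecurity Request -OutboundSecurity Request -QuickModeCryptoSet $integrity.Name

# Secure request mode (isolation domain): inbound must be IPsec, outbound may fall back to clear.
New-NetIPsecRule -DisplayName "Isolation domain - secure request" -Phase1AuthSet $p1.Name `
    -InboundSecurity Require -OutboundSecurity Request -QuickModeCryptoSet $integrity.Name

# Full require mode (no-fallback group): all unicast traffic must be IPsec in both directions.
New-NetIPsecRule -DisplayName "No fallback - full require" -Phase1AuthSet $p1.Name `
    -InboundSecurity Require -OutboundSecurity Require -QuickModeCryptoSet $integrity.Name

# Require encryption mode: as full require, but only the encrypting crypto set is offered.
New-NetIPsecRule -DisplayName "Encryption group - require encryption" -Phase1AuthSet $p1.Name `
    -InboundSecurity Require -OutboundSecurity Require -QuickModeCryptoSet $encrypt.Name

# Server isolation with an allow network access group (ANAG): only computers in the group
# may complete negotiation. The SDDL grants (A) the CC right to the group's SID.
$anagSid = ([System.Security.Principal.NTAccount]"CONTOSO\ANAG-PayrollServers").Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
New-NetIPsecRule -DisplayName "Payroll servers - server isolation" `
    -Phase1AuthSet $p1.Name -Phase2AuthSet $p2.Name `
    -InboundSecurity Require -OutboundSecurity Request -QuickModeCryptoSet $encrypt.Name `
    -RequireAuthorization $true -Machine "D:(A;;CC;;;$anagSid)"
```

The -RequireAuthorization/-Machine pair is the descendant of the technique the deck uses on XP, where authorization came from the "Access this computer from the network" user right; a -User SDDL can be added alongside -Machine to require the user group as well. ICMP exemptions and the infrastructure exemptions from the traffic map are separate rules with -InboundSecurity None -OutboundSecurity None scoped by -Protocol or -RemoteAddress.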


Selecting a deployment strategy
- Build up: the policy has exemptions but no requirement for IPsec on secure subnets. The request-mode filter action is used with the secure-subnet filter lists; subnets are slowly added to the secure-subnet filter list and tested
- Deploy by group: the IPsec policy is defined and linked; use groups to control application of the policy

IPsec policies for the MSS solution

Isolation in action (diagram): the Active Directory domain controller is exempted; the domain isolation zone uses optional outbound authentication toward untrusted and unmanaged devices; the server isolation zone requires authentication; authenticating host firewalls protect each host

Domain isolation, untrusted client (diagram)
- User: any type; client: Windows XP SP2, untrusted or non-IPsec-capable
- Server: domain isolation IPsec policy active (requires IPsec for all traffic except ICMP)
- Result: ping succeeds, everything else fails

Domain isolation, trusted client (diagram)
- User: domain member; client: Windows XP SP2, trusted machine
- Server: domain isolation IPsec policy active (requires IPsec for all traffic except ICMP)
- Result: ping succeeds, everything else succeeds over IPsec


Server isolation, unauthorized client (diagram)
- User: domain member; client: Windows XP SP2 "CLIENT2", trusted machine
- Server: server isolation IPsec policy active (requires IPsec for all traffic except ICMP); authorization only for CLIENT1, granted in Group Policy via the "Access this computer from the network" right
- Result: ping succeeds, everything else fails because IKE fails

Server isolation, authorized client (diagram)
- User: domain member; client: Windows XP SP2 "CLIENT1", trusted machine
- Server: server isolation IPsec policy active (requires IPsec for all traffic except ICMP); authorization only for CLIENT1 and this user, granted in Group Policy via the "Access this computer from the network" right
- Result: ping succeeds, everything else succeeds over IPsec

The brokenness of 802.1X

What is 802.1X?
- Port-based access control method defined by IEEE: http://standards.ieee.org/getieee802/download/802.1X-2001.pdf
- EAP provides mutual authentication between devices: ftp://ftp.rfc-editor.org/in-notes/rfc3748.txt
- Works over anything: wired, wireless (http://eagle.auc.ca/~dreid, ftp://ftp.rfc-editor.org/in-notes/rfc2549.txt)

What do you need for 802.1X?
- Network infrastructure that supports it (switches, mostly)
- Clients and servers that support it: supplicants are included in Windows XP and 2003, and available as a download for Windows 2000

Why is it perfect for wireless?
- The supplicant (client) and the authentication server (RADIUS) generate session keys
- Keys are never sent over the air
- Nothing for an attacker to use to conduct impersonation or man-in-the-middle attacks
- Can be managed centrally with GPOs


Why is it useless for wired?
- No GPOs, and we can't retrofit them
- Worse... a fundamental protocol design flaw: 802.1X authenticates only at the start of traffic between client and switch. After the switch port opens, everything after that is assumed to be valid
- These kinds of assumptions allow MITM attacks! (It does require physical access to the network)

The attack (diagram)
1. The victim (1.2.3.4, aa:bb:cc:dd:ee:ff) authenticates to the switch port
2. A second host with physical access to the same link adopts the victim's IP and MAC address (1.2.3.4, aa:bb:cc:dd:ee:ff) and drops inbound traffic not meant for it

Why does it work?
- 802.1X lacks per-packet authentication
- It assumes that post-authentication traffic is valid, based on MAC and IP only
- The switch has no idea what's happened!
- The attacker can communicate only over UDP: the victim would reset any TCP reply it received but didn't send (the victim sees the reply meant for the shadow host)

The attack over TCP (diagram): the shadow sends SYN; the server's ACK-SYN reaches both hosts; the victim, which never sent a SYN, answers with RST and the connection is torn down

But wait! If the victim computer happens to run a personal firewall... which drops unsolicited ACK-SYNs...

The attack, improved (diagram): the shadow sends SYN; the server's ACK-SYN is silently dropped by the victim's firewall; the shadow completes the handshake with ACK. It gets better!
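The victim-side symptom the deck relies on (a TCP reply arriving for a connection the victim never opened) can be turned into a detection heuristic. The PowerShell below is added here and is not part of the deck: it replays constructed packet records through a minimal model of the victim's connection table, flags unsolicited SYN-ACKs as evidence that another host is using the station's address, and reports what the victim's stack does with each one (RST without a host firewall, which tears down the shadow's handshake; silent drop with one, which lets it complete, as in the deck's "improved" attack). UDP records pass through unflagged because the victim keeps no handshake state for them, which is exactly why the attack works over UDP. All addresses and ports are constructed.

```powershell
# Added example (not the deck's own material). Packet records are constructed.
# Each record: Dir ('out'/'in'), Proto, LocalPort, RemoteAddr, RemotePort, Flags (TCP only).
function Find-AddressCloneEvidence {
    param(
        [Parameter(Mandatory)] [object[]] $Packets,
        [switch] $HostFirewallDropsUnsolicited   # the deck's "personal firewall" case
    )
    $mySyns   = @{}   # flows for which this station itself sent a SYN
    $findings = @()
    foreach ($p in $Packets) {
        # UDP has no handshake state on the victim, so a reply meant for the shadow
        # is indistinguishable from a reply to us: nothing to flag here.
        if ($p.Proto -ne 'TCP') { continue }
        $key = '{0}:{1}->{2}' -f $p.RemoteAddr, $p.RemotePort, $p.LocalPort
        if ($p.Dir -eq 'out' -and $p.Flags -eq 'S') {
            $mySyns[$key] = $true
        }
        elseif ($p.Dir -eq 'in' -and $p.Flags -eq 'SA' -and -not $mySyns.ContainsKey($key)) {
            # A SYN-ACK we never asked for: someone else is sending SYNs with our address.
            $stackAction = if ($HostFirewallDropsUnsolicited) {
                'dropped by host firewall: shadow handshake completes'
            } else {
                'RST sent: shadow handshake torn down'
            }
            $findings += [pscustomobject]@{
                Evidence    = 'unsolicited SYN-ACK for our address'
                Flow        = $key
                StackAction = $stackAction
            }
        }
    }
    return $findings
}

# Constructed traffic: our own SMB connection to 10.0.0.5:445, a SYN-ACK from 10.0.0.9:80 that
# answers a SYN the shadow host sent with our address, and a UDP DNS reply we cannot classify.
$sample = @(
    [pscustomobject]@{ Dir='out'; Proto='TCP'; LocalPort=50001; RemoteAddr='10.0.0.5';  RemotePort=445; Flags='S'  },
    [pscustomobject]@{ Dir='in';  Proto='TCP'; LocalPort=50001; RemoteAddr='10.0.0.5';  RemotePort=445; Flags='SA' },
    [pscustomobject]@{ Dir='in';  Proto='TCP'; LocalPort=31337; RemoteAddr='10.0.0.9';  RemotePort=80;  Flags='SA' },
    [pscustomobject]@{ Dir='in';  Proto='UDP'; LocalPort=53001; RemoteAddr='10.0.0.53'; RemotePort=53 }
)
# Without a host firewall the victim RSTs the shadow's connection; with one, it completes.
Find-AddressCloneEvidence -Packets $sample | Format-Table -AutoSize
Find-AddressCloneEvidence -Packets $sample -HostFirewallDropsUnsolicited | Format-Table -AutoSize
```

In both runs the 10.0.0.9:80->31337 flow is reported and the 10.0.0.5:445 flow is not. The practical consequence is that a host firewall which silently drops unsolicited SYN-ACKs should also log them, since that log is the only place the victim can see the shadow at all; and an attacker who sticks to UDP leaves no such trace, which is the deck's argument for authenticating every packet with IPsec rather than authenticating the port once.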


Microsoft IT implementation (diagram of the Microsoft corporate network)
- SecureNet: clients, servers, home LANs, trustworthy labs (240,000); boundary machines (5,000); labs, Pocket PC, Mac, Xbox, DHCP, WINS (figures on the slide: 75,000; 2,000; 18,000); DC, IAS, DNS
- Untrustworthy: ACL controlled; infrastructure (500); permitted infrastructure; Internet servers, business partners, extranet (1,800); taps (no connectivity to CorpNet); external exclusions

Preparing for Network Access Protection
- Deploy domain isolation to become familiar with IPsec concepts
- NAP will provide a richer enforcement mechanism while adding to server and domain isolation
- Plan and model to add health authentication and the other compliance enforcement mechanisms that network access protection provides
- More guidance available during the Longhorn beta

IPsec roadmap
- Server 2003, Windows XP: isolation by domain or server; authentication of the machine, but no health check; Windows Firewall integration; authenticated bypass capability; overhead offload (10/100 Mb NIC offload for lower CPU)
- "Longhorn" and beyond: extensible isolation (user and machine credentials, health certificates); firewall integration (Windows Filtering Platform); improved administration (one-size-fits-all policy); extensible performance (Gig-E offload for lower CPU)

Learn more
- Server and domain isolation using IPsec and Group Policy: http://go.microsoft.com/fwlink/?linkid=33947
- Microsoft IT experiences with domain isolation: http://www.microsoft.com/technet/itsolutions/msit/security/IPsecdomisolwp.mspx
- IPsec resources: http://www.microsoft.com/ipsec
- Steve Riley, steve.riley@microsoft.com, http://blogs.technet.com/steriley