12/04/2007 5:00 PM
2005 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary. 1
DMZ’ology
Fred Baumhardt, Security Technology Architect, Microsoft Incubation EMEA
Microsoft Confidential
DMZ Ology • What's the plan?
This is not the way to protect your front DMZ perimeter
Front Traversal • How not to do it
What, How, and Why is a DMZ
DMZ Zoology
In military terms this is where you put your unwanted soldiers (they will die quickly); the main weapon systems are brought to bear on the area, and monitoring is total
A significant border perimeter with complete inspection at a security checkpoint; both sides agree before anything enters (rarely used)
An area where neither side will place heavy weapons (except the attacking side breaking the DMZ rules)
[Diagram: Internet – DMZ – Internal Network]
DMZ Zoology • Military Definition of a DMZ
1.78 metre minimum height for SK soldiers (black belt in martial arts required); US soldiers must be over 6 foot (1.82 M)
Patriotic music played on blaring speakers to the opposition, with message boards doing psychological warfare
More than 1 million troops within 60 km of the DMZ
4 discovered tunnels in the last 20 years under the DMZ
Soldiers from both sides do patrols inside the DMZ
DMZ Zoology • South Korean DMZ
A right way, and a wrong way
An airport-like zone taking traffic inbound and outbound and routing it to a destination – NOT a military control area where, as in the real thing, little passes.
All applications externalise access through this zone. Their data access requirements frequently invalidate rear firewall protection rules
Privacy and integrity requirements usually invalidate front-end firewall rules by encrypting the data that passes through it!
But the name sounds “macho”
[Diagram: Internet – DMZ – Internal Network]
DMZ Zoology • IT Geek's Definition of DMZ
Port-centric, not application-centric, designs are defeated by port-agnostic protocols like RPC
Lack of intelligence in the firewall has caused other devices like network IDS/IPS to emerge
Port consolidation around SMTP and HTTP(S) has continued to erode capability
Web services have finished off the usefulness of old-school firewalls
DMZ Zoology • Firewall Management Challenges
DMZ Zoology • Ideal DMZ Policy Enforcement
Good!!!!! – Only 2 colours!!! (ignore glass)
Bad!!!!! – Pictures! Symbols – not for real “meat eating” firewall admins
Firewalls should be built once and patched (maybe), but never touched afterwards – they should be black boxes
No, I won't open a port for you – but I'll let you tunnel through
Anything smart gets done by something else: load balancing by load balancers, IPS by IPS, etc.
Devices are not dynamic and not application-centric
Attackers ARE application-centric
DMZ Zoology • DMZ Management Challenges
Worms are anonymous – they don't carry your password database…
Pathogens break protocol rules – you wrote a buffer for 72 characters; the attacker sent you 182
Worms send clients something they didn't ask for
Authenticate traffic – stops foreign infection
Enforce protocol rules at the network device – things that break are dropped
Don't process traffic that you didn't ask for; understand protocols and know what to expect
DMZ Biology • Worm Pathology
[Diagram: authentication protocols at each hop between External Clients / Mobile, Firewall, Internet Authentication Server, DC/GC and Internal Clients – labels as on the slide]
External Clients / Mobile to Firewall: HTTP BASIC, Certificates, Limited VPN; Certificates, Full Forms; Full Forms, BASIC, VPN (all types), SecID; SSL tunnel
Firewall to Internet Authentication Server: RADIUS (UDP 1812-13 default)
Firewall to DC/GC: NTLM, Kerberos (RPC, Kerberos), LDAP
Internal Clients to Firewall: DNS, HTTP(S), SMTP, FTP, RPC, POP3, IMAP4, LDAP, IKE, VPNs; Firewall Client Protocol (NTLM, Kerberos)
DMZ Zoology • Authentication at the Perimeter
Front Firewall Traversal
DMZ Traversal
Cleaning and Protecting Applications at the Front Door
Basic auth sends the username (cleartext) and password (base64-encoded, i.e. obfuscated, not encrypted) in a header, so SSL is needed to protect the traffic
Forms-based logons transfer data in clear text, so the logon POST requires encryption; many logon tokens are weakly protected, so the whole session requires continual protection
The presence of SSL creates a zero-day exploit weakness: the front firewall cannot inspect what the encrypted channel carries
Front-end firewalls are thus traversed by anything encrypted
Front Traversal • Most front firewalls traversed
Certificate, Forms, and Basic Authentication
demo: Multi-factor auth from client to ISA Server 2006 using multiple protocols

[Diagram: Internet to traditional firewall to Web Srv/OWA, versus Internet to ISA Server 2006 with HTTP Filter to Web Srv/OWA; callouts as on the slide]
Traditional firewall: the Web server prompts for authentication — any Internet user can access this prompt. SSL tunnels through traditional firewalls because it is encrypted… which allows viruses and worms to pass through undetected… and infect internal servers!
ISA Server 2006 with HTTP Filter, Basic and Forms authentication delegation: ISA Server pre-authenticates users, with Single Sign-on, and only allows auth’d users – it also issues forms cookies, timeouts, and Attachment Blocking for OWA.
ISA Server HTTP Filter (SSL or HTTP): ISA Server can decrypt and inspect SSL traffic and only passes authenticated traffic – no worms, as they are anonymous. Inspected traffic can be sent to the internal server re-encrypted or in the clear.
URLScan for ISA Server: the HTTP filter for ISA Server can stop Web attacks at the network edge, even over encrypted inbound SSL.
Front Traversal • Authentication Delegation
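The pre-authentication gate the slide describes, as an added example in Python (not ISA Server code and not from the original deck): it shows that a Basic header decodes straight back to the cleartext credentials, accepts Basic only over TLS, answers anonymous requests at the edge, and forwards only authenticated ones. The credential store and the function names are this example's own assumptions.

```python
import base64
import hashlib
import hmac

# Constructed credential store for this example (hypothetical): a real edge
# device would delegate the check to a directory, e.g. via RADIUS or Kerberos.
_SALT = "example-salt"

def _digest(password: str) -> str:
    return hashlib.sha256((_SALT + password).encode("utf-8")).hexdigest()

USERS = {"alice": _digest("correct horse")}

def make_basic_header(user: str, password: str) -> str:
    """Build the header a browser sends: Base64 of 'user:password'."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")

def decode_basic(header):
    """Recover (user, password) from an 'Authorization: Basic' header, or None.
    Base64 is an encoding, not encryption: anyone who sees the header gets both."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")
    return user, password

def edge_decision(headers: dict, over_tls: bool) -> str:
    """Pre-authentication at the perimeter. Only an authenticated request that
    arrived over TLS is forwarded; anonymous traffic (worms included) is answered
    here and never reaches the internal web server."""
    if not over_tls:
        return "reject:cleartext"      # Basic credentials would be exposed in transit
    creds = decode_basic(headers.get("Authorization"))
    if creds is None:
        return "challenge:401"         # no usable credentials: send the logon challenge
    user, password = creds
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected, _digest(password)):
        return "challenge:401"         # unknown user or wrong password
    return "forward"
```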
Front Traversal • Protocol Filtration
• SMTunnel and other applications carry payloads through TCP 25
• Attacks like VRFY overflows send long SMTP commands to servers that don't bound their buffers – then exploit the resulting code overflow
• Protocol filtration in application firewalls and IPS is an excellent defence for these cases
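An added example (not the deck's or any product's code) of the protocol filtration this slide describes, which also serves the worm pathology rule earlier that "things that break are dropped": a per-line SMTP command filter in Python that enforces the RFC 5321 line and argument limits and drops anything malformed before it reaches the mail server. The limits are RFC values; the verb list, function names and sample session are this example's assumptions.

```python
import re

# Limits from RFC 5321 section 4.5.3.1: a command line is at most 512 octets
# including CRLF, a reverse/forward path at most 256 octets. Applying the path
# limit to every argument is this example's own (stricter) policy.
MAX_LINE = 512
MAX_ARG = 256
# Verbs this edge filter is willing to relay (an assumption for the example).
ALLOWED_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP",
                 "QUIT", "VRFY", "EXPN", "HELP", "STARTTLS", "AUTH"}

_COMMAND = re.compile(rb"^([A-Za-z]{4,8})(?: (.*))?$")

def filter_command(line: bytes) -> str:
    """Verdict for one raw SMTP command line: 'pass' or 'drop:<reason>'.
    Anything that breaks the protocol rules is dropped at the edge."""
    if not line.endswith(b"\r\n"):
        return "drop:bad-terminator"
    if len(line) > MAX_LINE:
        return "drop:line-too-long"        # e.g. an oversized VRFY line
    body = line[:-2]
    if any(c < 0x20 or c > 0x7E for c in body):
        return "drop:non-printable"        # commands are 7-bit printable ASCII
    m = _COMMAND.match(body)
    if not m:
        return "drop:malformed"
    verb = m.group(1).upper().decode("ascii")
    arg = m.group(2) or b""
    if verb not in ALLOWED_VERBS:
        return "drop:unknown-verb"
    if len(arg) > MAX_ARG:
        return "drop:arg-too-long"
    return "pass"

def filter_session(lines) -> list:
    """Apply the filter to a client's command lines in order; stop relaying at
    the first violation so the rest of the session never reaches the server."""
    verdicts = []
    for line in lines:
        v = filter_command(line)
        verdicts.append(v)
        if v != "pass":
            break
    return verdicts

# Constructed sample session: a normal greeting followed by an oversized VRFY.
SAMPLE = [b"EHLO client.example.test\r\n",
          b"VRFY " + b"A" * 600 + b"\r\n",
          b"QUIT\r\n"]
```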
Authorized SSL VPN applications “injected” into existing infrastructure
Front Traversal • The Front End Portal Approach
An SSL VPN solution consists of:
Tunneling – Transferring web and non-web application traffic over SSL;