2
Continuing from Yesterday
Scripting IPSec
NAT-T
3
Scripting IPSec
netsh ipsec is the starting point
4
NAT Traversal – the problem
NAT device cannot update IPSec auth-data
• Hash includes IP address of source
• When NATted, the recipient will get data from a ‘different’ IP address
IKE ports cannot be changed (UDP 500)
See http://tinyurl.com/2j99q for more information about NAT issues
5
NAT-T Changes
UDP encapsulation for ESP
• A UDP header is placed between the outer IP header and the ESP header, encapsulating the ESP PDU. The same ports that are used for IKE are used for UDP-encapsulated ESP traffic.
A modified IKE header format
• The IPSec NAT-T IKE header contains a new Non-ESP Marker field that allows a recipient to distinguish between a UDP-encapsulated ESP PDU and an IKE message. IPSec NAT-T-capable peers begin to use the new IKE header after they have determined that there is an intermediate NAT.
A new NAT-Keepalive packet
• A UDP message that uses the same ports as IKE traffic, contains a single byte (0xFF) and is used to refresh the UDP port mapping in a NAT for IKE and UDP-encapsulated ESP traffic to a private network host.
A new Vendor ID IKE payload
• This new payload contains a well-known hash value, which indicates that the peer is capable of performing IPSec NAT-T.
6
NAT-T (continued)
A new NAT-Discovery (NAT-D) IKE payload
• This new payload contains a hash value that incorporates an address and port number. An IPSec peer includes two NAT-Discovery payloads during Main Mode negotiation—one for the destination address and port and one for the source address and port. The recipient uses the NAT-Discovery payloads to discover whether a NAT translated addresses or port numbers, and, based on which addresses and ports were changed, which peers are located behind NATs.
New encapsulation modes for UDP-encapsulated ESP transport mode and tunnel mode
• These two new encapsulation modes are specified during Quick Mode negotiation to inform the IPSec peer that UDP encapsulation for ESP PDUs should be used.
A new NAT-Original Address (NAT-OA) IKE payload
• This new payload contains the original (untranslated) address of the IPSec peer. For UDP-encapsulated ESP transport mode, each peer sends the NAT-OA IKE payload during Quick Mode negotiation. The recipient stores this address in the parameters for the SA.
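To make the NAT-T changes on the two slides above concrete, here is an added Python example (not from the deck and not Microsoft's implementation). It models three of the mechanisms: the Non-ESP Marker that lets a receiver tell UDP-encapsulated ESP from IKE on the shared port, the one-byte 0xFF NAT-Keepalive, and the NAT-D hash over the IKE cookies, address and port that tells each side which peer is behind a NAT. The hash algorithm (SHA-1), the cookie values, and the addresses and ports are constructed sample values; a real negotiation uses the hash agreed in Main Mode.

```python
import hashlib
import struct
from ipaddress import ip_address

# Four zero bytes placed in front of an IKE message on the NAT-T UDP port (4500 in
# the IETF RFCs).  ESP can never begin this way because SPI 0 is reserved, so the
# receiver can demultiplex IKE and ESP arriving on the same port.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
# NAT-Keepalive: a UDP datagram carrying the single byte 0xFF.
NAT_KEEPALIVE = b"\xff"


def encapsulate_ike(ike_msg: bytes) -> bytes:
    """UDP payload for an IKE message once the peers know a NAT is in the path."""
    return NON_ESP_MARKER + ike_msg


def encapsulate_esp(spi: int, seq: int, body: bytes) -> bytes:
    """UDP payload for an ESP PDU: the ESP header (SPI, sequence number) comes first."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved; it would collide with the Non-ESP Marker")
    return struct.pack("!II", spi, seq) + body


def classify_udp_payload(payload: bytes) -> str:
    """What a NAT-T receiver does with a datagram arriving on the shared IKE/ESP port."""
    if payload == NAT_KEEPALIVE:
        return "keepalive"        # refreshes the NAT mapping, carries no data
    if payload.startswith(NON_ESP_MARKER):
        return "ike"              # strip the marker, hand the rest to IKE
    if len(payload) >= 8:
        return "esp"              # SPI + sequence number present, hand to IPSec
    return "invalid"


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload value: HASH(CKY-I | CKY-R | IP | Port).
    SHA-1 is an assumption here; the real hash is the one negotiated in Main Mode."""
    return hashlib.sha1(cky_i + cky_r + ip_address(ip).packed
                        + struct.pack("!H", port)).digest()


def detect_nat(cky_i, cky_r, nat_d_dst, nat_d_src, observed_dst, observed_src):
    """Recipient side of NAT discovery.

    nat_d_dst / nat_d_src: the two NAT-D hashes the sender placed in its Main Mode
    message (its view of the destination and of its own source address and port).
    observed_dst / observed_src: (ip, port) the recipient reads from the packet's own
    IP and UDP headers.  A mismatch means a NAT rewrote that end of the connection."""
    recipient_unchanged = nat_d_hash(cky_i, cky_r, *observed_dst) == nat_d_dst
    sender_unchanged = nat_d_hash(cky_i, cky_r, *observed_src) == nat_d_src
    return {"sender_behind_nat": not sender_unchanged,
            "recipient_behind_nat": not recipient_unchanged}


# Constructed scenario: the initiator sits on a private network behind a NAT that
# rewrites 192.168.1.20:500 to 198.51.100.5:62000; the responder is publicly addressed.
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")
INITIATOR_PRIVATE = ("192.168.1.20", 500)
INITIATOR_AS_SEEN = ("198.51.100.5", 62000)
RESPONDER = ("203.0.113.1", 500)


def example_nat_discovery() -> dict:
    # The initiator hashes the addresses as it sees them ...
    sent_dst = nat_d_hash(CKY_I, CKY_R, *RESPONDER)
    sent_src = nat_d_hash(CKY_I, CKY_R, *INITIATOR_PRIVATE)
    # ... and the responder checks them against what the headers actually show.
    return detect_nat(CKY_I, CKY_R, sent_dst, sent_src,
                      observed_dst=RESPONDER, observed_src=INITIATOR_AS_SEEN)


if __name__ == "__main__":
    print(example_nat_discovery())
    for pkt in (NAT_KEEPALIVE, encapsulate_ike(b"\x01" * 28), encapsulate_esp(0x1234, 1, b"data")):
        print(classify_udp_payload(pkt))
```

The detection result is what drives the rest of the slide: only when one side reports `sender_behind_nat` or `recipient_behind_nat` do the peers switch to the marked IKE header, UDP-encapsulated ESP and keepalives.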
7
NAT/IPSec – more Info
IKE Negotiation for IPSec Security Associations
• http://www.microsoft.com/technet/community/columns/cableguy/cg0602.mspx
Windows 2000 IPSec Web Site
• http://www.microsoft.com/windows2000/technologies/communications/ipsec/default.asp
L2TP/IPSec NAT-T Update for Windows XP and Windows 2000
• http://support.microsoft.com/default.aspx?scid=kb;en-us;818043
8
Agenda
Introduction
What is the Perimeter?
Securing with …
• Using Microsoft Internet Security and Acceleration (ISA) Server to Protect Perimeters
• Using Internet Connection Firewall (ICF) to Protect Clients
• Protecting Wireless Networks
• Protecting Communications by Using IPSec
9
Defense in Depth
A layered approach
• Increases an attacker’s risk of detection
• Reduces an attacker’s chance of success
Layers, outermost to innermost, with the controls at each:
• Policies, Procedures, & Awareness – user education
• Physical Security – guards, locks, tracking devices
• Perimeter – firewalls, VPN quarantine
• Internal Network – network segments, IPSec, NIDS
• Host – OS hardening, update management, authentication, HIDS
• Application – application hardening, antivirus
• Data – ACL, encryption
11
Perimeter Connections Overview
Network perimeter includes connections to:
• The Internet
• Branch offices
• Business partners
• Remote users
• Wireless networks
• Internet applications
(Diagram: Main Office LAN connected to a Business Partner LAN, a Branch Office LAN, a Wireless Network, a Remote User and the Internet)
12
Defending The Perimeter
Properly configured firewalls and border routers are the cornerstone of perimeter security
The Internet and mobility increase security risks
VPNs and wireless networking soften the perimeter
Traditional packet-filtering firewalls block only network ports and computer addresses
Most modern attacks occur at the application layer
Perimeter security is useless if the breach comes from the inside
13
Defending at the Client
The client is part of the perimeter too!
Client defenses block attacks that bypass perimeter defenses or originate on the internal network
Client defenses include, among others:
• Operating system hardening
• Antivirus software
• Personal firewalls
Client defenses require configuring many computers
In unmanaged environments, users may bypass client defenses
14
What About Intrusion Detection?
Detects the pattern of common attacks, records suspicious traffic in event logs, and/or alerts administrators
Threats and vulnerabilities are constantly evolving, which leaves systems vulnerable until a new attack is known and a new signature is created and distributed
Is ID really helpful?
16
Firewall Design: Three-Homed
(Diagram: a single firewall with three interfaces – Internet, DMZ and LAN)
17
Firewall Design: Back-to-Back
(Diagram: Internet – External Firewall – DMZ – Internal Firewall – LAN)
18
What Firewalls Do NOT Protect Against
Malicious traffic that is passed on open ports and not inspected at the application layer by the firewall
Any traffic that passes through an encrypted tunnel or session
Attacks after a network has been penetrated
Traffic that appears legitimate
Users and administrators who intentionally or accidentally install viruses
Administrators who use weak passwords
19
Software vs. Hardware Firewalls
Decision factor – Description
• Flexibility – Updating for latest vulnerabilities and patches is often easier with software-based firewalls.
• Extensibility – Many hardware firewalls allow only limited customizability.
• Choice of Vendors – Software firewalls allow you to choose from hardware for a wide variety of needs, and there is no reliance on a single vendor for additional hardware.
• Cost – Initial purchase price for hardware firewalls might be less. Software firewalls take advantage of low CPU costs. The hardware can be easily upgraded, and old hardware can be repurposed.
• Complexity – Hardware firewalls are often less complex.
• Overall Suitability – The most important decision factor is whether a firewall can perform the required tasks. Often the lines between hardware and software firewalls are blurred.
20
Types of Firewall Functions
• Packet Filtering
• Stateful Inspection
• Application-Layer Inspection
• Multi-layer Inspection (including Application-Layer Filtering)
21
Protecting Perimeters
ISA Server has full screening capabilities:
• Packet filtering
• Stateful inspection
• Application-level inspection
ISA Server blocks all network traffic unless you allow it
ISA Server provides secure VPN connectivity
ISA Server is ICSA certified and Common Criteria certified
22
Demonstration 1: Application-Layer Inspection in ISA Server
Web Publishing
23
Traffic That Bypasses Firewall Inspection
SSL tunnels through traditional firewalls because it is encrypted, which allows viruses and worms to pass through undetected and infect internal servers
VPN traffic is encrypted and cannot be inspected
Instant Messenger (IM) traffic often is not inspected and might be used to transfer files
24
Inspecting All Traffic
Use intrusion detection and other mechanisms to inspect VPN traffic after it has been decrypted
• Remember: Defense in Depth
Use a firewall that can inspect SSL traffic
Expand inspection capabilities of your firewall
• Use firewall add-ons to inspect IM traffic
25
SSL Inspection
SSL tunnels through traditional firewalls because it is encrypted, which allows viruses and worms to pass through undetected and infect internal servers.
ISA Server can decrypt and inspect SSL traffic. Inspected traffic can be sent to the internal server re-encrypted or in the clear.
26
Demonstration 2
SSL Inspection in ISA Server
27
ISA Server Hardening
Harden the network stack
Disable unnecessary network protocols on the external network interface:
• Client for Microsoft Networks
• File and Printer Sharing for Microsoft Networks
• NetBIOS over TCP/IP
28
Best Practices
Use access rules that only allow requests that are specifically allowed
Use ISA Server’s authentication capabilities to restrict and log Internet access
Configure Web publishing rules only for specific destination sets
Use SSL Inspection to inspect encrypted data that is entering your network
30
Overview of ICF
What It Is: Internet Connection Firewall in Microsoft Windows XP and Microsoft Windows Server 2003
What It Does: Helps stop network-based attacks, such as Blaster, by blocking all unsolicited inbound traffic
Key Features:
• Ports can be opened for services running on the computer
• Enterprise administration through Group Policy
31
Enabling ICF
Enabled by:
• Selecting one check box
• Network Setup Wizard
• New Connection Wizard
Enabled separately for each network connection
32
ICF Advanced Settings
• Network services
• Web-based applications
33
ICF Security Logging
• Logging options
• Log file options
34
ICF in the Enterprise
Configure ICF by using Group Policy
Combine ICF with Network Access Quarantine Control
35
Best Practices
Use ICF for home offices and small business to provide protection for computers directly connected to the Internet
Do not turn on ICF for a VPN connection (but do enable ICF for the underlying LAN or dial-up connection)
Configure service definitions for each ICF connection through which you want the service to work
Set the size of the security log to 16 megabytes to prevent an overflow that might be caused by denial-of-service attacks
36
Demonstration 3: Internet Connection Firewall (ICF)
Configuring ICF Manually
Testing ICF
Reviewing ICF Log Files
Configuring Group Policy Settings
38
Wireless Security Issues
Limitations of Wired Equivalent Privacy (WEP)
• Static WEP keys are not dynamically changed and therefore are vulnerable to attack.
• There is no standard method for provisioning static WEP keys to clients.
• Scalability: Compromise of a static WEP key by anyone exposes everyone.
Limitations of MAC Address Filtering
• Attacker could spoof an allowed MAC address.
39
Possible Solutions
Password-based Layer 2 Authentication
• IEEE 802.1x PEAP/MSCHAP v2
Certificate-based Layer 2 Authentication
• IEEE 802.1x EAP-TLS
Other Options
• VPN Connectivity
– L2TP/IPsec (preferred) or PPTP
– Does not allow for roaming
– Useful when using public wireless hotspots
– No computer authentication or processing of computer settings in Group Policy
• IPSec
– Interoperability issues
40
WLAN Security Comparisons
WLAN Security Type | Security Level | Ease of Deployment | Usability and Integration
Static WEP | Low | High | High
IEEE 802.1X PEAP | High | Medium | High
IEEE 802.1x TLS | High | Low | High
VPN (L2TP/IPSec) | High | Medium | Low
IPSec | High | Low | Low
41
802.1x
Defines port-based access control mechanism
• Works on anything, wired or wireless
• No special encryption key requirements
Allows choice of authentication methods using Extensible Authentication Protocol (EAP)
• Chosen by peers at authentication time
• Access point doesn’t care about EAP methods
Manages keys automatically
• No need to preprogram wireless encryption keys
42
802.1x on 802.11
Parties: Laptop Computer (wireless 802.11), Access Point, RADIUS Server (Ethernet, RADIUS)
1. 802.11 Associate / Association – Access Blocked
2. EAPOL-Start (laptop → access point)
3. EAP-Request/Identity (access point → laptop)
4. EAP-Response/Identity (laptop → access point), forwarded as Radius-Access-Request (access point → RADIUS server)
5. Radius-Access-Challenge (RADIUS server → access point), delivered as EAP-Request (access point → laptop)
6. EAP-Response (credentials) (laptop → access point), forwarded as Radius-Access-Request (access point → RADIUS server)
7. Radius-Access-Accept (RADIUS server → access point), delivered as EAP-Success (access point → laptop)
8. EAPOL-Key (Key) (access point → laptop) – Access Allowed
43
System Requirements for 802.1x
Client: Windows XP
Server: Windows Server 2003 IAS
• Internet Authentication Service—our RADIUS server
• Certificate on IAS computer
802.1x on Windows 2000
• Client and IAS must have SP3
• See KB article 313664
• No zero-configuration support in the client
• Supports only EAP-TLS and MS-CHAPv2
– Future EAP methods in Windows XP and Windows Server 2003 might not be backported
44
802.1x Setup
1. Configure Windows Server 2003 with IAS
2. Join a domain
3. Enroll computer certificate
4. Register IAS in Active Directory
5. Configure RADIUS logging
6. Add AP as RADIUS client
7. Configure AP for RADIUS and 802.1x
8. Create wireless client access policy
9. Configure clients
• Don’t forget to import the root certificate
45
Access Policy
Policy condition
• NAS-port-type matches Wireless IEEE 802.11 OR Wireless Other
• Windows-group = <some group in AD>
– Optional; allows administrative control
– Should contain user and computer accounts
46
Access Policy Profile
Profile
• Time-out: 60 min. (802.11b) or 10 min. (802.11a/g)
• No regular authentication methods
• EAP type: protected EAP; use computer certificate
• Encryption: only strongest (MPPE 128-bit)
• Attributes: Ignore-User-Dialin-Properties = True
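The exchange diagrammed on the 802.1x on 802.11 slide and the access policy condition and profile on the two slides above fit together in one small model. This added Python example (not the deck's code and not IAS) plays the access point and the RADIUS server: the controlled port stays blocked, passing only EAPOL, until the RADIUS policy condition is met (NAS-Port-Type is Wireless IEEE 802.11 or Wireless Other and the account is in the configured Windows group) and Access-Accept comes back carrying the profile's Session-Timeout and MPPE-128 attributes. The account directory, user and group names, and the way credentials are compared are constructed stand-ins; a real deployment tunnels the credentials inside PEAP or EAP-TLS rather than comparing them in the clear as this toy does.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# NAS-Port-Type (RADIUS attribute 61) values from RFC 2865.
NAS_PORT_TYPE_ETHERNET = 15
NAS_PORT_TYPE_WIRELESS_OTHER = 18
NAS_PORT_TYPE_WIRELESS_80211 = 19
WIRELESS_PORT_TYPES = (NAS_PORT_TYPE_WIRELESS_OTHER, NAS_PORT_TYPE_WIRELESS_80211)


@dataclass
class AccessPolicy:
    """The policy condition (group) plus the profile values from the slides."""
    windows_group: str
    session_timeout: int = 3600            # 60 min for 802.11b; use 600 for 802.11a/g
    encryption: str = "MPPE-128"           # only the strongest encryption
    ignore_user_dialin_properties: bool = True


class RadiusServer:
    """Stand-in for IAS.  `directory` is a constructed account store."""

    def __init__(self, policy: AccessPolicy, directory: Dict[str, dict]):
        self.policy = policy
        self.directory = directory

    def access_request(self, user: str, secret: str, nas_port_type: int) -> dict:
        # Condition: NAS-Port-Type matches Wireless IEEE 802.11 or Wireless Other.
        if nas_port_type not in WIRELESS_PORT_TYPES:
            return {"code": "Access-Reject", "reason": "NAS-Port-Type is not wireless"}
        account = self.directory.get(user)
        # Toy credential check; PEAP/MS-CHAP v2 or EAP-TLS would do this inside EAP.
        if account is None or account["secret"] != secret:
            return {"code": "Access-Reject", "reason": "bad credentials"}
        # Condition: Windows-Group membership (holds user and computer accounts).
        if self.policy.windows_group not in account["groups"]:
            return {"code": "Access-Reject", "reason": "not in wireless group"}
        # Ignore-User-Dialin-Properties = True: the per-account dial-in flag is not
        # consulted, so group membership alone decides.
        if not self.policy.ignore_user_dialin_properties and not account.get("dialin", False):
            return {"code": "Access-Reject", "reason": "dial-in denied on account"}
        return {"code": "Access-Accept",
                "Session-Timeout": self.policy.session_timeout,
                "MS-MPPE-Encryption-Types": self.policy.encryption}


@dataclass
class AccessPoint:
    """802.1x authenticator: the controlled port stays blocked until EAP-Success."""
    radius: RadiusServer
    nas_port_type: int = NAS_PORT_TYPE_WIRELESS_80211
    port_open: bool = False
    log: List[str] = field(default_factory=list)

    def authenticate(self, identity: str, secret: str) -> bool:
        self.log += ["802.11 Associate", "EAPOL-Start", "EAP-Request/Identity",
                     "EAP-Response/Identity", "RADIUS Access-Request",
                     "RADIUS Access-Challenge", "EAP-Request",
                     "EAP-Response (credentials)", "RADIUS Access-Request"]
        reply = self.radius.access_request(identity, secret, self.nas_port_type)
        if reply["code"] == "Access-Accept":
            # Key material is pushed to the client and the controlled port opens.
            self.log += ["RADIUS Access-Accept", "EAP-Success", "EAPOL-Key (Key)"]
            self.port_open = True
        else:
            self.log += ["RADIUS Access-Reject", "EAP-Failure"]
            self.port_open = False
        return self.port_open

    def forward(self, frame_type: str) -> bool:
        """Only EAPOL passes the uncontrolled port; data needs the controlled port open."""
        return frame_type == "EAPOL" or self.port_open


# Constructed directory: alice and the laptop's computer account are in the group, bob is not.
DIRECTORY = {
    "alice": {"secret": "s3cret", "groups": ["Domain Users", "Wireless Users"]},
    "LAPTOP01$": {"secret": "machine-key", "groups": ["Domain Computers", "Wireless Users"]},
    "bob": {"secret": "hunter2", "groups": ["Domain Users"]},
}
POLICY = AccessPolicy(windows_group="Wireless Users")


def new_access_point(nas_port_type: int = NAS_PORT_TYPE_WIRELESS_80211) -> AccessPoint:
    return AccessPoint(RadiusServer(POLICY, DIRECTORY), nas_port_type)


if __name__ == "__main__":
    ap = new_access_point()
    print("data before authentication:", ap.forward("DATA"))
    print("alice:", ap.authenticate("alice", "s3cret"), ap.log[-3:])
    print("data after authentication:", ap.forward("DATA"))
```

The `NAS_PORT_TYPE_ETHERNET` case shows why the policy condition matters: the same IAS server can serve wired 802.1x or VPN clients, and the NAS-Port-Type condition keeps this wireless policy from applying to them.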
47
Wireless Protected Access (WPA)
A specification of standards-based, interoperable security enhancements that strongly increase the level of data protection and access control for existing and future wireless LAN systems
WPA requires 802.1x authentication for network access
Goals
• Enhanced data encryption
• Provide user authentication
• Be forward compatible with 802.11i
• Provide non-RADIUS solution for Small/Home offices
Wi-Fi Alliance began certification testing for interoperability on WPA products in February 2003
48
Best Practices
Use 802.1x authentication
Organize wireless users and computers into groups
Apply wireless access policies using Group Policy
Use EAP-TLS for certificate-based authentication and PEAP for password-based authentication
Configure your remote access policy to support user authentication as well as machine authentication
Develop a method to deal with rogue access points, such as LAN-based 802.1x authentication, site surveys, network monitoring, and user education
50
Overview of IPSec
What is IP Security (IPSec)?
• A method to secure IP traffic
• Framework of open standards developed by the Internet Engineering Task Force (IETF)
Why use IPSec?
• To ensure encrypted and authenticated communications at the IP layer
• To provide transport security that is independent of applications or application-layer protocols
51
IPSec Scenarios
• Basic permit/block packet filtering
• Secure internal LAN communications
• Domain replication through firewalls
• VPN across untrusted media
52
Implementing IPSec Packet Filtering
Filters for allowed and blocked traffic
No actual negotiation of IPSec security associations
Overlapping filters—most specific match determines action
Does not provide stateful filtering
Must set "NoDefaultExempt = 1" to be secure
From IP | To IP | Protocol | Src Port | Dest Port | Action
Any | My Internet IP | Any | N/A | N/A | Block
Any | My Internet IP | TCP | Any | 80 | Permit
53
Packet Filtering Is Not Sufficient to Protect Server
Spoofed IP packets containing queries or malicious content can still reach open ports through firewalls
IPSec does not provide stateful inspection
Many hacker tools use source ports 80, 88, 135, and so on, to connect to any destination port
54
Traffic Not Filtered by IPSec
IP broadcast addresses
• Cannot secure to multiple receivers
Multicast addresses
• From 224.0.0.0 through 239.255.255.255
Kerberos—UDP source or destination port 88
• Kerberos is a secure protocol, which the Internet Key Exchange (IKE) negotiation service may use for authentication of other computers in a domain
IKE—UDP destination port 500
• Required to allow IKE to negotiate parameters for IPSec security
Windows Server 2003 configures only IKE default exemption
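The packet-filtering slide relies on two rules that are easy to get wrong, and the slide above adds a third: overlapping filters are resolved by the most specific match, there is no state, and some traffic is exempt from filtering altogether unless the default exemptions are tightened. The deck also names netsh ipsec as the starting point for scripting. The following added Python example (not part of the deck and not Microsoft code) models the matching and exemption rules over the two-filter table from the packet-filtering slide and then emits the equivalent `netsh ipsec static` commands. The address 203.0.113.10, the policy and filter-list names and the sample packets are constructed; the netsh keywords are the Windows Server 2003 ones, and the CIDR weighting in the matcher is a simplification of the IPSec driver's filter weights.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed stand-in for "My Internet IP"; netsh spells the local host "me".
MY_IP = "203.0.113.10"


@dataclass(frozen=True)
class IpsecFilter:
    src: str        # "any", "me" or a CIDR block such as "198.51.100.0/24"
    dst: str
    protocol: str   # "any", "tcp" or "udp"
    sport: int      # 0 means any port, as in netsh
    dport: int
    action: str     # "permit" or "block"

    @staticmethod
    def _addr_match(spec: str, addr: str) -> bool:
        if spec == "any":
            return True
        if spec == "me":
            return addr == MY_IP
        return ip_address(addr) in ip_network(spec, strict=False)

    def matches(self, pkt: Dict) -> bool:
        return (self._addr_match(self.src, pkt["src"])
                and self._addr_match(self.dst, pkt["dst"])
                and self.protocol in ("any", pkt["protocol"])
                and self.sport in (0, pkt["sport"])
                and self.dport in (0, pkt["dport"]))

    def specificity(self) -> int:
        """Simplified weighting: host address 32, CIDR its prefix length, any 0;
        protocol and each port add 1 when set.  The real driver weights differ in
        detail but follow the same 'more specific wins' idea."""
        def weight(spec: str) -> int:
            if spec == "any":
                return 0
            return 32 if spec == "me" else ip_network(spec, strict=False).prefixlen
        return (weight(self.src) + weight(self.dst) + (self.protocol != "any")
                + (self.sport != 0) + (self.dport != 0))


def is_default_exempt(pkt: Dict, ike_only: bool) -> bool:
    """Traffic the IPSec driver never filters.  ike_only=True is the Windows
    Server 2003 behaviour; False is the older default where broadcast, multicast
    and Kerberos are also exempt (what NoDefaultExempt=1 is meant to tighten)."""
    if pkt["protocol"] == "udp" and pkt["dport"] == 500:           # IKE
        return True
    if ike_only:
        return False
    if pkt["dst"] == "255.255.255.255" or ip_address(pkt["dst"]).is_multicast:
        return True                             # broadcast, 224.0.0.0-239.255.255.255
    return pkt["protocol"] == "udp" and 88 in (pkt["sport"], pkt["dport"])  # Kerberos


def evaluate(filters: List[IpsecFilter], pkt: Dict, ike_only: bool = True) -> str:
    """Return 'exempt', 'permit', 'block' or 'none' (no filter matched)."""
    if is_default_exempt(pkt, ike_only):
        return "exempt"
    hits = [f for f in filters if f.matches(pkt)]
    if not hits:
        return "none"
    return max(hits, key=IpsecFilter.specificity).action   # most specific match wins


def netsh_script(policy: str, filters: List[IpsecFilter]) -> List[str]:
    """Emit netsh ipsec static commands that build an equivalent policy.
    Only any/me addresses are handled; CIDR blocks would also need srcmask=/dstmask=."""
    cmds = ['netsh ipsec static add filteraction name="Permit" action=permit',
            'netsh ipsec static add filteraction name="Block" action=block',
            f'netsh ipsec static add policy name="{policy}"']
    for n, f in enumerate(filters, 1):
        fl = f"{policy} FL{n}"
        cmds += [f'netsh ipsec static add filterlist name="{fl}"',
                 f'netsh ipsec static add filter filterlist="{fl}" srcaddr={f.src} dstaddr={f.dst} '
                 f'protocol={f.protocol} srcport={f.sport} dstport={f.dport} mirrored=yes',
                 f'netsh ipsec static add rule name="{fl} rule" policy="{policy}" '
                 f'filterlist="{fl}" filteraction="{f.action.capitalize()}"']
    cmds.append(f'netsh ipsec static set policy name="{policy}" assign=y')
    return cmds


# The two filters from the packet-filtering slide: block everything to my Internet IP except TCP/80.
SLIDE_FILTERS = [
    IpsecFilter("any", "me", "any", 0, 0, "block"),
    IpsecFilter("any", "me", "tcp", 0, 80, "permit"),
]


def packet(proto: str, dport: int, dst: str = MY_IP, sport: int = 40000) -> Dict:
    """Constructed packet from a remote host; only the fields the filters look at."""
    return {"src": "198.51.100.7", "dst": dst, "protocol": proto, "sport": sport, "dport": dport}


if __name__ == "__main__":
    for p in (packet("tcp", 80), packet("tcp", 25), packet("udp", 500), packet("udp", 88)):
        print(p["protocol"], p["dport"], "->", evaluate(SLIDE_FILTERS, p))
    print("\n".join(netsh_script("Web Server Filter", SLIDE_FILTERS)))
```

Running the model shows the point of the two slides: UDP/88 to the server is blocked once only IKE is exempt but sails past the filters with the older defaults, and because nothing is stateful, a source port 80 packet to any port gets the same treatment as any other packet to that port.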
55
Secure Internal Communications
Use IPSec to provide mutual device authentication
• Use certificates or Kerberos
• Preshared key suitable for testing only
Use Authentication Header (AH) to ensure packet integrity
• AH provides packet integrity
• AH does not encrypt, allowing for network intrusion detection
Use Encapsulation Security Payload (ESP) to encrypt sensitive traffic
• ESP provides packet integrity and confidentiality
• Encryption prevents packet inspection
Carefully plan which traffic should be secured
56
IPSec for Domain Replication
Use IPSec for replication through firewalls
• On each domain controller, create an IPSec policy to secure all traffic to the other domain controller’s IP address
Use ESP 3DES for encryption
Allow traffic through the firewall:
• UDP Port 500 (IKE)
• IP protocol 50 (ESP)
57
Best Practices
Plan your IPSec implementation carefully
Choose between AH and ESP
Use Group Policy to implement IPSec Policies
Consider the use of IPSec NICs
Never use Shared Key authentication outside your test lab
Choose between certificates and Kerberos authentication
Use care when requiring IPSec for communications with domain controllers and other infrastructure servers
58
Demonstration 4: IPSec
Configuring and Testing a Simple IPSec Policy
Configuring and Testing an IPSec Packet Filter
59
Session Summary
Introduction/Defense in Depth
Using Perimeter Defenses
Using ISA Server to Protect Perimeters
Using ICF to Protect Clients
Protecting Wireless Networks
Protecting Networks by Using IPSec
60
Next Steps
1. Stay informed about security
• Sign up for security bulletins: http://www.microsoft.com/security/security_bulletins/alerts2.asp
• Get the latest Microsoft security guidance: http://www.microsoft.com/security/guidance/
2. Get additional security training
• Find online and in-person training seminars: http://www.microsoft.com/seminar/events/security.mspx
• Find a local CTEC for hands-on training: http://www.microsoft.com/learning/
61
For More Information
Microsoft Security Site (all audiences)
• http://www.microsoft.com/security
TechNet Security Site (IT professionals)
• http://www.microsoft.com/technet/security
MSDN Security Site (developers)
• http://msdn.microsoft.com/security
62
Questions and Answers
63