DMZ'ology: DMZ Zoology / Front Traversal (Microsoft)
Transcript of slides from download.microsoft.com/download/0/b/e/0be6834f-4fd...
12/04/2007 5:00 PM
2005 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary. 1
DMZ'ology
Fred Baumhardt, Security Technology Architect, Microsoft Incubation EMEA
Microsoft Confidential
DMZ Ology • What's the plan?
This is not the way to protect your front DMZ perimeter
Front Traversal • How not to do it
What, How, and Why is a DMZ
DMZ Zoology • Military Definition of a DMZ
In military terms this is where you put your unwanted soldiers (they will die quickly); main weapon systems are brought to bear on the area; monitoring is total
Significant border perimeter with complete inspection through a security checkpoint; both sides agree before anything enters (rarely used)
An area where neither side will place heavy weapons (except an attacking side breaking the DMZ rules)
[Diagram: Internet – DMZ – Internal Network]
DMZ Zoology • South Korean DMZ
1.78 Meter minimum height for SK soldiers (black belt in martial arts required); US soldiers must be over 6 foot (1.82 M)
Patriotic music played on blaring speakers to the opposition, with message boards doing psychological warfare
More than 1 million troops within 60 Km of the DMZ
4 discovered tunnels in the last 20 years under the DMZ
Soldiers from both sides do patrols inside the DMZ
A right way, and a wrong way
DMZ Zoology • IT Geek's Definition of DMZ
An airport-like zone taking traffic inbound and outbound and routing it to a destination – NOT a military control area where little passes, like reality.
All applications externalise access through this zone. Their data access requirements frequently invalidate rear firewall protection rules.
Privacy and integrity requirements usually invalidate front-end firewall rules by encrypting data through them!
But the name sounds "macho"
[Diagram: Internet – DMZ – Internal Network]
DMZ Zoology • Firewall Management Challenges
Port-centric, not application-centric, designs are defeated by port-agnostic protocols like RPC
Lack of intelligence has caused other devices like network IDS/IPS to emerge
Port consolidation around SMTP and HTTP(S) has continued to erode capability
Web services have finished off the usefulness of old-school firewalls
DMZ Zoology • Ideal DMZ Policy Enforcement
Good!!!!! – Only 2 colours!!! (ignore glass)
Bad!!!!! – Pictures! Symbols! – not for real "meat-eating" firewall admins
DMZ Zoology • DMZ Management Challenges
Firewalls should be built once and patched (maybe), but never touched afterwards – they should be black boxes
"No, I won't open a port for you – but I'll let you tunnel through"
Anything smart gets done by something else: load balancing by load balancers, IPS by IPS, etc.
Devices are not dynamic and not application-centric
Attackers ARE application-centric
DMZ Biology • Worm Pathology
Worms are anonymous – they don't carry your password database...
Pathogens break protocol rules – you wrote a buffer for 72 characters, the attacker sent you 182
Worms send clients something they didn't ask for
Authenticate traffic – this stops foreign infection
Enforce protocol rules at the network device – things that break the rules are dropped
Don't process traffic that you didn't ask for; understand protocols and know what to expect
DMZ Zoology • Authentication at the Perimeter
[Diagram: Internet Authentication Server – Firewall – DC/GC, with Mobile and External Clients outside and Internal Clients inside; edge labels follow]
External side: HTTP BASIC, Certificates, Limited VPN; Certificates, Full Forms; Full Forms, BASIC, VPN (all types), SecurID; SSL tunnel
Firewall to DC/GC and authentication server: NTLM, Kerberos (RPC, Kerberos), LDAP; RADIUS (UDP 1812-1813 default)
Internal side: DNS, HTTP(S), SMTP, FTP, RPC, POP3, IMAP4, LDAP, IKE, VPNs; Firewall Client Protocol (NTLM, Kerberos)
Front Firewall Traversal
DMZ Traversal: Cleaning and Protecting Applications at the Front Door
[Diagram: Internet – DMZ]
Front Traversal • Most front firewalls are traversed
Authenticated traffic uses cryptography to protect the credential/username, token, cookie, hash, etc.
Basic auth puts the username (cleartext) and password (base64 encoding, i.e. obfuscated text) in a header, so SSL is needed to protect the traffic
Forms-based logons transfer data in clear text, so they require encryption for the logon POST; many logon tokens are weakly protected, so they require continual session protection
The presence of SSL causes a zero-day exploit paradigm weakness
Front-end firewalls are thus penetrated by all encryption
demo: Certificate, Forms, and Basic Authentication
Front Traversal • Authentication Delegation
demo: Multi-factor auth from client to ISA Server 2006 using multiple protocols
[Diagram: client – SSL – traditional firewall – Web Srv/OWA, versus client – ISA Server 2006 with HTTP Filter – internal server; callouts follow]
Traditional firewall: the web server prompts for authentication – any Internet user can access this prompt. SSL tunnels through traditional firewalls because it is encrypted... which allows viruses and worms to pass through undetected... and infect internal servers!
ISA Server 2006 with HTTP Filter – Basic and Forms authentication delegation: ISA Server pre-authenticates users, with single sign-on, and only allows authenticated users; it also issues forms cookies, timeouts, and attachment blocking for OWA.
ISA Server HTTP Filter (SSL or HTTP): ISA Server can decrypt and inspect SSL traffic and only passes authenticated traffic – no worms, as they are anonymous. Inspected traffic can be sent to the internal server re-encrypted or in the clear.
URLScan for ISA Server: the HTTP filter for ISA Server can stop web attacks at the network edge, even over encrypted inbound SSL.
Front Traversal • Protocol Filtration
• SMTunnel and other applications carry payloads through TCP 25
• Attacks like VRFY overflows send long SMTP commands to servers that don't trap buffers, then exploit code via the overflow
• Protocol filtration in application firewalls and IPS is an excellent defence for these cases
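An added example (not code from the slides or from Microsoft) tying the Worm Pathology rules to this slide's VRFY case: a small Python filter that enforces SMTP's own command limits at the network device and drops whatever breaks them, so the "wrote a buffer for 72, got 182" input never reaches the server. The limits are RFC 5321's; treating them as hard drop rules at the perimeter, and the sample command stream, are this example's assumptions.

```python
# Added example, not from the slides or Microsoft: SMTP protocol-rule enforcement
# at a network device. Limits follow RFC 5321 section 4.5.3.1 (octets, CRLF
# included); using them as drop rules at the perimeter is this example's choice.
MAX_COMMAND_LINE = 512   # any command line
MAX_LOCAL_PART = 64      # local part of a mailbox
MAX_DOMAIN = 255         # domain part of a mailbox
KNOWN_VERBS = {b"HELO", b"EHLO", b"MAIL", b"RCPT", b"DATA", b"RSET", b"NOOP",
               b"QUIT", b"VRFY", b"EXPN", b"HELP", b"STARTTLS", b"AUTH"}

def check_smtp_command(line: bytes) -> tuple[bool, str]:
    """Return (allowed, reason) for one raw SMTP command line, CRLF included."""
    if len(line) > MAX_COMMAND_LINE:
        return False, f"line is {len(line)} octets, limit {MAX_COMMAND_LINE}"
    if not line.endswith(b"\r\n"):
        return False, "line not terminated by CRLF"
    body = line[:-2]
    if any(b < 0x20 or b > 0x7E for b in body):
        return False, "control or non-ASCII octet in command"
    verb, _, arg = body.partition(b" ")
    verb = verb.upper()
    if verb not in KNOWN_VERBS:
        return False, f"unknown verb {verb!r}"
    if verb in (b"VRFY", b"EXPN", b"MAIL", b"RCPT"):
        # The argument is (or contains) a mailbox: enforce the mailbox limits so
        # an over-long string never reaches a fixed-size server buffer.
        mailbox = arg.split(b":", 1)[-1].strip(b"<> ")
        local, _, domain = mailbox.partition(b"@")
        if len(local) > MAX_LOCAL_PART:
            return False, f"local part is {len(local)} octets, limit {MAX_LOCAL_PART}"
        if len(domain) > MAX_DOMAIN:
            return False, f"domain is {len(domain)} octets, limit {MAX_DOMAIN}"
    return True, "ok"

def filter_session(lines: list[bytes]) -> list[tuple[bytes, bool, str]]:
    """Run the rule set over a captured command stream, one verdict per line."""
    return [(ln, *check_smtp_command(ln)) for ln in lines]

if __name__ == "__main__":
    # Constructed sample stream: a normal exchange plus a 182-octet VRFY argument.
    sample = [b"EHLO mail.example.test\r\n",
              b"VRFY smith\r\n",
              b"VRFY " + b"A" * 182 + b"\r\n",
              b"MAIL FROM:<alice@example.test>\r\n"]
    for raw, ok, why in filter_session(sample):
        print("PASS" if ok else "DROP", raw[:24], why)
```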
Front Traversal • The Front End Portal Approach
Authorized SSL VPN applications "injected" into existing infrastructure
Front Traversal • SSL VPN Class Device
SSL VPN solution comprised of:
Tunneling – transferring web and non-web application traffic over SSL
Client-side security – security compliance check, cache cleaning, timeouts
Authentication – user directories (e.g. Active Directory), strong authentication support, single sign-on
Authorization – allow/deny access to applications
Portal – user experience, GUI
[Diagram: Client – SSL VPN Gateway (Authentication, Authorization, Portal, Tunneling, Security, Management) – Applications (Web, Simple TCP, Other non-Web)]
Front Traversal • Why push protection forward
Rear Firewall Traversal
DMZ Traversal
[Diagram: Internal Network – DMZ]
Rear Traversal • Rear End Traversal
Full tunnel penetration (IPsec tunnels et al.)
Reverse proxy with protocol inspection and auth
Selective port opening with an application-aware device
Selective port opening with a dumb device
Rear Traversal • Ports required by Exchange 2000 • Ports required by Exchange 2003
[Diagram: Exchange 2007 Enterprise Topology – Internet; Edge Transport; Hub Transport (Routing, Hygiene, Routing Policy); Mailbox (Public Folders); Client Access (Applications: OWA; Protocols: ActiveSync, POP, IMAP, RPC / HTTP…; Programmability: Web services, Web parts); Unified Messaging (Voice Messaging, Fax, PBX or VoIP); Other SMTP Servers; Enterprise Network]
TCP 80 for HTTP, 143 for IMAP, 110 for POP, 25 for SMTP
691 for Link State Algorithm routing protocol (2000)
TCP/UDP port 389 for LDAP to Directory Service
TCP port 3268 for LDAP to Global Catalog Server
TCP/UDP port 88 for Kerberos authentication
TCP/UDP port 53 – DNS
TCP port 135 – RPC endpoint mapper
TCP ports 1024+ – RPC service ports (unless DC and Exchange are restricted to a range)
IPsec between the front-end and back-end: open the appropriate ports (ESP, AH), UDP port 500
Rear Traversal • Windows for any forest traffic
Client Port(s)              Server Port      Service
1024-65535/TCP              135/TCP          RPC *
1024-65535/TCP/UDP          389/TCP/UDP      LDAP
1024-65535/TCP              636/TCP          LDAP SSL
1024-65535/TCP              3268/TCP         LDAP GC
1024-65535/TCP              3269/TCP         LDAP GC SSL
53,1024-65535/TCP/UDP       53/TCP/UDP       DNS
1024-65535/TCP/UDP          88/TCP/UDP       Kerberos
1024-65535/TCP              445/TCP          SMB

1024-65535/TCP              135/TCP          RPC *
137/UDP                     137/UDP          NetBIOS Name
138/UDP                     138/UDP          NetBIOS Netlogon and Browsing
1024-65535/TCP              139/TCP          NetBIOS Session
1024-65535/TCP              42/TCP           WINS Replication
Not Applicable              ICMP             Group Policy
Windows Server 2003 and Windows 2000 Server
Mixed-mode domain with either Windows NT domain controllers or legacy clients, or a trust relationship between two Windows Server 2003-based or Windows 2000 Server-based domain controllers that are not in the same forest
Forest Permissions Warning!
Windows 2000 and Windows Server 2003 try to contact the remote user's PDC emulator master for resolution of remote user names over UDP 138. Make sure that all Windows 2000-based and Windows Server 2003-based member servers in DMZs that will be granting access to resources have UDP 138 connectivity to the remote PDC of the domain in question!
RPC • Killing Firewalls since 1983 • RPC invalidates port approaches
[Diagram: RPC client (Outlook) – RPC server (Exchange)]
RPC services grab random high ports when they start; the server maintains a table:
Service          UUID                  Port
Exchange         {12341234-1111…       4402
AD replication   {01020304-4444…       3544
MMC              {19283746-7777…       9233
1. The client knows the UUID of the service it wants ({12341234-1111…}) and connects to the portmapper on the server (port 135/tcp)
2. The client asks, "What port is associated with my UUID?"
3. The server matches the UUID to the current port (4402/tcp)
4. The portmapper responds with the port and closes the connection (no secondary connection)
5. The client accesses the application over the learned port (4402/tcp)
Due to the random nature of RPC, this is not feasible over the Internet: all 64,512 high ports and port 135 must be opened on traditional firewalls
RPC • Traversing Rear FW RPC
• Option 1: Limiting port ranges used by RPC – KB 154596
• Allows all BEHAVIOURS to pass through
• Does not stop any specific attack or application
• Requires the setting on the destination machine, as it controls the RPC DCE sequence
• Uses the Internet key under HKLM\Software\Microsoft\Rpc\Internet: add the values "Ports" (MULTI_SZ), "PortsInternetAvailable" (REG_SZ), and "UseInternetPorts" (REG_SZ)
• Recommended minimum port range is 100
• Can't use DCOM RPC through NAT. DCOM stores raw IP addresses in the interface marshalling packets; if the client cannot connect to the address specified in the packet, DCOM fails
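An added example, not from the slides or from KB 154596, modelling the endpoint-mapper flow of the previous slide and what Option 1 changes for a port-centric rear firewall: the unrestricted rule set must permit 135 plus all 64,512 high ports, the restricted one only 135 plus the configured range. EndpointMapper, rpc_firewall_rules and registry_commands are this example's own names; the registry key and value names are the slide's, and the "Y" contents of the two REG_SZ values are those KB 154596 documents.

```python
# Added example, not from the slides or KB 154596: why the endpoint-mapper flow
# defeats a port-centric rear firewall and what Option 1 buys. Names are this
# example's own; key, value names and the 100-port minimum are the slide's.
import random

EPMAP_PORT = 135
DEFAULT_DYNAMIC = (1024, 65535)      # unrestricted RPC picks from all high ports
MIN_RECOMMENDED_RANGE = 100
RPC_INTERNET_KEY = r"HKLM\Software\Microsoft\Rpc\Internet"

class EndpointMapper:
    """Server-side table of UUID -> port, filled as each RPC service starts."""
    def __init__(self, dynamic_range=DEFAULT_DYNAMIC, seed=None):
        self.lo, self.hi = dynamic_range
        self.table = {}
        self.rng = random.Random(seed)

    def register(self, uuid: str) -> int:
        """Services grab a random free port from the range when they start."""
        free = [p for p in range(self.lo, self.hi + 1) if p not in self.table.values()]
        self.table[uuid] = self.rng.choice(free)
        return self.table[uuid]

    def lookup(self, uuid: str) -> int:   # what the client learns on 135/tcp
        return self.table[uuid]

def rpc_firewall_rules(dynamic_range=DEFAULT_DYNAMIC) -> list[tuple[int, int]]:
    """Server port ranges a port-centric rear firewall must permit for RPC."""
    return [(EPMAP_PORT, EPMAP_PORT), dynamic_range]

def ports_opened(rules) -> int:
    return sum(hi - lo + 1 for lo, hi in rules)

def port_allowed(rules, port: int) -> bool:
    return any(lo <= port <= hi for lo, hi in rules)

def registry_commands(lo: int, hi: int) -> list[str]:
    """reg.exe lines applying the KB 154596 values so RPC only uses lo-hi."""
    if hi - lo + 1 < MIN_RECOMMENDED_RANGE:
        raise ValueError(f"{lo}-{hi} is below the recommended minimum of {MIN_RECOMMENDED_RANGE} ports")
    return [f'reg add {RPC_INTERNET_KEY} /v Ports /t REG_MULTI_SZ /d "{lo}-{hi}" /f',
            f"reg add {RPC_INTERNET_KEY} /v PortsInternetAvailable /t REG_SZ /d Y /f",
            f"reg add {RPC_INTERNET_KEY} /v UseInternetPorts /t REG_SZ /d Y /f"]

if __name__ == "__main__":
    for rng in (DEFAULT_DYNAMIC, (5000, 5099)):   # dumb rule set vs Option 1 range
        epm, rules = EndpointMapper(rng, seed=7), rpc_firewall_rules(rng)
        port = epm.register("{12341234-1111-EXAMPLE}")   # constructed UUID
        print(rng, ports_opened(rules), "ports opened; learned", port, "allowed:", port_allowed(rules, port))
```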
Option 2: Inspection through an RPC-aware firewall
demo: RPC protocol protection by UUID
IPsec • Traversing Rear FW • Option 3: IPsec encapsulation
This is a complete rear firewall bypass – don't fool yourself otherwise.
You can use IPsec tunnel filtering at the host and the client to limit ports inside the tunnel at either endpoint
You don't have to encrypt the traffic – you can leave it ESP Null (and use Authentication Header only); most analysers can't tell the difference
The best way to automate the process is to use the Security Configuration Wizard in Windows Server 2003 to set up the IPsec policy for you.
KB 233256 has info on passing IPsec through firewalls – summarised here:
DMZ Evolution
Change of Times, Change of Threats, Change of Tactics
Re-MZ • Combine Front End and Rear End Traversal Tactics
Portal or reverse-type proxy solution in front, with domain isolation for rear zones
Firewall authenticates everything that it can, protocol-inspects the rest, and sends traffic to constrained networks
Firewall is changing most IPs to look like they come from it, so IPsec tunnels internally work from the firewall.
Domain Isolation • Wipe Out Attack Classes
[Diagram: Internet – Redundant Routers – Auth Firewalls (Intelligent Application Gateways) – control zones: Presentation/Outbound Proxy Zone, Inbound Proxy, Infrastructure Network (Internal Active Directory), Messaging Network (Exchange FE), Messaging Network (Exchange BE), Management Network (MOM, deployment), Client Networks 1…n, RADIUS Network, Intranet Network (Web Servers), Data Network (SQL Server Clusters), Extranet Data Network (SQL), Application Servers, NIC teams/switches]
• example
Summary • The model has to change
The people, the culture, and the technology have to evolve
This is an example of an architecture that has to change
We are better at this stuff than they think...