Enabling Secure Remote Access In your environment
Steve Lamb, IT Pro Security Evangelist
http://blogs.technet.com/steve_lamb
[email protected]

Transcript of Enabling Secure Remote Access In your environment Steve Lamb IT Pro Security Evangelist...

Page 1: Enabling Secure Remote Access In your environment Steve Lamb IT Pro Security Evangelist microsoft.com.

Enabling Secure Remote Access In your environment
Steve Lamb
IT Pro Security Evangelist
http://blogs.technet.com/steve_lamb
[email protected]

Page 2:

Our time today
Solving the access vs. security dilemma
Understanding the three methods
External access to internal web-based applications
Providing users with “desktop over HTTPS” capabilities
Building full IP-based virtual private networks
When to choose which?

Page 3:

The dilemma: access or security
More users require more access from more places
Increase in mobile workers and where they come from (homes, hotels, airports, hotspots)
Wireless access is everywhere now
No longer just “employee” access: business partners, customers
But we can’t compromise security
Remote access increases security risks
Unmanaged PCs and devices
Unpatched and unprotected devices
Difficult and expensive to implement current solutions
High prices
Difficult to deploy client side software
Ugh! How do we do this?

Page 4:

Internal Applications via the Web

Page 5:

Examples
E-mail (Outlook Web Access)
File sharing (SharePoint varieties)
Custom applications
What’s in common?
Internal application
Runs on a web server
New business requirement for providing access while not attached to corpnet

Page 6:

Security issues
HTTPS is the transport
Provides the necessary privacy for protecting confidential information in transit over the Internet
But what about checking the content?
Intrusion detection (if you still do this)
Validating conformance to information dissemination policies—email, documents, …

Page 7:

Typical design
Good: performance
Isolates access based on location
Protects internal network
Bad: security
Tunnel through outside firewall: no inspection
Many holes in inside firewall for authentication
Anonymous initial connections
[Diagram: App, AD, App, DB]

Page 8:

Improving security
Security goals
Inspect SSL traffic
Maintain wire privacy
Enforce conformance to HTML/HTTP
Block misuse of the protocol
Allow only known URL construction
Block URL-borne attacks
Optionally
Pre-authenticate incoming connections

Page 9:

Protect the application with ISA Server
Better application-level security
ISA Server becomes the “bastion host”
Web proxy terminates all connections
Decrypts HTTPS
Inspects content
Inspects URL (with URLScan)
Re-encrypts for delivery to web application
[Diagram: ISA Server in front of App, DB, AD; ciphertext on the outside (“x36dj23s2oipn49v”), decrypted content (“<a href…”, “http://...”) visible to the proxy]

Page 10:

Protect the application with ISA Server
Better user authentication
Easy authentication to Active Directory
Pre-authenticate communications
ISA Server queries user for credentials
Verifies against AD
Embeds in HTTP headers to application server
Requires FP1
[Diagram: ISA Server in front of App, DB, AD; 404]

Page 11:

New wizards and better HTTP rules

Page 12:

AuthN delegation requirements
Authenticate at the perimeter
Choice of domain membership or RADIUS
Client to ISA Server: basic or forms-based authentication
ISA Server presents form and generates cookie
Separate timeouts for public and private computers
OWA form included; can copy and reuse code for your own forms-based applications
ISA Server to web server: basic
Won’t work with client certificates
ISA Server has no access to client’s private key

Page 13:

Delegation process
[Diagram: browser, ISA Server, RADIUS, AD, IIS. Message labels: URL; 401 / OWA form; form variables; access-request; access-accept / group attribs; cookie; URL + basic creds; WinLogon; token; data]

Page 14:

URLScan 2.5
Policy-based URL evaluation
Define what’s allowed; drop everything else
Just like you do in your firewall (right?)
Helps protect from attacks that—
Request unusual actions
Have a large number of characters
Are encoded using an alternate character set
Can be used in conjunction with SSL inspection to detect attacks over SSL
Yes, the script-kiddie warez do this now, too

Page 15:

URLScan specifics
URL canonicalization
..\..\cmd.exe

Page 16:

URLScan specifics
URL canonicalization
%2e%2e\%2e%2e\cmd.exe

Page 17:

URLScan specifics
URL canonicalization
%352e%352e\%352e%352e\cmd.exe
??

Page 18:

URLScan specifics
URL canonicalization
URL length
Content length
Content types
Permitted or blocked headers
Permitted or blocked verbs
Permitted or blocked file extensions
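As an added illustration (not code from the slides or from URLScan itself), the following Python models the allowlist evaluation this slide lists and runs it over the three URL forms from the canonicalization slides; the policy values, the /exchange/inbox.aspx request and the double-encoded %252e variant are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed allowlist policy modelled on the URLScan knobs on this slide
# (verbs, extensions, URL length, canonicalization). The values are illustrative.
ALLOWED_VERBS = {"GET", "POST", "HEAD"}
ALLOWED_EXTENSIONS = {"", ".htm", ".html", ".asp", ".aspx", ".gif", ".jpg", ".css", ".js"}
ALLOWED_PATH_CHARS = re.compile(r"[A-Za-z0-9/._\-]*")
MAX_URL_LENGTH = 260
MAX_DECODE_PASSES = 4  # how many layers of %-encoding we are willing to peel


def canonicalize(url_path: str) -> tuple[str, int]:
    """Percent-decode repeatedly until the path stops changing.

    Returns (canonical_path, passes_that_changed_it). One pass turns
    %2e%2e into .. (slide 16); a second pass that still changes the
    string means the request was encoded more than once. Backslashes
    are folded to '/', since IIS treats both as path separators.
    """
    current, passes = url_path, 0
    for _ in range(MAX_DECODE_PASSES):
        decoded = unquote(current)
        if decoded == current:
            break
        current, passes = decoded, passes + 1
    return current.replace("\\", "/"), passes


def evaluate(verb: str, url_path: str) -> tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly allowed is dropped."""
    if verb.upper() not in ALLOWED_VERBS:
        return False, "verb not permitted"
    if len(url_path) > MAX_URL_LENGTH:
        return False, "URL too long"
    path, passes = canonicalize(url_path)
    if passes > 1:
        return False, "multiply-encoded URL"
    if ".." in path.split("/"):
        return False, "directory traversal"
    # A '%' surviving canonicalization (malformed or unknown encoding) fails this test too.
    if not ALLOWED_PATH_CHARS.fullmatch(path):
        return False, "character outside the allowed set"
    name = path.rsplit("/", 1)[-1]
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, "file extension not permitted"
    if not path.startswith("/"):
        return False, "relative path"
    return True, "allowed"


# The three forms from slides 15-17 plus a constructed double-encoded variant.
SAMPLE_REQUESTS = [
    ("GET", "/exchange/inbox.aspx"),
    ("GET", "..\\..\\cmd.exe"),
    ("GET", "%2e%2e\\%2e%2e\\cmd.exe"),
    ("GET", "%352e%352e\\%352e%352e\\cmd.exe"),
    ("GET", "/%252e%252e/cmd.exe"),  # constructed: the '%' itself encoded as %25
    ("TRACE", "/default.htm"),
]

if __name__ == "__main__":
    for verb, url in SAMPLE_REQUESTS:
        allowed, reason = evaluate(verb, url)
        print(f"{'ALLOW' if allowed else 'DROP ':5} {verb:5} {url:40} {reason}")
```

Note that the slide-17 form does not decode to a traversal under a standard single decode, yet it is still dropped, because nothing about it is on the allowlist; that is the point of defining what is allowed rather than enumerating attacks.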

Page 19:

Recall the typical design…
OWA example
[Diagram: ExFE, SMTP, ExBE, AD]

Page 20:

New requirements, new designs
Move critical servers inside for better protection
Add ISA Server to your existing DMZ
Use these exact words!
Increase security by publishing web-based applications
Few interior FW holes
RADIUS (1812, 1813/udp)
HTTPS (443/tcp)
[Diagram: ISA Server, ExFE, SMTP, ExBE, AD]

Page 21:

Results
Known good content
Known good URL
Known good user
Dare I say it… trusted access?

Page 22:

Remote Desktop Mechanisms

Page 23:

A useful “middle ground”
If: Users require more access than is possible through standard web browser and web server
But: Full IP VPNs might be too expensive or too complex or provide too much access
Then: Consider technologies that display a desktop remotely, probably over HTTPS

Page 24:

SSL VPNs
Are:
Poorly-named glomming on a trend
A “remote desktop in a browser”
Accessed via web-based front ends
Running proprietary protocols that require some ActiveX or Java add-on
Aren’t:
VPNs
Appreciably simpler than other remote desktop alternatives
Any more secure than IPsec-based VPNs or HTTPS-protected access to published internal web sites

Page 25:

Why not call it what it is?
It’s just remote desktop or remote display
Certainly not a new idea
Apparently not as sexy as “SSL VPN”
Two products can do this for you now
Terminal Server—basic remote desktop display
Citrix Metaframe—more flexible preconfigured remote desktops and application groupings

Page 26:

Remote Desktop client

Page 27:

Remote desktop MMC

Page 28:

RDP in detail
Based on T-120 family of protocols
Multipoint Communications Service (MCS) (T.122, T.125)
Channel assignment, priority levels, data segmentation
Generic Conference Control (GCC)
Manages channels and session connections, controls resources
Extends core T.Share functionality
Two drivers
wdtshare.sys—UI, compression, encryption, framing
tdtcp.sys—package RDP onto TCP
Permits up to 64,000 data transmission channels
Current version uses one channel for keyboard/mouse activity and display output

Page 29:

RDP in detail
Operates independent of network and transport protocols
Bandwidth preservation
Compression
Caching in RAM and to disk (up to 10 MB for bitmaps)
Supports Network Load Balancing

Page 30:

RDP packet creation
[Diagram: application data from several apps is placed on MCS channels, passed through the stack for wrapping/framing, and handed to TCP/IP]

Page 31:

Server 2003 enhancements
Can connect to real console in admin mode
Group policy control of various options
…profile paths…wallpaper…encryption…
WMI provider for scripted TS configuration
ADSI provider for access to per-user TS profiles
TS Manager reduces automatic server enumeration
Can limit users to a single session

Page 32:

Security enhancements
Follows standard Windows paradigms better
Remote Desktop Users (RDU) security group contains IDs of allowed users
Most people allow “Everyone”
Permits controlling through group policy
Can also use Security Policy Editor to grant permissions
128-bit RC4 (“high”) now the default
Software Restriction Policies can limit the programs users are allowed to run

Page 33:

Encryption options
FIPS compliant: Use Federal Information Processing Standards 140-1 and 140-2 algorithms in both directions. If already configured in the system’s policy, you can’t change it here
High: 128-bit RC4 in both directions
Client compatible: Use whatever the client can support
Low: 56-bit encryption from client to server; cleartext from server to client
Configure with group policy or TS console

Page 34:

Securing Terminal Server
Typical layered approach
Physical security of the server computer
Secure configuration of the operating system
Secure configuration of Terminal Server
Proper security of the network path
“Locking down Windows Server 2003 Terminal Server sessions”—registry settings for fine-grained control
Probably not necessary

Page 35:

Some RDP configuration settings
End a disconnected session: 3 hours
Active session limit: 1 day
Idle session limit: 15 minutes
TS Configuration | Connections | RDP-Tcp | Properties

Page 36:

TS over the web is cool
Deployment: Rapidly deploy several applications to many users; Keep those applications up-to-date
Bandwidth: Lowest bandwidth requirements; Ideal for dial-up scenarios
Access: Works on many devices, even some non-Windows; Good for older hardware

Page 37:

Terminal Server over the web
[Diagram: web browser → IIS with RDWC → Terminal Server]
connect to web page http://server/tsweb over HTTP (80/tcp) or HTTPS (443/tcp)
download ActiveX control
connect to TS over RDP (3389/tcp)

Page 38:

Full IP VPNs

Page 39:

Requirements for remote-access VPN
User authentication: Restrict network access only to authorized users; Provide auditing and accounting records
Address management: Assign client computer’s address on private network; Provide address separation
Data encryption: Encrypt user’s data over Internet; Keep confidential information private
Key management: Generate/refresh encryption keys for client and server

Page 40:

Important terms
Authentication: Proof that all parties in a transaction are who they say they are
Privacy: Only the parties entitled to see the transaction are able to see it
Integrity: Guarantees that information hasn’t been altered or corrupted en route
Non-repudiation: Mutual, binding confirmation that a transaction occurred—the digital analog of a signed contract
Authorization: Ability to determine what privileges a user has after authentication

Page 41:

Authentication
What you know: Static passwords; One-time passwords (OTP)
What you have: Requires possession of a physical object; Cryptographic calculators; Public key smartcards; Supported for IPsec, SSL/TLS, EAP
What you are: Authenticates the person; Fingerprint analysis; Retinal scan; Speech pattern recognition; Not based on a device or knowledge which can be transferred; Supported for EAP

Page 42:

Authorization
Reasons to care about authorization
Untrusted users on internal net (vendors, contractors)
Need for different treatment of classes of users
Machine certificates are not enough
Makes authorization difficult
Guest has the same privileges as Administrator
Issue addressed in L2TP+IPsec
IPsec machine certificates provide integrity protection and encryption
L2TP provides user authentication
LDAP/RADIUS provide authorization

Page 43:

Privacy
What good is it to authenticate and then have data sent in the clear?
Privacy achieved through encryption
Implies need for authentication and key management, protected ciphersuite negotiation
L2TP+IPsec provides for tunnel authentication, key management, and protected ciphersuite negotiation
EAP-TLS (PPTP) provides key management, mutual authentication and protected ciphersuite negotiation
MS-CHAP v2 provides key management, mutual authentication for PPTP; encryption is MPPE
Physical security does not ensure privacy
Are telco WANs really more secure than IP?

Page 44:

Stateful vs. stateless encryption
Stateful:
Ability to decrypt a packet depends on previous packet(s)
If previous packet(s) were lost, you also lose current packet
If packets are sent out of order can result in loss where there was none
Result is poor performance on lossy networks (like the Internet)
Stateless:
Ability to decrypt a packet does not depend on previous packet(s)
Method of choice for use over the Internet
IPsec and MPPE are stateless
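To make the stateful/stateless distinction on this slide concrete, here is an added Python simulation (not from the deck): one link shares a single RC4 keystream across all packets, the other derives a fresh per-packet key from the master key and the packet's sequence number. The master key, the sample packets and the SHA-256 key derivation are constructed assumptions, and RC4 appears only because it is the cipher the deck names for MPPE and RDP.

```python
import hashlib


def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes (KSA then PRGA). Shown because the slides name
    RC4 for MPPE and RDP; this toy is not a recommendation to use it."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def xor_stream(stream, data: bytes) -> bytes:
    """Consume len(data) keystream bytes and XOR them with data."""
    return bytes(b ^ next(stream) for b in data)


class StatefulLink:
    """One continuous keystream for the whole session: the key bytes for packet n
    follow the bytes used for packet n-1, so the receiver's position in the
    stream must match the sender's exactly (the slide's 'stateful' case)."""

    def __init__(self, master_key: bytes):
        self.send_stream = rc4_keystream(master_key)
        self.recv_stream = rc4_keystream(master_key)
        self.seq = 0

    def encrypt(self, plaintext: bytes) -> tuple[int, bytes]:
        seq, self.seq = self.seq, self.seq + 1
        return seq, xor_stream(self.send_stream, plaintext)

    def decrypt(self, seq: int, ciphertext: bytes) -> bytes:
        # seq is carried but useless here: there is no way to skip ahead in the shared stream
        return xor_stream(self.recv_stream, ciphertext)


class StatelessLink:
    """Per-packet key derived from (master key, sequence number), the idea behind
    MPPE stateless mode and per-packet IVs, so any packet decrypts on its own."""

    def __init__(self, master_key: bytes):
        self.master_key = master_key
        self.seq = 0

    def _stream_for(self, seq: int):
        # Constructed derivation: SHA-256(master || seq) as the per-packet RC4 key.
        per_packet_key = hashlib.sha256(self.master_key + seq.to_bytes(4, "big")).digest()
        return rc4_keystream(per_packet_key)

    def encrypt(self, plaintext: bytes) -> tuple[int, bytes]:
        seq, self.seq = self.seq, self.seq + 1
        return seq, xor_stream(self._stream_for(seq), plaintext)

    def decrypt(self, seq: int, ciphertext: bytes) -> bytes:
        return xor_stream(self._stream_for(seq), ciphertext)


# Constructed sample traffic: four packets, each long enough that a wrong
# keystream cannot produce the right plaintext by chance.
MASTER_KEY = b"constructed-master-key!!"
PACKETS = [
    b"GET /exchange/inbox HTTP/1.1 ",
    b"Host: owa.example.test (constructed)",
    b"Cookie: session=placeholder-value ",
    b"Content-Length: 0 end-of-headers ",
]


def deliver(link_cls, master_key: bytes, packets, delivery_order):
    """Encrypt every packet, then hand the receiver only the packets listed in
    delivery_order (missing index = lost in transit, swapped = reordered).
    Returns {packet index: decrypted correctly?}."""
    sender, receiver = link_cls(master_key), link_cls(master_key)
    wire = [sender.encrypt(p) for p in packets]
    outcome = {}
    for n in delivery_order:
        seq, ciphertext = wire[n]
        outcome[n] = receiver.decrypt(seq, ciphertext) == packets[n]
    return outcome


if __name__ == "__main__":
    for name, link in (("stateful", StatefulLink), ("stateless", StatelessLink)):
        print(name, "in order:      ", deliver(link, MASTER_KEY, PACKETS, [0, 1, 2, 3]))
        print(name, "packet 1 lost: ", deliver(link, MASTER_KEY, PACKETS, [0, 2, 3]))
        print(name, "2 before 1:    ", deliver(link, MASTER_KEY, PACKETS, [0, 2, 1, 3]))
```

With the stateful link, losing packet 1 also destroys every later packet, and swapping packets 1 and 2 loses both even though nothing was dropped; the stateless link recovers every packet it receives in all three runs.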

Page 45:

Integrity protection
What good is it to authenticate and then have your connection hijacked?
Want mutual authentication to ensure against rogue servers
Need per-packet integrity protection
L2TP+IPsec provides for integrity protection on all data and control packets
PPTP v2 (with MS-CHAP v2) offers per-packet integrity protection

Page 46:

Your choice of protocols
PPTP:
Authenticates human
Assigns IP address to remote computer
Encrypts session with MPPE (128-bit RC4)
Requires good passwords to be secure
MS-CHAPv2 ciphers based on password
Works over NAT
L2TP+IPsec:
L2TP—Authenticates human; Assigns IP address to remote computer
IPsec ESP transport mode—Mutually authenticates computer and server with digital certificates or preshared keys; Encrypts session with 3DES
Works over NAT finally

Page 47:

L2TP+IPsec packet format
[Diagram: the encapsulation stages shown on the slide]
App data
IP | np | App data
UDP | L2TP | PPP | IP | np | App data
IP | IPsec | UDP | L2TP | PPP | IP | np | App data | IPsec

Page 48:

L2TP+IPsec client automatically generates IPsec security rule
Outbound Filter: Source IP = My IP address (Internet); Dest IP = Gateway IP; Protocol = UDP; Source port 1701, dest port any
Inbound Filter: Source IP = Gateway IP; Dest IP = My IP Address (Internet); Protocol = UDP; Source port any, dest port 1701
Windows L2TP always uses UDP source port 1701, dest port 1701
Allows gateway to float response port (per L2TP RFC 2661)
IPSec IKE negotiation is for dest port = any, so that filter mirror for inbound port = any
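As an added example (not the Windows IPsec policy engine's own code), this Python models the outbound/inbound filter pair described on this slide and shows why the inbound side leaves the source port as any: a gateway reply from a floated port still matches the mirror, while a filter that pins the port would not. The addresses and sample packets are constructed.

```python
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard port, the slide's "dest port any"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Filter:
    name: str
    src_ip: str
    dst_ip: str
    protocol: str
    src_port: Optional[int]  # None means any
    dst_port: Optional[int]

    def matches(self, pkt: Packet) -> bool:
        return (pkt.src_ip == self.src_ip
                and pkt.dst_ip == self.dst_ip
                and pkt.protocol == self.protocol
                and self.src_port in (ANY, pkt.src_port)
                and self.dst_port in (ANY, pkt.dst_port))

    def mirror(self) -> "Filter":
        """The exact reverse of this filter: swap the addresses and swap the ports."""
        return Filter(self.name + "-mirror", self.dst_ip, self.src_ip,
                      self.protocol, self.dst_port, self.src_port)


def l2tp_filters(my_ip: str, gateway_ip: str) -> tuple[Filter, Filter]:
    """The rule pair the slide describes: the client's outbound filter and its mirror."""
    outbound = Filter("outbound", my_ip, gateway_ip, "UDP", 1701, ANY)
    inbound = Filter("inbound", gateway_ip, my_ip, "UDP", ANY, 1701)
    return outbound, inbound


def classify(pkt: Packet, filters) -> str:
    """Name of the first filter the packet matches, or 'unmatched' (no IPsec SA applies)."""
    for f in filters:
        if f.matches(pkt):
            return f.name
    return "unmatched"


# Constructed addresses from the RFC 5737 documentation ranges.
MY_IP, GATEWAY_IP = "203.0.113.10", "198.51.100.1"
OUTBOUND, INBOUND = l2tp_filters(MY_IP, GATEWAY_IP)

# Constructed sample packets.
CLIENT_TO_GW = Packet(MY_IP, GATEWAY_IP, "UDP", 1701, 1701)
GW_REPLY_1701 = Packet(GATEWAY_IP, MY_IP, "UDP", 1701, 1701)
GW_REPLY_FLOATED = Packet(GATEWAY_IP, MY_IP, "UDP", 40001, 1701)  # gateway floated its port
GW_REPLY_TCP = Packet(GATEWAY_IP, MY_IP, "TCP", 1701, 1701)
OTHER_HOST = Packet("192.0.2.99", MY_IP, "UDP", 1701, 1701)

# A stricter inbound filter that pins the gateway's source port; it is NOT the mirror.
STRICT_INBOUND = Filter("strict-inbound", GATEWAY_IP, MY_IP, "UDP", 1701, 1701)


def inbound_is_exact_mirror() -> bool:
    """True when the slide's inbound filter equals the outbound filter mirrored."""
    return OUTBOUND.mirror() == Filter("outbound-mirror", GATEWAY_IP, MY_IP, "UDP", ANY, 1701)


if __name__ == "__main__":
    for pkt in (CLIENT_TO_GW, GW_REPLY_1701, GW_REPLY_FLOATED, GW_REPLY_TCP, OTHER_HOST):
        print(f"{classify(pkt, (OUTBOUND, INBOUND)):10} {pkt}")
    print("strict filter accepts floated reply:", STRICT_INBOUND.matches(GW_REPLY_FLOATED))
```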

Page 49:

L2TP+IPsec connection is protected
[Diagram, left to right: IPsec IKE negotiation, machine cert authN → Establish IPsec SAs for L2TP port 1701/udp → L2TP tunnel setup and management inside IPsec → User authN (RADIUS) → AD DC policy enforcement]
No traffic gets in until:
IPsec SAs are established—strong security based on mutual certificate trust
User authenticated in L2TP—all protected by IPSec. PPP could use CHAP, MS-CHAP (userid/password), EAP (smartcard or token card); RADIUS client in gateway permits single sign-on for Active Directory user accounts
User access control policy OK—RRAS server, IAS, and AD

Page 50:

Where do you put the RRAS server?

Page 51:

How about on the firewall?

Page 52: How RRAS+ISA secures client connections

Broad protocol support
• PPTP and L2TP/IPSec
• IPSec NAT traversal (NAT-T) for connectivity across any network

Authentication
• Active Directory uses existing Windows accounts, supports PKI for two-factor authentication
• RADIUS uses non-Windows accounts databases with standards-based integration
• SecurID provides strong, two-factor authentication using tokens and RSA authentication servers

All inbound and outbound traffic is inspected by ISA Server’s protocol filters

Page 53: How RRAS+ISA controls network access

Multi-network support
• Control which portions of your network are accessible from remote locations

Application layer firewall
• Inspects all traffic to and from remote clients
• Ensures conformance to protocol specifications

Network quarantine
• Perform security checks on client before it’s allowed access to the internal network
• Provide mechanism for out-of-date clients to update themselves

Page 54: Network access quarantine

Client script checks whether client meets corporate security policies
• Personal firewall enabled?
• Latest virus definitions used?
• Required patches installed?
• Routing table updates disabled?
• Password-protected screen saver enabled?

If checks succeed, client gets full access
If checks fail, client gets disconnected after timeout period

Page 55: VPN quarantine process (1)

(Diagram: client computer, quarantine resources, internal network)
1. Client computer connects
2. RRAS+ISA assigns client to quarantined VPN clients network, allowing access to limited resources
3. Script on client computer checks configuration settings
4. Script sends “success” notification to RRAS+ISA
5. RRAS+ISA assigns client to VPN clients network, providing access to internal network

Page 56: VPN quarantine process (2)

(Diagram: client computer, quarantine resources)
1. Client computer connects
2. RRAS+ISA assigns client to quarantined VPN clients network, allowing access to limited resources
3. Script on client computer checks configuration settings
4. Script does not send “success” notification to RRAS+ISA
5. Client can update from quarantine resources
6. RRAS+ISA will disconnect client after timeout expires

Page 57: Quarantine architecture

(Diagram: RAS client, Internet, RRAS+ISA, IAS Server, Quarantine)

CM profile
• Runs customizable post-connect script
• Script runs RQC notifier with “results string”

Listener
• RQS receives notifier “results string”
• Compares results to possible results
• Removes time-out if response received but client out of date
• Removes quarantine filter if client up to date

Quarantine VSAs
• Timer limits time window to receive notify before auto disconnect
• Q-filter sets temporary route filter to quarantine access
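The three quarantine outcomes spread over the last few slides (compliant client gets full access, non-compliant client is disconnected at the timeout, client with an out-of-date script has its timer removed but stays quarantined) are easier to see as one piece of logic. The following is an added example, not code from the deck or the RQC/RQS components: a simulation of a client script, a notifier and a gateway-side listener with a quarantine timer. The check names, the results strings and the timeout value are constructed for the example.

```python
"""Added example: simulate the RRAS quarantine flow from the slides.

Not the deck's code and not RQC/RQS. Check names, results strings and the
timeout are constructed values; the clock is simulated, not real.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Policy checks from the "Network access quarantine" slide; every one must hold.
REQUIRED_CHECKS = (
    "personal_firewall_enabled",
    "latest_virus_definitions",
    "required_patches_installed",
    "routing_table_updates_disabled",
    "screensaver_password_protected",
)

CURRENT_RESULTS = {"SRU-1.5"}   # constructed: results strings the listener treats as up to date
QUARANTINE_TIMEOUT = 120        # constructed: seconds the gateway waits for a notification


def run_client_script(checks: Dict[str, bool], script_version: str) -> Tuple[Optional[str], List[str]]:
    """Post-connect script: returns (results string, failed checks).
    The notifier only fires when every check passes, so a failing client sends nothing."""
    failed = [c for c in REQUIRED_CHECKS if not checks.get(c, False)]
    if failed:
        return None, failed
    return script_version, []


@dataclass
class Session:
    client: str
    network: str = "quarantined VPN clients"   # Q-filter: temporary route filter in place
    connected: bool = True
    connected_at: float = 0.0
    timer_active: bool = True                  # quarantine VSA timer still running
    outcome: str = "waiting for notification"


class QuarantineListener:
    """Gateway side (the RQS role): receives results strings and adjusts the session."""

    def __init__(self, current_results: Iterable[str], timeout: float) -> None:
        self.current_results = set(current_results)
        self.timeout = timeout

    def on_notify(self, session: Session, results: str) -> None:
        # A notification arrived, so the auto-disconnect timer is removed either way;
        # only a current results string also lifts the quarantine filter.
        session.timer_active = False
        if results in self.current_results:
            session.network = "VPN clients"
            session.outcome = "full access"
        else:
            session.outcome = "stays in quarantine: client script out of date"

    def tick(self, session: Session, now: float) -> None:
        """Enforce the time window: no notification before the timeout means disconnect."""
        if (session.connected and session.timer_active
                and now - session.connected_at >= self.timeout):
            session.connected = False
            session.outcome = "disconnected: no notification before timeout"


def simulate(client: str, checks: Dict[str, bool], script_version: str,
             elapsed: float = QUARANTINE_TIMEOUT + 1) -> Session:
    """Connect a client, run its script, deliver any notification, then advance the clock."""
    listener = QuarantineListener(CURRENT_RESULTS, QUARANTINE_TIMEOUT)
    session = Session(client=client)
    results, _failed = run_client_script(checks, script_version)
    if results is not None:
        listener.on_notify(session, results)
    listener.tick(session, now=elapsed)
    return session


# Constructed sample clients.
COMPLIANT = {c: True for c in REQUIRED_CHECKS}
NO_FIREWALL = {**COMPLIANT, "personal_firewall_enabled": False}

if __name__ == "__main__":
    for name, checks, version in [("laptop-a", COMPLIANT, "SRU-1.5"),
                                  ("laptop-b", NO_FIREWALL, "SRU-1.5"),
                                  ("laptop-c", COMPLIANT, "SRU-1.0")]:
        s = simulate(name, checks, version)
        print(f"{s.client}: network={s.network!r} connected={s.connected} -> {s.outcome}")
```

Calling `simulate` with a smaller `elapsed` shows the window in which a failing client is still connected and can update from the quarantine resources before the timer fires.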

Page 58: So What to Do Now?

Page 59: Resources

Everything about VPN and RRAS: http://www.microsoft.com/vpn
ISA Server info and deployment guides: http://www.microsoft.com/isaserver
Terminal Server: http://www.microsoft.com/terminalserver

Page 60: Now available!

Order online: http://www.awprofessional.com/title/0321336437
Use promo code JJSR6437

Page 61

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Thanks to Steve Riley, [email protected], who wrote this presentation

Page 62: How Microsoft Does VPN

Page 63: Current state of RAS at Microsoft

• Two-factor authentication for VPN
• Client placed in quarantine upon connecting
• Security checks performed while in quarantine
• Additional usability and security checks run outside of quarantine as part of the connection
• Three types of connection options:
  Direct dial
  Microsoft-contracted 3rd-party ISP
  VPN over the Internet (this is >85% of use)
• All connections end with a VPN session

Page 64: RAS service—quick facts

• User base: ~55,000 Microsoft employees and ~25,000 contract employees worldwide
• Average of 45,000 unique RAS users per month worldwide
• Remote access devices globally
  95 VPN servers, 17 RADIUS servers
  18 standalone Cisco dial devices, 51 dial modules on shared Cisco network device

Typical weekly RAS connections: ~193,233
  Total direct dial: 11,268
  Total VPN: 173,532
  Total RAS over Internet: 10,759
  Average connection duration (min.): 134

Page 65: Special implications of VPN

• Most use of VPN comes from unsecured networks
• Verifying the identity of VPN users requires a higher bar
• The higher bandwidth enabled by broadband also increases the effectiveness of brute force attacks
• Servicing the security needs of a remotely located client brings additional challenges

Page 66: The RAS security threats

Malicious users
• Unpatched vulnerabilities and weak configurations expose valid network credentials
• Home users’ machines are frequently attacked
• Remote network access secured only by passwords
• Unauthorized activity with valid credentials is difficult to detect and prevent

Malicious software
• Unmanaged and infected remote devices put corporate resources at risk
• Viruses, trojans, worms
• Always-on broadband Internet access heightens exposure

Page 67: Addressing the security threats

Threat: Malicious users
  Requirement: Two-factor authentication
  Solution: Smartcards for RAS logon

Threat: Malicious software
  Requirement: Enforce remote system security configuration
  Solution: Connection Manager and RAS Quarantine

Page 68: Strengthening identity with smartcards

• Smart card chip added to existing building access cards
• Remote access policy (RAP) deployed on VPN/RADIUS infrastructure
• Uses existing self-hosted PKI for digital certificate management
• Centralized card management team formed to manage card creation, distribution, and support

Page 69: Securing the RAS client

Infrastructure components
• Windows 2003 RRAS server (~400-600 ports configured per server)
• RQS on RRAS server
• Internet Authentication Services (IAS)
  Responsible for authentication and policy setting
  Can apply different policies based on back end rules (this is how exceptions are granted)
• Connection Manager Administration Kit (CMAK)
• ISA Server 2004

Client side components
• Custom connection created with CMAK
• Security scanning scripts—“Secure Remote User” (SRU)

Page 70: Why ISA Server 2004?

• Packet size limitation with RADIUS that limits the size of the filter list
• Microsoft needs more servers in the quarantine network than the limit allows for:
  DCs
  SRU Servers
  DNS
• Management of filter lists is easier with ISA Server 2004 than using IAS filters

Page 71: Connection Manager

• Provides mechanism to manage phone book entries for service
• Enables entry points for actions executed during connection experience
  Pre-initialize
  Pre-connect
  Post-connect
  Pre-tunnel
  Post-tunnel
• SRU runs in various places during the connection

Page 72: Secure Remote User (SRU)

• Designed and developed by Microsoft IT Enterprise Application Services (EAS)
• Performs critical security checks
  Windows Firewall on
  Internet Connection Sharing off
  Patch management
  Anti-virus using Computer Associates eTrust
  Operating system version compliance
• Very flexible, self-updating and gathers metrics from the user’s perspective

Page 73: RAS Infrastructure

(Diagram; only the labels are recoverable)
Client side: Remote client, Modem, Smart card, Telephone service
Connection paths: VPN tunnel over broadband connection using EAP-TLS; VPN tunnel over ISP connection using EAP-TLS; VPN tunnel over dial-up connection; Analog / ISDN dial connection; Analog / ISDN dial connection through ISP; Internet; ISP
Gateway and back end: Routing and Remote Access VPN server; Direct dial Cisco router; IAS / RADIUS server; IAS proxy server (RADIUS authorization); regional IAS / RADIUS servers; Domain controller; Active Directory, user groups, global catalog; SQL Server central database store; Custom automated reporting
Authentication and authorization labels: MS-CHAP v2 authentication; CHAP authentication; EAP-TLS security authentication (smart card); Lightweight Directory Access Protocol (LDAP) authorization; Secure Remote Procedure Call (RPC) domain authentication; Microsoft user account authentication; User session data transfers
Destination: Corporate network resources
Legend: data transfer path; authentication transfer path; physical dial connections

Page 74: The user experience

• Average connect experience worldwide is under two minutes
• Failed security check results in opportunity to remediate (Microsoft IT design decision)
• Incorrect smartcard PIN results in quick notification
  Since PIN unlocks card, decision is made locally
  Five incorrect PIN entries will lock the smartcard; takes a help desk call to unlock

Page 75: Lessons we learned

• Manage change—minimize overlaps
  Deploy smartcards first
  Then Connection Manager and security scanning second
• Provide internal and external sites where users can obtain security tools
• Consider analog dial-up users when designing security scripts
• Communicate and set user expectations clearly
• The solution is only as good as the components
  Monitor and measure each required element
• Don’t wait until using RAS to bring machine into compliance—encourage proactive security practices