Server Security Technologies
(not Dr.) Fred Baumhardt
Security Technology Architect, Microsoft Incubation
[email protected]
Server Security
•How not to do it
This is not the way to protect your front perimeter or edge
Infrastructure Security Architecture Security
Root Causes
•Infrastructure Architecture
• Enterprise organically grown under “Project” context
• Security was Secondary – vendors, no best practice
• Classic Network Security wide open – everything to everything
• Internal Unmanaged Perimeter
• Unpatched Internet Extranets
• Some Core Systems
• 0 day undefended – patch is the solution
[Diagram: Internet Systems, Project 1…n Systems, Branch Offices, Departments]
This will Save
Security Rules
•The Biology of Security
• Worms are Anonymous – they don’t carry your password database…. Authenticate Traffic – stops foreign infection pathogens
• Worms break protocol – you wrote a buffer for 72 characters, the attacker sent you 182. Enforce Protocol Rules at the Network Device – things that break the rules are dropped
• Worms send clients something they didn’t ask for. Don’t process traffic that you didn’t ask for; understand protocols and know what to expect
•Auth at all levels
[Diagram: authentication at every tier. External Clients: SSL, NTLM, Basic, Certificates, Forms, SecurID, Limited VPNs, VPN (all types). Mobile: Server Auth. Internal Clients: Kerberos, NTLM, RPC, LDAP, DC/GC, Client Firewall, RADIUS (UDP 1812-13 default) to the Internet Authentication Server, Firewall. Protocols: DNS, HTTP(S), SMTP, FTP, RPC, POP3, IMAP4, LDAP, IKE, VPNs.]
Plan + Execute
•Wipe Out Attack Classes
• Example
[Diagram: example network. Internet → Redundant Routers, Redundant Firewalls, NIC teams/switches; a Control Zone separates each segment: Inbound Proxy Control Zone, Outbound Proxy Zone, Presentation Control Zone, Application Servers, Extranet Data Network – SQL, Data Network – SQL Server Clusters, Infrastructure Network – Internal Active Directory, Management Network – MOM, deployment, Messaging Network – Exchange FE/BE, Intranet Network – Web Servers, RADIUS Network, Client Networks 1…n.]
Plan + Execute
•Wipe Out Attack Classes
• NAP and Domain Isolation
•NAP (will) and Domain Isolation (has) become the standard to which new systems roll out
Infrastructure Security ForeFront Security
Capabilities
•Understand The Risks •Define the Strategy
• How much risk can we tolerate? Does it aggregate?
• Outsource the risk to others: buy managed services, hire consultants (outsource blame)
• Quantify risk and impact
• Decommission/Transition
• Allow long term “project” to fix it. Low enough risk/cost ratio to
• Transformation required to prevent re-occurrence; should wipe out the class of risk
[Roadmap table: rows Client, Server, Edge; columns Previous, Current, H2 2006, 2007+; later cells TBD.]
• It’s about securing the workload
• Simple malware scanning at the client or server base is insufficient
• Multiple malware vendors scanning traffic inside the data repository – need engines per repository
• For mail, do it at the edge and in the cloud, but other protocols are attacked internally, so protection should be internal
[Table: Workload vs. Malware Approach. IM and Documents: Live Communications Server, SharePoint Server – Antigen. Email: Exchange Hosted Services (EHS), ISA Server, Exchange Front End Servers, Exchange & BES Servers – Antigen. Malware Engines across Products.]
Plan + Execute
•The Training and Feelings of IT
Admin Training is Key – Users can be useful to IT
•Admins (like pets) can help you – if you train them
•Work with your new IT to let them understand your architecture and why
•Security Policy should be open to be evolved, and should be enforced and challenged against application paradigms
•Application and Infrastructure admins should treat security and FW admins as peers
Be Sensitive to Jobs and Roles, re-skilling is pain