Week 7 - class (1)

Security Tour 2005, Microsoft TechNet. With the participation of José Parada Gimeno, Microsoft TechNet Evangelist, and Chema Alonso, MVP Windows Server Security

Uploaded by javier-mamani-calderon, posted 11 Nov 2015

TRANSCRIPT

  • Security Tour 2005, Microsoft TechNet. With the participation of José Parada Gimeno, Microsoft TechNet Evangelist, and Chema Alonso, MVP Windows Server Security

  • Agenda I
    Introduction

    Hacker poisoning techniques in data networks: spoofing, ARP, DNS hijacking, phishing, mail spoofing

    Hacking countermeasures I. Protecting servers: encrypting and authenticating connections with IPsec; server hardening.

  • Agenda II
    Hacking countermeasures II. Protecting mail services: secure connections with RPC over HTTPS

    VPNs: evolution of VPNs, secure VPNs with MPLS, application hosting on MPLS VPNs, solutions with ISA Server 2004 over ONO's VPNs.

    Hacker spamming techniques. Heuristic, Bayesian and fingerprinting techniques; anti-spam countermeasures.

  • Introduction: motives, impact, incident analysis, vulnerability analysis

  • What is security?
    Security is a relative term, not an absolute one. What is secure? Secure against whom? Secure against what? Secure until when? What intensity of attack can be withstood?

    Therefore, without a context the term "security" is meaningless.

  • Why do they attack?
    Personal motives: getting even, political or terrorist grounds, playing a prank, showing off and bragging.

    Financial motives: stealing information, blackmail, financial fraud.

    Doing damage: altering, damaging or deleting information, denying service, damaging public image.

  • Motives
    Technology has flaws. It is very easy to do. There is no clear awareness that it is a crime.

    Because it's COOL!!

  • Incidents reported to CERT (data source: CERT, http://www.cert.org)

    Year    Incidents
    1988          6
    1989        132
    1990        252
    1991        406
    1992        773
    1993      1,334
    1994      2,340
    1995      2,412
    1996      2,573
    1997      2,134
    1998      3,734
    1999*     9,859
    2000     21,756
    2001     52,658
    2002     82,094
    2003    137,529

  • Vulnerabilities by year (data source: CERT, http://www.cert.org)

    Year    Vulnerabilities
    1995          171
    1996          345
    1997          311
    1998          262
    1999*         417
    2000        1,090
    2001        2,437
    2002        4,129
    2003        3,784

  • The IT industry's problem: vulnerabilities in operating systems - 2002 (chart)

  • The IT industry's problem: vulnerabilities in operating systems - 2003 (chart comparing Windows 2003, OpenBSD, Windows XP, Windows 2000, SuSE, Sun, Mandrake, RedHat and Debian)

  • Sources
    Debian: http://www.nl.debian.org/security
    Mandrake: http://www.mandrakesoft.com/security/advisories
    Microsoft: http://www.microsoft.com/technet/security/current.aspx
    OpenBSD: http://www.openbsd.org/errata35.html
    Sun: http://sunsolve.sun.com/pub-cgi/show.pl?target=security/sec
    SuSE: http://www.novell.com/linux/security/advisories.html
    RedHat: http://www.redhat.com/security/updates/

  • Vulnerabilities: http://www.securityfocus.com/bid

  • The IT industry's problem: vulnerabilities in operating systems - August 2004 (chart)

  • Sophistication of attacks vs. knowledge required (chart)

  • Hacker poisoning techniques in data networks. With the participation of José Parada Gimeno, Microsoft TechNet Evangelist, and Chema Alonso, MVP Windows Server Security

  • The OSI model: 1. Physical, 2. Data link, 3. Network, 4. Transport, 5. Session, 6. Presentation, 7. Application

  • In reality, four layers are representative enough:
    1. Interface: ARP, RARP
    2. Network: IP, ICMP, IGMP
    3. Transport: TCP, UDP, IPsec
    4. Application: HTTP, FTP, TFTP, telnet, ping, SMTP, POP3, IMAP4, RPC, SMB, NTP, DNS
    5-8. User

  • Spoofing techniques
    Spoofing techniques aim to impersonate static validators. A static validator is a means of authentication that remains unchanged before, during and after access is granted.

  • Affected levels
    Service: domain names, e-mail addresses, shared resource names.
    Network: IP address.
    Link: MAC address.

  • Types of spoofing techniques
    ARP spoofing: connection poisoning, man in the middle.

    IP spoofing: RIP spoofing, hijacking.

    SMTP spoofing.

    DNS spoofing: web spoofing.

  • Sniffing techniques
    They capture network traffic.

    They need the physical signal to reach the NIC.

    In broadcast networks built with hubs, every signal reaches every participant in the communication.

    In switched networks, traffic is forwarded according to addresses: switches use the MAC address.

  • Sniffing + spoofing: hijacking and poisoning, combined techniques

  • Link layer: ARP spoofing
    Impersonate physical identities.

    Bypass MAC-based protections. Impersonate entities for DHCP clients. Impersonate communication routers.

    It only makes sense in local communications.

  • Physical address
    Its purpose is to define a unique identifier for each network device.

    When a machine wants to communicate with another it needs to know its physical address: the ARP protocol.

    No servers are used to store records of the form MAC address -> IP address.

    Each host has a local cache where it stores the information it knows.

  • Sniffing in broadcast networks (diagram: PC HACKER running a sniffer, PC 1, PC 2, PC 3, PC 4)

  • Sniffing in switched networks (diagram: PC HACKER with sniffer and MAC H on port 6; PC 1 with MAC 1 on port 1, PC 2 with MAC 2 on port 2, PC 3 with MAC 3 on port 11, PC 4 with MAC 4 on port 12)

  • Connection poisoning: man in the middle
    The technique consists of placing oneself between two systems.

    The ARP protocol is used to achieve this.

    Poisoning can be carried out between any network devices.

  • Connection poisoning: man in the middle (diagram: after poisoning, the ARP cache of host 1 maps IP 2 to MAC H and the ARP cache of host 2 maps IP 1 to MAC H)

  • ARP man-in-the-middle attack (diagram, hosts 1.1.1.1 and 1.1.1.2):
    Who has 1.1.1.2?
    1.1.1.2 is at 99:88:77:66:55:44
    1.1.1.2 is at 00:11:22:33:44:55:66
    1.1.1.1 is at 99:88:77:66:55:44

  • Man in the middle
    It serves as a platform for other attacks.

    DNS spoofing, web spoofing, hijacking, sniffing.

    It is used for password theft.

  • Demo
    Poisoning between hosts.

    Password theft. DNS hijacking. Phishing (web spoofing). HTTPS spoofing.

  • Protection against poisoning
    Preventive measures.

    Physical control of the network. Locking down access points. Network segmentation.

    Security update management. Protection against exploits. Protection against trojans.

  • Protection against poisoning
    Preventive measures.

    Encrypting communications: IPsec. Encryption at the application level: S/MIME, SSL.

    Certified communications.

  • Protection against poisoning
    Preventive measures.

    Use of sniffer detectors.

    They rely on tests for anomalous behaviour: ICMP test, DNS test, ARP test.
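The ARP man-in-the-middle slide above shows the attacker's MAC answering for both 1.1.1.1 and 1.1.1.2, and the protection slides list an "ARP test" among the detection measures. The following script is an added example (not code from the deck or its presenters) of the defender-side check that turns that observation into an alert: it reads ARP replies as a sniffer would log them, keeps the IP-to-MAC view a host would build, and flags an IP whose MAC changes and, more specifically, a single MAC that takes over two IPs that belonged to other hosts. The log lines, the two legitimate MACs and the log format are constructed for the example; the attacker MAC 99:88:77:66:55:44 is the one on the slide.

```python
import re
from collections import defaultdict

# Constructed sample: ARP replies as a simple sniffer log might print them.
# 1.1.1.1 and 1.1.1.2 are the hosts from the slide; 99:88:77:66:55:44 is the
# address the slide shows answering for both; the other MACs are made up.
SAMPLE_ARP_LOG = """\
1.1.1.1 is at 00:11:22:33:44:55
1.1.1.2 is at 00:11:22:33:44:66
1.1.1.3 is at 00:11:22:33:44:77
1.1.1.2 is at 99:88:77:66:55:44
1.1.1.1 is at 99:88:77:66:55:44
1.1.1.3 is at 00:11:22:33:44:77
"""

ARP_REPLY = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$",
    re.IGNORECASE,
)


def parse_replies(log_text):
    """Turn log lines into (ip, mac) tuples; lines that do not parse are skipped."""
    replies = []
    for line in log_text.splitlines():
        m = ARP_REPLY.match(line.strip())
        if m:
            replies.append((m["ip"], m["mac"].lower()))
    return replies


def detect_poisoning(replies):
    """Build the IP -> MAC view a host would hold and flag two conditions.

    ip_mac_changed: an IP that was bound to one MAC is now claimed by another
    (can be a legitimate NIC swap or DHCP reassignment, so it is a warning).
    mitm_suspect: one MAC has taken over two or more IPs that belonged to
    other MACs, the man-in-the-middle pattern on the slide (host 1 and host 2
    both end up mapped to the attacker's MAC).
    """
    ip_to_mac = {}
    taken_over = defaultdict(set)  # mac -> IPs it took from another MAC
    alerts = []
    for ip, mac in replies:
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"ip_mac_changed {ip} {previous} -> {mac}")
            taken_over[mac].add(ip)
            if len(taken_over[mac]) == 2:  # report once, when the pattern completes
                alerts.append(f"mitm_suspect {mac} now answers for {sorted(taken_over[mac])}")
        ip_to_mac[ip] = mac
    return alerts


def mitm_suspects(replies):
    """The MACs flagged as man-in-the-middle suspects."""
    return {a.split()[1] for a in detect_poisoning(replies) if a.startswith("mitm_suspect")}


if __name__ == "__main__":
    for alert in detect_poisoning(parse_replies(SAMPLE_ARP_LOG)):
        print(alert)
```

On the sample log the script emits two `ip_mac_changed` warnings and one `mitm_suspect` alert for 99:88:77:66:55:44; a single change, such as a DHCP lease moving to a new machine, only produces the warning, which keeps the alert useful on a network where addresses legitimately move.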

  • Passphrases vs. passwords

  • The 4 fundamental laws of data protection
    Authenticate everywhere. Always validate. Authorize and audit everything. Encrypt whenever necessary.

  • Encrypting and authenticating connections with IPsec in Windows 2003 networks. With the participation of José Parada Gimeno, Microsoft TechNet Evangelist, and Chema Alonso, MVP Windows Server Security

  • Encrypting communications
    IPv4 offers no encryption of communications at the network and transport levels.

    Non-interception of information can only be guaranteed on private lines.

    Environments are open. Mobility.

    Privacy of information is a necessity.

  • Encrypting communications
    The choice of protection must:

    Not cancel out other defences.

    Allow integrated authentication.

    Not impose an excessive cost in: performance, acquisition, deployment, maintenance.

  • Encrypting communications
    Solutions:

    Network: IPv6 -> IPsec.

    Transport: TLS, SSL.

    Application: HTTPS, FTPS, S/MIME, SSH.

    Data: encryption of the information.

  • IPsec - definition
    IPsec is a protocol used to protect communications between hosts.

    It offers the following features:

    Authentication, integrity, confidentiality (encryption).

  • IPsec - objectives
    Protect the contents of IP headers against active and passive attacks by means of: header authentication; content encryption.

    Defend hosts against network attacks: filtering of connections (sniffing); authentication of connections.

  • IPsec - operation
    Two distinct groups of protocols:
    Key management protocols: IKE (Internet Key Exchange) and its associated ISAKMP and OAKLEY.
    Authentication, encryption and packet manipulation protocols: AH (Authentication Header) and ESP (Encapsulating Security Payload).

  • IKE - operation
    IKE has two modes of operation: Main Mode and Quick Mode.

    It centralizes the management of security associations (SAs) to reduce time. It generates and manages the keys used to secure the information.

  • IPsec encryption process
    The encryption process is made up of two protocols:

    Authentication Header (AH) and traffic encryption (ESP).

  • Authentication Header
    Authentication Header (AH) offers: authentication, integrity.

    Features: Kerberos, certificates or shared secrets can be used to authenticate the traffic. Integrity is computed with the SHA1 or MD5 algorithms, which calculate the Integrity Check Value (ICV).

  • IPsec AH header (diagram)
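The AH slides say the ICV is computed with SHA1 or MD5 and that AH authenticates the IP header itself. The block below is an added example (not code from the deck or from Windows) that builds that computation from RFC 2402: the HMAC is taken over the IP header with its mutable fields zeroed, the AH header with the ICV field zeroed, and the payload, then truncated to 96 bits as HMAC-SHA-1-96 and HMAC-MD5-96 specify. The shared key, addresses, SPI and payload are constructed values; the header packing is a minimal IPv4 header without options and without a valid checksum, since only the authenticated bytes matter here. The point a practitioner can check is which changes in transit AH tolerates (a router decrementing the TTL) and which it rejects (a spoofed source address or altered payload).

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

AH_PROTO = 51          # protocol number carried in the outer IPv4 header
ICV_LEN = 12           # HMAC-MD5-96 / HMAC-SHA-1-96: the HMAC truncated to 96 bits
IPV4_FMT = "!BBHHHBBH4s4s"
AH_FMT = "!BBHII"      # next header, payload len, reserved, SPI, sequence number


def ipv4_header(src, dst, proto, total_len, ttl=64, ident=1):
    """Minimal IPv4 header without options. The checksum is left zero: the
    example only needs the bytes AH covers, not a transmittable packet."""
    return struct.pack(IPV4_FMT, 0x45, 0, total_len, ident, 0, ttl, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def zero_mutable_fields(ip_hdr):
    """RFC 2402 3.3.3.1: TOS, flags/fragment offset, TTL and header checksum
    may legitimately change in transit, so the ICV is computed with them zeroed."""
    ver_ihl, _tos, total_len, ident, _flags, _ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_FMT, ip_hdr[:20])
    return struct.pack(IPV4_FMT, ver_ihl, 0, total_len, ident, 0, 0, proto, 0, src, dst)


def ah_header(next_header, spi, seq, icv=b"\x00" * ICV_LEN):
    # payload length field = AH length in 32-bit words minus 2 (24 bytes -> 4)
    payload_len = (struct.calcsize(AH_FMT) + len(icv)) // 4 - 2
    return struct.pack(AH_FMT, next_header, payload_len, 0, spi, seq) + icv


def compute_icv(key, ip_hdr, next_header, spi, seq, payload, algo="sha1"):
    """ICV over immutable IP header + AH header (ICV zeroed) + everything after."""
    covered = zero_mutable_fields(ip_hdr) + ah_header(next_header, spi, seq) + payload
    return hmac.new(key, covered, getattr(hashlib, algo)).digest()[:ICV_LEN]


def build_ah_packet(key, src, dst, next_header, spi, seq, payload, algo="sha1"):
    """Sender side: IPv4 header, AH header carrying the ICV, then the payload."""
    total_len = 20 + struct.calcsize(AH_FMT) + ICV_LEN + len(payload)
    ip_hdr = ipv4_header(src, dst, AH_PROTO, total_len)
    icv = compute_icv(key, ip_hdr, next_header, spi, seq, payload, algo)
    return ip_hdr + ah_header(next_header, spi, seq, icv) + payload


def verify_ah_packet(key, packet, algo="sha1"):
    """Receiver side: recompute the ICV and compare it in constant time."""
    ip_hdr, rest = packet[:20], packet[20:]
    next_header, payload_len, _res, spi, seq = struct.unpack(AH_FMT, rest[:12])
    ah_len = (payload_len + 2) * 4
    icv, payload = rest[12:ah_len], rest[ah_len:]
    expected = compute_icv(key, ip_hdr, next_header, spi, seq, payload, algo)
    return hmac.compare_digest(icv, expected)


# Constructed values for the demonstration (not keys or addresses from the deck).
KEY = b"example-shared-secret"
PACKET = build_ah_packet(KEY, "1.1.1.1", "1.1.1.2", 17, 0x1000, 1, b"hello", "sha1")

if __name__ == "__main__":
    print("original verifies:", verify_ah_packet(KEY, PACKET))
    ttl_decremented = PACKET[:8] + bytes([63]) + PACKET[9:]
    print("after a router hop (TTL 63):", verify_ah_packet(KEY, ttl_decremented))
    spoofed_src = PACKET[:12] + bytes([1, 1, 1, 3]) + PACKET[16:]
    print("source address rewritten:", verify_ah_packet(KEY, spoofed_src))
```

The TTL sits at byte 8 and the source address at bytes 12-15 of the IPv4 header, so the two tamper cases in the demo exercise exactly the mutable/immutable split the RFC defines; the same split is why a NAT device, which rewrites the source address, breaks AH but not ESP.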

  • ESP header
    Encapsulating Security Payload (ESP)

    ESP offers: confidentiality.

    ESP can be used alone or combined with AH.

    Multiple encryption algorithms: DES with 56-bit keys, 3DES with 168-bit keys.

    Multiple signing algorithms: SHA1 (160-bit digest), MD5 (128-bit digest).

  • ESP header (diagram)

  • IPsec - firewalls
    IPsec is routed as IPv4 traffic.

    On firewalls, IP forwarding must be enabled for: IP protocol ID 50 (ESP), IP protocol ID 51 (AH), UDP port 500 (IKE).

    IPsec traffic passing through a firewall cannot be inspected.

  • SA establishment (diagram: client and server or gateway, each with application or service, TCP/IP, NIC, IPsec driver, IPsec policy agent and IKE (ISAKMP))

  • IPsec - modes of operation
    IPsec can work in two modes:
    Transport mode, where encryption is end to end.

    Tunnel mode, where encryption happens only between the tunnel endpoints.

  • IPsec modes (diagram): transport mode provides end-to-end encryption and authentication; tunnel mode provides encryption and authentication only between the tunnel endpoints.

  • IPsec - cost of encryption
    Reduced performance, proportional to the system's hardware. IKE negotiation time of approximately 2-5 seconds initially; session rekey < 1-2 seconds.

    Loss of packet-filtering capability.

    Resources devoted to troubleshooting.

    Technical awareness of its need and its use.

  • IPsec in Windows 2000-2003
    It is configured through policies, stored in Active Directory or in the server's local registry. They control which inbound and outbound packets are allowed.

    IPsec policies are made up of lists of rules. Rules are composed of associations of actions and protocols. They are defined at the protocol level or at the port level. Allowed actions: block, permit, request security. The most permissive filter is applied.

  • IPsec - policies
    Default policies or manually created ones may be used.

    The system provides 3 default policies that determine different behaviours of the machine with respect to IPsec:

    Client. Server. Secure server.

  • IPsec - client policy
    Respond-only mode.

    A system in client mode responds to IPsec requests made to it.

    It does not initiate conversations in IPsec, only in the clear.

  • IPsec - server policy
    It tries to establish encrypted communications, but if the other machine has no IPsec configured the communication is established in the clear.

    This mode is defined by 3 rules that determine the general behaviour of the system for IP requests, ICMP and the rest of the traffic.

  • IPsec - secure server policy
    The host can only establish secure communications.

    The policy sets 3 rules, for IP request traffic, ICMP and the rest of the traffic.

  • IPsec - rules
    IPsec rules determine the system's behaviour when transmitting information.

    Rules are composed of the following objects: filters, filter action, authentication method.

  • IPsec - filters
    When configuring filters the following parameters must be specified:

    Whether or not a communication tunnel may be established. Which networks or hosts will be affected. The authentication method for the transmission. Security methods. The filter actions.

  • IPsec - authentication
    Kerberos: requires time synchronization; only within the forest.

    Certificates: require a PKI deployment; CRL checking is disabled by default.

    Shared secrets: as secure as the secret is; hard to maintain in large environments.

  • IPsec - PKI auto-enrollment
    An auto-enrollment environment for computer digital certificates can be configured by:

    Installing an integrated root certification authority.

    Enabling Automatic Certificate Request in the domain GPO.

  • IPsec exceptions
    IPsec in Windows 2000 does not secure the following traffic by default: broadcast, multicast, RSVP, IKE, Kerberos.
    Windows 2003 by default secures all traffic except IKE. It can be configured to behave as Windows 2000 does: "IPSec Default Exemptions Are Removed in Windows Server 2003", http://support.microsoft.com/default.aspx?scid=kb;EN-US;810207

  • IPsec - monitoring: IPSecmon, the IP Security Monitor MMC snap-in

  • IPsec - deployment via GPO: centralized deployment from Active Directory; configuration possible through templates.

  • Group policies (screenshot)

  • Demo: IPsec configuration

  • Hardening Windows 2003 servers: security templates. With the participation of José Parada Gimeno, Microsoft TechNet Evangelist, and Chema Alonso, MVP Windows Server Security

  • Hardening
    The increase in network attacks has made it necessary to implement measures to fortify company services.

    Among these measures, system updates and server hardening through internal security configuration with templates stand out.

  • Security templates
    They provide the mechanisms to increase security on hosts.

    They are files that make it simpler to deploy security on hosts.

    They extend or modify the policies currently being applied.

  • Applying templates
    Templates can be applied by importing them into local policies or by using them in a GPO.

    Through the security configuration tool.

    From the command line by running the Secedit command.

  • Components of security templates
    Security templates control the following aspects of a machine:

    User accounts. Auditing. User rights. Security options. Event viewer. Restricted groups. Services. Registry keys. File system.

  • Template management tools
    Templates can be administered from:

    The Security Templates console.

    The Security Configuration and Analysis console.

    Both tools are added as MMC snap-ins.

  • Administrative Templates tools (screenshot)

  • Security Configuration and Analysis
    It is a tool with two purposes:

    To provide the mechanisms to compare a machine's security against an analysis database.

    To configure a machine with the information from a database created from templates.

  • Analysis and configuration (screenshot)

  • Resultant Set of Policy
    A system complementary to the previous ones that evaluates not only security templates but also GPOs.

    It comes as two tools:

    RSoP, a graphical tool. GPRESULT, a command-line tool.

  • Demo: applying server templates; security analysis

  • Break!

  • RPC over HTTPS. With the participation of José Parada Gimeno, Microsoft TechNet Evangelist, and Chema Alonso, MVP Windows Server Security

  • RPC over HTTP
    Remote procedure calls are one of the methodologies for communication between machines.

    Outlook 2003 connects to Exchange 2003 using the RPC protocol.

    Running RPC over HTTP provides 3 additional levels of security on top of those offered by RPC.

  • Security
    It provides security and authentication through Internet Information Server.

    It provides SSL encryption.

    It allows restrictions and inspection of information at the RPC proxy level.

  • Architecture
    The following components take part in an RPC/HTTPS communication:

    RPC/HTTPS client.

    RPC proxy/firewall (router).

    RPC server.

  • Implementations
    Microsoft provides 2 implementation versions of RPC/HTTP.

    Version 1: does not allow establishing an SSL session on the RPC proxy; does not allow authentication on the RPC proxy; does not work in a server farm.

    Version 2: allows SSL; supports authentication on the RPC proxy; works in a server farm.

  • Operating systems (table)

  • Advantages
    It supports a platform for transmitting information securely over the Internet.

    It allows information to be routed securely across a network.

    It provides an integration platform for antivirus and anti-spam traffic inspection.

    It avoids VPN licences and deployments.

  • Traffic inspection
    With the RPC-over-HTTP architecture, antivirus and anti-spam can be deployed at the following levels:

    Client. For example Outlook 2003.

    RPC proxy. For example IIS 6.0/ISA Server 2004.

    RPC server. For example Exchange 2003.

  • RPC proxy configuration
    Install IIS.

    Install the RPC over HTTP services from Windows components.

    Configure the RPC virtual service in IIS.

    Enable security on the service to use RPC/HTTPS.

  • Exchange
    Exchange supports the RPC over HTTPS service.

    It can be integrated into the front-end / back-end architecture.

    The front-end server could work as:

    RPC proxy server.

    RPC server receiving and sending requests to a proxy server.

  • Exchange as RPC server (diagram)

  • Demo: RPC/HTTPS connection, Outlook 2003 to Exchange 2003

  • MPLS and application hosting. Interaction with ISA Server. With the participation of Julio César Gómez Martín

  • Index
    Who is ONO?

    Evolution of VPNs: layer 2 VPNs; layer 3 VPNs, IPsec

    Secure VPNs with MPLS

    Application hosting with MPLS

    Solutions with ISA Server 2004 over ONO's VPNs: ISA Server 2004 as proxy; ISA Server 2004 as firewall

  • What is ONO?
    ONO is the largest integrated broadband communications company for consumers, and one of the leading ones for businesses, in Spain.

    Services: television + telephone + Internet for the residential market (in the areas where it holds a cable licence); services and applications over IP networks for businesses (throughout Spain).

    Cable licences in the Valencian Community, Mallorca, Castilla-La Mancha, Murcia, Santander, Cádiz and Huelva.

    In February 2004, ONO completed the purchase of 61% of Retecal, the cable telecommunications operator of Castilla y León.

  • Service portfolio (infrastructure, connectivity, business platform)
    ITS: Internet transit. Housing: server colocation. ASP Exchange. e-Baan: ASP Baan (ERP). Video streaming. Managed hosting: dedicated, shared. VIP: virtual private networks. SIG: guaranteed Internet access. Wall: managed firewall. Virtual ISP.

  • Index (repeated)

  • Definition of a VPN
    Connections made over a shared infrastructure. Functionality similar to (better than?) a real private network: behaviour (guaranteed service), security (data integrity, confidentiality), security through isolation.

  • Evolution of VPNs
    Layer 2 VPNs: Frame Relay and ATM. Static definition of virtual circuits (PVCs). Forwarding based on DLCI. Limited scalability and flexibility.

    Layer 3 VPNs, IPsec: GRE tunnels and above all IPsec. Authentication and encryption of data over the Internet. Routing based on the tunnel's IP. Hardware and software encryption acceleration.

  • Evolution of VPNs
    Layer 3 VPNs, MPLS: combines layers 2 and 3 using labelled packets. Separation of the routing component from the forwarding component. Inherent security: it differentiates and isolates VPN traffic, creating real private networks. Network behaviour: traffic engineering.

  • Index (repeated)

  • Basic operating scheme
    1a. Using the existing routing protocols (e.g. OSPF), we establish the most appropriate destinations within the network.
    1b. From this information, LDP generates the mapping of destinations to labels.
    2. The edge router (PE1) receives a packet, marks it with a label and injects it into the network.
    3. The backbone routers (P) switch the packets using the packet's label.
    4. The destination edge router (PE2) removes the label and delivers the packet.
    (diagram: PE and P routers)

  • Basic operating scheme (diagram: PE router, P router, PE router, MPLS backbone)

  • Creating a VPN
    Forwarding tables (VRFs) for each VPN on the PE make it possible to route traffic to each member of a VPN.

  • Creating a VPN
    VPN identity through a 64-bit Route Distinguisher (RD). The RD is assigned by the operator and unknown to the customer. RD + customer IP address = VPN-IP address, globally unique.
    Use of Route Targets (RT) that define the routes to import into and export from the VRFs.
    Forwarding tables (VRFs) for each VPN on the PE make it possible to route traffic to each member of a VPN.

  • Addressing plan (diagram: PE router X, PE router Y, P router Z, PE router V)

  • Addressing plan (diagram: VPN A and VPN B both use 10.1.1.0/24 behind their CPEs, across PE router X, PE router Y, P router Z and PE router V)

  • Configuration simplicity (diagram: PE routers around an MPLS backbone)

  • Index (repeated)

  • Full visibility, any to any (diagram: headquarters VPN and branch VPNs over ONO's MPLS network)

  • Partial visibility between VPNs (diagram: ONO network (MPLS); branches with ADSL/point-to-point/cable/ISDN access; headquarters (central services); site 1 of customer A, site 1 of customer B)

  • Partial visibility between VPNs
    ip vrf vpn_C
     rd 12457:56
     route-target import 12457:100
     route-target export 12457:100
     route-target import 12457:101
     route-target import 12457:102
    ip vrf vpn_A
     rd 12457:3
     route-target export 12457:101
     route-target import 12457:101
     route-target import 12457:100
    ip vrf vpn_B
     rd 12457:55
     route-target export 12457:102
     route-target import 12457:102
     route-target import 12457:56
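The VRF definitions on the slide implement "partial visibility" purely through which route targets each VRF exports and imports, and that is also where an isolation mistake would hide: a stray import leaks one customer's routes into another's VPN. The following script is an added example, not ONO's or the presenter's tooling: it parses IOS-style `ip vrf` blocks (only the `rd`, `route-target import/export` and `route-target both` statements), derives which VRF receives routes from which, and reports one-way relationships and imports that match no export. The configuration text is the slide's, re-typed one statement per line; the assumption is that a VRF receives another VRF's routes exactly when some route target is exported by the latter and imported by the former.

```python
import re

# The three VRF definitions from the slide, one statement per line (the slide
# shows them run together).
VRF_CONFIG = """\
ip vrf vpn_C
 rd 12457:56
 route-target import 12457:100
 route-target export 12457:100
 route-target import 12457:101
 route-target import 12457:102
ip vrf vpn_A
 rd 12457:3
 route-target export 12457:101
 route-target import 12457:101
 route-target import 12457:100
ip vrf vpn_B
 rd 12457:55
 route-target export 12457:102
 route-target import 12457:102
 route-target import 12457:56
"""


def parse_vrfs(config):
    """Parse 'ip vrf' blocks into {name: {"rd": str, "import": set, "export": set}}."""
    vrfs, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"ip vrf (\S+)$", line):
            current = vrfs.setdefault(m.group(1), {"rd": None, "import": set(), "export": set()})
        elif current is None:
            continue  # statements before the first 'ip vrf' are not VRF config
        elif m := re.match(r"rd (\S+)$", line):
            current["rd"] = m.group(1)
        elif m := re.match(r"route-target (import|export) (\S+)$", line):
            current[m.group(1)].add(m.group(2))
        elif m := re.match(r"route-target both (\S+)$", line):
            current["import"].add(m.group(1))
            current["export"].add(m.group(1))
    return vrfs


def visibility(vrfs):
    """For each VRF, the set of VRFs (itself included) whose routes it imports."""
    return {
        name: {other for other, o in vrfs.items() if vrf["import"] & o["export"]}
        for name, vrf in vrfs.items()
    }


def isolation_report(vrfs):
    """Findings a reviewer would want: asymmetric visibility (traffic would only
    flow one way) and imports that no VRF on this PE exports."""
    sees = visibility(vrfs)
    all_exports = {rt for o in vrfs.values() for rt in o["export"]}
    findings = []
    for a in vrfs:
        for b in vrfs:
            if a != b and b in sees[a] and a not in sees[b]:
                findings.append(f"one-way: {a} imports {b} but {b} does not import {a}")
        unmatched = vrfs[a]["import"] - all_exports
        if unmatched:
            findings.append(f"{a} imports {sorted(unmatched)} which no VRF exports")
    return findings


if __name__ == "__main__":
    vrfs = parse_vrfs(VRF_CONFIG)
    for name, seen in visibility(vrfs).items():
        print(f"{name} receives routes from: {sorted(seen)}")
    for finding in isolation_report(vrfs):
        print("finding:", finding)
```

Run on the slide's three VRFs as transcribed, the check shows vpn_C (the central site) importing both vpn_A and vpn_B, vpn_A importing the central site, and vpn_B importing only itself, because its third import, 12457:56, matches no `route-target export` on the slide; whether that value is a transcription slip or intended is not something the page settles, which is exactly the kind of question this check is meant to raise before a change goes live.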

  • Application hosting over MPLS (diagram)

  • Application hosting over MPLS
    ip vrf vpn_cliente
     rd 12444:406
     export map direcciones_loopback
     route-target export 12444:406
     route-target import 12444:406
     route-target import 12457:1
    !
    interface GE-WAN8/2
     no ip address
     negotiation auto
     mls qos trust dscp
    !
    interface GE-WAN8/2.300
     description Conexion con HOSTING cliente
     encapsulation dot1Q 300
     ip vrf forwarding vpn_cliente
     ip address 192.168.60.254 255.255.255.0
     mls qos trust dscp
    !
    router bgp 12457
     address-family ipv4 vrf vpn_cliente_s
      redistribute connected
      redistribute static

  • Index (repeated)

  • Network management through network objects
    Supports any number of networks. Dynamic membership in a network. Rules and policies per network.

  • Access rules
    Access rules always define: an action on traffic from a user, from a source to a destination, with conditions.

  • Why use a proxy server?
    It improves the security of Internet access: user authentication, filtering of client requests, content inspection, logging of user access, hiding the details of the internal network.
    It improves Internet access performance. (diagram: ISA Server between clients and a web server)

  • Forward proxy server (diagram: client, ISA Server, web server, steps 1-6)
    Is the user allowed? Is the protocol allowed? Is the destination allowed?

  • Reverse proxy server (diagram: web server, DNS server, ISA Server, steps 1-6)
    Is the request allowed? Is the protocol allowed? Is the destination allowed?

  • Caching in ISA Server
    The ISA Server cache stores a copy of requested web content in memory or on disk. It provides: improved performance, since the information is stored locally on the ISA Server; reduced bandwidth, since there is no additional traffic to the Internet.
    Possible caching scenarios: forward caching (Internet web servers); reverse caching (internal web servers).

  • TCP/IP components affected (table)

  • What is packet filtering? (diagram: web server, ISA Server packet filter)

  • What is packet filtering? (diagram: web server, ISA Server, web server)
    Is the packet part of the connection?

  • What is application filtering? (diagram: ISA Server in front of www.contoso.com)
    Is the method allowed? Is the response allowed in content and methods? Response to the client.

  • IDS features (diagram: ISA Server alerts the administrator: port scan attack; port scan limit exceeded)

  • Filtering of network traffic in ISA Server 2004 (diagram of the layers: TCP/IP; firewall engine in kernel mode with its data pump; firewall service with application filters; web proxy filters and web filters; engine rules)
    1. Packet filtering. 2. Stateful and protocol filtering. 3. Application filtering. 4. Web proxy and web filtering.

  • Summary: implementing ISA Server 2004 as a firewall
    In an application hosting environment with MPLS: determine the network configuration perimeter; configure the rules on the different networks; configure the system policy; configure intrusion detection; configure the access rules; configure the web publishing services and policies.

  • Service publishing rules (ISA Server)
    Publishing rules apply to servers:

    Redirect the request to the internal network (DMZ). Communications based on protocol and port. Publish content using multiple protocols. Application-level filtering for protocols with application filters in ISA. Encryption support. Logging of client IP addresses.

  • Thank you very much

  • SPAM detection techniques. With the participation of Jacobo Crespo, Sybari Software

  • AGENDA
    Introduction

    Content filtering tools

    Anti-spam filters in MS Exchange Server 2003

    Intelligent Message Filter in Exchange 2003 (demo)

    Advanced Spam Manager SpamCure (demo)

  • Who are we?
    A security vendor focused on messaging:

    E-mail (Exchange); document publishing portals (SharePoint Portal Server); instant messaging servers (Live Communication Server).

    What it offers:

    Up to 8 simultaneous antivirus engines. Control of the content sent in mail (words, attachments, size, ...). Anti-spam solutions (deletion, tagging, ...). Auditing of e-mail usage (productivity, storage, bandwidth).

    In the US since 1994 and in Spain since 2000, with more than 600 customers.

  • References

  • Why anti-spam?
    2.3 billion SPAM messages circulate per day.

    A normal mailbox receives 75 messages a day, of which 52% is SPAM.

    The cost of SPAM per employee per year has been quantified at €300.

    The direct costs of SPAM are:

    Transmitting those messages: reduces bandwidth. Storing those messages: increases storage cost. Deleting or reading those messages: reduces employee productivity.

    ROI: anti-spam protection for two years for 50 employees = €1,200; €300 x 50 employees = €15,000 of annual spam cost, x2 = €30,000. Anti-spam protection for two years for 1,000 employees = €20,250; €300 x 1,000 employees = €300,000 of annual spam cost, x2 = €600,000.

  • Content filtering
    Prevents certain kinds of words and topics from being sent to or from users.

    However, it is inefficient at controlling SPAM.

    It requires continuous attention from the administrator (hours per day).

    Some simple tricks make it vulnerable. Examples: $ave, V*i*a*gr*a, Ch. There are 105 variants for the letter A alone!

    It generates many false positives. Impossible to use in certain industries.

  • Content filtering (spellings seen in spam): V I @ G R A , [email protected], \./iagra, Viiagra, V?agr?, V--i--a--g--r-a, V!agra, V1agra, VI.A.G.R.A, vi@gra, vIagr.a, via-gra, Via.gra, Vriagra, Viag*ra, vi-agra, Vi-ag.ra, v-iagra, Viagr-a, V^I^A^G^G^A, V'i'a'g'r'a', V*I*A,G,R.A, VI.A.G.R.A..., Viag\ra!, Vj@GRA, V-i:ag:ra, V'i'a'g'r'a, V/i;a:g:r:a, V i a g r @, V+i\a\g\r\a, Viag[ra, V?agra, V;I;A*G-R-A, V-i-a-g-r-a, V*I*A*G*R*A , V-i-@-g-r-a, VI@AGRA, Vi@gr@, \/^i^ag-ra, VlAGRA, V\i\a.g.r.a, V1@GRA, v_r_i_a_g_r_a, V\i\a:g:r:a, V^i^a^g^r^a, V-i-@-g-r-@, Viag(ra.

  • RBLs (Real Time Black Holes)
    RBLs are lists of alleged spammers and their domains/IP addresses. Examples: SpamCop, MAPS, SPEWS, Dorkslayers.

    They are generally run by volunteers, so there is no auditing, and they often block more than they should. Some ISPs get added even though they send legitimate mail. Getting removed from these lists can take from days to months.

    They require many whitelists to avoid generating false positives.

  • Heuristic analysis
    Uses a technique that looks for thousands of characteristics and/or words to identify SPAM and assign a score. The SPAM threshold must be adjusted periodically.

    It is used in many anti-spam products.

    Very well known to spammers: spammer websites let them check their spam against heuristic engines.

    Raising the detection level = raising the false positives.

  • Bayesian filters
    A learning system based on statistical analysis of vocabulary: lists of good and bad words.

    Needs user intervention to be effective.

    Can be very effective for individual users.

    Deliberately attacked by spammers by including good words, generally hidden inside HTML code.

  • Bayesian filters: example of random words used to evade Bayesian filters (image)
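The two Bayesian slides describe a filter that learns good and bad vocabulary and an attack that pads spam with good words. The block below is an added example, not Sybari's or Exchange's filter: a naive Bayes classifier over word presence with Laplace smoothing, trained on a constructed eight-message corpus, followed by the padding attack applied to a spam message so that the effect can be measured rather than asserted. Corpus, messages and the threshold are all constructed for the example; the lesson transfers, since the same shift happens on a real model whenever the good-word evidence outweighs the spam-word evidence.

```python
import math
import re
from collections import Counter

# Constructed training corpus (a few lines per class); a real filter trains
# on thousands of messages the user has labelled.
SPAM = [
    "buy cheap pills online now free offer",
    "free offer click now win prize money",
    "cheap loan approved click now",
    "win money now free prize",
]
HAM = [
    "meeting agenda for the project review tomorrow",
    "please send the quarterly report before the meeting",
    "project budget review and agenda attached",
    "lunch tomorrow to discuss the report",
]

WORD = re.compile(r"[a-z]+")


def tokens(text):
    """Word presence (a set), not counts: repeating a word does not add evidence."""
    return set(WORD.findall(text.lower()))


def train(spam, ham):
    """Document frequency of each word in each class, plus the class sizes."""
    return {
        "spam": Counter(t for m in spam for t in tokens(m)),
        "ham": Counter(t for m in ham for t in tokens(m)),
        "n_spam": len(spam),
        "n_ham": len(ham),
    }


def spam_probability(model, text):
    """Naive Bayes P(spam | words), Laplace-smoothed, accumulated in log space
    so long messages do not underflow. Words unseen in training are skipped:
    they carry no evidence either way."""
    vocab = model["spam"].keys() | model["ham"].keys()
    total = model["n_spam"] + model["n_ham"]
    log_spam = math.log(model["n_spam"] / total)
    log_ham = math.log(model["n_ham"] / total)
    for t in tokens(text):
        if t not in vocab:
            continue
        log_spam += math.log((model["spam"][t] + 1) / (model["n_spam"] + 2))
        log_ham += math.log((model["ham"][t] + 1) / (model["n_ham"] + 2))
    return 1.0 / (1.0 + math.exp(log_ham - log_spam))


def classify(model, text, threshold=0.5):
    return "spam" if spam_probability(model, text) >= threshold else "ham"


MODEL = train(SPAM, HAM)
SPAM_MESSAGE = "free prize money click now"
# "Good word" padding of the kind the slide describes: legitimate vocabulary
# appended to the same pitch (in real spam hidden in HTML the reader never sees).
PADDED_MESSAGE = SPAM_MESSAGE + " meeting agenda project review report the tomorrow budget"

if __name__ == "__main__":
    for msg in (SPAM_MESSAGE, PADDED_MESSAGE):
        print(f"{spam_probability(MODEL, msg):.3f}  {classify(MODEL, msg):5}  {msg}")
```

The unpadded pitch scores above 0.99; the padded copy drops below 0.5 and is delivered, which is why a Bayesian filter in practice must keep retraining on what the user marks as spam (the padded messages then teach it that "meeting" and "agenda" are weaker evidence than they looked) and why it is usually combined with the other techniques on these slides rather than used alone.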

  • Checksums
    Creates a fingerprint of known spam samples.

    The database is updated periodically.

    It is reactive: by definition, the fingerprint is created after the mail has been identified as spam.

    It can be evaded with a technique called hash busting, adding different characters inside the message.

  • Hash busting example: example of hash busting used to evade the checksum technique (image)

  • Curiosities
    Spammers are continually creating tricks and techniques to evade the different detection technologies.

    Some examples...
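The content filtering slides show the keyword spellings (V*i*a*gr*a, vi@gra, V1agra, V i a g r @) that defeat a literal word match, and the checksum slides explain that a plain hash of a known spam is defeated by injecting a few random characters. Both evasions attack the same weakness, matching on the exact bytes, and the same defence answers both: normalise before matching or hashing. The block below is an added example, not a Sybari or Exchange component: it folds common character substitutions and separators, looks for blocked terms in the folded text, and fingerprints the de-noised word set so that two hash-busted copies of one message collide while a different message does not. The substitution table, the filler heuristic and the sample messages are constructed; the blocked term is the one the slide uses.

```python
import hashlib
import re

# Character substitutions commonly used to dodge keyword filters (constructed list).
LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                      "1": "i", "3": "e", "|": "l"})
BLOCKED_TERMS = {"viagra"}   # the term the slide's examples obfuscate
VOWELS = re.compile(r"[aeiou]")


def fold(text):
    """Lowercase, undo the substitutions above and drop every non-letter, so
    V*i*a*gr*a, vi@gra, V1agra and 'V i a g r @' all fold to 'viagra'."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))


def obfuscated_matches(text):
    """Blocked terms found after folding the whole message. Word boundaries
    are deliberately ignored so spaced-out spellings are caught too; the cost
    is a false positive when a term straddles two words, so this is a scoring
    signal, not a reject-on-sight rule."""
    folded = fold(text)
    return {term for term in BLOCKED_TERMS if term in folded}


def is_filler(token):
    """Crude test for hash-busting filler: tokens with several digits, very
    long tokens, or tokens with no vowel after folding (a heuristic, not a
    dictionary check)."""
    digits = sum(c.isdigit() for c in token)
    return digits >= 2 or len(token) > 15 or not VOWELS.search(fold(token))


def content_fingerprint(message):
    """SHA-1 of the folded, de-noised word set: two copies of the same spam
    that differ only in injected filler or spelling tricks hash alike."""
    kept = set()
    for token in message.lower().split():
        if is_filler(token):
            continue
        word = fold(token)
        if len(word) >= 2:
            kept.add(word)
    return hashlib.sha1(" ".join(sorted(kept)).encode()).hexdigest()


def raw_digest(message):
    """What a plain checksum of the bytes sees: any injected character changes it."""
    return hashlib.md5(message.encode()).hexdigest()


# Constructed hash-busted pair: the same pitch with different filler and spelling.
HASH_BUSTED_1 = "Cheap V*i*a*gr*a online! Order now. xk3j9qz"
HASH_BUSTED_2 = "Cheap vi@gra online! Order now. ql8m2vwp"

if __name__ == "__main__":
    for msg in (HASH_BUSTED_1, HASH_BUSTED_2):
        print(raw_digest(msg)[:12], content_fingerprint(msg)[:12], obfuscated_matches(msg), msg)
```

The raw MD5 values of the two messages differ, the content fingerprints are identical, and both messages match the blocked term; the filler heuristic is deliberately simple, and on real mail a fingerprinting engine would also strip HTML and use several partial hashes so that one changed sentence does not invalidate the signature.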

  • Filtros AntiSpam en MS Exchange Server 2003Con la participacin de:yJacobo Crespo Sybari Software

  • The Problem

    Mail relay platform:

    The attack occurs when a malicious user breaches the platform's security in order to send bulk mail through our server.

    Recipient of spam:

    Mail is received that loads the system, reduces employee productivity and generates direct costs (backup systems, GPRS connections, bandwidth, support...)

  • Technical Problem: Relay

    Diagram labels: SMTP gateway, Exchange Front-End (relay), mailboxes, Exchange Back-End (no relay).

  • Exchange Server 2003 Solutions

    Security options for refusing relay and therefore not becoming a spam mailing platform:

    Relay blocked by default for all unauthenticated clients. Blocking by domain. Blocking by user. Blocking by machine.

  • Exchange Server 2003 Solutions

    Options for stopping received spam:

    Sender filter. Recipient filter (new). Authenticated lists (new). Real-time connection filter (new). Junk e-mail filters (new). IMF (new).

  • Exchange Server 2003 Solutions

    Sender filter (static filter): blocks messages coming from specific users.

    Recipient filter (static filter): blocks messages addressed to specific recipients.

  • Exchange 2003 Solutions

    Authenticated lists: only authenticated users are allowed to send messages to distribution lists.

  • Exchange 2003 Solutions

    Connection filters: Exchange Server 2003 checks in real time whether a server that is sending mail is stored in a database of malicious servers.

    Deploying connection filters: on a DNS server we set up a lookup zone to hold the blocked servers, e.g. [bloqueados.midominio.com], and add records of the type

    13.12.11.10 Host 127.0.0.1

    We configure a filter so that this zone is queried every time a server connection is received.

  • Connection Filter

    Diagram labels: back-end server, front-end server, DNS server.
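    The connection-filter lookup described on the preceding slides, as an added example that is not part of the original presentation or of Exchange itself. The block-list zone is a constructed in-memory table so that the example runs offline; a real deployment issues the same query against the DNS server the slide describes. The zone name bloqueados.midominio.com is taken from the slide; the reversed-octet query form is the DNS block-list convention (RFC 5782), and the 127.0.0.x answers are constructed.

```python
# Added example (not from the presentation): how an Exchange-style connection
# filter consults a DNS block-list zone.  The zone is a constructed in-memory
# table so the example runs offline; a real deployment queries the DNS server
# the slide describes (zone name bloqueados.midominio.com taken from the slide).
import ipaddress

ZONE = "bloqueados.midominio.com"

# Constructed zone content: hostname under the zone -> A record.
# DNS block-list convention (RFC 5782): the IP octets are reversed under the
# zone, so 10.11.12.13 is stored as 13.12.11.10.<zone>, and an answer in
# 127.0.0.0/8 means "listed".
ZONE_RECORDS = {
    "13.12.11.10." + ZONE: "127.0.0.1",
    "1.0.0.10." + ZONE: "127.0.0.2",
}

def query_name(ip: str, zone: str = ZONE) -> str:
    """Build the block-list query name for an IPv4 address."""
    addr = ipaddress.IPv4Address(ip)          # raises ValueError on bad input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"

def resolve_a(name: str, records: dict = ZONE_RECORDS):
    """Stand-in for the DNS A lookup: None plays the role of NXDOMAIN."""
    return records.get(name)

def is_listed(ip: str) -> bool:
    """True when the sending server is in the block list.  Only answers in
    127.0.0.0/8 count, which guards against a misconfigured zone (or a
    wildcard record) returning some other address."""
    answer = resolve_a(query_name(ip))
    return (answer is not None
            and ipaddress.IPv4Address(answer) in ipaddress.ip_network("127.0.0.0/8"))

def smtp_connection_decision(peer_ip: str) -> str:
    """What the connection filter would do with an inbound SMTP session."""
    try:
        listed = is_listed(peer_ip)
    except ValueError:
        return "tempfail: malformed peer address"
    return f"reject: listed in {ZONE}" if listed else "accept"

if __name__ == "__main__":
    for peer in ("10.11.12.13", "192.0.2.7"):
        print(peer, "->", query_name(peer), "->", smtp_connection_decision(peer))
```

    The check on the answer range matters in practice: a zone that is decommissioned and replaced by a wildcard record would otherwise start "listing" every sender, which is the over-blocking failure the RBL slide warns about.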

  • Exchange 2003 Solutions

    Junk e-mail filters on the client:

    Outlook 2003 options.

    The client has the option of configuring which mail is treated as malicious.

    The server and third-party software (Antigen) classify messages so that they go into the Junk E-mail folder.

    On connections billed per transfer this saves costs.

  • Intelligent Message Filter & Advanced Spam Manager

    With the participation of: Jacobo Crespo, Sybari Software

  • Two Engines

    Microsoft IMF: uses SmartScreen technology, a detailed set of rules that are compared against incoming mail.

    Sybari/Antigen ASM: integrates the SpamCure spam detection engine, using a combination of Bullet Signatures and the STAR engine.

  • SmartScreen Technology

    IMF distinguishes between legitimate e-mail messages and unsolicited commercial e-mail or other unwanted e-mail.

    It tracks more than 500,000 e-mail characteristics based on data from hundreds of thousands of MSN Hotmail subscribers who voluntarily participated in classifying millions of e-mail messages.

    It helps filter unwanted mail before it reaches the user's inbox.

  • SmartScreen Technology

    The database used to store the characteristics of messages classified as spam is updated with new pattern information from the sample source, which keeps the filter more effective and up to date.

    This allows a more accurate assessment of the legitimacy of an incoming e-mail message.

  • SCL: Spam Confidence Level

    IMF evaluates the content of messages looking for recognizable patterns and assigns them a rating based on the probability that the message is unsolicited commercial e-mail or other unwanted mail.

    The rating is stored in a database with the message as a property called the spam confidence level (SCL).

    Administrators configure two thresholds that determine how IMF handles e-mail messages with different SCL levels.

  • Demo: Intelligent Message Filter (IMF)

  • ASM: Antigen Advanced Spam Manager

    With the participation of: Jacobo Crespo, Sybari Software

  • Bullet Signatures

    The Bullet Signatures database is created and reviewed by a group of experts.

    Bullet Signatures are a combination of attributes unique to a particular spammer:

    A set of data extracted from the header, the subject field and the body of the message. Works for both current and future spam. Created to capture unique characteristics of the message that cannot be present in legitimate mail. Cannot be spoofed by techniques such as hash busting.

  • STAR Engine

    The STAR engine (Spammer Tricks Analysis and Response) looks for specific spammer tricks and techniques.

    It uses the Bullet Signatures to look for specific spamming methods.

    It is updated automatically when a new version of the engine is released.

    It is designed from the start to support any language, including double-byte ones.

  • One + One = THREE

    Suppose we receive 10,000 spam messages. If IMF analyses first, the total spam would be reduced to 1,500 (85% detection). SpamCure then scans the remaining mail and would detect 95% of those 1,500, which leaves 75 spam messages that we would actually receive.

  • Combining Technologies

    The IMF engine analyses messages first. An SCL rating is applied to each message. It then passes through ASM, which also analyses the message. ASM will never lower the IMF rating.
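    The heuristic scoring, the SCL with its two administrator thresholds, and the "second engine never lowers the rating" pipeline from the slides above, brought together in one added example that is not part of the original presentation and not Microsoft's or Sybari's code. Engine 1 is a small rule-based scorer standing in for IMF; engine 2 is a plain substring signature match standing in for ASM. The rules, weights, thresholds, signature and messages are all constructed; the example also shows the false-positive cost of lowering a threshold.

```python
# Added example (not from the presentation, Microsoft or Sybari): a toy model
# of the two-engine pipeline.  A rule-based heuristic engine (engine 1, in
# the role of IMF) turns a message into an SCL rating 0-9; a signature engine
# (engine 2, in the role of ASM) may raise the rating but never lower it; the
# two administrator thresholds then decide the action.  Rules, weights,
# thresholds and messages are constructed for the example.
import re

# Constructed heuristic rules: (name, pattern over subject and body, weight)
RULES = [
    ("all_caps_subject", re.compile(r"^[A-Z !]{10,}$", re.MULTILINE), 2),
    ("money_words", re.compile(r"\b(?:free|money|prize|winner)\b", re.IGNORECASE), 2),
    ("click_here", re.compile(r"click here", re.IGNORECASE), 1),
    ("many_exclaims", re.compile(r"!{3,}"), 1),
    ("unsubscribe", re.compile(r"unsubscribe", re.IGNORECASE), 1),
    ("ip_literal_url", re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}"), 3),
]
MAX_SCORE = sum(w for _, _, w in RULES)  # 10

def heuristic_scl(message: str) -> int:
    """Engine 1: add the weights of the matching rules, scale to SCL 0..9."""
    score = sum(w for _, rx, w in RULES if rx.search(message))
    return round(9 * score / MAX_SCORE)

def signature_scl(message: str, scl_in: int, signatures) -> int:
    """Engine 2: a signature hit forces SCL 9; otherwise the incoming
    rating is kept.  In no case is the rating lowered."""
    return 9 if any(sig in message for sig in signatures) else scl_in

def action_for(scl: int, gateway_threshold: int, store_threshold: int) -> str:
    """At or above the gateway threshold the message is stopped at the
    gateway; at or above the store threshold it goes to Junk E-mail;
    otherwise to the Inbox."""
    if scl >= gateway_threshold:
        return "gateway: reject"
    if scl >= store_threshold:
        return "store: junk folder"
    return "store: inbox"

def classify(message: str, gateway_threshold: int = 8, store_threshold: int = 5,
             signatures=()) -> tuple:
    """(SCL after engine 1, SCL after engine 2, resulting action)."""
    scl1 = heuristic_scl(message)
    scl2 = signature_scl(message, scl1, signatures)
    return scl1, scl2, action_for(scl2, gateway_threshold, store_threshold)

# Constructed messages (first line is the subject)
SPAM = ("WIN FREE MONEY NOW!!!\n"
        "Click here http://192.0.2.10/claim to collect your prize!!!")
NEWSLETTER = ("Weekly digest\n"
              "This week's free webinar covers cloud security. To unsubscribe, click here.")
HAM = "Meeting tomorrow\nPlease review the attached agenda."
SIGNATURE_SPAM = "hello\nsee offer-9f3k for details"   # matches no heuristic rule
SIGNATURES = ("offer-9f3k",)                            # constructed signature

if __name__ == "__main__":
    for name, msg in [("spam", SPAM), ("newsletter", NEWSLETTER), ("ham", HAM)]:
        print(name, classify(msg))
    # Lowering the store threshold raises detection and with it the false positives
    print("newsletter, store threshold 4:", classify(NEWSLETTER, store_threshold=4))
    print("signature-only spam:", classify(SIGNATURE_SPAM, signatures=SIGNATURES))
```

    The newsletter scores SCL 4 because it trips three weak rules; at the default store threshold of 5 it reaches the Inbox, and lowering that threshold by one point moves it to Junk E-mail. The signature-only message scores 0 with the heuristics and is caught solely by engine 2, which is the complementary coverage the "One + One = THREE" slide argues for.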

  • Summary

    Two spam detection systems for greater effectiveness. Minimal human intervention. Easy to install and configure. Integration between client and server. 99% detection rate, far higher than any technology can offer by itself.

  • Demo: Advanced Spam Manager. SpamCure technology

  • References

    LSSI: http://www.lssi.es
    MS ISA Server 2004: http://www.microsoft.com/spain/servidores/isaserver
    Exchange Server 2003: http://www.microsoft.com/spain/exchange
    Message Screener: http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/smtpfilter.mspx
    TechNet: http://www.microsoft.com/spain/technet
    Sybari: http://www.sybari.com
    Informática 64: http://www.informatica64.com

  • Questions?

  • Contacts

    Jacobo Crespo - Sybari [email protected]

    Chema Alonso - Informática 64 [email protected]

    José Parada Gimeno - [email protected]

  • Local Contact

    CDROM, S.A. Systems and Telecommunications Services. Microsoft Certified Partner. Information Systems Security Area.

    www.cdromsa.es Jose Luis Yago ([email protected])

  • Upcoming Sessions

    Protection against poisoning techniques on data networks with Windows 2003. 30 minutes.

    The operation of poisoning and ARP spoofing techniques on data networks will be shown. The impact of these techniques and the protection against them will be analysed.

    Encryption and authentication of connections with IPSec on Windows 2003 networks. 30 minutes.

    The operation, architecture and deployment of IPSec will be analysed. A demonstration of encrypting and authenticating connections to servers using GPO security policies will be given.

    Hardening Windows 2003 servers. 30 minutes.

    The use of the security templates from the Baseline program will be shown, along with how policy analysis works for checking effective policies.

    Coffee.

    Configuring mobility services in Exchange 2003. 25 minutes.

    The OWA 2003, OMA and ActiveSync services of Exchange 2003 will be shown. A demonstration of a GPRS connection to OMA services from a mobile phone will be given.

    Secure connections with RPC/HTTPS. 20 minutes.

    The encryption options for RPC/HTTPS communications will be analysed, so as to allow traffic analysis by antivirus/anti-spam engines.

    Anti-spam solutions for Exchange 2003. 45 minutes.

    The anti-spam filtering options based on Message Screener, static filters, connection filters, Intelligent Message Filter, Bullet Signatures and fingerprinting will be analysed. A demonstration of connection filters, Intelligent Message Filter and Bullet Signatures/fingerprinting will be given.

    The bullets are just examples of the three main motives. Be sure to exemplify most of them. Invite participants to come up with other motives and see if they fit into the three top categories.

    There's no direct relationship between threats and motives; basically any mix is possible. However, the teen hackers are mostly hacking for personal motives. Criminals almost exclusively do it for economic gain. It is difficult to deceive

    Look at the Apache version that came out when IIS 6.0 did and compare vulnerabilities. Windows 2003 with IIS 6.0 came out on 24 April 2003, almost two years ago. It only has 2 vulnerabilities. In April 2003 Apache 2.050 came out.

    Nail down source of slide (FBI/CSI?)

    Authentication: verifies the origin and integrity of a message by assuring the genuine identity of each computer. Without strong authentication, an unknown computer and any data it sends is suspect. IPSec provides multiple methods of authentication, ensuring compatibility with legacy systems, remote computers, and computers running other operating systems.

    Integrity: protects data from unauthorized modification in transit, ensuring that the data received is exactly the same as the data sent. Hash functions sign each packet with a cryptographic checksum, which the receiving computer checks before opening the packet. If the packet (and therefore the signature) has changed, the packet is discarded.

    Confidentiality (encryption): ensures that data is disclosed only to intended recipients. This is achieved by encrypting the data before transmission. It ensures that the data cannot be read during transmission, even if the packet has been monitored or intercepted. Only the parties with the shared secret key can decrypt and read the data. This property is optional and is dependent upon IPSec policy settings.

    Anti-replay (also called replay prevention): provides for the uniqueness of each IP packet. Anti-replay ensures that data intercepted by an attacker cannot be reused or replayed to establish a session or illegally gain information or access to resources.

    Limited traffic flow confidentiality: IPSec encryption of the IP packet contents includes the protocol headers that appear after the IP header in normal, unsecured IP packets (e.g. TCP port 80). Thus an IPSec ESP-encrypted packet does not show the type of traffic that is being secured. However, since IPSec is defined to secure an IP packet, the behavior of the upper-layer protocol is preserved in terms of the size and timing of packets sent and received. IPSec encryption could also be used to add extra data to packets to change their length, so that attackers have a more difficult time determining the role of a packet in an upper-layer protocol (e.g. a TCP ACK). And IPSec allows many traffic types to be secured in the same way (e.g. all TCP and UDP traffic secured by the same IPSec security association). However, the IPSec architecture does not provide strong protection against traffic analysis, that is, sophisticated observation techniques used to guess what protocol and data is being carried. So it is expected that an attacker could, in some cases, discover which protocol is being secured by observing the flow of IPSec-protected packets.

    By its design, TCP/IP is an open protocol created to connect heterogeneous computing environments with the least amount of overhead possible. As is often the case, interoperability and performance design goals do not generally result in security, and TCP/IP is no exception to this. TCP/IP provides no native mechanism for the confidentiality or integrity of packets. To secure TCP/IP, you can implement IP Security.

    IPSec implements encryption and authenticity at a lower level in the TCP/IP stack than application-layer protocols such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS). Because the protection process takes place lower in the TCP/IP stack, IPSec protection is transparent to applications. IPSec is a well-defined, standards-driven technology.

    The IPSec process encrypts the payload after it leaves the application at the client and then decrypts the payload before it reaches the application at the server. An application does not have to be IPSec aware, because from the application's point of view the data exchanged between the client and the server is the same plaintext it would normally send. IPSec is comprised of two protocols that operate in two modes with three different authentication methods. IPSec is policy driven and can be deployed centrally by using Group Policy.

    To deploy IPSec, you must determine the:

    Protocol

    Mode

    Authentication methods

    Policies

    IPSec can be initiated by either the sending host or the receiving host. The two hosts or endpoints enter into a negotiation that will determine how the communication will be protected. The negotiation is completed in IKE, and the resulting agreement is a set of security associations, or SAs.

    The SA is used until the two hosts or endpoints cease communication, even though the keys used might change. A computer can have many SAs. The SA for each packet is tracked using the Security Parameters Index (SPI).

    IKE is a part of the IPsec suite; its function is to allow any two IPsec-capable computers to securely agree on a shared encryption key without exposing the key to MITM attackers or eavesdroppers. IKE actually implements portions of two related protocols: the Internet Security Association Key Management Protocol (ISAKMP; see RFC 2409) and the OAKLEY protocol for key determination (see RFC 2412). The connection between two IPsec-capable endpoints is called a security association, or SA.

    SA setup actually takes place in two phases. In the first phase (also known as main mode) the two ends authenticate one another's identities and generate a Main Mode SA. Think of the Main Mode SA as a master SA: all other communications between the two machines will happen after ISAKMP negotiations take place, and these negotiations are carried over the Main Mode SA. The Main Mode key can be derived using three mechanisms:

    Kerberos: this is the default IPsec authenticator in Windows IPsec. The Kerberos authentication package uses the machine account generated for each computer in an Active Directory domain. The primary benefit of this approach is that as long as the machine accounts stay in synchronization across the domain, IPsec works with no fiddling. However, you can only use Kerberos authentication with machines in the same Active Directory forest.

    X.509 certificates: because each certificate is associated with a public/private key pair, it's natural to leverage them as an authenticator for IPsec. The catch is that you have to issue certificates to each machine that you want to access your network, and you must ensure that all CAs from which those certificates are issued chain to a common (and trusted) root CA.

    Preshared keys: with preshared keys, each endpoint must have the same shared secret key. This is a terrible idea from a security standpoint, as we'll discuss a bit later.

    Once these negotiations are complete, IKE phase 2 (also known as quick mode) kicks in. Quick Mode SAs default to a lifetime of five minutes or 100 MB of traffic; that means that on an IPsec-protected connection, the session key used to protect the actual traffic is only used for five minutes or 100 MB, whichever comes first. (However, the predefined IPsec filters included in the standard policies have a lifetime of 15 minutes.) The master SA key, however, is good for a default lifetime of eight hours. Quick Mode SAs protect traffic on a specific source/destination/protocol/port combination, so there can be several of them for each Main Mode SA between a pair of machines.

    As mentioned, IPSec is comprised of two protocols: IPSec Authentication Header (AH) and IPSec Encapsulating Security Payload (ESP). Each protocol provides different services; AH primarily provides packet integrity services, while ESP provides packet confidentiality services. IPSec provides mutual authentication services between clients and hosts, regardless of whether AH or ESP is being used.

    IPSec AH provides authentication, integrity, and anti-replay protection for the entire packet, including the IP header and the payload. AH does not provide confidentiality. When packets are secured with AH, the IPSec driver computes an Integrity Check Value (ICV) after the packet has been constructed but before it is sent. With Windows 2000 and Windows XP, you can use either the HMAC SHA1 or HMAC MD5 algorithm to compute the ICV. Figure 9-3 shows how AH modifies an IP packet. The fields in an AH packet include these:

    Next Header: indicates the protocol ID for the header that follows the AH header. For example, if the encrypted data is transmitted using TCP, the next header value would be 6, which is the protocol ID for TCP.

    Length: contains the total length of the AH.

    Security Parameters Index (SPI): identifies the security association (the IPSec agreement between two computers) that was negotiated in the Internet Key Exchange (IKE) protocol exchange between the source computer and the destination computer.

    Sequence Number: protects the AH-protected packet from replay attacks, in which an attacker attempts to resend a packet he has previously intercepted, such as an authentication packet, to another computer. For each packet issued for a specific security association (SA), the sequence number is incremented by 1, so that each packet is assigned a unique sequence number. The recipient computer verifies each packet to ensure that a sequence number has not been reused. The sequence number prevents an attacker from capturing packets, modifying them, and then retransmitting them later.

    Authentication Data: contains the ICV created over the signed portion of the AH packet by using either HMAC SHA1 or HMAC MD5. The recipient performs the same integrity algorithm and compares the result with the value stored in the Authentication Data field to ensure that the signed portion of the AH packet has not been altered in transit. Because the TTL, Type of Service (TOS), Flags, Fragment Offset, and Header Checksum fields are not used in the ICV, packets secured with IPSec AH can cross routers, which may change these fields.

    Using ESP: ESP packets are used to provide encryption services to transmitted data. In addition, ESP provides authentication, integrity, and anti-replay services. When packets are sent using ESP, the payload of the packet is encrypted and authenticated. In Windows 2000 and Windows XP, the encryption is done with either Data Encryption Standard (DES) or 3DES, and the ICV calculation is done with either HMAC SHA1 or HMAC MD5.
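    The AH Integrity Check Value and sequence-number checks described above, as an added example that is not part of the original notes or of the Windows IPSec driver: a constructed IPv4 packet is wrapped in an AH header, the ICV is computed with HMAC-SHA1-96 (RFC 2404) over the packet with the mutable IP header fields (TOS, Flags/Fragment Offset, TTL, Header Checksum) zeroed, and verification is repeated after a simulated router TTL decrement and after a payload change. A small sliding window models the anti-replay check. The key, addresses, SPI and payload are constructed; a real stack also handles fragmentation and the IP header checksum, which this example leaves at zero.

```python
# Added example (not from the presentation): computing and verifying the
# IPSec AH Integrity Check Value over a constructed IPv4 packet.  As the text
# says, mutable IP header fields (TOS, Flags/Fragment Offset, TTL, Header
# Checksum) are zeroed for the HMAC, so a router changing TTL does not break
# the ICV, while any change to the payload does.  A sliding window rejects
# replayed sequence numbers.  The key and packet bytes are constructed.
import hmac
import hashlib
import struct

KEY = b"constructed-demo-key-not-for-real-use"
ICV_LEN = 12            # HMAC-SHA1-96: 96-bit truncated ICV (RFC 2404)
AH_PROTO = 51           # IP protocol number of AH

def ipv4_header(src, dst, proto, total_len, ttl=64, tos=0, checksum=0):
    """Build a 20-byte IPv4 header (checksum left at zero in this example)."""
    ver_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, total_len, 0x1234,
                       0x4000, ttl, proto, checksum, bytes(src), bytes(dst))

def zero_mutable(ip_hdr: bytes) -> bytes:
    """Copy of the IP header with TOS, Flags+Fragment Offset, TTL and
    Header Checksum set to zero: the immutable-fields view AH signs."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # TOS
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)

def ah_header(next_header, spi, seq, icv=b"\x00" * ICV_LEN):
    # Payload Len is the AH length in 32-bit words minus 2: (12 + 12) / 4 - 2 = 4
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv

def compute_icv(ip_hdr, next_header, spi, seq, payload, key=KEY):
    """HMAC over immutable IP header + AH header (ICV zeroed) + payload."""
    data = zero_mutable(ip_hdr) + ah_header(next_header, spi, seq) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def build_ah_packet(src, dst, next_header, spi, seq, payload, ttl=64):
    total = 20 + 24 + len(payload)
    ip_hdr = ipv4_header(src, dst, AH_PROTO, total, ttl=ttl)
    icv = compute_icv(ip_hdr, next_header, spi, seq, payload)
    return ip_hdr + ah_header(next_header, spi, seq, icv) + payload

def verify_ah_packet(packet: bytes, key=KEY) -> bool:
    """Recompute the ICV from the received bytes and compare in constant time."""
    ip_hdr, ah = packet[:20], packet[20:44]
    next_header, _plen, _reserved, spi, seq = struct.unpack("!BBHII", ah[:12])
    received_icv, payload = ah[12:24], packet[44:]
    expected = compute_icv(ip_hdr, next_header, spi, seq, payload, key)
    return hmac.compare_digest(received_icv, expected)

class ReplayWindow:
    """Anti-replay check for one SA: accept each sequence number once,
    within a sliding window of `size` below the highest number seen."""
    def __init__(self, size=64):
        self.size, self.highest, self.seen = size, 0, set()

    def accept(self, seq: int) -> bool:
        if seq <= self.highest - self.size or seq in self.seen:
            return False
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s > self.highest - self.size}
        return True

def demo() -> tuple:
    """(original verifies, TTL-decremented copy verifies, tampered copy verifies)."""
    src, dst = b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02"   # 10.0.0.1 -> 10.0.0.2
    pkt = build_ah_packet(src, dst, 6, spi=0x1000, seq=1,
                          payload=b"GET / HTTP/1.0\r\n\r\n")
    routed = bytearray(pkt)
    routed[8] -= 1            # a router decrements TTL: still verifies
    tampered = bytearray(pkt)
    tampered[-1] ^= 0x01      # payload modified in transit: fails
    return (verify_ah_packet(pkt), verify_ah_packet(bytes(routed)),
            verify_ah_packet(bytes(tampered)))

if __name__ == "__main__":
    print("original / routed / tampered:", demo())
```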

    TIP: when designing an IPSec solution, you can combine the AH and ESP protocols in a single IPSec SA. Although both AH and ESP provide integrity protection to transmitted data, AH protects the entire packet from modification, while ESP protects only the IP payload from modification.

    IP Security (IPSec) is implemented at the Network layer (Layer 3) of the Open Systems Interconnection (OSI) model. This provides protection for all IP and upper-layer protocols in the TCP/IP protocol suite. The primary benefit of securing information at Layer 3 is that all programs and services using IP for data transport can be protected.

    IPSec does not disturb the original IP header and can be routed as normal IP traffic. Routers and switches in the data path between the communicating hosts simply forward the packets to their destination. However, when there is a firewall or gateway in the data path, IP forwarding must be enabled at the firewall for the following IP protocols and UDP ports:

    IP Protocol ID 50: for both inbound and outbound filters. Should be set to allow Encapsulating Security Payload (ESP) traffic to be forwarded.

    IP Protocol ID 51: for both inbound and outbound filters. Should be set to allow Authentication Header (AH) traffic to be forwarded.

    UDP Port 500: for both inbound and outbound filters. Should be set to allow ISAKMP traffic to be forwarded.

    L2TP/IPSec traffic looks just like IPSec traffic on the wire. The firewall just has to allow IKE (UDP 500) and IPSec ESP-formatted packets (IP protocol 50). It may be necessary to allow Kerberos traffic through the firewall; if so, UDP port 88 and TCP port 88 would also need to be forwarded.

    For more information, view the following articles in the Microsoft Knowledge Base:

    Traffic That Can--and Cannot--Be Secured by IPSec (http://support.microsoft.com/default.aspx?scid=kb;EN-US;253169)

    Overview of Secure IP Communication with IPSec in Windows 2000 (http://support.microsoft.com/default.aspx?scid=kb;en-us;231585)

    IPSec policies, rather than applications, are used to configure IPSec services. The policies provide variable levels of protection for most traffic types in most existing networks. IPSec policies are based on your organization's guidelines for secure operations. There are two storage locations for IPSec policies:

    Active Directory

    The registry on a local computer

    You can configure IPSec policies to meet the security requirements of a domain, site, or organizational unit for an Active Directory domain. IPSec policy can also be implemented in a non-Active Directory domain environment by using local IPSec policies.

    IPSec policies are based on IP filter lists and IP filter actions.

    An IP filter list is a list of protocols and ports. For example, you can create a filter list entry that matches all computers gaining access to TCP port 80 on the local interface. Another entry in the same filter list might match access to TCP port 25 on the local interface, and a third filter list entry might match access to User Datagram Protocol (UDP) port 53 on the local interface. If a packet that arrives on the computer interface has a matching entry on the filter list, IPSec Policy Agent applies the filter action that you assign to the filter list. For example, if you assign a Block filter action to the above filter list, any packet that is destined for TCP port 80, TCP port 25, or UDP port 53 is blocked. However, if you assign a Permit filter action to the above filter list, the packets that are destined for TCP port 80, TCP port 25, or UDP port 53 are allowed. You can use IPSec filter lists and filter actions as an effective method of access control on all interfaces. Note that IPSec policies are applied to all interfaces on a multiple-homed computer. There is no procedure that you can use to allow selective application of IPSec policies to a particular interface. Note: for information on how to create IPSec policies, go to http://support.microsoft.com/default.aspx?scid=kb;en-us;313190.

    Filter actions: for each filter rule, you must choose a filter action. The filter action defines how the traffic matched by the IP filter will be handled by the filter rule.

    Permit: allows packets to be transmitted without IPSec protection. For example, Simple Network Management Protocol (SNMP) includes support for devices that might not be IPSec aware. Enabling IPSec for SNMP would cause a loss of network management capabilities for these devices. In a highly secure network, you could create an IPSec filter for SNMP and set the IPSec action to Permit to allow SNMP packets to be transmitted without IPSec protection.

    Block: discards packets. If the associated IPSec filter is matched, all packets with the block action defined are discarded.

    Negotiate Security: allows an administrator to define the desired encryption and integrity algorithms to secure data transmissions if an IPSec filter is matched.

    Selecting an IPSec authentication method: during the initial construction of the IPSec session (also known as the Internet Key Exchange, or IKE), each host or endpoint authenticates the other host or endpoint. When configuring IPSec, you must ensure that each host or endpoint supports the same authentication methods. IPSec supports three authentication methods:

    Kerberos

    X.509 certificates

    Preshared key

    Authenticating with Kerberos: in Windows 2000 and Windows XP, Kerberos is used for IPSec mutual authentication by default. For Kerberos to be used as the authentication protocol, both hosts or endpoints must receive Kerberos tickets from the same Active Directory directory service forest. Thus, you should choose Kerberos for IPSec authentication only when both hosts or endpoints are within your own organization. Kerberos is an excellent authentication method for IPSec because it requires no additional configuration or network infrastructure.

    IMPORTANT

    Some types of traffic are exempted by default from being secured by IPSec, even when the IPSec policy specifies that all IP traffic should be secured. The IPSec exemptions apply to Broadcast, Multicast, Resource Reservation Setup Protocol (RSVP), IKE, and Kerberos traffic. Kerberos is a security protocol itself, can be used by IPSec for IKE authentication, and was not originally designed to be secured by IPSec. Therefore, Kerberos is exempt from IPSec filtering. To remove the exemption for Kerberos and RSVP, set the value NoDefaultExempt to 1 in the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC, or use the Nodefaultexempt.vbs script located in the Tools\Scripts folder on the CD included with this book.

    Authenticating with X.509 certificates: you can use X.509 certificates for IPSec mutual authentication of hosts or endpoints. Certificates allow you to create IPSec-secured sessions with hosts or endpoints outside your Active Directory forests, such as business partners in extranet scenarios. You also must use certificates when using IPSec to secure VPN connections made by using Layer Two Tunneling Protocol (L2TP). To use certificates, each host must be able to validate that the other's certificate is valid.

    Authenticating with a preshared key: you can use a preshared key, which is a simple, case-sensitive text string, to authenticate hosts or endpoints. Preshared key authentication should be used only when testing or troubleshooting IPSec connectivity, because the preshared key is not stored in a secure fashion by hosts or endpoints.

    Automatic Enrollment for Computer Certificates

    You can specify automatic enrollment and renewal for computer certificates. When auto-enrollment is configured, the specified certificate types are issued automatically to all computers within the scope of the public-key Group Policy. Computer certificates that are issued by auto-enrollment are renewed automatically from the issuing CA. Auto-enrollment does not function unless at least one enterprise CA is online to process certificate requests.

    To enable Kerberos IPSec protection:

    Add the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC

    Add the value NoDefaultExempt (note that this name is case sensitive). Data Type: REG_DWORD. Data Value: 1

    1 = RSVP and Kerberos are not exempted (only IKE, Multicast, and Broadcast are exempted)
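    The filter-list evaluation, the three filter actions and the default exemptions described in the notes above (including the effect of NoDefaultExempt=1), as one added example that is not part of the original notes or of the Windows IPSec Policy Agent. The model keeps a single first-match pass over the rules and treats only 255.255.255.255 as broadcast, both simplifications; Windows orders its filters from most specific to least specific and also recognises subnet-directed broadcasts. The filter list (TCP 80, TCP 25, UDP 53) is the one from the text; the policy, addresses and packets are constructed.

```python
# Added example (not from the presentation or from Windows itself): a model
# of how an IPSec policy evaluates a packet against its filter lists and
# filter actions, including the default exemptions listed in the text
# (broadcast, multicast, RSVP, IKE, Kerberos) and the effect of setting
# NoDefaultExempt=1.  Windows orders filters from most specific to least
# specific; this model keeps a single first-match pass for clarity, and only
# treats 255.255.255.255 as broadcast.  Filters and packets are constructed.
import ipaddress
from dataclasses import dataclass

PROTO_TCP, PROTO_UDP, PROTO_RSVP = 6, 17, 46
IKE_PORT, KERBEROS_PORT = 500, 88

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dst_port: int = 0

@dataclass(frozen=True)
class Filter:
    """One IP filter list entry: protocol plus destination port (0 = any)."""
    proto: int
    dst_port: int = 0

    def matches(self, pkt: Packet) -> bool:
        return pkt.proto == self.proto and self.dst_port in (0, pkt.dst_port)

@dataclass(frozen=True)
class Rule:
    filters: tuple   # the IP filter list
    action: str      # "Permit", "Block" or "Negotiate"

def is_default_exempt(pkt: Packet, no_default_exempt: int = 0) -> bool:
    """Traffic IPSec passes through before any rule is consulted.  With
    NoDefaultExempt=1 only IKE, multicast and broadcast remain exempt."""
    dst = ipaddress.IPv4Address(pkt.dst)
    if dst.is_multicast or dst == ipaddress.IPv4Address("255.255.255.255"):
        return True
    if pkt.proto == PROTO_UDP and pkt.dst_port == IKE_PORT:
        return True
    if no_default_exempt == 1:
        return False
    if pkt.proto == PROTO_RSVP:
        return True
    return pkt.proto in (PROTO_TCP, PROTO_UDP) and pkt.dst_port == KERBEROS_PORT

def evaluate(policy, pkt: Packet, no_default_exempt: int = 0) -> str:
    """Return the filter action applied to the packet, "Exempt" for
    default-exempt traffic, or "Permit" when no filter matches (unmatched
    traffic is sent without IPSec)."""
    if is_default_exempt(pkt, no_default_exempt):
        return "Exempt"
    for rule in policy:
        if any(f.matches(pkt) for f in rule.filters):
            return rule.action
    return "Permit"

# Constructed policy: the three-entry filter list from the text with a Block
# action, then "negotiate security" for all remaining TCP traffic.
WEB_MAIL_DNS = (Filter(PROTO_TCP, 80), Filter(PROTO_TCP, 25), Filter(PROTO_UDP, 53))
POLICY = [
    Rule(WEB_MAIL_DNS, "Block"),
    Rule((Filter(PROTO_TCP),), "Negotiate"),
]

def demo() -> dict:
    """Each case evaluated with NoDefaultExempt at its default and at 1."""
    host = "10.0.0.5"
    cases = {
        "http":      Packet(host, "10.0.0.1", PROTO_TCP, 80),
        "dns":       Packet(host, "10.0.0.1", PROTO_UDP, 53),
        "smb":       Packet(host, "10.0.0.1", PROTO_TCP, 445),
        "ntp":       Packet(host, "10.0.0.1", PROTO_UDP, 123),
        "ike":       Packet(host, "10.0.0.1", PROTO_UDP, 500),
        "multicast": Packet(host, "224.0.0.251", PROTO_UDP, 5353),
        "kerberos":  Packet(host, "10.0.0.1", PROTO_TCP, 88),
        "rsvp":      Packet(host, "10.0.0.1", PROTO_RSVP),
    }
    return {name: (evaluate(POLICY, p), evaluate(POLICY, p, no_default_exempt=1))
            for name, p in cases.items()}

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} default={result[0]:10s} NoDefaultExempt=1: {result[1]}")
```

    The interesting rows are kerberos and rsvp: exempt with the default setting, they fall under the normal rules once NoDefaultExempt is 1, so Kerberos to a domain controller becomes "Negotiate" under this policy. That is the point of the IMPORTANT note above, and also why the firewall notes earlier mention forwarding UDP/TCP 88 separately.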

    Note: for information on IPSec and Kerberos traffic between domain controllers, go to http://support.microsoft.com/default.aspx?scid=kb;en-us;254728.

    Introduction: implementing Group Policy on a domain provides the network administrator with control over computer configurations throughout the network.

    Telia VIP allows VPNs to be created over the MPLS protocol. This protocol natively gives visibility of all the IP networks that make up the IP-VPN, but in addition, compared with other kinds of topology, MPLS makes it possible to optimise certain types of scenario:

    INTERNET CONNECTION: since this network topology understands IP, for traffic destined to a public address, that is, one not belonging to the VPN, a default route can be introduced in each CPE towards another device that has the Internet connection. IT IS NOT NECESSARY FOR ALL INTERNET TRAFFIC TO PASS THROUGH THE HEAD OFFICE. That virtual connection... is physically a router that only implements NAT and small filtering functions based on access lists. It has two connections: one towards the VPN, over which it receives traffic from any of the branches or the head office, and a second connection to the Internet.

    Note that we have chosen not to use the redistribute connected command, in order to keep the VRF tables of the VPNs clean. This command is normally configured to ease troubleshooting, since by redistributing the directly connected routes into the VPN it becomes possible to reach the customer's servers with a PING from the PE, the source of the packets then being the link address. By not configuring it, besides having fewer entries in the VPN's VRF table (fewer total prefixes in M-BGP), we increase security, since we give connectivity only to the servers on the LAN. Troubleshooting in this case has to be done from the CPE, with extended pings sourced from the CPE's LAN.

    Since this network topology understands IP, for traffic destined to a public address, that is, one not belonging to the VPN, a default route can be introduced in each CPE towards another device that has the Internet connection. IT IS NOT NECESSARY FOR ALL INTERNET TRAFFIC TO PASS THROUGH THE HEAD OFFICE, as happens with the FR/ATM topologies mentioned in earlier sections. In those, two PVCs are usually defined: one for all the inbound traffic coming from each of the branches and another outbound one for access to external services. This doubles the bandwidth needed at the head office, which MPLS saves us, with the reduction in access-line costs that this brings. We can see that it is a much less flexible and scalable solution than the one presented in the previous figure, where the bandwidth consumption is borne by the operator. Moreover, the connection that the operator offers us in this scenario will be connected to its IP backbone, so it is as if we were directly connected to the Internet.

    Now, if the SME needs a complete, professional solution, given that we already have the second level of firewall in the network (described in the previous section) for the set of services in our intranet, it is time to introduce the first level of firewall, the one that connects us to the Internet, which we can also place in housing/hosting at the operator's node. In it we will implement restrictions on our employees' Internet access, restriction of the ports liable to be attacked, and even a demilitarised zone (DMZ) where we will install web servers, machines hosting customer-facing e-commerce applications, etc. Likewise the set of address translation (NAT) rules will be implemented according to the firewall's deployment mode. Altogether, bringing together all the aspects seen, we obtain a fully secure structure for our applications and for access to them, thanks to the combination of a VPN over MPLS with a firewall.

ISA Server 2004 supports multi-networking. This means that you can configure an unlimited number of networks on ISA Server. You can then configure access rules to manage the flow of network traffic between all of the networks.

What is multi-networking?

Multi-networking means that you can configure multiple networks on ISA Server, and then configure network and access rules that inspect and filter all network traffic between all networks.

Multi-networking examples

Multi-networking enables flexible options for network configuration. One of the most common network configurations is a three-legged firewall where you create three networks:
- The servers that are accessible from the Internet are usually isolated on their own network, such as a perimeter network.
- The internal client computers and servers that are not accessible from the Internet are located on an internal network.
- The third network is the Internet.

ISA Server multi-networking functionality supports this configuration. You can configure how clients on the corporate network access the perimeter network, and how external clients access the network. You can also configure the relationships between the various networks, defining different access policies between each network.

You might also want to configure a more complicated network environment. For example, you might have two different categories of servers that need to be accessible from the Internet. Perhaps you are deploying some servers that are domain members and other servers that are stand-alone servers. The domain members need to be able to communicate with domain controllers that are located on your internal network. In this scenario, you could configure a second perimeter network for the servers that need to be members of the domain. Because ISA Server supports per-network policies, you can configure two different policies for access from the perimeter networks to the internal networks.

You might also need a second internal network. You might have a group of client computers that needs to access the Internet using a different application or with different security rules than the other client computers. You can create an additional internal network and configure specific Internet access rules for each network.

Multi-networking features

ISA Server 2004 supports several multi-networking features:
- You can create an unlimited number of networks on ISA Server.
- The VPN Clients and Quarantined VPN Clients networks are represented as networks, which means you can configure network access policies for the traffic flowing from these networks to the other networks.
- A client's membership in a network is automatically assigned. A computer becomes a member of a network based on its IP address (in the case of local area network [LAN]-connected clients) or based on its connection method (in the case of VPN clients).
- You can configure network rules that specify a route or Network Address Translation (NAT) relationship between networks.
- You can configure per-network access policies so that each network's interaction with other networks can be unique.
- You can group several networks together into network sets, which means that you can define an access policy that applies to an entire network set.

Access rules determine how clients on a source network can access resources on a destination network.
To enable access to Internet resources for users on your internal network, you need to configure an access rule that enables this access.

Access rule format

Access rules are used to configure all traffic flowing through ISA Server, including all traffic from the internal network to the Internet, and from the Internet to the internal network. All access rules have the same overall structure, as shown in the following table.

Access rules define:
- An action: Access rules are always configured to either allow or deny access.
- To be performed on specified traffic: Access rules can be applied to specific protocols or port numbers.
- From a particular user: Access rules can be applied to specific users or all users, whether they have authenticated or not.
- Coming from a particular computer: Access rules can be applied to specific computers based on their network locations or IP addresses.
- Going to a particular destination: Access rules can be applied to specific destinations, including networks, destination IP addresses, and destination sites.
- Based on particular conditions: Access rules can set additional conditions, including schedules and content-type filtering.

A proxy server is a server that is situated between a client application, such as a Web browser, and a server that the client is connecting to. All client requests and all server responses pass through the proxy server. A proxy server can provide enhanced security and performance for Internet connections.

Improving Internet access security

The most important reason for using a proxy server is to make the user's connection to the Internet more secure. Proxy servers make the Internet connection more secure in the following ways:
- User authentication. When a user requests a connection to an Internet resource, the proxy server can require that the user authenticate, either by forcing the user to enter a user name and password or by using the cached credentials stored on the client computer. The proxy server can then grant or deny access to the Internet resource based on the authenticated user.
- Filtering client requests. The proxy server can use multiple criteria to filter client requests. In addition to filtering the request based on the user who is making the request, the proxy server can filter requests based on the IP address, the protocol or application that is being used to access the Internet, the time of day, and the Web site or Uniform Resource Locator (URL) the user is requesting.
- Content inspection. Proxy servers can inspect all traffic flowing in and out of the Internet connection and determine if there is any traffic that should be denied. This may include examining the traffic content for inappropriate words, scanning for viruses, or scanning for file extensions. Based on the criteria configured on the proxy server, all content can be inspected and filtered.
- Logging user access. Because all traffic is flowing through the proxy server, the server can log everything the user does. For HTTP requests, this can include logging every URL visited by each user. The proxy server can be configured to provide detailed reports of user activity that can be used to ensure compliance with the organization's Internet usage policies.
- Hiding the internal network details. Because all requests for Internet resources are coming from the proxy server rather than from the internal client computer, the details of the internal network are hidden from the Internet. In almost all cases, no client computer information such as computer name or IP address is sent to the Internet resource. In some cases, such as when creating a Remote Desktop Protocol connection to a server on the Internet, the client computer name is transmitted on the Internet.

Improving Internet access performance

Another benefit of using a proxy server is to improve Internet access performance. The Web proxy server improves performance by caching requested Internet pages on the Web proxy server hard disk. When another user requests the same information, the proxy server provides the page from the cache rather than retrieving it from the Internet.

Forward Web proxy servers are usually located between a Web application running on a client computer on the internal network and a Web server located on the Internet. You must configure the Web application on the client computer to use the Web proxy server to gain access to the Internet. The Web proxy service may be running at the connection point between the Internet and the internal network; the client computers may have no physical connection to the Internet other than through the proxy server. In other cases, a firewall may be deployed between the Internet and the proxy server, but all client computers will still use the proxy server because of the Web application configuration.

How does a forward proxy server work?

The following steps outline how a forward Web proxy server works.
1. A client application such as a Web browser makes a request for an object located on a Web server. The client application checks its Web proxy configuration to determine whether the request destination is on the local network or on an external network.
2. If the requested Web server is not on the local network, then the request is sent to the proxy server.
3. The proxy server checks the request to confirm that there is no policy in place that blocks access to the requested content.
4. The proxy server also checks if the requested object already exists in its local cache. If the object is stored in the local cache and it is current, the proxy server sends the object to the client from the cache. If the page is not in the cache, the proxy server sends the request to the appropriate server on the Internet.
5. The Web server response is sent back to the proxy server.
6. The proxy server filters the response based on the filtering rules configured on the server.
7. If the content is not blocked, ISA Server saves a copy of the content in its cache and then the object is returned to the client application that made the original request.

A reverse Web proxy server operates in much the same way as a forward Web proxy server. However, instead of making Internet resources accessible to internal clients, reverse proxy makes internal resources accessible to external clients.

How a reverse proxy works

The following steps outline how a reverse Web proxy server works.
1. A user on the Internet makes a request for an object located on a Web server that is on an internal network protected by a reverse proxy server. The client computer performs a Domain Name System (DNS) lookup using the fully qualified domain name (FQDN) of the hosting server. The DNS name will resolve to the IP address of the external network interface on the proxy server.
2. The client application sends the request for the object to the external address of the proxy server.
3. The proxy server checks the request to confirm that the URL is valid and to ensure that there is no policy in place that blocks access to the requested content.
4. The proxy server also checks if the requested object already exists in its local cache. If the object is stored in the local cache and it is current, the proxy server sends the object to the client from the cache. If the page is not in the cache, the proxy server sends the request to the appropriate server on the internal network.
5. The Web server response is sent back to the proxy server.
6. The object is returned to the client application that made the original request.

All network communication on the Internet uses TCP/IP as its communication protocol. To configure ISA Server as a firewall, you must understand the characteristics of TCP/IP communication.

TCP/IP layers

Each TCP/IP packet is made up of multiple components.
The components correspond to the following four protocol layers:
- Network Interface Layer. This layer handles placing TCP/IP packets on the network medium and receiving TCP/IP packets off the network medium. TCP/IP was designed to be independent of the network interface layer. The network interface layer header includes the addressing information required for the physical devices connected to the network to communicate with each other.
- Internet Layer. This layer handles addressing packets, fragmentation and reassembly of packets, and routing packets between networks. The most important protocol at this layer is the Internet Protocol (IP).
- Transport Layer. This layer provides session and datagram communication services. The core protocols of the transport layer are the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP).
- Application Layer. This layer lets applications access the services of the other layers and defines the protocols that applications use to exchange data. Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Telnet, and Domain Name System (DNS) are all examples of application layer protocols.

Internet Protocol

IP is a network layer protocol primarily responsible for addressing and routing packets between hosts. An IP packet consists of an IP header and an IP payload. The following describes the key fields in the IP header:
- Source address: The IP address of the original source of the IP datagram.
- Destination address: The IP address of the final destination of the IP datagram.
- Protocol: Informs IP at the destination host whether to pass the packet up to TCP, UDP, Internet Control Message Protocol (ICMP), or other protocols.

TCP

TCP is a reliable, session-oriented delivery service. Session-oriented means that a session must be established before hosts can exchange data. Reliability is achieved by assigning a sequence number to each segment transmitted. An acknowledgment is used to verify that the data is received. TCP provides a one-to-one, session-oriented, reliable communications service. The following describes the key fields in the TCP header:
- Source port: TCP port of the sending host.
- Destination port: TCP port of the destination host.
- Sequence number: Sequence number of the first byte of data in the TCP segment.
- Acknowledgment number: Sequence number of the byte the sender expects to receive next from the other side of the connection.

UDP

UDP provides a sessionless datagram service that offers unreliable, best-effort delivery of data transmitted in messages. This means that neither the arrival of datagrams nor the correct sequencing of delivered packets is guaranteed. UDP does not recover from lost data through retransmission. The UDP header contains a source port and destination port, but does not include sequence information or acknowledgment. Ensuring that UDP packets are delivered is the responsibility of the application layer protocols that use UDP as a transport.

Windows Sockets

Most Internet applications running on Microsoft Windows use Windows Sockets to communicate with the lower protocol layers. Windows Sockets provides services that allow applications to bind to a particular port and IP address on a host, initiate and accept a connection, send and receive data, and close a connection. A socket is defined by a protocol and an address on the host. In TCP/IP, the address is the combination of the IP address and port. Two sockets, one for each end of the connection, form a bidirectional communications path. To communicate, an application specifies the protocol, the IP address of the destination host, and the port of the destination application. After the application is connected, information can be sent and received.

The primary role of a firewall is to prevent network traffic from entering an internal network unless the traffic is explicitly permitted.
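The header fields listed above (IP source, destination and protocol; TCP ports, sequence and acknowledgment numbers; UDP ports and nothing more) pulled out of raw packet bytes, as an added example that is not part of the original material. The two sample packets are constructed in the block itself.

```python
"""Parse the IP, TCP and UDP header fields that the text singles out.

Added example, not part of the original presentation. The packet bytes below
are constructed by hand (an IPv4/TCP SYN to port 80 and an IPv4/UDP DNS query).
"""
import struct
from dataclasses import dataclass
from typing import Optional

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17

@dataclass
class ParsedPacket:
    src_addr: str
    dst_addr: str
    protocol: int
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    seq: Optional[int] = None      # TCP only
    ack: Optional[int] = None      # TCP only
    flags: Optional[int] = None    # TCP only (SYN = 0x02, ACK = 0x10, ...)
    payload: bytes = b""

def _ipv4(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def parse_ipv4(raw: bytes) -> ParsedPacket:
    """Decode the Internet-layer header, then hand the payload to TCP or UDP."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4            # header length in bytes, options included
    total_len = struct.unpack("!H", raw[2:4])[0]
    if ihl < 20 or total_len < ihl or len(raw) < total_len:
        raise ValueError("bad header or total length")
    protocol = raw[9]                    # tells IP whether to hand up to TCP, UDP, ICMP, ...
    pkt = ParsedPacket(_ipv4(raw[12:16]), _ipv4(raw[16:20]), protocol)
    body = raw[ihl:total_len]
    if protocol == PROTO_TCP:
        _parse_tcp(body, pkt)
    elif protocol == PROTO_UDP:
        _parse_udp(body, pkt)
    else:
        pkt.payload = body               # ICMP and others: left undecoded here
    return pkt

def _parse_tcp(seg: bytes, pkt: ParsedPacket) -> None:
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", seg[:14])
    pkt.src_port, pkt.dst_port = sport, dport
    pkt.seq, pkt.ack = seq, ack          # the numbers the three-way handshake synchronises
    pkt.flags = off_flags & 0x01FF
    pkt.payload = seg[(off_flags >> 12) * 4:]

def _parse_udp(dgram: bytes, pkt: ParsedPacket) -> None:
    if len(dgram) < 8:
        raise ValueError("truncated UDP header")
    pkt.src_port, pkt.dst_port, length = struct.unpack("!HHH", dgram[:6])
    pkt.payload = dgram[8:length]        # no sequence or acknowledgment fields at all

# --- constructed sample packets (checksums left at zero; the parser ignores them) ---
def build_ipv4(src: str, dst: str, protocol: int, body: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0x1234, 0, 64, protocol, 0,
                       bytes(int(o) for o in src.split(".")),
                       bytes(int(o) for o in dst.split("."))) + body

def build_tcp(sport: int, dport: int, seq: int, ack: int, flags: int, data: bytes = b"") -> bytes:
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 8192, 0, 0) + data

def build_udp(sport: int, dport: int, data: bytes = b"") -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

TCP_SYN = build_ipv4("192.168.20.10", "203.0.113.5", PROTO_TCP, build_tcp(49152, 80, 1000, 0, 0x02))
UDP_DNS = build_ipv4("192.168.20.10", "192.168.20.1", PROTO_UDP, build_udp(53000, 53, b"\x00\x01\x01\x00"))

if __name__ == "__main__":
    for raw in (TCP_SYN, UDP_DNS):
        print(parse_ipv4(raw))
```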
One of the ways in which a firewall ensures this is through packet filtering.

What is packet filtering?

Packet filters control access to the network at the network layer by inspecting the IP packets and allowing or denying them to pass through the firewall. When the firewall inspects an IP packet, it examines only information in the network and transport layer headers, including the packet's source and destination information, and its protocol and port numbers.

The firewall can evaluate IP packets using the following criteria:
- Destination address. The destination address may be the actual IP address of the destination computer in the case of a routed relationship between the two networks being connected by ISA Server. The destination may also be the external interface of ISA Server in the case of a Network Address Translation (NAT) network relationship.
- Source address. This is the IP address of the computer that originally transmitted the packet.
- IP protocol and protocol number. You can configure packet filters for TCP, UDP, ICMP, and any other protocol. Each protocol is assigned a number. For example, TCP is protocol 6, and the Generic Route Encapsulation (GRE) protocol for Point-to-Point Tunneling Protocol (PPTP) connections is protocol 47.
- Direction. This is the direction of the packet through the firewall. In most cases, the direction can be defined as inbound, outbound, or both. For some protocols, such as FTP or UDP, the directional choices may be Receive only, Send only, or Both.
- Port numbers. A TCP or UDP packet filter defines a local and remote port. The local and remote ports can be defined by a fixed port number, or as a dynamic port number.

Advantages and disadvantages of packet filtering

Packet filtering has a number of advantages and disadvantages. Some of the advantages include:
- Packet filtering has to inspect only the network and transport layer headers, so packet filtering is very fast.
- Packet filtering can be used to block a particular IP address or to allow a particular IP address. If you detect an application-level attack from an IP address, you can block that IP address at the packet-filter level. Or, if you need to enable access to your network and you know that all access attempts will be coming from a particular address, you can enable access only for that source address.
- Packet filtering can be used for ingress and egress filtering. Ingress filtering blocks all access on the external interface of the firewall to packets that have a source IP address that is logically on the internal network. For example, if your internal network includes the 192.168.20.0 network, an ingress filter will block a packet arriving at the external interface that claims to be coming from 192.168.20.1. An egress filter prevents packets from leaving your network that have a source IP address that is not on the internal network.

Packet filtering also has some disadvantages:
- Packet filters cannot prevent IP address spoofing or source-routing attacks. An attacker can substitute the IP address of a trusted host as the source IP address and the packet filter will not block the packet. Or the attacker can include routing information in the packet that includes incorrect routing information for return packets, so that the packets are not returned to the actual host but to the attacker's computer.
- Packet filters cannot prevent IP-fragment attacks. An IP-fragment attack splits a single IP packet into multiple fragments. Most packet-filtering firewalls check only the first fragment and assume that the other fragments of the same packet are acceptable. The additional fragments may contain malicious content.
- Packet filters are not application aware. You may be blocking the default Telnet port (port 23) on your firewall, but allowing access to the HTTP port (port 80). If an attacker can configure a Telnet server to run on port 80 on your network, the packets would be passed to the server.

ISA Server 2004 and packet filtering

ISA Server 2004 does not have an option to directly configure packet filtering. However, ISA Server does operate as a packet filter firewall, inspecting traffic at the network and transport layers. For example, if you define a firewall access rule that enables all protocol traffic from a computer on one network to a computer on another network, ISA Server uses a packet filter to allow that traffic. Or, if you configure a firewall access rule that denies the use of the default Telnet port (TCP port 23), ISA Server will use a packet filter to block that port. ISA Server 2000 supported direct configuration of packet filters. If you upgrade to ISA Server 2004 from ISA Server 2000, packet filters are replaced by access rules.

When a firewall uses stateful filtering, it not only examines the packet header information, but also examines the status of the packet. For example, the firewall can inspect a packet at its external interface and determine whether the packet is a response to a request from the internal network. This check can be performed at both the transport and application layers. Stateful filtering uses information about the TCP session to determine if a packet should be blocked or allowed through the firewall. TCP sessions are established using the TCP three-way handshake. The purpose of the three-way handshake is to synchronize the sequence numbers and acknowledgment numbers of both sides of the connection and to exchange other information defining how the two hosts will exchange packets.

Application filtering enables the firewall to open up the entire TCP/IP packet and inspect the application data for unacceptable commands and data.
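The packet-filter decisions described above run over constructed traffic, as an added example that is not ISA Server code or part of the original presentation: header-only rules with default deny, the ingress/egress anti-spoofing checks using the text's 192.168.20.0 network, and the "not application aware" limit, where the same port-80 rule passes a Telnet-style payload that only a payload inspection step rejects. The rules, addresses and sample packets are constructed.

```python
"""Packet-filter decisions as the text describes them, and the limit it names.

Added example, not from the original presentation or from ISA Server. The
internal network is the text's 192.168.20.0 example; rules, addresses and
sample packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

INTERNAL_NET = ip_network("192.168.20.0/24")
PROTO_TCP, PROTO_UDP = 6, 17

@dataclass(frozen=True)
class Packet:
    direction: str                 # "inbound" (arrives on the external interface) or "outbound"
    src: str
    dst: str
    protocol: int
    dst_port: Optional[int] = None
    payload: bytes = b""

@dataclass(frozen=True)
class Rule:
    """One packet-filter rule: header fields only, never the payload."""
    action: str                    # "allow" or "deny"
    direction: str
    protocol: Optional[int] = None # None matches any protocol
    dst_port: Optional[int] = None # None matches any port

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.protocol in (None, p.protocol)
                and self.dst_port in (None, p.dst_port))

def spoof_check(p: Packet) -> Optional[str]:
    """Ingress filter: an inbound packet may not claim an internal source.
    Egress filter: an outbound packet must carry an internal source."""
    src_internal = ip_address(p.src) in INTERNAL_NET
    if p.direction == "inbound" and src_internal:
        return "ingress filter: internal source address seen on the external interface"
    if p.direction == "outbound" and not src_internal:
        return "egress filter: non-internal source address leaving the network"
    return None

def packet_filter(p: Packet, rules: List[Rule]) -> Tuple[str, str]:
    """Spoof checks first, then first matching rule wins; unmatched traffic is denied."""
    reason = spoof_check(p)
    if reason:
        return "deny", reason
    for r in rules:
        if r.matches(p):
            return r.action, f"rule: {r.action} {r.direction} proto={r.protocol} port={r.dst_port}"
    return "deny", "no matching rule (default deny)"

def http_application_filter(p: Packet) -> Tuple[str, str]:
    """What the packet filter never sees: only a request line shaped like
    'METHOD SP request-target SP HTTP/1.x' is accepted on the web port."""
    parts = p.payload.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) == 3 and parts[0] in (b"GET", b"POST", b"HEAD") and parts[2].startswith(b"HTTP/1."):
        return "allow", "well-formed HTTP request line"
    return "deny", "traffic on port 80 is not HTTP"

# Constructed policy: block Telnet, publish a web server, let clients browse out.
RULES = [
    Rule("deny", "inbound", PROTO_TCP, 23),
    Rule("allow", "inbound", PROTO_TCP, 80),
    Rule("allow", "outbound", PROTO_TCP, 80),
]

# Constructed traffic arriving at the external interface.
SPOOFED = Packet("inbound", "192.168.20.1", "192.168.20.10", PROTO_TCP, 80)
WEB_IN = Packet("inbound", "203.0.113.7", "192.168.20.10", PROTO_TCP, 80,
                b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n")
TELNET_23 = Packet("inbound", "203.0.113.7", "192.168.20.10", PROTO_TCP, 23)
TELNET_ON_80 = Packet("inbound", "203.0.113.7", "192.168.20.10", PROTO_TCP, 80,
                      b"\xff\xfd\x18\xff\xfd\x20login: ")   # Telnet option negotiation on port 80

if __name__ == "__main__":
    for name, pkt in (("spoofed", SPOOFED), ("web", WEB_IN), ("telnet", TELNET_23), ("telnet-on-80", TELNET_ON_80)):
        print(f"{name:13s} packet filter -> {packet_filter(pkt, RULES)}")
    # The packet filter let TELNET_ON_80 through; only payload inspection catches it.
    print("telnet-on-80  application filter ->", http_application_filter(TELNET_ON_80))
```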
For example, an SMTP filter intercepts communication on port 25 and inspects it to make sure the SMTP commands are authorized before passing the communication to the destination server. An HTTP filter performs the same function on all HTTP packets. Firewalls that are capable of application-layer filtering can stop dangerous code at the edge of the network before it can do any damage.

Application-layer filtering can also be used to stop attacks from sources such as viruses and worms. Most worms look like legitimate software code to the packet-filtering firewall. The headers of the packets are identical in format to those of legitimate traffic. It is the payload that is malicious; only when all the packets are put together can the worm be identified as malicious code, so these exploits often travel straight through to the private network because the firewall allowed what looked like normal code.

Advantages and disadvantages of application filtering

The advantages of application-layer filtering go beyond the prevention of attacks. It can also be used to protect your network and systems from the harmful actions that unaware employees often take. For example, you can configure filters that prevent potentially harmful programs from being downloaded via the Internet, or ensure that critical customer data does not leave the network in an e-mail.

Application-layer filtering can also be used to more broadly limit employee actions on the network. You can use an application filter to restrict common types of inappropriate communication on your network. For example, you can block peer-to-peer file-exchange services. These types of services can consume substantial network resources and raise legal liability concerns for your organization.

The most significant disadvantage of application-filtering firewalls is performance. Because an application-filtering firewall examines the actual payload of each packet, it is usually slower than packet or stateful filtering.

ISA Server and application filtering

The most important benefit of implementing ISA Server 2004 is that it is a powerful and complete application-layer firewall. ISA Server includes many built-in application filters. In addition, ISA Server 2004 includes powerful and flexible interfaces with which administrators can create custom filters to detect virtually any attack. ISA Server is also highly extensible. This means your in-house programmers or third-party vendors can extend much of its functionality, including its filtering capabilities.

If you detect an intrusion attempt early enough, you may be able to prevent a successful intrusion. If an intrusion does occur, you need to be alerted as soon as possible to reduce the potential