Gira Seguridad 2005 Microsoft TechNet

Gira Seguridad 2005 Microsoft TechNet
José Parada Gimeno Evangelista Microsoft TechNet Chema Alonso MVP Windows Server Security Con la participación de: y

Técnicas Hacker de envenenamiento en redes de datos
Agenda I Introducción Técnicas Hacker de envenenamiento en redes de datos Spoofing ARP DNS Hijacking Phising Mail Spoofing Contramedidas Hacking I. Protección de servidores. Cifrado y autenticado de conexiones. IpSec Hardering de Servidores. Protección contra técnicas de envenenamiento en redes de datos con Windows minutos. Se mostrará el funcionamiento de las técnicas de envenenamiento y Spoofing Arp en redes de datos. Se analizará el impacto y la proctección contra dichas técnicas. Cifrado y autenticado de conexiones con IPSec en redes Windows minutos. Se analizará el funcionamiento de IPSec, la arquitectura y el despiegle. Se hará una demostración de cifrado y autenticado de conexiones a servidores utilizando directivas de seguridad GPO. Endurecimiento de servidores Windows minutos. Se mostrará la utilización de plantillas de seguridad del programa Baseline y como funcionan los analisis de directivas para comprobación de directivas efectivas. Cafe. Configuración de servicios de movilidad en Exchange minutos. Se mostrarán los servicios OWA 2003, OMA y ActiveSync de Exchange Se hará una demostración de conexión GPRS a servicios OMA mediante telefonía móvil. Conexiones seguras con RCP/HTTPS. 20 minutos. Se analizará las opciones de cifrado de comunicaciones RCP/HTTPs para permitir el analisis de tráfico por motores Antivirus/Antispam. Soluciones AntiSpam para Exchange minutos. Se analizarán las opciones de filtrado AntiSpam basadas en Message Screener, Filtros estáticos, Filtros de Conexión, Intelligence Message filter, Bullet signature y fingerprinting. Se hara una demostración de Filtro de conexión, Intelligence Message Filter y Bullet signature/fingerpinting.

Contramedidas Hacking II. Protección de Servicios de correo.
Agenda II Contramedidas Hacking II. Protección de Servicios de correo. Conexiones seguras con RPC/HTTPS VPN’s Evolución de las VPNs VPNs Seguras con MPLS Hosting de Aplicaciones en VPNs con MPLS Soluciones con ISA Server 2004 sobre las VPNs de ONO. Tecnicas Hacker de Spamming. Técnicas Eurísticas, Bayesianas y Finger Printing Contramedidas Spaming Protección contra técnicas de envenenamiento en redes de datos con Windows minutos. Se mostrará el funcionamiento de las técnicas de envenenamiento y Spoofing Arp en redes de datos. Se analizará el impacto y la proctección contra dichas técnicas. Cifrado y autenticado de conexiones con IPSec en redes Windows minutos. Se analizará el funcionamiento de IPSec, la arquitectura y el despiegle. Se hará una demostración de cifrado y autenticado de conexiones a servidores utilizando directivas de seguridad GPO. Endurecimiento de servidores Windows minutos. Se mostrará la utilización de plantillas de seguridad del programa Baseline y como funcionan los analisis de directivas para comprobación de directivas efectivas. Cafe. Configuración de servicios de movilidad en Exchange minutos. Se mostrarán los servicios OWA 2003, OMA y ActiveSync de Exchange Se hará una demostración de conexión GPRS a servicios OMA mediante telefonía móvil. Conexiones seguras con RCP/HTTPS. 20 minutos. Se analizará las opciones de cifrado de comunicaciones RCP/HTTPs para permitir el analisis de tráfico por motores Antivirus/Antispam. Soluciones AntiSpam para Exchange minutos. Se analizarán las opciones de filtrado AntiSpam basadas en Message Screener, Filtros estáticos, Filtros de Conexión, Intelligence Message filter, Bullet signature y fingerprinting. Se hara una demostración de Filtro de conexión, Intelligence Message Filter y Bullet signature/fingerpinting.

Motivos Impacto Análisis de Incidentes Análisis de Vulnerabilidades
Introducción Motivos Impacto Análisis de Incidentes Análisis de Vulnerabilidades

Seguridad, es un termino relativo y no absoluto
¿Que es Seguridad? Seguridad, es un termino relativo y no absoluto ¿Que es lo que esta seguro? ¿Contra quien se esta seguro? ¿Contra que se esta seguro? ¿Hasta cuando se esta seguro? ¿Que intensidad de ataque se puede resistir? Por lo tanto sin un contexto el termino Seguridad no tiene sentido

¿Porque Atacan? Motivos Personales Hacer Daño Motivos Financieros
Alterar, dañar or borrar información Deneger servicio Dañar la imagen pública Motivos Personales Desquitarse Fundamentos políticos o terrorismo Gastar una broma Lucirse y presumir The bullets are just examples of the three main motives. Be sure to exemplify most of them. Invite participants to come up with other motives and see if they fit into the three top categories. There’s no direct relationship between threats and motives, basically any mix is possible. However, the teen hackers are mostly hacking for personal motives. Criminals almost exclusively do it for economic gain. Motivos Financieros Robar información Chantaje Fraudes Financieros

Porque MOLA!! Motivos La tecnología tiene fallos.
Es muy fácil hacerlo. No hay conciencia clara del delito Porque MOLA!!

Incidentes Reportados al CERT
Data Source: CERT (

Vulnerabilidades por Años
Data Source: CERT (

Problema de la Industria IT Vulnerabilidades en Sistemas Operativos - 2002
Source: Company web sites Trustix 1.5 Debian Windows XP Sun (OS) Mandrake 8.x 20 40 60 80 100 120 RedHat 7.2 Windows 2000 EnGarde SuSE

Problema de la Industria IT Vulnerabilidades en Sistemas Operativos - 2003
Source: Company web sites 20 40 60 80 100 120 Windows 2003 OpenBSD Windows XP Windows 2000 SuSE SUN Mandrake RedHat Debian

Fuentes Debian: Mandrake: Microsoft: Open BSD: Sun: Suse: RedHat:

http://www.securityfocus.com/bid Vulnerabilidades Es difícil engañar
Mirar versión apache que salio cuando IIS 6.0 comparar vulnerabilidades. Windows 2003 con IIS 6.0 Salio el 24 abril de Hace casí dos años. Solo tiene 2 vulnerabilidades. En Abril 2003 salio apache 2.050

Problema de la Industria IT Vulnerabilidades en Sistemas Operativos - Agosto 2004

Sofisticación de los Ataques vs. Conocimientos requeridos
Nail down source of slide (FBI/CSI?)

Técnicas Hacker de Envenenamiento en Redes de Datos

7. Aplicación 6. Presentación 5. Sesión 4. Transporte 3. Red
El Modelo OSI 7. Aplicación 6. Presentación 5. Sesión 4. Transporte 3. Red 2. Conexión 1.Fisico

4. Aplicación 8-5. usuario 2. Red 3. Transporte TCP, UDP, IPsec
En Realidad Cuatro capas son suficientemente representativas 4. Aplicación 8-5. usuario 2. Red 3. Transporte HTTP, FTP, TFTP, telnet, ping, SMTP, POP3, IMAP4, RPC, SMB, NTP, DNS, … TCP, UDP, IPsec IP, ICMP, IGMP 1. interface ARP, RARP

Técnicas de Spoofing Las técnicas spoofing tienen como objetivo suplantar validadores estáticos Un validador estático es un medio de autenticación que permanece invariable antes, durante y después de la concesión.

Direcciones de correo electrónico Nombres de recursos compartidos
Niveles Afectados ENLACE Dirección MAC RED Dirección IP SERVICIO Nombres de dominio Direcciones de correo electrónico Nombres de recursos compartidos

Tipos de técnicas de Spoofing
Spoofing ARP Envenenamiento de conexiones. Man in the Middle. Spoofing IP Rip Spoofing. Hijacking. Spoofing SMTP Spoofing DNS WebSpoofing.

Técnicas de Sniffing Capturan tráfico de red. Necesitan que la señal física llegue al NIC. En redes de difusión mediante concentradores todas las señales llegan a todos los participantes de la comunicación. En redes conmutadas la comunicación se difunde en función de direcciones. Switches utilizan dirección MAC.

Hijacking (Secuestro) Y Envenenamiento
Técnicas Combinadas Sniffing + Spoofing Hijacking (Secuestro) Y Envenenamiento

Nivel de Enlace: Spoofing ARP
Suplantar identidades físicas. Saltar protecciones MAC. Suplantar entidades en clientes DHCP. Suplantar routers de comunicación. Solo tiene sentido en comunicaciones locales.

Dirección Física Tiene como objetivo definir un identificador único para cada dispositivo de red. Cuando una máquina quiere comunicarse con otra necesita conocer su dirección física. Protocolo ARP No se utilizan servidores que almacenen registros del tipo: Dirección MAC <-> Dirección IP. Cada equipo cuenta con una caché local donde almacena la información que conoce.

PC 2 PC HACKER PC 3 PC 1 PC 4 Datos PC 4 Sniffing en Redes de Difusión
Sniffer PC 1 PC 4 filtra Datos PC 4

PC 2 PC HACKER PC 3 PC 1 PC 4 MAC 2 MAC H MAC 3 Datos PC 4 MAC 1 MAC 4
Sniffing en Redes Conmutadas PC 2 PC HACKER PC 3 Sniffer PC 1 PC 4 MAC 2 MAC H MAC 3 Datos PC 4 MAC 1 MAC 4 Puerto 1 MAC 1 Puerto 2 MAC 2 Puerto 6 MAC H Puerto 11 MAC 3 Puerto 12 MAC 4

Envenenamiento de Conexiones: “Man in the Middle”
La técnica consiste en interponerse entre dos sistemas. Para lograr el objetivo se utiliza el protocolo ARP. El envenenamiento puede realizarse entre cualquier dispositivo de red.

Envenenamiento de Conexiones:“Man in the Middle”
PC 1 IP 1 MAC 1 PC 2 IP 2 MAC 2 CONEXIÓN PC2 REENVÍO A HOST IP 2 – MAC H IP 1 – MAC H CACHE ARP IP 2 – MAC H CACHE ARP IP 1 – MAC H PC H IP H MAC H

Ataque ARP Man In The Middle
esta en 99:88:77:66:55:44 esta en 99:88:77:66:55:44 ¿Quien tiene ? esta en 00:11:22:33:44:55:66

Man in the Middle Sirve como plataforma para otros ataques.
DNS Spoofing. WebSpoofing. Hijacking. Sniffing Se utiliza para el robo de contraseñas.

Demo Envenamiento entre hosts. Robo de contraseñas. DNS Hijacking.
Phising (WebSpoofing). HTTPS Spoofing.

Protección contra Envenenamiento
Medidas preventivas. Control físico de la red. Bloqueo de puntos de acceso. Segmentación de red. Gestión de actualizaciones de seguridad. Protección contra Exploits. Protección contra troyanos.

Medidas preventivas. Cifrado de comunicaciones. IPSec. Cifrado a nivel de Aplicación: S/MIME. SSL. Certificado de comunicaciones.

Medidas preventivas. Utilización de detectores de Sniffers. Utilizan test de funcionamiento anómalo. Test ICMP. Test DNS. Test ARP.

Frase vs. Passwords ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●

Las 4 leyes fundamentales de la protección de datos
Autentica en todas partes. Valida Siempre. Autoriza y audita todo. Cifra siempre que sea necesario.

Cifrado y autenticado de conexiones con IPSec en redes Windows 2003.

Cifrado de Comunicaciones
IPv4 no ofrece cifrado de comunicaciones a nivel de red y transporte. Solo se puede garantizar la no interceptación de la información en líneas privadas. Los entornos son abiertos. Movilidad. La privacidad de la información es una necesidad

La elección de la protección debe cumplir: No anular otras defensas. Permitir autenticación integrada. No suponer un coste excesivo en: Rendimiento. Adquisición. Implantación. Mantenimiento.

Soluciones: Red : IPv6 -> IPSec. Transporte: TLS SSL Aplicación: HTTP-s FTP-s S/MIME SSH. Datos: Cifrado información.

IPSec - Definición IPSec es unprotocolo que sirve para proteger las comunicaciones entre equipos. Ofrece las siguientes características: Autenticación Integridad Confidencialidad (cifrado) Authentication Verifies the origin and integrity of a message by assuring the genuine identity of each computer. Without strong authentication, an unknown computer and any data it sends is suspect. IPSec provides multiple methods of authentication, ensuring compatibility with legacy systems, remote computers, and computers running other operating systems. Integrity Protects data from unauthorized modification in transit, ensuring that the data received is exactly the same as the data sent. Hash functions sign each packet with a cryptographic checksum, which the receiving computer checks before opening the packet. If the packet (and therefore the signature) has changed, the packet is discarded. Confidentiality (encryption) Ensures that data is disclosed only to intended recipients. This is achieved by encrypting the data before transmission. It ensures that the data cannot be read during transmission, even if the packet has been monitored or intercepted. Only the parties with the shared, secret key can decrypt and read the data. This property is optional and is dependent upon IPSec policy settings. Anti-replay (also called replay prevention) Provides for the uniqueness of each IP packet. Anti-replay ensures that data intercepted by an attacker cannot be reused or replayed to establish a session or illegally gain information or access to resources.Limited Traffic Flow Confidentiality. IPSec encryption of IP packet contents include the protocol headers which appear after the IP header in normal, unsecured IP packets (e.g. TCP port 80). This an IPSec ESP encrypted packet does not show the type of traffic that is being secured. However, since IPSec is defined to secure an IP packet, the behavior of the upper layer protocol is preserved in terms of the size and timing of packets sent and received. IPSec encryption could also be used to add extra data to packets to change the length of packets so that attackers have a more difficult time determining the role of a packet in an upper layer protocol (e.g. a TCP ACK). And IPSec allows many traffic types to be secured in the same way (e.g. all TCP and UDP traffic secured by the same IPSec security association). However, the IPSec architecture does not provide strong protection against traffic analysis which are sophisticated observation techniques to guess what protocol and data is being carried. So it is expected that an attacker could discover which protocol is being secured in some cases by observing the flow of IPSec protected packets.

IPSec - Objetivos Proteger el contenido de las cabeceras IP contra ataques activos y pasivos mediante : Autenticación de la cabecera. Cifrado del contendio. Defender los equipos contra ataques de red: Filtrado de conexiones (sniffing). Autenticación de conexiones. By its design, TCP/IP is an open protocol created to connect heterogeneous computing environments with the least amount of overhead possible. As is often the case, interoperability and performance design goals do not generally result in security—and TCP/IP is no exception to this. TCP/IP provides no native mechanism for the confidentiality or integrity of packets. To secure TCP/IP, you can implement IP Security. IPSec implements encryption and authenticity at a lower level in the TCP/IP stack than application-layer protocols such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS). Because the protection process takes place lower in the TCP/IP stack, IPSec protection is transparent to applications. IPSec is a well-defined, standards-driven technology. The IPSec process encrypts the payload after it leaves the application at the client and then decrypts the payload before it reaches the application at the server. An application does not have to be IPSec aware because the data transferred between the client and the server is normally transmitted in plaintext. IPSec is comprised of two protocols that operate in two modes with three different authentication methods. IPSec is policy driven and can be deployed centrally by using Group Policy. To deploy IPSec, you must determine the Protocol Mode Authentication methods Policies

IPSec - Funcionamiento
Dos grupos de protocolos distintos Protocolos de gestión de claves: IKE ( Internet Key Exchange) y sus asociados ISAKMP y OAKLEY KEY) Protocolos de autenticación, cifrado y manipulación de paquetes: AH ( Autentication Header ) ESP ( Encapsulating Security Payload )

IKE - Funcionamiento IKE tiene dos modos de funcionamiento.
Modo Principal y Modo Rápido. Centraliza la gestión de asociaciones (SA) para reducir el tiempo. Genera y gestiona las claves usadas para securizar la información. IPSec can be initiated by either the sending host or the receiving host. The two hosts or endpoints enter into a negotiation that will determine how the communication will be protected. The negotiation is completed in the IKE, and the resulting agreement is a set of security associations, or SAs. The SA is used until the two hosts or endpoints cease communication, even though the keys used might change. A computer can have many SAs. The SA for each packet is tracked using the SPI. IKE is a part of the IPsec suite; its function is to allow any two IPsec-capable computers to securely agree on a shared encryption key without exposing the key to MITM attackers or eavesdroppers. IKE actually implements portions of two related protocols: the Internet Security Association Key Management Protocol (ISAKMP; see RFC 2409) and the OAKLEY protocol for key determination (see RFC 2412). The connectio between two IPsec-capable endpoints is called a security association, or SA. SA setup actually takes place in two phases: in the first phase (also known as main mode) the two ends authenticate one another’s identities and generate a Main Mode SA. Think of the Main Mode SA as a master SA: all other communications between the two machines will happen after ISAKMP negotiations take place. These negotiations are carried over the Main Mode SA. The Main Mode key can be derived using three mechanisms: Kerberos: This is the default IPsec authenticator in Windows IPsec. The Kerberos authentication package uses the machine account generated for each computer in an Active Directory domain. The primary benefit of this approach is that as long as the machine accounts stay in synchronization across the domain, IPsec works with no fiddling. However, you can only use Kerberos authentication with machines in the same Active Directory forest. X.509 certificates: Because each certificate is associated with a public/private key pair, it’s natural to leverage them as an authenticator for IPsec. The catch is that you have to issue certificates to each machine that you want to access your network, and you must ensure that all CAs from which those certificates are issued chain to a common (and trusted) root CA. Preshared keys: with preshared keys, each endpoint must have the same shared secret key. This is a terrible idea from a security standpoint, as we’ll discuss a bit later. Once these negotiations are complete, IKE mode 2 (also known as quick mode) kicks in. Quick Mode SAs default to a lifetime of five minutes or 100 MB of traffic; that means that on an IPsec-protected connection, the session key used to protect the actual traffic is only used for five minutes or 100 MB, whichever comes first. (However, the predefined IPsec filters included in the standard policies have a lifetime of 15 minutes.) The master SA key, however, is good for a default lifetime of eight hours. Quick Mode SAs protect traffic on a specific source/destination/protocol/port combination, so there can be several of them for each Main Mode SA between a pair of machines.

IPSec – Proceso de Cifrado
El proceso de cifrado está compuesto de dos protocolos. Autenticación de cabecera (AH) Cifrado de Tráfico (ESP) As mentioned, IPSec is comprised of two protocols: IPSec Authentication Header (AH) and IPSec Encapsulating Security Payload (ESP). Each protocol provides different services; AH primarily provides packet integrity services, while ESP provides packet confidentiality services. IPSec provides mutual authentication services between clients and hosts, regardless of whether AH or ESP is being used.

Cabecera de Autenticación
Authentication Header (AH) ofrece: Autenticacion. Integridad. Funcionalidades Kerberos, certificados o los secretos compartidos pueden ser utilizados para autenticar el tráfico. La integridad se calcula con algoritmos SHA1 o MD5 que calculan el Integrity Check Value (ICV) IPSec AH provides authentication, integrity, and anti-replay protection for the entire packet, including the IP header and the payload. AH does not provide confidentiality. When packets are secured with AH, the IPSec driver computes an Integrity Check Value (ICV) after the packet has been constructed but before it is sent to the computer. With Windows 2000 and Windows XP, you can use either the HMAC SHA1 or HMAC MD5 algorithm to compute the ICV. Figure 9-3 shows how AH modifies an IP packet.

Encabezados de autenticación
IPSec – Cabecera AH. Autenticidad de los datos Integridad de los datos Contra la retransmisión Protección contra la suplantación Encab. IP AH Encab. TCP/UDP Datos de aplicaciones Firmado Encabezados de autenticación The fields in an AH packet include these: Next Header Indicates the protocol ID for the header that follows the AH header. For example, if the encrypted data is transmitted using TCP, the next header value would be 6, which is the protocol ID for TCP. Length Contains the total length of the AH. Security Parameters Index (SPI) Identifies the security association (the IPSec agreement between two computers) that was negotiated in the Internet Key Exchange (IKE) protocol exchange between the source computer and the destination computer. Sequence Number Protects the AH-protected packet from replay attacks in which an attacker attempts to resend a packet that he has previously intercepted, such as an authentication packet, to another computer. For each packet issued for a specific security association (SA), the sequence number is incremented by 1 to ensure that each packet is assigned a unique sequence number. The recipient computer verifies each packet to ensure that a sequence number has not been reused. The sequence number prevents an attacker from capturing packets, modifying them, and then retransmitting them later. Authentication Data Contains the ICV created against the signed portion of the AH packet by using either HMAC SHA1 or HMAC MD5. The recipient performs the same integrity algorithm and compares the result of the hash algorithm with the result stored within the Authentication Data field to ensure that the signed portion of the AH packet has not been altered in transit. Because the TTL, Type of Service (TOS), Flags, Fragment Offset, and Header Checksum fields are not used in the ICV, packets secured with IPSec AH can cross routers, which can change these fields. Using ESP

Cabecera ESP Encapsulating Security Payload (ESP) ESP ofrece:
Confidencialidad. ESP puede ser utilizada sola o combinada con AH. Multiples algoritmos de cifrado DES – claves de cifrado de 56-bit 3DES – claves de cifrado de 168-bit Multiples algoritmos de firmado. SHA1 – 160-bit digest MD5 – 128-bit ESP packets are used to provide encryption services to transmitted data. In addition, ESP provides authentication, integrity, and antireplay services. When packets are sent using ESP, the payload of the packet is encrypted and authenticated. In Windows 2000 and Windows XP, the encryption is done with either Data Encryption Standard (DES) or 3DES, and the ICV calculation is done with either HMAC SHA1 or HMAC MD5. TIP When designing an IPSec solution, you can combine AH and ESP protocols in a single IPSec SA. Although both AH and ESP provide integrity protection to transmitted data, AH protects the entire packet from modification, while ESP protects only the IP payload from modification.

Carga de seguridad de encapsulación
Cabecera ESP Nuevo encab. IP ESP Hdr Cifrado Firmado Autenticación del origen Cifrado de los datos Contra la retransmisión Protección contra la suplantación Carga de seguridad de encapsulación Encab. IP original Encab. TCP/UDP Datos de aplicaciones Fin. ESP Aut. ESP

IPSec - Firewalls IPSec se enruta como tráfico IPv4.
En firewalls debe ser activado el reenvio IP para: IP Protocol ID 50 (ESP) IP Protocol ID 51 (AH) UDP Port 500 (IKE) El tráfico IPSec que pasa por un firewall no puede ser inspeccionado. IP Security (IPSec) is implemented at the Networking layer (Layer 3) of the Open Systems Interconnection (OSI) model. This provides protection for all IP and upper-layer protocols in the TCP/IP protocol suite. The primary benefit of securing information at Layer 3 is that all programs and services using IP for data transport can be protected. IPSec does not disturb the original IP header and can be routed as normal IP traffic. Routers and switches in the data path between the communicating hosts simply forward the packets to their destination. However, when there is a firewall or gateway in the data path, IP forwarding must be enabled at the firewall for the following IP protocols and UDP ports: IP Protocol ID 50: For both inbound and outbound filters. Should be set to allow Encapsulating Security Protocol (ESP) traffic to be forwarded. IP Protocol ID 51: For both inbound and outbound filters. Should be set to allow Authentication Header (AH) traffic to be forwarded. UDP Port 500: For both inbound and outbound filters. Should be set to allow ISAKMP traffic to be forwarded. L2TP/IPSec traffic looks just like IPSec traffic on the wire. The firewall just has to allow IKE (UDP 500) and IPSec ESP formatted packets (IP protocol = 50). It may be necessary to allow Kerberos traffic through the firewall, if so then UDP port 88 and TCP port 88 would also need to be forwarded. For more information, view the following articles in the Microsoft Knowledge Base: Traffic That Can--and Cannot--Be Secured by IPSec ( Overview of Secure IP Communication with IPSec in Windows 2000 (

TCPIP TCPIP App or Service Application client Server or Gateway IPSec
SA Establishment App or Service client Application Server or Gateway UDP port 500 negotiation 1 IKE SA IPSec PolicyAgent IPSec PolicyAgent IKE (ISAKMP) IKE (ISAKMP) 2 IPSec SAs IPSec Driver IPSec Driver TCPIP TCPIP IP protocol 50/51 filters NIC filters NIC “IKE Responder” “IKE Initiator”

IPSec - Modos de trabajo
El sistema IPSEC puede trabajar en dos modos: Modo de transporte: donde el cifrado se realiza de extremo a extremo. Modo túnel donde el cifrado se realiza únicamente entre los extremos del túnel.

Modos IPSEC Modo de transporte Proporciona cifrado y autenticación de extremo a extremo Cifrado Modo de túnel Proporciona cifrado y autenticación sólo entre los puntos finales del túnel Cifrado

IPSEC - Coste de cifrado
Disminución del rendimiento que es proporcional al hardware del sistema. Tiempo de negociación IKE – aproximadamente 2-5 segundos inicialmente Session rekey < 1-2 segundos Pérdida de la capacidad de filtrado de paquetes. Recursos destinados a la solución de problemas. Concienciación técnica de su necesidad y su uso.

IPSec en Windows 2000- 2003 Se configura mediante políticas
Almacenadas en el Directorio Activo o en en Registro Local del Servidor. Controlan la entrada y salida de paquetes permitidos. Las Politicas IPSec están formadas por listas de reglas. Están compuestas de asociaciones de acciones y protocolos. Se definen a nivel de protocolo o a nivel de puerto. Acciones permitidas: Bloquear. Permitir. Pedir seguirdad. Se aplica el filtro más permisivo. IPSec policies, rather than applications, are used to configure IPSec services. The policies provide variable levels of protection for most traffic types in most existing networks. IPSec policies are based on your organization's guidelines for secure operations. There are two storage locations for IPSec policies: Active Directory The registry on a local computer You can configure IPSec policies to meet the security requirements of a domain, site, or organizational unit for an Active Directory domain. IPSec policy can also be implemented in a non-Active Directory domain environment by using local IPSec policies. IPSec policies are based on IP filter lists and IP filter actions. An IP filter list is a list of protocols and folders. For example, you can create a filter list entry that allows all computers to gain access to TCP port 80 on the local interface. Another entry in the same filter list might allow access to TCP port 25 on the local interface, and a third filter list entry might allow access to User Datagram Protocol (UDP) port 53 on the local interface. If a packet that arrives on the computer interface has a matching entry on the filter list, IPSec Policy Agent applies a filter action that you assign to the filter list. For example, if you assign a Block filter action to the above filter list. When you do this, any packet that is destined for TCP port 80, TCP port 25, or UDP port 53 is blocked. However, if you assign a Permit filter action to the above filter list, the packets that are destined for TCP port 80, TCP port 25, or UDP port 53 is allowed. You can use IPSec filter lists and filter actions as an effective method of access control on all interfaces. Note that IPSec policies are applied to all interfaces on a multiple-homed computer. There is no procedure that you can use to allow selective application of IPSec policies to a particular interface. Note For information on how to create IPSec policies, go to Filter Actions For each filter rule, you must choose a filter action. The filter action defines how the traffic defined in the IP filter will be handled by the filter rule. Permit Allows packets to be transmitted without IPSec protection. For example, Simple Network Management Protocol (SNMP) includes support for devices that might not be IPSec aware. Enabling IPSec for SNMP would cause a loss of network management capabilities for these devices. In a highly secure network, you could create an IPSec filter for SNMP and set the IPSec action to Permit to allow SNMP packets to be transmitted without IPSec protection. Block Discards packets. If the associated IPSec filter is matched, all packets with the block action defined are discarded. Negotiate Security Allows an administrator to define the desired encryption and integrity algorithms to secure data transmissions if an IPSec filter is matched.

IPSec - Políticas Podrán utilizarse políticas por defecto o las creadas manualmente. El sistema proporciona 3 políticas por defecto que van a determinar diferentes comportamientos de la máquina con respecto a IPSEC. Cliente. Servidor. Servidor seguro.

IPSec - Política de cliente.
Modo de solo respuestas. Un sistema en modo cliente responde a peticiones que le realicen en IPSEC. No inicia conversaciones en modo IPSEC, solamente en claro.

IPSec - Política de servidor.
Intenta establecer comunicaciones cifradas, pero si la otra máquina no tiene configurado IPSEC la comunicación se establece en claro. Este modo está definido por 3 reglas que determinan el comportamiento general del sistema a las peticiones IP, ICMP y el resto de tráfico.

IPSec - Política Servidor Seguro
El equipo solo puede establecer comunicaciones seguras. La política establece 3 reglas, para el tráfico de peticiones IP, ICMP y el resto de tráfico.

IPSEC - Reglas Las reglas IPSEC determinan el comportamiento del sistema en la transmisión de la información. Las reglas están compuestas por los siguientes objetos: Filtros. Acción de filtros. Método de autentificación.

IPSec - Filtros En la configuración de los filtros hay que especificar los siguientes parámetros: Determinar la posibilidad o no de establecer un túnel de comunicación. Qué redes o equipos se van a ver afectados. El método de autentificación para la transmisión. Métodos de seguridad. Las acciones de filtrado.

IPSec - Autenticación Kerberos Certificados Secretos Compartidos.
Requiere tiempo de sincronización. Solo dentro del bosque. Certificados Requiere la implementación de PKI. CRL está deshabilitado por defecto. Secretos Compartidos. Tan seguro como sea el secreto. En entornos grandes es dificil de mantener. Selecting an IPSec Authentication Method During the initial construction of the IPSec session—also known as the Internet Key Exchange, or IKE—each host or endpoint authenticates the other host or endpoint. When configuring IPSec, you must ensure that each host or endpoint supports the same authentication methods. IPSec supports three authentication methods: Kerberos X.509 certificates Preshared key Authenticating with Kerberos In Windows 2000 and Windows XP, Kerberos is used for the IPSec mutual authentication by default. For Kerberos to be used as the authentication protocol, both hosts or endpoints must receive Kerberos tickets from the same Active Directory directory service forest. Thus, you should choose Kerberos for IPSec authentication only when both hosts or endpoints are within you own organization. Kerberos is an excellent authentication method for IPSec because it requires no additional configuration or network infrastructure. IMPORTANT Some types of traffic are exempted by default from being secured by IPSec, even when the IPSec policy specifies that all IP traffic should be secured. The IPSec exemptions apply to Broadcast, Multicast, Resource Reservation Setup Protocol (RSVP), IKE, and Kerberos traffic. Kerberos is a security protocol itself, can be used by IPSec for IKE authentication, and was not originally designed to be secured by IPSec. Therefore, Kerberos is exempt from IPSec filtering. To remove the exemption for Kerberos and RSVP, set the value NoDefaultExempt to 1 in the registry key HKEY_LOCAL_ MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC, or use the Nodefaultexempt.vbs script located in the Tools\Scripts folder on the CD included with this book. Authenticating with X.509 Certificates You can use X.509 certificates for IPSec mutual authentication of hosts or endpoints. Certificates allow you to create IPSec secured sessions with hosts or endpoints outside your Active Directory forests, such as business partners in extranet scenarios. You also must use certificates when using IPSec to secure VPN connections made by using Layer Two Tunneling Protocol (L2TP). To use certificates, the hosts must be able to validate that the other’s certificate is valid. Authenticating with Preshared Key You can use a preshared key, which is a simple, case-sensitive text string, to authenticate hosts or endpoints. Preshared key authentication should be used only when testing or troubleshooting IPSec connectivity because the preshared key is not stored in a secure fashion by hosts or endpoints.

IPSec - PKI Autodespliegue
Se puede configurar un entorno de autodespligue de certificados digitales para equipos : Instalando una Entidad Certificadora Raiz integrada. Activando la Petición de Certificado Automático en la CPO del dominio. Automatic Enrollment For Computer Certificates You can specify automatic enrollment and renewal for computer certificates. When auto-enrollment is configured, the specified certificate types are issued automatically to all computers within the scope of the public-key Group Policy. Computer certificates that are issued by auto-enrollment are renewed automatically from the issuing CA. Auto-enrollment does not function unless at least one enterprise CA is online to process certificate requests.

IPSec – Excepciones. IPSec en Windows 2000 no securiza por defecto el siguiente tráfico : Broadcast Multicast RSVP IKE Kerberos Windows 2003 por defecto securiza todo el tráfico excepto IKE. Es posible configuarlo como en Windows 2000 IPSec Default Exemptions Are Removed in Windows Server 2003 To enable Kerberos IPSec protection Add registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC Add value NoDefaultExempt (note that this name is case sensitive) Data Type: REG_DWORD Data Value: 1 1 = RSVP and Kerberos are not exempted (only IKE, Multicast, and Broadcast are exempted) Note: For information on IPSec and Kerberos traffic between domain controllers , go to

IPSEC - Monitorización
IP Security Monitor MMC Snap-In

GPO Site Domain OU IPSec - Despliegue GPO
Despliegue centralizado desde el Directorio Activo. Configuración posible mediante plantillas. GPO Site Domain OU

Políticas de Grupo Introduction
Implementing Group Policy on a domain provides the network administrator with control over computer configurations throughout the network.

Demo – Configuración IPSec

Endurecimiento de Servidores Windows 2003 Plantillas de Seguridad

Endurecimiento El aumento de ataques en las redes han hecho necesarias implementar medidas para fortificar los servicios de las empresas. Entre las medidas caben destacar las actualizaciones de los sistemas y la fortificación de los servidores desde la configuración de la seguridad interna mediante plantillas.

Plantillas de seguridad
Proporcionan los mecanismos para incrementar la seguridad sobre los equipos. Son ficheros que proporcionan la capacidad para simplificar la implantación de seguridad en equipos. Incrementan o modifican las directivas que se están aplicando.

Aplicación de Plantillas
Las plantillas pueden aplicarse por importación en políticas locales o mediante el uso en GPO. Mediante la herramienta de configuración de seguridad. Mediante línea de comando con la ejecución del comando Secedit.

Componentes de las Plantillas de Seguridad
Las plantillas de seguridad controlan los siguientes aspectos de una máquina: Cuentas de usuario. Auditorías. Derechos de usuarios. Opciones de seguridad. Visor de sucesos. Grupos restringidos. Servicios. Claves de registro. Sistema de ficheros.

Herramientas de Gestión de Plantillas
La administración de las plantillas puede ser realizada desde: La consola Plantillas de seguridad. Consola configuración y análisis de la seguridad. Ambas herramientas son añadidas como complementos de MMC.

Herramientas de Plantillas Administrativas.

Configuración y Análisis de la Seguridad.
Es una herramienta con doble objetivo: Proporcionar los mecanismos para comparar la seguridad de una máquina con una base de datos de análisis. Configurar una máquina con la información de una base de datos creada a través de plantillas.

Análisis y configuración.

Resultante de políticas.
Sistema complementario de los anteriores que evalúa no solo plantillas de seguridad sino GPO. Presenta dos herramientas: RSoP. Herramienta gráfica. GPRESULT. Línea de Comando.

Demo: Aplicación de Plantillas de Servidores Analísis de Seguridad

¡Descanso! Con la participación de: y

RPC sobre HTTPs José Parada Gimeno Evangelista Microsoft TechNet
Chema Alonso MVP Windows Server Security Con la participación de: y

RPC Sobre HTTP Las llamadas a procedimiento remoto son una de las metodologías de comunicaciones entre máquinas. Outlook 2003 se conecta a Exchange 2003 mediante el protocolo RPC. El establecimiento de RPC sobre HTTP, proporciona 3 niveles de seguridad adicionales sobre las ofrecidas por RPC.

Seguridad Proporciona seguridad y autentificación a través de Internet Information Server. Proporciona encriptación SSL. Permite restricciones e inspecciones de información a nivel de RPC proxy.

Arquitectura En el procedimiento de una comunicación RPC/HTTPS intervienen los siguientes componentes: Cliente RPC/HTTPS. Proxy/Firewall RPC (enrutador). Servidor RPC.

Implementaciones. Microsoft proporciona 2 versiones de implementación de RPC/HTTP. Versión 1. No permite el establecimiento de una sesión SSL sobre el RCP Proxy. No permite autentificación sobre RPC/Proxy. No opera en granja de servidores. Versión 2. Permite SSL. Soporta autentificación sobre RPC/Proxy. Opera en granja de servidores.

Sistemas operativos. Plataforma Soporte Implementación Windows
Server 2003 Cliente, servidor y Proxy RPC Soporta RPC sobre HTTP v1 y RPC sobre HTTP v2. RPC Proxy soporta RPC sobre HTTP v2 cuando se está ejecutando IIS en modo RPC Proxy soporta RPC sobre HTTP v1 y RPC sobre HTTP v2 cuando IIS se ejecuta en modo IIS 5.0. Windows XP con SP1 o SP2 Cliente y Servidor Soporta RPC sobre HTTP v1 y RPC sobre HTTP v2 en modo cliente y servidor. No soporta PROXY RPC. Windows XP servidor Soporta RPC sobre HTTP v1 solamente en modo cliente y servidor. Windows 2000 Servidor y Soporta programas servidor RPC sobre HTTP y Proxy RPC sobre diferentes equipos. Solamente presenta soporte solo sobre HTTP v1. Windows NT 4.0 with SP4 Programas servidor RPC sobre HTTP y Proxy RPC deben ser ejecutadas en la misma máquina. Presenta soporte solo sobre HTTP v1. Windows 95/98 Cliente No soporta servidor HTTP sobre RPC. Windows 95 deben tener instalados los componentes DCOM 95 v1.2 o posteriores

Ventajas. Soporta una plataforma para transmitir información segura a través de Internet. Permite el enrutamiento de la información a través de una red de forma segura. Proporciona una plataforma de integración de antivirus y antispam para la inspección de tráfico. Evita el uso de licencias e implantaciones VPN.

Inspección de tráfico. Con la arquitectura de RPC sobre HTTP antivirus y antispam pueden implementarse en los siguientes niveles: Cliente. Por ejemplo Outlook 2003. Proxy RPC. Por ejemplo IIS 6.0/ISA Server 2004. Servidor RPC. Por ejemplo Exchange 2003.

Configuración Proxy RPC
Instalar IIS. Instalar servicios RPC/HTTP desde componentes de Windows. Configuración del servicio virtual RPC en IIS. Activar seguridad en el servicio para utilizar RPC/HTTPS

Exchange Exchange soporta el servicio RPC sobre HTTPS.
Puede integrarse en la arquitectura Front – End / Back – End. El servidor Front – End podría funcionar como: Servidor RPC Proxy. Servidor RPC recibiendo y enviando peticiones a un servidor Proxy.

Exchange como servidor RPC

Demo: Conexión RPC/HTTPs Outlook 2003 – Exchange 2003

MPLS y Hosting de aplicaciones. Interacción con ISA Server
Julio César Gómez Martín Con la participación de: y

Indice ¿Quién es ONO? Evolución de las VPNs VPNs de Nivel 2 VPNs de Nivel 3. IPSec VPNs Seguras con MPLS Hosting de Aplicaciones con MPLS Soluciones con ISA Server 2004 sobre las VPNs de ONO ISA Server 2004 como Proxy ISA Server 2004 como Firewall

¿Qué es ONO? ONO es la mayor compañía de comunicaciones integradas por banda ancha para particulares y una de las principales para empresas en España Servicios de televisión + teléfono + internet al mercado residencial (en las demarcaciones con concesión de cable) servicios y aplicaciones sobre redes IP para empresas (en toda España) Licencias de cable en la Comunidad Valenciana, Mallorca, Castilla La Mancha, Murcia, Santander, Cádiz y Huelva. En febrero de 2004, ONO completó la compra del 61% de Retecal, el operador de telecomunicaciones por cable de Castilla y León.

Portfolio de servicios
Plataforma de negocio ASP Exchange e-Baan: ASP Baan (ERP) Streaming Video Hosting Gestionado: Dedicado, compartido Conectividad VIP: Redes Privadas Virtuales SIG: Acceso a Internet Garantizado Wall: Firewall Gestionado ISP virtual: ISP virtual Infraestructura ITS: Tránsito Internet Housing: Alojamiento de servidores

Indice ¿Quién es ONO? Evolución de las VPNs VPNs Seguras con MPLS
VPNs de Nivel 2 VPNs de Nivel 3. IPSec VPNs Seguras con MPLS Hosting de Aplicaciones con MPLS Soluciones con ISA Server 2004 sobre las VPNs de ONO ISA Server 2004 como Proxy ISA Server 2004 como Firewall

Definición de VPN Conexiones realizadas sobre una infraestructura compartida Funcionalidad similar (¿mejor?) que una red privada real: comportamiento (servicio garantizado) seguridad (integridad datos, confidencialidad) Seguridad ð aislamiento

VPN de Nivel 3. IPSec VPN de Nivel 2 Túneles GRE y sobre todo IPSec
Evolución de las VPNs VPN de Nivel 3. IPSec Túneles GRE y sobre todo IPSec Autenticación y cifrado de los datos en Internet Encaminamiento basado en IP del túnel Aceleración de cifrado por HW y SW VPN de Nivel 2 Frame Relay y ATM Definición estática de Circuitos Virtuales (PVCs) Encaminamiento basado en DLCI Escalabilidad y Flexibilidad Limitadas

Combina los niveles 2 y 3 empleando paquetes “etiquetados”
Evolución de las VPNs VPN de Nivel 3. MPLS Combina los niveles 2 y 3 empleando paquetes “etiquetados” Separación de la componente de routing de la de envío Seguridad inherente: diferencia y aísla el tráfico VPN generando redes privadas reales Comportamiento de la red: ingeniería tráfico

Indice ¿Quién es ONO? Evolución de las VPNs VPNs Seguras con MPLS
VPNs de Nivel 2 VPNs de Nivel 3. IPSec VPNs Seguras con MPLS Hosting de Aplicaciones con MPLS Soluciones con ISA Server 2004 sobre las VPNs de ONO ISA Server 2004 como Proxy ISA Server 2004 como Firewall

Esquema básico funcionamiento
1a.- Mediante los protocolos de routing Existentes (e.g. OSPF), establecemos los destinos mas apropiados dentro de la red 1b.- A partir de esta información LDP genera el mapeo de destinos mediante Labels PE 4. El Router de Borde destino (PE2) elimina la etiqueta y entrega el paquete P PE P 1 2 3 Delegación Sede Central PE PE P P PE 2. El Router de Borde (PE1) recibe un paquete, marca el paquete con una etiqueta y lo introduce en la red 3. Los Routers de Backbone (P) conmutan los paquetes mediante la etiqueta de los paquetes PE

Esquema básico funcionamiento
Backbone MPLS Cliente 1 MP-iBGP Routing VPN Routing VPN Cliente 2 Cliente 3 Router PE Router PE Router P IGP IS-IS IGP IS-IS

Router PE Generación de una VPN
Tablas de envío (VRF) para cada VPN en el PE permiten encaminar el tráfico a cada miembro de una VPN Sede #1 Cliente 1 Sede #2 Sede #3 Router PE P-Router Tabla de Routing GLOBAL Tabla de Routing GLOBAL Tabla de Routing Virtual para Cliente 1 Router Virtual para el Cliente 1 Tabla de Routing Virtual para Cliente 2 Router Virtual para el Cliente 2 Sede #1 Cliente 2

Generación de una VPN Tablas de envío (VRF) para cada VPN en el PE permiten encaminar el tráfico a cada miembro de una VPN Identidad VPN mediante un “distintivo de ruta” de 64-bit (Route Distinguisher - RD) RD asignado por el operador, desconocido por el cliente RD + dirección IP cliente = dirección “IP-VPN”, globalmente unívoca Empleo de Route Tarjet (RT) que definen las rutas a importar y exportar de las VRFs

Plan de direccionamiento
Actualización MP-iBGP Red= /24 Next Hop= PE-Router X Actualización MP-iBGP Red= /24 Next Hop= PE-Router Y PE-Router V VPN A CPE VPN A /24 CPE VPN B VPN B /24 PE-Router X P-Router Z PE-Router Y

Plan de direccionamiento
Actualización MP-iBGP RD:100:27 Red= /24 Next Hop= PE-Router X Actualización MP-iBGP RD:100:26 Red= /24 Next Hop= PE-Router Y PE-Router V VPN A VPN B CPE VPN B /24 CPE VPN A /24 PE-Router X P-Router Z PE-Router Y

Simplicidad de configuración
! interface FastEthernet0 ip address speed auto interface serial0 ip address no ip directed-broadcast no ip route-cache ip route serial0 PE MPLS Backbone PE PE PE

Simplicidad de configuración
ip vrf vpn_cliente rd 12457:5 route-target export 12457:5 route-target import 12457:5 ! interface Serial1/1/1 no ip directed-broadcast no ip proxy-arp ip address ip vrf forwarding vpn_cliente router bgp 12457 address-family ipv4 vrf vpn_cliente redistribute static exit-address-family ip route vrf vpn_cliente PE MPLS Backbone PE PE PE

Indice ¿Quién es ONO? Evolución de las VPNs VPNs de Nivel 2
VPNs de Nivel 3. IPSec VPNs Seguras con MPLS Hosting de Aplicaciones con MPLS Soluciones con ISA Server 2004 sobre las VPNs de ONO ISA Server 2004 como Proxy ISA Server 2004 como Firewall

Visibilidad “todos con todos”
Sede Central VPN Cisco CPE ADSL 4Mb Cisco CPE PaP 2Mb Red MPLS ONO PaP 1Mb Cisco CPE Telia VIP permite la generación de VPN’s a través del protocolo MPLS. Este protocolo, de forma nativa permite visibilidad de todas las redes IP que componen la IP-VPN, pero además, frente a otro tipo de topologías, MPLS permite optimizar cierto tipos de escenarios: CONEXIÓN A INTERNET: Dado que esta topología de red entiende IP, para aquel tráfico con destino a una dirección publica, es decir, no perteneciente a la VPN, es posible introducir en cada CPE una ruta por defecto hacia otro equipo que tiene la conexión a Internet. NO ES NECESARIO QUE TODO EL TRÁFICO DE INTERNET PASE POR LA SEDE CENTRAL. Dicha conexión “virtual”..., físicamente es un router que solamente implementa NAT y pequeñas funciones de filtrado basado en listas de acceso. Posee dos conexiones, una hacia la VPN, por la que recibe en tráfico de cualquiera de la sucursales o la sede central, y una segunda conexión a Internet. Internet Centralizado INTERNET Delegaciones VPN Conexión SIG con router en Housing. Conexión al Backbone IP Alta flexibilidad y escalabilidad NAT y Servicio Wall Clase C

Visibilidad parcial entre VPNs
Sede 1 CLIENTE A ADSL CPE Agrupacion de VPNs Router CPE RED ONO (MPLS) Delegaciones TIPO Acceso ADSL/PaP/Cable/RDSI Cable CPE Sede Central (Servicios Centrales) Sede 1 CLIENTE B

Visibilidad parcial entre VPNs
ip vrf vpn_C rd 12457:56 route-target import 12457:100 route-target export 12457:100 route-target import 12457:101 route-target import 12457:102 ip vrf vpn_A rd 12457:3 route-target export 12457:101 ip vrf vpn_B rd 12457:55 route-target export 12457:102 route-target import 12457:56 Resaltar que hemos optado por no utilizar el comando “redistribute connected” para clarificar las tablas VRF de las VPNs. Este comando suele ser configurado normalmente para facilitar las tareas de troubleshooting y As ya que al redistribuir las rutas directamente conectadas en la VPN es posible llegar a los servidores del clientes realizando un PING desde el PE ya que de esta manera los paquetes origen son los del enlace. Al no configurarlo además de tener menos entradas en la tabla VRF de la VPN (menor número de prefijos totales en M-BGP) incrementamos la seguridad ya que tan sólo damos conectividad a los servidores de la LAN. Para el troubleshooting en este caso hay que realizarlo desde el CPE mediante pings extendidos con origen la LAN del CPE.

Hosting de Aplicaciones sobre MPLS
Sede Central VPN Delegación 1 Delegación 2 Delegación 3 Red MPLS Servidores de Aplicaciones Internas (INTRANET) Microsoft ISA Server Dado que esta topología de red entiende IP, para aquel tráfico con destino a una dirección publica, es decir, no perteneciente a la VPN, es posible introducir en cada CPE una ruta por defecto hacia otro equipo que tiene la conexión a Internet. NO ES NECESARIO QUE TODO EL TRÁFICO DE INTERNET PASE POR LA SEDE CENTRAL como ocurre con topologías FR/ATM mencionadas en apartados anteriores. En ellas se sueles definir dos PVC’s una para todo el tráfico entrante proveniente de cada una de las delegaciones y otro saliente para el acceso a los servicios externos. Con ello obtenemos una duplicación del ancho de banda en la sede central que MPLS nos ahorra, con la reducción en costes de líneas de acceso a que da lugar. Observamos como se trata de una solución mucho menos flexible y escalable que la plateada en la figura anterior donde el consumo de ancho de banda es para el operador. Pero no solo eso, sino que la conexión que en este escenario nos ofrezca dicho operador estará conectada a su backbone IP, de modo que es como si directamente estuviéramos conectados a Internet. Ahora bien si la PYME precisa de una solución completa y profesional, dado que ya poseemos el segundo nivel de Firewall en la Red (descrito en el apartado anterior), para el conjunto de servicios de nuestra Intranet, es momento de introducir el primer nivel de Firewall, que nos une al mundo Internet y que podemos introducir también en “Housing/Hosting” en el nodo del operador. En él se implementarán las funcionalidades de limitación de acceso a Internet de nuestros empleados, la limitación de puertos susceptibles de ser atacados e incluso introducir una zona desmilitarizada (DMZ) donde instalaremos servidores WEB, máquinas que alberguen aplicativos de acceso de los clientes para comercio electrónico, etc… De igual modo se implementarán el conjunto de reglas de traslación de direcciones (NAT) de acuerdo al modo de implementación del Firewall. En conjunto, aglutinando todos los aspectos vistos, obtenemos una estructura de aplicaciones totalmente segura y de acceso a las mismas, gracias al binomio VPN con MPLS-Firewall. Servidor Correo

Hosting de Aplicaciones sobre MPLS
ip vrf vpn_cliente rd 12444:406 export map direcciones_loopback route-target export 12444:406 route-target import 12444:406 route-target import 12457:1 ! interface GE-WAN8/2 no ip address negotiation auto mls qos trust dscp interface GE-WAN8/2.300 description Conexion con HOSTING cliente encapsulation dot1Q 300 ip vrf forwarding vpn_cliente ip address router bgp 12457 address-family ipv4 vrf vpn_cliente_s redistribute connected redistribute static

Indice ¿Quién es ONO? Evolución de las VPNs VPNs de Nivel 2
VPNs de Nivel 3. IPSec VPNs Seguras con MPLS Hosting de Aplicaciones con MPLS Soluciones con ISA Server 2004 sobre las VPNs de ONO ISA Server 2004 como Proxy ISA Server 2004 como Firewall

Gestión de Redes a través de Objetos de Red
Internet VPN Perimetro1 Soporta cualquier Nº de Redes Pertenecia dinamica a la Red Reglas y Políticas por Red ISA Server 2004 supports multi-networking. This means that you can configure an unlimited number of networks on ISA Server. You can then configure access rules to manage the flow of network traffic between all of the networks. What is multi-networking Multi-networking means that you can configure multiple networks on ISA Server, and then configure network and access rules that inspect and filter all network traffic between all networks. Multi-networking examples Multi-networking enables flexible options for network configuration. One of the most common network configurations is a three-legged firewall where you create three networks: The servers that are accessible from the Internet are usually isolated on their own network, such as a perimeter network. The internal client computers and servers that are not accessible from the Internet are located on an internal network. The third network is the Internet. ISA Server multi-networking functionality supports this configuration. You can configure how clients on the corporate network access the perimeter network, and how external clients access the network. You can also configure the relationships between the various networks, defining different access policies between each network. You might also want to configure a more complicated network environment. For example, you might have two different categories of servers that need to be accessible from the Internet. Perhaps you are deploying some servers that are domain members and other servers that are stand-alone servers. The domain members need to be able to communicate with domain controllers that are located on your internal network. In this scenario, you could configure a second perimeter network for the servers that need to be members of the domain. Because ISA Server supports per-network policies, you can configure two different policies for access from the perimeter networks to the internal networks. You might also need a second internal network. You might have a group of client computers that needs to access the Internet using a different application or with different security rules than the other client computers. You can create an additional internal network and configure specific Internet access rules for each network. Multi-networking features ISA Server 2004 supports several multi-networking features: You can create an unlimited number of networks on ISA Server. The VPN Clients and Quarantined VPN Clients’ networks are represented as networks, which means you can configure network access policies for the traffic flowing from these networks to the other networks. The client’s membership in a network is automatically assigned. A computer becomes a member of a network based on its IP address (in the case of local area network [LAN]–connected clients) or based on its connection method (in the case of VPN clients). You can configure network rules that specify a route or Network Address Translation (NAT) relationship between networks. You can configure per-network access policies so that each network’s interaction with other networks can be unique. You can group several networks together into network sets, which means that you can define an access policy that applies to an entire network set. LAN1 Perimetro2

Las reglas de acceso siempre definen:
Red Destino IP Destino Sitio de Destino acción en traficó del usuario del origen al destino con condiciones Permitir Denegar Usuarios Protocolo IP Port/Tipo Access rules determine how clients on a source network can access resources on a destination network. To enable access to Internet resources for users on your internal network, you need to configure an access rule that enables this access. Access rule format Access rules are used to configure all traffic flowing through ISA Server, including all traffic from the internal network to the Internet, and from the Internet to the internal network. All access rules have the same overall structure as shown in the following table. Access rules define An action: Access rules are always configured to either allow or deny access. To be performed on specified traffic: Access rules can be applied to specific protocols or port numbers. From a particular user: Access rules can be applied to specific users or all users, whether they have authenticated or not. Coming from a particular computer: Access rules can be applied to specific computers based on their network locations or IP addresses. Going to a particular destination: Access rules can be applied to specific destinations, including networks, destination IP addresses, and destination sites. Based on particular conditions: Access rules can set additional conditions, including schedules and content-type filtering. Red Origen IP Origen Schedule Tipo de contenido

Porque usar un Servidor Proxy?
ISA Server Web Server Mejora la seguridad en el acceso a internet: Autenticación de Usuarios Filtrado de peticiones de cliente Inspección de contenido Log del acceso de los usuarios Esconder los detalles de la red interna. A proxy server is a server that is situated between a client application, such as a Web browser, and a server that the client is connecting to. All client requests and all server responses pass through the proxy server. A proxy server can provide enhanced security and performance for Internet connections. Improving Internet access security The most important reason for using a proxy server is to make the user’s connection to the Internet more secure. Proxy servers make the Internet connection more secure in the following ways: User authentication. When a user requests a connection to an Internet resource, the proxy server can require that the user authenticate, either by forcing the user to enter a user name and password or by using the cached credentials stored on the client computer. The proxy server can then grant or deny access to the Internet resource based on the authenticated user. Filtering client requests. The proxy server can use multiple criteria to filter client requests. In addition to filtering the request based on the user who is making the request, the proxy server can filter requests based on the IP address, the protocol or application that is being used to access the Internet, the time of day, and the Web site or Uniform Resource Locator (URL) the user is requesting. Content inspection. Proxy servers can inspect all traffic flowing in and out of the Internet connection and determine if there is any traffic that should be denied. This may include examining the traffic content for inappropriate words, scanning for viruses, or scanning for file extensions. Based on the criteria configured on the proxy server, all content can be inspected and filtered. Logging user access. Because all traffic is flowing through the proxy server, the server can log everything the user does. For HTTP requests, this can include logging every URL visited by each user. The proxy server can be configured to provide detailed reports of user activity that can be used to ensure compliance with the organization’s Internet usage policies. Hiding the internal network details. Because all requests for Internet resources are coming from the proxy server rather than from the internal client computer, the details of the internal network are hidden from the Internet. In almost all cases, no client computer information such as computer name or IP address is sent to the Internet resource. In some cases, such as when creating a Remote Desktop Protocol connection to a server on the Internet, the client computer name is transmitted on the Internet. Improving Internet access performance Another benefit of using a proxy server is to improve Internet access performance. The Web proxy server improves performance by caching requested Internet pages on the Web proxy server hard disk. When another user requests the same information, the proxy server provides the page from the cache rather than retrieving it from the Internet. Mejora el rendimiento en el acceso a Internet.

Servidor Proxy Directo.
Esta… El usuario permitido? El Protocolo permitido? El destino permitido? 3 6 1 5 Forward Web proxy servers are usually located between a Web application running on a client computer on the internal network and a Web server located on the Internet. You must configure the Web application on the client computer to use the Web proxy server to gain access to the Internet. The Web proxy service may be running at the connection point between the Internet and the internal network; the client computers may have no physical connection to the Internet other than through the proxy server. In other cases, a firewall may be deployed between the Internet and the proxy server, but all client computers will still use the proxy server because of the Web application configuration. How does a forward proxy server work? The following steps outline how a forward Web proxy server works. A client application such as a Web browser makes a request for an object located on a Web server. The client application checks its Web proxy configuration to determine whether the request destination is on the local network or on an external network. If the requested Web server is not on the local network, then the request is sent to the proxy server. The proxy server checks the request to confirm that there is no policy in place that blocks access to the requested content. The proxy server also checks if the requested object already exists in its local cache. If the object is stored in the local cache and it is current, the proxy server sends the object to the client from the cache. If the page is not in the cache, the proxy server sends the request to the appropriate server on the Internet. The Web server response is sent back to the proxy server. The proxy server filters the response based on the filtering rules configured on the server. If the content is not blocked, ISA Server saves a copy of the content in its cache and then the object is returned to the client application that made the original request. 2 4 ISA Server Web Server

Servidor Proxy inverso?
¿Esta… la peticíón permitida? el Protocolo permitido? el Destino permitido? Web Server 3 DNS Server 4 5 2 1 A reverse Web proxy server operates in much the same way as a forward Web proxy server. However, instead of making Internet resources accessible to internal clients, reverse proxy makes internal resources accessible to external clients. How a reverse proxy works The following steps outline how a reverse Web proxy server works. A user on the Internet makes a request for an object located on a Web server that is on an internal network protected by a reverse proxy server. The client computer performs a Domain Name System (DNS) lookup using the fully qualified domain name (FQDN) of the hosting server. The DNS name will resolve to the IP address of the external network interface on the proxy server. The client application sends the request for the object to the external address of the proxy server. The proxy server checks the request to confirm that the URL is valid and to ensure that there is no policy in place that blocks access to the requested content. The proxy server also checks if the requested object already exists in its local cache. If the object is stored in the local cache and it is current, the proxy server sends the object to the client from the cache. If the page is not in the cache, the proxy server sends the request to the appropriate server on the internal network. The Web server response is sent back to the proxy server. The object is returned to the client application that made the original request. ISA Server 6

Cacheo en ISA Server La cache del servidor ISA almacena una copia del contenido web solicitado en memoria o en el disco duro. Nos proporciona: Mejora de Rendimiento — la información se almacena localmente en el servidor ISA. Reduce el ancho de banda — no hay trafico adicional hacia internet. Escenarios posibles en modo Cacheo: Cacheo Directo — Servidores Web de Internet Cacheo Inverso — Servidores Web internos

Componentes TCP/IP afectados
Dirección destino: 0003FFD329B0 Dirección fuente: 0003FFFDFFFF Physical payload Nivel de enlace Destino: fuente: Protocolo: TCP IP payload Nivel de red Puerto destino: 80 Puerto origen: 1159 Nº secuencia: ACK: TCP payload Nivel de transporte All network communication on the Internet uses TCP/IP as its communication protocol. To configure ISA Server as a firewall, you must understand the characteristics of TCP/IP communication. TCP/IP layersEach TCP/IP packet is made up of multiple components. The components correspond to the following four protocol layers: Network Interface Layer. This layer handles placing TCP/IP packets on the network medium and receiving TCP/IP packets off the network medium. TCP/IP was designed to be independent of the network interface layer. The network interface layer header includes addressing information required for the physical devices connected to the network to communicate with each other. Internet Layer. This layer handles addressing packets, fragmentation and reassembly of packets, and routing packets between networks. The most important protocol at this layer is the Internet Protocol (IP). Transport Layer. This layer provides session and datagram communication services. The core protocols of the transport layer are the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP). Application Layer. This layer lets applications access the services of the other layers and defines the protocols that applications use to exchange data. Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Telnet, and Domain Name System (DNS) are all examples of application layer protocols. Internet Protocol IP is a network layer protocol primarily responsible for addressing and routing packets between hosts. An IP packet consists of an IP header and an IP payload. The following describes the key fields in the IP header: Source address: The IP address of the original source of the IP datagram Destination address: The IP address of the final destination of the IP datagram Protocol: Informs IP at the destination host whether to pass the packet up to TCP, UDP, Internet Control Message Protocol (ICMP), or other protocols TCP TCP is a reliable, session-oriented delivery service. Session-oriented means that a session must be established before hosts can exchange data. Reliability is achieved by assigning a sequence number to each segment transmitted. An acknowledgment is used to verify that the data is received. TCP provides a one-to-one, session-oriented, reliable communications service. The following describes the key fields in the TCP header: Source port: TCP port of sending hostDestination portTCP port of destination host Sequence number: Sequence number of the first byte of data in the TCP segment Acknowledgment Number: Sequence number of the byte the sender expects to receive next from the other side of the connection UDP UDP provides a sessionless datagram service that offers unreliable, best-effort delivery of data transmitted in messages. This means that neither the arrival of datagrams nor the correct sequencing of delivered packets is guaranteed. UDP does not recover from lost data through retransmission. The UDP header contains a source port and destination port, but does not include sequence information or acknowledgment. Ensuring that UDP packets are delivered is the responsibility of the application layer protocols that use UDP as a transport. Windows Sockets Most Internet applications running on Microsoft Windows® use Windows Sockets to communicate with the lower protocol layers. Windows Sockets provides services that allow applications to bind to a particular port and IP address on a host, initiate and accept a connection, send and receive data, and close a connection. A socket is defined by a protocol and an address on the host. In TCP/IP, the address is the combination of the IP address and port. Two sockets, one for each end of the connection, form a bidirectional communications path. To communicate, an application specifies the protocol, the IP address of the destination host, and the port of the destination application. After the application is connected, information can be sent and received. HTTP, Método de petición: Get HTTP, Versión del protocolo: =HTTP/1.1 HTTP Host: = Nivel de aplicación

¿Que es el filtrado de paquetes?
Está … lá dirección fuente permitida? lá dirección destino permitida? el protocolo permitido? sl puerto de destino permitido? Web Server The primary role of a firewall is to prevent network traffic from entering an internal network unless the traffic is explicitly permitted. One of the ways in which a firewall ensures this is through packet filtering. What is packet filtering? Packet filters control access to the network at the network layer by inspecting and allowing or denying the IP packets to transfer through the firewall. When the firewall inspects an IP packet, it examines only information in the network and transport layer headers, including the packet’s source and destination information, and its protocol and port numbers. The firewall can evaluate IP packets using the following criteria: Destination address. The destination address may be the actual IP address of the destination computer in the case of a routed relationship between the two networks being connected by ISA Server. The destination may also be the external interface of ISA Server in the case of a Network Address Translation (NAT) network relationship. Source address. This is the IP address of the computer that originally transmitted the packet. IP Protocol and protocol number. You can configure packet filters for TCP, UDP, ICMP, and any other protocol. Each protocol is assigned a number. For example, TCP is protocol 6, and the Generic Route Encapsulation (GRE) protocol for Point-to-Point Tunneling Protocol (PPTP) connections is protocol 47. Direction. This is the direction of the packet through the firewall. In most cases, the direction can be defined by inbound, outbound, or both. For some protocols, such as FTP or UDP, the directional choices may be Receive only, Send only, or Both. Port numbers. A TCP or UDP packet filter defines a local and remote port. The local and remote ports can be defined by a fixed port number, or as a dynamic port number. Advantages and disadvantages of packet filtering Packet filtering has a number of advantages and disadvantages. Some of the advantages include: Packet filtering has to inspect only the network and transport layer headers, so packet filtering is very fast. Packet filtering can be used to block a particular IP address or to allow a particular IP address. If you detect an application-level attack from an IP address, you can block that IP address at the packet-filter level. Or, if you need to enable access to your network and you know that all access attempts will be coming from a particular address, you can enable access only for that source address. Packet filtering can be used for ingress and egress filtering. Ingress filtering blocks all access on the external interface of the firewall to packets that have a source IP address that is logically on the internal network. For example, if your internal network includes the network, an ingress filter will block a packet arriving at the external interface that claims to be coming from An egress filter prevents packets from leaving your network that have a source IP address that is not on the internal network. Packet filtering also has some disadvantages: Packet filters cannot prevent IP address spoofing or source-routing attacks. An attacker can substitute the IP address of a trusted host as the source IP address and the packet filter will not block the packet. Or the attacker can include routing information in the packet that includes incorrect routing information for return packets so that the packets are not returned to the actual host, but to the attacker’s computer. Packet filters cannot prevent IP-fragment attacks. An IP-fragment attack splits a single IP packet into multiple fragments. Most packet-filtering firewalls check only the first fragment and assume that the other fragments of the same packet are acceptable. The additional fragments may contain malicious content. Packet filters are not application aware. You may be blocking the default Telnet port (port 23) on your firewall, but allowing access to the HTTP port (port 80). If an attacker can configure a Telnet server to run on port 80 on your network, the packets would be passed to the server. ISA Server 2004 and packet filtering ISA Server 2004 does not have an option to directly configure packet filtering. However, ISA Server does operate as a packet filter firewall inspecting traffic at the network and transport layers. For example, if you define a firewall access rule that enables all protocol traffic from a computer on one network to a computer on another network, ISA Server uses a packet filter to allow that traffic. Or, if you configure a firewall access rule that denies the use of the default Telnet port (TCP port 23), ISA Server will use a packet filter to block that port. ISA Server 2000 supported direct configuration of packet filters. If you upgrade to ISA Server 2004 from ISA Server 2000, packet filters are replaced by access rules. Packet Filter ISA Server

¿Que es el filtrado de paquetes?
Reglas de conexión Crear la regla de conexión Web Server Es el paquete parte de la conexión? Web Server When a firewall uses stateful filtering, it not only examines the packet header information, but also examines the status of the packet. For example, the firewall can inspect a packet at its external interface and determine whether the packet is a response to a request from the internal network. This check can be performed at both the transport and application layers. Stateful filtering uses information about the TCP session to determine if a packet should be blocked or allowed through the firewall. TCP sessions are established using the TCP three-way handshake. The purpose of the three-way handshake is to synchronize the sequence number and acknowledgment numbers of both sides of the connection and exchange other information defining how the two hosts will exchange packets. ISA Server

¿Que es el filtrado por aplicación?
Está permitido el método? Respuesta al cliente Web Server Application filtering enables the firewall to open up the entire TCP/IP packet and inspect the application data for unacceptable commands and data. For example, an SMTP filter intercepts communication on port 25 and inspects it to make sure the SMTP commands are authorized before passing the communication to the destination server. An HTTP filter performs the same function on all HTTP packets. Firewalls that are capable of application-layer filtering can stop dangerous code at the edge of the network before it can do any damage. Application-layer filtering can also be used to stop attacks from sources such as viruses and worms. Most worms look like legitimate software code to the packet-filtering firewall. The headers of the packets are identical in format to those of legitimate traffic. It is the payload that is malicious; only when all the packets are put together can the worm be identified as malicious code, so these exploits often travel straight through to the private network because the firewall allowed what looked like normal code. Advantages and disadvantages of application filtering The advantages of application-layer filtering go beyond the prevention of attacks. It can also be used to protect your network and systems from the harmful actions that unaware employees often take. For example, you can configure filters that prevent potentially harmful programs from being downloaded via the Internet, or ensure that critical customer data does not leave the network in an . Application-layer filtering can also be used to more broadly limit employee actions on the network. You can use an application filter to restrict common types of inappropriate communication on your network. For example, you can block peer-to-peer file-exchange services. These types of services can consume substantial network resources and raise legal liability concerns for your organization. The most significant disadvantage of application-filtering firewalls is performance. Because an application-filtering firewall examines the actual payload of each packet, it is usually slower than packet or stateful filtering. ISA Server and application filtering The most important benefit of implementing ISA Server 2004 is that it is a powerful and complete application-layer firewall. ISA Server includes many built-in application filters. In addition, ISA Server 2004 includes powerful and flexible interfaces with which administrators can create custom filters to detect virtually any attack. ISA Server is also highly extensible. This means your in-house programmers or third-party vendors can extend much of its functionality, including its filtering capabilities. ISA Server Está la respuesta permitida en contenido y métodos?

Excedido el límite del escaneo de puertos Ataque de escaneo de puertos
Funcionalidades IDS Excedido el límite del escaneo de puertos Ataque de escaneo de puertos Alerta al administrador If you detect an intrusion attempt early enough, you may be able to prevent a successful intrusion. If an intrusion does occur, you need to be alerted as soon as possible to reduce the potential impact of the intrusion and to eliminate the vulnerability in your network security. What is an intrusion detection system? An intrusion detection system (IDS) that is located at the edge of a network inspects all traffic in and out of the network and identifies patterns that may indicate a network or system attack. An IDS is usually configured with information about a wide variety of known attacks. It then monitors the network traffic for signatures that indicate that a known attack is occurring. An IDS can also be configured with information about normal network traffic and then be configured to detect variations from the normal traffic. A complete IDS also includes several layers. One device may be located at the network perimeter and monitor all traffic entering and leaving the network. Additional devices may be deployed on the internal networks, or on routers connecting networks. A final layer of protection is provided by host-based systems in which an IDS is configured on individual computers. The most sophisticated IDS can collect information from all the layers and correlate data to make the most accurate intrusion detection decisions. Intrusion detection systems also provide options for configuring alerts or responses to intrusion attempts. At the very least, an IDS should alert an administrator when an attack is detected. More sophisticated IDSs provide additional responses to attacks, including shutting down or limiting the functionality of the systems under attack. Although they both relate to network security, an IDS differs from a firewall in that a firewall looks out for intrusions to stop them from happening. The firewall limits the access between networks to prevent intrusion and does not signal an attack from inside the network. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. An IDS also watches for attacks that originate from within a system. ISA Server and intrusion detection ISA Server includes intrusion detection that monitors for several well-known vulnerabilities. ISA Server detects intrusions at two different network layers. First, ISA Server detects intrusions at the network layer. This enables ISA Server to detect vulnerabilities that are inherent to the IP protocol. Second, ISA Server uses application filters to detect intrusions at the application layer. You can use third-party application filters to add more intrusion detection or create your own application filters using the filter application programming interfaces (APIs) defined in the ISA Server software development kit (SDK). ISA Server

Filtrado del tráfico de red en ISA Server 2004
3 Filtrado por aplicación Filtrados WEB 2 Filtrado por estado y protocolo Filtrados Proxy WEB Filtrado de Aplicaciones Reglas De Ingenieria Servicios de Firewall ISA Server 2004 is designed to provide all of the firewall filtering functionality using a layered architecture. ISA Server filtering architecture When a network packet arrives at the firewall, it goes through one or more components in the ISA Server architecture. The network packets may be inspected and allowed or denied by each of the following components: Packet filtering. The firewall engine, which runs in kernel mode, receives the packets as they pass through the network layer. The packets are associated with a connection rule, and then the packets are filtered. The firewall engine applies the packet filters. If no packet filters apply, the packet is passed to the firewall service. Stateful and protocol filtering. The firewall service, which runs in user mode, performs protocol and stateful filtering. The firewall service creates and manages firewall connections. The firewall service also handles communication with and connections via Firewall Client. If an application filter or Web filter is associated with the connection protocol, the packet is passed to the appropriate application filter or Web filter. Application filtering. The application filters expand the network packet and inspects the application data. If the packet uses the HTTP or Hypertext Transfer Protocol Secure (HTTPS) protocols, the message is passed through the Web proxy filter to a HTTP Web filter, which inspects the application data. The Web proxy filter also manages and accesses the Web cache. Kernel mode data pump. If the data entering the firewall engine can be associated with an existing connection rule, the data is forwarded through ISA Server using the kernel mode data pump. This means that data that will be accepted by the higher layers in the architecture can be passed through ISA Server without ever leaving the kernel mode driver. The rules engine communicates with all of the other major components, including with both the firewall engine and the firewall service, as well as with application and Web filters. Ingenieria Firewall 4 Modo Kernel Bomba de datos TCP/IP 1 Filtrado de paquetes

Resumen: Implementing ISA Server 2004 como Firewall
En un entorno de Hosting de aplicaciones con MPLS: Determinar el perímetro de configuración de Red Configurar las reglas sobre las distintas redes Configurar la política del sistema Configurar la detección de intrusiones Configurar las reglas de acceso Configurar los servicios y políticas de anunció WEB In many organizations, ISA Server is deployed as a firewall. ISA Server provides a secure firewall solution that can be deployed in many different firewall configurations. Configuration components Configuring ISA Server as a firewall includes the following steps. Determine perimeter network configuration. The primary role for a firewall is to protect the network perimeter. The first step in deploying ISA Server as a firewall is to design the perimeter network configuration and determine the role of ISA Server in that configuration. Configure networks and network rules. The second step in deploying ISA Server as a firewall is to configure networks and network rules based on your perimeter network design. You can use network templates in ISA Server to simplify this process. Configure system policy. System policy is used in ISA Server to define how the ISA Server will be managed. One step in your deployment should be to ensure that the system policy enables only required functionality. Configure intrusion detection. ISA Server provides built-in intrusion detection. Configure intrusion detection so that you can be alerted when an attack occurs on your ISA Server. Configure access rule elements and access rules. To grant users access to the Internet, you need to configure access rule elements and access rules. Configure server and Web publishing. The final step in configuring ISA Server as a firewall is to enable server and Web publishing. This step makes internal resources accessible from the Internet.

Reglas de publicación de servicios
Las reglas de publicación aplican a los servidores: Redireccíonar la petición a la red interna (DMZ) Comunicaciones basadas en protocolo y puerto Publicar el contenido usando múltiples protocolos Filtrado a nivel de aplicación para protocolos con filtros de aplicación en ISA Soporte para encriptación Logar dirección IP de clientes ISA Server uses Web publishing rules to make Web sites available to users on the Internet. A Web publishing rule is a firewall rule that specifies how ISA Server will route incoming requests to internal Web servers. Functions of Web publishing rules Use Web publishing rules to provide: Access to Web servers running HTTP protocol. When you configure a Web publishing rule, you configure ISA Server to listen for HTTP requests from the Internet and to forward that request to a Web server on a protected network. To publish servers using any other protocols, you need to use a server publishing rule. Application-layer filtering. Application-layer filtering enables ISA Server to inspect the application data in each packet passing through ISA Server. This includes filtering of Secure Sockets Layer (SSL) packets if you enable SSL bridging. This provides an additional layer of security not provided by server publishing rules. Path mapping. Path mapping enables you to hide the details of your internal Web site configuration by redirecting external requests for parts of the Web site to alternate locations within the internal Web site. This means that you can limit access to only specific areas within a Web site. User authentication. You can configure ISA Server to require that all external users authenticate before their requests are forwarded to the Web server hosting the published content. This protects the internal Web server from authentication attacks. Web publishing rules support several methods of authentication including Remote Authentication Dial-In User Service (RADIUS), integrated, basic, digest, digital certificates, and RSA SecurID. Content caching. The content from the internal Web server can be cached on ISA Server, which improves the response time to the Internet client while decreasing the load on the internal Web server. Support for publishing multiple Web sites using a single Internet Protocol (IP) address. You can configure multiple Web publishing rules that can make multiple internal Web sites available to Internet clients. Link translation. With link translation, you can provide access to complex Web pages that include references to other internal Web servers that are not directly accessible from the Internet. Without link translation, any link to a server that is not accessible from the Internet would appear as a broken link. Link translation can be used to publish complex Web sites providing content from many servers while hiding the complexity from the Internet users. Support for logging of the Internet client’s IP address. By default, when you publish a server using Web publishing, the source IP address that is received by the internal Web server is the IP address of the ISA Server internal interface. If you need to be able to log access to the Web server based on the IP address of the client computer on the Internet, you can modify the default setting. Functions of secure Web publishing rules Secure Web publishing rules are a special type of Web publishing rule that increases the security of the Web site by encrypting network traffic using SSL. ISA Server supports both SSL tunneling and SSL bridging. SSL tunneling. With SSL tunneling, ISA Server forwards encrypted packets between the client and the Web server. In this scenario, ISA Server cannot inspect the content of the packets. SSL bridging. With SSL bridging, ISA Server can encrypt and decrypt all network traffic between the server and client. In this scenario, ISA Server can accept SSL requests from clients, and can then convert them to HTTP and forward them to the published Web server. ISA Server can also be configured to re-encrypt the traffic sent to the publishing Web server to provide additional security. In a SSL bridging scenario, ISA Server can inspect the HTTP packets while they are not encrypted. ISA Server

Muchas Gracias

Técnicas de detección de SPAM
Jacobo Crespo Sybari Software Con la participación de: y

AGENDA Presentación Herramientas de Filtrado de Contenido
Filtros AntiSpam en MS Exchange Server 2003 Intelligent Message Filter en Exchange 2003 – Demo Advance Spam Manager – SpamCure – Demo

¿Quienes Somos? Fabricante de Seguridad orientado a Mensajería:
Correo Electrónico (Exchange) Portales para publicación de documentos (Sharepoint Portal Server) Servidores de Mensajería Instantánea (Live Communication Server) Que ofrece: Hasta 8 motores de AV Simultáneos Control del contenido enviado en el correo (palabras, adjuntos, tamaño,…) Soluciones Antispam (borrado, etiquetado,….) Auditoria sobre la utilización del (Productividad, almacenamiento, ancho de banda) En US desde el año 1994 y en España desde el año 2000 con mas de 600 clientes

Referencias

¿Por qué Antispam? Circulan al día 2.3 billones de mensajes SPAM
Un buzón de correo normal recibe al día 75 correos de los cuales el 52% es SPAM Se ha cuantificado que el coste por año por empleado del SPAM es de 300€ Los costes directos del SPAM son: Transmitir esos mensajes – Reduce el ancho de banda Almacenar esos mensajes – Aumenta el coste de almacenamiento Borrar o leer esos mensajes – Reduce la productividad del empleado ROI Protección Antispam por dos años para 50 empleados = 1.200€ 300€ x 50 empleados = € de coste de Spam anual x2 = € Protección Antispam por dos años para empleados = € 300€ x empleados = € de coste de Spam anual x2 = €

Filtrado de Contenido Evita que cierto tipo de palabras y tópicos sean enviados hacia o desde los usuarios Sin embargo, es ineficiente para controlar el SPAM Requiere una atención continua del Administrador (horas por día) Algunos simples trucos lo hacen vulnerable Ejemplos: $ave, V*i*a*gr*a, Chëὰρ Existen 105 variantes solo para la letra A! Genera muchos falsos positivos Imposible de utilizar en ciertas industrias

Filtrado de Contenido V G R A , \./iagra, Viiagra, V?agr?, V--i--a--g--r-a, V!agra, V1agra, VI.A.G.R.A, vIagr.a, via-gra, Via.gra, Vriagra, Viag*ra, vi-agra, Vi-ag.ra, v-iagra, Viagr-a, VÎÂ^G^GÂ, V'i'a'g'r'a', V*I*A,G,R.A, VI.A.G.R.A..., Viag\ra!, V-i:ag:ra, V'i'a'g'r'a, V/i;a:g:r:a, V i a g V+i\a\g\r\a, Viag[ra, V?agra, V;I;A*G-R-A, V-i-a-g-r-a, V*I*A*G*R*A , \/îâg-ra, VlAGRA, V\i\a.g.r.a, v_r_i_a_g_r_a, V\i\a:g:r:a, Vîâ^g^râ, Viag(ra.

RBLs (Real Time Black Holes)
Las RBLs son listas de supuestos spammers y sus dominios/direcciones IP Ejemplos: SpamCop, MAPS, SPEWS, Dorkslayers Generalmente es manejado por voluntarios, por lo cual no existe una auditoría, y a menudo bloquean mas de la cuenta Algunos ISPs son agregados, aún cuando envían correos legítimos Borrarse de estas listas puede llevar desde días a meses Requiere la utilización de muchas listas blancas para no generar falsos positivos

Análisis Heurístico Utiliza una técnica que busca miles de características y/o palabras para identificar SPAM y asignar una calificación El nivel de SPAM debe ser ajustado periódicamente Es utilizado en muchos productos antispam Muy conocido por los spammers Sitios Web de spammers permiten verificar el spam contra motores heurísticos Aumentar el nivel de detección = Aumentar los falsos +

Filtros Bayesianos Sistema de aprendizaje basado en análisis estadísticos de vocabulario Listas de palabras “buenas” y “malas” Necesita intervención del usuario para que sea efectiva Puede ser muy efectiva para usuarios individuales Es atacado deliberadamente por los spammers Incluyendo palabras “buenas” Generalmente con palabras escondidas dentro de código HTML

Filtros Bayesianos Ejemplo de palabras aleatorias para evitar filtros Bayesianos Definition of SPAM – spam is not the same for everybody. One user’s spam is another’s valid . So there is a need to delegate decision making. Privacy - Is the cure worse than the problem? -- Privacy is a key issue. Some spam solutions send entire s outside of an organization. Others use quarantine solutions. This means that the admin must read the message content to decide if something is spam. This creates a potential for deliberate or inadvertent access to private information. False positives/high detection: every solution will claim this. But with content-based solutions, the higher you turn the “sensitivity” to spam, the more false positives you get. Corporate / MIS control (Solicited – Private ): some mail that has the characteristics of spam is wanted, such as newsletters. MIS needs to be able to open the doors to these s. You need a combination of IT and user control. Individual control: Relieving the administrator – the administrator cannot be expected to spend all day writing rules. Ever changing enemy: Staying on top of the challenge – spam attacks happen in real-time and must be reacted to in the same way.

Checksums Crea un “fingerprint” de ejemplos de spam conocido
La Base de Datos se actualiza periódicamente Es reactivo Por definición, el “fingerprint” es creado tras identificar el correo como spam Es posible evitarlo con una técnica llamada “hash busting” – agregando diferentes caracteres dentro del mensaje

Ejemplo de Hash busting
Ejemplo de hash busting para evitar la técnica de checksums Definition of SPAM – spam is not the same for everybody. One user’s spam is another’s valid . So there is a need to delegate decision making. Privacy - Is the cure worse than the problem? -- Privacy is a key issue. Some spam solutions send entire s outside of an organization. Others use quarantine solutions. This means that the admin must read the message content to decide if something is spam. This creates a potential for deliberate or inadvertent access to private information. False positives/high detection: every solution will claim this. But with content-based solutions, the higher you turn the “sensitivity” to spam, the more false positives you get. Corporate / MIS control (Solicited – Private ): some mail that has the characteristics of spam is wanted, such as newsletters. MIS needs to be able to open the doors to these s. You need a combination of IT and user control. Individual control: Relieving the administrator – the administrator cannot be expected to spend all day writing rules. Ever changing enemy: Staying on top of the challenge – spam attacks happen in real-time and must be reacted to in the same way.

Curiosidades Los Spammers están continuamente creando trucos y técnicas para evitar las diferentes tecnologías de detección… Algunos Ejemplos….. Definition of SPAM – spam is not the same for everybody. One user’s spam is another’s valid . So there is a need to delegate decision making. Privacy - Is the cure worse than the problem? -- Privacy is a key issue. Some spam solutions send entire s outside of an organization. Others use quarantine solutions. This means that the admin must read the message content to decide if something is spam. This creates a potential for deliberate or inadvertent access to private information. False positives/high detection: every solution will claim this. But with content-based solutions, the higher you turn the “sensitivity” to spam, the more false positives you get. Corporate / MIS control (Solicited – Private ): some mail that has the characteristics of spam is wanted, such as newsletters. MIS needs to be able to open the doors to these s. You need a combination of IT and user control. Individual control: Relieving the administrator – the administrator cannot be expected to spend all day writing rules. Ever changing enemy: Staying on top of the challenge – spam attacks happen in real-time and must be reacted to in the same way.

Filtros AntiSpam en MS Exchange Server 2003

Problemática Plataforma Relay de correo:
El ataque se produce cuando un usuario malicioso vulnera la seguridad de la plataforma para enviar correo masivo a través de nuestro servidor. Receptor de Correo Spam: Se reciben correos que cargan el rendimiento, reducen la productividad de los empleados y generan gastos directos (sistemas de backup, conexiones GPRS, ancho de banda, soporte...)

Problemática Técnica Relay
Buzones Exchange Back-End Pasarela SMTP Exchange Front-End No Relay

Soluciones Exchange Server 2003
Opciones de Seguridad para no admitir Relay y, por tanto, no ser plataforma de correo “Spam”. Bloqueo de Relay por defecto para todos los clientes no autenticados. Bloqueo por dominios. Bloqueo por usuarios. Bloqueo por máquinas.

Opciones para detener el correo Spam recibido: Filtro de Remitente. Filtro de Destinatario. Nuevo. Listas Autenticadas. Nuevo. Filtro de Conexión en tiempo real. Nuevo. Filtros de Junk . Nuevo. IMF. Nuevo.

Filtro de Remitente. (Filtro Estático) Bloquea los mensajes que proceden de determinados usuarios. Filtro de Destinatario (Filtro Estático) Bloquea los mensajes que van dirigidos a determinados destinatarios.

Soluciones Exchange 2003 Listas Autenticadas
Se discrimina solo a usuarios autenticados para enviar mensajes a listas de correo.

13.12.11.10 Host 127.0.0.1 Soluciones Exchange 2003
Filtros de Conexión Exchange Server 2003 comprueba en tiempo real si un servidor que está enviando correo está almacenado en una base de datos de servidores nocivos. Implantación de Filtros de Conexión Implantamos en un servidor DNS una zona de consulta para almacenar los servidores bloqueados. Ej.[bloqueados.midominio.com ] Añadimos registros del tipo Configuramos un filtro para que se consulte la zona anterior cada vez que se recibe una conexión de servidor Host

Se envian los mensajes al servidor de BackEnd
Filtro de Conexión Se envian los mensajes al servidor de BackEnd Se recibe una conexión desde un servidor de correo Se deniega la conexión El servidor FrontEnd consulta la zona DNS de bloqueo. El servidor DNS contesta si existe o no ese registro. Servidor FrontEnd Servidor BackEnd Servidor DNS

Soluciones Exchange 2003 Filtros Junk e-mail en Cliente
Opciones de Outlook 2003 El cliente tiene la opción de configurar los correos nocivos El Servidor y SW de terceros (Antigen) catalogan los mensajes para entrar en la carpeta de Junk- En conexiones de pago por transferencia permite ahorrar costes

Intelligent Message Filter & Advance Spam Manager

Dos Motores Microsoft IMF Utiliza la tecnología SmartScreen™
Conjunto detallado de reglas que son comparadas con el correo entrante Sybari/Antigen ASM Integra el motor de detección de spam SpamCure™ Utiliza una combinación de “Bullet Signatures” y el motor STAR

Tecnología SmartScreen™
IMF distingue entre los mensajes de correo legítimos y el correo comercial no solicitado u otro tipo de correo electrónico no deseado Hace un seguimiento de más de características de correo electrónico basadas en datos de cientos de miles de suscriptores del servicio MSN® Hotmail® que participaron voluntariamente en la clasificación de millones de mensajes de correo electrónico Ayuda a filtrar el correo no deseado antes de que llegue a la bandeja de entrada del usuario

Tecnología SmartScreen™
Base de datos utilizada para almacenar las características de los correos catalogados como Spam se actualiza con nueva información de patrones del origen de la muestra, lo que hace que el filtro sea más eficaz y actual Permite llevar a cabo una evaluación más precisa de la legitimidad de un mensaje de correo electrónico entrante

SCL – Nivel de Confianza del correo no deseado
IMF evalúa el contenido de los mensajes en busca de modelos reconocibles y les asigna una clasificación basada en la probabilidad de que el mensaje sea correo comercial no solicitado o correo no deseado La clasificación se almacena en una base de datos con el mensaje como una propiedad llamada nivel de confianza de correo no deseado (SCL) Los administradores configuran dos umbrales que determinan la forma en que IMF controla los mensajes de correo electrónico con diferentes niveles de SCL

Demo: Intelligent Message Filter (IMF)

ASM Antigen Advanced Spam Manager

Bullet Signatures BD “Bullet signatures” es creada y revisada por un grupo de expertos Los “Bullet signatures” son una combinación de atributos únicos de un spammer en particular Un conjunto de datos extraídos de la cabecera, del campo asunto y del cuerpo del mensaje Funciona tanto para spam actual como futuro Creados para conseguir características únicas del mensaje que no puedan estar presentes en correos legítimos No puede ser falseado por técnicas como el “Hash Busting”

STAR Engine El motor STAR busca trucos y técnicas específicas de los spammers Spammer Tricks Analysis and Response Utiliza los “Bullet Signatures” para buscar métodos específicos de spamming Se actualiza automáticamente cuando se lanza una nueva versión del motor Desde el comienzo está diseñado para soportar cualquier idioma, incluso los de doble byte.

Uno + Uno = TRES Supongamos que recibimos 10.000 correos de SPAM
Si el IMF analiza primero, el total de correos de SPAM se reduciría a un total de 1500 (85% de detección) A partir de ahí, SpamCure™ escanea el correo restante y detectaría el 95% de los 1500 Lo que reduce a 75 los correos de SPAM que recibiríamos

Combinando Tecnologías
El motor IMF analiza los correos en primer lugar Se aplica una clasificación SCL a cada correo Después pasa por ASM, que también analiza el mensaje ASM nunca reducirá la clasificación de IMF

Resumen Dos sistemas de detección de spam para lograr una mayor efectividad Mínima intervención humana Fácil de instalar y configurar Integración entre cliente y servidor Ratio de detección del 99%, mucho mayor que la que pueda ofrecer cualquier tecnología por sí misma

Demo: Advance Spam Manager. Tecnología SpamCure

Referencias LSSI : http://www.lssi.es MS ISA Server 2004:
Exchange Server 2003 Message Screener: Technet: Sybari: Informática 64

¿ Preguntas ?

Contactos Jacobo Crespo - Sybari Software
Chema Alonso - Informática 64 José Parada Gimeno - Microsoft

Contacto local CDROM, S.A. Servicios de Sistemas y Telec.
Microsoft Certified Partner Area de Seguridad de los S.I. Jose Luis Yago

Próximas Acciones

Gira Seguridad 2005 Microsoft TechNet

Presentaciones similares

Presentación del tema: "Gira Seguridad 2005 Microsoft TechNet"— Transcripción de la presentación:

Presentaciones similares

Sobre el proyecto

Feedback

Iniciar la sesión

Autorizarse a través de una red social:

Gira Seguridad 2005 Microsoft TechNet

Presentaciones similares

Presentación del tema: "Gira Seguridad 2005 Microsoft TechNet"— Transcripción de la presentación:

Presentaciones similares

Sobre el proyecto

Feedback