
Secure Your Network: Introduction to Security


1 Secure Your Network: Introduction to Security
Alexandre Le Bienvenu, Microsoft Consulting Services, Microsoft Perú

2 Agenda
Theoretical aspects; Technologies; Examples

3 Theoretical aspects
Basic principles; A bit of history; Related costs

4 The security challenge
The right access to the right content for the right people: provide diverse services (Web access, , files, messaging, databases, the business chain, among others) while protecting the assets: financial information, processing, network resources, intellectual property, customer satisfaction.
Business requirements: intellectual properties must be secure; employees must have rapid access to information; distributed environments must be managed using consistent policy; the environment must be based on open standards.

Presenter notes: All computing information environments are different, and therefore all organizations must develop their own strategies, goals, and plans for deploying ISA Server. The following are some of the most critical business considerations at Microsoft, which ITG took into consideration when formulating its strategy, goals, and plans to deploy ISA Server internally.

Customer needs must be met. Microsoft is committed to developing solutions that satisfy customer needs. One such need is a reliable and scalable solution that will enable businesses to communicate with customers and partners using the Internet. To stand behind this commitment, Microsoft developed ISA Server and then kicked off an internal initiative to ensure that the product would be the most secure and scalable enterprise firewall and Web cache ever released. To assure that problems with the product were resolved before release, ITG and the product-development team created a tight feedback loop to communicate at every step in planning and deploying the beta release of ISA Server at Microsoft.

Intellectual properties must be secure. Microsoft’s intellectual properties are its greatest asset, and ITG must keep these assets secure. For this reason, ITG is extremely careful to avoid compromising the company’s security. Before the beta release of ISA Server was deployed in Microsoft’s production environment, a team of security analysts reviewed the planning documents and then deployed a small test infrastructure based on those plans to determine if the environment could be compromised with commonly used techniques. They found that it could not. They also found that it was sufficiently secure to deploy at the edge of the internal network, where it would communicate directly with servers on the Internet.

Employees must have rapid access to information. Information is of value only insofar as it can be used to support the day-to-day decision making of employees and executives. Information must be accessible to employees as quickly as they can process it to ensure that business is carried out at “the speed of thought.” Rapid access to information over the Internet and information shared on the intranet are crucial business requirements. The Internet has dramatically changed the way Microsoft employees do their everyday jobs. For example, information within the company is provided almost exclusively in electronic, HTML-based form. Most line-of-business applications used at Microsoft now leverage Internet Information Server (the Web server built into Windows 2000 Server), SQL Server 2000, and Internet Explorer 5.5. The widespread use of HTML-based content at Microsoft has made ISA Server an ideal solution for securing information and accelerating access to that information.

Distributed environments must be managed using consistent policy. Although most Microsoft employees work at or near corporate headquarters, others are distributed around the world. Employees in all areas of the company need secure and rapid access to the Web and shared information via the Internet regardless of where they work. Managing a geographically distributed environment must be quick and easy, and it is especially important that ITG be able to apply policy consistently to assure the internal environment is secure. Internet access points are available at many locations throughout Microsoft, allowing a geographically dispersed workforce to take advantage of them. As of this writing there are twenty-two such access points, all of which must be securely monitored and maintained while allowing employees secure and fast Internet access.

The environment must be based on open standards. The day-to-day management of Microsoft’s internal computing information environment is simplified thanks to the continual support of many third parties. ITG relies on the dedication and day-to-day support of many solution providers to reduce support costs, improve security, and make the internal environment easier to manage. As a best practice, the technical skills and support tools that are core competencies of third parties are viewed as cost-effective alternatives to internal development. For this reason it is vital that the environment be based on open standards so that third parties can extend the environment to satisfy changing business conditions.

5 Basic security principles
Authentication: correctly identify the user or application that requests access.
Authorization: grant the identified user the correct access to the information.
Confidentiality: define which information the user or application may access and what rights they have over it.

6 Microsoft's commitment to security
There is a threat to every user and every system on the market, at a stage of global expansion and of pressure to reduce costs and preserve confidentiality. Microsoft has a special obligation to help ensure the security of the Internet and of our customers' data. We at Microsoft are working to help our customers get secure and stay secure.

7 Everything was simpler before...
Mainframe: dumb terminals, the “greenhouse” machine room; physical security, limited connectivity.

8 Everything was simpler before...
Client-server: LAN connectivity; file and print services; limited external access.

9 Everything was simpler before...
Internet: the Internet is “always on”, has no owner and carries multiple applications; the WWW. The world became complex and difficult...

10 Attack profiles: common crime methods, hostile code
Viruses; Worms; Trojan horses; Denial of Service; Web page defacement; Eavesdropping and interception; Identity theft.
Presenter notes: Viruses: code that replicates itself (example: Melissa). Worms: code that makes its way through existing code. Trojan horses: from Greek mythology, code that is disguised and is executed or activated on a certain date or by a certain activity. Denial of Service: potentially overloading and locking up a system so that others cannot gain access; also, modification of access rights to prevent others from gaining access. Web page defacement: replacing Web pages or re-routing URLs. Eavesdropping and interception: via wireless or wired networks, “listening” to the wire and capturing data as it is transmitted. Identity theft: false credentials, using false IP addresses or authentication credentials/passwords. And note that the punishment for the Anna Kournikova virus was only 50 days of community service.

11 Recent threats
Nimda: a virus that spreads itself through several mechanisms. Code Red: infected Web servers that provided administrative access. Scripting viruses: Outlook clients. Others: Denial of Service, defacement. Microsoft has the obligation to take a proactive approach to security.

12 Local cases
Information theft; failures of confidentiality; improper use of corporate information (messaging, documents, tacit knowledge); alteration of information in mission-critical systems; among others.

13 Business impact: security has real costs
According to the 2001 Computer Crime and Security Survey by the Computer Security Institute (CSI) and the FBI: quantified financial losses of at least $377M, or $2M per respondent in the study; 40% detected system penetration from outside, a 25% increase over 2000; 94% detected computer viruses, an 85% increase over 2000.
InformationWeek estimates: security breaches will cost businesses $1.4 trillion worldwide this year; 2/3 of companies have experienced viruses, worms or Trojan horses; 15% have experienced Denial of Service.
Source: Computer Security Institute (CSI) Computer Crime and Security Survey 2001. Source 2: InformationWeek.com, 10/15/01.

14 Is security important?
Presenter notes: The CSI/FBI survey is an annual survey done by CSI (Computer Security Institute) on behalf of the FBI. It’s partly a real security study (that’s why the FBI is involved), partly a shameless marketing stunt (that’s why CSI is involved). There are quite a large number of arguments why the statistics are not very representative, including how the questionees are chosen, the conflict of interest of CSI, which also sells security consulting and services (and thus is interested in seeing many security problems), the extremely sketchy information in the reports on the exact formulation of questions and how the results are presented, the way the results are interpreted, and more. However, it’s still about the best statistics on security that exist. The study in 2001 was based on 538 completed questionnaires across various U.S.-only industry sectors. There’s a quite heavy influence by high-tech and financial companies, with a total of 39% of the responses. The main objective of this and the next two slides is to argue that security is an important issue to tackle today, that the threat is indeed real, and that many companies out there are struggling with this. By committing to this workshop, the participants have already taken the first step to do something about it. In this slide, try asking the participants which types of attacks they’re most concerned with and which ones they’ve experienced (if they’re prepared to talk about this). A few highlights are how prevalent things like viruses and laptop theft are. Insider abuse of net access is probably mainly concerned with internal users browsing unauthorized Web sites like porn or hate sites, which depending on your point of view may be as much an HR as a security issue. Also notice that fully 40% of all respondents have experienced outsiders getting access to internal systems within the last year. Less surprising, but as big a security problem, is that almost half of all companies have experienced internal employees getting access to resources (data, services) that they shouldn’t have (some of that could have been e.g. HR information).

15 Is security important?
Presenter notes: To put an end to the myth: it is not the case that 80% of security breaches are created by insiders and 20% by outsiders. However, as can be seen in the slide, most companies estimate that insiders (disgruntled employees) are about as likely a source of an attack as an external hacker. On top of this come the other external threats like governments and competitors. This is the first year where external hackers actually scored higher than disgruntled employees, but both are still very significant. Are the participants worried about particular sources of attack on their resources?

16 Is the problem real? Growth of hostile activity
Presenter notes: we do not want to be arrogant about this. While we are not the best at Internet security, we think all vendors have flaws and we are mobilizing to take leadership and address ours. Focus on the fact that even though this was non-published, it was quickly a target for many hackers. The fact that it was Linux that was broken into should not be stressed; this was (as said) an out-of-the-box installation with no patches applied for known vulnerabilities. Notice that this and a number of the following slides really talk about scenarios that are Internet-focused, which is not the focus of this service offering. However, good security includes “defense in depth”, which means that protection should not only be done at the perimeter but also at the possible internal security checkpoints. This workshop does focus on how to make life much harder for a hacker or internal employee to breach security if they have already gained access to the LAN (e.g. by hacking in through the access points). This issue is addressed in a later slide in this section, but be aware of this if a participant raises the issue before getting to “Defense in Depth”.
*Up to 2001 Q1-Q3. All information obtained from

17 Why security is not implemented
Security Magazine, July 2001. Reason no. 1: budget. The remaining reasons are generally administrative and planning-related.
Presenter notes: Topics that must also be addressed in this workshop. What are this customer's blockers; what must they solve to improve security? Notice that the issues are really about planning and execution of security, with a total of 37%. Also, lack of commitment and of supplying the necessary resources is behind issues 1, 2 and 6, with a total of 51%. By committing to the workshop and participating, the attendees (customer) are clearly making an effort to make sure that this won’t be the primary problem in their security project. They should be commended for this.

18 Infrastructure assets to protect
Data: commercial or financial information, marketing plans, source code, salary information.
Communication: user logins, transactions, information exchange, service delivery.
Services: Web sites, Internet access, domain controllers, ERPs, CRMs.
Presenter notes: This illustrates the assets from the previous model that we want to protect when viewing security from an infrastructure perspective. Obviously the listed data / services / communication are only examples. Make sure to talk about some examples of these three types of assets. It can easily be argued that communication is really just data in transit and thus part of the data asset; however, the type of attacks and the means of protection are different for the two assets, so this separation is kept to aid thinking of how to defend against attacks. For the most part, this workshop focuses on Data and Communication assets, because the Services assets are much more tied to specific applications / solutions, and are thus scenario-based. Some common Services assets are addressed in other security service offerings. However, we will talk about domain controllers specifically in this workshop, as they’re a core part of the infrastructure. Some Services are outside the scope of a Microsoft-initiated workshop, e.g. ERP systems (well, actually, with the acquisition of Great Plains it’s not anymore, but then think of e.g. a CRM system).

19 What are the vulnerabilities?
Gaps in the protective barrier:
Technology: products lack security capabilities; products have bugs. Many vulnerabilities are not caused by technical problems.
Planning, procedures and processes: security-oriented design; roles and responsibilities; auditing, analysis and follow-up; disaster-recovery plans; keeping up with advances in security technology.
The human factor: lack of knowledge; lack of commitment; human error.
Presenter notes: Ask participants which of these they think is the primary factor in most successful attacks. There’s a tendency to think that technology will solve all security issues, but often policies and procedures (processes) and the human factor (people) are overlooked, and that’s where most gaps are.

20 Protection-oriented framework
Motives: economic gain, inflicting damage, personal motives. Framework: prevention, detection, reaction. Vulnerabilities: technology; planning, procedures and processes; the human factor. Assets: data, services, communication.
Presenter notes: Protection from security breaches is the process of protecting the assets, which are (illustrated with the center bubbles in the slide): Data, Services, Communication. As mentioned in a previous slide (“What are the Vulnerabilities”), the vulnerabilities are those factors that make it possible for a threat + motive + tool to successfully attack the assets. The vulnerabilities are (illustrated as holes in the wall around the assets): Technology; Planning, policies and procedures; The human factor. As shown in an earlier slide (“What are the Motives”), possible attacks can be motivated by (illustrated with flashing lightning in the slide): Economic gain; Inflict damage; Personal motives. To prevent the lightning from penetrating through the holes in your wall around the assets (put figuratively), you need a framework for how to plan your security. This framework is (illustrated with arrows closing the holes in the wall by adding a “protective layer”): Prevention; Detection; Reaction. Explain all three animated steps in the slide, instead of just showing the whole slide initially. To keep the complexity down, the framework doesn’t include Threats and Tools as part of the illustration, but they obviously also play a role when designing the protective measures of prevention, detection and reaction. Prevention, detection and reaction is the model for protecting against attacks that is preached by a number of security specialists, especially Bruce Schneier.

21 How to confront attacks
Build a chart for each asset; plan for each risk or potential attack; produce prevention, detection and reaction plans; ensure continuous improvement of security over time.
Presenter notes: Stress that it’s important to have both a proactive and a reactive strategy. Contingency plans are not the same thing as being reactive. Explain the steps in the model. Prevention corresponds to the proactive strategy, while detection and reaction are the reactive strategy. The feedback loop is made from the review / adjust steps in the security strategy.

22 The 7 steps to implement a security process
1. Establish a security team or organization. 2. Conduct an assessment of the current infrastructure, processes and technologies. 3. Develop the organization's security policies. 4. Perform a risk analysis of the assets. 5. Design and implement security standards. 6. Implement staff education and awareness. 7. Run a continuous security-management process.
Presenter notes: These seven steps are drilled into much further in the workshop, with steps 2 and 4 in the module “Customer Situation Analysis” and the other steps in the module “Implementing Continuous Security Protection”. All of the technical training in the modules “Security Technologies” and “Experiencing Technologies” can be considered part of the training for the security people themselves, which is part of step 6. Describe the steps briefly at a high level, but don’t go into too much detail, as they will be covered in later modules. However, make sure to tell participants that we will cover all seven steps during this workshop.

23 The security framework requires:
Processes: security planning; prevention; detection; reaction.
Technology: base technology (standards, encryption, protection); product capabilities; security tools and products.
People: dedicated staff; training; security, where the change of mindset is the priority; external people.

24 Technologies

25 Technologies
Active Directory; Supported standards; Authentication architecture of the Microsoft platform; Kerberos; Biometrics

26 Windows 2000 Active Directory
Active Directory, a focal point for manageability, security and interoperability, holds:
Windows users: account info, privileges, profiles, policy
Windows clients: management profile, network info, policy
Windows servers: management profile, network info, services, printers, file shares, policy
Applications: server config, single sign-on, app-specific directory info, policy
Network devices: configuration, QoS policy, security policy
Internet firewall services: security policy, VPN policy
Other directories: white pages, e-commerce
Other NOS: user registry, security
Servers: mailbox info, address book

27 Standards supported by the 2000 platform
FIPS 140-1 Level 1 crypto module certification; DSS, RSA; Web, , and certificate services; S/MIME v3; DMS C2/E3*; Fortezza Web services (Spyrus CSP, Litronic reader); ITU X.509; RSA PKCS; IETF PKIX; SSL/TLS; S/MIME; PC/SC; MIT v5 Kerberos; Services for UNIX password synchronization; Host Integration Server 2000

28 Authentication architecture
Applications: Internet Explorer, Internet Information Server; directory-enabled apps using ADSI; Mail, Chat, News; remote file access; DCOM applications.
Protocols: HTTP, LDAP, POP3/NNTP, CIFS/SMB, Secure RPC.
SSPI security providers: NTLM, Kerberos, SChannel (SSL/TLS), DPA.
Authentication back ends: MSV1_0/SAM, KDC/DS, Membership services.

29 Basic Kerberos
Components: client machine; Domain Controller (Active Directory, KDC); Windows 2000 Server(s) hosting applications, files and devices protected by an ACL.
1. The client authenticates to the Domain Controller (authentication).
2. The ticket server grants ticket(s) to the client.
3. The client requests a resource and presents a ticket (authorization).
4. The resource server verifies the ticket, compares it to the Access Control List (ACL) on the resource, and grants or denies access.

30 Windows 2000 Kerberos: performance improvements
Windows NT 4.0 (Client, File Server, Domain Controller): 1. Request; 2. Challenge; 3. Response; 4. and 5. the file server validates the response through the Domain Controller and impersonates the client; 6. Resource.
Presenter notes: This slide shows the challenge/response architecture used in NT4. Notice the number of trips and the need to communicate with the Domain Controller for all resource requests.

31 Windows 2000 Kerberos: improved network performance
Client, File Server, Domain Controller: one ticket, N requests, N resources.
In Windows 2000, Kerberos tickets are used to authenticate users on the network. These tickets contain identity (authentication) data as well as authorization data. Because the ticket contains full authorization data, the Domain Controller issues the initial Kerberos resource ticket to the client, which can then be used for subsequent resource requests without communicating with the Domain Controller. This reduces the “chattiness” of the authorization architecture, eliminates a common Domain Controller bottleneck and improves network performance overall.
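The ticket flow of slides 29 and 31, and the authentication/authorization split of slide 5, as an added Python model that is not code from the presentation or from Windows: the KDC authenticates the client once and issues a service ticket carrying the client's group membership; the file server then checks every request against that ticket and its own ACL without contacting the domain controller. Real Kerberos encrypts the ticket with the service's long-term key; this model seals it with an HMAC under that key, which is enough to show who trusts what. The keys, the account database, the share names and the ACL entries are constructed for the example.

```python
"""Kerberos-style service tickets: authenticate once, authorize locally N times.
Added example; the KDC, accounts, shares and keys below are constructed samples."""
import hashlib
import hmac
import json
import time

# Constructed: long-term key shared between the KDC and the file service.
SERVICE_KEYS = {"cifs/fileserver": b"constructed-file-server-long-term-key"}
# Constructed: account database held by the domain controller.
ACCOUNTS = {"alice": {"password": "constructed-pw", "groups": ["Domain Users", "Finance"]}}


class KDC:
    """Domain controller: authenticates principals and issues sealed service tickets."""

    def __init__(self, keys, accounts):
        self.keys = keys
        self.accounts = accounts
        self.contacts = 0  # how many times clients had to talk to the DC

    def issue_ticket(self, user, password, service, ttl=8 * 3600):
        self.contacts += 1
        account = self.accounts.get(user)
        if account is None or not hmac.compare_digest(account["password"], password):
            raise PermissionError("authentication failed")
        # Authorization data (groups) travels inside the ticket, as on slide 31.
        claims = {"principal": user, "service": service,
                  "groups": account["groups"], "exp": time.time() + ttl}
        body = json.dumps(claims, sort_keys=True).encode()
        tag = hmac.new(self.keys[service], body, hashlib.sha256).hexdigest()
        return body.hex() + "." + tag


class FileServer:
    """Resource server: verifies tickets with its own key and consults its ACL."""

    def __init__(self, service, key, acl):
        self.service = service
        self.key = key
        self.acl = acl  # resource -> set of principals or groups allowed

    def verify_ticket(self, ticket):
        """Return the claims if the ticket is genuine, unexpired and for this service."""
        try:
            body_hex, tag = ticket.split(".")
            body = bytes.fromhex(body_hex)
        except ValueError:
            return None
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None  # forged or tampered ticket
        claims = json.loads(body)
        if claims["service"] != self.service or claims["exp"] < time.time():
            return None  # wrong service or expired
        return claims

    def access(self, ticket, resource):
        """Step 4 of slide 29: verify the ticket, compare with the ACL, grant or deny."""
        claims = self.verify_ticket(ticket)
        if claims is None:
            return "denied: invalid ticket"
        allowed = self.acl.get(resource, set())
        identities = {claims["principal"], *claims["groups"]}
        return "granted" if identities & allowed else "denied: not in ACL"


def demo():
    """Alice gets one ticket, then makes three resource requests and one forgery attempt."""
    kdc = KDC(SERVICE_KEYS, ACCOUNTS)
    acl = {r"\\fs\public\readme.txt": {"Domain Users"},
           r"\\fs\hr\salaries.xlsx": {"HR"},
           r"\\fs\finance\budget.xlsx": {"Finance"}}
    fs = FileServer("cifs/fileserver", SERVICE_KEYS["cifs/fileserver"], acl)
    ticket = kdc.issue_ticket("alice", "constructed-pw", "cifs/fileserver")
    results = [fs.access(ticket, resource) for resource in acl]  # insertion order
    # A client that rewrites its own ticket to claim the HR group breaks the seal.
    body, tag = ticket.split(".")
    forged = json.dumps({**json.loads(bytes.fromhex(body)), "groups": ["HR"]},
                        sort_keys=True).encode().hex()
    tampered = fs.access(forged + "." + tag, r"\\fs\hr\salaries.xlsx")
    return {"results": results, "dc_contacts": kdc.contacts, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

The `dc_contacts` counter is the point of slide 31: three resource requests cost one round trip to the domain controller, where the NT4 challenge/response flow on slide 30 would have needed one per request. The forgery case shows why the authorization data can be trusted only because the ticket is sealed with a key the client never holds.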

32 Smart Card Logon
Components: SC reader, LSA, Kerberos, KDC.
1. Card insertion causes Winlogon to display the GINA.
2. The user inputs the PIN.
3. The GINA passes the PIN to the LSA.
4. The LSA accesses the smart card and retrieves the certificate from the card.
5. Kerberos sends the certificate in a PKINIT login request to the KDC.
6. The KDC verifies the certificate, then looks up the principal in the DS.
7. The KDC returns a TGT encrypted with a session key, which is in turn encrypted using the user’s public key.
8. The smart card decrypts the TGT using the private key, allowing the LSA to log the user on.
Additional information: private key and certificate are on the card; public-key domain authentication.
Presenter notes: Talk to the slide at each build point.

33 Microsoft Operations Manager
Provides a single, centralized point of management; manages services and applications both reactively and proactively; scales both technically and organizationally; removes the need to administer the management system.
(Diagram: Operations Manager at the center, fed by Windows 2000 events, Windows NT events, application events, WMI events, performance thresholds, capacity planning data, UNIX syslogs and SNMP traps.)

34 MOM: architecture and configuration
MOM agents with per-product management packs: collect and analyze events, performance and configuration; correlate events; respond automatically to errors.
Consolidator agent: distributes management packs; dynamically configures, manages, obtains information and takes actions; central event correlation; automatic response to errors.
Database access server: receives data from the consolidator; provides data to the consolidator.
Database: events and alerts; management packs; policies; performance and capacity; views; reports; problem-resolution workflows.
KEY MESSAGE: Active Agent technology is really several elements working together in an Operations Manager deployment to automate management system tasks, to significantly reduce or eliminate altogether the need to manage the management system.
SLIDE BUILDS: 7
SLIDE SCRIPT: Active Agent technology is really several elements working together in an Operations Manager deployment to automate management system tasks, to significantly reduce or eliminate altogether the need to manage the management system.
[BUILD 1] First, the agents. Agents do the work at the PCs that are managed. They collect and analyze event, performance, and configuration data at the source. They perform event correlation, analyzing the rules for the Operations Manager deployment and responding when events occur that meet criteria set forth in the rules.
[BUILD 2] The agents are controlled by the consolidator/agent manager. The consolidator and agent manager are two elements that work closely together. The agent manager does just that: it manages agents. It scans computers and determines if they fall in the scope of PCs that should be managed. If they do, the agent manager will install an agent. It can do this automatically, or simply queue up pending installations that have to be approved. It also uninstalls agents when PCs fall outside the scope of management. The agents talk to the consolidator. The consolidator collects all of the information the agents gather and sends it to the Database Access Server, or DAS.
[BUILD 3] The Data Access Server manages the flow of information to and from the database. So it puts collected information in the database, but it also allows you to view collected information through the MOM Administrator Console or Web Console.
[BUILD 4] The data is stored in an Access database, or on a SQL Server. All the MOM configuration is stored in the database: events and alerts, management pack information, policies, rules, collected data, views, reports, and resolution workflows (notes about how to solve a problem). Access is a little less expensive option than SQL, but SQL Server is a better performer. If your Operations Manager database is going to exceed 2 GB you have to use SQL Server.
[BUILD 5] With rules in place and scans occurring at regular intervals, administrators don’t need to manage the management system. As PCs come online that meet the criteria for PCs that are supposed to be managed, scans will detect them, agent managers will install agents, information will be collected at the consolidators and sent to the data access server to be stored in the database.
[BUILD 6] As your organization scales or expands, you can deploy new Operations Manager elements, such as new consolidators, agent managers, data access servers and database servers, as required for more granular control, to address different rule sets, or for redundancy.
[BUILD 7] You can even create separate security partitions, basically by having multiple MOM deployments that use different service accounts. This allows you to design a configuration group that includes agents from many different domains, without having a single service account that has privileges in all domains.
SLIDE TRANSITION: So what do all of these things do?
ADDITIONAL INFORMATION FOR PRESENTER: MOM User Guide (pages 19-27).
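The agent-side event correlation described in BUILD 1 (agents evaluate rules against collected events and respond when events meet the rule criteria), as an added Python example that is not MOM code. A threshold rule counts matching events per key inside a sliding time window and raises one alert when the count is reached; the sample records are constructed Windows-style security-log lines, and the 529 / 528 event IDs used in them are the Windows 2000 logon-failure and successful-logon events. The log format, rule names and host names are assumptions for the example.

```python
"""Threshold-based event correlation over a sliding window (added example, not MOM code).
Sample log lines are constructed: "<seconds> <host> <event_id> key=value ..."."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Event:
    timestamp: int        # seconds since an arbitrary epoch
    source: str           # host that produced the event
    event_id: int         # e.g. 529 = logon failure, 528 = successful logon (Windows 2000)
    fields: dict


@dataclass
class ThresholdRule:
    """Alert when `count` events with `event_id` share the same `group_by` value within `window` s."""
    name: str
    event_id: int
    group_by: str
    count: int
    window: int
    _seen: dict = field(default_factory=dict)  # group value -> deque of timestamps

    def evaluate(self, event):
        if event.event_id != self.event_id:
            return None
        key = event.fields.get(self.group_by)
        stamps = self._seen.setdefault(key, deque())
        stamps.append(event.timestamp)
        # Drop timestamps that have fallen out of the window.
        while stamps and event.timestamp - stamps[0] > self.window:
            stamps.popleft()
        if len(stamps) >= self.count:
            stamps.clear()  # one alert per burst, then start counting again
            return (f"{self.name}: {self.count} x event {self.event_id} for "
                    f"{self.group_by}={key} within {self.window}s on {event.source}")
        return None


class Agent:
    """Evaluates every incoming event against every rule and records the alerts."""

    def __init__(self, rules):
        self.rules = rules
        self.alerts = []

    def process(self, events):
        for event in events:
            for rule in self.rules:
                alert = rule.evaluate(event)
                if alert:
                    self.alerts.append(alert)
        return self.alerts


def parse_line(line):
    """Parse one constructed log line into an Event."""
    ts, host, event_id, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return Event(int(ts), host, int(event_id), fields)


# Constructed sample: bob fails five times within 55 s, carol fails once then succeeds.
SAMPLE_LOG = """\
100 FS01 529 user=bob src=10.0.0.5
110 FS01 529 user=bob src=10.0.0.5
120 FS01 529 user=carol src=10.0.0.9
125 FS01 529 user=bob src=10.0.0.5
140 FS01 529 user=bob src=10.0.0.5
150 FS01 528 user=carol src=10.0.0.9
155 FS01 529 user=bob src=10.0.0.5
400 FS01 529 user=bob src=10.0.0.5
"""


def run_sample():
    """Run the sample log through one rule: 5 logon failures per user within 60 s."""
    rule = ThresholdRule("Possible password guessing", event_id=529,
                         group_by="user", count=5, window=60)
    agent = Agent([rule])
    return agent.process(parse_line(l) for l in SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The rule keeps only the timestamps inside the window, so a burst of failures at 100-155 s produces exactly one alert, while the lone failure at 400 s starts a fresh count and the successful logon (528) never matches. Group-by on the user field is what lets a single rule cover every account without one rule per user.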

35 ISA Server: securing the network perimeter
Content review: allow the packet? If it carries an attachment that is not permitted: No. Otherwise: Yes.
(Diagram: Internet packets and Internet messages pass through the ISA Server firewall array before reaching Exchange 2000, BizTalk Server and IIS (Web server).)
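The “allow the packet? attachment not permitted: no” decision on this slide, as an added Python example that is not ISA Server code. A perimeter filter parses an inbound message, walks its attachments and denies the whole message if any attachment carries a blocked executable or script extension (checking every suffix, so a disguised double extension like `photo.jpg.vbs` is caught too) or declares an executable content type. The block list, the sender and recipient addresses and the three sample messages are constructed for the example.

```python
"""Attachment inspection at the perimeter (added example, not ISA Server code).
Sample messages are constructed with the standard library's email package."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions that would execute if a recipient opened the file (constructed policy).
BLOCKED_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".wsf"}
# Declared content types that mean "program", whatever the file is called.
BLOCKED_CONTENT_TYPES = {"application/x-msdownload", "application/x-msdos-program", "application/hta"}


def inspect_attachment(filename, content_type):
    """Return (decision, reason) for a single attachment."""
    name = (filename or "").strip().lower()
    if not name:
        return "deny", "attachment without a file name"
    # Look at every suffix, not just the last one, so "photo.jpg.vbs" is caught.
    for ext in ("." + piece for piece in name.split(".")[1:]):
        if ext in BLOCKED_EXTENSIONS:
            return "deny", f"attachment '{filename}' has blocked extension {ext}"
    if content_type.lower() in BLOCKED_CONTENT_TYPES:
        return "deny", f"attachment '{filename}' declares executable type {content_type}"
    return "allow", ""


def inspect_message(raw):
    """Return (decision, reason) for a raw message; one bad attachment denies the whole message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    for part in msg.iter_attachments():
        decision, reason = inspect_attachment(part.get_filename(), part.get_content_type())
        if decision == "deny":
            return decision, reason
    return "allow", "no blocked attachments"


def build_message(attachments):
    """Constructed sample: a short message carrying (filename, maintype, subtype, data) parts."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    for filename, maintype, subtype, data in attachments:
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


# Three constructed inbound messages: clean, double extension, mislabeled executable.
CLEAN = build_message([("report.pdf", "application", "pdf", b"%PDF-1.4 constructed")])
DOUBLE_EXT = build_message([("photo.jpg.vbs", "application", "octet-stream", b"constructed")])
MISLABELED = build_message([("setup.dat", "application", "x-msdownload", b"MZ constructed")])


if __name__ == "__main__":
    for label, raw in (("clean", CLEAN), ("double-ext", DOUBLE_EXT), ("mislabeled", MISLABELED)):
        print(label, inspect_message(raw))
```

Checking both the file name and the declared content type matters because either one alone is under the sender's control; a real perimeter filter would add a third signal, the file's actual bytes (magic number), which this example leaves out.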

36 Example: protected network

37 Designing a secure network

38 Questions? Thank you!

39 Advanced ISA Server 2000 workshop
Secure your enterprise network with Microsoft Consulting Services best practices. Microsoft offers an advanced workshop that reviews best practices and field experience, both theoretical and practical. Duration: 12 hours (theory: 8 hours; practice: 4 hours). Dates: May 17, 20 and 21, from 6:00 PM to 10:00 PM. Contact: Arturo Valencia x 5669.

