Theoretical aspects
- Basic principles
- A bit of history
- Related costs
The security challenge
- The right access, to the right content, by the right people
- Provide diverse services: Web access, files, messaging, databases, the business chain, among others
- While protecting the assets: financial information, processing, network resources, intellectual property, customer satisfaction

Business requirements:
- Intellectual properties must be secure
- Employees must have rapid access to information
- Distributed environments must be managed using consistent policy
- The environment must be based on open standards

All computing information environments are different, and therefore all organizations must develop their own strategies, goals, and plans for deploying ISA Server. The following are some of the most critical business considerations at Microsoft, which ITG took into consideration when formulating its strategy, goals, and plans to deploy ISA Server internally:

Customer needs must be met. Microsoft is committed to developing solutions that satisfy customer needs. One such need is a reliable and scalable solution that will enable businesses to communicate with customers and partners using the Internet. To stand behind this commitment, Microsoft developed ISA Server and then kicked off an internal initiative to ensure that the product would be the most secure and scalable enterprise firewall and Web cache ever released. To assure that problems with the product were resolved before release, ITG and the product-development team created a tight feedback loop to communicate at every step in planning and deploying the beta release of ISA Server at Microsoft.

Intellectual properties must be secure. Microsoft’s intellectual properties are its greatest asset, and ITG must keep these assets secure. For this reason, ITG is extremely careful to avoid compromising the company’s security. Before the beta release of ISA Server was deployed in Microsoft’s production environment, a team of security analysts reviewed the planning documents and then deployed a small test infrastructure based on those plans to determine if the environment could be compromised with commonly used techniques. They found that it could not. They also found that it was sufficiently secure to deploy at the edge of the internal network, where it would communicate directly with servers on the Internet.

Employees must have rapid access to information. Information is of value only insofar as it can be used to support the day-to-day decision making of employees and executives. Information must be accessible to employees as quickly as they can process it to ensure that business is carried out at “the speed of thought.” Rapid access to information over the Internet and information shared on the intranet are crucial business requirements. The Internet has dramatically changed the way Microsoft employees do their everyday jobs. For example, information within the company is provided almost exclusively in electronic, HTML-based form. Most line-of-business applications used at Microsoft now leverage Internet Information Server (the Web server built into Windows 2000 Server), SQL Server 2000, and Internet Explorer 5.5. The widespread use of HTML-based content at Microsoft has made ISA Server an ideal solution for securing information and accelerating access to that information.

Distributed environments must be managed using consistent policy. Although most Microsoft employees work at or near corporate headquarters, others are distributed around the world. Employees in all areas of the company need secure and rapid access to the Web and shared information via the Internet regardless of where they work. Managing a geographically distributed environment must be quick and easy, and it is especially important that ITG be able to apply policy consistently to assure the internal environment is secure. Internet access points are available at many locations throughout Microsoft, allowing a geographically dispersed workforce to take advantage of them. As of this writing there are twenty-two such access points, all of which must be securely monitored and maintained while allowing employees secure and fast Internet access.

The environment must be based on open standards. The day-to-day management of Microsoft’s internal computing information environment is simplified thanks to the continual support of many third parties. ITG relies on the dedication and day-to-day support of many solution providers to reduce support costs, improve security, and make the internal environment easier to manage. As a best practice, the technical skills and support tools that are core competencies of third parties are viewed as cost-effective alternatives to internal development. For this reason it is vital that the environment be based on open standards so that third parties can extend the environment to satisfy changing business conditions.
Basic security principles
- Authentication: correctly identify the user or application that requests access
- Authorization: grant the identified user the correct access to the information
- Confidentiality: define which information the user or application may access and what rights it has over that information
Microsoft’s commitment to security
- A threat to every user and system in the market, at a stage of global expansion and of cost-reduction and confidentiality challenges
- Microsoft has a special obligation to help ensure the security of the Internet and of our customers’ data
- We at Microsoft are working to help our customers get secure and stay secure
Everything was simpler before… Mainframe
- Dumb terminals
- The “hibernadero” (the closed machine room)
- Physical security, limited connectivity
Everything was simpler before… Client-server
- LAN connectivity
- File and print services
- Limited external access
Everything was simpler before… Internet
- The Internet: “always on”, has no owner, multiple applications, the WWW
- The world became complex and difficult…
Attack profiles: common crime methods
Hostile code:
- Viruses
- Worms
- Trojan horses
- Denial of service
- Web page defacement
- Eavesdropping, interception (observing and intercepting information)
- Identity theft

Viruses: code that replicates itself (example: Melissa).
Worms: code that makes its way through existing code.
Trojan horses: from Greek mythology; code that is disguised and is executed or activated on a certain date or by a certain activity.
Denial of service: potentially overloading and locking up a system so that others cannot gain access; also, modification of access rights to prevent others from gaining access.
Web page defacement: replacing web pages or re-routing URLs.
Eavesdropping and interception: via wireless or wired networks, “listening” to the wire and capturing data as it is transmitted.
Identity theft: false credentials, using false IP addresses or authentication credentials/passwords.
And note that the punishment for the Anna Kournikova virus was only 50 days of community service.
Recent threats
- Nimda: a self-propagating virus that spreads through several mechanisms.
- Code Red: infected Web servers that provided administrative access.
- Scripting viruses: Outlook clients.
- Others: denial of service, defacement.
- Microsoft has the obligation to take a proactive approach to security.
Local cases
- Theft of information
- Failure of confidentiality
- Improper use of corporate information (messaging, documents, tacit knowledge)
- Alteration of information in mission-critical systems
- Among others
Business impact: security has real costs
According to the 2001 Computer Crime and Security Survey by the Computer Security Institute (CSI) and the FBI:
- Quantified financial losses of at least $377M, or $2M per respondent in the study
- 40% detected penetration of the system from outside; 25% growth over 2000
- 94% detected computer viruses; 85% growth over 2000
InformationWeek estimates:
- Security breaches will cost businesses $1.4 trillion worldwide this year
- 2/3 of companies have experienced viruses, worms or Trojan horses
- 15% have experienced denial of service
Source: Computer Security Institute (CSI) Computer Crime and Security Survey 2001
Source 2: InformationWeek.com, 10/15/01
Is security important?

The CSI/FBI survey is an annual survey done by CSI (Computer Security Institute) on behalf of the FBI. It is partly a real security study (that is why the FBI is involved), partly a shameless marketing stunt (that is why CSI is involved). There are quite a large number of arguments why the statistics are not very representative, including how the respondents are chosen, the conflict of interest of CSI, which also sells security consulting and services (and thus is interested in seeing many security problems), the extremely sketchy information in the reports on the exact formulation of questions and how the results are presented, the way the results are interpreted, and more. However, it is still about the best statistics on security there are.

The study in 2001 was based on 538 completed questionnaires across various U.S.-only industry sectors. There is a quite heavy influence by high-tech and financial companies, with a total of 39% of the responses.

The main objective of this and the next two slides is to argue that security is an important issue to tackle today, that the threat is indeed real, and that many companies out there are struggling with this. By committing to this workshop, the participants have already taken the first step to do something about it.

In this slide, try asking the participants which types of attacks they are most concerned with and which ones they have experienced (if they are prepared to talk about this). A few highlights are how prevalent things like viruses and laptop theft are. Insider abuse of net access is probably mainly concerned with internal users browsing unauthorized web sites like porn or hate sites, which depending on the point of view may be as much an HR issue as a security issue. Also notice that fully 40% of all respondents have experienced outsiders getting access to internal systems within the last year.

Less surprising, but as big a security problem, is that almost half of all companies have experienced internal employees getting access to resources (data, services) that they shouldn’t have (some of that could have been, e.g., HR information).
Is security important?

To put an end to the myth: 80% of security breaches are not created by insiders and 20% by outsiders. However, as can be seen in the slide, most companies estimate that insiders (disgruntled employees) are about as likely a source of an attack as an external hacker. On top of this come the other external threats, such as governments and competitors. This is the first year in which external hackers actually scored higher than disgruntled employees, but both are still very significant.

Are the participants worried about particular sources of attack on their resources?
Is the problem real? Growth in hostile activity

Note to presenter: we do not want to be arrogant about this. While we are not the best at Internet security, we think all vendors have flaws, and we are mobilizing to take leadership and address ours.

Focus on the fact that, even though this was not published, it quickly became a target for many hackers. The fact that it was Linux that was broken into should not be stressed; this was (as said) an out-of-the-box installation with no patches applied for known vulnerabilities.

Notice that this and a number of the following slides really talk about scenarios that are Internet focused, which is not the focus of this service offering. However, good security includes “defense in depth”, which means that protection should not only be done at the perimeter but also at the possible internal security checkpoints. This workshop does focus on how to make life much harder for a hacker or internal employee to breach security if they already have gained access to the LAN (e.g. by hacking in through the access points). This issue is addressed in a later slide in this section, but be aware of this if a participant raises the issue before getting to “Defense in Depth”.

* Through 2001 Q1-Q3. All information obtained from
Why security is not implemented (Security Magazine, July 2001)
- Reason no. 1: budget
- The remaining reasons are generally administrative and planning-related.

Topics that must also be addressed in this workshop: what are this customer’s blockers, and what must they solve to improve security?

Notice that the issues are really about planning and execution of security, with a total of 37%. Also, lack of commitment and of supplying the necessary resources is behind issues 1, 2 and 6, with a total of 51%. By committing to the workshop and participating, the attendees (customer) are clearly making an effort to make sure that this won’t be the primary problem in their security project. They should be commended for this.
Infrastructure assets to protect
Data:
- Commercial or financial information
- Marketing plans
- Source code
- Salary information
Communication:
- User logons
- Transactions
- Information exchange
- Sending of
Services:
- Web sites
- Internet access
- Domain controllers
- ERPs
- CRMs

This illustrates the assets from the previous model that we want to protect when viewing security from an infrastructure perspective. Obviously the listed data / services / communication are only examples. Make sure to talk about some examples of these three types of assets.

It can easily be argued that communication is really just data in transit and thus part of the data asset; however, the types of attack and the means of protection are different for the two assets, so this separation is kept to aid thinking about how to defend against attacks.

For the most part, this workshop focuses on data and communication assets, because the services assets are much more tied to specific applications / solutions, and are thus scenario based. Some common services assets are addressed in other security service offerings. However, we will talk about domain controllers specifically in this workshop, as they are a core part of the infrastructure. Some services are outside the scope of a Microsoft-initiated workshop, e.g. ERP systems (well, actually, with the acquisition of Great Plains they are not anymore, but then think of, e.g., a CRM system).
What are the vulnerabilities?
- Products lack security capabilities
- Products have bugs
- Many of the vulnerabilities are not caused by technical problems
Gaps in the protective barrier:
- Technology
- Planning, procedures and processes: security-oriented design; roles and responsibilities; auditing, analysis and follow-up; disaster recovery plans; keeping up to date with advances in security technology
- The human factor: lack of knowledge; lack of commitment; human error

Ask participants which of these they think is the primary factor in most successful attacks. There is a tendency to think that technology will solve all security issues, but often policies and procedures (processes) and the human factor (people) are overlooked, and that is where most of the gaps are.
Protection-oriented framework
- Motives: economic gain; inflict damage; personal motives
- Framework: prevention; detection; reaction
- Vulnerabilities: technology; planning, procedures and processes; the human factor
- Assets: data; services; communication

Protection from security breaches is the process of protecting the assets, which are (illustrated with the center bubbles in the slide): data, services, communication.

As mentioned in a previous slide (“What are the vulnerabilities”), the vulnerabilities are those factors that make it possible for a threat + motive + tool to successfully attack the assets. The vulnerabilities are (illustrated as holes in the wall around the assets): technology; planning, policies and procedures; the human factor.

As shown in an earlier slide (“What are the motives”), possible attacks can be motivated by (illustrated with flashing lightning in the slide): economic gain; inflicting damage; personal motives.

To prevent the lightning from penetrating through the holes in your wall around the assets (put figuratively), you need a framework for how to plan your security. This framework is (illustrated with arrows closing the holes in the wall by adding a “protective layer”): prevention; detection; reaction.

Explain all three animated steps in the slide, instead of just showing the whole slide initially. To keep the complexity down, the framework does not include threats and tools as part of the illustration, but they obviously also play a role when designing the protective measures of prevention, detection and reaction. Prevention, detection and reaction is the model to protect against attacks that is preached by a number of security specialists, especially Bruce Schneier.
How to face attacks
- Make a chart for each asset
- Plan for each risk or potential attack
- Generate prevention, detection and reaction plans
- Ensure the continuous improvement of security over time

Stress that it is important to have both a proactive and a reactive strategy. Contingency plans are not the same thing as being reactive.

Explain the steps in the model. Prevention corresponds to the proactive strategy, while detection and reaction are the reactive strategy. The feedback loop is made from the review / adjust steps in the security strategy.
The 7 steps to implement a security process
1. Establish a security team or organization
2. Conduct an assessment of the current infrastructure, processes and technologies
3. Develop the organization’s security policies
4. Perform a risk analysis of the assets
5. Design and implement security standards
6. Implement staff education and awareness
7. Run a continuous security management process

These seven steps are drilled into much further in the workshop, with steps 2 and 4 in the module “Customer Situation Analysis” and the other steps in the module “Implementing Continuous Security Protection”. All of the technical training in the modules “Security Technologies” and “Experiencing Technologies” can be considered part of the training for the security people themselves, which is part of step 6.

Describe the steps briefly at a high level, but don’t go into too much detail, as they will be covered in later modules. However, make sure to tell participants that we will cover all seven steps during this workshop.
The security framework requires:
- People: dedicated staff; training; security: the change of mindset is the priority; external people
- Processes: security planning; prevention; detection; reaction
- Technology: base technology (standards, encryption, protection); product capabilities; security tools and products
Standards supported by the 2000 platform
- FIPS 140-1: Level 1 crypto module certification; DSS, RSA; Web and certificate services
- S/MIME v3
- DMS C2/E3*, Fortezza: Web services; Spyrus CSP, Litronic reader
- ITU X.509
- RSA PKCS
- IETF: PKIX, SSL/TLS, S/MIME
- PC/SC
- MIT V5 Kerberos: Services for UNIX password synchronization; Host Integration Server 2000
Authentication architecture (layered diagram)
- Applications: Internet Explorer, Internet Information Server; directory-enabled apps using ADSI; mail, chat, news; remote file; DCOM application
- Protocols: HTTP; LDAP; POP3, NNTP; CIFS/SMB; Secure RPC
- SSPI
- Security packages: NTLM; Kerberos; SChannel (SSL/TLS); DPA
- Back ends: MSV1_0 / SAM; KDC / DS; Membership services
Basic Kerberos (diagram: client machine; Windows 2000 server(s) holding applications, files and devices protected by ACLs; domain controller running Active Directory and the KDC)
1. Client authenticates to the domain controller (authentication)
2. Server grants ticket(s) to the client
3. Client requests a resource and presents a ticket (authorization)
4. Resource server verifies the ticket, compares it to the Access Control List (ACL) on the resource and grants or denies access
Windows 2000 Kerberos: performance improvements
Windows NT 4.0 (diagram: client, file server, domain controller)
1. Request
2. Challenge
3. Response
4. (file server contacts the domain controller)
5. Impersonate
6. Resource

This slide shows the challenge/response architecture used in NT4. Notice the number of trips and the need to communicate with the domain controller for all resource requests.
Windows 2000 Kerberos: improved network performance (diagram: client, file server, domain controller; one ticket, N requests, N resources)

In Windows 2000, Kerberos tickets are used to authenticate users on the network. These tickets contain identity or authentication data as well as authorization data. Because the ticket contains full authorization data, the domain controller issues the initial Kerberos resource ticket to the client, which can then be used for subsequent resource requests (without communicating with the domain controller). This reduces the “chattiness” of the authorization architecture, eliminates a common domain controller bottleneck and improves network performance overall.
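The two slides above (the basic ticket flow and the NT4-versus-Kerberos comparison) can be followed in a small simulation. The code below is an added example, not the deck's or Microsoft's code: the KDC issues a ticket that carries identity plus authorization data, the resource server verifies it with its own key without contacting the domain controller, and then checks the resource ACL. Ticket encryption is replaced by an HMAC seal so that only the standard library is needed (real Kerberos encrypts the ticket with the service's long-term key and also carries a session key); all keys, accounts, share names and ACLs are constructed sample data, and the `round_trips` counter is the assumed way of showing that N requests cost one domain-controller contact.

```python
"""Toy model of the Kerberos ticket flow from the slides (added example)."""
import hashlib
import hmac
import json
import time


def seal(body, key):
    """Seal a ticket body so that only a holder of `key` can verify it.
    Simplification: an HMAC tag instead of encryption, contents stay readable."""
    raw = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, raw, hashlib.sha256).hexdigest()
    return {"body": raw, "tag": tag}


def open_ticket(ticket, key):
    """Verify a ticket with the service's own key; the KDC is not contacted.
    Returns the ticket body, or None if the tag or the lifetime check fails."""
    expected = hmac.new(key, ticket["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ticket["tag"]):
        return None
    body = json.loads(ticket["body"])
    if body["expires"] < int(time.time()):
        return None
    return body


class KDC:
    """Domain controller side: authenticates the user and issues tickets that
    carry identity plus authorization data (the group list)."""

    def __init__(self, users, service_keys):
        self.users = users                # principal -> password (constructed)
        self.service_keys = service_keys  # service principal -> long-term key
        self.round_trips = 0              # how often the DC was contacted

    def issue_ticket(self, principal, password, service, groups, lifetime=600):
        self.round_trips += 1
        if self.users.get(principal) != password:
            raise PermissionError("authentication failed")
        body = {"principal": principal, "service": service,
                "groups": sorted(groups),
                "expires": int(time.time()) + lifetime}
        return seal(body, self.service_keys[service])


class ResourceServer:
    """Windows 2000 server holding resources with ACLs (step 4 of the slide)."""

    def __init__(self, service, key, acl):
        self.service = service
        self.key = key
        self.acl = acl  # resource -> set of principals or groups allowed

    def access(self, resource, ticket):
        body = open_ticket(ticket, self.key)
        if body is None or body["service"] != self.service:
            return False  # forged, tampered, expired or meant for another service
        identities = {body["principal"], *body["groups"]}
        return bool(self.acl.get(resource, set()) & identities)


def demo(n_requests=10):
    """One ticket, n_requests resource requests; returns what happened."""
    service = "cifs/fileserver"                       # constructed names
    keys = {service: b"constructed-fileserver-key"}
    public, payroll = "\\\\fileserver\\public", "\\\\fileserver\\payroll"
    kdc = KDC({"alice": "correct horse"}, keys)
    server = ResourceServer(service, keys[service],
                            {public: {"Domain Users"}, payroll: {"HR"}})
    ticket = kdc.issue_ticket("alice", "correct horse", service, ["Domain Users"])
    results = {
        "public_granted": sum(server.access(public, ticket) for _ in range(n_requests)),
        "payroll_granted": server.access(payroll, ticket),   # not in HR
        "dc_round_trips": kdc.round_trips,                   # stays 1 for any N
    }
    # A ticket sealed without the service key fails verification even though
    # it claims HR membership: the authorization data is only trusted because
    # the seal proves the KDC produced it.
    forged = seal({"principal": "alice", "service": service, "groups": ["HR"],
                   "expires": int(time.time()) + 600}, b"wrong-key")
    results["forged_granted"] = server.access(payroll, forged)
    return results


if __name__ == "__main__":
    print(demo())
```

The point the NT4 slide makes shows up in `dc_round_trips`: in this model the domain controller is contacted once per ticket, whereas the NT4 pass-through design needs a domain-controller exchange for every request. The forged-ticket case is why the ACL comparison alone is not enough; the server must first verify that the ticket came from the KDC.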
Smart card logon (components: Winlogon / GINA, LSA, Kerberos SSP, KDC, smart card reader)
1. Card insertion causes Winlogon to display the GINA
2. User inputs the PIN
3. GINA passes the PIN to the LSA
4. LSA accesses the smart card and retrieves the certificate from the card
5. Kerberos sends the certificate in a PKINIT login request to the KDC
6. KDC verifies the certificate, then looks up the principal in the DS
7. KDC returns the TGT, encrypted with a session key which is in turn encrypted using the user’s public key
8. Smart card decrypts the TGT using the private key, allowing the LSA to log the user on

Talk to the slide at each build point.

Additional information:
- Private key and certificate on the card
- Public key domain authentication
Microsoft Operations Manager
- Provides a single, centralized point of management
- Provides management of services and applications both reactively and proactively
- Scales both technologically and organizationally
- Eliminates the need to administer the management system

[Figure: Operations Manager collecting Windows NT events, UNIX syslogs, SNMP traps, application events, performance thresholds and capacity-planning data]
MOM: architecture and configuration
- MOM agents: management packs per product; collect and analyze events, performance and configuration; event correlation, automatic response to errors
- Consolidator agent: distributes management packs; dynamically configures, manages, obtains information and performs actions; central event correlation, automatic response to errors
- Database access server: ingests data from the consolidator; provides data to the consolidator
- Database: events and alerts; management packs; policies; performance and capacity; views; reports; problem-resolution workflows

KEY MESSAGE: Active Agent technology is really several elements working together in an Operations Manager deployment to automate management system tasks to significantly reduce, or eliminate altogether, the need to manage the management system.

SLIDE BUILDS: 7

SLIDE SCRIPT:

[BUILD 1] First, the agents. Agents do the work at the PCs that are managed. They collect and analyze event, performance, and configuration data at the source. They perform event correlation, analyzing the rules for the Operations Manager deployment and responding when events occur that meet criteria set forth in the rules.

[BUILD 2] The agents are controlled by the consolidator/agent manager. The consolidator and agent manager are two elements that work closely together. The agent manager does just that: it manages agents. It scans computers and determines if they fall in the scope of PCs that should be managed. If they do, the agent manager will install an agent. It can do this automatically, or simply queue up pending installations that have to be approved. It also uninstalls agents when PCs fall outside the scope of management. The agents talk to the consolidator. The consolidator collects all of the information the agents gather and sends it to the Database Access Server, or DAS.

[BUILD 3] The Data Access Server manages the flow of information to and from the database. So it puts collected information in the database, but it also allows you to view collected information through the MOM Administrator Console or Web Console.

[BUILD 4] The data is stored in an Access database or on a SQL Server. All the MOM configuration is stored in the database: events and alerts, management pack information, policies, rules, collected data, views, reports, and resolution workflows (notes about how to solve a problem). Access is a little less expensive an option than SQL, but SQL Server is a better performer. If your Operations Manager database is going to exceed 2 GB you have to use SQL Server.

[BUILD 5] With rules in place and scans occurring at regular intervals, administrators don’t need to manage the management system. As PCs come online that meet the criteria for PCs that are supposed to be managed, scans will detect them, agent managers will install agents, information will be collected at the consolidators and sent to the data access server to be stored in the database.

[BUILD 6] As your organization scales, or expands, you can deploy new Operations Manager elements, such as new consolidators, agent managers, data access servers and database servers, as required for more granular control, or to address different rule sets, or for redundancy.

[BUILD 7] You can even create separate security partitions, basically by having multiple MOM deployments that use different service accounts. This allows you to design a configuration group that includes agents from many different domains without having a single service account that has privileges in all domains.

SLIDE TRANSITION: So what do all of these things do?

ADDITIONAL INFORMATION FOR PRESENTER: MOM User Guide (pages 19-27)
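The agent-side work described in BUILD 1 (collect events at the source, evaluate rules, correlate, respond when criteria are met) is easiest to see on concrete input. The following is an added example, not Microsoft's rule engine or MOM's event format: a threshold rule that raises one alert when five failed logons from the same source fall within sixty seconds, and suppresses duplicate alerts for that source until the window has passed. The event lines are constructed; event ids 529 (logon failure) and 528 (successful logon) follow the Windows NT/2000 security log numbering, and the line layout is an assumption of this example.

```python
"""Threshold/correlation rule over constructed security events (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: "date time event_id source_address user".
SAMPLE_EVENTS = """\
2001-10-15 09:00:01 529 10.0.0.5 alice
2001-10-15 09:00:03 529 10.0.0.5 alice
2001-10-15 09:00:04 529 10.0.0.5 alice
2001-10-15 09:00:06 529 10.0.0.5 alice
2001-10-15 09:00:07 529 10.0.0.5 alice
2001-10-15 09:00:09 528 10.0.0.5 alice
2001-10-15 09:05:00 529 10.0.0.9 bob
2001-10-15 09:30:00 529 10.0.0.9 bob
this line is not an event and is skipped
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (\S+) (\S+)$")


def parse_event(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"time": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            "id": int(m.group(2)), "source": m.group(3), "user": m.group(4)}


class ThresholdRule:
    """Fire when `count` events with `event_id` share the same `key` field
    within `window_seconds`; further hits for that key are suppressed until
    the window has passed (alert consolidation)."""

    def __init__(self, name, event_id, count, window_seconds, key="source"):
        self.name = name
        self.event_id = event_id
        self.count = count
        self.window = timedelta(seconds=window_seconds)
        self.key = key
        self.recent = defaultdict(deque)   # key -> timestamps inside the window
        self.suppressed_until = {}         # key -> time until which no new alert

    def evaluate(self, ev):
        if ev["id"] != self.event_id:
            return None
        k = ev[self.key]
        q = self.recent[k]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > self.window:   # drop old timestamps
            q.popleft()
        if len(q) < self.count:
            return None
        until = self.suppressed_until.get(k)
        if until is not None and ev["time"] < until:
            return None                                 # already alerted
        self.suppressed_until[k] = ev["time"] + self.window
        q.clear()
        return {"rule": self.name, "key": k, "time": ev["time"], "events": self.count}


def run_rules(text, rules):
    """Feed every event line through every rule; return the alerts raised."""
    alerts = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        for rule in rules:
            alert = rule.evaluate(ev)
            if alert is not None:
                alerts.append(alert)
    return alerts


def demo():
    rule = ThresholdRule("repeated logon failures", 529, 5, 60, key="source")
    return run_rules(SAMPLE_EVENTS, [rule])


if __name__ == "__main__":
    for a in demo():
        print(a)
```

On the sample, only the 10.0.0.5 burst fires; bob's two failures are 25 minutes apart and never reach the threshold, which is the difference between raw event forwarding and correlation at the agent.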
ISA Server: securing the network barrier (diagram: Internet packets and messages pass through the ISA Server firewall array on their way to Exchange 2000, BizTalk Server and IIS (Web server))
Content inspection: allow the packet?
- No: attachment not allowed
- Yes: the packet is passed on
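The “allow the packet?” decision in the diagram, applied to a message's attachments, can be written as a small policy check. The code below is an added example, not ISA Server's filter: it parses a MIME message, enumerates its attachments and denies the message when any attachment carries a blocked file extension. The blocked-extension list, the sample message and its addresses are constructed for the example.

```python
"""Attachment policy check over a constructed MIME message (added example)."""
import email
import posixpath
from email import policy
from email.message import EmailMessage

# Constructed policy: file types that are not allowed through as attachments.
BLOCKED_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def build_sample_message(filename, payload=b"constructed attachment bytes"):
    """Build a constructed message with a single attachment named `filename`."""
    msg = EmailMessage()
    msg["From"] = "partner@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Quarterly figures"
    msg.set_content("Figures attached.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def attachment_extension(name):
    """Last extension of the file name, lower-cased. Path separators are
    stripped first so 'reports\\q3.xls.exe' is judged on '.exe'."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return posixpath.splitext(base.lower())[1]


def inspect_message(raw):
    """Return (allowed, verdicts); verdicts lists (filename, allowed) for each
    attachment. A message with no attachments is allowed."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ok = attachment_extension(name) not in BLOCKED_EXTENSIONS
        verdicts.append((name, ok))
    return all(ok for _, ok in verdicts), verdicts


def demo():
    """Verdict per constructed attachment name."""
    cases = ["figures.xls", "figures.xls.exe", "FIGURES.EXE", "reports/q3.scr"]
    return {name: inspect_message(build_sample_message(name))[0] for name in cases}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```

The check covers double extensions and upper-case names, but it judges by file name only: an attachment with no name, or with a renamed extension, passes it, which is why a perimeter filter also looks at the declared content type and the file's actual format rather than the name alone.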
Advanced ISA Server 2000 workshop: secure your enterprise network with Microsoft Consulting Services best practices
Microsoft offers an advanced workshop that reviews best practices and field experience, both theoretical and hands-on.
- Duration: 12 hours (theory: 8 hours; practice: 4 hours)
- Dates: May 17, 20 and 21, from 6:00 PM to 10:00 PM
- Contact: Arturo Valencia, x 5669