




Part 3: Diagrams

RADIUS Authentication
- Federation through RADIUS proxies
- Can be used for centralized authentication services
- Domain membership not required
- Great for DMZ placement
Diagram labels: Corpnet, Internet, Web Client (Browser, HTTP client), Firewall Server, RADIUS Server (IAS), Back-end Server
Flow:
1. HTTP/SSL basic auth.
2. RADIUS request
3. HTTP/SSL request, sent to server

ISA Server 2000 (Old) Networking Model
- Fixed zones
- "IN" = LAT
- "OUT" = DMZ, Internet
- Packet filter only on external interfaces
- Single outbound policy
- NAT always
- Static filtering from DMZ to Internet
Diagram labels: Internal Network, Internet, DMZ 1, Static PF, ISA 2000

ISA Server 2004 Networking Model
- Any number of networks
- VPN as network
- Localhost as network
- Assigned relationships (NAT/Route)
- Per-Network policy
- Packet filtering on all interfaces
- Support for DoD
- Any topology, any policy
Diagram labels: CorpNet_1, CorpNet_n, Net A, Internet, VPN, ISA 2004, DMZ_n, DMZ_1, Local Host Network

Rule Structure & Policy Mapping
- Basic ISA 2000 rules: Protocol rules, Site and Content rules, Static packet filters, Publishing rules, Web publishing rules, Selected filtering configuration
- Other ISA 2000 rules: Address translation rules, Web routing rules
- Firewall policy
- Configuration policy
- Rule form: action on traffic from user from source to destination with conditions
- Rule elements: Allow, Deny, Source network, Source IP, Originating user, Destination network, Destination IP, Destination site, Protocol, IP Port / Type, Published server, Published web site, Schedule, Filtering properties
- Users: Any user, Authenticated users, Specific User/Group

ISA Server 2004 Architecture
Diagram labels: Policy Engine, NDIS, TCP/IP Stack, Firewall Engine, Firewall service, Application Filter API, App Filter, Web Proxy Filter, Web Filter API (ISAPI), Webfilter, Webfilter, User Mode, Kernel Mode, SMTP Filter, RPC Filter, DNS Filter, Policy Store
1. Packet layer filtering
2. Protocol layer filtering
3. Application layer filtering
4. Kernel mode data pump: performance optimization

IIS 5 Request Processing
Diagram labels: Kernel mode, User mode, Metabase, Request, Response, DLLHOST.exe, DLLHOST.exe, TCP/IP, X, X, FTP, NNTP, SMTP, AFD, WinSock

IIS 6.0 Request Processing
Diagram labels: Administration & Monitoring, WWW Service, HTTP, Cache, Queue, Kernel mode, User mode, XML Metabase, Inetinfo, FTP, NNTP, SMTP, Request, Response, Application Pools, X, TCP/IP

What is Remote Access Quarantine?
- RAS client meets Quarantine policies
- RAS client gets full access to network
- RAS client disconnected
- RAS client fails policy check
- Quarantine timeout reached
- RAS client placed in Quarantine
- Remote access client authenticates

Detailed Quarantine Process
Diagram labels: Connect, Authenticate, Authorize, Quarantine VSA + Normal Filters, Policy Check, Result, Remove Quarantine, Quarantine Access, Full Access, Internet, RAS Client, RRAS Server, IAS Server, Quarantine

ACS Architectural Overview
Diagram labels: WMI, Monitored Clients, Monitored Servers, SQL, Collector, Events subject to tampering, Events under control of auditors, Security logs, Security logs, Real-Time Intrusion Detection Applications, Forensic Analysis, Management System

Exploit Timeline
- Begin race to protect and patch systems before attack is launched
- Vulnerability reported
- Security bulletin and patch released
- Worm or virus code created
- Patch developed
- Patch reverse engineered
- Worm or virus launched; infects unprotected or unpatched systems
Phases: No Exploit, Exploit

MBSA: How It Works
contains:
- Security bulletin names
- Product-specific updates
- Version and checksum info
- Registry keys changed
- KB article numbers
- Etc.
Steps:
1. Run MBSA on Admin system, specify targets
2. Downloads CAB file with MSSecure.xml and verifies digital signature
3. Scans target systems for OS, OS components, and applications
4. Parses MSSecure to see if updates are available
5. Checks if required updates are missing
6. Generates time-stamped report of missing updates
Diagram labels: Windows Download Center, MBSA Computer

Defense In Depth
- Using a layered approach:
- Increases attacker's risk of detection
- Reduces attacker's chance of success
Layers and example controls:
- Policies, Procedures, & Awareness: Security documents, user education
- Physical Security: Guards, locks, tracking devices
- Perimeter: Firewalls, Network Access Quarantine Control
- Internal Network: Network segments, IPSec, NIDS
- Host: OS hardening, authentication, patch management, HIDS
- Application: Application hardening, antivirus
- Data: ACLs, encryption, EFS

Requirements For Successful Patch Management
- Products, tools, automation
- Project management, patch management process
- People who understand their roles and responsibilities
Diagram labels: Effective Processes, Effective Operations, Tools and Technologies

Patch Management Process
Cycle: 1 Assess, 2 Identify, 3 Evaluate and Plan, 4 Deploy

1. Assess
- Inventory computing assets
- Assess threats and vulnerabilities
- Determine the best source for information about new patches
- Assess your software distribution infrastructure
- Assess operational effectiveness

2. Identify
- Discover new updates
- Determine whether updates are relevant to your environment
- Obtain patch, confirm it is safe
- Determine if patch is a normal change or an emergency

3. Evaluate and Plan
- Determine whether the patch is actually required
- Plan the release of the patch
- Build the release
- Perform acceptance testing

4. Deploy
- Prepare for deployment
- Deploy the patch to targeted computers
- Review the deployment

SUS: How It Works
Diagram labels: Parent SUS Server, Windows Update, Child SUS Server, Firewall, Client Computers, Client Computers

SUS Sample Deployment Scenario
Diagram labels: Main Office SUS Server, Windows Update, Pilot SUS Server, Firewall, Pilot Client Computers, Main Office Client Computers, Regional Client Computers, Regional SUS Server

Software Update Service: SUS Deployment Scenario 1
Diagram labels: SUS Server, Windows Update Service, Firewall
1. SUS server downloads updates and metadata
2. Administrator reviews, evaluates, and approves updates
3. Automatic Update gets approved updates list from SUS server
4. Automatic Update downloads approved updates from Windows Update

Software Update Service: SUS Deployment Scenario 2
Diagram labels: SUS Server, Windows Update Service, Firewall
1. SUS server downloads updates and metadata
2. Administrator reviews, evaluates, and approves updates
3. Automatic Update gets approved updates list from SUS server
4. Automatic Update downloads approved updates from SUS server

Software Update Service: SUS Deployment Scenario 3
Diagram labels: Parent SUS Server, Windows Update Service, Child SUS Server, Firewall, Child SUS Server
1. SUS server downloads updates
2. Administrator reviews, evaluates, and approves updates
3. Approvals and updates synced with child SUS servers
4. Automatic Updates gets approved updates list from SUS server
5. Automatic Update downloads approved updates from SUS server
6. Automatic Update downloads approved updates from Windows Update

Managing A Complex SUS Environment
- Centrally manage downloading and approving updates
- Use OU structure and GPOs to manage SUS update distribution
- Use the WUAU.ADM template file to configure AU client settings
- Assign GPOs to OUs
Diagram labels: Domain, Member Server GPO, Member Servers, SUS Test, RO1 GPO, HO GPO, RO2 GPO, HO Workstations, RO1 Workstations, RO2 Workstations, SUS Test GPO

Ages of Security
Ages: Stone Age, Bronze Age, Information Age
- No decent tools
- No mythology, no guidance
- Very little information shared
- Global lack of awareness
- Primitive tools
- Primitive methodology
- Little sense of the big picture
- Information spreads slowly
- Awareness widespread, but expertise rare
- Survival mentality
- Advanced, automated tools
- Comprehensive methodology
- Widespread expertise
- Universal awareness
- Think integrated!

SMS: What It Does
Diagram labels: Microsoft Download Center, Firewall, SMS Site Server, SMS Distribution Point, SMS Clients, SMS Clients, SMS Clients
1. Setup: Download Security Update Inventory and Office Inventory Tools; run inventory tool installer
2. Scan components replicate to SMS clients
3. Clients scanned; scan results merged into SMS hardware inventory data
4. Administrator uses Distribute Software Updates Wizard to authorize updates
5. Update files downloaded; packages, programs, and advertisements created/updated; packages replicated and programs advertised to SMS clients
6. Software Update Installation Agent on clients deploys updates
7. Periodically: Sync component checks for new updates, scans clients, and deploys necessary updates

- Enumeration: "OK"?
- Record of State: "Better"?
- Well-defined Standard Configurations: "Best"

Security Policy Model
Diagram labels: Operations, Process, Implementation, Documentation, Policy, Technology
- Start with policy
- Build process
- Apply technology
- System = Programs + Servers + Solutions + Services
- Compare to standards and best practices

Measuring Security Policy
- Security Policy: "What you must do"
- Documented Procedures: "What you say you do"
- Operations: "What you really do"

Security Operating Principles
Diagram labels: Corporate Security Mission and Vision, Security Strategy, Risk-Based Decision Model, Tactical Prioritization, Mission, Assess Risk, Define Policy, Monitor, Audit

Section strip (repeated on the following slides): Operating Principles, Mission and Vision, Risk Based Decision Model, Tactical Prioritization

Prevent malicious or unauthorized use that results in the loss of Microsoft intellectual property or productivity by systematically assessing, communicating, and mitigating risks to digital assets

Enterprise Risk Model
- Axis: Impact to Business (Defined by Business Owner), Low to High
- Axis: Probability of Exploit (Defined by Corporate Security), Low to High
- Regions: Acceptable Risk, Unacceptable Risk
- Risk assessment drives to acceptable risk

Solutions Landscape
Diagram labels: Enterprise Applications, Department Applications, Team Collaboration, Dept. & Vertical Workflow, 5-10 users, Department users, Cross-enterprise users, Formal, Ad-hoc, Team, Department IT, Enterprise IT
- Task & Status Tracking, Formal Workflow, Expense Management, Benefits Administration, Account Planning, Procurement, Government Forms.
- Team Survey, Status Report, Issue Tracking.
- Asset Mgmt, Sales Reports, Customer Service, Healthcare Forms, Project Mgmt
Case studies atcasestudies

Risk Analysis By Asset Class
Assets:
- Host: Exploit of misconfiguration, buffer overflows, open shares, NetBIOS attacks
- Application: Unauthenticated access to applications, unchecked memory allocations
- Account: Compromise of integrity or privacy of accounts
- Trust: Unmanaged trusts enable movement among environments
- Network: Data sniffing on the wire, network fingerprinting

Components Of Risk Assessment
- Asset: What are you trying to assess?
- Threat: What are you afraid of happening?
- Impact: What is the impact to the business?
- Vulnerability: How could the threat occur?
- Mitigation: What is currently reducing the risk?
- Probability: How likely is the threat given the controls?
- Current Level of Risk: What is the probability that the threat will overcome controls to successfully exploit the vulnerability and affect the asset?
Diagram symbols: +, =

Risk Management Process And Roles
Diagram labels: 3, 4, Security Solutions & Initiatives, Sustained Operations, Cross-IT Teams, Corporate Security

Ta