SEC400:

Windows?2000/WindowsXP

網絡平安

張執玉

系統工程師

微軟〔中國〕大綱企業網絡客戶端威脅和防范InternetconnectionfirewallIPsecurity企業網絡客戶端LargegroupsoftrustedusersandcomputersTypically…InsecuresystemsUsedbytrustedusersUsersarelocaladministratorsLittlecentralcontroloversecurityUsersinstalluntrusted,possiblyinfectedsoftwareMobile–connecttomanypublicnetworks,thenbacktobusinessnetwork企業網絡客戶端“Ourfirewallwillprotectus〞Wrong!NoprotectionfrominternalsystemsWhere’sthedefenseindepth?Infectede-mailspreadseasilywithinBack-doorTrojansleapfrommachinetomachineOftenconnectedtopublic

networksdirectlyTrojansAndViriiDeliveredthroughe-mailorinfectedprogramsRunasloggedonuserVerybadifit’sacorp-trusteduser!DeadlyifuserislocaladminSendpersonaldatatoattackersIdentitytheftofuserIDandpasswordSensitivedatatheftSendmaliciousdatatoattackothersOpenholesforaccessfromInternetEnableattackertocontrolyourPCEnableyourmachinetostoreandserve“bad〞data系統平安危機AttackeraccessfromInternetPortscanisn’tanattack,butprobingforweaknesses,oncein:RunscriptsscanningforknownweaknessesStealyourdata,passwordsInfectyourcomputerwithtrojansto

spreadinfectionBackupswon’thelpifnot“clean〞NetworktrafficisvisibleNetworkaddresses,e-mail,WebpageURLs,Webpagecontent,datafiles,passwordformsPassivecollectionleadstodatabasetrackingPortScan防范DefenseindepthNetworkPlatformApplicationUsersDefinepoliciesWithoutthese,everythingelseisuselessTestenforcementMonitoradherence防范Principleofleastprivilege(POLP)Usersaren’tlocaladministratorsTrustthosewhoareadmins,thoughConfiguretrustrelationshipsonlywherethereisabusinessneedAppropriateaccesslistsandrights,againfollowingbusinessneeds防范TrustedplatformfortrustedusersAnti-virusprogramsUp-to-datepatchesandservicespacksAdministrator-managedandsecuredClientmachinesjoinedtoWindows2000orWindowsXPDomainmakesclientadminscalableUsersarepowerusersandmaybenetworkoperators(WindowsXP),don’tloginwithadministratorrights防范防止不必要的網絡訪問Perimeterprotection(firewalls,routers)End-systemfirewallAuthenticated,authorized

networkconnectionsTousenetwork–802.1x(seewirelesstalk)IPsecurityOutboundrestrictions,tooEndsystemfilteringwithIPSecPerimeterfiltering防范經過保護的通信DigitallysignandencryptApp:SSL/TLSconnectionsAdmin:IPSectransportmodeAdmin/User:VPNTunnels–PPTP,L2TP/IPSecMaylimitabilitytoinspect,butcanyoureally?AnonymousaccessisfineforpublicinformationConsiderwhat’struly“public〞Ifyouhavetologontogetinfo,thenit’snot“public〞WindowsXP

InternetConnectionFirewallAddressesthreatofun-solicited

networkaccessInternetConnectionFirewallInWindowsXPHome,WindowsProfessional,WindowsServerEnabledonaper-interfacebasisDropsallIPunicasttrafficinboundExemptsmulticast,broadcastUnlessamappingexistsNo“danger〞dialogsUsersdon’tunderstandUsersunabletotakeactionInternetConnectionFirewallStatefulper-connectionflowentryUsessourceanddestinationportsonoutboundconnectiontocreateflowentryConnectionsclosedbyTCP:ACK-FINandRSTUDP:Time-outICF激活要點Outofboxexperience(OOBE)WizardOnfirst-bootonHomeEditionNetworksetupwizardSetsuphomeandsmallofficenetworksAvailableonHomeandProfessionalNewconnectionwizardEnabledbydefaultforDUN,PPPoEOptiontoenableonVPNNetworkconnectionsfolderPropertiessheetofnetworkconnectionICF使用場景HomeEnableonsinglePCdirectlyconnectedtotheInternetviabroadbandEnabledwhenInternetConnectionSharingusedforhomenetworkingBusinessandmobileGrouppolicyflagcandisableforenterpriseLocationawarenessallowsusertotakelaptopandprotectitwhileoutside

theofficeICF效勞選項AllowsuserswhorunservicesonlocalPCorhomenetworktocreateportmappingsProvidesetof

pre-definedservicesUsercancreatenewmappingsICF日志選項NologgingbydefaultOptiontologunsuccessfulconnectionsOptiontologsuccessfulconnectionsOptionforlogfilename,location,

andsizeICFICMP選項DisabledICMPoptionsType3Type4Type5Type8Type10Type11Type12Type13Type17ICFProtectionWindows2000和

WindowsXP

Internet協議平安Addressesthreats:Un-solicitednetworkaccessPassiveinterceptionofsensitivenetworktrafficTrustedusershavingtoomuchnetworkaccessIPSec功能IPPacketFilteringPermit,block,negotiatesecuritySecurecommunicationMutualauthenticationSenderandreceiverknoweachother,trustPacketconfidentiality=EncryptionOnlysenderandreceiverknowcontentsPacketintegrity=CryptographicChecksumTamperedpacketsarediscardedAdministrativelyappliedbelowapplicationsNochangeinapplicationsneededNochangeinnetworkneeded,exceptportfilters如何應用IPSecNetworkadministratordesignsagroupofconfigurationsettingsCalledan“ipsecpolicy〞NeedtounderstandIPtrafficrequiredbyapplications,

bysystemLikeafirewallorrouterACLUsetheIPSecpolicymanagementMMCsnapinUse“LocalSecurityPolicy〞tocreatestaticpoliciesstoredinregistryUseActiveDirectory?grouppoliciesfor

centralizedmanagementUseIPSECPOL.EXE(Windows2000)orIPSECCMD.EXE(WindowsXP)tocreatestaticanddynamicpoliciesatcommandlineWindowsXP

TCP/IP

架構IPPacketFilterdriverIPHOOKDriver(DDK)TCPRawICMPUDPWinSockWinsockLayered

ServiceProvidersIPSecFilters,TransportandTunnelOffload:TCPchecksum,largesend,IPSecIPFrag/ReassemblyPPTPL2TPLAN/WANminiportsVPN=PPP

virtualinterfacesIPHOOKcalloutRRASUI,andMPR,IPHLPAPIfilterAPINATandICFPPPTCP/UDP/IPConnectionUIFiltersTCPIPStackNetmon

SniffDriverAPPLICATIONIPSec包過濾FiltersforallowedandblockedtrafficNoactualnegotiationofIPSecsecurityassociationsOverlappingfilters–mostspecificmatch

determinesactionDoesnotprovidestatefulfilteringExample:Toopenonlyport80ontheIIS:FromIPToIPProtocolSrcPortDestPortActionAnyMyInternetIPAnyn/an/aBlockAnyMyInternetIPTCPAny80PermitAD同步端口ServicePort/protocolRPCendpointmapper135/tcp,135/udpNetBIOSnameservice137/tcp,137/udpNetBIOSdatagramservice138/udpNetBIOSsessionservice139/tcpRPCdynamicassignment1024-65535/tcp[1]SMBoverIP(Microsoft-DS)445/tcp,445/udpLDAP389/tcpLDAPoverSSL636/tcpGlobalcatalogLDAP3268/tcpGlobalcatalogLDAPoverSSL3269/tcpKerberos88/tcp,88/udpDNS(ifrequired)53/tcp[2],53/udpWINSresolution(ifrequired)1512/tcp,1512/udpWINSreplication(ifrequired)42/tcp,42/udp

Packet/PortFilteringIsn’tSufficientToProtectServerFromIP1toIP2,UDP,src*,dst88/389FromIP2toIP1,UDP,src88/389,dst*FromIP2toIP1,TCP,src*,dst135FromIP1toIP2,TCP,src135,dst*SpoofedIPpacketscontainingqueriesormaliciousjunkcanstillreachopenportsthroughFWIP1toIP2,UDP,src*,dst88/389,…Manyhackertoolsexisttousesourceports80,88,135,etctoconnecttoanydestinationportFromIP2,toIP1,UDP,src88/389,dst88/389IPSecServerToServer“Lockdown〞IPSecDriverfiltersRequireIPSecto/fromMeandSeattleSiteIPs;Trust“MyCARoot〞onlyRequireIPSecto/fromMeandLondonSiteIPs,allIPtraffic;Trust“MyCARoot〞onlyNosendun-secured(fallbacktoclear)Noreceiveun-securedAction:IPSecESP3DES/SHA1,rekeysessionsevery1houror100MbytesIKESAnegotiationUDPport500IPSecESPEstablishedIPSecDriverfiltersIKEcertcertIKESeattleSiteLondonSiteIPSecWithInternetKeyExchange

SendingpacketsinitiatessecurityInternetKeyExchange(IKE)-IdentityProtectMode–definedinRFC2409Phase1“MainMozde〞establishesIKESA–trustedchannelbetweensystems,negotiationestablishesencryptedchannel,mutualtrust,anddynamicallygeneratessharedsecretkey(“master〞key)Phase2“QuickMode〞establishesIPSecSAs–fordataprotection,oneSAforeachdirectionidentifiedbypacketlabel(SPI),algorithmsandpacketformatsagreed,generatesshared“session〞secretkeysderivedfrom“master〞keyNICTCPIPApplicationServerorGatewayIPSecDriverfiltersIPSecPolicyAgentIKE(ISAKMP)IPSecDriverIPSecPolicyAgentIKE(ISAKMP)NICTCPIPfiltersApporServiceclient“IKEResponder”“IKEInitiator”UDPport500negotiation1IKESA2IPSecSAsIPprotocol50/51IPSecAuthenticationHeader(AH)InTransportModeDataTCPHdrOrigIPHdrDataTCPHdrAHHdrOrigIPHdrNextHdrPayloadLenRsrvSecParamIndexKeyedHashIntegrityhashcoverage(exceptformutablefieldsinIPheader)Seq#24bytestotalAHisIPprotocol51InsertIPSecEncapsulatingSecurityPayload(ESP)InTransportModeDataTCPHdrOrigIPHdrDataTCPHdrESPHdrOrigIPHdrESPTrailerESPAuthUsuallyencryptedintegrityhashcoverageSecParamIndexPaddingPadLengthNextHdrSeq#KeyedHash22-36bytestotalInitVectorESPisIPprotocol50InsertAppendIPSecESPTunnelModeDataTCPHdrOrigIPHdrESPTrailerESPAuthUsuallyencryptedintegrityhashcoverageDataTCPHdrESPHdrIPHdrIPHdrNewIPheaderwithsourceanddestinationIPaddressIPSecLockdownConnectionServerToServerIPSec“ServerInitiated〞ConnectionsForInternalServersActiveDirectoryKeyDistribution

Center(KDC)Windows2000domaincontrollerApplicationIPSecDriverfiltersClient(RespondOnly)PolicyCustomSecureServerPolicy“Securefrommetoanydestination,allunicasttraffic;Acceptunsecured;Trustdomainmember〞“Sendinclear,securetrafficonlyifrequested;Trustdomainmembers〞TGTTGTIKESAnegotiationUDPport500SessionTicketticketIPSecSAsEstablishedServerconfignotforInternetuse!IPSec性能IPSecprocessinghassomeperformanceimpactIKEnegotiationtime–about2-5secondsinitially5roundtripsAuthentication–KerberosorcertificatesCryptographickeygenerationandencryptedmsgsButdoneonceper8hoursbydefault,settableSessionrekeyisfast–<1-2seconds,2roundtrips,onceper

hour,settableHowtoimprove?OffloadingNICsdoIPSecalmostatwirespeed~85-92Mbits/sec3DESfor100MbitEthernetcardFasterCPUsConclusionIPSecperformanceimpactisusuallynegligibleBestforservertoserverorclienttoserverprotecteddatatransfersIPSec硬件加速器IPSecper-packetencryptionhaswire-speedhardwareaccelerationfor

10/100EthernetClient/Svrcardsretail$100-130USD3CR990-TX-97(3DESdesktopNIC)3CR990-TX-95(DESdesktopNIC)3CR990SVR97(3DESserverNIC)3CR990SVR9597(DESserverNIC)3C990B-TXM(DES/3DESDesktopNIC)3C990BSVR(DES/3DESServerNIC)IntelShipping::///network/products/

Intel?PRO/100SDesktopAdapterIntel?PRO/100SServerAdapterIntel?PRO/100SRMobileAdapter(PCMCIA)Intel?PRO/100SRComboMobileAdapter(PCMCIA)Intel?PRO/100SPMobileAdapter(PCMCIA)Intel?PRO/100SPComboMobileAdapter(PCMCIA)XPIPSec性能的增強DoublednumberofnewSAsperminuteReliabledeletehandlinginIKEDoubledpacketfilteringspeed(throughput)ClientLDAPretrievalofADpolicy5timesfasterthanWindows2000BothInteland3Com32bitx8610/100EthernetoffloadsupportshippingintheboxWindowsXP管理的增強IPSecmonitorsnapinprovidesdetailedviewwithDNSnamesforIPsIpseccmdcommandlinein\system32NetdiagshowsmoregrouppolicydetailMoredetailedstats