Robert Petrunić, CISSP, CEH, MCITP, Algebra
Agenda
• How to achieve security? (the challenge)
• How Forefront approaches the problem
• What belongs to the Forefront family
• FF Endpoint Protection 2010
• FF Identity Manager
• FF TMG and UAG
Everyday problems
• Malware, spam, phishing
• Passwords
• Users browse the web instead of working
• Tunnelling and hiding traffic
• Money (the lack of it)
• Lack of understanding and training
• Software flaws, 0-day attacks
• Criminals
• Social networks
• ...
Problems ...
• Reverse connections
• Exploits and malware from the web
• Exploits and malware from inside
• HTTP/HTTPS tunnelling
• CD/USB sticks
• Disgruntled users
• Covert channels
• ...
Potential solutions
• Education, demystification
• End to end trust
− Secure by design
− Secure by default
− Secure in deployment
• Antivirus programs
• Firewall, IDS/IPS, honeypot
• Better and more comprehensive management tools
• Restrictions
• Forefront products
Business ready security
• 1.
− Protection everywhere
− Access from anywhere
• 2.
− Integrated
− Extensible
• 3.
− Simple
− Manageable
What belongs to FF
• FF Endpoint Protection
• FF Application Security
− FF Online Protection for Exchange
− FF Protection for Exchange
− FF Protection for Office Communications Server
− FF Protection for SharePoint
• FF Network (Edge) Access and Protection
− FF Threat Management Gateway
− FF Unified Access Gateway
• FF Identity Management
− FF Identity Manager 2010
FEP + Security Management Pack
• FEP (Forefront Endpoint Protection)
− Antivirus and security solution for clients
− Integrated within SCCM 2007
• FEP Security Management Pack
− Antivirus and security solution for servers
− Integrated within SCCM 2007
• FEP 2012 is in RC!!!
FEP + Security Management Pack
• They offer:
− Integration with the existing management infrastructure (SCCM 2007)
− Antimalware engine (proven)
− Reporting (MS SQL Reporting Services)
− Policy-based antimalware management
− Firewall management
− Migration from existing solutions (FF Client Security)
FEP + Security Management Pack
• Simple to deploy
• Simple to manage
• Unified protection
− Antimalware (viruses, trojans, rootkits, worms, spyware ...)
− Vulnerability assessment
− Windows Firewall management
− NIS (Network Inspection System)
FEP + Security Management Pack
• System requirements (server)
− 2 GB of memory
− FEP server (600 MB), FEP database (1.25 GB), FEP reporting database (1.25 GB)
− Windows Server 2003 SP2 or newer
− SQL Server 2005 SP3 or newer
− Microsoft SCCM 2007 SP2 or newer
− Windows Installer 3.1, .NET 3.5 SP1
[Diagram: FEP architecture, with the SCCM Server (SQL Reporting Services, SCCM Software Distribution, SCCM Desired Configuration Management), Config./Dashboard, Reports, a Network File Share, SpyNet, and the managed desktops, laptops and servers; arrows labelled DATA, EVENTS and TELEMETRY]
FEP client distribution
• 2 methods:
− Distribution via SCCM
− Running the .exe file with parameters
− Manual installation
− Scripted installation
− Third-party installation tools
− Group Policy installation
− Preinstalled in the OS image
− ...
Client Distribution Flow
[Diagram: policy configuration → third-party detection → silent removal of third-party products → FEP client installation → signature update]
Automatic removal of an existing AV:
• Symantec Endpoint Protection version 11
• Symantec Corporate Edition version 10
• McAfee VirusScan Enterprise version 8.5 and version 8.7
• Trend Micro OfficeScan version 8.0 and version 10.0
• Forefront Client Security version 1, including the Operations Manager agent
Management Scenarios
• Policy Management
− Scheduled scans
− Scan exclusions
− Update locations
− Client Configuration
• Desired Configuration Management (DCM)
− Clients out of policy
− Unhealthy clients
− Out of date clients
• Reporting
− Malware activity
− Computer health
− Summary or detailed views
Unified Management Interface
• Simplified operations for client management and security through a unified console
• Centralized console for policy management and monitoring
• Enterprise-wide visibility into client security
• Quick identification and remediation of client security issues
Goals for Protection in FEP 2010
[Diagram: Signatures and Samples exchanged between the Customer machine and the MMPC; goals: blocking threat infections and neutralizing active threats, through Real-time Protection, Generics & Heuristics, Browser Protection, Network Vulnerability Shielding, Anti-rootkit, Behavior Monitoring, Dynamic Signature Service and Malware Response]
Forefront Protection Stack: Summary
[Diagram: layers Anti-Rootkit, Generics and Heuristics, Real-time Protection, Behavior Monitoring, Dynamic Signature Service, Malware Response, Browser Protection and Network Vulnerability Shielding; goals: provide high-quality protection, cover more attack vectors, discover new threats, deliver signatures faster]
FEP Supported Clients
• Client SKUs:
− Windows XP SP3 (x86); no Network Inspection System (Vulnerability Shielding) support
− Windows Vista (x86 and x64); SP1 required for NIS support
− Windows 7 (x86 and x64)
− Windows 7 XP Mode
• Server SKUs:
− Windows Server 2003 SP2 (x86 and x64) + R2
− Windows Server 2008 (x86 and x64) + R2
What is FIM?
• FIM = ILM 2007 +
− Integrated user management
− Self-service portals for managing credentials, groups and policy
• Main differences:
− IT can manage heterogeneous identities without writing custom code
− Users manage the attributes of their own identities with familiar tools (Office, SharePoint, Windows)
− Developers can extend the platform (open platform)
FIM features
Credential Management
− Heterogeneous certificate management with 3rd-party CAs
− Management of multiple credential types, including one-time passwords
− Self-service password reset integrated with Windows logon
Group Management
− Rich Office-based self-service group management tools
− Offline approvals through Office
− Automated group and distribution list updates
User Management
− Integrated provisioning of identities, credentials, and resources
− Automated, codeless user provisioning and de-provisioning
− Self-service profile management
Policy Management
− SharePoint-based console for policy authoring, enforcement & auditing
− Extensible WS-* APIs and Windows Workflow Foundation workflows
− Heterogeneous identity synchronization and consistency
FIM architecture
[Diagram: Solutions Group (User Mgmt, Credential Mgmt, Policy Mgmt, Custom); ILM Clients (Outlook, Portal, Windows, Custom); ILM Platform consisting of ILM Service (Request Processor, AuthN Workflow, AuthZ Workflow, Action Workflow, Delegation & Permissions, AppDB) and ILM Sync (Adapters, SyncDB); Identity Stores (Directories, Databases, E-Mail Systems, Applications); Cert Mgmt (ILM-CM, ILM-CM Portal, ILM-CMDB)]
FIM management agents
• AD DS
• AD LDS
• AD GAL
• Delimited text file
• Any file-based data source
• Fixed-width text files
• IBM DB2
• IBM Tivoli DS
• LDIF
• Novell eDirectory
• Oracle database
• SAP R/3
• MS SQL
• SUN DS
• Netscape DS
• Management agent = synchronises FIM with the connected data source
FIM licensing
• Server licence
− For FIM 2010 servers
• Client licence
− For every user whose identity or certificate is managed by FIM
− For every user who accesses the FIM software
− External users (CAL or external connector)
[Diagram, Before / Now: Network Protection becomes integrated and comprehensive protection from Internet-based threats; Network Access becomes a unified platform for all enterprise remote access needs]
What is TMG?
• Firewall – Control network policy access at the edge
• Secure Web Gateway – Protect users from Web browsing threats
• Secure E-mail Relay – Protect users from e-mail threats
• Remote Access Gateway – Enable users to remotely access corporate resources
• Intrusion Prevention – Protect desktops and servers from intrusion attempts
Comprehensive, integrated, simplified
Features
Firewall
• VoIP traversal
• Enhanced NAT
• ISP link redundancy
Secure Web Access
• HTTP antivirus/antispyware
• URL filtering
• HTTPS forward inspection
E-mail Protection
• Exchange Edge integration
• Antivirus
• Antispam
Intrusion Prevention
• Network Inspection System
Remote Access
• NAP integration with client VPN
• SSTP integration
Deployment and Management
• Array management
• Change tracking
• Enhanced reporting
• W2K8, native 64-bit
Subscription Services
• Malware protection
• URL filtering
• Intrusion prevention
• Comparing with ISA Server 2006
Available in both ISA Server 2006 and Forefront TMG:
− Network layer firewall
− Application layer firewall
− Internet access protection (proxy)
− Basic OWA and SharePoint publishing
− IPSec VPN (remote and site-to-site)
− Web caching, HTTP compression
− Exchange publishing (RPC over HTTP)
New in Forefront TMG:
− Web antivirus, antimalware
− URL filtering
− E-mail antimalware, antispam
− Network intrusion prevention
− Enhanced UI, management, reporting
− Windows Server® 2008 R2, 64-bit (only)
TMG vs. ISA 2006
• HTTPS inspection
• URL filtering
• Antimalware web protection
• Built-in IPS
• Improved e-mail protection
• Improved NAT support
• Improved VoIP support
• 64-bit OS
NIS
• Signature-based
• Three types of signatures:
− Vulnerability-based
− Exploit-based
− Policy-based
• Based on GAPA (Generic Application-level Protocol Analyzer)
• Known browser-based attacks
• MMPC (Microsoft Malware Protection Center) researches vulnerabilities and writes the signatures
NIS supported protocols
• HTTP, DNS
• SMB, SMB2, NetBIOS, MSRPC
• SMTP, POP3, IMAP, MIME
• ... for now ...
NIS planning
• Capacity
− Consumes up to 30% additional resources on the TMG server with antimalware inspection enabled
− Most of that goes to HTTP traffic
HTTPS inspection
• Solves the tunnelling problem
• Prevents access to sites with invalid certificates
• Exceptions are possible
• TMG generates the certificates (MitM)
URL filtering - purpose
• Increased security
• Increased productivity
• Reduced liability risk
• Reduced bandwidth consumption
URL filtering - MRS
• Microsoft Reputation Services (MRS): a cloud-based reputation centre hosted in a Microsoft datacentre
• TMG stores the data it receives from MRS locally (with a TTL)
• Uses filters from multiple vendors, each specialised in a particular area
URL filtering
• Over 80 URL categories (Child Pornography, Anonymizers, BotNets, Gambling, Malicious, Hate/Discrimination ...)
• Unlike ISA Server, where the administrator had to import and build the categories
• Simple configuration (by category)
• Exceptions are possible
• Reporting – which users constantly violate company policy?
• MRS policy can be overridden locally
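An added illustration, not TMG's own code: a simplified model of the URL filtering decision described on the last three slides (an MRS category verdict cached locally with a TTL, a local override of the MRS verdict, and per-host exceptions). The host names, categories, TTL and the MRS stand-in dictionary are constructed sample values.

```python
# Added example (not TMG code): how a cached MRS verdict, a local category
# override and per-host exceptions combine into one allow/block decision.
import time
from urllib.parse import urlsplit

# Constructed stand-in for the MRS cloud lookup: host -> category.
MRS_SAMPLE = {"anon-proxy.example": "Anonymizers", "bets.example": "Gambling",
              "intranet.example": "Business"}
# Constructed policy: categories the administrator has chosen to block.
BLOCKED_CATEGORIES = {"Anonymizers", "BotNets", "Gambling", "Malicious"}
CACHE_TTL_SECONDS = 3600  # constructed TTL for locally cached MRS data


class UrlFilter:
    def __init__(self, now=time.time):
        self.now = now            # injectable clock so TTL expiry is testable
        self.cache = {}           # host -> (category, expires_at)
        self.local_override = {}  # host -> category set by the administrator
        self.exceptions = set()   # hosts always allowed regardless of category
        self.lookups = 0          # trips to the (simulated) MRS cloud

    def categorize(self, host):
        # A local override wins over whatever MRS says about the host.
        if host in self.local_override:
            return self.local_override[host]
        cat, expires = self.cache.get(host, (None, 0))
        if cat is None or expires <= self.now():   # cache miss or TTL expired
            self.lookups += 1
            cat = MRS_SAMPLE.get(host, "Uncategorized")
            self.cache[host] = (cat, self.now() + CACHE_TTL_SECONDS)
        return cat

    def decide(self, url):
        # Returns (verdict, reason): the reason is the category or "exception".
        host = urlsplit(url).hostname or ""
        if host in self.exceptions:
            return ("allow", "exception")
        cat = self.categorize(host)
        return ("block" if cat in BLOCKED_CATEGORIES else "allow", cat)
```

Because the MRS lookup is counted, the model also shows which requests are served from the local cache and which are re-fetched after the TTL expires.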
Antimalware inspection
• Catches web-based malware
• Cuts off suspicious traffic before it enters the internal network
• Antivirus software at the network edge
UAG vs. TMG
• Forefront TMG 2010
− Enables users to safely and productively use the Internet without worrying about malware and other threats
• Forefront UAG
− Comprehensive, secure remote access to corporate resources
• Forefront UAG is the preferred solution for providing remote access
− Forefront TMG 2010 still provides support for remote access features, but is not the recommended solution
Problems and solutions
• Zero-day attacks, malware, phishing, spam
− FF Endpoint Security
− TMG
• Policies, passwords and regulatory requirements, social networks
− TMG
− FIM
• Passwords
− FIM
• Lack of understanding and training
− All tools in the FF family (the user-facing part is simple)
Links
• Forefront
• Virtual labs
• Video presentations