Lesson 1: Providing Internet Security

Securing computers that will provide service on the Internet is one of the most challenging security problems you are likely to encounter. When you face accidents or malicious acts by logged-on users, you can use auditing to identify the culprit, and use training or legal action to prevent the act from happening again. However, attacks from the Internet are always anonymous, making it very difficult to pinpoint a perpetrator who might easily come from a part of the world that is beyond the reach of local law. These acts cannot be eliminated, so you must harden your network security to prevent them from affecting you.

To complete this lesson exactly as written, you will need

  • A Microsoft Windows 2000 server configured as the domain controller for domain.Fabrikam.com

  • A Windows 2000 server to configure as a firewall

  • A Windows 2000 Professional workstation

  • An evaluation edition of Microsoft Internet Security and Acceleration (ISA) Server

If you are using another type of firewall, you will need to adjust the steps.


After this lesson, you will be able to

  • Understand the fundamental problems of Internet security

  • Understand the requirements of a secure network architecture

  • Configure a firewall to protect a private network

Estimated lesson time: 45 minutes


Understanding the Requirements for Internet Security

Securing public Internet servers is very difficult because you are inviting the public to use your computers in a specific context. The goal of Internet security is to ensure that the public cannot use your servers in any manner that you don't specifically invite. To keep your public servers secure, you need to follow these four security practices:

  • Restrict access to all protocols except public protocols that you intend to serve.

  • Harden public protocols so that they cannot be exploited.

  • Ensure that legitimate remote users cannot be impersonated.

  • Monitor all access to determine that the first three practices are successful.

In this chapter, you learn to use firewalls and proper network architecture to prevent hacking that originates from outside your network.

What Is the Threat?

To prepare and protect your network, you need to understand the multiple types of attacks.

Types of Attack

The seriousness of a hacking event is determined mostly by whether you are a random target of opportunity or you have been specifically targeted.

  • A random attack does not indicate a specific, malicious intent against your company and it is unlikely to result in a sustained hacking effort. Therefore, there is little reason to respond to these types of hacking events once you've identified them as such.

  • A targeted attack is perpetrated specifically against your organization. It requires vigilance to prevent and research to determine who is (or might be) perpetrating the attack.

Specifically, you need to prepare for the following three types of attacks:

  • Automated attacks. Also referred to as "worms," automated attacks are perpetrated by virus-like software that exploits a known weakness in specific Internet service software, such as a Web server or an e-mail server. This type of attack has been around since the very early days of the Internet and affects all major operating systems. Because Windows is a popular operating system, it's a major target for these types of attacks. Once your service software is patched to be invulnerable to a specific worm, you can safely ignore further warnings from your firewall about it.

  • Target of opportunity attacks. Random target-of-opportunity attacks are the typical "hacking" events that occur on the Internet. Novice hackers who have little to lose generally perpetrate these attacks. Hackers typically attempt to exploit only one or two vulnerabilities that they have recently learned about. This type of attack is easily defended against by using firewalls and security proxies, and by updating services that are exposed to the Internet with the latest security patches. Random attacks don't require serious research or follow-up because they occur routinely and are perpetrated against all Internet participants equally.

  • Targeted attacks. Attacks specifically targeted against your organization are very rare and far more serious. These attacks are unlikely to happen to most businesses, but attackers who carry them out are more persistent and likely to use any means possible to gain access or cause a denial of service. These attacks are always very serious and are most often perpetrated by disgruntled employees, ideological activists, illicit competitors, or extortionists. In exceptionally rare cases, these attacks might be perpetrated by an experienced hacker looking for a technical challenge.

Methods of Attack

There are three primary ways attacks might be perpetrated against you:

  • Denial of Service (DoS) attacks. These attacks exploit the nature of Internet protocols to prevent valid users from reaching a service. These attacks do not attempt to gain access to a system; they seek only to prevent others from using it. Typical methods include sending a service enough information to use up available bandwidth (called flooding), creating a large number of bogus connection attempts to use up server resources (similar to prank phone calling), or transmitting a specifically malformed request to trigger a bug that will crash the server. DoS attacks are almost always perpetrated by either ideological hackers or extortionists.

  • Exploitation attacks. Frequently referred to as "buffer overruns," this type of attack seeks to connect anonymously to a service and then elevate the attacker's privileges on the system to that of a valid user or an administrator. This type of attack exploits a weakness in the server code allowing attackers to execute arbitrary code that they've sent to the service. The code elevates their privileges and allows them to gain direct access. When they are on the system as an administrator, they can take measures to further compromise the system. This type of attack is exploited by worms so it automatically propagates through vulnerable systems, and it is also performed by target-of-opportunity hackers whenever new exploits are discovered.

  • Impersonation attacks. These attacks occur when a user without valid access uses a valid user account to gain access by either discovering a password or performing a brute-force password attack that reveals an account password. Disgruntled former employees or illicit competitors typically perpetrate these attacks, but hackers looking for a challenge might perpetrate them. These attacks are very serious because they indicate specific, malicious intent directed against your company.

Vectors for Attack

Computers are not vulnerable to random attacks from any source; there are only a few ways an attacker can reach a computer.

  • Direct attack. A direct attack occurs when a hacker attempts to exploit a computer directly from the computer's console. These attacks are exceptionally rare and are typically performed only by disgruntled employees or employees performing pranks on others who leave their computers logged on. Modern logon systems are hardened against these sorts of attacks, and with little administrative effort, administrators can eliminate them as a serious concern.

  • Wireless. These attacks occur when hackers directly connect to the interior of the network using wireless services intended for legitimate users and begin attacking from inside the perimeter of the network. Once rare, these attacks have been brought to the fore by wireless technology, as hackers are able to exploit wireless access points to gain access to networks.

    Defeating these types of attacks can be very difficult. The most effective methods are to put wireless access points outside the firewall and treat them as Internet connections, and then use technology like the 802.1x protocol to prevent unauthorized users from attaching. Chapter 10, "Wireless Security," explains how to secure wireless access to your network.

  • Dial-up. Dial-up attacks were the original method that hackers exploited to connect remotely to networks. These attacks have become rare as the technology is being replaced by Internet connectivity, and they can be prevented by placing Routing and Remote Access Service (RRAS) servers outside the perimeter and treating dial-up connections as Internet connections.

  • Internet. The Internet is the most common vector for attacks. The vast majority of businesses and many consumers worldwide have Internet access. This level of connectivity and the anonymous nature of lower-level Internet protocols create the perfect environment for hacking and invite abuse. Because direct attacks are rare, and wireless and dial-up vectors can be placed outside a firewall so that they can be treated as Internet attacks, attacks from the Internet are the only type of attack from outsiders that you need to be concerned about in a properly constructed network infrastructure.

Securing Public Services

The first step to securing your network is controlling the intrusion vectors by narrowing them down to the fewest possible intrusion points. Listed below are methods of control for the four possible intrusion vectors:

  • Direct access attacks must be prevented by implementing strong physical security, such as security guards and identification badges for valid users. Implementing a smart card infrastructure can prevent user credentials from being exploited by hackers.

  • The wireless security problem is most often solved by placing wireless devices outside your firewall and using strong authentication protocols like 802.1x or a combination of media access control (MAC) address filtering and disabling Service Set Identifier (SSID) broadcast to prevent hackers from finding your wireless access points.

  • Dial-up attacks are a serious concern you can eliminate by placing remote access servers outside your Internet firewall. Even if hackers are able to exploit the remote access server, they still won't be inside your network. Keep Remote Authentication Dial-In User Service (RADIUS) servers inside your network, and create a firewall policy that allows public remote access servers to connect to the internal RADIUS servers on the RADIUS port only to authenticate users. Consider creating a separate domain for user accounts on the RADIUS server so that externally used account credentials are not valid on the interior of your network.

  • Secure Internet access requires virtual private network (VPN) connections so that remote users can get through your interior firewall, even if they've already authenticated with a dial-up or wireless access point. VPN provides strong encryption that will keep data secure in transit, and it provides machine authentication, which prevents hackers from reaching the interior of your network if they don't have valid machine certificates for your VPN.

    Remember that you must secure all clients that connect through your VPN. Use the same level of security you use for the interior of your network to prevent hackers from exploiting a VPN-connected client and then traveling through the VPN to attack the network.

Establishing Firewall Security

Once you have three of the four vectors handled by your firewalls and the direct attack vector handled by strong physical security, you can use firewall policy to secure your network against attack from all public sources. Firewalls are essential in creating a secure network architecture.

If you provide public services, you must have at least three security zones:

  • The public Internet (untrusted)

  • The perimeter network (semi-trusted)

  • The private network (trusted)

This three-zone infrastructure creates two borders: the border between the public and the perimeter network, and the border between the perimeter network and the private network. Each of these two borders must have a separate policy to allow data to flow through it. Perimeter security is usually accomplished using a two-stage firewall system: one stage allows access to public servers, and another stage prevents all access to the interior of your network.

The network between the public and private networks is called a perimeter network or a demilitarized zone (DMZ). The public side of the perimeter network is protected by a firewall that allows public access to the services you intend to provide, such as Web access. The private side of the perimeter network is protected by another firewall that allows only encrypted and authenticated protocols required for remote access and to allow public servers to exchange data with private servers. Figure 11.1 shows a diagram of a secure network architecture.

Figure 11-1. Providing public services requires three firewall policy zones

In Figure 11.1, you'll notice that the branch office does not require two firewalls. This is because the branch office provides no public services and therefore does not require a separate policy to allow access to public servers that would have to be enforced using a separate firewall.

The private network must be strongly blocked against servers in the perimeter network. It is not enough to protect perimeter network servers and then create policies that allow these servers wide access to the private network, because it's likely that servers in the perimeter network will someday be exploited by hackers who are able to gain administrative access to them. If your private-side firewall policy allows those servers wide access to your private network, hackers will be able to bounce through the perimeter network to the private side of the network. Policies that allow access on the private side of the firewall should be restricted to the specific protocols and machines that the public servers actually require access to. Servers in the perimeter network should never be linked to the domain, so that domain account information cannot be gleaned from them if they are exploited.
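The requirement that private-side policy be limited to specific protocols and machines can be checked mechanically. The following is an added example, not code from this book or from ISA Server: a Python audit over a constructed rule list. The rule format, the 10.0.0.0/24 perimeter range, the host addresses and the two-port limit are assumptions; only 192.168.241.0/24 comes from this lesson's practice.

```python
import ipaddress
from dataclasses import dataclass

# Address plan. The private range is the one used in this lesson's practice;
# the perimeter range is an assumption made for this example.
PRIVATE = ipaddress.ip_network("192.168.241.0/24")
PERIMETER = ipaddress.ip_network("10.0.0.0/24")


@dataclass(frozen=True)
class Rule:
    """Hypothetical, vendor-neutral 'allow' rule."""
    name: str
    src: str    # address or CIDR
    dst: str    # address or CIDR
    proto: str  # "tcp", "udp" or "any"
    ports: str  # "25", "1812-1813" or "any"


def port_count(ports):
    """Number of ports a rule opens; 'any' counts as the whole port space."""
    if ports == "any":
        return 65535
    low, _, high = ports.partition("-")
    return int(high or low) - int(low) + 1


def audit(rules, max_ports=2):
    """Return (rule name, finding) pairs for rules that admit traffic into the
    private network more broadly than 'specific protocols and machines'."""
    findings = []
    for r in rules:
        src = ipaddress.ip_network(r.src, strict=False)
        dst = ipaddress.ip_network(r.dst, strict=False)
        # Skip outbound rules and rules that never reach the private network.
        if src.subnet_of(PRIVATE) or not dst.overlaps(PRIVATE):
            continue
        if not src.subnet_of(PERIMETER):
            findings.append((r.name, "source is not confined to the perimeter network"))
        elif src.num_addresses != 1:
            findings.append((r.name, "source is a range, not one perimeter server"))
        if dst.num_addresses != 1:
            findings.append((r.name, "destination is a range, not one private server"))
        if r.proto == "any":
            findings.append((r.name, "protocol is not specified"))
        if port_count(r.ports) > max_ports:
            findings.append((r.name, "port range is wider than the service needs"))
    return findings


# Constructed sample policy for the private-side firewall.
SAMPLE_RULES = [
    Rule("smtp-relay", "10.0.0.25", "192.168.241.10", "tcp", "25"),
    Rule("radius-auth", "10.0.0.30", "192.168.241.5", "udp", "1812-1813"),
    Rule("web-to-lan", "10.0.0.0/24", "192.168.241.0/24", "any", "any"),
    Rule("web-to-db", "10.0.0.80", "192.168.241.20", "tcp", "any"),
    Rule("legacy-inbound", "0.0.0.0/0", "192.168.241.0/24", "tcp", "80"),
    Rule("outbound-web", "192.168.241.0/24", "0.0.0.0/0", "tcp", "80"),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES):
        print(f"{name}: {finding}")
```
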

Some firewalls, including Microsoft Internet Security and Acceleration (ISA) Server, allow you to create a virtual perimeter network by employing a third network adapter in the firewall with its own policy. The Internet is attached to one adapter, the private network to another, and the perimeter network to the third. These firewalls are frequently referred to as being tri-homed or as having DMZ support. These firewalls are just as effective as using two firewalls to enforce your public security policy as long as they are correctly configured. Some software-based firewalls such as ISA Server have no inherent limit to the number of interfaces you can use. However, because policy can be configured strictly based on IP addresses, it is usually not necessary to use more than three network interfaces in a single firewall. Figure 11.2 shows the same security problem as shown in Figure 11.1, but with configuration managed using a single perimeter network-based firewall.

Figure 11-2. Creating three security zones using a firewall with perimeter network support

Because the Internet doesn't require a logon, wireless access points located in a typical perimeter network can be exploited to gain Internet access. It has recently become popular for hackers to connect to wireless devices for a free Internet connection rather than attempting to break into the network that they serve.

To prevent this type of use, place RRAS dial-in servers and wireless access points in a fourth security zone that blocks both Internet access and private network access to users who have not established a VPN connection. Once hackers find that they can't easily reach the Internet, they'll stop using your resources and go elsewhere.

Even though exploiting dial-in and wireless servers for free Internet access is relatively harmless for your network, it doesn't mean that it's not a security issue. If hackers used your Internet connection to perpetrate an illegal attack against a third party, your IP addresses and network would appear in the audit logs of the attacked party and could make you or your company liable for the damages incurred.

What Are the Types of Firewall?

Firewalls come in two primary types: firewall routers and security proxies.

Firewall Routers

Firewall routers (also called device-based firewalls) provide a TCP/IP network-layer firewall by inspecting packets at the IP and TCP layers. Packets that don't conform to the protocol rules configured in the firewall are dropped. Because network-layer filtering is relatively simple, firewall routers typically do not include hard disk drives and are not based on general-purpose server computers. Cisco Systems routers with the firewall option are good examples of device firewalls (also called router-based firewalls).

Besides packet filtering, firewall routers typically provide Network Address Translation (NAT), which converts the IP addresses of packets from public addresses to private addresses that are unknown outside the private network as the packets flow through the router. While NAT does translate packet headers, it does not otherwise modify or regenerate the packets. Therefore, maliciously deformed packets designed by hackers to exploit some weakness in the TCP/IP protocol on interior machines might still get through NAT routers. NAT routers also modify packet headers, which is incompatible with Internet Protocol Security (IPSec) Authenticated Headers (AH) because the AH checksum will no longer match, meaning that IPSec cannot be used through firewalls that perform NAT. See Chapter 8, "IP Security" for more information about IPSec.

Security Proxies

Security proxies work by receiving client connections and interpreting them at the application layer, such as HTTP or SMTP. The proxy "stands in" for the server and receives the client's Web request as if it were the target Web server. It then regenerates the request on the Internet as if it were the client. When the real Web server returns the Web page, the proxy subsequently returns the page to the requesting client.

Because requests are regenerated on the security proxy, the proxy can filter the higher-level protocol for dangerous content and hacking exploits. For example, a security proxy can scrub characters usually exploited by hackers but rarely found in valid URLs, to ensure that buffer overruns are not being sent to the client from the Web server (or vice versa; security proxies can stand in front of Web servers to protect them as well). Also, because the TCP connections are completely regenerated, any malformed TCP/IP packets will be stopped at the security proxy and not passed to the interior of the private network.

Circuit-layer generic proxies (also called Socket, Windows Sockets or Winsock, or SOCKS proxies) are similar to application-specific proxies, except that they can proxy any TCP layer protocol without knowing what is contained within the TCP packets. These proxies work by receiving the TCP/IP stream on one interface and regenerating it on the other, rather than routing it through the TCP/IP stack. Unlike filtering or NAT firewalls, no original network-layer packets flow through, and the proxy itself must be configured as the destination. For example, to reach a Web server behind a filter, you would use the Web server's actual IP address, and the filtering router would inspect packets flowing through it, whereas with a circuit-layer proxy, the client would specify the proxy itself as the destination Web server, and the proxy would be configured to forward all traffic received on port 80 to an interior Web server.

Circuit-layer proxies are configured exactly like port forwarding on NAT firewalls, and the differences between them can be confusing. Circuit-layer proxies regenerate the TCP/IP packets completely, forwarding only the interior application-layer protocol intact. NAT firewalls, even when they are configured to forward ports, translate only IP addresses and port numbers in the packet header, so they don't eliminate network-layer malformation attacks.
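The difference is easiest to see in a working relay. The following is an added example, not code from this book or from ISA Server: a minimal circuit-layer relay in Python, run on loopback, showing that the interior server receives a new TCP connection originated by the relay and that only the application-layer bytes pass through unchanged. The function names, the request and the loopback addresses are assumptions made for the example.

```python
import socket
import threading

# Constructed request; the relay never parses it, it only moves the bytes.
REQUEST = b"GET / HTTP/1.0\r\nHost: www.example.test\r\n\r\n"


def pump(src, dst):
    """Copy the byte stream from src to dst until src signals end of stream."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)  # pass the end-of-stream on
    except OSError:
        pass


def start_relay(listen_addr, target, log):
    """Listen on listen_addr; for each client open a NEW TCP connection to
    target and relay only the payload. Each connection pair is appended to log."""
    listener = socket.create_server(listen_addr)

    def handle(client, client_peer):
        try:
            upstream = socket.create_connection(target, timeout=5)
        except OSError:
            client.close()
            return
        log.append({"client": client_peer, "upstream_source": upstream.getsockname()})
        back = threading.Thread(target=pump, args=(upstream, client), daemon=True)
        back.start()
        pump(client, upstream)
        back.join()
        client.close()
        upstream.close()

    def accept_loop():
        while True:
            try:
                client, peer = listener.accept()
            except OSError:
                return  # listener closed
            threading.Thread(target=handle, args=(client, peer), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener


def demo():
    """Run client -> relay -> interior server on loopback; report what each saw."""
    seen, log = {}, []
    interior = socket.create_server(("127.0.0.1", 0))

    def serve_once():
        conn, peer = interior.accept()
        conn.settimeout(5)
        request = b""
        while data := conn.recv(4096):
            request += data
        seen.update(peer=peer, request=request)
        conn.sendall(b"HTTP/1.0 200 OK\r\n\r\nhello from the interior server")
        conn.close()

    server_thread = threading.Thread(target=serve_once, daemon=True)
    server_thread.start()
    relay = start_relay(("127.0.0.1", 0), interior.getsockname(), log)

    # The client names the relay, not the interior server, as its destination.
    client = socket.create_connection(relay.getsockname(), timeout=5)
    client_addr = client.getsockname()
    client.sendall(REQUEST)
    client.shutdown(socket.SHUT_WR)
    reply = b""
    while data := client.recv(4096):
        reply += data
    client.close()
    server_thread.join(5)
    relay.close()
    interior.close()
    return {"client_addr": client_addr, "relay_log": log[0],
            "server_saw_peer": seen["peer"], "server_saw_request": seen["request"],
            "reply": reply}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The interior server's peer address is the relay's own upstream socket; the client's TCP connection ends at the relay, so none of its TCP/IP headers reach the interior.
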

Modern security proxies often include the functionality of device-based firewall routers and can be configured as either network-layer or application-layer firewalls. In fact, most allow you to configure either circuit-layer proxying or NAT, two ways to achieve the same functionality at different layers. If routing is enabled on the security proxy (which is required for NAT), it can operate as a network-layer firewall. Microsoft ISA Server and Symantec Enterprise Firewall are good examples of security proxies.

If you configure a security proxy to act as a network-layer firewall, you might unintentionally reduce the security of the firewall by allowing malformed TCP/IP packets through. Always proxy protocols at the application or circuit layer if possible, and if you run into protocols that must be routed through at the network layer, consider replacing them rather than reducing your security posture.

In the two-stage firewall system, network-layer firewalls are appropriate for the public-side firewall system, where their simplicity and speed provide a strong defense against most denial of service attacks. Security proxies are a good choice for private-side firewalls for two reasons: they can perform much more rigorous security checking on protocols, and their network interface, which is not as secure against attack as a firewall router's because it uses the standard protocol stack of a general-purpose operating system, can be protected by the public-side firewalls.

It is also common to use the private-side firewall as the endpoint for VPN connections originating on the Internet. VPNs are discussed in Chapter 9, "Remote Access and VPN."

Using ISA Server

Microsoft ISA Server is an excellent example of a security proxy and a strong Internet firewall. As with all firewalls designed to run on general-purpose computers, you must ensure that the firewall is configured correctly and does not expose any services that could be exploited to take control of the firewall. The setup wizard does a good job of performing this function, as you will see in the practice for this lesson.

The default configuration of ISA Server (suggested by the setup wizard) is to allow all outbound access. While this default setting is common to most firewalls, it allows considerably more access than you will probably need and could allow Trojan horses embedded in viruses or downloaded executables to connect back to hackers from the interior of your network.

You should treat outbound connections just like inbound connections: scrutinize the need for the protocol and allow only those protocols that have a valid purpose. This can be done easily in ISA Server by disabling routing and using application-layer proxy services to move protocols through the firewall.

ISA Server can be configured as a protocol proxy for HTTP, SMTP, POP3, and FTP, and as a circuit-layer proxy for almost any other TCP protocol. Furthermore, ISA Server can be configured as a firewall router with packet filtering and NAT. However, as with all security proxies, ISA Server is most secure when routing is disabled and circuit-layer proxying is used to forward protocols through it.

Practice: Configuring a Firewall

In this practice, you configure a private-side firewall to protect a private network. This practice presumes that a public-side firewall already exists to keep network-layer hacking attempts at bay, creating a perimeter network between the public-side firewall and the private-side firewall that will be used to secure public servers in subsequent lessons.

You will implement the following specific policy:

  • All inbound connection attempts should be dropped.

  • All outbound connection attempts should be allowed.

This policy is very typical of a baseline firewall policy and is a good starting point for most businesses. For organizations that have unusually strict security policies, consider starting with all connections dropped both ways and loosening outbound restrictions on a per-protocol basis. You will extend this policy in later lessons to provide connectivity through the firewall for perimeter network servers.

Exercise 1: Installing and Configuring ISA Server

In this exercise, you install ISA Server on a newly installed Windows 2000 Server computer named ISA, which is not a member of the domain. The computer has two network adapters, named Public (with an IP address of 10.0.0.90) and Private (with an address of 192.168.241.90).

To install Microsoft ISA Server

  1. Start the ISA Server 2000 setup program.

    The setup program will unpack numerous files. The ISA Server installation screen appears, as shown in Figure 11.3.

    Figure 11-3. The ISA Server Setup screen

  2. Click Install ISA Server. The Microsoft Internet Security And Acceleration Server Enterprise Edition Setup dialog box appears.

  3. In the Microsoft ISA Setup dialog box, click Continue.

  4. When the Microsoft Internet Security And Acceleration dialog box requests a CD Key, type in your ISA Server key. If you have downloaded the evaluation edition, the key is provided during step 5 of the download process.

  5. Click OK. The Microsoft ISA Server Setup dialog box shows your product key.

  6. Click OK. The Microsoft ISA Server Setup dialog box presents the EULA.

  7. Click I Agree. The Microsoft ISA Server Setup dialog box appears.

  8. Click Typical Installation. The Microsoft ISA Server Setup mode dialog box appears, as shown in Figure 11.4.

    Figure 11-4. The ISA mode page sets the fundamental operating mode of the firewall

  9. Select Integrated Mode, and click Continue. The Microsoft Internet Security And Acceleration Server Setup drive cache dialog box appears.

  10. Click the C Drive, type 100 in the Cache Size box, click Set, and click OK.

    If you have other physical drives, you might want to place the cache on them to improve system performance.

    The Microsoft Internet Security And Acceleration Server Setup dialog box appears asking you to enter the IP range of the Internal network.

  11. Type 192.168.241.0 in the From box, and 192.168.241.255 in the To box. Click Add; the dialog box will look like Figure 11.5.

    Figure 11-5. Configuring the Private Network range allows ISA Server to automatically determine security zones

  12. Click OK. A setup progress indicator appears, showing the file installation progress.

  13. When file installation finishes, the Launch ISA Management Tool dialog box appears. Click OK.

  14. The Microsoft ISA Server Setup dialog box indicates that setup completed successfully. Click OK.

  15. The ISA Management console displays the Getting Started page as shown in Figure 11.6.

    Figure 11-6. The Welcome page of the ISA Getting Started Wizard

To configure ISA Server

  1. In the Welcome page of the ISA Management console Getting Started Wizard, click Configure Protocol Rules. The Configure Protocol Rules page appears, as shown in Figure 11.7.

    Figure 11-7. Configuring protocol rules

  2. Click Create A Protocol Rule For Internet Access. The New Protocol Rule Wizard appears as shown in Figure 11.8.

    Figure 11-8. The New Protocol Rule Wizard

  3. Type Outbound Web Access in the Protocol Rule Name box, and click Next. The Protocols page appears.

  4. In the Protocols list, select HTTP and HTTPS, and clear FTP, FTP Download Only, and Gopher. These settings restrict which protocols you allow to pass through the firewall. Click Next. The Schedule page appears.

  5. In the Use This Schedule box, select Always, and click Next. The Client Type page appears.

  6. Select Any Request under Apply The Rule To Requests From, and click Next.

  7. Click Finish to close the New Protocol Rule Wizard. A protocol rule appears in the Available Protocol Rules list box.

  8. In the right-hand pane of the ISA Management console, click Secure Server. The Secure Server page appears as shown in Figure 11.9. You use this page to create appropriate host security for various roles.

    Figure 11-9. The Secure Server page

  9. Click Secure Your ISA Server Computer. The ISA Server Security Configuration Wizard appears.

  10. Click Next. The Select System Security Level page appears.

  11. Select Dedicated, and click Next.

  12. On the Congratulations page, click Finish. The ISA Security Configuration page will appear, and it might take several minutes to configure security on the server.

  13. The ISA Server message appears informing you that the server must be restarted for the new security settings to take effect. Click OK to continue.

  14. In the ISA Management console, click Configure Firewall Protection. The Configure Firewall Protection page appears, as shown in Figure 11.10. Use this page to configure firewall protection to strengthen the ISA server against network-layer attacks.

    Figure 11-10. Configuring firewall protection

  15. Click Configure Packet Filtering And Intrusion Detection. The IP Filters Properties dialog box appears.

  16. In the dialog box, select both the Enable Packet Filtering check box and the Enable Intrusion Detection check box.

  17. In the dialog box, click the Packet Filters tab, and select the Enable Filtering Of IP Fragments check box.

  18. Click the Intrusion Detection tab, as shown in Figure 11.11.

    Figure 11-11. Configuring Intrusion Detection options

  19. Select all of the available options, and click OK.

  20. In the ISA Management console, click Finish. The ISA Welcome page appears.

  21. Restart the server to allow the security settings to take effect.

Lesson Review

The following questions are intended to reinforce key information in this lesson. If you are unable to answer a question, review the lesson and try the question again. Answers to the questions can be found in the appendix.

  1. Why is it difficult to protect public servers?

  2. Are all hacking attempts serious?

  3. What is the most important attack vector to defend against and why?

  4. What is a perimeter network?

  5. What are the primary types of firewalls that are available?

Lesson Summary

  • Internet security basics are similar to any security problem:

    • Reduce the scope of the problem as much as possible by restricting access to only what is necessary to meet requirements.

    • Strengthen security for those services that must be provided, authenticate all participants, and vigilantly monitor activities to ensure that attacks are detected as early as possible.

  • Attacks are common and constant on the Internet. The real problem is determining which attacks are merely random and which indicate a serious attempt to access your network in a manner that would be damaging.

  • There are three primary types of attacks: denial of service attacks that interrupt service but do not compromise information, exploitation attacks that gain access by exploiting bugs, and impersonation attacks that gain access by masquerading as legitimate users.

  • There are four primary vectors for attack: direct intrusion through physical access, through dial-up, through wireless connection, and through the Internet. When you've implemented strong physical security and placed wireless and dial-up access points outside your firewall, you need to concern yourself only with Internet security. Firewalls are used to protect against attacks stemming from the Internet.

  • For those who must provide public Web server and e-mail server access, Internet security is not simple. You must establish three zones of security: the untrusted Internet, the semi-trusted public server zone, referred to as a perimeter network, and the trusted private network. A firewall is required at the boundaries between each of these networks, by using either two physical firewalls or a single, tri-homed perimeter network firewall.

  • Firewalls come in two primary types: device-based firewall routers that inspect packets at the TCP/IP layer, and security proxies that inspect data at the application (Web, e-mail) layer. VPN endpoints are frequently configured on firewalls to connect networks together securely at their borders.



MCSA/MCSE Self-Paced Training Kit (Exam 70-214): Implementing and Administering Security in a Microsoft Windows 2000 Network (Pro-Certification)
ISBN: 073561878X
EAN: 2147483647
Year: 2003
Pages: 82