安全生产-网络安全培训课程

SEC400:

Windows®2000/WindowsXP

网络平安

张执玉

系统工程师

微软〔中国〕大纲企业网络客户端威胁和防范InternetconnectionfirewallIPsecurity企业网络客户端LargegroupsoftrustedusersandcomputersTypically…InsecuresystemsUsedbytrustedusersUsersarelocaladministratorsLittlecentralcontroloversecurityUsersinstalluntrusted,possiblyinfectedsoftwareMobile–connecttomanypublicnetworks,thenbacktobusinessnetwork企业网络客户端“Ourfirewallwillprotectus〞Wrong!NoprotectionfrominternalsystemsWhere’sthedefenseindepth?Infectede-mailspreadseasilywithinBack-doorTrojansleapfrommachinetomachineOftenconnectedtopublic

networksdirectlyTrojansAndViriiDeliveredthroughe-mailorinfectedprogramsRunasloggedonuserVerybadifit’sacorp-trusteduser!DeadlyifuserislocaladminSendpersonaldatatoattackersIdentitytheftofuserIDandpasswordSensitivedatatheftSendmaliciousdatatoattackothersOpenholesforaccessfromInternetEnableattackertocontrolyourPCEnableyourmachinetostoreandserve“bad〞data系统平安危机AttackeraccessfromInternetPortscanisn’tanattack,butprobingforweaknesses,oncein:RunscriptsscanningforknownweaknessesStealyourdata,passwordsInfectyourcomputerwithtrojansto

spreadinfectionBackupswon’thelpifnot“clean〞NetworktrafficisvisibleNetworkaddresses,e-mail,WebpageURLs,Webpagecontent,datafiles,passwordformsPassivecollectionleadstodatabasetrackingPortScan防范DefenseindepthNetworkPlatformApplicationUsersDefinepoliciesWithoutthese,everythingelseisuselessTestenforcementMonitoradherence防范Principleofleastprivilege(POLP)Usersaren’tlocaladministratorsTrustthosewhoareadmins,thoughConfiguretrustrelationshipsonlywherethereisabusinessneedAppropriateaccesslistsandrights,againfollowingbusinessneeds防范TrustedplatformfortrustedusersAnti-virusprogramsUp-to-datepatchesandservicespacksAdministrator-managedandsecuredClientmachinesjoinedtoWindows2000orWindowsXPDomainmakesclientadminscalableUsersarepowerusersandmaybenetworkoperators(WindowsXP),don’tloginwithadministratorrights防范防止不必要的网络访问Perimeterprotection(firewalls,routers)End-systemfirewallAuthenticated,authorized

networkconnectionsTousenetwork–802.1x(seewirelesstalk)IPsecurityOutboundrestrictions,tooEndsystemfilteringwithIPSecPerimeterfiltering防范经过保护的通信DigitallysignandencryptApp:SSL/TLSconnectionsAdmin:IPSectransportmodeAdmin/User:VPNTunnels–PPTP,L2TP/IPSecMaylimitabilitytoinspect,butcanyoureally?AnonymousaccessisfineforpublicinformationConsiderwhat’struly“public〞Ifyouhavetologontogetinfo,thenit’snot“public〞WindowsXP

InternetConnectionFirewallAddressesthreatofun-solicited

networkaccessInternetConnectionFirewallInWindowsXPHome,WindowsProfessional,WindowsServerEnabledonaper-interfacebasisDropsallIPunicasttrafficinboundExemptsmulticast,broadcastUnlessamappingexistsNo“danger〞dialogsUsersdon’tunderstandUsersunabletotakeactionInternetConnectionFirewallStatefulper-connectionflowentryUsessourceanddestinationportsonoutboundconnectiontocreateflowentryConnectionsclosedbyTCP:ACK-FINandRSTUDP:Time-outICF激活要点Outofboxexperience(OOBE)WizardOnfirst-bootonHomeEditionNetworksetupwizardSetsuphomeandsmallofficenetworksAvailableonHomeandProfessionalNewconnectionwizardEnabledbydefaultforDUN,PPPoEOptiontoenableonVPNNetworkconnectionsfolderPropertiessheetofnetworkconnectionICF使用场景HomeEnableonsinglePCdirectlyconnectedtotheInternetviabroadbandEnabledwhenInternetConnectionSharingusedforhomenetworkingBusinessandmobileGrouppolicyflagcandisableforenterpriseLocationawarenessallowsusertotakelaptopandprotectitwhileoutside

theofficeICF效劳选项AllowsuserswhorunservicesonlocalPCorhomenetworktocreateportmappingsProvidesetof

pre-definedservicesUsercancreatenewmappingsICF日志选项NologgingbydefaultOptiontologunsuccessfulconnectionsOptiontologsuccessfulconnectionsOptionforlogfilename,location,

andsizeICFICMP选项DisabledICMPoptionsType3Type4Type5Type8Type10Type11Type12Type13Type17ICFProtectionWindows2000和

WindowsXP

Internet协议平安Addressesthreats:Un-solicitednetworkaccessPassiveinterceptionofsensitivenetworktrafficTrustedusershavingtoomuchnetworkaccessIPSec功能IPPacketFilteringPermit,block,negotiatesecuritySecurecommunicationMutualauthenticationSenderandreceiverknoweachother,trustPacketconfidentiality=EncryptionOnlysenderandreceiverknowcontentsPacketintegrity=CryptographicChecksumTamperedpacketsarediscardedAdministrativelyappliedbelowapplicationsNochangeinapplicationsneededNochangeinnetworkneeded,exceptportfilters如何应用IPSecNetworkadministratordesignsagroupofconfigurationsettingsCalledan“ipsecpolicy〞NeedtounderstandIPtrafficrequiredbyapplications,

bysystemLikeafirewallorrouterACLUsetheIPSecpolicymanagementMMCsnapinUse“LocalSecurityPolicy〞tocreatestaticpoliciesstoredinregistryUseActiveDirectory™grouppoliciesfor

centralizedmanagementUseIPSECPOL.EXE(Windows2000)orIPSECCMD.EXE(WindowsXP)tocreatestaticanddynamicpoliciesatcommandlineWindowsXP

TCP/IP

架构IPPacketFilterdriverIPHOOKDriver(DDK)TCPRawICMPUDPWinSockWinsockLayered

ServiceProvidersIPSecFilters,TransportandTunnelOffload:TCPchecksum,largesend,IPSecIPFrag/ReassemblyPPTPL2TPLAN/WANminiportsVPN=PPP

virtualinterfacesIPHOOKcalloutRRASUI,andMPR,IPHLPAPIfilterAPINATandICFPPPTCP/UDP/IPConnectionUIFiltersTCPIPStackNetmon

SniffDriverAPPLICATIONIPSec包过滤FiltersforallowedandblockedtrafficNoactualnegotiationofIPSecsecurityassociationsOverlappingfilters–mostspecificmatch

determinesactionDoesnotprovidestatefulfilteringExample:Toopenonlyport80ontheIIS:FromIPToIPProtocolSrcPortDestPortActionAnyMyInternetIPAnyn/an/aBlockAnyMyInternetIPTCPAny80PermitAD同步端口ServicePort/protocolRPCendpointmapper135/tcp,135/udpNetBIOSnameservice137/tcp,137/udpNetBIOSdatagramservice138/udpNetBIOSsessionservice139/tcpRPCdynamicassignment1024-65535/tcp[1]SMBoverIP(Microsoft-DS)445/tcp,445/udpLDAP389/tcpLDAPoverSSL636/tcpGlobalcatalogLDAP3268/tcpGlobalcatalogLDAPoverSSL3269/tcpKerberos88/tcp,88/udpDNS(ifrequired)53/tcp[2],53/udpWINSresolution(ifrequired)1512/tcp,1512/udpWINSreplication(ifrequired)42/tcp,42/udp

Packet/PortFilteringIsn’tSufficientToProtectServerFromIP1toIP2,UDP,src*,dst88/389FromIP2toIP1,UDP,src88/389,dst*FromIP2toIP1,TCP,src*,dst135FromIP1toIP2,TCP,src135,dst*SpoofedIPpacketscontainingqueriesormaliciousjunkcanstillreachopenportsthroughFWIP1toIP2,UDP,src*,dst88/389,…Manyhackertoolsexisttousesourceports80,88,135,etctoconnecttoanydestinationportFromIP2,toIP1,UDP,src88/389,dst88/389IPSecServerToServer“Lockdown〞IPSecDriverfiltersRequireIPSecto/fromMeandSeattleSiteIPs;Trust“MyCARoot〞onlyRequireIPSecto/fromMeandLondonSiteIPs,allIPtraffic;Trust“MyCARoot〞onlyNosendun-secured(fallbacktoclear)Noreceiveun-securedAction:IPSecESP3DES/SHA1,rekeysessionsevery1houror100MbytesIKESAnegotiationUDPport500IPSecESPEstablishedIPSecDriverfiltersIKEcertcertIKESeattleSiteLondonSiteIPSecWithInternetKeyExchange

SendingpacketsinitiatessecurityInternetKeyExchange(IKE)-IdentityProtectMode–definedinRFC2409Phase1“MainMozde〞establishesIKESA–trustedchannelbetweensystems,negotiationestablishesencryptedchannel,mutualtrust,anddynamicallygeneratessharedsecretkey(“master〞key)Phase2“QuickMode〞establishesIPSecSAs–fordataprotection,oneSAforeachdirectionidentifiedbypacketlabel(SPI),algorithmsandpacketformatsagreed,generatesshared“session〞secretkeysderivedfrom“master〞keyNICTCPIPApplicationServerorGatewayIPSecDriverfiltersIPSecPolicyAgentIKE(ISAKMP)IPSecDriverIPSecPolicyAgentIKE(ISAKMP)NICTCPIPfiltersApporServiceclient“IKEResponder”“IKEInitiator”UDPport500negotiation1IKESA2IPSecSAsIPprotocol50/51IPSecAuthenticationHeader(AH)InTransportModeDataTCPHdrOrigIPHdrDataTCPHdrAHHdrOrigIPHdrNextHdrPayloadLenRsrvSecParamIndexKeyedHashIntegrityhashcoverage(exceptformutablefieldsinIPheader)Seq#24bytestotalAHisIPprotocol51InsertIPSecEncapsulatingSecurityPayload(ESP)InTransportModeDataTCPHdrOrigIPHdrDataTCPHdrESPHdrOrigIPHdrESPTrailerESPAuthUsuallyencryptedintegrityhashcoverageSecParamIndexPaddingPadLengthNextHdrSeq#KeyedHash22-36bytestotalInitVectorESPisIPprotocol50InsertAppendIPSecESPTunnelModeDataTCPHdrOrigIPHdrESPTrailerESPAuthUsuallyencryptedintegrityhashcoverageDataTCPHdrESPHdrIPHdrIPHdrNewIPheaderwithsourceanddestinationIPaddressIPSecLockdownConnectionServerToServerIPSec“ServerInitiated〞ConnectionsForInternalServersActiveDirectoryKeyDistribution

Center(KDC)Windows2000domaincontrollerApplicationIPSecDriverfiltersClient(RespondOnly)PolicyCustomSecureServerPolicy“Securefrommetoanydestination,allunicasttraffic;Acceptunsecured;Trustdomainmember〞“Sendinclear,securetrafficonlyifrequested;Trustdomainmembers〞TGTTGTIKESAnegotiationUDPport500SessionTicketticketIPSecSAsEstablishedServerconfignotforInternetuse!IPSec性能IPSecprocessinghassomeperformanceimpactIKEnegotiationtime–about2-5secondsinitially5roundtripsAuthentication–KerberosorcertificatesCryptographickeygenerationandencryptedmsgsButdoneonceper8hoursbydefault,settableSessionrekeyisfast–<1-2seconds,2roundtrips,onceper

hour,settableHowtoimprove?OffloadingNICsdoIPSecalmostatwirespeed~85-92Mbits/sec3DESfor100MbitEthernetcardFasterCPUsConclusionIPSecperformanceimpactisusuallynegligibleBestforservertoserverorclienttoserverprotecteddatatransfersIPSec硬件加速器IPSecper-packetencryptionhaswire-speedhardwareaccelerationfor

10/100EthernetClient/Svrcardsretail$100-130USD3CR990-TX-97(3DESdesktopNIC)3CR990-TX-95(DESdesktopNIC)3CR990SVR97(3DESserverNIC)3CR990SVR9597(DESserverNIC)3C990B-TXM(DES/3DESDesktopNIC)3C990BSVR(DES/3DESServerNIC)IntelShipping::///network/products/

Intel®PRO/100SDesktopAdapterIntel®PRO/100SServerAdapterIntel®PRO/100SRMobileAdapter(PCMCIA)Intel®PRO/100SRComboMobileAdapter(PCMCIA)Intel®PRO/100SPMobileAdapter(PCMCIA)Intel®PRO/100SPComboMobileAdapter(PCMCIA)XPIPSec性能的增强DoublednumberofnewSAsperminuteReliabledeletehandlinginIKEDoubledpacketfilteringspeed(throughput)ClientLDAPretrievalofADpolicy5timesfasterthanWindows2000BothInteland3Com32bitx8610/100EthernetoffloadsupportshippingintheboxWindowsXP管理的增强IPSecmonitorsnapinprovidesdetailedviewwithDNSnamesforIPsIpseccmdcommandlinein\system32NetdiagshowsmoregrouppolicydetailMoredetailedstats