Microsoft Presentation Classic Clips: Diagram Examples - 1

3 Scans target systems for OS, OS components, and applications
4 Parses MSSecure to see if updates are available
5 Checks if required updates are missing
6 Generates time-stamped report of missing updates
Requirements For Successful Patch Management
Effective Processes: project management, patch management process
Effective Tools and Operations Technologies
Security documents, user education
SMTP Filter
RPC Filter
DNS Filter
Application Filter API
Policy Engine
Kernel mode data pump: Performance optimization
3
Firewall service
2
TCP/IP Stack
4
Firewall Engine
NDIS
1
App Filter
User mode / Kernel mode
Packet layer filtering
IIS 5 Request Processing
User mode / Kernel mode
INETINFO.exe
FTP NNTP
X Metabase
X
SMTP
WinSock AFD TCP/IP
Request Response
DLLHOST.exe DLLHOST.exe
IIS 6.0 Request Processing
Inetinfo
FTP
NNTP SMTP
XML Metabase
User mode / Kernel mode
IIS 6.0
WWW Service
Administration &
Exploit Timeline (continued)
Vulnerability reported
Patch developed
Security bulletin and patch released
No exploit
Patch reverse engineered
Exploit code created
Begin race to protect and patch systems before attack is launched
Monitoring
Application Pools
X

HTTP
TCP/IP
Queue
Request Response
Cache
What is Remote Access Quarantine?
Remote access client authenticates
RAS client placed in Quarantine
Quarantine VSA + Normal Filters
Remove Quarantine
ACS Architectural Overview
Monitored Clients
Management System
WMI
Real-Time Intrusion
Detection Applications
ISA Server 2004 Architecture
Application layer filtering
Policy Store
Web filter
Web filter
Web Filter API (ISAPI)
Web Proxy Filter
Protocol layer filtering
MBSA Computer
Defense In Depth
Using a layered approach
Increases attacker’s risk of detection
Reduces attacker’s chance of success
Policies, Procedures, & Awareness
Exploit: worm or virus launched; infects unprotected or unpatched systems
MBSA – How It Works
1 Run MBSA on Admin system, specify targets
2 Downloads CAB file with MSSecure.xml and verifies digital signature
Corpnet
HTTP/SSL basic auth.
HTTP/SSL request, sent to server
Web Client (Browser, HTTP client)
Internet
1
2
Firewall Server RADIUS request
3 RADIUS Server (IAS)
Data: ACLs, encryption, EFS
Application: application hardening, antivirus
Host: OS hardening, authentication, patch management, HIDS
Internal Network: network segments, IPSec, NIDS
Perimeter: firewalls, Network Access Quarantine Control
Physical Security: guards, locks, tracking devices
Detailed Quarantine Process
RAS Client
Internet
Quarantine RRAS Server
IAS Server
Connect Authenticate
Quarantine Access Policy Check Result
Full Access
Authorize
Assess your software distribution
Obtain patch, confirm it is safe
Other ISA 2000 rules
Address translation rules Web routing rules
Published server Published web site Schedule Filtering properties
Firewall policy
Configuration policy
Products, tools automation
People who understand their roles and responsibilities
Patch Management Process
1. Assess
2. Identify
Inventory computing assets
Monitored Servers
Events subject to tampering
Collector
SQL
Forensic Analysis
Events under control of auditors
Exploit Timeline
Vulnerability Security bulletin Worm or virus
Internet DMZ_1
DMZ_n
ISA 2004
VPN CorpNet_1
Local Host Network
CorpNet_n
Net A
Rule Structure & Policy Mapping
Allow Deny
Any user Authenticated users Specific User/Group
1. RAS client fails policy check
2. Quarantine timeout Reached
RAS client meets Quarantine policies
RAS client disconnected
RAS client gets full access to network
Single outbound policy
NAT always
Static filtering from DMZ to Internet
Internal Network
Static PF
DMZ 1
ISA Server 2004 Networking Model
Any number of networks
VPN as network
Localhost as network
Assigned relationships (NAT/Route)
Per-Network policy
Packet filtering on all interfaces
Support for DoD
Any topology, any policy
Back-end Server
ISA Server 2000 (Old) Networking Model
Fixed zones
“IN” = LAT
Internet
“OUT” = DMZ, Internet
Packet filter only on external interfaces
ISA 2000
2. Identify
Discover new updates
Windows Download Center
MSSecure.xml
MSSecure.xml contains:
Security bulletin names
Product-specific updates
Version and checksum info
Registry keys changed
KB article numbers
Etc.
Part 3: Diagrams
RADIUS Authentication
Federation through RADIUS proxies
Can be used for centralized authentication services
Domain membership not required
Great for DMZ placement
Action on traffic from user, from source, to destination, with conditions
Source: source network, source IP, originating user
Protocol: IP, port / type
Destination: destination network, destination IP, destination site
Basic ISA 2000 rules
Protocol rules
Site and Content rules
Static packet filters
Publishing rules
Web publishing rules
Selected filtering configuration