Microsoft Presentation Classic Clip Diagrams 1


Basic ISA 2000 rules
▪ Protocol rules
▪ Site and Content rules
▪ Static packet filters
▪ Publishing rules
▪ Web publishing rules
▪ Selected filtering configuration
Monitoring
Application Pools
X

HTTP
TCP/IP
Queue
Request Response
Cache
What is Remote Access Quarantine?
Remote access client authenticates
RAS client placed in Quarantine
Products, tools automation
People who understand their roles and responsibilities
Patch Management Process
1. Assess
2. Identify
▪ Inventory computing assets
reported
and patch released code created
Patch developed
No Exploit
Patch reverse engineered
Begin race to protect and patch systems before attack is launched
3 Scans target systems for OS, OS components, and applications
4 Parses MSSecure to see if updates are available
5 Checks if required updates are missing
6 Generates time-stamped report of missing updates
Detailed Quarantine Process
RAS Client
Internet
Quarantine RRAS Server
IAS Server
Connect Authenticate
Quarantine Access Policy Check Result
Full Access
Authorize
Destination network Destination IP Destination site
action on traffic from user from source to destination with conditions
Protocol IP Port / Type
Source network Source IP Originating user
Exploit
Worm or virus launched; infects unprotected or unpatched systems
MBSA – How It Works
1 Run MBSA on Admin system, specify targets
2 Downloads CAB file with MSSecure.xml and verifies digital signature
Windows Download Center
MSSecure.xml
MSSecure.xml contains:
▪ Security bulletin names
▪ Product-specific updates
▪ Version and checksum info
▪ Registry keys changed
▪ KB article numbers
▪ Etc.
Monitored Servers
Events subject to tampering
Collector
SQL
Forensic Analysis
Events under control of auditors
Exploit Timeline
Vulnerability Security bulletin Worm or virus
Internet DMZ_1
DMZ_n
ISA 2004
VPN CorpNet_1
Local Host Network
CorpNet_n
Net A
Rule Structure & Policy Mapping
Allow Deny
Any user Authenticated users Specific User/Group
SMTP Filter
RPC Filter
DNS Filter
Application Filter API
Policy Engine
Kernel mode data pump: Performance optimization
3
Firewall service
2
TCP/IP Stack
4
Firewall Engine
Other ISA 2000 rules
Address translation rules Web routing rules
Published server Published web site Schedule Filtering properties
Firewall policy
Configuration policy
Quarantine VSA + Normal Filters
Remove Quarantine
ACS Architectural Overview
Monitored Clients
Management System
WMI
Real-Time Intrusion Detection Applications
Request Response
DLLHOST.exe DLLHOST.exe
IIS 6.0 Request Processing
Inetinfo
FTP
NNTP SMTP
XML Metabase
User mode Kernel mode
IIS 6.0
WWW Service
Administration &
2. Identify
▪ Discover new updates

Single outbound policy
NAT always
Static filtering from DMZ to Internet
Internal Network
Static PF
DMZ 1
ISA Server 2004 Networking Model
▪ Any number of networks
▪ VPN as network
▪ Localhost as network
▪ Assigned relationships (NAT/Route)
▪ Per-Network policy
▪ Packet filtering on all interfaces
▪ Support for DoD
▪ Any topology, any policy
NDIS
1
App Filter
User Mode Kernel Mode
Packet layer filtering
IIS 5 Request Processing
User mode Kernel mode
INETINFO.exe
FTP NNTP
X Metabase
X
SMTP
WinSock AFD TCP/IP
ISA Server 2004 Architecture
Application layer filtering
Policy Store
Web filter
Web filter
Web Filter API (ISAPI)
Web Proxy Filter
Protocol layer filtering
▪ Data: ACLs, encryption, EFS
▪ Application: Application hardening, antivirus
▪ Host: OS hardening, authentication, patch management, HIDS
▪ Internal Network: Network segments, IPSec, NIDS
▪ Perimeter: Firewalls, Network Access Quarantine Control
▪ Physical Security: Guards, locks, tracking devices
1. RAS client fails policy check
2. Quarantine timeout Reached
RAS client meets Quarantine policies
RAS client disconnected
RAS client gets full access to network
MBSA Computer
Defense In Depth
Using a layered approach
Increases attacker’s risk of detection Reduces attacker’s chance of success
Policies, Procedures, & Awareness
Diagrams section
RADIUS Authentication
Federation through RADIUS proxies
Can be used for centralized authentication services
Domain membership not required
Great for DMZ placement
Back-end Server
ISA Server 2000 (Old) Networking Model
Fixed zones
“IN” = LAT
Internet
“OUT” = DMZ, Internet
Packet filter only on external interfaces
ISA 2000
Security documents, user education
Requirements For Successful Patch Management
Project management, Patch management process
Effective Processes
Effective Tools and Operations Technologies
Corpnet
HTTP/SSL basic auth.
HTTP/SSL request, sent to server
Web Client (Browser, HTTP client)
Internet
1
2
Firewall Server RADIUS request
3 RADIUS Server (IAS)
▪ Assess your software distribution
▪ Obtain patch, confirm it is safe
3. Evaluate and Plan
4. Deploy