Windows Firewall Applied
Rob Vinson – ISPO Security Architect
Dan Metzler – ITS-EI Windows Systems Architect
March 2012

Agenda
Basic concepts – a quick review
Firewall Profiles
Network Location Awareness (NLA)
Rule generation and validation

Stateful Firewall - Basics
Rules are for the traffic that initiates a connection/session
Subsequent traffic belonging to that connection/session is allowed through
Example allow rule for HTTP: 10.0.0.1 -> 10.0.0.2:80
The response traffic 10.0.0.2:80 -> 10.0.0.1 is automatically allowed

Application Firewall - Basics
Based on the application/program creating the network communication socket.
Example allow rule:
any -> instant_messenger.exe
Allows any host to communicate to ports opened by instant_messenger.exe
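The two allow rules from the stateful and application slides, written as netsh advfirewall commands driven from PowerShell. This is an added example, not the presenters' code: the rule names, the domain profile and the instant_messenger.exe path under C:\Program Files\IM are assumptions; the 10.0.0.x addresses are the slides' own.

```powershell
# Added example (not from the slides). Creates the two "Basics" allow rules
# with netsh advfirewall; without -Apply the commands are only printed.
# Assumed: rule names, profile=domain and the program path.
function New-BasicsExampleRule {
    param([switch]$Apply)

    $rules = @(
        # Stateful example: 10.0.0.1 -> this host:80. Only the initiating
        # direction needs a rule; the firewall tracks the session and lets
        # the reply traffic (this host:80 -> 10.0.0.1) back out by itself.
        @('advfirewall', 'firewall', 'add', 'rule',
          'name=Allow HTTP from 10.0.0.1', 'dir=in', 'action=allow',
          'protocol=TCP', 'localport=80', 'remoteip=10.0.0.1',
          'profile=domain'),
        # Application example: any -> instant_messenger.exe. The scope is the
        # program, so every port that process listens on becomes reachable
        # from any remote address; narrow remoteip= once the peers are known.
        @('advfirewall', 'firewall', 'add', 'rule',
          'name=Allow instant_messenger.exe', 'dir=in', 'action=allow',
          'program=C:\Program Files\IM\instant_messenger.exe',
          'remoteip=any', 'enable=yes')
    )

    foreach ($argv in $rules) {
        if ($Apply) {
            # Splatting passes each array element as one argument, so
            # "name=Allow HTTP from 10.0.0.1" reaches netsh intact.
            & netsh.exe @argv
            if ($LASTEXITCODE -ne 0) {
                Write-Warning ('netsh failed: ' + ($argv -join ' '))
            }
        } else {
            $quoted = $argv | ForEach-Object { if ($_ -match ' ') { '"' + $_ + '"' } else { $_ } }
            'netsh ' + ($quoted -join ' ')
        }
    }
}

New-BasicsExampleRule            # dry run: print the two commands
# New-BasicsExampleRule -Apply   # elevated session: create the rules
```

The dry-run form is the one to keep in change tickets; the same argument arrays can be replayed with `-Apply` on the host once the request is approved.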

Profiles
Allow different firewall rules to be applied in different environments
Domain – Corporate Environment
Private – Trusted/home network
Public – Coffee Shops, Airport, etc.

Settings - Profiles
Allow outbound connections by default.
Inbound connections are allowed if there is an allow rule that matches the connection
Public profile – Network discovery is off

How Profiles are Chosen
Network Location Awareness (NLA)
Domain Profile – Computer can reach Domain Controller
Private/Public Profiles – Pop-up window asks which to apply
More info: http://blogs.technet.com/b/networking/archive/2010/09/08/network-location-awareness-nla-and-how-it-relates-to-windows-firewall-profiles.aspx

Rule Development - Tools
Command line: netstat -noa
Sysinternals - http://technet.microsoft.com/en-us/sysinternals/bb842062
TCPView
Process Monitor
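To turn `netstat -noa` output into something a rule can be built from, the listening socket has to be tied back to the program that opened it (the PID column). The parser below is an added example, not from the slides; it assumes the English-language column layout of netstat on Windows, and the sample output lines are constructed.

```powershell
# Added example (not from the slides): parse "netstat -noa"/"-ano" output into
# objects and attach the owning process, so a listener can be matched to the
# program an application rule should name. Sample lines are constructed.
function ConvertFrom-NetstatOutput {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $f = $line.Trim() -split '\s+'
        # TCP rows carry a State column, UDP rows do not
        if     ($f[0] -eq 'TCP' -and $f.Count -ge 5) { $state = $f[3]; $procId = [int]$f[4] }
        elseif ($f[0] -eq 'UDP' -and $f.Count -ge 4) { $state = '';    $procId = [int]$f[3] }
        else { continue }                             # banner, header, blank lines

        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $name = '?'; $path = ''
        if ($proc) {
            $name = $proc.ProcessName
            try { $path = $proc.Path } catch { $path = '' }   # access denied on protected processes
        }
        New-Object PSObject -Property @{
            Proto = $f[0]; Local = $f[1]; Remote = $f[2]; State = $state
            PID = $procId; Process = $name; Path = $path
        }
    }
}

# Listening sockets only: TCP in LISTENING state plus every bound UDP port.
function Get-ListeningSocket {
    param([string[]]$Lines = (netstat -ano))   # default: live output from this host
    ConvertFrom-NetstatOutput $Lines |
        Where-Object { $_.State -eq 'LISTENING' -or $_.Proto -eq 'UDP' } |
        Sort-Object Proto, Local
}

# Constructed sample; the PIDs will not resolve to real processes here.
$sample = @(
    'Active Connections',
    '',
    '  Proto  Local Address          Foreign Address        State           PID',
    '  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1234',
    '  TCP    10.0.0.2:49172         10.0.0.1:443           ESTABLISHED     5678',
    '  UDP    0.0.0.0:5355           *:*                                    9012'
)
Get-ListeningSocket -Lines $sample | Format-Table Proto, Local, State, PID, Process, Path -AutoSize
# Get-ListeningSocket | Format-Table Proto, Local, State, PID, Process, Path -AutoSize   # live host
```

The Path column is what goes into the program field of an application rule; a listener whose path is empty or unexpected is the one to investigate before writing an allow rule for it.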

Rule Validation
Verify that you can get an open port when you should, and don’t when you shouldn’t.
Tools: Logs, netcat, nmap (port scanners), telnet, web browser, etc.
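The "open when it should be, closed when it shouldn't" check can be scripted so it is repeated after every rule change. The code below is an added example, not the presenters' tooling; the host/port expectations are constructed placeholders and the 2 second timeout is an assumption.

```powershell
# Added example (not from the slides): validate firewall rules against an
# expectation table. Expectations are constructed placeholders.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # A dropped (filtered) port shows up as a timeout, a closed port as a
        # refused connection; both count as "not open" for rule validation.
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-FirewallExpectation {
    param([object[]]$Expectations)
    foreach ($e in $Expectations) {
        $open = Test-TcpPort -ComputerName $e.Host -Port $e.Port
        $result = if ($open -eq $e.Open) { 'PASS' } else { 'FAIL' }
        New-Object PSObject -Property @{
            Host = $e.Host; Port = $e.Port; Expected = $e.Open; Actual = $open; Result = $result
        }
    }
}

$expectations = @(
    @{ Host = '10.0.0.2'; Port = 80;  Open = $true  },   # allowed by the HTTP rule
    @{ Host = '10.0.0.2'; Port = 445; Open = $false }    # no rule: must stay blocked
)
Test-FirewallExpectation $expectations |
    Format-Table Host, Port, Expected, Actual, Result -AutoSize
```

A FAIL on an "expected open" row does not by itself say whether the firewall dropped the packet or nothing was listening; the firewall log on the target (see the logging slide) settles that, since a DROP entry appears only in the first case.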

Demo

Windows Firewall GPO

Agenda
Managing Firewall GPOs – Tools
Concepts
Troubleshooting Tools
Things to Think About
Strategy

Managing Firewall GPOs – Tools

Tools
Group Policy Management Console (GPMC)
Group Policy Editor (GPEdit)
NetSH
Powershell

NetSH (local and GPO)

Powershell
GroupPolicy Module (Import-Module GroupPolicy):
New-GPO
New-GPLink
Set-GPPermissions
Get-GPRegistryValue
Set-GPRegistryValue
Remove-GPRegistryValue
Netsh – feeding a scripted netsh session from PowerShell to import a saved firewall policy (.wfw) into a GPO store:
# $domainfqdn and $gponame hold the domain FQDN and the GPO name
# note: .NET resolves the relative file name against the process working directory, not the PowerShell location
$stream = [System.IO.StreamWriter] 'netshinput.txt'
$stream.WriteLine('advfirewall')
$stream.WriteLine('set store gpo=' + $domainfqdn + '\' + $gponame)   # point netsh at the GPO instead of the local store
$stream.WriteLine('import myfirewallsettings.wfw')                    # policy exported earlier with "netsh advfirewall export"
$stream.WriteLine('exit')
$stream.Close()
Get-Content 'netshinput.txt' | netsh

Managing Firewall GPOs – Some Concepts

GPO Processing Order
Local GPO
Site
Domain
OU (Top to Bottom)

GPO Processing
Some settings overwrite
Some settings accumulate

Filtering
Computer Group – only certain groups have permissions to apply the GPO
WMI – If the filter evaluates to true, the GPO applies. Examples:
Certain OS versions: SELECT Version FROM Win32_OperatingSystem WHERE Version >= "6"
Certain Server Features installed: SELECT Name FROM Win32_ServerFeature WHERE Name = "Web Server (IIS)"
Certain Program Installed: SELECT Name FROM Win32_Product WHERE Name = "Cisco AnyConnect VPN Client"
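A WMI filter is only as good as the query behind it, and the query can be run on a candidate machine before it is linked to a GPO. This is an added example, not the presenters' code; it runs the three filter queries from the slide and reports whether each one would select the local machine.

```powershell
# Added example (not from the slides): dry-run the slide's WMI filter queries
# on this machine. A query that returns at least one row is a filter that
# evaluates to true here, so a GPO carrying it would apply.
function Test-WmiFilterQuery {
    param([hashtable]$Queries)
    foreach ($name in $Queries.Keys) {
        $rows = @(Get-WmiObject -Query $Queries[$name] -ErrorAction SilentlyContinue)
        New-Object PSObject -Property @{
            Filter  = $name
            Applies = ($rows.Count -gt 0)
        }
    }
}

$filters = @{
    # WQL compares Version as a string: "6.1.7601" >= "6" is true, but a
    # later "10.0.19045" sorts below "6", so an open-ended >= "6" test stops
    # matching on newer releases. Use a bounded form such as
    # (Version >= "6" AND Version < "7") OR Version LIKE "10.%" when it matters.
    'OS 6.x or later'      = 'SELECT Version FROM Win32_OperatingSystem WHERE Version >= "6"'
    # Win32_ServerFeature exists only on Server editions; on a client OS the
    # query errors out and the filter simply does not apply.
    'IIS role installed'   = 'SELECT Name FROM Win32_ServerFeature WHERE Name = "Web Server (IIS)"'
    # Win32_Product enumerates every MSI package and is slow; expect the
    # filter to add seconds to each policy refresh.
    'AnyConnect installed' = 'SELECT Name FROM Win32_Product WHERE Name = "Cisco AnyConnect VPN Client"'
}
Test-WmiFilterQuery $filters | Format-Table Filter, Applies -AutoSize
```

`Get-CimInstance -Query` accepts the same WQL on newer PowerShell versions if `Get-WmiObject` is unavailable.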

Local GPO and Local Settings
If you don’t block these, Domain GPO firewall rules and local settings are cumulative.
If you want to prevent Domain GPOs from being overridden, then you have to block local settings and local GPO processing.
Warning: This significantly impacts the number of rules required in Domain GPOs.

Must Have Rules

Firewall Rule Precedence
Authentication Bypass
Block Rule
Allow Rule
Default Rule

Troubleshooting

Netstat

Firewall logging
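The firewall log (pfirewall.log) and the firewall operational event log are the two records a troubleshooter reads most. The code below is an added example, not the presenters' material: it parses the log's W3C-style text into objects, summarises dropped inbound packets, and lists recent rule add/modify/delete events. The log lines are constructed; the log path and the 24 hour window are assumptions.

```powershell
# Added example (not from the slides). Enable dropped-packet logging with:
#   netsh advfirewall set allprofiles logging droppedconnections enable
# The "#Fields:" header names the columns, so the parser follows it rather
# than hard-coding positions. Sample lines below are constructed.
function ConvertFrom-FirewallLog {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = $line.Substring(8).Trim() -split '\s+'; continue }
        if ($line -like '#*' -or $line.Trim() -eq '' -or -not $fields) { continue }
        $values = $line.Trim() -split '\s+'
        $obj = New-Object PSObject
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $obj | Add-Member NoteProperty $fields[$i] $values[$i]
        }
        $obj
    }
}

# Dropped inbound packets grouped by protocol and destination port: the
# quickest way to see which missing allow rule (or which unwanted probe) is
# behind a failing connection.
function Get-DroppedInboundSummary {
    param([string[]]$Lines)
    ConvertFrom-FirewallLog $Lines |
        Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
        Group-Object protocol, 'dst-port' |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Rule changes from the firewall operational log: 2004 rule added,
# 2005 rule modified, 2006 rule deleted. Entries outside a planned
# deployment window are worth a look.
function Get-FirewallRuleChange {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
        Id        = 2004, 2005, 2006
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

$sampleLog = @(
    '#Version: 1.5',
    '#Software: Microsoft Windows Firewall',
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path',
    '2012-03-01 10:15:22 DROP TCP 10.0.0.5 10.0.0.2 51234 445 52 S 1234567 0 8192 - - - RECEIVE',
    '2012-03-01 10:15:23 DROP TCP 10.0.0.5 10.0.0.2 51235 445 52 S 1234568 0 8192 - - - RECEIVE',
    '2012-03-01 10:15:30 DROP UDP 10.0.0.7 10.0.0.2 137 137 78 - - - - - - - RECEIVE',
    '2012-03-01 10:16:01 ALLOW TCP 10.0.0.1 10.0.0.2 50001 80 0 - 0 0 0 - - - RECEIVE'
)
Get-DroppedInboundSummary $sampleLog | Format-Table -AutoSize
# Live host (assumed default log path):
# Get-DroppedInboundSummary (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
# Get-FirewallRuleChange -Hours 48 | Format-Table -AutoSize
```

With the constructed sample the summary shows two TCP/445 drops from 10.0.0.5 and one UDP/137 drop; the ALLOW line for port 80 is excluded, which is the validation picture the previous section asks for.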

Event Viewer

Packet Sniffing (Netmon and Wireshark)

Windows Firewall with Advanced Security Snap-in

Things to Think About

It’s A Balance?
Security requirements tend to drive the need for restricting traffic with firewall rules.
Software requirements drive the need to allow traffic through the firewall.

Part of Software Deployment
Installation time is when the firewall rule change happens.
Vendor documentation is sparse with regard to firewall requirements
Common statements:
“Allow the following ports both ways: x,y,z”
“Application uses the following ports both TCP and UDP: x,y,z”

Who Manages The Rules?
Typically those who have admin permissions are likely the group that installs software.
Often the owner, (not necessarily the user of the computer), determines who has admin rights, and who controls firewall rules.
Security office implements policy that often dictates rules.
Auditors may need to audit rules on occasion.

Strategy – Level Of Control

Loose Management Scenario
Environment:
End user has admin rights to the computer.
End user often installs software
Software installs often open up rules in the process of installing.
IT only might add a few rules through GPO

Strict Management Scenario 1
Environment:
Users don’t have admin permissions:
IT controls local firewall settings
IT controls local gpo settings.
Users request software not firewall settings.
IT might use GPOs or just manage settings locally.

Strict Management Scenario 2
Environment:
Users have admin permissions:
IT wants to manage firewall rules centrally.
Users need to request firewall rules.
IT must use GPOs in this situation.
Disable local firewall settings
Disable local GPO processing

Strategy – Level Of Security

Default Security
Inbound Default rule: Block
Outbound Default rule: Allow
Only Inbound exceptions must be defined.

High Security/High Maintenance
Inbound Default rule: Block
Outbound Default rule: Block
All exceptions must be defined.
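The "Local GPO and Local Settings" slide, "Strict Management Scenario 2" and the two default-security slides all come down to a handful of profile settings in a domain GPO. The script below is an added example, not the presenters' code, built on the GroupPolicy module cmdlets the deck lists. The registry keys are the policy locations the Windows Firewall templates write to; the GPO name, the target OU and the log path are placeholders to replace. It must run in an elevated session on a domain-joined management host.

```powershell
# Added example (not from the slides): create and link a firewall GPO.
#   default        -> inbound Block, outbound Allow ("Default Security")
#   -HighSecurity  -> inbound Block, outbound Block ("High Security/High Maintenance")
#   -CentralOnly   -> ignore local rules and local GPO ("Strict Management Scenario 2")
# GPO name, OU and log path are placeholders.
Import-Module GroupPolicy

function New-FirewallPolicyGpo {
    param(
        [string]$Name     = 'Workstation Firewall (example)',
        [string]$TargetOU = 'OU=Workstations,DC=example,DC=local',   # placeholder OU
        [switch]$HighSecurity,
        [switch]$CentralOnly
    )
    $fw = 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall'
    $null = New-GPO -Name $Name -Comment 'Firewall profile defaults (added example)'

    foreach ($prof in 'DomainProfile', 'PrivateProfile', 'PublicProfile') {
        $key = "$fw\$prof"
        # 1 = block, 0 = allow for the two default actions
        $outbound = if ($HighSecurity) { 1 } else { 0 }
        Set-GPRegistryValue -Name $Name -Key $key -ValueName EnableFirewall        -Type DWord -Value 1         | Out-Null
        Set-GPRegistryValue -Name $Name -Key $key -ValueName DefaultInboundAction  -Type DWord -Value 1         | Out-Null
        Set-GPRegistryValue -Name $Name -Key $key -ValueName DefaultOutboundAction -Type DWord -Value $outbound | Out-Null
        # Log dropped packets so a missing exception shows up in pfirewall.log
        Set-GPRegistryValue -Name $Name -Key "$key\Logging" -ValueName LogDroppedPackets -Type DWord  -Value 1 | Out-Null
        Set-GPRegistryValue -Name $Name -Key "$key\Logging" -ValueName LogFilePath       -Type String `
            -Value '%systemroot%\system32\LogFiles\Firewall\pfirewall.log' | Out-Null
        if ($CentralOnly) {
            # Do not merge locally created rules: only GPO rules are evaluated.
            # Every exception the host needs must now live in a domain GPO.
            Set-GPRegistryValue -Name $Name -Key $key -ValueName AllowLocalPolicyMerge      -Type DWord -Value 0 | Out-Null
            Set-GPRegistryValue -Name $Name -Key $key -ValueName AllowLocalIPsecPolicyMerge -Type DWord -Value 0 | Out-Null
        }
    }
    if ($CentralOnly) {
        # "Turn off Local Group Policy Objects processing"
        Set-GPRegistryValue -Name $Name -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System' `
            -ValueName DisableLGPOProcessing -Type DWord -Value 1 | Out-Null
    }

    New-GPLink -Name $Name -Target $TargetOU -LinkEnabled Yes | Out-Null
    Get-GPRegistryValue -Name $Name -Key "$fw\DomainProfile"    # echo what was written
}

# New-FirewallPolicyGpo                               # Default Security
# New-FirewallPolicyGpo -HighSecurity -CentralOnly    # Scenario 2 with outbound block
```

Link the GPO to a test OU first: with `-CentralOnly` every locally added rule stops counting the moment the policy refreshes, so the "Must Have Rules" and the application exceptions have to be in the GPO before it reaches production machines.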

Account For Your Environment
Inbound Exception Rules:
Program or Service
Protocol
Local Ports
Remote Address Scope (Any, Campus, Trusted Nets)
Outbound Exception Rules (High Security):
Program or Service
Protocol
Remote Ports (maybe)
Remote Address Scope (Any, Campus, Trusted Nets)

Questions?