Securing the Branch Office
Fred Baumhardt & Sandeep Modhvadia
Security Technology Architects
Microsoft
What is a Branch Office
It is where Enterprise makes money
It is where IT Departments don't have people on the ground
It has a high multiplier (10 - 10,000+ remote offices)
It has typically low Bandwidth
It is the 19th Century Wild West
[Diagram: Branch Offices – Core Datacenter]
Session Plan: What is a Branch Office | Root Causes | Solutions
Bandwidth – the root cause
Vendor Thinking !
Poor Management – no IT Staff locally, little management technology
Large User Base – code name "PEBCAK"
High privilege and legacy applications (poor execution control)
[Diagram: Branch Offices linked to Core Datacenter by "Sticky Tape" and "Wet String" – HLLB – High Latency Low Bandwidth]
Session Plan: Root Causes – Why The Branch Causes Pain | Solutions
Viruses (self inflicted)
Worms (network inflicted)
*.ware - Malware/Spyware
Users countering policy
Service and Network Outage (due to saturation and loss)
Cost
Session Plan: Root Causes – How You Feel the Pain | Solutions
Securing the Branch….
Improve Bandwidth - cache, compress, etc | Take Back Control of WAN | Take Back Control of LAN
Select Branch Application Platforms | Assume Branch Conditions in design | Train Internal Development
Enable Management remotely | Start Patching (easier said than done) | User Training and Enablement
Control of Task Based Work | Technologies like SRP, ACLs, LUA | Clear policy, Tech Enforced
If you can, improve it – it's a root killer
Increase Bandwidth Contracts at next window
Consider local Internet breakout w/VPN, MPLS, etc over leased lines
Bandwidth has high correlation with security
Caching Technology is a great enabler
Improve Bandwidth - cache, compress, etc | Take Back Control of WAN | Take Back Control of LAN
[Diagram: Branch – FW or Router – Datacenter Concentrator – Datacenter]
ISA Server Branch Feature Pack
BITS Caching – so you can start to patch – one download for all clients – works for WUAC, WSUS, SMS, all Microsoft BITS
HTTP Compression – Reduce B/W required for HTTP streams
HTTP Based Quality of Service – tagging QoS for Network equipment based on URL
Caching and pre-population
Depending on your cache device, content can be pre-deployed during low bandwidth times (like 00:00 - 04:00)
R2 components like Remote Differential Compression
Appliances like Tacit etc that do workload caching
Improve Bandwidth - cache, compress, etc | Take Back Control of WAN | Take Back Control of LAN
Authenticate Traffic Using the WAN
Worms are Anonymous – authentication defeats them
Start reducing non-essential non controlled traffic
Example – Branch Users Group can access RPC UUID 00AABB-FA00000 to AppSRV1
Control of what protocols each user class can use – block all others – map the network to the business
Requires a Layer 7 Application Layer device
Protocol Inspect the WAN
Check syntax of what HTTP, SMTP, RPC, DNS, etc use - enforce protocol conformance to reduce non std (overflow) attacks
Goal is to prevent infection from leaving/entering branch
Improve Bandwidth - cache, compress, etc | Take Back Control of WAN | Take Back Control of LAN
Branch Host Based Firewalls on Clients
Machines treat other network peers as hostile untrusted
XP and WS2003 built-in to OS, other OS third party providers
Usually Branch Workloads allow this feature to be turned on
Win Firewall doesn't block outbound traffic - APT will
Improve Bandwidth - cache, compress, etc | Take Back Control of WAN | Take Back Control of LAN
Decisions on Branch Network taken by Network Team – little consultation to infrastructure concerns
Architects can buy applications based on relationship/golf games, not capability
Select Branch Application Platforms | Assume Branch Conditions in design | Train Internal Development
SLAs and Bandwidth have been “under-negotiated”
Many environments have near-total Network Infra monopolies; other architectures exist
Network companies want to sell in order: Leased Line, MPLS, xDSL
Look at the Development and Purchasing Culture – how are applications for remote offices decided
Large move to Web Based Applications in Remote Offices, but seldom is caching or HTTP acceleration thought of
Browser clients still require O/S patching etc, and it should be thought of
Consider deployment of caching and application acceleration infrastructure
Train In-House Developers to think about the deployment conditions they are writing for – send them to work in a remote office for a couple of days
Select Branch Application Platforms | Assume Branch Conditions in design | Train Internal Development
A Lot of Remote Management Capabilities already
Point to Point Technologies
Terminal Services is fairly efficient in B/W terms
HTTP Based Server Consoles like SATK
Remote Access like RPC Consoles (not recommended)
R2 adding things like Print Management Console
Breadth Management Tools
SMS, MOM now increasingly bandwidth friendly
Management tools moving to BITS as transfer language
Other Third party tools increasingly improving b/w usage
Enable Management remotely | Start Patching (easier said than done) | User Training and Enablement
What is the Management Response Plan for Branches ?
Some Questions to Ask:
How do you contain branch failure ?
How will you detect branch failure ?
What are your SLAs to the business ?
Are there "High Value Assets" at branch ?
Does your expenditure on remote office correlate to the above ?
Enable Management remotely | Start Patching (easier said than done) | User Training and Enablement
Patch Management is Reactive – but necessary
Most Companies don't patch due to B/W
Enable Management remotely | Start Patching (easier said than done) | User Training and Enablement
Technology                | Cost          | Flexibility   | Bandwidth Savings               | Control                          | Notes
--------------------------|---------------|---------------|---------------------------------|----------------------------------|------
WUAC                      | Low           | Low – MS Only | None                            | None – MS Approves               | Core Product only; with MS Update Office, SQL, Exch
WSUS                      | Low-Med       | Medium        | Full – if WSUS local, else none | Admin Approves                   | MS Core Product Only – admins approve – req IIS locally @ Branch (to cache)
ISA 2004 BO + WSUS or SMS | Low-Med       | Medium-High   | Full – ISA cache, WS approves   | Admin Approves                   | No IIS locally – FW does other tasks and caches, no dist point for SMS required
SMS, or other Management  | Medium - High | High          | SMS – Full – others depend      | SMS – Admin Full – Others Depend | SMS offers full solution including roll back, local distribution etc
User Training is Key – Users can be useful to IT
Enable Management remotely | Start Patching (easier said than done) | User Training and Enablement
• Users – (like pets) can Help You – If you train them
• Branch Manager etc can be delegated some tasks
• Equipment can be swapped out by Users, if it and your design is IPA (Idiot Proof Architecture)
• Security Policy should be communicated to user base – and peer enforced
• Users are IT eyes and ears @ branch
[Chart: Execution Control Cost – Cost (0 to 1400) plotted against Risk Factor (1 to 5)]
Control of Task Based Work | Technologies like SRP, ACLs, LUA | Clear policy, Tech Enforced
Whitelists like Software Restriction Policy require Business Investment – but are the most effective
Blacklist technologies are "appliantized", easy to deploy and require signature payments – perfect for the security industry, bad for you
You will need to buy lots of different blacklist technologies
If your tellers only use the bank application – and they can only run it (and nothing else) – do you need AV ?
Control of Task Based Work | Technologies like SRP, ACLs, LUA | Clear policy, Tech Enforced
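The teller scenario above (run the bank application and nothing else) expressed as a local Software Restriction Policy, written here as an added example rather than anything from the deck: default level Disallowed, with Unrestricted path rules for the Windows and Program Files trees plus one line-of-business application, and a more specific Disallowed rule for a writable folder inside the whitelisted tree. The application path C:\BankApp\teller.exe is a placeholder, and the script assumes an elevated PowerShell session on a Windows host; the registry layout used is the standard SRP CodeIdentifiers layout.

```powershell
# Added example (not from the deck): local SRP whitelist for task-based users.
# Assumption: run elevated; C:\BankApp\teller.exe is a placeholder LOB app path.
# SRP reads this policy at logon, so log off/on (or reboot) to see it enforced.

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0        # SRP security levels; rules live under a subkey named
$Unrestricted = 262144   # with the decimal level value (0 or 262144)

function Add-SrpPathRule {
    param([int]$Level, [string]$Path, [string]$Description)
    # Each path rule is <level>\Paths\{GUID}; ItemData holds the path pattern.
    $key = Join-Path $base "$Level\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData -PropertyType ExpandString -Value $Path -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $key -Name Description -PropertyType String -Value $Description -Force | Out-Null
}

New-Item -Path $base -Force | Out-Null
# Default level Disallowed: anything not matched by an Unrestricted rule is blocked.
New-ItemProperty -Path $base -Name DefaultLevel -PropertyType DWord -Value $Disallowed -Force | Out-Null
# 2 = enforce on all software files, DLLs included; 1 would skip DLLs.
New-ItemProperty -Path $base -Name TransparentEnabled -PropertyType DWord -Value 2 -Force | Out-Null
# 0 = apply to all users including local administrators; 1 exempts administrators.
New-ItemProperty -Path $base -Name PolicyScope -PropertyType DWord -Value 0 -Force | Out-Null
# File types SRP treats as executable (the stock SRP default list).
$types = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF',
         'INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG',
         'SCR','SHS','URL','VB','WSC'
New-ItemProperty -Path $base -Name ExecutableTypes -PropertyType MultiString -Value $types -Force | Out-Null

# Unrestricted: OS and Program Files trees, as registry-path rules so they track
# the real install locations rather than a hard-coded drive letter.
Add-SrpPathRule $Unrestricted '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%' 'Windows directory'
Add-SrpPathRule $Unrestricted '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%' 'Program Files'
# Unrestricted: the single application tellers are allowed to run (placeholder path).
Add-SrpPathRule $Unrestricted 'C:\BankApp\teller.exe' 'Teller application'
# Disallowed: a writable folder under the whitelisted Windows tree. The more
# specific path rule wins in SRP, so this closes that hole in the broad rule.
Add-SrpPathRule $Disallowed '%SystemRoot%\Temp' 'Block execution from Windows temp'
```

Anything the policy blocks is logged as a Software Restriction Policies event in the Application log, which is the signal the "Monitoring Infrastructure" question later in the deck asks about.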
Remove Admin Privileges from Task Based Users – until Vista this will be very difficult to do for Information Workers
Active Directory driven group policy provides a repeatable re-applied lock down – but GPOs depend on DC placement (B/W)
Usually Anti(*.*) takes management and bandwidth for signatures
Access Control Lists, etc can be very expensive to deploy – LUA for Vista, SRP aren't widely deployed
For IW branch users, full management is required for security, consider AD GPO, SRP, HBF, Auto Patching
Control of Task Based Work | Technologies like SRP, ACLs, LUA | Clear policy, Tech Enforced
Optimal Policy Enforcement
• Do your users know what their policy is ?
• Do they know it's NOT OK to let someone take the server away "for repair" without authorisation ?
• Can you Technologically Enforce your Security Policy – if not why is it there?
• Did you write your policy with legal guidance?
• Have you adjusted your policy for the branch environment ?
• Do you have a Monitoring Infrastructure in place to detect contravention ?
Resources
The latest news on Microsoft security: www.microsoft.com/uk/security
www.microsoft.com/uk/technet
Read and contribute to our blogs: http://blogs.technet.com/sandeep/default.aspx
http://blogs.technet.com/fred/default.aspx
We are better at this stuff than you think…