Week 12 - Server Hardening.pptx
Week 12: Server Hardening
NTWK-8070: Windows Server Roles and Features

This week…
This week we will learn about:
• Introduce the Firewall Settings in Windows Server
• Describe basic Firewall Functions
• Discuss Server Hardening examples

Firewalls, a wall of fire

What is a firewall
• A set of technologies that help protect a computer from unauthorized access
• Deals with network-based access – a firewall is NOT antivirus
• Can explicitly block or allow access for traffic (IP)
• Can be “intelligent” (DPI, Stateful, etc.)

What does Windows have by default?
• Windows Server ships with Windows Defender Firewall with Advanced Security
• It is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is

IPSec
Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that cannot be authenticated as a trusted device cannot communicate with your device. You can also use IPsec to require that certain network traffic is encrypted to prevent it from being read by network packet analyzers that could be attached to the network by a malicious user.

Stateful? IPSec? DPI?
Early iterations of firewalls were very basic. Traffic was either allowed to enter or leave, or it was not. There was no “intelligence”. Newer firewalls implement many technologies to intelligently filter traffic based on a number of criteria to ensure security. We will explore a number of these. In NTWK-8060 you will explore how to create policies.

Stateful Firewalls
• A type of firewall that monitors the “state” of the connection, with intelligence built in.
• A Layer 3 and 4 firewall (limited intelligence)
• Monitors state and context of connections
• Adjusts accordingly (allow or deny)
• The most basic of “modern” firewalls

What is a State?
• A state in a stateful firewall is the “status” of the current process that is communicating.

Analogy of a State
“Allow communication if the application reached out first”
Imagine the above scenario. The “stateful” aspect of the above means that, if a local process reached out to the internet, then incoming traffic for that process would also be allowed (unless explicitly blocked). If no local process connection was established prior to incoming traffic destined for that process, the traffic would be dropped.

States (a selection of)
• Closed – The TCP connection has no connection state at all. This state represents the state when there is no Transmission Control Block (TCB), and therefore, no connection.
• Listen – The TCP connection is waiting for a connection request from any remote TCP and port.
• Established – The TCP connection is an open connection, so the data received can be delivered to the user. This state is the normal state for the data transfer phase of the connection.

States – Part 2
• Close Wait – The TCP connection is waiting for a request to end the connection from the local user.
• Closing – The TCP connection is waiting for an acknowledgment of the request to end the connection from the remote TCP.
• Time Wait – The TCP connection is waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its request to end the connection.

A Practical Example
• You can use the following command to see any local processes and ports that are listening and have established connections on your computer/server
• netstat -nao
  – n  Displays addresses and port numbers in numerical form.
  – a  Displays all connections and listening ports.
  – o  Displays the owning process ID associated with each connection.

Viewing Process Relations
Notice the PID?
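The same information netstat -nao gives, pulled with PowerShell and joined to the owning process so each connection maps back to an executable. This is an added example, not code from the lecture; it uses only the built-in NetTCPIP cmdlets and assumes an elevated session so process paths are readable.

```powershell
# Added example, not from the lecture slides: the PowerShell equivalent of
# "netstat -nao", joined to the owning process so every listening or
# established TCP connection can be traced back to an executable before a
# firewall rule is written. Needs the built-in NetTCPIP module (Windows
# Server 2012 R2 or later); run elevated so process paths are readable.

function Get-ConnectionOwner {
    param(
        # Only these states matter when deciding what a rule must cover.
        [string[]]$State = @('Listen', 'Established')
    )
    # Cache PID -> process once instead of calling Get-Process per connection.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

    Get-NetTCPConnection -State $State | ForEach-Object {
        $p = $procs[[int]$_.OwningProcess]
        [pscustomobject]@{
            Process       = if ($p) { $p.ProcessName } else { 'unknown' }
            PID           = $_.OwningProcess
            Path          = if ($p) { $p.Path } else { $null }  # null for protected processes
            State         = $_.State
            LocalPort     = $_.LocalPort
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
        }
    }
}

# One row per executable: which ports it listens on and which peers it talks
# to. This is the view used to choose between a Program, Port or Custom rule.
function Get-ProcessPortMap {
    Get-ConnectionOwner | Group-Object Process | ForEach-Object {
        $listen = $_.Group | Where-Object State -eq 'Listen' |
                  Select-Object -ExpandProperty LocalPort -Unique | Sort-Object
        $peers  = $_.Group | Where-Object State -eq 'Established' |
                  ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" } | Select-Object -Unique
        [pscustomobject]@{
            Process     = $_.Name
            Path        = ($_.Group.Path | Where-Object { $_ } | Select-Object -Unique) -join ';'
            ListenPorts = $listen -join ','
            RemotePeers = $peers -join ','
        }
    }
}

Get-ProcessPortMap | Sort-Object Process | Format-Table -AutoSize
```

Each row is one executable with its listening ports and established peers, which is exactly the process/port/address triple a firewall rule is built from.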
What does this give us?
• We can deduce that Spotify.exe has an Established state to 104.154.127.126 on port 4060, and that the connection type is TCP
• How is this useful? It allows us to map our processes and their ports to enable building of a firewall rule that either explicitly permits or denies traffic.

You also mentioned Context?
• Context is a collection of network-related “metadata components” of the TCP/IP protocol
  – IP Addresses
  – Ports
  – Layer 3 and 4 (fragmentation and reassembly, sequence number)
  – And more
• Basically anything that can be used as “inspectable metadata”

What about UDP?
• You may know that there are two main technologies in play – UDP and TCP.
• UDP is User Datagram Protocol – a protocol that is essentially stateless (does not have a state defined in the protocol)
• How does a stateful firewall deal with a protocol that is stateless?

Pseudo-state
• A pseudo-state is a “method or logic” that defines a state for a protocol that is stateless.
• Examples of stateless protocols that use UDP are:
  – DNS
  – DHCP
  – VoIP

Firewall handling of Pseudo-States
• Firewalls typically implement some sort of logic that works together with algorithms and software to determine a state (pseudo-state)
• A “best-effort guess” at what the protocol is doing
• Varies by manufacturer
• After a state is determined, the firewall works as a stateful firewall.

How do they (Stateful) work?

Foreword
• Firewalls are network-first devices and require some knowledge of networking
• In the future, in your careers, you will want to get some introduction to networking
• There are many different things to consider that this course will not cover, such as TCP/IP basics and the in-depth protocol breakdown

Let’s put it all together!
• Data is collected on all packets that flow through the stateful firewall
• The firewall then builds a table of all states and connections which are established and considered safe (rules permitting)
• If another connection/packet flows through the firewall, it is verified against the table of connections/safe entries and either allowed or dropped

Seems too simple?
• It’s still better than stateless packet inspection!
  – Stateless packet inspection is ancient and relies on simply looking at the packet in isolation, not in a context.
  – Either allow or deny based on source/destination, that’s it.

SPI
• A stateful firewall utilises Stateful Packet Inspection
• SPI tracks packets over a period of time
• This is what we talked about with Context

NGFW? Better?

What are NGFWs?
• Next Generation Firewalls
• Offer the same SPI as a stateful firewall, but also offer DPI
• What is DPI?
  – Deep Packet Inspection

Deep Packet Inspection
Cyber criminals have gotten more advanced, and so the need for better firewalls is an ever-present requirement. Deep Packet Inspection will inspect the packet for validity and ensure that it meets criteria to allow it to pass.

Example DPI techniques
• Regular packet filtering is known as “Conventional Packet Filtering”
• DPI relies on a number of different methodologies
  – Pattern or Signature Matching
  – Protocol Discrepancies
  – SSL Decryption

Pattern or Signature Matching
• This DPI technique is a cornerstone of DPI firewalls that allows you to add another layer of security by using the same technology as an “antivirus”
• Packets are compared against a robust database of malicious traffic signatures
• Can drop or notify (or both) if a match is found

Protocol Discrepancies
• Certain firewalls prohibit certain types of traffic from leaving the organization
• Early exploits could “package” one protocol in another:
  – i.e. TCP over DNS
  – Would allow for malicious traffic to flow in/out, disguised as DNS (port 53)
  – Would be allowed, because simple firewalls do not examine the “innards” of the packet

Protocol Discrepancies pt 2
• NGFWs allow you to verify the integrity of the protocol.
• A TCP data packet (Transmission Control Protocol) would no longer be able to hide inside a DNS packet, as the protocol integrity check would fail.
• Would either notify or drop (or both)

SSL Decryption
• SSL is the backbone of security, especially on the internet.
• Most websites use SSL to ensure that your connections and what you send/receive are encrypted between the server and client
• Neither stateful firewalls nor NGFWs can inspect an SSL packet deeply enough to verify the signature or apply another mechanism

SSL Decryption pt 2
• SSL decryption is a technology that acts as a middleman between you and the internet
• SSL decryption on NGFWs will establish a connection on your behalf and decrypt the packets to inspect them
  – Like Border Services and Customs – looking at each parcel to ensure it’s safe
• It would then encrypt the package again and send it to you, ensuring that the packet is only decrypted on the firewall, and not anywhere else
• It’s also extremely resource-intensive

What do NGFWs and WS have in common?
• Nothing. Windows Server does not come with, or have available, an NGFW
• NGFWs are network devices (or in some rare cases virtual appliances)
• NGFWs are a vital part of your overall security posture
• They are used in conjunction with WS’s firewall

A Fortinet Firewall (NGFW)

Basic Configuration, WS Firewall
We will create a basic firewall rule
• First you want to open the MMC console – MMC.exe
• You can also use the “Control Panel” version of Windows Defender Firewall with Advanced Security – however it is somewhat limited

Add the Snap-in
You can manage another machine too!
Let’s explore

The Left Pane
• Consists of Inbound Rules, Outbound Rules, Connection Security Rules and Monitoring
• Inbound and Outbound rules are straightforward
• They either explicitly allow or deny a process or port access to networks

What you can filter on (I/O rule)
Filtering on (Rule Type)
• Program – allow or deny an application access to the internet
• Port – allow a specific port (such as 80/443 for web servers) access
• Predefined – Windows built-in services
• Custom – allows you to specify a number of different parameters and mix/match
  – You can mix Application, Ports and Protocols, Local and Remote IP Addresses

The Program…
The Ports/Protocol
Scope (Local/Remote IPs)
What can you do

Tips for Hardening
These are just tips
• There is no “prescriptive approach” to server hardening
• Everything depends on use case and how your environment is configured
• Not everything will apply to everyone
• NTWK-8070 will go over more concepts, including safeguarding data, and a little more detail on hardening/BPs

Basic Server Hardening
1. Control server access via RBAC
2. Minimize external access and your attack vector
3. Keep server up-to-date with vetted patches
4. Keep baseline inventory of hardware, software and configurations (versions, etc.)

Hardening Part 2
5. Disable unused services
6. Remove non-required roles
7. Decentralize services
8. Configure centralized logging and configuration
9. Avoid manual configuration
10. Implement logging

End of Lecture, Questions?
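The Program, Port and Custom rule types from the MMC wizard, created with the NetSecurity cmdlets instead of the GUI. This is an added example, not code from the lecture; the display names, the myapp.exe path, port 8443 and the 10.0.0.0/24 management subnet are assumed values.

```powershell
# Added example, not from the lecture: the Program, Port and Custom rule types
# from the MMC wizard created with the NetSecurity cmdlets instead. Display
# names, the application path, port 8443 and the 10.0.0.0/24 management
# subnet are assumed values for this example. Run in an elevated session.
$rules = @(
    # Rule Type "Program": one executable, any port/protocol.
    @{ DisplayName = 'Lab - MyApp (program)'
       Program     = 'C:\Program Files\MyApp\myapp.exe'    # assumed path
       Direction   = 'Inbound'; Action = 'Allow' },
    # Rule Type "Port": HTTPS for the web server role, any remote address.
    @{ DisplayName = 'Lab - HTTPS (port)'
       Protocol    = 'TCP'; LocalPort = 443
       Direction   = 'Inbound'; Action = 'Allow' },
    # Rule Type "Custom": program + protocol/port + scope. The admin port is
    # reachable only from the management subnet and only on the Domain
    # profile, which is "minimize external access" from the hardening tips.
    @{ DisplayName   = 'Lab - MyApp admin from mgmt subnet (custom)'
       Program       = 'C:\Program Files\MyApp\myapp.exe'  # assumed path
       Protocol      = 'TCP'; LocalPort = 8443               # assumed port
       RemoteAddress = '10.0.0.0/24'                          # assumed subnet
       Profile       = 'Domain'
       Direction     = 'Inbound'; Action = 'Allow' }
)

foreach ($r in $rules) {
    # Idempotent: re-running the script does not create duplicate rules.
    if (Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue) { continue }
    New-NetFirewallRule @r | Out-Null
}

# Ports, addresses and programs live in separate filter objects, so join them
# back to each rule to confirm exactly what the wizard would have shown.
function Get-LabRuleSummary {
    Get-NetFirewallRule -DisplayName 'Lab - *' | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Name          = $_.DisplayName
            Enabled       = $_.Enabled
            Profile       = $_.Profile
            Program       = $app.Program
            Protocol      = $port.Protocol
            LocalPort     = $port.LocalPort
            RemoteAddress = $addr.RemoteAddress
        }
    }
}
Get-LabRuleSummary | Format-Table -AutoSize
```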
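Items 4, 5, 6 and 10 of the hardening list in practice: a baseline of installed roles and features, running services, enabled inbound allow rules and listening ports, saved as JSON and compared on later runs so drift stands out. This is an added example, not code from the lecture; the baseline path is an assumed location, and Get-WindowsFeature needs the ServerManager module, so it runs on Windows Server.

```powershell
# Added example, not from the lecture: a baseline of the things the hardening
# list asks you to inventory and prune (installed roles/features, running
# services, enabled inbound allow rules, listening TCP ports), saved as JSON
# and compared on later runs so drift is reported. Runs on Windows Server.
$BaselinePath = 'C:\Baseline\server-baseline.json'    # assumed location

function Get-ServerBaseline {
    [pscustomobject]@{
        Taken        = (Get-Date).ToString('o')
        Features     = @(Get-WindowsFeature | Where-Object Installed |
                         Select-Object -ExpandProperty Name | Sort-Object)
        Services     = @(Get-Service | Where-Object Status -eq 'Running' |
                         Select-Object -ExpandProperty Name | Sort-Object)
        InboundAllow = @(Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
                         Select-Object -ExpandProperty DisplayName | Sort-Object)
        # Ports stored as strings so they compare cleanly after a JSON round trip.
        Listening    = @(Get-NetTCPConnection -State Listen |
                         ForEach-Object { [string]$_.LocalPort } | Sort-Object -Unique)
    }
}

# One row per item that appeared or disappeared since the reference baseline.
function Compare-ServerBaseline {
    param([Parameter(Mandatory)]$Reference, [Parameter(Mandatory)]$Current)
    foreach ($key in 'Features', 'Services', 'InboundAllow', 'Listening') {
        # Compare-Object rejects empty arrays on Windows PowerShell 5.1, so
        # substitute a placeholder when a category is empty on either side.
        $ref = @($Reference.$key); if ($ref.Count -eq 0) { $ref = @('(none)') }
        $cur = @($Current.$key);   if ($cur.Count -eq 0) { $cur = @('(none)') }
        Compare-Object -ReferenceObject $ref -DifferenceObject $cur | ForEach-Object {
            [pscustomobject]@{
                Category = $key
                Change   = if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
                Item     = $_.InputObject
            }
        }
    }
}

$current = Get-ServerBaseline
if (Test-Path $BaselinePath) {
    $reference = Get-Content $BaselinePath -Raw | ConvertFrom-Json
    $drift = @(Compare-ServerBaseline -Reference $reference -Current $current)
    if ($drift.Count) { $drift | Format-Table -AutoSize } else { 'No drift from baseline.' }
} else {
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    $current | ConvertTo-Json -Depth 3 | Set-Content $BaselinePath
    "Baseline written to $BaselinePath"
}
```

The first run writes the baseline; every later run prints only what was added or removed, so a new listening port, a re-enabled service or an extra inbound allow rule shows up as a single line to investigate.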