Threat Modeling
Networks
Jesper M. Johansson
Senior Security Strategist
Microsoft Corporation
Fundamental Tradeoff: Secure, Usable, Cheap. You get to pick any two!
jesperjo@microsoft.com
http://blogs.technet.com/jesper_johansson
© 2004, Microsoft Corporation, All Rights Reserved
Perimeters Are Weak: Defense in Depth
Threat Modeling is one part of a Defense in Depth strategy
Supplement it with other measures
Data: ACL, encryption
Application: Application hardening, antivirus
Host: OS hardening, patch management, authentication, HIDS
Internal Network: Network segments, IPSec, NIDS
Perimeter: Firewalls, VPN quarantine
Physical Security: Guards, locks, tracking devices
People, Policies, & Process: User education

Lessons Learned From Experience
Most security tweaks do not improve security
Security changes without a threat model do not improve security
Focus is often on the wrong thing
Analysis of target environment is essential
Threat model must correlate with security policy
Group policy is a bonus
Careful smoke-testing needed
SEC320
Applying the lessons - DSR
Document
  Model applications and services
  Environment dependent
Segment
  Applications
  Security requirements
Restrict
  Disable services
  Close ports
  Use IPSec or RRAS filters
  Use different passwords
Modeling Systems with DFDs (Document)
Graphic representation showing communication between objects
Describes activities that process data
Shows how data flows through a system
Shows logical sequence of associations and activities
Sometimes known as a process model
We are appropriating and modifying this method
Modified Data Flow Diagram Conventions
Model The Network
[Network diagram: Internet Client, VPN Server, Web Farm 1, Web Farm 2, two SQL Clusters, Domain Controller, Corporate Domain Controller, Corp Servers, Corporate Clients, Client; arrows are labeled Data Flow.]
Superimpose a DFD
Component Segmentation
[The same network diagram, with the components above grouped for segmentation.]
Network Segmentation
End Goal: Segment systems by application and security requirements
Should you trust systems that are not part of your application?
Which systems do they trust?
What are their security requirements?
Less sensitive systems may depend on more sensitive systems
More sensitive systems MUST NEVER depend on less sensitive systems
Documenting Segments: Trust Boundaries
[Diagram: the modeled network with a trust boundary drawn around each application. Nodes: Internet Client, Web Farm 1, SQL Cluster 1, Web Farm 2, SQL Cluster 2, Term Serv, Domain Controller, VPN, Corp Servers, Corp Clients, Corp DCs. Flows crossing boundaries are labeled with ports: 80, 443 (web), 1433 (SQL), 3389 (Term Serv), 443, 1723 (VPN), and DC traffic.]
Systems and entities you trust are included within your trust boundary
Never share administration and accounts across boundaries
Should your trust boundary include databases? It depends…
Trust Boundaries: Threat Analysis
[Diagram: one trust boundary around Web Farm 1 and SQL 1. Internet Client reaches Web Farm 1 on 80, 443; Web Farm 1 reaches SQL 1 on 1433; DC traffic flows from both to the Domain Controller; a Staging Server connects into the boundary on 445 and 1433.]
Fault Trees
Demonstrate logical paths through a system
Used to highlight faults in a system
Points out relationships between faults
Allow us to estimate the interactions between faults
Goal: Root the SQL Server
[Fault tree diagram. Nodes and their probabilities: Root SQL; 1434 BO on SQL (0.7) with 1434 open in firewall (0.0); Port 1433 open in firewall (0.8); Port 80 open in firewall (1.0); Blank SA password, Exploit Blank SA Password (1.0); Write access to web app (0.3); Vroots with Execute (0.9); DLL Loading Trojan (0.7); Dump LSA Secrets (0.5); Shared svc accts with admin privs (0.7).]
Annotations on the diagram:
OR condition probability (write access to web app): MAX[(0.9*0.7), 0.3] = 0.63
Pre-requisite probability (blank SA password): 0.8*0.63 = 0.504
Aggregate probability (Root SQL): MAX[MIN(0.7,0.0), MIN(0.5,0.0), 1.0*0.504] = 0.504
OR condition probability (dump LSA secrets / shared service accounts): MAX[1.0*0.5, 0.7] = 0.7
Preventative Measures (Restrict)
[The same fault tree, annotated with where a countermeasure breaks each path:]
Break here with best practices (blank SA password)
Break here with IIS lockdown
Break here with SQL hardening
Break here by restricting outgoing traffic from servers
Break here by removing security dependencies (shared svc accts with admin privs)
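The fault-tree arithmetic above, as an added Python example that is not from the slides: OR gates take the maximum of their children, AND gates multiply (or take the minimum where the slide does), and each leaf is zeroed in turn to see which "break here" control pays off most, as on the Preventative Measures slide. The tree shape, the leaf names, and the node "Second 1434 exploit" (the unlabeled 0.5 on the slide) are assumptions reconstructed from the diagram.

```python
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class Node:
    """A fault-tree node: a leaf with probability p, or a gate over its children."""
    name: str
    op: str = "leaf"        # "leaf" | "or" (MAX) | "and" (product) | "and_min" (MIN)
    p: float = 0.0
    children: List["Node"] = field(default_factory=list)

def evaluate(n: Node) -> float:
    """Combine child probabilities with the rules the slide's annotations use."""
    if n.op == "leaf":
        return n.p
    vals = [evaluate(c) for c in n.children]
    if n.op == "or":
        return max(vals)               # OR condition: MAX[...]
    if n.op == "and_min":
        return min(vals)               # exploit AND port open: MIN(...)
    prod = 1.0
    for v in vals:
        prod *= v                      # pre-requisite chain: 0.8*0.63
    return prod

def build_root_sql_tree() -> Node:
    """Tree shape reconstructed from the slide's labels (an assumption, not the original)."""
    port_1434 = Node("1434 open in firewall", p=0.0)
    write_access = Node("Write access to web app", "or", children=[
        Node("Vroots with Execute + DLL Loading Trojan", "and", children=[
            Node("Vroots with Execute", p=0.9), Node("DLL Loading Trojan", p=0.7)]),
        Node("Direct write access to web app", p=0.3)])
    blank_sa = Node("Blank SA password reachable", "and", children=[
        Node("Port 1433 open in firewall", p=0.8), write_access])
    return Node("Root SQL", "or", children=[
        Node("1434 BO path", "and_min", children=[Node("1434 BO on SQL", p=0.7), port_1434]),
        Node("Second 1434 path", "and_min", children=[Node("Second 1434 exploit", p=0.5), port_1434]),
        Node("Blank SA path", "and", children=[Node("Exploit Blank SA Password", p=1.0), blank_sa])])

def leaves(n: Node) -> List[Node]:
    return [n] if n.op == "leaf" else [l for c in n.children for l in leaves(c)]

def countermeasure_impact(root: Node) -> Dict[str, float]:
    # Root probability after "breaking" each leaf (setting it to 0.0), as on the
    # Preventative Measures slide; shows which single control pays off most.
    out = {}
    for leaf in leaves(root):
        saved, leaf.p = leaf.p, 0.0
        out[leaf.name] = round(evaluate(root), 3)
        leaf.p = saved
    return out
```

Closing port 1433 or fixing the blank SA password drops the root probability to 0.0, while removing direct write access to the web app alone leaves it at 0.504, because the Vroots/Trojan branch of the OR still carries 0.63.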
Manage Administrative Dependencies
Policies allow nothing but…
Disable unnecessary services
Remove users
Restrict privileges
Turn on security tweaks
Remove permissions
Set very strong passwords
Restrict communications
  IPSec
  RRAS filters
An administrator on any given machine can run code as any user logging on to that machine
What other machines do your admins log on to?
Who administers those machines?
Administrative dependencies balloon – fast!
Enumerating actual administrators is hard
Limit Service Account Trust Environment
How Many Admins Do You Have?
Any admin can retrieve service account credentials
Service accounts frequently have Administrative privileges… on several machines
Implements the “least common security denominator”
Consider security needs
NetworkService and LocalService are useful, to a point
Dependency Chain Example
1. Hacks Test-Host, gets account “Cedric”
2. Uses Cedric’s account to compromise SQL Server; SQL Server gives up account “Bob”
3. Bob is an Admin on the Web Server; Web server has service account _Svc
4. _Svc is a domain admin!
Attacker: 0wn3d!
© 2004, Microsoft Corporation, All Rights Reserved
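The dependency chain above, as an added Python example rather than the author's material: administrative dependencies are modeled as a graph (a host exposes the accounts that log on to or run on it; an account is admin on other hosts), the attacker's path is found by breadth-first search, and the segmentation rule that more sensitive systems must never depend on less sensitive ones is checked over every edge. Host and account names follow the slide; the sensitivity ranking is a constructed assumption.

```python
from collections import deque
from typing import Dict, List, Tuple

# Constructed to match the slide's chain. EXPOSES: an admin on the host can recover
# these accounts' credentials (logon sessions, service accounts). ADMIN_ON: hosts
# where the account holds administrative privileges.
EXPOSES: Dict[str, List[str]] = {
    "Test-Host": ["Cedric"],
    "SQL Server": ["Bob"],
    "Web Server": ["_Svc"],       # service account running on the web server
}
ADMIN_ON: Dict[str, List[str]] = {
    "Cedric": ["SQL Server"],
    "Bob": ["Web Server"],
    "_Svc": ["Domain"],           # _Svc is a domain admin
}
# Sensitivity ranking is an assumption for the check below (higher = more sensitive).
SENSITIVITY = {"Test-Host": 1, "Web Server": 2, "SQL Server": 3, "Domain": 4}

def attack_path(start: str, goal: str) -> List[str]:
    """Shortest host/account chain from a compromised start host to goal ([] if none)."""
    parent: Dict[str, Tuple[str, str]] = {}
    seen, queue = {start}, deque([start])
    while queue:
        host = queue.popleft()
        if host == goal:
            path = [host]
            while host in parent:          # walk back, prepending "host, account" pairs
                host, account = parent[host]
                path[:0] = [host, account]
            return path
        for account in EXPOSES.get(host, []):
            for target in ADMIN_ON.get(account, []):
                if target not in seen:
                    seen.add(target)
                    parent[target] = (host, account)
                    queue.append(target)
    return []

def violations() -> List[Tuple[str, str, str]]:
    """Edges where a more sensitive system depends on a less sensitive one:
    (less-sensitive host, account it exposes, more-sensitive host it is admin on)."""
    out = []
    for host, accounts in EXPOSES.items():
        for account in accounts:
            for target in ADMIN_ON.get(account, []):
                if SENSITIVITY[target] > SENSITIVITY[host]:
                    out.append((host, account, target))
    return out
```

The SQL Server to Web Server hop is not a violation under the ranking (the more sensitive system is the one exposing the account), yet the chain still passes through it; it is the two violating edges at either end that removing security dependencies has to cut.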
Conclusion
Hardening networks requires understanding the environment
Optimal hardening requires deep understanding
There is a fundamental tradeoff between security and usability
Three-phase approach to network hardening:
  Document
  Segment
  Restrict
For more information
See Chapters 8 and 9
Order online: http://www.awprofessional.com/title/0321336437
Use promo code JJSR6437
jesperjo@microsoft.com
Resources
Tools
  Registry Monitor, File Monitor, Process Explorer, et al.: http://www.sysinternals.com
Security news
  Security Bulletin Notification: http://go.microsoft.com/fwlink/?LinkId=21163
  Security Bulletins: http://www.microsoft.com/technet/security/current.aspx
  My Email: jesperjo@microsoft.com
Technical information
  Open Hack IV Hardening: http://msdn.microsoft.com/library/en-us/dnnetsec/html/openhack.asp
  Jesper’s Security Columns: http://go.microsoft.com/fwlink/?LinkId=28592
Security guidance and training
  Security Guidance Center: http://www.microsoft.com/security/guidance/
  Windows 2000 Security Hardening Guide: http://go.microsoft.com/fwlink/?LinkId=28591
  MBSA: http://www.microsoft.com/technet/security/tools/mbsahome.mspx
  Windows Server 2003 Security Guide: http://go.microsoft.com/fwlink/?LinkId=14846
  Threats and Countermeasures: http://go.microsoft.com/fwlink/?LinkId=15159
  Windows XP Security Guide: http://go.microsoft.com/fwlink/?LinkId=14839
  Exchange Server 2003 Security Hardening Guide: http://go.microsoft.com/fwlink/?LinkId=25210
  Microsoft Guide to Security Patch Management: http://go.microsoft.com/fwlink/?LinkId=16284
Jesper M. Johansson
jesperjo@microsoft.com
© 2004-2005 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.