
Page 1: Securing the Branch Office
Fred Baumhardt & Sandeep Modhvadia, Security Technology Architects, Microsoft

Page 2: What is a Branch Office

• It is where the Enterprise makes money
• It is where IT departments don't have people on the ground
• It has a high multiplier (10 to 10,000+ remote offices)
• It typically has low bandwidth
• It is the 19th Century Wild West

[Diagram: Branch Offices linked to the Core Datacenter]

Session Plan: What is a Branch Office | Root Causes | Solutions

Page 3: Root Causes – Why the Branch Causes Pain

• Bandwidth – the root cause
• Vendor thinking!
• Poor management – no IT staff locally, little management technology
• Large user base – code name "PEBCAK" (problem exists between chair and keyboard)
• High privilege and legacy applications (poor execution control)

[Diagram: Branch Offices connected to the Core Datacenter by "sticky tape" and "wet string" – HLLB, High Latency Low Bandwidth]

Page 4: Root Causes – How You Feel the Pain

• Viruses (self-inflicted)
• Worms (network-inflicted)
• *.ware – malware/spyware
• Users countering policy
• Service and network outage (due to saturation and loss)
• Cost

[Diagram: Branch Offices connected to the Core Datacenter by "sticky tape" and "wet string" – HLLB, High Latency Low Bandwidth]

Page 5: Securing the Branch…

• Improve bandwidth (cache, compress, etc.); take back control of the WAN; take back control of the LAN
• Select branch application platforms; assume branch conditions in design; train internal development
• Enable management remotely; start patching (easier said than done); user training and enablement
• Control of task-based work; technologies like SRP (Software Restriction Policies), ACLs, LUA (least-privileged user accounts); clear policy, technically enforced

Page 6: Improve Bandwidth – cache, compress, etc.

• If you can, improve it – it removes the root cause
• Increase bandwidth contracts at the next window
• Consider local Internet breakout with VPN, MPLS, etc. over leased lines
• Bandwidth has a high correlation with security
• Caching technology is a great enabler

[Diagram: Datacenter – firewall or router – Branch; Datacenter concentrator]

Page 7: Improve Bandwidth – caching and compression

ISA Server Branch Feature Pack
• BITS caching – so you can start to patch: one download for all clients; works for WUAC, WSUS, SMS and all Microsoft BITS traffic
• HTTP compression – reduces the bandwidth required for HTTP streams
• HTTP-based Quality of Service – tags QoS for network equipment based on URL

Caching and pre-population
• Depending on your cache device, content can be pre-deployed during low-bandwidth times (like 00:00–04:00)
• Windows Server 2003 R2 components like Remote Differential Compression
• Appliances like Tacit etc. that do workload caching

Page 8: Take Back Control of the WAN

Authenticate traffic using the WAN
• Worms are anonymous – authentication defeats them
• Start reducing non-essential, non-controlled traffic
• Example – the Branch Users group can access RPC UUID 00AABB-FA00000 on AppSRV1
• Control which protocols each user class can use – block all others – map the network to the business
• Requires a Layer 7 (application layer) device

Protocol-inspect the WAN
• Check the syntax of the HTTP, SMTP, RPC, DNS, etc. in use – enforce protocol conformance to reduce non-standard (overflow) attacks
• Goal is to prevent infection from leaving or entering the branch
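The slide's "authenticate traffic, then map the network to the business" idea, as an added example that is not part of the deck and does not use the ISA Server RPC filter the slide describes: it does the same job on the application server itself with Windows Firewall with Advanced Security and IPsec (Windows Server 2012 or later). Inbound traffic from the branch range must authenticate with Kerberos machine credentials, and only computers in a named AD group may reach the application port. The domain CONTOSO, the group "Branch Workstations", the subnet 10.20.0.0/16 and port 443 are assumptions; AppSRV1 is the deck's name for the server.

```powershell
# Added example (not from the original deck). Run as Administrator on the
# application server (AppSRV1). Assumed, not from the deck: domain CONTOSO,
# machine group "Branch Workstations", branch subnet 10.20.0.0/16, TCP 443.
$BranchSubnet = '10.20.0.0/16'
$AppPort      = 443
$MachineGroup = 'CONTOSO\Branch Workstations'

# 1. Main-mode authentication = Kerberos machine credentials. A worm or an
#    unmanaged box has no domain machine account, so it cannot complete the
#    IKE exchange and its packets never reach the listening socket.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Branch machine auth (Kerberos)' -Proposal $proposal

# 2. Connection security rule: inbound from the branch range must be
#    authenticated; outbound only requests it so nothing else breaks.
New-NetIPsecRule -DisplayName 'Require auth from branch subnet' `
    -RemoteAddress $BranchSubnet `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name | Out-Null

# 3. Map the network to the business: only computers in the branch
#    workstation group may open the application port. The rule takes the
#    group as an SDDL string, so resolve the group to its SID first.
$account = [System.Security.Principal.NTAccount]$MachineGroup
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$sddl    = "O:LSD:(A;;CC;;;$sid)"

New-NetFirewallRule -DisplayName "Branch workstations to app port $AppPort" `
    -Direction Inbound -Protocol TCP -LocalPort $AppPort `
    -RemoteAddress $BranchSubnet `
    -Authentication Required -RemoteMachine $sddl -Action Allow | Out-Null

# 4. Anything else from the branch range is dropped by the profile's
#    default inbound action; make sure that default really is Block and log it.
Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Block -LogBlocked True

# 5. Verify what was created.
Get-NetIPsecRule -DisplayName 'Require auth from branch subnet' |
    Format-Table DisplayName, Enabled, InboundSecurity, OutboundSecurity
Get-NetFirewallRule -DisplayName "Branch workstations to app port $AppPort" |
    Get-NetFirewallSecurityFilter | Format-Table Authentication, RemoteMachine
```

Group membership is evaluated from the Kerberos ticket the branch computer presents, so a machine added to the group needs a reboot (or a ticket refresh) before the rule admits it. Scope the IPsec rule to the branch range only, as above, so domain controllers and management hosts outside that range are not affected.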

Page 9: Take Back Control of the LAN

Branch host-based firewalls on clients
• Machines treat other network peers as hostile and untrusted
• XP (SP2) and WS2003 (SP1) have one built into the OS; other OSes rely on third-party providers
• Usually branch workloads allow this feature to be turned on
• Windows Firewall doesn't block outbound traffic – APT will
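Treating LAN peers as hostile on a task-based branch PC, as an added example that is not part of the deck. It uses the Windows Firewall of Windows 8 / Server 2012 or later, which, unlike the XP SP2 firewall the slide refers to, can also block outbound traffic: default-deny in both directions, the peer-to-peer inbound exceptions disabled, and an outbound allow-list of just the domain controllers, the patch source and the line-of-business application. The teller application path and every address below are assumptions.

```powershell
# Added example (not from the original deck). Run as Administrator on the
# branch workstation; test on a VM first, because a mistake in the outbound
# list cuts the PC off from the domain. Assumed, not from the deck:
$TellerExe  = 'C:\Program Files\Teller\teller.exe'   # line-of-business client
$AppServer  = '10.1.2.3'                              # AppSRV1
$WsusServer = '10.1.2.20'                             # WSUS / ISA cache in the datacenter
$DCs        = '10.1.1.10','10.1.1.11'                 # domain controllers
$LogFile    = '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'

# 1. Firewall on for every profile, default-deny both ways, log the drops so
#    the datacenter can see what the branch is trying to do.
Set-NetFirewallProfile -All -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -LogBlocked True -LogFileName $LogFile -LogMaxSizeKilobytes 8192

# 2. Disable the inbound exceptions that peer-to-peer worms ride on. A teller
#    PC has nothing to offer another teller PC.
foreach ($group in 'File and Printer Sharing', 'Remote Desktop', 'Windows Remote Management') {
    Disable-NetFirewallRule -DisplayGroup $group -ErrorAction SilentlyContinue
}

# 3. Outbound allow-list: directory services to the DCs (DNS, Kerberos, LDAP,
#    SMB for Group Policy, RPC end-point mapper plus the dynamic range),
#    patches from WSUS, and the teller application to its server.
New-NetFirewallRule -DisplayName 'Domain services TCP to DCs' -Direction Outbound `
    -Protocol TCP -RemoteAddress $DCs `
    -RemotePort 53,88,135,389,445,464,636,3268,'49152-65535' -Action Allow | Out-Null
New-NetFirewallRule -DisplayName 'Domain services UDP to DCs' -Direction Outbound `
    -Protocol UDP -RemoteAddress $DCs -RemotePort 53,88,123,389 -Action Allow | Out-Null
New-NetFirewallRule -DisplayName 'Windows Update to WSUS' -Direction Outbound `
    -Protocol TCP -RemoteAddress $WsusServer -RemotePort 8530,8531 -Action Allow | Out-Null
New-NetFirewallRule -DisplayName 'Teller app to AppSRV1' -Direction Outbound `
    -Program $TellerExe -Protocol TCP -RemoteAddress $AppServer -RemotePort 443 -Action Allow | Out-Null
# DHCP renewals go from UDP 68 to 67 and are not covered by any rule above.
New-NetFirewallRule -DisplayName 'DHCP client' -Direction Outbound `
    -Protocol UDP -LocalPort 68 -RemotePort 67 -Action Allow | Out-Null

# 4. Show the effective outbound allow rules. The built-in 'Core Networking'
#    rules the OS needs stay enabled; everything not listed is now dropped.
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow |
    Sort-Object DisplayGroup, DisplayName | Format-Table DisplayGroup, DisplayName -AutoSize
```

Remote management from the datacenter needs its own inbound rules, scoped to the management subnet; the point of the exercise is that every exception is one you chose, not a default. If the DCs use a fixed RPC port range, replace 49152-65535 with it.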

Page 10: Select Branch Application Platforms

• Decisions on the branch network are taken by the network team – with little consultation on infrastructure concerns
• Architects can buy applications based on relationships/golf games, not capability
• SLAs and bandwidth have been "under-negotiated"
• Many environments have near-total network infrastructure monopolies; other architectures exist
• Network companies want to sell, in this order: leased line, MPLS, xDSL

Page 11: Assume Branch Conditions in Design – Train Internal Development

• Look at the development and purchasing culture – how are applications for remote offices decided?
• Large move to web-based applications in remote offices, but caching or HTTP acceleration is seldom thought of
• Browser clients still require OS patching etc., and it should be thought of
• Consider deployment of caching and application acceleration infrastructure
• Train in-house developers to think about the deployment conditions they are writing for – send them to work in a remote office for a couple of days

Page 12: Enable Management Remotely

A lot of remote management capabilities already exist

Point-to-point technologies
• Terminal Services is fairly efficient in bandwidth terms
• HTTP-based server consoles like SATK
• Remote access like RPC consoles (not recommended)
• Windows Server 2003 R2 adds things like the Print Management Console

Breadth management tools
• SMS and MOM are now increasingly bandwidth friendly
• Management tools are moving to BITS as the transfer mechanism
• Other third-party tools are increasingly improving their bandwidth usage

Page 13: What is the Management Response Plan for Branches?

Some questions to ask:
• How do you contain branch failure?
• How will you detect branch failure?
• What are your SLAs to the business?
• Are there "high value assets" at the branch?
• Does your expenditure on remote offices correlate to the above?

Page 14: Start Patching (easier said than done)

• Patch management is reactive – but necessary
• Most companies don't patch due to bandwidth

Technology                | Cost        | Flexibility   | Bandwidth savings                 | Control                                    | Notes
WUAC                      | Low         | Low – MS only | None                              | None – MS approves                         | Core product only; with Microsoft Update also Office, SQL, Exchange
WSUS                      | Low–Med     | Medium        | Full if WSUS is local, else none  | Admin approves                             | MS core product only – admins approve – requires IIS locally at the branch (to cache)
ISA 2004 BO + WSUS or SMS | Low–Med     | Medium–High   | Full – ISA caches, WSUS approves  | Admin approves                             | No IIS locally – the firewall does other tasks and caches; no SMS distribution point required
SMS or other management   | Medium–High | High          | SMS – full; others depend         | SMS – admin has full control; others depend | SMS offers a full solution including rollback, local distribution, etc.
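The WSUS row of the table and the pre-population slot on page 7 (one download for the branch, pulled at 00:00–04:00), as an added example that is not part of the deck: it points a branch client at an intranet update source, schedules the install, and throttles BITS during business hours so patch traffic only takes the WAN when the branch is idle. Every setting is a Group Policy-backed registry value, written directly here for a lab machine; in production the same values go in a GPO. The server name, target group, hours and rates are assumptions.

```powershell
# Added example (not from the original deck). Run as Administrator on a lab
# client; in production deploy the same values through a GPO. Assumed, not
# from the deck:
$WsusUrl     = 'http://wsus.contoso.com:8530'  # WSUS (or ISA-cached) update source
$TargetGroup = 'Branch-Workstations'           # WSUS client-side target group
$BizStart, $BizEnd = 8, 18                     # business hours, local time (24h)
$DayRateKbps = 64                              # BITS cap on the WAN during those hours
$InstallHour = 3                               # install at 03:00, inside the deck's 00:00-04:00 window

function Set-PolicyValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

$wu   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au   = "$wu\AU"
$bits = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\BITS'

# 1. Intranet update source: the client never fetches from Microsoft Update over the WAN.
Set-PolicyValue $wu 'WUServer'           $WsusUrl 'String'
Set-PolicyValue $wu 'WUStatusServer'     $WsusUrl 'String'
Set-PolicyValue $wu 'TargetGroupEnabled' 1
Set-PolicyValue $wu 'TargetGroup'        $TargetGroup 'String'

# 2. Automatic Updates: download in the background, install on the schedule.
Set-PolicyValue $au 'UseWUServer'          1
Set-PolicyValue $au 'NoAutoUpdate'         0
Set-PolicyValue $au 'AUOptions'            4   # 4 = auto download and schedule the install
Set-PolicyValue $au 'ScheduledInstallDay'  0   # 0 = every day
Set-PolicyValue $au 'ScheduledInstallTime' $InstallHour

# 3. BITS: cap background transfers while the branch is working, full link
#    speed outside that window. This is what makes pre-population work.
Set-PolicyValue $bits 'EnableBITSMaxBandwidth'    1
Set-PolicyValue $bits 'MaxBandwidthValidFrom'     $BizStart
Set-PolicyValue $bits 'MaxBandwidthValidTo'       $BizEnd
Set-PolicyValue $bits 'MaxTransferRateOnSchedule' $DayRateKbps
Set-PolicyValue $bits 'UseSystemMaximum'          1   # uncapped outside the window

# 4. Make the services re-read policy, trigger a detection cycle, list the BITS jobs.
Restart-Service -Name BITS, wuauserv
(New-Object -ComObject 'Microsoft.Update.AutoUpdate').DetectNow()
Import-Module BitsTransfer
Get-BitsTransfer -AllUsers | Format-Table DisplayName, JobState, BytesTransferred, BytesTotal
```

The throttle is per client, so size $DayRateKbps against the number of clients sharing the branch link, not the link itself. Whether the download crosses the WAN once or once per client depends on what sits at the branch end (a local WSUS, the ISA BITS cache, or nothing), which is the distinction the table's "bandwidth savings" column makes.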

Page 15: User Training and Enablement

User training is key – users can be useful to IT
• Users (like pets) can help you – if you train them
• The branch manager etc. can be delegated some tasks
• Equipment can be swapped out by users, if it and your design are IPA (Idiot Proof Architecture)
• Security policy should be communicated to the user base – and peer enforced
• Users are IT's eyes and ears at the branch

Page 16: Control of Task-Based Work – Execution Control

[Chart: Execution Control Cost – cost (0 to 1400) plotted against risk factor (1 to 5)]

• Whitelists like Software Restriction Policy require business investment – but are the most effective
• Blacklist technologies are "appliantized", easy to deploy and require signature payments – perfect for the security industry, bad for you
• You will need to buy lots of different blacklist technologies
• If your tellers only use the bank application – and they can only run it (and nothing else) – do you need AV?
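The teller scenario as a deny-by-default Software Restriction Policy, added here as an example and not part of the deck. It writes the policy straight to the registry keys SRP reads, which is useful for building and testing the rule set on a lab VM; in production the same rules belong in a GPO so they are re-applied. The allow list is the operating system plus one application directory, and the example also closes the classic hole in an allow-Windows rule: subdirectories of %SystemRoot% that ordinary users can write to. The application path is an assumption.

```powershell
# Added example (not from the original deck). Run as Administrator on a lab
# VM; sign out and back in (or reboot) for the policy to take effect.
# Assumed, not from the deck: the teller application lives here and the
# branch has no other sanctioned software outside %SystemRoot%.
$TellerDir = 'C:\Program Files\Teller'

$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0
$Unrestricted = 262144   # 0x40000

function Add-SrpPathRule {
    param([int]$Level, [string]$Path, [string]$Description)
    # Path rules live under CodeIdentifiers\<level>\Paths\{guid}
    $key = Join-Path $Safer "$Level\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'ItemData'    -Value $Path        -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $key -Name 'SaferFlags'  -Value 0            -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Description' -Value $Description -PropertyType String       -Force | Out-Null
}

# Start from a clean slate so re-running the script does not pile up rules.
if (Test-Path $Safer) { Remove-Item $Safer -Recurse -Force }
New-Item -Path $Safer -Force | Out-Null

# 1. Security level: everything is Disallowed unless a rule says otherwise.
New-ItemProperty -Path $Safer -Name 'DefaultLevel'        -Value $Disallowed -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $Safer -Name 'TransparentEnabled'  -Value 2 -PropertyType DWord -Force | Out-Null  # 2 = check DLLs too
New-ItemProperty -Path $Safer -Name 'PolicyScope'         -Value 1 -PropertyType DWord -Force | Out-Null  # 1 = all users except local admins
New-ItemProperty -Path $Safer -Name 'AuthenticodeEnabled' -Value 0 -PropertyType DWord -Force | Out-Null
# Default executable list plus script-host extensions. LNK is deliberately
# left out: with it in, every desktop shortcut outside the allowed paths is blocked.
New-ItemProperty -Path $Safer -Name 'ExecutableTypes' -PropertyType MultiString -Force `
    -Value @('ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF',
             'INS','ISP','JS','JSE','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF',
             'PS1','REG','SCR','SHS','URL','VB','VBE','VBS','WSC','WSF','WSH') | Out-Null

# 2. Allow list: the operating system and the one sanctioned application.
Add-SrpPathRule $Unrestricted '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%' 'Windows'
Add-SrpPathRule $Unrestricted $TellerDir 'Bank teller application'

# 3. Close the holes in the allow list: directories under %SystemRoot% that
#    ordinary users can write to would otherwise let them run anything.
#    Enumerate your own build with icacls or accesschk; these are the usual ones.
foreach ($d in 'Temp','Tasks','tracing','Registration\CRMLog','System32\spool\drivers\color') {
    Add-SrpPathRule $Disallowed "%SystemRoot%\$d" "User-writable under Windows: $d"
}

# 4. Show the resulting rule set.
Get-ChildItem -Path $Safer -Recurse |
    Where-Object { $_.PSChildName -like '{*}' } |
    ForEach-Object { Get-ItemProperty $_.PSPath | Select-Object Description, ItemData }
```

PolicyScope 1 leaves local administrators out of the policy, which is exactly why the admin-rights point on the next pages matters: a user who is a local administrator is not constrained by this at all. If a GPO that sets SRP also applies to the machine, it overwrites these keys at the next policy refresh.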

Page 17: Technologies like SRP, ACLs, LUA

• Remove admin privileges from task-based users – until Vista this will be very difficult to do for information workers
• Active Directory driven Group Policy provides a repeatable, re-applied lockdown – but GPOs depend on DC placement (bandwidth)
• Usually anti-(*.*) takes management and bandwidth for signatures
• Access Control Lists etc. can be very expensive to deploy – LUA for Vista and SRP aren't widely deployed
• For information-worker branch users, full management is required for security: consider AD GPO, SRP, host-based firewalls, auto patching

Page 18: Clear Policy, Technically Enforced

Optimal policy enforcement
• Do your users know what their policy is?
• Do they know it's NOT OK to let someone take the server away "for repair" without authorisation?
• Can you technologically enforce your security policy – if not, why is it there?
• Did you write your policy with legal guidance?
• Have you adjusted your policy for the branch environment?
• Do you have a monitoring infrastructure in place to detect contravention?
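The last question on this page and the "remove admin privileges" point on page 17, as one added example that is not part of the deck: a check run from the datacenter against branch machines over PowerShell remoting that reports two kinds of contravention, programs that Software Restriction Policy blocked (someone trying to run unsanctioned code) and accounts that have crept into the local Administrators group. The computer names and the sanctioned-admin list are constructed; the SRP event IDs 865 to 868 in the Application log are the ones Windows has used since XP, but verify them on your build.

```powershell
# Added example (not from the original deck). Needs WinRM from the
# management host to the branch machines. Assumed, not from the deck:
$Branches         = 'BR01-TELLER1','BR01-TELLER2'                 # constructed names
$SanctionedAdmins = 'CONTOSO\Domain Admins','CONTOSO\Branch-IT'   # who may be a local admin
$Since            = (Get-Date).AddHours(-24)

function Get-SrpViolations {
    param([string]$Computer, [datetime]$Since)
    Invoke-Command -ComputerName $Computer -ArgumentList $Since -ScriptBlock {
        param($Since)
        # 865 = blocked by default level, 866 = by path rule, 867 = by certificate rule,
        # 868 = by zone/hash rule. Verify the IDs on your build of Windows.
        $filter = @{ LogName = 'Application'; Id = 865,866,867,868; StartTime = $Since }
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                UserSid = $_.UserId.Value                    # who tried to run it
                EventId = $_.Id
                What    = ($_.Message -split "`r?`n")[0].Trim()
            }
        }
    } | Select-Object @{n='Computer';e={$Computer}}, Time, UserSid, EventId, What
}

function Get-UnsanctionedAdmins {
    param([string]$Computer, [string[]]$Sanctioned)
    Invoke-Command -ComputerName $Computer -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' |
            Select-Object Name, ObjectClass, @{n='Sid';e={$_.SID.Value}}
    } |
    # The built-in local Administrator (RID 500) and the sanctioned groups are expected;
    # anything else is a finding.
    Where-Object { $_.Sid -notlike '*-500' -and $Sanctioned -notcontains $_.Name } |
    Select-Object @{n='Computer';e={$Computer}}, Name, ObjectClass, Sid
}

$report = foreach ($c in $Branches) {
    Get-SrpViolations     -Computer $c -Since $Since
    Get-UnsanctionedAdmins -Computer $c -Sanctioned $SanctionedAdmins
}
$report | Format-List
```

Run it on a schedule and alert on any row at all; on a task-based workstation both lists should be empty. The events live only on the branch machine, so if the WAN is down you cannot see them, which is the "how will you detect branch failure" question from page 13: forward the Application log to the datacenter as well, rather than relying on polling.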

Page 19: Resources

The latest news on Microsoft security: www.microsoft.com/uk/security
www.microsoft.com/uk/technet

Read and contribute to our blogs:
http://blogs.technet.com/sandeep/default.aspx
http://blogs.technet.com/fred/default.aspx

Page 20: We are better at this stuff than you think…