CHAPTER 14
SECURING AN EXTRANET
The area of a private network that hosts Internet-accessible resources is called an extranet.
Scenario:
offers on the Internet.
to all Internet-accessible resources while maintaining the security of the private network.
to Internet-accessible resources without exposing the internal IP addressing scheme to the public
network. Must use NAT to translate addresses from private to public.
======================================================================
winsec14.html PAGE
2 2002/05/07
Lesson 1:
Identifying Common Firewall Strategies
This configuration is commonly referred to as a Demilitarized Zone (DMZ), perimeter network, or
screened subnet. This internal firewall ensures protection of the private network if the external
firewall or resources in the extranet are compromised.
What is an Extranet?
The challenge is to configure firewalls in such a way as to allow Internet users into a portion of the
private network without granting them access to the entire network. The area of a private network
that hosts Internet-accessible resources is called an extranet.
Web server content is the most common network resource that organizations make available on the
Internet.
Identifying Firewall Features to Protect the Extranet
In the simplest deployment, a firewall is placed between the private and public networks to secure
the private network from the public network.
A firewall acts as a barrier against attacks launched from the public network. To protect the private
network, firewalls can offer a suite of services, including:
Network Address Translation (NAT). Translation of the source address of all outbound packets
from a private network address to a public network address.
Packet filtering. Configuration of rules at a firewall that define which protocols are allowed to pass
through the firewall.
Static address mapping. Configuration of how incoming packets are re-routed to servers using
private network addressing.
Stateful inspection of network traffic. Verification that protocols are following basic rules of
communications.
Advanced features that detect common attacks against the private network. These include
setting time-outs for incomplete session establishment and inspecting the content of incoming packets.
Protecting Private Network Addressing with NAT
NAT prevents exposure of the IP addressing scheme used on your private network. An attacker
with knowledge of the IP addressing scheme can attempt an IP spoofing attack by sending packets
to the network with the falsified IP source address of a trusted private network address.
There are three ranges of IP addresses for private network addressing:
10.0.0.0 – 10.255.255.255 (10.0.0.0/8)
172.16.0.0 – 172.31.255.255 (172.16.0.0/12)
192.168.0.0 – 192.168.255.255 (192.168.0.0/16)
Packet Filters
Once you’ve deployed a firewall, you must establish firewall rules to define what data is allowed to
enter and exit the private network. Firewall rules are made up of individual packet filters. A firewall
uses a packet filter to profile a protocol so that data transmitted using that protocol can be identified.
A packet filter is typically composed of fields that profile a protocol and identify what action to take
if the protocol attempts to pass through the firewall. The fields used by packet filters include:
Source address. The individual IP address or network IP address from which the data
originates.
Destination address. The individual IP address or network IP address to which the
data is sent.
Destination port. The port that the server uses to listen for connections. IP-based
servers and applications listen for connections on a predefined port.
Protocol. Applications and services use a specific protocol ID or a transport layer
protocol for transporting application data. If the application or service uses a transport layer
protocol, it will be either TCP or UDP.
Action. Options include Allow or Deny.
Many firewalls include an option to mirror all packet filters. Mirroring is necessary to allow
response packets to return to the source client computers.
Mirroring simply switches the source and destination information to allow the response packets
to cross the firewall.
Static Address Mapping
Use static address mapping at a firewall to redirect incoming traffic to Internet-accessible resources
hidden behind the firewall. The resources are advertised on the Internet with publicly accessible
IP addresses. When the firewall receives the packets, it translates the destination address
to the true IP address of the resource behind the firewall and redirects the data to that resource.
Combined with packet filtering rules, static address mapping allows you to define authorized
protocols and redirect the protocols to servers located in a DMZ.
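The packet filter fields, the mirroring of filters, and static address mapping described in the two sections above can be put together in a few dozen lines. The following is an added example written for these notes, not code from the original page or from any firewall product; every address, port and rule in it is constructed (203.0.113.10 is the advertised public address, 10.20.20.10 the true address of a Web server in the DMZ), and the order "translate the destination, then filter" is a modelling choice.

```python
"""Packet filters, mirroring and static address mapping, modelled in Python.

Added example, not code from the original notes or from any firewall
product. All addresses, ports and rules are constructed for the
demonstration: 203.0.113.10 is the advertised public address and
10.20.20.10 is the true address of a Web server in the DMZ.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                     # "tcp", "udp", or a protocol ID such as "47" (GRE)
    sport: Optional[int] = None    # None for protocols without ports
    dport: Optional[int] = None


@dataclass(frozen=True)
class Filter:
    """One packet filter: the fields listed in the notes plus a source port,
    which is what a mirrored filter has to match on."""
    source: str                    # single address or CIDR network
    destination: str
    proto: str
    action: str                    # "allow" or "deny"
    dport: Optional[int] = None    # None matches any destination port
    sport: Optional[int] = None    # None matches any source port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.source)
                and ip_address(pkt.dst) in ip_network(self.destination)
                and self.proto == pkt.proto
                and (self.dport is None or self.dport == pkt.dport)
                and (self.sport is None or self.sport == pkt.sport))


def mirror(f: Filter) -> Filter:
    """Mirroring swaps source and destination (addresses and ports) so that the
    response packets of an allowed connection can cross the firewall."""
    return Filter(source=f.destination, destination=f.source, proto=f.proto,
                  action=f.action, dport=f.sport, sport=f.dport)


def evaluate(pkt: Packet, filters: List[Filter], default: str = "deny") -> str:
    """First matching filter decides; anything unmatched gets the default action."""
    for f in filters:
        if f.matches(pkt):
            return f.action
    return default


def apply_static_mapping(pkt: Packet, static_map: Dict[str, str]) -> Packet:
    """Rewrite the destination from the advertised public address to the true
    private address of the resource behind the firewall (unchanged otherwise)."""
    if pkt.dst in static_map:
        return Packet(pkt.src, static_map[pkt.dst], pkt.proto, pkt.sport, pkt.dport)
    return pkt


# Constructed configuration: one advertised service, HTTP to the DMZ Web server.
STATIC_MAP = {"203.0.113.10": "10.20.20.10"}
INBOUND_FILTERS = [Filter("0.0.0.0/0", "10.20.20.10", "tcp", "allow", dport=80)]
# Mirrored copies let the Web server's replies (source port 80) leave again.
ALL_FILTERS = INBOUND_FILTERS + [mirror(f) for f in INBOUND_FILTERS]


def process(pkt: Packet) -> Tuple[str, Packet]:
    """Modelled pipeline: translate the destination first, then apply the
    packet filters (default deny) to the translated packet."""
    translated = apply_static_mapping(pkt, STATIC_MAP)
    return evaluate(translated, ALL_FILTERS), translated


if __name__ == "__main__":
    web = Packet("198.51.100.7", "203.0.113.10", "tcp", sport=51234, dport=80)
    telnet = Packet("198.51.100.7", "203.0.113.10", "tcp", sport=51235, dport=23)
    reply = Packet("10.20.20.10", "198.51.100.7", "tcp", sport=80, dport=51234)
    for p in (web, telnet, reply):
        action, t = process(p)
        print(f"{p.src}->{p.dst}:{p.dport} ({p.proto}) => {action}, delivered to {t.dst}")
```

Running it shows the three outcomes the notes describe: HTTP to the advertised address is allowed and delivered to the private address, Telnet to the same address falls through to the default deny, and the server's reply only crosses because the mirrored filter matches on source port 80 (a packet from the server with any other source port is still dropped). Without mirroring, `evaluate` would deny every response.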
Stateful Inspection
In higher-security networks, simple packet filters may not provide enough security. Packet filters
define which ports are left open at the firewall to redirect network traffic to Internet-accessible
resources. Many protocols utilize random ports above port 1024 at the client computer side.
Opening up all ports above 1024 can leave both the firewall and the private network resources
susceptible to attack.
Stateful inspection allows firewall rules to be established so that UDP-based protocols such as
SNMP can pass through firewalls successfully.
Advanced Techniques
In addition to these services, firewalls provide advanced security through the following features:
Configuring Time-out tolerance. Some attacks attempt to lock up the firewall by flooding it with
incomplete TCP sessions. The time-out tolerance allows the firewall to disconnect these sessions
before the SYN queue overflows.
Content Scanning. Although packet filtering can restrict protocols, it can’t inspect commands
within a protocol.
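The "Stateful Inspection" and "Advanced Techniques" sections above both come down to one mechanism: the firewall keeps a table of sessions it has seen start and uses it both to admit replies and to expire sessions that never complete. The following connection-table model is an added example for these notes (not code from the page or from any product); its time-outs, addresses and ports are constructed, and time is passed in as a number so the results are reproducible.

```python
"""Stateful inspection with session time-outs, modelled as a connection table.

Added example, not code from the original notes or any product. It models
two points from the notes: a UDP reply is admitted only if it answers a
request the firewall already saw leaving (instead of opening every port
above 1024), and sessions that never complete are expired so a flood of
half-open sessions cannot fill the table. Time is passed in explicitly so
the behaviour is deterministic; all addresses and ports are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

# (initiator address, initiator port, responder address, responder port, protocol)
Key = Tuple[str, int, str, int, str]


@dataclass
class Entry:
    created: float
    last_seen: float
    established: bool = False   # True once the responder has answered


class StateTable:
    def __init__(self, half_open_timeout: float = 30.0,
                 idle_timeout: float = 300.0, max_entries: int = 1000) -> None:
        self.half_open_timeout = half_open_timeout   # the notes' "time-out tolerance"
        self.idle_timeout = idle_timeout
        self.max_entries = max_entries
        self.table: Dict[Key, Entry] = {}

    def expire(self, now: float) -> None:
        """Drop half-open entries after the time-out tolerance and established
        ones after the idle time-out, freeing room for new connections."""
        for key, e in list(self.table.items()):
            limit = self.idle_timeout if e.established else self.half_open_timeout
            if now - e.last_seen > limit:
                del self.table[key]

    def open_session(self, src: str, sport: int, dst: str, dport: int,
                     proto: str, now: float) -> bool:
        """Record a session the packet filters allowed to start. Returns False
        when the table is full, which is the state a SYN flood tries to cause."""
        self.expire(now)
        if len(self.table) >= self.max_entries:
            return False
        self.table[(src, sport, dst, dport, proto)] = Entry(now, now)
        return True

    def reply_allowed(self, src: str, sport: int, dst: str, dport: int,
                      proto: str, now: float) -> bool:
        """Admit a packet only if it is the reverse of a tracked session."""
        self.expire(now)
        entry = self.table.get((dst, dport, src, sport, proto))
        if entry is None:
            return False
        entry.established = True
        entry.last_seen = now
        return True


def snmp_demo() -> Tuple[bool, bool, bool]:
    """Private host 10.20.20.5 polls an SNMP agent at 198.51.100.20 (UDP 161).
    Returns (reply admitted, unsolicited packet admitted, late reply admitted)."""
    st = StateTable(half_open_timeout=30.0)
    st.open_session("10.20.20.5", 49152, "198.51.100.20", 161, "udp", now=0.0)
    genuine = st.reply_allowed("198.51.100.20", 161, "10.20.20.5", 49152, "udp", now=1.0)
    # Same high port on the private host, but from a peer nobody asked: no state.
    unsolicited = st.reply_allowed("198.51.100.99", 161, "10.20.20.5", 49152, "udp", now=2.0)
    st.open_session("10.20.20.5", 49153, "198.51.100.20", 161, "udp", now=10.0)
    late = st.reply_allowed("198.51.100.20", 161, "10.20.20.5", 49153, "udp", now=45.0)
    return genuine, unsolicited, late


def syn_flood_demo() -> Tuple[bool, bool]:
    """100 half-open sessions fill a 100-entry table; a legitimate client is
    refused until the time-out tolerance clears them. Returns (accepted
    while flooded, accepted after expiry)."""
    st = StateTable(half_open_timeout=30.0, max_entries=100)
    for i in range(100):
        st.open_session("198.51.100.7", 1024 + i, "10.20.20.10", 80, "tcp", now=0.0)
    during = st.open_session("198.51.100.8", 40000, "10.20.20.10", 80, "tcp", now=1.0)
    after = st.open_session("198.51.100.8", 40000, "10.20.20.10", 80, "tcp", now=31.0)
    return during, after


if __name__ == "__main__":
    print("SNMP (genuine, unsolicited, late):", snmp_demo())
    print("SYN flood (during, after expiry):", syn_flood_demo())
```

The SNMP case is the point of the "Stateful Inspection" section: the reply on the client's ephemeral port is admitted because it matches state, while a packet to that same port from a different peer is not, so no range of high ports has to be opened. The second demo is the time-out tolerance from "Advanced Techniques": while the half-open entries sit in the table a new client is refused, and once `expire` has removed them the same client gets in.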
Designing Firewall Features to Protect Internet-Accessible Resources
=====================================================================
Feature                 Use this firewall feature to do the following
=====================================================================
NAT                     Prevent the private network addressing scheme from
                        being revealed.
                        Hide the true IP address of private network resources
                        when accessing Internet-based resources.
Packet filters          Manage which protocols are allowed to cross between
                        the private network and the public network.
                        Define what action to take if a protocol is identified
                        when crossing the firewall.
                        Define a default action to take if a protocol doesn’t
                        meet any of the defined packet filters.
Static address mapping  Advertise Internet-accessible resources that have
                        private network addresses using public network
                        addressing.
                        Hide the true IP address of Internet-accessible
                        resources.
Stateful inspection     Protect UDP-based protocols that must enter the
                        private network.
                        Detect session hijacking attempts.
                        Detect application-level attacks that attempt to bypass
                        the packet filters established for a protocol.
Time-out tolerance      Prevent SYN flood attacks by closing sessions that
                        have timed out.
                        Free up connections for new connection attempts if
                        the connection is left idle.
Content scanning        Prevent specific application commands from being
                        issued within a protocol. Detect viruses.
Comparing DMZ Configurations
DMZs have a variety of common names, including screened subnet and perimeter network.
Screened subnet refers to the function of a DMZ in network security. All network traffic that
attempts to enter or exit the DMZ is screened by packet filters to determine whether it is
allowed.
Networks use one of the following DMZ designs: a three-pronged firewall DMZ, a mid-ground
DMZ, or a hybrid (or multizone) DMZ.
Three-pronged firewall DMZ:
A three-pronged firewall DMZ consists of a firewall with three network interfaces. One interface
is connected to the private network, another is connected to the public network, and the final
interface is connected to the DMZ.
A DMZ is part of the private network and part of the public network. In a sense the DMZ is part
of the public network, because resources that are accessible to the public network are placed in
the DMZ. But the DMZ is also part of the private network because packet filters enforce which
protocols can be used to connect to each server located in the DMZ.
While deploying a three-pronged firewall, ensure that your firewall solution supports three
network interfaces. Each interface will be assigned to a zone and you must establish packet
filters that define the interaction allowed between each zone.
Mid-Ground DMZ:
You establish a mid-ground DMZ by using two firewalls. You place the first firewall between
the public network and the DMZ and the second firewall between the DMZ and the private
network.
As with a three-pronged firewall DMZ, the IP addressing used in the mid-ground DMZ can be
either private or public network addressing. Generally you will use private network addressing
in the DMZ unless there’s a requirement to establish IPSec connections through the external
firewall.
Hybrid DMZ:
Sometimes a single DMZ may not meet your business requirements. In these cases you can use
Hybrid DMZ. See page 554. In this scenario you create two DMZs to support the need for
IPSec connections and for protection of the private network addressing configuration for all other
Internet-accessible resources. One DMZ, containing the remote access server that will accept
IPSec connections, uses public network addressing. The second DMZ uses private network
addressing and contains all other Internet-accessible resources. The firewall prevents static
address mapping for all incoming traffic to the network segment.
You can also have multiple firewalls set up to establish two or more DMZs between the private
network and the public network.
Choosing Between DMZ configurations
===================================================================
Configuration               Use to meet these business objectives
===================================================================
Three-pronged firewall DMZ  To reduce the costs associated with deploying
                            firewalls. Only a single firewall is required for
                            this design.
                            To maintain a single packet filter list. The packet
                            filter rules determine which interface a packet
                            filter is applied to.
Mid-ground DMZ              To provide physical separation of the private
                            network from the public network, with the DMZ placed
                            between the private and public networks. An attacker
                            must breach two firewalls to access the private
                            network.
                            To reduce the chance that a breach of the external
                            firewall will lead to access to the private network.
                            If you use two different manufacturers for the
                            internal and external firewalls, you gain security
                            because different methods must be used to breach the
                            second firewall.
Hybrid DMZ                  To provide both private network and public network
                            addressing to DMZ segments.
                            To categorize Internet-accessible resources into
                            different levels of access that can be protected by
                            firewall strategies.
===================================================================
Lesson Summary:
ensuring access to Internet-accessible resources is secure.
only authorized data transactions can take place.
Lesson 2:
Securing Internet-Accessible Resources in a DMZ
With the DMZ you must secure resources to ensure that only authorized access takes place.
Securing IIS
The most common network resource exposed to the Internet is the content on a Web server.
Internet Information Service (IIS) 5.0 is included with Windows 2000 Server and allows an
organization to host Web sites.
You should consider additional security configurations for securing an IIS server.
renamed, but don’t choose names that are easy to guess when you rename them.
type, you can apply security specific to each content type.
then apply discretionary access control lists specific to the Web content type.
included with IIS 5.0 are installed by default and could provide tools to an attacker.
disable all unnecessary service, such as the Telnet or FTP service.
attacked. By using World Wide Web Consortium (W3C) Extended logging you choose
exactly which properties will be logged for each connection
attempt to the IIS server. Enable
ODBC log file.
addresses, credit cards, or password information should be protected by using application-
layer SSL protection.
the attack occurred, what kind of attack was attempted, and whether the attack was successful.
Site.
server security template (Hisecweb.inf) that you can apply to secure the Web server.
server to participate in an NLBS cluster, you can host the Web site on multiple servers
simultaneously. When a public network user connects to the shared address of the NLBS
cluster, the connection is directed to one of the nodes in the cluster. If a server in the NLBS
cluster is rendered inaccessible by an attack, the NLBS cluster recognizes that the node is
down and directs future traffic to the remaining servers in the cluster.
NOTE: NLBS allows weighting of nodes. This means that you can direct a higher percentage
of incoming traffic to the server with the most resources. For example, if your NLBS cluster is
comprised of a Pentium 166 MHz server and a Pentium 933 MHz, you’d want a higher
percentage of the connections to be established with a higher performance Web server.
Maintain the latest service packs and hot fixes for the Web server. Ensure that regular
updates to the operating system are applied so that security fixes included in the updates
are applied to the Web server.
Securing Other Services Within the DMZ
Within a DMZ you can expect to find several common resources. These include external
FTP servers, Telnet servers and DNS servers.
FTP services. The FTP service isn’t loaded by default in a Windows 2000 installation.
If you install the FTP service, be aware that the C:\Internet\Ftproot folder allows the
Everyone group Full Control by default. Consider changing the permissions and enabling
disk quotas to limit the amount of data that can be written to the FTP root.
Telnet servers. Telnet provides text-based access to a server’s disk subsystem. If it’s enabled,
all users could access the Telnet service by default. You can restrict access to Telnet servers
by creating a group named TelnetClients in either the local Security Account Management
(SAM) database of the Telnet server or, if the Telnet server is a member of a domain, within
Active Directory. Create a TelnetClients group.
DNS Services. Only externally accessible DNS resource records should be stored on a
DNS server located in the DMZ. Try to protect DNS.
Terminal Services. Restrict Terminal Services to administrators of the network by configuring
Terminal Services to operate in Remote Administration mode.
All Services. Use IPSec to limit access to these well-known ports by creating IPSec block
policies that will block access to other ports found on the server. The firewall can do the
filtering to protect the system.
IMPORTANT: If you want private network computers to connect to other ports on the server,
change the IPSec action to negotiate and define the encryption protocols that must be used for
the connection. Only members on the private network should be able to negotiate a security
association (SA) with the Web server.
In addition to securing the additional servers within the DMZ, you can also use IPSec to
configure the security of transmitted data between the servers located in the DMZ. Data
between the Web Server and the SQL Server is transferred and possibly encrypted. All of
this is between the DMZ Internal & External Walls.
Lesson Summary:
Don’t depend exclusively on firewalls to protect resources exposed to the Internet.
Ensure that each server in the DMZ is properly configured so that security will be maintained
even if a firewall is compromised.
Lesson 3:
Securing Data Flow Through a DMZ
Firewalls can regulate which protocols are allowed to enter and exit the DMZ.
By configuring the firewall to allow only the authorized protocols to connect to each server in
the DMZ, you can prevent hackers from attaching to the servers using alternate protocols.
Determining a Firewall Strategy
When configuring a firewall, decide between the following basic firewall strategies based on
your desired security level:
all protocols that are allowed to pass through the firewall.
all protocols that must be dropped at the firewall.
What about the Order of the Packet Filters?
The order in which packet filters are processed depends on the specific firewall product.
Firewalls typically process the packet filters using one of two common methods.
The first method is to process the packet filters in the order in which they’re entered.
The second method is to process the most specific packet filters before the more general packet
filters. In other words, a packet filter that restricts access to a specific server will be processed
before a packet filter that defines traffic between network segments.
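The two strategies named under "Determining a Firewall Strategy" (allow only listed protocols with everything else dropped, or drop only listed protocols with everything else allowed) and the two processing orders just described decide the same packet differently, which is why a general filter entered ahead of a specific one is a classic misconfiguration. The code below is an added example for these notes, not code from the page or from any firewall; its rules, addresses and the 10.20.20.0/24 DMZ range are constructed.

```python
"""Firewall strategy and packet-filter ordering.

Added example, not the notes' own code or any product's. It shows the two
basic strategies the notes name (allow-list with default deny for high
security, deny-list with default allow otherwise) and the two processing
orders they describe (order entered vs most-specific filter first). Rules
and addresses are constructed; 10.20.20.0/24 stands for the DMZ.
"""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# (source, destination, protocol, destination port, action); "any"/None = wildcard
Rule = Tuple[str, str, str, Optional[int], str]


def matches(rule: Rule, src: str, dst: str, proto: str, dport: int) -> bool:
    s, d, p, port, _ = rule
    return (ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d)
            and p in ("any", proto) and port in (None, dport))


def specificity(rule: Rule) -> int:
    """Longer prefixes and an explicit protocol/port make a filter more specific."""
    s, d, p, port, _ = rule
    return (ip_network(s).prefixlen + ip_network(d).prefixlen
            + int(p != "any") + int(port is not None))


def decide(rules: List[Rule], pkt: Tuple[str, str, str, int], default: str,
           most_specific_first: bool = False) -> str:
    """First method: walk the rules as entered. Second method: sort by
    specificity (stable sort, so ties keep entry order) and take the first match."""
    ordered = sorted(rules, key=specificity, reverse=True) if most_specific_first else rules
    for rule in ordered:
        if matches(rule, *pkt):
            return rule[4]
    return default


# A general rule entered before a specific one, as an administrator might do.
RULES: List[Rule] = [
    ("0.0.0.0/0", "10.20.20.0/24", "any", None, "allow"),   # whole DMZ reachable
    ("0.0.0.0/0", "10.20.20.5/32", "tcp", 23, "deny"),      # ...except Telnet to one host
]
TELNET = ("198.51.100.7", "10.20.20.5", "tcp", 23)


def ordering_demo() -> Tuple[str, str]:
    """Returns (decision in entry order, decision most-specific-first)."""
    return (decide(RULES, TELNET, "deny"),
            decide(RULES, TELNET, "deny", most_specific_first=True))


def strategy_demo() -> Tuple[str, str]:
    """An unlisted service (TCP 8080) under the two strategies:
    allow-list with default deny, then deny-list with default allow."""
    allow_list: List[Rule] = [("0.0.0.0/0", "10.20.20.10/32", "tcp", 80, "allow"),
                              ("0.0.0.0/0", "10.20.20.10/32", "tcp", 443, "allow")]
    deny_list: List[Rule] = [("0.0.0.0/0", "10.20.20.10/32", "tcp", 23, "deny")]
    pkt = ("198.51.100.7", "10.20.20.10", "tcp", 8080)
    return decide(allow_list, pkt, "deny"), decide(deny_list, pkt, "allow")


if __name__ == "__main__":
    print("Telnet to 10.20.20.5 (entry order, most specific first):", ordering_demo())
    print("TCP 8080 (allow-list/default deny, deny-list/default allow):", strategy_demo())
```

On a firewall that processes filters in the order entered, the Telnet packet is allowed because the general "whole DMZ" filter matches first; the same list evaluated most-specific-first denies it. The practical check is therefore to know which method your product uses and, for order-entered products, to place host-specific deny filters above any network-wide allow. The strategy demo shows why the high-security approach is the allow-list: a service nobody listed (TCP 8080 here) is dropped under default deny but silently admitted under default allow.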
DNS must be in internal & external, so you can allow “forwarding”.
In High Security, do this: Allow certain protocols and packets and Deny everything else.
Securing Web Traffic
A Web server is one of the most common network resources made available for Internet Access.
A Web server listens for connections from external client computers on TCP port 80 for HTTP
connections and on TCP port 443 for HTTPS connections. In High Security do this: Allow
certain protocols and packets and Deny everything else. This gives you control of the traffic.
Securing FTP Traffic
FTP allows data to be transferred to and from a central location.
FTP uses two separate channels for FTP sessions: a control stream (a connection to
TCP port 21) to send FTP commands from the FTP client software to the FTP server, and a
data stream (a connection to TCP port 20) for transferring data.
To restrict FTP connections from the Internet, you typically place the FTP server in a DMZ.
NOTE: The packet filters listed on page 576 assume that active FTP clients exist on the
network. The last two packet filters allow data transfers initiated by the FTP server to pass
through the external firewall. If the FTP clients were passive, you could remove the last two
filters from the packet filter listing.
Securing Mail Traffic
Many organizations use e-mail to communicate within the organization and with other organizations.
Ensure that mail servers are secured against attacks by allowing only authorized protocols to
connect to the mail server.
Carefully plan mail access for an organization so that e-mail doesn’t cause security problems.
Typically, a mail server must support several protocols for e-mail access. Common protocols
supported by mail servers include:
Allows you to receive mail.
messages from the mail server. Like POP3, it also uses plaintext authentication. Allows you to
receive mail.
to other e-mail recipients. SMTP is subject to spamming attacks where unsolicited messages
are relayed using an unprotected e-mail server. Sends the data in clear text, not the user name and
password.
for the e-mail server. LDAP provides the ability to find e-mail addresses on a mail server.
LDAP uses plaintext authentication by default.
IMPORTANT: You can protect POP3, IMAPv4, and LDAP by implementing SSL. The
protocols will use SSL encryption to protect user account and password verification during
the authentication process.
Making the Decision
When configuring a firewall to allow access to a mail server, include the following items in your
security design:
Determine which protocols will be allowed to access the mail server from the public network.
Establish packet filters at the external firewall to allow only the necessary ports to connect to
the mail server. Ports to be opened can include POP3 (TCP port 110), POP3 over SSL (TCP port
995), and so on; see page 580.
Establish restrictions on SMTP relaying to prevent the mail server from becoming a source for
unsolicited bulk e-mail.
Restrict which protocols can be used to connect to the mail server from the private network.
Restrict access to specific protocols, such as allowing only POP3 and SMTP protocol access.
Restrict access to specific users. Use this strategy if the organization has multiple mail servers
and the mail server in the DMZ only acts as a gateway to the other e-mail system.
Allow private network client computers to connect using any protocol, provided they’re located
on the private network.
Securing Application Traffic
Servers in the DMZ are often required to store or access data from an application server, such
as an SQL server, in the private network.
It’s too risky to place the application server in the DMZ because data stored on the application
server might be compromised.
You can manage the connection between the two servers by using one of three methods:
Attach the server in the DMZ directly to the computer on the private network using a crossover
cable and a protocol other than TCP/IP.
Open the firewall to allow the native protocol (whatever SQL needs to communicate, such as
TCP/IP) to pass between the server in the DMZ and the application server in the private
network.
Use IPSec to encrypt that data transmitted between the server in the DMZ and the application
server in the private network. As long as the internal firewall isn’t performing NAT on the
transmitted data, you can use IPSec to encrypt all data transmitted between the two servers.
The risk with this configuration is that the data transmitted between the two servers may be
passed in plaintext, allowing confidential data to be inspected by a network sniffer. Network
sniffers are able to view the contents of any unencrypted data packets transmitted on the network.
NOTE: IPSec encryption prevents the firewall from inspecting the actual protocol that’s being
transmitted through the firewall. Be sure to set up your rules so that only server-to-server
connections are allowed to pass using IPSec. This prevents other servers from establishing
IPSec agreements and attempting to pass through the firewall.
It’s the Web server that actually performs the query on behalf of the external customer. For the
transaction to occur, the external customer only needs to connect to the Web server using HTTP
or HTTPS.
**** Review the charts on page 583 ****
Making the Decision
When configuring a firewall to allow access to an application server on the private network,
configure the firewall rules to match how data transmissions take place. Your design should
include the following:
To pass IPSec through the firewall you need port 500 open (p583).
server in the DMZ using the protocols required for the server-based component.
server in the private network.
the private network.
to exchange data between the DMZ and the private network.
NOTE: IKE uses UDP port 500.
Securing Terminal Server Traffic
Terminal Services allows an administrator to connect to servers on the network by using Remote
Desktop Protocol (RDP). You can restrict Terminal Services to be used for administrative
purposes only by configuring Terminal Services to run in Remote Administration mode rather
than Application Services mode.
Configure the terminal server to require strong encryption of the connection. If the Windows
2000 High Encryption Pack is installed at both the Terminal Services client computer and the
server running Terminal Services, 128-bit RC4 encryption is used to protect transmitted data.
Making the Decision
When configuring a firewall to allow access to a terminal server located in the DMZ, consider
the following design points:
through the firewall.
computers, subject to local import and export laws.
use Remote administration mode.
Securing VPN Traffic
When an organization wants its network to permit VPN traffic, it must consider how the
protocol it uses affects its firewall and network infrastructure design. IPSec is unable to
pass through a firewall that performs NAT on incoming and outgoing packets.
Securing PPTP Tunnel Traffic
You don’t have to take any special considerations into account when placing a PPTP tunnel
server in your network. It doesn’t matter if the external firewall performs NAT on incoming
and outgoing packets.
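The contrast drawn in the two paragraphs above (IPSec cannot cross a NAT firewall, PPTP can) comes from what each protocol's protection covers. The model below is an added example for these notes, not code from the page and not an implementation of the IPSec or PPTP specifications: it reduces IPSec's integrity check to an HMAC that covers the IP addresses together with the payload, and the PPTP tunnel to a check over the encapsulated payload only. Keys and addresses are constructed.

```python
"""Why IPSec cannot cross a NAT firewall but PPTP can, as a small model.

Added example, not the notes' own code and not an implementation of the
IPSec RFCs. It models the one property that matters for the notes' point:
the IPSec integrity check (an HMAC here) covers the sender's and receiver's
IP addresses, so when NAT or static address mapping rewrites an address the
peer's check fails. The PPTP tunnel is modelled as protection over the
encapsulated payload only, which a rewritten outer header does not disturb.
Keys and addresses are constructed.
"""
import hashlib
import hmac
from typing import NamedTuple, Tuple


class IPPacket(NamedTuple):
    src: str
    dst: str
    payload: bytes
    icv: bytes = b""      # integrity check value added by the sender


def _ipsec_mac(pkt: IPPacket, key: bytes) -> bytes:
    covered = f"{pkt.src}|{pkt.dst}|".encode() + pkt.payload
    return hmac.new(key, covered, hashlib.sha256).digest()


def ipsec_protect(pkt: IPPacket, key: bytes) -> IPPacket:
    """Sender: bind addresses and payload together under the SA key."""
    return pkt._replace(icv=_ipsec_mac(pkt, key))


def ipsec_verify(pkt: IPPacket, key: bytes) -> bool:
    """Receiver recomputes the check over the packet as it actually arrived."""
    return hmac.compare_digest(_ipsec_mac(pkt, key), pkt.icv)


def pptp_protect(pkt: IPPacket, key: bytes) -> IPPacket:
    """Tunnel protection over the encapsulated payload only; outer header not covered."""
    return pkt._replace(icv=hmac.new(key, pkt.payload, hashlib.sha256).digest())


def pptp_verify(pkt: IPPacket, key: bytes) -> bool:
    return hmac.compare_digest(hmac.new(key, pkt.payload, hashlib.sha256).digest(), pkt.icv)


def source_nat(pkt: IPPacket, public_addr: str) -> IPPacket:
    """What the external firewall does to an outbound packet when performing NAT."""
    return pkt._replace(src=public_addr)


def static_map(pkt: IPPacket, private_addr: str) -> IPPacket:
    """What static address mapping does to an inbound packet for a server in the DMZ."""
    return pkt._replace(dst=private_addr)


def nat_demo() -> Tuple[bool, bool, bool, bool]:
    """Returns (IPSec verifies with no translation, IPSec verifies after source NAT,
    IPSec verifies after static mapping, PPTP verifies after source NAT)."""
    key = b"constructed-security-association-key"
    outbound = IPPacket("10.20.20.40", "198.51.100.40", b"tunnelled data")   # tunnel server -> peer
    inbound = IPPacket("198.51.100.40", "203.0.113.10", b"tunnelled data")   # peer -> advertised address
    ipsec_direct = ipsec_verify(ipsec_protect(outbound, key), key)
    ipsec_natted = ipsec_verify(source_nat(ipsec_protect(outbound, key), "203.0.113.10"), key)
    ipsec_mapped = ipsec_verify(static_map(ipsec_protect(inbound, key), "10.20.20.40"), key)
    pptp_natted = pptp_verify(source_nat(pptp_protect(outbound, key), "203.0.113.10"), key)
    return ipsec_direct, ipsec_natted, ipsec_mapped, pptp_natted


if __name__ == "__main__":
    labels = ("IPSec, no translation", "IPSec after source NAT",
              "IPSec after static mapping", "PPTP after source NAT")
    for label, ok in zip(labels, nat_demo()):
        print(f"{label}: {'verifies' if ok else 'FAILS'}")
```

The packet the peer receives after NAT carries an address that was not covered by the sender's check, so the IPSec verification fails in both directions (source NAT on the way out, static address mapping on the way in); the PPTP-style check, which never covered the outer header, still passes. This is the reason the notes place an L2TP/IPSec tunnel server in an outer DMZ with public addressing, or on a dual-homed perimeter host, while a PPTP server can sit behind a NAT firewall with only TCP 1723 and protocol 47 opened.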
To support the placement of a PPTP tunnel server in the DMZ, configure the external firewall
to allow connections to the tunnel server using PPTP (TCP port 1723) and the Generic Routing
Encapsulation (GRE) protocol (protocol ID 47).
The first packet filter allows PPTP connections from any computer on the public network to
the PPTP Server (10.30.30.45). The second packet filter allows GRE packets, which are
used by PPTP to encapsulate the original data packets, to pass through the external firewall
to the PPTP server.
To protect the Active Directory database, you can deploy the PPTP server as a member of
a workgroup rather than as a member of the domain. To support domain authentication,
configure the tunnel server as a RADIUS client to a RADIUS server on the private network.
To support this, configure the internal firewall to allow RADIUS authentication (UDP port
1812) packets and RADIUS accounting (UDP port 1813) packets to pass from the tunnel
server to the RADIUS server on the private network.
Securing L2TP/IPSec Tunnel Traffic
L2TP tunnel connections require that the tunnel server not be placed behind a firewall that
performs NAT. You can modify the configuration of the DMZ to meet this requirement.
Because the firewall doesn’t perform NAT, you can place the L2TP tunnel server in the
DMZ like a PPTP tunnel server.
In this configuration the outer DMZ (p591) uses public network addressing so that NAT isn’t
performed on any of the packets destined for the L2TP tunnel server.
In this configuration the L2TP tunnel server is a dual-homed server with the external network
interface card (NIC) on the public network, and the internal NIC is attached to the DMZ.
IMPORTANT: To protect the external NIC, you must establish packet filters to allow only
L2TP/IPSec connections. All other connection attempts must be denied.
Making the Decision
When configuring a firewall to allow access to an L2TP tunnel server located in the DMZ,
consider the following:
an outer DMZ that uses public network addressing or configuring the L2TP server as a
perimeter server with an interface on the public network to accept tunnel connections.
the DMZ.
the private network. RADIUS authentication provides domain logon capabilities for remote
access when the tunnel server is located in a DMZ.
Lesson Summary:
after deciding on a firewall strategy, you must define the packet filters to fit your strategy.
vulnerable to an attacker.