SEC311: Deploying Secure Extranets with Windows 2000 and "Whistler"

Slide deck (format: PPT, 48 pages, 1.14 MB; uploaded 2021-06-03 by user 石磨). The transcript below covers the first part of the deck; it breaks off mid-slide.
Agenda
- Extranet classification
- Typical extranet problems
- Architecture guidelines
- Security guidelines
- Collaborative extranet example
- Active Directory management approaches

Extranet classification

What is an extranet?
- Definition: multiple networks connected together to share information and technology assets between members of a community of interest
- Classified by: purpose, workflow, partner relationship

Extranet purposes
- Information publishing: subscription services, repair manuals
- Distribution channels: order entry and tracking, customer service
- Supply chain: inventory control, corporate portal
- Collaboration: joint R&D, medical record access

Web-based workflow
- Content publishing (IIS): personalized data searching and browsing; subscription services, repair manuals
- Application sharing (IIS): one interface to diverse services; corporate purchasing, service portals
- Reverse proxy (ISA): cache boosts client and server performance; web interface to legacy applications

File-based workflow
- Shared databases (SQL): relational integrity, structured queries; medical records, customer service
- Shared files (NTFS, CIFS, WebDAV): different applications, identifies relationships; branch offices, joint R&D

Message-based workflow
- Email (Exchange): global reach, no server management; coauthor/edit documents
- EDI and XML-based forms (BizTalk): B2B transactions with different MRP/MRO systems, workflow; distribution channels, supply chains

Partner relationships
- Asymmetric: primary versus secondary partners; the primary owns and controls the shared assets; example: distribution (order entry and tracking)
- Symmetric: peer partners; each one shares the assets it owns and controls its own assets; example: collaboration (medical records)

Typical extranet problems

Extranets expose assets
- Share (some) assets with partners
- Protect shared assets from competitors
- Protect corporate assets from everyone

Extranet architecture guidelines

Asset isolation
- Restrict partners to a DMZ: well understood, defense in depth; offsets inconsistent management policies between partners; costs: data copying, extra hardware and administration
- Connect partners to the intranet: one copy of the data, no extra hardware; too complex to manage securely (yet)

DMZ asset isolation
- A network boundary separates shared assets from internal assets

Dedicated forest in the DMZ
- Save training dollars: leverage intranet admin training and skills
- Save admin time, avoid errors: manage once in AD rather than on every server (user accounts, groups, Group Policy and security templates)
- Maximize asset isolation: if a DMZ server (DC, DNS, CA) is compromised it has no authority on the intranet; if a DMZ account is compromised it has no rights on the intranet

DMZ network connections
- Private circuits (leased lines): data path control, physical security; high cost, not scalable
- Internet: low cost, flexible, scalable; data path and QoS vary
- Shared private network: uniform SLA and security policy; members only, restricted use

DMZ IP address assignment
- Private: hides internal IP, not routable; NAT prevents using IPSec
- Public: simplifies routing, supports IPSec; exposes internal IP, so a firewall or VPN must hide it and control reachability
- Static: simplifies VPN demand-dial interfaces and RRAS/IPSec filters; no DHCP issues

Extranet security guidelines

Starting point: define a security policy
- Develop a security plan (RFC 2196): analyze risk (identify assets, determine threats, calculate potential loss); implement cost-effective protection; keep the plan up to date
- The key to risk analysis is balance: business needs (ease of use, connectivity, performance, manageability) against security goals (availability, confidentiality, integrity, accountability)

NetSec requirements
- No one solution can do it all today
- Perimeter packet inspection
- End-to-end data confidentiality
- Data integrity
- IP visibility
- IP reachability
- Authentication for network access
- Endpoint mutual authentication
- Intrusion detection

NetSec using SSL/TLS
- SSL/TLS: cross-platform, accepted through firewalls; web apps: HTTPS built into IIS and IE; other apps: SSPI, Schannel and special ports
- Limits: only SSL-aware apps are protected; no authentication for network access; IP exposed; no perimeter packet inspection
- Add a firewall with web publishing (ISA): NAT hides IP and controls reachability; SSL bridging with application-level packet filtering; intrusion detection, logging, alerts

NetSec using VPN tunnels
- VPN tunnels (RRAS): transparent to app/protocol; filters control IP visibility and reachability
- Client authentication for network access: machine credentials for gateway-to-gateway, user credentials for client-to-gateway; remote access policy per user/group for client-to-gateway
- Complex administration: set up every gateway; centralized policy requires RADIUS; hard to add a firewall for packet inspection
- Use a firewall-VPN gateway (ISA): simplified management (setup wizard and scripts, manage arrays, policy in AD); intrusion detection, logging, alerts

NetSec using IPSec
- IPSec (Windows 2000 Server): permit/block filters control IP reachability; transparent end-to-end protection; computer mutual authentication (certificates, Kerberos, preshared key); data encryption and integrity with automated key management; NIC hardware acceleration: 85-92 Mbit/s with 3DES; Group Policy-based administration
- Limits: no authentication for network access; no perimeter packet inspection
- Hard to manage policy across companies: manual configuration, no defaults would work for everyone; many options, partners must agree on basic settings

NetSec recommendations

InfoSec requirements
- Core security services: authentication; authorization and access control; auditing and intrusion detection; cryptographic services
- Security management: identity management; trust management; policy management; Public Key Infrastructure

Identification and authentication
- Credentials: use the strongest one you can (password, certificate, smart card, physical token via EAP); multiple credentials are inevitable; (Whistler) Credential Manager
- Protocols: Kerberos (mutual authentication, delegation, smart card logon via PKINIT); HTT
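The DMZ asset-isolation slides and the "NetSec using IPSec" slide above make two points a practitioner should internalize: permit/block filters, not list order, decide IP reachability, and "no defaults would work for everyone" because an unmatched packet is simply left alone. The following Python model is an added example, not code from the deck or from any Microsoft tool. It simulates the Windows 2000 IPSec evaluation rule that the most specific matching filter wins regardless of its position in the list, and that a packet matching no filter is not processed by IPSec and passes in the clear. The addresses (partner network 198.51.100.0/24, DMZ web host 192.0.2.10, intranet 10.0.0.0/8), the specificity weighting and the sample policy are all assumptions made for illustration.

```python
"""Toy model of Windows 2000 IPSec permit/block/negotiate filters.

Added example, not from the deck.  The specificity weighting below is a
simplification of the real policy agent's ordering; the semantics it shows
(most specific match wins, order irrelevant, unmatched = pass in clear) are
the ones the deck relies on.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Filter:
    src: str                 # CIDR, or "any"
    dst: str                 # CIDR, or "any"
    proto: str               # "tcp", "udp", or "any"
    dport: Optional[int]     # None means any destination port
    action: str              # "permit", "block", or "negotiate" (require IPSec)

    @staticmethod
    def _net_matches(spec: str, addr: str) -> bool:
        return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

    def matches(self, pkt: Packet) -> bool:
        return (self._net_matches(self.src, pkt.src)
                and self._net_matches(self.dst, pkt.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))

    def specificity(self) -> int:
        """Assumed weighting: longer prefixes, explicit protocol and explicit port count more."""
        bits = sum(0 if s == "any" else ip_network(s, strict=False).prefixlen
                   for s in (self.src, self.dst))
        return bits + (1 if self.proto != "any" else 0) + (1 if self.dport is not None else 0)


def decide(filters, pkt: Packet) -> str:
    """Return the action of the most specific filter matching pkt.

    Unlike a top-down firewall rule base, list order is irrelevant.  A packet
    matched by no filter is not handled by IPSec at all and passes in clear,
    so a default-deny must be written as an explicit block filter.  Two filters
    of equal specificity with different actions are an ambiguous policy.
    """
    hits = [f for f in filters if f.matches(pkt)]
    if not hits:
        return "permit"
    best = max(f.specificity() for f in hits)
    actions = {f.action for f in hits if f.specificity() == best}
    if len(actions) > 1:
        raise ValueError(f"ambiguous policy for {pkt}: {sorted(actions)}")
    return actions.pop()


# Constructed sample policy for a DMZ web server (addresses are assumptions).
DMZ_WEB = "192.0.2.10/32"
DMZ_WEB_POLICY = [
    Filter("any", DMZ_WEB, "any", None, "block"),              # explicit default deny inbound
    Filter("198.51.100.0/24", DMZ_WEB, "tcp", 443, "permit"),   # partners: HTTPS only
    Filter("10.0.0.0/8", DMZ_WEB, "tcp", 3389, "negotiate"),    # intranet admins: RDP under IPSec
    Filter(DMZ_WEB, "10.0.0.0/8", "any", None, "block"),        # DMZ host never initiates into intranet
]


def reachability_report(policy, packets):
    """Map each constructed packet to the verdict the policy gives it."""
    return {(p.src, p.dst, p.proto, p.dport): decide(policy, p) for p in packets}


if __name__ == "__main__":
    samples = [
        Packet("198.51.100.7", "192.0.2.10", "tcp", 443),   # partner HTTPS: permit
        Packet("198.51.100.7", "192.0.2.10", "tcp", 80),    # partner HTTP: block
        Packet("10.1.2.3", "192.0.2.10", "tcp", 3389),      # admin RDP: negotiate
        Packet("192.0.2.10", "10.1.2.3", "tcp", 445),       # DMZ -> intranet SMB: block
        Packet("192.0.2.10", "198.51.100.7", "tcp", 443),   # no filter: passes in clear
    ]
    for key, verdict in reachability_report(DMZ_WEB_POLICY, samples).items():
        print(key, "->", verdict)
```

The last sample is the trap the deck warns about: nothing in the policy names traffic from the DMZ host toward partner addresses, so it is not an IPSec decision at all and flows unprotected. Reversing the list changes no verdict, which is the difference between IPSec filter lists and a conventional ordered firewall rule base.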
