SEC305: Deploying Server and Domain Isolation with IPsec

Gene Ferioli, Program Manager, Microsoft Corporation
[email protected]
http://www.microsoft.com/sdisolation
Session Agenda
- Server and Domain Isolation Overview
- Demonstration
- Deployment Guidance
- Windows Network Security Roadmap
- Next Steps and Resources
Challenges and Threats
- Network topology is more complex
- Limiting access to the right people
- Threats are more sophisticated
- Mitigating risk can be challenging
- Heightened focus on data privacy
- Keeping costs and overhead low
- More mobility for better productivity
- Managing changing requirements
Diagram labels: Viruses, worms and other malicious code; New regulatory and business requirements; Increased connectivity needs; Laptops, new devices and remote workers
Server and Domain Isolation
Dynamically segment your Windows environment into more secure and isolated logical networks based on policy.
(Diagram labels: Labs; Unmanaged guests)
- Server Isolation: protect specific high-value servers and data
- Domain Isolation: protect managed computers from unmanaged or rogue computers and users
Isolation Solution Details
Policy Management
- Policies are created, distributed, and managed through Active Directory security groups and Group Policy
- Domain membership is required to access trusted resources
- Helps expand the use of supporting tools like SMS or WSUS
Authentication
- Authentication is based on machine-level credentials
  - Kerberos
  - X.509 certificates
Enforcement
- Policies are enforced at the network layer by Windows IPsec
- Uses IPsec transport mode for end-to-end security and NAT traversal
- All packets encapsulated with ESP-Null for authentication and integrity
- Optionally, highly sensitive network traffic can be encrypted
Risks That Cannot Be Mitigated
- Trusted users disclosing high-value data
- Compromise of trusted credentials
- Untrusted computers compromising other untrusted computers
- Loss of physical security of trusted computers
- Lack of policy compliance mechanisms for trusted computers
These highlight the importance of a defense-in-depth strategy.
Policy-based Dynamic Segmentation
(Diagram: Protecting Critical Systems and Data with Server and Domain Isolation. Elements: Untrusted area with an Unmanaged/Rogue Computer; Domain Isolation area with the Active Directory Domain Controller, Managed Computers and a Trusted Resource Server; Server Isolation area with Servers with Sensitive Data and an HR Workstation; Corporate Network. An "X" marks blocked connections.)
Steps shown:
1. Define the logical isolation boundaries
2. Distribute policies and credentials
3. Managed computers can communicate
4. Block inbound connections from untrusted computers
5. Enable tiered access to sensitive resources
Getting Started!
High-level deployment steps:
1. Define goals for deployment
2. Document infrastructure components
3. Create machine groups in Active Directory
4. Design IPsec policies and exceptions
5. Validate policies by deploying in "request mode"
6. Gradually add computers to the managed domain
7. Refine policies and interoperability plans
RESOURCE: Extensive, step-by-step guidance available at: http://www.microsoft.com/sdisolation
Defining Scope of Deployment
- Conduct a risk assessment
- Determine business objectives and risks to mitigate
- Identify infrastructure components and subnets
- Map out allowed communication paths
- Document boundary machines and policy exceptions
Create Active Directory Groups
Non-IPsec groups:
- Untrusted Systems (default group)
- Exemptions (trusted infrastructure)
IPsec groups:
- Isolation Domain (default trusted group)
- Boundary (higher-risk trusted group)
Additional groups to consider, driven by business requirements. For example:
- No Fallback Allowed isolation group: blocks outbound communications to untrusted hosts
- Require Encryption high-security group: all data communications must use encryption
New "Simplified Policy" Update
- Simplifies the creation and maintenance of IPsec policies for Windows Server 2003 and Windows XP
- Significantly reduces the number of IPsec filters
- Removes the requirement for explicit network infrastructure permit filters and for special filters to help secure a subnet
- Enhances "fallback to clear" functionality
  - Fallback-to-clear time-out value is reduced from 3 seconds to 500 ms
  - Credential and policy mismatch failures are now permitted to use the fallback-to-clear functionality
More information: http://support.microsoft.com/default.aspx/kb/914841/en-us
Defined Filter Actions
- Request Mode: accept unauthenticated inbound communications; allow unauthenticated outbound communications
- Secure Request Mode: allow unauthenticated outbound communications
- Full Require Mode: all unicast communications require IPsec
- Require Encryption Mode: only negotiates encryption
Deploying and Validating Policies
Staged deployment:
- Policy has exemptions, but no requirements for IPsec on secure subnets
- Request Mode filter action is used with secure subnet filter lists
- Subnets are slowly added to the secure subnet filter list and tested
Deploy by group:
- IPsec policy defined and linked
- Groups are used to control application of the policy
Troubleshooting
- The majority of issues often attributed to IPsec are actually issues in other supporting components:
  - Authentication
  - Group Policy
  - System services, drivers, active applications
  - Name resolution
  - Network connectivity: TCP/IP, router ACLs
  - IPsec policy, e.g., misconfigured filters
- The TCP/IP error returned on a connection failure is "error 53: The network path was not found"
- Example: MSIT enables auditing via domain policy to capture IPsec 541/542/543 and 547 failure events
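As an added example (not from the original deck), the checks a client-side troubleshooter would run, in the order the slide lists the usual culprits, before concluding that IPsec itself is at fault. It assumes Windows XP Pro / Server 2003 tooling; the target host name and policy name are constructed.

```batch
@echo off
REM Added example: triage an "error 53" connection failure on a domain-isolated
REM client. TARGET and POLICY are constructed placeholders.
set TARGET=fileserver01
set POLICY=SDI Pilot Policy v1.0

REM 1. Name resolution and plain connectivity first (no IPsec involved yet).
nslookup %TARGET%
ping -n 2 %TARGET%

REM 2. Which IPsec policy is actually applied, and from where (GPO vs. local)?
netsh ipsec static show gpoassignedpolicy
netsh ipsec static show policy name="%POLICY%" level=verbose

REM 3. Live IKE main-mode / quick-mode SAs and IKE counters. A missing SA for
REM    %TARGET% plus rising failure counters points at IKE, not the share.
netsh ipsec dynamic show mmsas
netsh ipsec dynamic show qmsas
netsh ipsec dynamic show stats type=ike

REM 4. IKE audit events: 541 = main mode SA established, 547 = negotiation
REM    failed. They appear only when logon auditing is enabled (e.g. via
REM    domain policy, as the slide says MSIT does).
cscript //nologo %SystemRoot%\system32\eventquery.vbs /L Security ^
    /FI "ID eq 547" /FO TABLE /V
```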
Overall Best Practices
- Minimize securing by port or protocol; use "All IP"
  - Simplifies policy design
  - Reduces chances of policy mismatch
- Do not use the Default Response rule with a custom policy
  - Not compatible with permitting ICMP or other protocols or ports
  - Does not work with secure request behavior
- Permit ICMP (ping): supports connectivity troubleshooting and PMTU
- Create an empty IPsec filter with versioning data: supports identifying the applied IPsec policy
Staged Deployment Best Practices
- Build shell GPOs and Windows IPsec policies
- Pilot in "Request Mode"
  - Deploy an IPsec policy with only exceptions
  - Define permitted subnets and IPs first
  - Filter the scope of the GPO to a pilot security group
- Expand the exception-only policy to all hosts
- Add subnet filters one at a time to complete the subnet list
  - "Any <-> Subnet #1, All IP, Request Security"
  - "Any <-> Subnet #2, All IP, Request Security"
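As an added example (not from the original deck), the pilot "Request Mode" policy from the staged-deployment steps above, with the four filter actions from the "Defined Filter Actions" slide, built as a local policy with netsh ipsec static on Windows XP SP2 / Server 2003. In a real rollout the same objects are created in the GPO-linked IPsec policy; subnet addresses, the domain controller address, and all names below are constructed.

```batch
@echo off
REM Added example: local-policy equivalent of the pilot request-mode policy.
REM All addresses and names are constructed placeholders.
set POLICY=SDI Pilot Policy v1.0

REM --- Policy with the Default Response rule disabled, per the best practices.
netsh ipsec static add policy name="%POLICY%" ^
    description="Domain isolation pilot, request mode" ^
    activatedefaultrule=no assign=no

REM --- The four filter actions. inpass=yes accepts unauthenticated inbound
REM     (request mode only); soft=yes allows fallback to clear outbound.
REM     ESP[None,SHA1] is ESP-Null: integrity and authentication, no encryption.
netsh ipsec static add filteraction name="Request Security" ^
    action=negotiate inpass=yes soft=yes qmsecmethods="ESP[None,SHA1]"
netsh ipsec static add filteraction name="Secure Request" ^
    action=negotiate inpass=no soft=yes qmsecmethods="ESP[None,SHA1]"
netsh ipsec static add filteraction name="Full Require" ^
    action=negotiate inpass=no soft=no qmsecmethods="ESP[None,SHA1]"
netsh ipsec static add filteraction name="Require Encryption" ^
    action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]"
netsh ipsec static add filteraction name="Permit" action=permit

REM --- Exemptions first: ICMP for troubleshooting and PMTU, and trusted
REM     infrastructure (constructed DC address) that is not an IPsec peer.
netsh ipsec static add filterlist name="Exemptions"
netsh ipsec static add filter filterlist="Exemptions" ^
    srcaddr=any dstaddr=any protocol=ICMP mirrored=yes description="Permit ping"
netsh ipsec static add filter filterlist="Exemptions" ^
    srcaddr=any dstaddr=10.0.0.10 dstmask=255.255.255.255 protocol=any ^
    mirrored=yes description="Domain controller (constructed address)"
netsh ipsec static add rule name="Exemptions" policy="%POLICY%" ^
    filterlist="Exemptions" filteraction="Permit"

REM --- Empty filter list whose name carries version data, so the applied
REM     policy can be identified with: netsh ipsec static show policy name=...
netsh ipsec static add filterlist name="Version - SDI pilot 1.0 - 2006-xx-xx"

REM --- Secure subnets, "All IP", request security. Start with subnet #1 only;
REM     add subnet #2 (second line, commented out) after #1 has been validated.
netsh ipsec static add filterlist name="Secure Subnets"
netsh ipsec static add filter filterlist="Secure Subnets" ^
    srcaddr=any dstaddr=10.0.1.0 dstmask=255.255.255.0 protocol=any ^
    mirrored=yes description="Subnet #1 (constructed)"
REM netsh ipsec static add filter filterlist="Secure Subnets" srcaddr=any dstaddr=10.0.2.0 dstmask=255.255.255.0 protocol=any mirrored=yes
netsh ipsec static add rule name="Secure Subnets - Request Security" ^
    policy="%POLICY%" filterlist="Secure Subnets" ^
    filteraction="Request Security" kerberos=yes

REM --- Assign locally on the pilot host. A domain IPsec policy linked to the
REM     pilot security group's OU later takes precedence over this local one.
netsh ipsec static set policy name="%POLICY%" assign=yes
```

Moving a subnet from request mode to "Secure Request" or "Full Require" later is a rule change only (swap the filteraction name), which is why the filter actions are all created up front.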
Isolation Solution Interoperability
Scope: enabling interop with legacy and non-Windows hosts. Examples:
- Networked printers
- Macintosh
- Unix and Linux
Range of interoperability options available, from basic to full "Isolation Citizen":
- Use policy exceptions
- Utilize ISA Server 2004 as an "IPsec Gateway"
- Create policies on the non-Windows platform with certificate-based authentication
- Provide Terminal Services access to key corporate resources
Network Security Roadmap
Windows Vista / Windows Server "Longhorn":
- New UI
- Expanded authentication methods (user and health)
- Simplified, "one-size-fits-all" policies
- Support for "Client to Domain Controller" protection
- Improved support for NLB and clustering
- Support for GigE IPsec offload network cards
Currently:
- Supported on Windows 2000, XP and Server 2003
- Authentication based on machine credentials
- Integration with Windows Firewall
- Support for 10/100Mb IPsec offload network cards
Case Study: Roskilde Technical School
Challenge: Operated several computer networks for students, faculty, and administration to comply with Danish educational regulations, but the networks were completely autonomous, difficult to manage, and offered no interoperability.
Solution: Worked with Systemtech, a Microsoft® Certified Partner, to switch to a single campus-wide network using Server and Domain Isolation to provide users the functionality that they need while still complying with the stringent security policies required by the Danish Ministry of Education.
Results:
- Improved security and virus protection through client lockdown
- Simplified system management and interoperability
- Enabled better utilization of resources, resulting in greater productivity
"We have been able to consolidate multiple IT departments, pull the work force together, and restructure the group into functional areas. Now we can better capitalize on the skills within the group." Gert Jensen, Chief of Development, Roskilde Technical School
Case Study: Microsoft IT "SecureNet"
Challenge: Isolate managed computers from unmanaged (and untrusted) computers to restrict unknown access to intellectual property and limit the impact of viruses and worms, to meet business and regulatory requirements.
Solution: As part of a "defense-in-depth" security strategy, MSIT implemented Domain Isolation, based on Windows IPsec and Active Directory Group Policy, across all of Microsoft. Deployed Server Isolation for source code servers for added protection of sensitive data.
Results:
- Deployed to more than 250,000 domain-joined computers
- Over 75% of all network traffic world-wide is protected
- Increased the number of domain-joined computers by 45%
- Achieved compliance with Sarbanes-Oxley requirements for protecting data of material impact to shareholders
"Domain joined machines increased. These are now machines that can have policy applied, an SMS agent installed…with the result a more secure and controlled environment." Bob Davis, General Manager, Microsoft Corporation
Case Study: Universidade de Vila Velha
Challenge: Consolidate and secure two separate campus networks that support 14,000 students across four campuses within two weeks, and protect the university's intellectual property, all at a low cost.
Solution: Implemented a Server and Domain Isolation solution to increase security network-wide, safeguard intellectual property, and simplify network management, thereby increasing IT staff productivity, all at no additional hardware or software expense to the university.
Results:
- Deployed in just 2 days across 1,000 desktops and 30 servers
- Lower operating cost that facilitates growth
- Improved security and productivity
"Server and Domain Isolation is an amazing solution. We already had all the tools …. Once we had time to study and to plan the IPsec solution, we did it quickly … and at no additional cost." Rodrigo Immaginario, Chief Information Officer, Universidade de Vila Velha
Next Steps and Resources
- Server and Domain Isolation TechNet site: http://www.microsoft.com/sdisolation
- Windows IPsec TechNet site: http://www.microsoft.com/ipsec
- Review TechNet on-demand webcasts
- Newsgroup: microsoft.public.windows.networking.ipsec
- Engage with your Microsoft account team
- Unlock the potential of your Windows infrastructure investments
© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Extending Defense-in-Depth
- Adds an additional layer of defense-in-depth
- Complements existing security investments
- Based on Windows IPsec and Active Directory®
- Supported on:
  - Windows 2000
  - Windows XP
  - Windows Server™ 2003
  - Windows Vista
  - Windows Server "Longhorn"
Security Defense-in-Depth Model (diagram layers): Policies, Procedures & Awareness; Physical Security; Perimeter; Internal Network; Host; Application; Data. Diagram label: Server and Domain Isolation.
Another Look at Isolation in Action
(Diagram, numbered steps:)
1. User attempts to access a file share
2. IKE negotiation begins
3. Check network access permissions (computer account) against local policy
4. IKE succeeds; user AuthN occurs
5. Check network access permissions (user) against local policy
6. Share access is checked: access granted or denied based on ACL (Dept Group)
Result: computer and user are authenticated and authorized.
Technical and Business Benefits
Extend the value of existing investments:
- No additional hardware or software required
- Get more value from Active Directory and Group Policy
- Complements existing third-party network security solutions
Safeguard sensitive data and intellectual property:
- Authenticated, end-to-end network communications
- Scalable, tiered access to trusted networked resources
- Protect the confidentiality and integrity of data
Reduce the risk of network security threats:
- An additional layer of defense-in-depth
- Reduced attack surface area
- Increased manageability and healthier clients
Design Windows IPsec Policies
(Diagram: structure of an IPsec policy)
- IPsec Policy
  - Rules
    - Filter List
      - Filters
    - Action
      - Security Methods
        - Hashing
        - Encryption
        - Key Lifetimes
    - Authentication Methods
      - Certificates
      - Pre-Shared Keys
      - Kerberos
  - Key Exchange Methods (IKE)