SEC305
Deploying Server and Domain Isolation with IPsec
http://www.microsoft.com/sdisolation

Gene Ferioli
Program Manager, Microsoft Corporation
Slide 1: Title
  SEC305, Deploying Server and Domain Isolation with IPsec
  http://www.microsoft.com/sdisolation
  Gene Ferioli, Program Manager, Microsoft Corporation, genef@microsoft.com

Slide 2: Session Agenda
  - Server and Domain Isolation Overview
  - Demonstration
  - Deployment Guidance
  - Windows Network Security Roadmap
  - Next Steps and Resources

Slide 3: Challenges and Threats
  Laptops, new devices and remote workers
    - Network topology is more complex
    - Limiting access to the right people
  Viruses, worms and other malicious code
    - Threats are more sophisticated
    - Mitigating risk can be challenging
  New regulatory and business requirements
    - Heightened focus on data privacy
    - Keeping costs and overhead low
  Increased connectivity needs
    - More mobility for better productivity
    - Managing changing requirements

Slide 4: Server and Domain Isolation
  Dynamically segment your Windows environment into more secure and isolated logical networks based on policy (the diagram shows "Labs" and "Unmanaged guests" as separate segments).
  - Server Isolation: protect specific high-value servers and data
  - Domain Isolation: protect managed computers from unmanaged or rogue computers and users
Slide 5: Isolation Solution Details
  Policy Management
    - Policies are created, distributed and managed through Active Directory security groups and Group Policy
    - Domain membership is required to access trusted resources
    - Helps expand the use of supporting tools such as SMS or WSUS
  Authentication
    - Based on machine-level credentials: Kerberos or X.509 certificates
  Enforcement
    - Policies are enforced at the network layer by Windows IPsec
    - Uses IPsec transport mode for end-to-end security and NAT traversal
    - All packets are encapsulated with ESP-Null (ESP with null encryption), which provides authentication and integrity but no confidentiality
    - Optionally, highly sensitive network traffic can be encrypted

Slide 6: Risks That Cannot Be Mitigated
  - Trusted users disclosing high-value data
  - Compromise of trusted credentials
  - Untrusted computers compromising other untrusted computers
  - Loss of physical security of trusted computers
  - Lack of policy compliance mechanisms for trusted computers
  Highlights the importance of a defense-in-depth strategy.
Slide 7: Policy-based Dynamic Segmentation (diagram)
  Elements shown: Active Directory domain controller, corporate network, trusted resource server, servers with sensitive data, HR workstation, managed computers, an unmanaged/rogue computer and an untrusted computer; Server Isolation is drawn as a tier inside the Domain Isolation boundary.
  Callouts:
  - Define the logical isolation boundaries
  - Distribute policies and credentials
  - Managed computers can communicate
  - Block inbound connections from untrusted computers
  - Enable tiered access to sensitive resources

Slide 8: Protecting Critical Systems and Data with Server and Domain Isolation (section title)
Slide 9: Getting Started!
  High-level deployment steps:
  1. Define goals for deployment
  2. Document infrastructure components
  3. Create machine groups in Active Directory
  4. Design IPsec policies and exceptions
  5. Validate policies by deploying in "request mode"
  6. Gradually add computers to the managed domain
  7. Refine policies and interoperability plans
  RESOURCE: Extensive, step-by-step guidance is available at http://www.microsoft.com/sdisolation

Slide 10: Defining Scope of Deployment
  - Conduct a risk assessment
  - Determine business objectives and the risks to mitigate
  - Identify infrastructure components and subnets
  - Map out allowed communications paths
  - Document boundary machines and policy exceptions

Slide 11: Create Active Directory Groups
  Non-IPsec groups
    - Untrusted Systems (the default group)
    - Exemptions (trusted infrastructure)
  IPsec groups
    - Isolation Domain (the default trusted group)
    - Boundary (higher-risk trusted group)

Slide 12: Additional Groups to Consider
  Driven by business requirements. For example:
    - No Fallback Allowed isolation group: blocks outbound communications to untrusted hosts
    - Require Encryption high-security group: all data communications must use encryption

Slide 13: New "Simplified Policy" Update
  - Simplifies the creation and maintenance of IPsec policies for Windows Server 2003 and Windows XP
  - Significantly reduces the number of IPsec filters
  - Removes the requirement for explicit network infrastructure permit filters and for special filters to help secure a subnet
  - Enhances "fallback to clear" functionality:
    - The fallback-to-clear time-out is reduced from 3 seconds to 500 ms
    - Credential and policy mismatch failures are now permitted to use fallback to clear
  More information: http://support.microsoft.com/default.aspx/kb/914841/en-us
Slide 14: Defined Filter Actions
  - Request Mode: accept unauthenticated inbound communications; allow unauthenticated outbound communications
  - Secure Request Mode: inbound communications must be protected by IPsec; allow unauthenticated outbound communications (fallback to clear)
  - Full Require Mode: all unicast communications require IPsec
  - Require Encryption Mode: only negotiates encryption (no ESP-Null offer)

Slide 15: Deploying and Validating Policies
  Staged deployment
    - The policy has exemptions, but no requirements for IPsec on secure subnets
    - The Request Mode filter action is used with the secure subnet filter lists
    - Subnets are slowly added to the secure subnet filter list and tested
  Deploy by group
    - IPsec policy is defined and linked through a GPO
    - Security groups are used to control application of the policy

Slide 16: Troubleshooting
  The majority of issues attributed to IPsec are actually issues in other supporting components:
    - Authentication
    - Group Policy
    - System services, drivers, active applications
    - Name resolution
    - Network connectivity: TCP/IP, router ACLs
    - The IPsec policy itself, e.g. misconfigured filters
  The error returned to the application on a connection failure is "error 53: The network path was not found".
  Example: MSIT enables auditing via domain policy to capture IPsec IKE events 541, 542 and 543 (security association established/ended) and 547 (IKE negotiation failed).

Slide 17: Overall Best Practices
  - Minimize securing by port or protocol; use "All IP"
    - Simplifies policy design
    - Reduces the chance of policy mismatch
  - Do not use the Default Response rule with a custom policy
    - Not compatible with permitting ICMP or other protocols or ports
    - Does not work with secure request behavior
  - Permit ICMP (ping)
    - Supports connectivity troubleshooting and PMTU discovery
  - Create an empty IPsec filter list that carries versioning data
    - Supports identifying which IPsec policy is applied

Slide 18: Staged Deployment Best Practices
  - Build shell GPOs and Windows IPsec policies
  - Pilot in "Request Mode"
    - Deploy an IPsec policy with only exceptions
    - Define permitted subnets and IPs first
    - Filter the scope of the GPO to a pilot security group
    - Expand the exception-only policy to all hosts
  - Add subnet filters one at a time to complete the subnet list:
      "Any <-> Subnet #1, All IP, Request Security"
      "Any <-> Subnet #2, All IP, Request Security"
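The staged rollout of slides 14, 15, 17 and 18 as one runnable model, added here as an example; it is not code from the deck or from Microsoft. It models filter lists, filter actions and rules (the policy objects of slide 30), maps the four filter-action modes of slide 14 to the inpass/soft/qmsecmethods parameters of netsh filter actions, emits the equivalent `netsh ipsec static` commands for Windows XP / Server 2003 in the slide 18 order (exemptions and an empty versioning list first, then one "Any <-> Subnet, All IP" filter list per secure subnet), and resolves which filter a given packet hits so that exemption/subnet overlaps can be checked before the policy is assigned. The filter weighting (address specificity before protocol) is an assumption that approximates the Windows IPsec driver's "most specific filter wins" rule, the quick-mode lifetimes are assumed defaults, and the subnets, addresses and names are constructed for illustration.

```python
"""Staged Server and Domain Isolation (SDI) IPsec policy model.

Added example; not code from the SEC305 deck or from Microsoft. Filter lists,
filter actions and rules follow slide 30, the modes follow slide 14, and the
staging follows slides 15 and 18. Addresses and names are constructed.
"""
import ipaddress
from dataclasses import dataclass, field

# Slide 14 modes -> "netsh ipsec static add filteraction" parameters.
#   inpass=yes : accept unauthenticated inbound and answer with IPsec
#   soft=yes   : fall back to clear when the peer does not answer IKE
# The 100000k/3600s quick-mode lifetimes are assumed, not from the deck.
MODES = {
    "request":            dict(inpass="yes", soft="yes", qm="ESP[None,SHA1]:100000k/3600s"),
    "secure_request":     dict(inpass="no",  soft="yes", qm="ESP[None,SHA1]:100000k/3600s"),
    "require":            dict(inpass="no",  soft="no",  qm="ESP[None,SHA1]:100000k/3600s"),
    "require_encryption": dict(inpass="no",  soft="no",  qm="ESP[3DES,SHA1]:100000k/3600s"),
}


@dataclass(frozen=True)
class Filter:
    src: str                # "any" or a CIDR such as "10.1.0.0/16"
    dst: str
    protocol: str = "any"   # "any" is the "All IP" of slide 17
    mirrored: bool = True   # netsh mirrored=yes: match the reverse direction too

    @staticmethod
    def _in(spec, addr):
        return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

    def matches(self, src, dst, protocol):
        fwd = self._in(self.src, src) and self._in(self.dst, dst)
        rev = self.mirrored and self._in(self.src, dst) and self._in(self.dst, src)
        return (fwd or rev) and self.protocol in ("any", protocol)

    def weight(self):
        # Assumed approximation of Windows IPsec "most specific filter wins":
        # address specificity (host > subnet > any) first, then protocol.
        def bits(spec):
            return 0 if spec == "any" else ipaddress.ip_network(spec).prefixlen + 1
        return (bits(self.src) + bits(self.dst), self.protocol != "any")


@dataclass
class Rule:
    name: str            # also used as the filter list name
    action: str          # "permit", "block" or a MODES key
    filters: tuple = ()  # empty tuple = versioning marker list, no rule


@dataclass
class Policy:
    name: str
    rules: list = field(default_factory=list)

    def effective_action(self, src, dst, protocol="tcp"):
        """Action of the heaviest matching filter; unmatched traffic is untouched."""
        hits = [(f.weight(), r.action) for r in self.rules
                for f in r.filters if f.matches(src, dst, protocol)]
        return max(hits, key=lambda h: h[0])[1] if hits else "unfiltered"


def _endpoint(side, spec):
    if spec == "any":
        return f"{side}addr=any"
    net = ipaddress.ip_network(spec)
    mask = "" if net.prefixlen == 32 else f" {side}mask={net.netmask}"
    return f"{side}addr={net.network_address}{mask}"


def netsh_commands(policy):
    """netsh ipsec static commands (Windows XP / Server 2003) that build the policy."""
    cmds = [f'netsh ipsec static add policy name="{policy.name}" activatedefaultrule=no assign=no']
    cmds += [f'netsh ipsec static add filteraction name="{a}" action={a}' for a in ("permit", "block")]
    for mode, p in MODES.items():
        cmds.append(f'netsh ipsec static add filteraction name="{mode}" action=negotiate '
                    f'inpass={p["inpass"]} soft={p["soft"]} qmsecmethods="{p["qm"]}"')
    for r in policy.rules:
        cmds.append(f'netsh ipsec static add filterlist name="{r.name}"')
        for f in r.filters:
            cmds.append(f'netsh ipsec static add filter filterlist="{r.name}" '
                        f'{_endpoint("src", f.src)} {_endpoint("dst", f.dst)} '
                        f'protocol={f.protocol} mirrored={"yes" if f.mirrored else "no"}')
        if r.filters:
            auth = "" if r.action in ("permit", "block") else " kerberos=yes"
            cmds.append(f'netsh ipsec static add rule name="{r.name}" policy="{policy.name}" '
                        f'filterlist="{r.name}" filteraction="{r.action}"{auth}')
    cmds.append(f'netsh ipsec static set policy name="{policy.name}" assign=y')
    return cmds


def build_policy(exempt_hosts, secure_subnets, mode="request", version="SDI policy v1.0"):
    """Slide 18 order: exemptions, versioning marker, then one list per secure subnet."""
    pol = Policy("Domain Isolation")
    pol.rules.append(Rule("Exemptions", "permit", tuple(Filter("any", f"{h}/32") for h in exempt_hosts)))
    pol.rules.append(Rule(version, "permit"))
    for i, subnet in enumerate(secure_subnets, 1):
        pol.rules.append(Rule(f"Secure Subnet {i}", mode, (Filter("any", subnet),)))
    return pol


# Constructed pilot: two domain controllers exempted, two secure subnets in Request Mode.
PILOT = build_policy(["10.0.0.10", "10.0.0.11"], ["10.1.0.0/16", "10.2.0.0/16"])

if __name__ == "__main__":
    print("\n".join(netsh_commands(PILOT)))
    for src, dst in [("10.1.5.20", "10.0.0.10"),      # DC exemption outweighs the subnet filter
                     ("10.1.5.20", "10.2.7.7"),       # secure subnet to secure subnet
                     ("172.16.3.4", "10.2.7.7"),      # unmanaged host into a secure subnet
                     ("192.168.1.1", "172.16.0.1")]:  # outside the pilot scope
        print(f"{src} -> {dst}: {PILOT.effective_action(src, dst)}")
```

Run it to print the commands for the pilot stage. In request mode the unmanaged host (172.16.3.4) is still accepted in clear, which is what makes the pilot safe; once the IKE audit events show every expected peer negotiating, rebuild with mode="secure_request" so that inbound traffic from hosts that cannot authenticate is no longer accepted. The /32 exemptions outweigh the /16 subnet filters, so domain-controller traffic stays in clear even from inside a secure subnet; verify that ordering against IP Security Monitor on your own platform before relying on it.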
Slide 19: Isolation Solution Interoperability
  Scope: enabling interop with legacy and non-Windows hosts
  Examples: networked printers, Macintosh, Unix and Linux
  A range of interoperability options is available, from basic to full "Isolation Citizen":
    - Use policy exceptions
    - Use ISA Server 2004 as an "IPsec gateway"
    - Create policies on the non-Windows platform with certificate-based authentication
    - Provide Terminal Services access to key corporate resources

Slide 20: Network Security Roadmap
  Today (Windows 2000, XP and Server 2003)
    - Authentication based on machine credentials
    - Integration with Windows Firewall
    - Support for 10/100 Mb IPsec offload network cards
  Windows Vista / Windows Server "Longhorn"
    - New UI
    - Expanded authentication methods (user and health)
    - Simplified, "one-size-fits-all" policies
    - Support for "client to domain controller" protection
    - Improved support for NLB and clustering
    - Support for GigE IPsec offload network cards
Slide 21: Case Study: Roskilde Technical School
  Challenge: Operated several computer networks for students, faculty and administration to comply with Danish educational regulations, but the networks were completely autonomous, difficult to manage, and offered no interoperability.
  Solution: Worked with Systemtech, a Microsoft Certified Partner, to switch to a single campus-wide network using Server and Domain Isolation to provide users the functionality they need while still complying with the stringent security policies required by the Danish Ministry of Education.
    - Improved security and virus protection through client lockdown
    - Simplified system management and interoperability
    - Enabled better utilization of resources, resulting in greater productivity
  "We have been able to consolidate multiple IT departments, pull the work force together, and restructure the group into functional areas. Now we can better capitalize on the skills within the group."
  Gert Jensen, Chief of Development, Roskilde Technical School

Slide 22: Case Study: Microsoft IT "SecureNet"
  Challenge: Isolate managed computers from unmanaged (and untrusted) computers to restrict unknown access to intellectual property and limit the impact of viruses and worms, in order to meet business and regulatory requirements.
  Solution: As part of a "defense-in-depth" security strategy, MSIT implemented Domain Isolation, based on Windows IPsec and Active Directory Group Policy, across all of Microsoft, and deployed Server Isolation for source code servers for added protection of sensitive data.
    - Deployed to more than 250,000 domain-joined computers
    - Over 75% of all network traffic worldwide is protected
    - Increased the number of domain-joined computers by 45%
    - Achieved compliance with Sarbanes-Oxley requirements for protecting data of material impact to shareholders
  "Domain joined machines increased. These are now machines that can have policy applied, an SMS agent installed... with the result a more secure and controlled environment."
  Bob Davis, General Manager, Microsoft Corporation

Slide 23: Case Study: Universidade de Vila Velha
  Challenge: Consolidate and secure two separate campus networks that support 14,000 students across four campuses within two weeks, and protect the university's intellectual property, all at a low cost.
  Solution: Implemented a Server and Domain Isolation solution to increase security network-wide, safeguard intellectual property, and simplify network management, thereby increasing IT staff productivity, all at no additional hardware or software expense to the university.
    - Deployed in just 2 days across 1,000 desktops and 30 servers
    - Lower operating cost that facilitates growth
    - Improved security and productivity
  "Server and Domain Isolation is an amazing solution. We already had all the tools... Once we had time to study and to plan the IPsec solution, we did it quickly... and at no additional cost."
  Rodrigo Immaginario, Chief Information Officer, Universidade de Vila Velha

Slide 24: Next Steps and Resources
  Unlock the potential of your Windows infrastructure investments.
  - Server and Domain Isolation TechNet site: http://www.microsoft.com/sdisolation
  - Windows IPsec TechNet site: http://www.microsoft.com/ipsec
  - Review TechNet on-demand webcasts
  - Newsgroup: microsoft.public.windows.networking.ipsec
  - Engage with your Microsoft account team
Slide 25: Fill out a session evaluation on CommNet and win an XBOX 360!

Slide 26: © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Slide 27: Extending Defense-in-Depth
  Security defense-in-depth model (diagram layers, outermost first): Policies, Procedures and Awareness; Physical Security; Perimeter; Internal Network; Host; Application; Data.
  Server and Domain Isolation:
    - Adds an additional layer of defense-in-depth
    - Complements existing security investments
    - Based on Windows IPsec and Active Directory
    - Supported on Windows 2000, Windows XP, Windows Server 2003, Windows Vista and Windows Server "Longhorn"

Slide 28: Another Look at Isolation in Action (diagram)
  1. A user attempts to access a file share
  2. IKE negotiation begins between the two hosts
  3. and 4. Each host evaluates its local IPsec policy; network access permissions are checked for the computer account
  5. IKE succeeds; user authentication occurs and network access permissions are checked for the user
  6. Share access is checked; access is granted or denied based on the ACL (department group)
  Result: both the computer and the user are authenticated and authorized before the share is reached.

Slide 29: Technical and Business Benefits
  Reduce the risk of network security threats
    - An additional layer of defense-in-depth
    - Reduced attack surface area
    - Increased manageability and healthier clients
  Safeguard sensitive data and intellectual property
    - Authenticated, end-to-end network communications
    - Scalable, tiered access to trusted networked resources
    - Protect the confidentiality and integrity of data
  Extend the value of existing investments
    - No additional hardware or software required
    - Get more value from Active Directory and Group Policy
    - Complements existing third-party network security solutions

Slide 30: Design Windows IPsec Policies (diagram of the policy structure)
  IPsec Policy
    - Key Exchange Methods (IKE)
    - Rules, each consisting of:
      - Filter List, made up of Filters
      - Filter Action, made up of Security Methods (encryption, hashing, key lifetimes)
      - Authentication Methods: Kerberos, certificates, pre-shared keys