Microsoft Domain and Server Isolation Model
  • isolation requires knowledge of the current state of the network and its devices, the communication requirements that define how computers should interact with one another, and the security requirements that may limit those requirements to achieve the appropriate balance between security and communication.
  • Transcript

    • 2. Microsoft Domain and Server Isolation Model
      IPSec as a savior against network threats on Windows Server 2008 R2
      Esmaeil Sarabadani
      MCT, MCSA/MCSE Security
    • 3. What will be covered
      Protecting the network in a highly-connected world
      Defence in depth
      Network without isolation
      Microsoft domain and server isolation model
      Focus on IPSec
      Different stages of implementing the model
      Demonstrations on different steps of configuration
    • 4. Life in a Highly-Connected World
      Local Area Networks
      Business Extranets
      Wireless Networks
      Mobile Workers
      Laptops
      Virtual Private Networks
      Mobile Smart Devices
    • 5. Protecting Your Network means
      Reducing the risk of malicious activities
      Protecting the data against unauthorized manipulation
      Lowering the costs and administrative overhead
      Decreasing the impact of denial-of-service attacks
      Reducing the risk of malicious software threats
      Eliminating the chance of intrusion into the network and servers
    • 6. Typical Network Infrastructure
      Is the whole infrastructure secure?
      What is missing?
      How important is it in the world today?
      “Malicious insiders” was ranked second in 2010 and first in 2009 among the top ten information security threats, as reported by Perimeter E-Security.
      Logical Isolation
      Extranet Connection
      VPN Connection
      Partner’s Network
      Network Firewalls
      Remote User
      Secure VPN Connections
    • 7. Defence in Depth
      A layered approach to protecting a computer instead of reliance on a single mechanism for the protection
      Controls network communications
      Protects all unicast traffic
      More similar to a host-based firewall
      Provides end-to-end security
      Bob
      Alice
      Sorry! I do not trust you!
      The communication does not take place!
    • 8. Without Isolation
      [Diagram, four numbered steps. Labels: User attempts to access a file share; User authentication occurs; User is authenticated and authorized; Check network access permissions; Local policy; Share access is checked; Access granted or denied based on ACL]
    • 9. Without Isolation
      The Problems:
      Too much dependence on users’ credentials
      Theft and abuse of user credentials often not realized... Until it’s too late
      Difficult to control who or what physically connects to the network
      Large internal networks might have independent paths to the internet
      Firewalls help, but not when clients communicate inside the network
      Question:
      What does a HACKER need to penetrate into the network and servers?
      • Access to the network
    • 10. A username and password
      How difficult do you think it is for a hacker to get them?
    • 11. Microsoft Domain and Server Isolation Model
      Controls end-to-end communications using IPSec policies
      Adds a layer of defence-in-depth
      IPSec policies are received by the host through Group Policy
      Authenticates every packet
      Can encrypt every packet
      Supported Operating Systems:
      Windows 2000-SP4
      Windows XP-SP2
      Windows Vista
      Windows 7
      Windows Server 2003
      Windows Server 2008
    • 12. With Isolation
      [Diagram, six numbered steps. Labels: User attempts to access a file share; IKE negotiation begins; IKE succeeds, user authN occurs; Check network access permissions (computer acct); Local policy; Check network access permissions (user); Local policy; Share access is checked; Access granted or denied based on ACL; Computer and user are authenticated and authorized]
    • 13. Why IPSec?
      IPSec is a protocol suite that provides security over IP networks
      It operates at layer 3 (Network) of the OSI model
      It has two modes of operation:
      Tunnel mode
      Transport mode
    • 14. IPSec
      Tunnel Mode:
      IPSec gateway at each site
      No security inside the site network
      Secures messages going through the gateway and the internet
      Adds a security header to IP packets before the main IP header
      The new header contains the source and destination addresses of the IPSec gateways
      The source and destination of the hosts are protected
      The original IP header is protected
      The original data field is protected
      [Diagram: two local networks, each behind an IPsec gateway, connected by a tunnel across the internet (secure communication). Packet layout labels: Security Header; Protected Original IP Header; Protected data field]
    • 15. IPSec
      Transport Mode:
      End-to-end communication and security between the hosts
      Security inside the site networks
      Requires configuration on the host
      Adds a security header to IP packets after the main IP header
      The source and destination of the hosts can be learned by a hacker in the middle
      The original data field is protected
      [Diagram: two local networks connected across the internet in transport mode (secure end-to-end communication). Packet layout labels: Original IP Header; Security Header; Protected data field]
    • 16. AH vs. ESP
      Two forms of encryption
      ESP (Encapsulating Security Payload)
      Confidentiality
      Authentication
      AH (Authentication Header)
      Authentication
      ESP in Transport mode
      ESP in Tunnel mode
    • 17. AH vs. ESP
      AH (Authentication Header)
      AH in Transport mode
      AH in Tunnel mode
      No Encryption
      Only Authentication
      No Encryption
      Only Authentication
    • 18. IKE, SA, Encryption Algorithms
      Security Associations (SAs) are agreements between two hosts or two IPSec servers on how security will be performed.
      The security agreements can also negotiate different methods of integrity and encryption.
      These agreements start with IKE (Internet Key Exchange).
      IKE is not IPSec-specific.
      Integrity Algorithms:
      MD5
      SHA1
      AES
      Encryption Algorithms:
      DES
      3DES
      AES
      [Diagram: Host A and Host B negotiate a Security Association]
    • 19. Important Isolation Terms
      Trusted Host:
      IPSec-enabled
      Joined to domain
      Untrusted Host:
      NOT IPSec-enabled
      Not joined to domain or in an untrusted domain
      Boundary Host:
      IPSec-enabled
      Fall back to clear
      Able to communicate with both trusted and untrusted hosts
      Exempted Host:
      Does not use IPSec
      Isolation Group:
      A logical group of trusted hosts with the same policy
      Network Access Group:
      Controls access to a host on the network before any policy takes place
      [Diagram labels: Trusted Hosts; Untrusted Hosts; Known Trusted Host; Unknown Trusted Host; Boundary Hosts; Exemption Hosts; Connection Terminated]
    • 20. Isolation Scope
      Hosts to be isolated
      Any computer joined to domain as long as the requirement is met
      To a very large extent depends on the isolation policies
      Servers to be isolated
      Importance of the information stored on that server
      Domain Controller
      DC-to-DC
      GC-to-GC
      Client-to-DC (generally NOT recommended, but possible without Kerberos for authentication)
      Exchange Server
      Edge Transport server to the other servers holding the other roles
      Isolation of Edge Transport Server (Front-End Server)
      Communication between Exchange servers with different roles
      Servers to be isolated
      Office Communications Server 2007
      Isolation of edge servers
      Communication between the edge server and the internal servers
      File Servers
      Web Servers
      Block specific ports
      And ...
      Servers to be exempted
      DHCP Servers
      Computers connect to get an IP address and before that they do not receive any policies
      Need to have no delay
      DNS Servers
      Need to have no delay
      Involved with every computer in the network
      Firewalls
      Host-based firewalls, filtering in routers, network firewalls and any other filters must support Fragmentation and the following ports must be open on them:
      IKE: UDP Port 500
      IKE/IPSec NAT-T: UDP Port 4500
      IPSec ESP: IP Protocol 50
      IPSec AH: IP Protocol 51
    • 21. Planning phase
      Inform team members about IPSec
      IT Manager, System Architect, Security Manager, Support Specialist, etc.
      Collect information about your IT environment
      Network topology
      Security policy and implementation
      Server operating systems and applications
      User types
      Any interoperability issues or concerns
      Determine your isolation needs
      Business needs
      Security requirements
      Service Level Agreements
      Technology needs
      User needs
      Things to consider when planning:
      Analysis of network devices
      Analysis of network traffic flow
      ACLs that affect IPSec directly
      VLAN Segmentation
      Analysis of Active Directory
      Design your IPSec policies
      Deploy the policies in a test environment
      Refine Policies
      Create a deployment schedule
      Prepare for user and infrastructure support
    • 22. Deployment
      Different types of deployment
      Deployment using OUs
      Deployment using Groups
      [Diagram, deployment using OUs. Labels: Policy 1 applied at the domain level; Policy 2 applied at the OU level]
      [Diagram, deployment using groups. Labels: Group 1 to Group 8; Allow Read & Apply Permission; Deny Read & Apply Permission; Policy 1 applied; Policy 1 NOT applied; Policy 2 applied; Policy 2 NOT applied; Policy 3 applied]
    • 23. Deployment
      Comparison:
      Deployment by GROUPS is best for organizations with a more complex group hierarchy, such as companies in which more than one policy is applied to one OU.
      Deployment by GROUPS can get really complicated.
      Deployment by OUs is best for organizations in which computer members of each OU all inherit the same policies.
    • 24. DEMO
      Deployment Scenarios
      Network Access Groups
    • 25. IPSec Policy Components overview
      IPSec Policy
      IPSec policies are all configurable through Group Policies at both the domain and OU levels.
      Authentication methods
      Rules
      Pre-Shared Keys
      Kerberos
      Certificates
      Action
      Filter List
      Security methods
      Filters
      Hashing
      Encryption
      Key Lifetimes
    • 26. Isolation Scope
      Filter Lists:
      Collection of one or more filters used to match network traffic based on:
      Source or destination networks or addresses
      Protocol(s)
      Source and destination TCP or UDP ports
      Filter Actions:
      IPSec-Full Require Mode
      Requires IPSec-secured communication for both inbound and outbound packets.
      IPSec-Block
      Blocks the traffic that matches the filter lists
      IPSec-Permit
      Permits the traffic that matches the filter list
      IPSec-Request Mode
      Accepts both IPSec and non-IPSec inbound traffic
      For outbound, it starts IPSec negotiation and if no response, falls back to clear.
      IPSec-Secure Request Mode
      Accepts only IPSec inbound traffic
      For outbound, it starts IPSec negotiation and if no response, falls back to clear.
    • 27. DEMO
      Configuring Isolation
    • 28. Things to Consider
      Start small when deploying and always deploy in a test environment first
      Local Administrators can disable IPSec or change local dynamic policy
      Always plan for interoperability
      Make sure NAT-T is supported on hosts, if there is a NAT device in your network.
      Be aware of the delays in policy application after a change in policies occurs.
      When IPSec is used, network traffic monitoring tools will not work.
    • 29. Risks That Cannot Be Mitigated
      Trusted users stealing or disclosing sensitive data
      Rogue users
      Untrusted computers accessing other untrusted computers
      Loss of physical security of trusted computers
    • 30. Real-World Examples
      Lockheed Martin
      University of Michigan
      BMO Financial Group
      Microsoft IT Department
    • 31. Q&A
      Questions & Answers
    • 32. Required slide
      Resources
      Technet Reference on Domain and Server Isolation
      http://technet.microsoft.com/en-us/network/bb545651.aspx
      Technet Reference on IPSec
      http://www.microsoft.com/ipsec
      Perimeter E-Security TOP 10 Information Security Threats for 2010
      http://www.perimeterusa.com/knowledge-center/company-news/press-releases#100
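
The firewall requirements listed on the Isolation Scope slide (UDP 500, UDP 4500, IP protocols 50 and 51) can be checked against a filter rule set before isolation is switched on. The following is an added example, not part of the original presentation; the rule format, the subnets and both sample ACLs are constructed, and the fragmentation requirement is not modelled.

```python
# Added example: first-match ACL audit for the traffic IPsec isolation needs.
# The rule format, subnets and sample ACLs are constructed for illustration.
from ipaddress import ip_address, ip_network

# From the slide: (label, IP protocol number, UDP destination port or None)
IPSEC_REQUIREMENTS = [
    ("IKE", 17, 500),
    ("IKE/IPSec NAT-T", 17, 4500),
    ("IPSec ESP", 50, None),
    ("IPSec AH", 51, None),
]

def rule(action, src, dst, proto, port="any"):
    return {"action": action, "src": ip_network(src), "dst": ip_network(dst),
            "proto": proto, "port": port}

def first_match_action(acl, src, dst, proto, port):
    """Evaluate rules top-down; anything unmatched hits the implicit deny."""
    for r in acl:
        if (ip_address(src) in r["src"] and ip_address(dst) in r["dst"]
                and r["proto"] in ("any", proto)
                # ESP and AH carry no ports, so a port-specific rule never matches them
                and r["port"] in ("any", port)):
            return r["action"]
    return "deny"

def blocked_ipsec_traffic(acl, host_a, host_b):
    """List the required IPsec flows this ACL drops, checked in both directions."""
    blocked = []
    for label, proto, port in IPSEC_REQUIREMENTS:
        for src, dst in ((host_a, host_b), (host_b, host_a)):
            if first_match_action(acl, src, dst, proto, port) != "permit":
                blocked.append(f"{label}: {src} -> {dst}")
    return blocked

# Constructed ACL that opens IKE but forgets NAT-T, ESP and AH.
WEAK_ACL = [
    rule("permit", "10.1.0.0/16", "10.2.0.0/16", 17, 500),
    rule("permit", "10.2.0.0/16", "10.1.0.0/16", 17, 500),
    rule("permit", "0.0.0.0/0", "0.0.0.0/0", 6),
]
# Constructed ACL that opens everything the slide lists.
FIXED_ACL = [
    rule("permit", "10.0.0.0/8", "10.0.0.0/8", 17, 500),
    rule("permit", "10.0.0.0/8", "10.0.0.0/8", 17, 4500),
    rule("permit", "10.0.0.0/8", "10.0.0.0/8", 50),
    rule("permit", "10.0.0.0/8", "10.0.0.0/8", 51),
    rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any"),
]
```

Calling `blocked_ipsec_traffic(WEAK_ACL, "10.1.5.20", "10.2.9.8")` reports NAT-T, ESP and AH as dropped in both directions even though IKE on UDP 500 is permitted.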
