Microsoft Domain and Server Isolation Model (Presentation Transcript)
IPSec as a savior against network threats on Windows Server 2008 R2
Esmaeil Sarabadani, MCT, MCSA/MCSE Security
What will be covered
- Protecting the network in a highly-connected world
- Defence in depth
- Network without isolation
- Microsoft domain and server isolation model
- Focus on IPSec
- Different stages of implementing the model
- Demonstrations of the different configuration steps
Life in a Highly-Connected World
- Local Area Networks
- Business Extranets
- Wireless Networks
- Mobile Workers
- Laptops
- Virtual Private Networks
- Mobile Smart Devices
Protecting Your Network means
- Reducing the risk of malicious activity
- Protecting data against unauthorized manipulation
- Lowering costs and administrative overhead
- Decreasing the impact of denial-of-service attacks
- Reducing the risk of malicious software threats
- Eliminating the chance of intrusion into the network and servers
Typical Network Infrastructure
- Is the whole infrastructure secure?
- What is missing?
- How important is it in the world today?
- "Malicious insiders" ranked second in 2010 and first in 2009 in the top ten information security threats reported by Perimeter E-Security.
[Diagram: logical isolation; extranet connection, VPN connection, partner's network, network firewalls, remote user, secure VPN connections]
Defence in Depth
- A layered approach to protecting a computer instead of relying on a single protection mechanism
- Controls network communications
- Protects all unicast traffic
- More similar to a host-based firewall
- Provides end-to-end security
[Diagram: Bob to Alice: "Sorry! I do not trust you!" The communication does not take place.]
Without Isolation
1. User attempts to access a file share
2. User authentication occurs
3. Check network access permissions (local policy)
4. User is authenticated and authorized; share access is checked; access granted or denied based on ACL
Without Isolation
The Problems:
- Too much dependence on users' credentials
- Theft and abuse of user credentials is often not noticed... until it's too late
- Difficult to control who or what physically connects to the network
- Large internal networks might have independent paths to the internet
- Firewalls help, but not when clients communicate inside the network
Question: What does a HACKER need to penetrate the network and servers?
- Access to the network
- A username and password
How difficult do you think it is for a hacker to get them?
Microsoft Domain and Server Isolation Model
- Controls end-to-end communications using IPSec policies
- Adds a layer of defence-in-depth
- IPSec policies are received by the host through Group Policy
- Authenticates every packet
- Can encrypt every packet
- Supported Operating Systems: Windows 2000 SP4, Windows XP SP2, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008
With Isolation
1. User attempts to access a file share
2. IKE negotiation begins
3. Check network access permissions for the computer account (local policy)
4. IKE succeeds, user authentication occurs
5. Check network access permissions for the user (local policy)
6. Computer and user are authenticated and authorized; share access is checked; access granted or denied based on ACL
Why IPSec?
- IPSec is a protocol suite that provides security over IP networks
- It operates at layer 3 (Network) of the OSI model
- It has two modes of operation: Tunnel mode and Transport mode
IPSec Tunnel Mode:
- IPSec gateway at each site
- No security inside the site network
- Secures messages going through the gateway and the internet
- Adds a security header before the original IP header; a new outer IP header carries the source and destination addresses of the IPSec gateways
- The source and destination addresses of the hosts are protected
- The original IP header is protected
- The original data field is protected
[Diagram: Local Network - IPSec Gateway - Internet (Tunnel: Security Header, Protected Original IP Header, Protected data field) - IPSec Gateway - Local Network; secure communication between the gateways]
IPSec Transport Mode:
- End-to-end communication and security between the hosts
- Security inside the site networks
- Requires configuration on the host
- Adds a security header to IP packets after the main IP header
- The source and destination addresses of the hosts are visible to an attacker on the path
- The original data field is protected
[Diagram: Local Network - Internet - Local Network (Transport: Original IP Header, Security Header, Protected data field); secure end-to-end communication between the hosts]
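The difference between the two modes is easiest to see at the byte level. The following Python script is an added example written for this transcript (it is not code from the deck or from Microsoft): it builds the header layout of an ESP packet in transport and in tunnel mode and then reads it back the way a device on the path would, without the SA keys. The host and gateway addresses, the SPI values and the payload are constructed, and no encryption is performed; the bytes after the ESP header simply stand in for the ciphertext, since the point is which addresses the outer header exposes.

```python
import struct
from ipaddress import IPv4Address

# Constructed addresses for the example (not from the deck): two hosts on two
# sites and the IPSec gateway in front of each site.
HOST_A = "10.1.0.5"
HOST_B = "10.2.0.7"
GATEWAY_A = "203.0.113.1"
GATEWAY_B = "198.51.100.1"

IPPROTO_TCP = 6
IPPROTO_ESP = 50          # IP protocol number for ESP (see the firewall slide)

IPV4_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal IPv4 header; ID and checksum are left zero (enough for layout)."""
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def esp_header(spi: int, seq: int) -> bytes:
    """The only ESP fields sent in the clear: SPI and sequence number."""
    return struct.pack("!II", spi, seq)


def transport_mode(src: str, dst: str, payload: bytes, spi: int, seq: int = 1) -> bytes:
    """[original IP header][ESP header][protected payload].
    No encryption here: the bytes after the ESP header stand in for ciphertext."""
    esp = esp_header(spi, seq) + payload
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


def tunnel_mode(gw_src: str, gw_dst: str, src: str, dst: str,
                payload: bytes, spi: int, seq: int = 1) -> bytes:
    """[new outer IP header][ESP header][original IP header + payload]."""
    inner = ipv4_header(src, dst, IPPROTO_TCP, len(payload)) + payload
    esp = esp_header(spi, seq) + inner
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp


def observer_view(packet: bytes) -> dict:
    """What a device on the path can read without the SA keys: the outer IP
    header and the ESP SPI/sequence number. Everything after that is opaque."""
    fields = struct.unpack(IPV4_FMT, packet[:20])
    spi, seq = struct.unpack("!II", packet[20:28])
    return {
        "src": str(IPv4Address(fields[8])),
        "dst": str(IPv4Address(fields[9])),
        "proto": fields[6],
        "spi": spi,
        "seq": seq,
        "opaque_bytes": len(packet) - 28,
    }


def demo() -> dict:
    payload = b"SMB2 read request"   # constructed application data
    t = transport_mode(HOST_A, HOST_B, payload, spi=0x1000)
    u = tunnel_mode(GATEWAY_A, GATEWAY_B, HOST_A, HOST_B, payload, spi=0x2000)
    return {"transport": observer_view(t), "tunnel": observer_view(u)}


if __name__ == "__main__":
    for mode, view in demo().items():
        print(f"{mode:9s} observer sees {view['src']} -> {view['dst']} "
              f"proto={view['proto']} spi={view['spi']:#x} opaque={view['opaque_bytes']}B")
```

In transport mode the observer reads the real host addresses (10.1.0.5 to 10.2.0.7) and only the payload is opaque; in tunnel mode it reads the gateway addresses, and the original IP header is inside the opaque region, which is 20 bytes larger. In both cases the protocol field is 50, which is why ESP must be allowed through every filter on the path.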
AH vs. ESP
Two IPSec security protocols:
- ESP (Encapsulating Security Payload): confidentiality and authentication
  - ESP in Transport mode
  - ESP in Tunnel mode
- AH (Authentication Header): authentication only, no encryption
  - AH in Transport mode
  - AH in Tunnel mode
IKE, SA, Encryption Algorithms
- Security Associations (SAs) are agreements between two hosts or two IPSec servers on how security will be performed.
- The agreements can also negotiate different integrity and encryption methods.
- These agreements start with IKE (Internet Key Exchange).
- IKE is not IPSec-specific.
- Integrity algorithms: MD5, SHA1, AES
- Encryption algorithms: DES, 3DES, AES
[Diagram: Host A and Host B negotiate a Security Association]
Important Isolation Terms
- Trusted Host: IPSec-enabled; joined to the domain
- Untrusted Host: NOT IPSec-enabled; not joined to the domain, or in an untrusted domain
- Boundary Host: IPSec-enabled; falls back to clear; able to communicate with both trusted and untrusted hosts
- Exempted Host: does not use IPSec
- Isolation Group: a logical group of trusted hosts with the same policy
- Network Access Group: controls access to a host on the network before any policy takes place
[Diagram: known trusted host, unknown trusted host (connection terminated), boundary hosts, exemption hosts]
Isolation Scope
Hosts to be isolated:
- Any computer joined to the domain, as long as the requirements are met
- To a very large extent depends on the isolation policies
Servers to be isolated (depends on the importance of the information stored on that server):
- Domain Controller: DC-to-DC; GC-to-GC; Client-to-DC (generally NOT recommended, but possible without Kerberos for authentication)
- Exchange Server: Edge Transport server to the servers holding the other roles; isolation of the Edge Transport Server (Front-End Server); communication between Exchange servers with different roles
- Office Communications Server 2007: isolation of edge servers; communication between the edge server and the internal servers
- File Servers
- Web Servers: block specific ports
- And ...
Servers to be exempted:
- DHCP Servers: computers connect to get an IP address, and before that they do not receive any policies; need to have no delay
- DNS Servers: need to have no delay; involved with every computer in the network
Firewalls:
- Host-based firewalls, filtering in routers, network firewalls and any other filters must support fragmentation, and the following ports must be open on them:
  - IKE: UDP port 500
  - IKE/IPSec NAT-T: UDP port 4500
  - IPSec ESP: IP protocol 50
  - IPSec AH: IP protocol 51
Planning phase
- Inform team members about IPSec: IT Manager, System Architect, Security Manager, Support Specialist, etc.
- Collect information about your IT environment: network topology; security policy and implementation; server operating systems and applications; user types; any interoperability issues or concerns
- Determine your isolation needs: business needs; security requirements; Service Level Agreements; technology needs; user needs
- Things to consider when planning: analysis of network devices; analysis of network traffic flow; ACLs that affect IPSec directly; VLAN segmentation; analysis of Active Directory
- Design your IPSec policies
- Deploy the policies in a test environment
- Refine policies
- Create a deployment schedule
- Prepare for user and infrastructure support
Deployment
Different types of deployment:
- Deployment using OUs: Policy 1 applied at the domain level; Policy 2 applied at the OU level
- Deployment using Groups: the policy is applied to groups granted Allow Read & Apply permission and NOT applied to groups with Deny Read & Apply permission
[Diagram: Policies 1, 2 and 3 applied through Groups 1 to 8; groups with Allow Read & Apply permission receive the policy, groups with Deny Read & Apply permission do not]
Deployment Comparison:
- Deployment by GROUPS is best for organizations with a more complex group hierarchy, and for companies in which more than one policy is applied to one OU.
- Deployment by GROUPS can get really complicated.
- Deployment by OUs is best for organizations in which the computer members of each OU all inherit the same policies.
DEMO: Deployment Scenarios; Network Access Groups
IPSec Policy Components overview
- IPSec policies are all configurable through Group Policy at both the domain and OU levels.
- IPSec Policy
  - Rules
    - Authentication methods: Pre-Shared Keys, Kerberos, Certificates
    - Filter List: Filters
    - Action: Security methods (Hashing, Encryption, Key Lifetimes)
Filter Lists and Filter Actions
Filter Lists: a collection of one or more filters used to match network traffic based on:
- Source or destination networks or addresses
- Protocol(s)
- Source and destination TCP or UDP ports
Filter Actions:
- IPSec-Block: blocks the traffic that matches the filter list
- IPSec-Permit: permits the traffic that matches the filter list
- IPSec-Request Mode: accepts both IPSec and non-IPSec inbound traffic; for outbound, starts IPSec negotiation and, if there is no response, falls back to clear
- IPSec-Secure Request Mode: accepts only IPSec inbound traffic; for outbound, starts IPSec negotiation and, if there is no response, falls back to clear
- IPSec-Full Require Mode: requires IPSec-secured communication for both inbound and outbound packets
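The filter actions above decide, together with the host classes from the isolation terms slide (trusted, boundary, untrusted and exempted hosts), whether a connection ends up secured, in clear, or dropped. The Python model below is an added example written for this transcript, not Microsoft's implementation: it encodes the outbound negotiation and inbound acceptance rules of each filter action and runs them over a constructed environment of a trusted workstation and file server, a boundary web server, an untrusted laptop and an exempted DHCP server. The host names and addresses, the /32 exemption filter for the DHCP server, and the rule that the most specific matching filter wins are assumptions of the model.

```python
from dataclasses import dataclass, field
from enum import Enum
from ipaddress import ip_address, ip_network


class Action(Enum):
    """The filter actions from the slide."""
    PERMIT = "IPSec-Permit"
    BLOCK = "IPSec-Block"
    REQUEST = "IPSec-Request Mode"
    SECURE_REQUEST = "IPSec-Secure Request Mode"
    REQUIRE = "IPSec-Full Require Mode"


# Actions that start (and answer) IKE negotiation
NEGOTIATING = (Action.REQUEST, Action.SECURE_REQUEST, Action.REQUIRE)


@dataclass
class Host:
    name: str
    address: str
    ipsec_enabled: bool      # receives an IPSec policy (trusted or boundary host)
    domain_joined: bool      # can authenticate IKE with domain Kerberos
    # Filter list (address filter) -> filter action. The model applies the most
    # specific matching filter; no match means the traffic is not subject to IPSec.
    rules: list = field(default_factory=list)

    def action_for(self, peer: str) -> Action:
        matches = [(net.prefixlen, act) for net, act in self.rules
                   if ip_address(peer) in net]
        return max(matches, key=lambda m: m[0])[1] if matches else Action.PERMIT


def ike_succeeds(initiator: Host, responder: Host) -> bool:
    """IKE completes only if both sides run IPSec, both can authenticate with
    the domain, and the responder's own filter action negotiates for this peer."""
    return (initiator.ipsec_enabled and responder.ipsec_enabled
            and initiator.domain_joined and responder.domain_joined
            and responder.action_for(initiator.address) in NEGOTIATING)


def accepts_clear(responder: Host, peer: str) -> bool:
    """Inbound clear text: Permit and Request accept it; Secure Request,
    Full Require and Block do not."""
    return responder.action_for(peer) in (Action.PERMIT, Action.REQUEST)


def connect(initiator: Host, responder: Host) -> str:
    act = initiator.action_for(responder.address)
    if act is Action.BLOCK:
        return "blocked by initiator policy"
    if act in NEGOTIATING and ike_succeeds(initiator, responder):
        return "secured"
    if act is Action.REQUIRE:
        return "dropped: initiator requires IPSec"
    # Permit sends in clear; Request and Secure Request fall back to clear
    if accepts_clear(responder, initiator.address):
        return "clear"
    return "dropped: responder requires IPSec"


# Constructed environment (not from the deck)
ANY = ip_network("0.0.0.0/0")
DHCP_SERVER = ip_network("10.0.0.2/32")
TRUSTED_RULES = [(DHCP_SERVER, Action.PERMIT), (ANY, Action.REQUIRE)]
BOUNDARY_RULES = [(DHCP_SERVER, Action.PERMIT), (ANY, Action.SECURE_REQUEST)]

FILESERVER = Host("FS1", "10.0.1.10", True, True, TRUSTED_RULES)
WORKSTATION = Host("WS1", "10.0.2.20", True, True, TRUSTED_RULES)
WEBSERVER = Host("WEB1", "10.0.3.30", True, True, BOUNDARY_RULES)  # boundary host
ROGUE = Host("ROGUE", "10.0.9.99", False, False)   # untrusted: no IPSec, not in domain
DHCP = Host("DHCP1", "10.0.0.2", False, False)     # exempted host


def run_scenarios() -> dict:
    pairs = [(WORKSTATION, FILESERVER), (ROGUE, FILESERVER), (WORKSTATION, ROGUE),
             (WEBSERVER, ROGUE), (ROGUE, WEBSERVER), (WORKSTATION, DHCP)]
    return {f"{a.name}->{b.name}": connect(a, b) for a, b in pairs}


if __name__ == "__main__":
    for pair, outcome in run_scenarios().items():
        print(f"{pair:12s} {outcome}")
```

The output reproduces the slide's rules: trusted-to-trusted traffic is secured, the untrusted laptop cannot reach the file server (Full Require refuses inbound clear) and the workstation cannot reach the laptop (Full Require refuses to fall back), the boundary web server can reach the laptop in clear because Secure Request falls back, but the laptop cannot initiate to the web server because Secure Request accepts only IPSec inbound, and the DHCP exemption filter lets the workstation talk to the DHCP server in clear even though its default action is Full Require.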
DEMO: Configuring Isolation
Things to Consider
- Start small when deploying, and always deploy in a test environment first
- Local Administrators can disable IPSec or change the local dynamic policy
- Always plan for interoperability
- Make sure NAT-T is supported on hosts if there is a NAT device in your network
- Be aware of delays in policy application after a policy change
- With IPSec encryption, network traffic monitoring tools cannot inspect the traffic
Risks That Cannot Be Mitigated
- Trusted users stealing or disclosing sensitive data
- Rogue users
- Untrusted computers accessing other untrusted computers
- Loss of physical security of trusted computers
Real-World Examples
- Lockheed Martin
- University of Michigan
- BMO Financial Group
- Microsoft IT Department
Q&A
Resources
- Technet Reference on Domain and Server Isolation: http://technet.microsoft.com/en-us/network/bb545651.aspx
- Technet Reference on IPSec: http://www.microsoft.com/ipsec
- Perimeter E-Security TOP 10 Information Security Threats for 2010: http://www.perimeterusa.com/knowledge-center/company-news/press-releases#100