Microsoft Domain and Server Isolation Model
 

  • isolation requires knowledge of the current state of the network and its devices, the communication requirements that define how computers should interact with one another, and the security requirements that may limit those requirements to achieve the appropriate balance between security and communication.

Presentation Transcript

  • Microsoft Domain and Server Isolation Model
    IPSec as a savior against network threats on Windows Server 2008 R2
    Esmaeil Sarabadani
    MCT, MCSA/MCSE Security
  • What will be covered
    Protecting the network in a highly-connected world
    Defence in depth
    Network without isolation
    Microsoft domain and server isolation model
    Focus on IPSec
    Different stages of implementing the model
    Demonstrations on different steps of configuration
  • Life in a Highly-Connected World
    Local Area Networks
    Business Extranets
    Wireless Networks
    Mobile Workers
    Laptops
    Virtual Private Networks
    Mobile Smart Devices
  • Protecting Your Network means
    Reducing the risk of malicious activities
    Protecting the data against unauthorized manipulation
    Lowering the costs and administrative overhead
    Decreasing the impact of denial-of-service attacks
    Reducing the risk of malicious software threats
    Eliminating the chance of intrusion into the network and servers
  • Typical Network Infrastructure
    Is the whole infrastructure secure?
    What is missing?
    How important is it in the world today?
    “Malicious insiders” was ranked second in 2010 and first in 2009 among the top ten information security threats reported by Perimeter E-Security.
    [Diagram: a typical network infrastructure showing logical isolation, an extranet connection, a VPN connection, a partner’s network, network firewalls, a remote user and secure VPN connections]
  • Defence in Depth
    A layered approach to protecting a computer instead of relying on a single protection mechanism
    Controls network communications
    Protects all unicast traffic
    More similar to a host-based firewall
    Provides end-to-end security
    [Diagram: Bob and Alice; Bob answers “Sorry! I do not trust you!” and the communication does not take place]
  • Without Isolation
    [Diagram, reconstructed as numbered steps:]
    1. User attempts to access a file share
    2. User authentication occurs (local policy)
    3. Check network access permissions
    4. User is authenticated and authorized
    Share access is checked; access granted or denied based on ACL
  • Without Isolation
    The Problems:
    Too much dependence on users’ credentials
    Theft and abuse of user credentials is often not noticed... until it’s too late
    Difficult to control who or what physically connects to the network
    Large internal networks might have independent paths to the internet
    Firewalls help, but not when clients communicate with each other inside the network
    Question:
    What does a HACKER need to penetrate the network and servers?
    • Access to the network
    • A username and password
    How difficult do you think it is for a hacker to get them?
  • Microsoft Domain and Server Isolation Model
    Controls end-to-end communications using IPSec policies
    Adds a layer of defence-in-depth
    IPSec policies are received by the host through Group Policy
    Authenticates every packet
    Can encrypt every packet
    Supported Operating Systems:
    Windows 2000 SP4
    Windows XP SP2
    Windows Vista
    Windows 7
    Windows Server 2003
    Windows Server 2008
  • With Isolation
    [Diagram, reconstructed as numbered steps:]
    1. User attempts to access a file share
    2. IKE negotiation begins
    3. Check network access permissions (computer account)
    4. IKE succeeds, user authentication occurs (local policy)
    5. Check network access permissions (user)
    6. Computer and user are authenticated and authorized
    Share access is checked; access granted or denied based on ACL
  • Why IPSec?
    IPSec is a protocol suite that provides security over IP networks
    It operates at layer 3 (Network) of the OSI model
    It has two modes of operation:
    Tunnel mode
    Transport mode
  • IPSec
    Tunnel Mode:
    IPSec gateway at each site
    No security inside the site network
    Secures messages going through the gateway and the internet
    Adds a security header to IP packets before the original IP header
    The new header contains the source and destination addresses of the IPSec gateways
    The source and destination addresses of the hosts are protected
    The original IP header is protected
    The original data field is protected
    [Diagram: two local networks connected across the internet through IPsec gateways; the tunnel packet is Tunnel Security Header | Protected Original IP Header | Protected data field; the secure communication runs between the gateways]
  • IPSec
    Transport Mode:
    End-to-end communication and security between the hosts
    Security inside the site networks
    Requires configuration on the host
    Adds a security header to IP packets after the original IP header
    The source and destination addresses of the hosts can be learned by a hacker in the middle
    The original data field is protected
    [Diagram: two local networks connected across the internet; the transport packet is Original IP Header | Transport Security Header | Protected data field; the secure end-to-end communication runs between the hosts]
  • AH vs. ESP
    Two security protocols
    ESP (Encapsulating Security Payload)
    Confidentiality (encryption)
    Authentication
    AH (Authentication Header)
    No encryption
    Only authentication
    [Diagram: packet layouts for ESP in Transport mode, ESP in Tunnel mode, AH in Transport mode and AH in Tunnel mode]
  • IKE, SA, Encryption Algorithms
    A Security Association (SA) is an agreement between two hosts or two IPSec servers on how security will be performed.
    The security agreements can also negotiate different methods of integrity and encryption.
    These agreements start with IKE (Internet Key Exchange)
    IKE is not IPSec-specific.
    Integrity Algorithms:
    MD5
    SHA1
    AES
    Encryption Algorithms:
    DES
    3DES
    AES
    [Diagram: Host A and Host B negotiate a Security Association]
  • Important Isolation Terms
    Trusted Host:
    IPSec-enabled
    Joined to domain
    Untrusted Host:
    NOT IPSec-enabled
    Not joined to domain or in an untrusted domain
    Boundary Host:
    IPSec-enabled
    Falls back to clear
    Able to communicate with both trusted and untrusted hosts
    Exempted Host:
    Does not use IPSec
    Isolation Group:
    A logical group of trusted hosts with the same policy
    Network Access Group:
    Controls access to a host on the network before any policy takes place
    [Diagram: trusted hosts, untrusted hosts, boundary hosts and exemption hosts; a known trusted host is allowed to connect while an unknown host has its connection terminated]
  • Isolation Scope
    Hosts to be isolated
    Any computer joined to the domain, as long as the requirements are met
    To a very large extent depends on the isolation policies
    Servers to be isolated
    Depends on the importance of the information stored on that server
    Domain Controller
    DC-to-DC
    GC-to-GC
    Client-to-DC (generally NOT recommended, but possible without Kerberos for authentication)
    Exchange Server
    Isolation of the Edge Transport server (front-end server)
    Edge Transport server to the other servers holding the other roles
    Communication between Exchange servers with different roles
    Office Communications Server 2007
    Isolation of edge servers
    Communication between the edge server and the internal servers
    File Servers
    Web Servers
    Block specific ports
    And ...
    Servers to be exempted
    DHCP Servers
    Computers connect to get an IP address, and before that they do not receive any policies
    Need to have no delay
    DNS Servers
    Need to have no delay
    Involved with every computer in the network
    Firewalls
    Host-based firewalls, filtering in routers, network firewalls and any other filters must support fragmentation, and the following ports must be open on them:
    IKE: UDP Port 500
    IKE/IPSec NAT-T: UDP Port 4500
    IPSec ESP: IP Protocol 50
    IPSec AH: IP Protocol 51
  • Planning phase
    Inform team members about IPSec
    IT Manager, System Architect, Security Manager, Support Specialist, etc.
    Collect information about your IT environment
    Network topology
    Security policy and implementation
    Server operating systems and applications
    User types
    Any interoperability issues or concerns
    Determine your isolation needs
    Business needs
    Security requirements
    Service Level Agreements
    Technology needs
    User needs
    Things to consider when planning:
    Analysis of network devices
    Analysis of network traffic flow
    ACLs that affect IPSec directly
    VLAN Segmentation
    Analysis of Active Directory
    Design your IPSec policies
    Deploy the policies in a test environment
    Refine Policies
    Create a deployment schedule
    Prepare for user and infrastructure support
  • Deployment
    Different types of deployment
    Deployment using OUs
    Deployment using Groups
    [Diagram: Policy 1 is applied at the domain level and Policy 2 at the OU level; with deployment by groups, Groups 1, 3, 5 and 7 are given Allow Read & Apply permission and Groups 2, 4, 6 and 8 Deny Read & Apply permission, so Policy 1, Policy 2 and Policy 3 are applied or NOT applied depending on the computer’s group]
  • Deployment
    Comparison:
    Deployment by GROUPS is best for organizations with a more complex group hierarchy, i.e. companies in which more than one policy is applied to one OU.
    Deployment by GROUPS can get really complicated.
    Deployment by OUs is best for organizations in which the computer members of each OU all inherit the same policies.
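The two deployment styles above can be checked by modelling which computers end up with which policy. The following Python is an added example written for this transcript, not code from the presentation or from Microsoft tooling; Gpo, Computer, applied_policies() and the directory names (DC=corp,DC=example, the Servers and Workstations OUs, the group names) are constructed for it. It follows two Group Policy rules: a policy linked at the domain is inherited by every OU below it, and in security filtering an explicit Deny Read & Apply on any of the computer's groups overrides an Allow.

```python
from dataclasses import dataclass

# Constructed directory names; they are not from the presentation.
DOMAIN = "DC=corp,DC=example"
SERVERS_OU = "OU=Servers," + DOMAIN
WORKSTATIONS_OU = "OU=Workstations," + DOMAIN


@dataclass
class Gpo:
    """A Group Policy Object carrying one IPSec policy, with its link and security filtering."""
    name: str
    link: str                                              # domain or OU the policy is linked to
    allow: frozenset = frozenset({"Authenticated Users"})  # Read + Apply Group Policy
    deny: frozenset = frozenset()                          # explicit Deny Read & Apply; wins over Allow


@dataclass
class Computer:
    name: str
    dn: str                                                # e.g. "CN=FS1,OU=Servers,DC=corp,DC=example"
    groups: frozenset = frozenset()


def containers_of(dn: str):
    """Containers whose linked policies a computer inherits: the domain, then its OUs top down."""
    parts = dn.split(",")[1:]                              # drop the computer's own CN=
    domain = ",".join(p for p in parts if p.upper().startswith("DC="))
    ous = [",".join(parts[i:]) for i, p in enumerate(parts) if p.upper().startswith("OU=")]
    return [domain] + list(reversed(ous))


def applies_to(gpo: Gpo, computer: Computer) -> bool:
    """Security filtering: a Deny on any of the computer's groups wins, otherwise an Allow is needed."""
    members = set(computer.groups) | {"Authenticated Users"}   # every domain member is authenticated
    if members & gpo.deny:
        return False
    return bool(members & gpo.allow)


def applied_policies(gpos, computer: Computer):
    """Names of the policies the computer receives, in Group Policy processing order."""
    applied = []
    for container in containers_of(computer.dn):
        for gpo in gpos:
            if gpo.link.lower() == container.lower() and applies_to(gpo, computer):
                applied.append(gpo.name)
    return applied


# Constructed example: Policy 1 is linked at the domain level (deployment by OUs, with one
# group denied); Policy 2 and Policy 3 are both linked to the Servers OU and told apart by
# group membership (deployment by groups).
GPOS = [
    Gpo("Policy 1", DOMAIN, deny=frozenset({"IPSec Exempt Computers"})),
    Gpo("Policy 2", SERVERS_OU, allow=frozenset({"Isolated File Servers"})),
    Gpo("Policy 3", SERVERS_OU, allow=frozenset({"Boundary Servers"})),
]


def demo():
    """Constructed computers: two isolated servers, an exempted DHCP server and a workstation."""
    computers = [
        Computer("FS1", f"CN=FS1,{SERVERS_OU}", frozenset({"Isolated File Servers"})),
        Computer("BND1", f"CN=BND1,{SERVERS_OU}", frozenset({"Boundary Servers"})),
        Computer("DHCP1", f"CN=DHCP1,{SERVERS_OU}", frozenset({"IPSec Exempt Computers"})),
        Computer("WS1", f"CN=WS1,{WORKSTATIONS_OU}"),
    ]
    return {c.name: applied_policies(GPOS, c) for c in computers}


if __name__ == "__main__":
    for name, policies in demo().items():
        print(f"{name:6} {', '.join(policies) or '(no IPSec policy)'}")
```

Running it shows the two server policies landing on different computers in the same OU purely through group membership, and the exempted DHCP server receiving nothing even though the domain-level policy would otherwise reach it. The model ignores site links, Block Inheritance and Enforced links, which the real engine also evaluates.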
  • DEMO
    Deployment Scenarios; Network Access Groups
  • IPSec Policy Components overview
    IPSec policies are all configurable through Group Policies at both the domain and OU levels.
    IPSec Policy
    Rules:
    Filter List
    Filters
    Filter Action
    Authentication methods:
    Pre-Shared Keys
    Kerberos
    Certificates
    Security methods:
    Hashing
    Encryption
    Key Lifetimes
  • Isolation Scope
    Filter Lists:
    A collection of one or more filters used to match network traffic based on:
    Source or destination networks or addresses
    Protocol(s)
    Source and destination TCP or UDP ports
    Filter Actions:
    IPSec-Block
    Blocks the traffic that matches the filter list
    IPSec-Permit
    Permits the traffic that matches the filter list
    IPSec-Request Mode
    Accepts both IPSec and non-IPSec inbound traffic
    For outbound, it starts IPSec negotiation and, if there is no response, falls back to clear.
    IPSec-Secure Request Mode
    Accepts only IPSec inbound traffic
    For outbound, it starts IPSec negotiation and, if there is no response, falls back to clear.
    IPSec-Full Require Mode
    Requires IPSec-secured communication for both inbound and outbound packets.
  • DEMO
    Configuring Isolation
  • Things to Consider
    Start small when deploying, and always deploy in a test environment first
    Local Administrators can disable IPSec or change the local dynamic policy
    Always plan for interoperability
    Make sure NAT-T is supported on hosts if there is a NAT device in your network.
    Be aware of the delays in policy application after a change in policies occurs.
    Network traffic monitoring tools cannot inspect IPSec-protected traffic.
  • Risks That Cannot Be Mitigated
    Trusted users stealing or disclosing sensitive data
    Rogue users
    Untrusted computers accessing other untrusted computers
    Loss of physical security of trusted computers
  • Real-World Examples
    Lockheed Martin
    University of Michigan
    BMO Financial Group
    Microsoft IT Department
  • Q&A
    Questions & Answers
  • Resources
    Technet Reference on Domain and Server Isolation
    http://technet.microsoft.com/en-us/network/bb545651.aspx
    Technet Reference on IPSec
    http://www.microsoft.com/ipsec
    Perimeter E-Security TOP 10 Information Security Threats for 2010
    http://www.perimeterusa.com/knowledge-center/company-news/press-releases#100
  • WIN COOL PRIZES!!!
    Complete the True Techie and Crazy Communities Challenge and stand a chance to win…
    Look in your conference bags NOW!!
  • We value your feedback!
    Please remember to complete the overall conference evaluation form (in your bag) and return it to the Registration Counter on the last day in return for a Limited Edition Gift