Microsoft Domain and Server Isolation Model


Speaker notes: Isolation requires knowledge of the current state of the network and its devices, the communication requirements that define how computers should interact with one another, and the security requirements that may constrain those communications, so that the right balance between security and connectivity is struck.
Slide 2: Microsoft Domain and Server Isolation Model
  IPsec as a savior against network threats on Windows Server 2008 R2
  Esmaeil Sarabadani, MCT, MCSA/MCSE Security
Slide 3: What will be covered
  • Protecting the network in a highly-connected world
  • Defence in depth
  • Network without isolation
  • Microsoft domain and server isolation model
  • Focus on IPsec
  • Different stages of implementing the model
  • Demonstrations of the configuration steps
Slide 4: Life in a Highly-Connected World
  • Local area networks
  • Business extranets
  • Wireless networks
  • Mobile workers
  • Laptops
  • Virtual private networks
  • Mobile smart devices
Slide 5: Protecting Your Network Means
  • Reducing the risk of malicious activity
  • Protecting data against unauthorized manipulation
  • Lowering costs and administrative overhead
  • Decreasing the impact of denial-of-service attacks
  • Reducing the risk of malicious software
  • Reducing the chance of an intrusion into the network and its servers
Slide 6: Typical Network Infrastructure
  • Is the whole infrastructure secure?
  • What is missing?
  • How important is it in the world today?
  • "Malicious insiders" was ranked second in 2010 and first in 2009 in the top ten information security threats reported by Perimeter E-Security.
  (Diagram labels: Logical Isolation, Extranet Connection, VPN Connection, Partner's Network, Network Firewalls, Remote User, Secure VPN Connections)
Slide 7: Defence in Depth
  • A layered approach to protecting a computer instead of relying on a single protection mechanism
  • Isolation adds a layer that:
    • Controls network communications
    • Protects all unicast traffic (broadcast and multicast traffic is not covered by Windows IPsec)
    • Behaves more like a host-based firewall than a network firewall
    • Provides end-to-end security
  (Diagram: Bob tries to talk to Alice; Alice replies "Sorry! I do not trust you!" and the communication does not take place.)
Slide 8: Without Isolation
  1. The user attempts to access a file share
  2. User authentication occurs
  3. Network access permissions are checked against the server's local policy
  4. Share access is checked; access is granted or denied based on the ACL
  Result: the user is authenticated and authorized. Nothing in this sequence checks which computer the request comes from.
Slide 9: Without Isolation
  The problems:
  • Too much dependence on users' credentials
  • Theft and abuse of user credentials is often not noticed until it is too late
  • Difficult to control who or what physically connects to the network
  • Large internal networks might have independent paths to the internet
  • Firewalls help, but not when clients communicate with each other inside the network
Slide 10: Without Isolation
  Question: what does a hacker need to penetrate the network and servers?
  • Access to the network
  • A username and password
  How difficult do you think it is for a hacker to get them?
Slide 11: Microsoft Domain and Server Isolation Model
  • Controls end-to-end communications using IPsec policies
  • Adds a layer of defence in depth
  • IPsec policies reach the host through Group Policy
  • Authenticates every packet
  • Can encrypt every packet
  Supported operating systems:
  • Windows 2000 SP4
  • Windows XP SP2
  • Windows Vista
  • Windows 7
  • Windows Server 2003
  • Windows Server 2008 / 2008 R2
Slide 12: With Isolation
  1. The user attempts to access a file share
  2. IKE negotiation begins; the computer account is authenticated
  3. Network access permissions are checked for the computer account (local policy)
  4. IKE succeeds and user authentication occurs
  5. Network access permissions are checked for the user (local policy)
  6. Share access is checked; access is granted or denied based on the ACL
  Result: both the computer and the user are authenticated and authorized before the share ACL is consulted.
Slide 13: Why IPsec?
  • IPsec is a protocol suite that secures traffic over IP networks
  • It operates at layer 3 (network) of the OSI model, so it protects any upper-layer protocol without application changes
  • It has two modes of operation: tunnel mode and transport mode
Slide 14: IPsec Tunnel Mode
  • An IPsec gateway at each site
  • No protection inside the site network
  • Secures traffic between the gateways across the internet
  • A new outer IP header and the security header are added in front of the original IP header
  • The outer header carries the source and destination addresses of the IPsec gateways
  • The hosts' real source and destination addresses are protected, because the original IP header is encapsulated
  • The original data field is protected
  (Diagram: Local Network, IPsec Gateway, Internet tunnel, IPsec Gateway, Local Network; packet layout: Tunnel Security Header | Protected Original IP Header | Protected Data Field)
Slide 15: IPsec Transport Mode
  • End-to-end communication and security between the hosts themselves
  • Security inside the site networks
  • Requires configuration on each host (this is the mode domain and server isolation uses)
  • The security header is inserted after the original IP header
  • The hosts' source and destination addresses remain visible to anyone on the path
  • The original data field is protected
  (Diagram: secure end-to-end communication between hosts in two local networks; packet layout: Original IP Header | Transport Security Header | Protected Data Field)
Slide 16: AH vs. ESP
  Two IPsec protocols, each usable in transport or tunnel mode:
  • ESP (Encapsulating Security Payload): confidentiality (encryption) plus authentication (integrity and origin of the payload). ESP can also run without encryption ("ESP-null") for authentication only.
  • AH (Authentication Header): authentication only, no encryption. AH also covers the immutable fields of the IP header, so it does not survive NAT; use ESP with NAT-T there.
Slide 17: AH vs. ESP
  • AH in transport mode and AH in tunnel mode: no encryption, only authentication
  • ESP in transport mode and ESP in tunnel mode: authentication, with optional encryption
Slide 18: IKE, SAs, Algorithms
  • A security association (SA) is an agreement between two IPsec peers (hosts or gateways) on how traffic will be protected. SAs are one-directional, so each connection uses a pair.
  • The negotiation also selects the integrity and encryption algorithms.
  • The negotiation starts with IKE (Internet Key Exchange), which runs over UDP port 500 (4500 behind NAT) before any AH or ESP traffic flows.
  • IKE is a separate protocol from AH and ESP: it authenticates the peers (Kerberos, certificates or a pre-shared key on Windows) and derives the keys.
  Integrity algorithms:
  • MD5 (weak; avoid)
  • SHA1
  • SHA-256 and AES-GMAC on Windows Vista / Server 2008 and later
  Encryption algorithms:
  • DES (weak; avoid)
  • 3DES
  • AES on Windows Vista / Server 2008 and later
  (Diagram: Host A and Host B negotiate a security association)
Slide 19: Important Isolation Terms
  • Trusted host: IPsec-enabled and joined to the domain
  • Untrusted host: not IPsec-enabled, not joined to the domain, or in an untrusted domain
  • Boundary host: IPsec-enabled but allowed to fall back to clear, so it can communicate with both trusted and untrusted hosts
  • Exempted host: does not use IPsec at all (for example DNS and DHCP servers)
  • Isolation group: a logical group of trusted hosts that share the same policy
  • Network access group: a domain group used in a host's "Access this computer from the network" and "Deny access to this computer from the network" user rights, so that which computers and users may connect is decided before any share or application permission is evaluated
  (Diagram: a trusted host negotiates with known trusted hosts, boundary hosts and exempted hosts; a connection from an unknown or untrusted host is terminated.)
Slide 20: Isolation Scope
  Hosts to be isolated:
  • Any computer joined to the domain, as long as it meets the requirements (supported OS, IPsec-capable)
  • To a very large extent depends on the isolation policies
  Servers to be isolated (depends on the importance of the information stored on them):
  • Domain controllers: DC-to-DC and GC-to-GC traffic. Client-to-DC is generally NOT recommended, and only possible with an authentication method other than Kerberos (certificates), because the client needs the DC in order to obtain a Kerberos ticket in the first place.
  • Exchange Server: the Edge Transport (front-end) server, its traffic to the servers holding the other roles, and traffic between Exchange servers with different roles
  • Office Communications Server 2007: the edge servers and their traffic to the internal servers
  • File servers
  • Web servers: block specific ports
  • And others
  Servers to be exempted:
  • DHCP servers: computers connect to get an IP address before they can receive any policy, and there must be no delay
  • DNS servers: involved with every computer in the network, and there must be no delay
  Firewalls:
  Host-based firewalls, router filters, network firewalls and any other filters on the path must support fragmentation (IKE with certificate authentication produces UDP datagrams that fragment) and must allow:
  • IKE: UDP port 500
  • IKE/IPsec NAT-T: UDP port 4500
  • IPsec ESP: IP protocol 50
  • IPsec AH: IP protocol 51
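The host classes of slides 19 and 20 map directly onto Windows Firewall with Advanced Security connection security rules. The PowerShell script below is an added example written for this page, not code from the deck or from Microsoft; all addresses (10.0.0.10, 10.0.0.11, 10.0.0.20, 10.0.0.0/24, 10.0.1.0/24) and rule names are assumptions. It exempts the DNS, DHCP and domain controller addresses, applies domain isolation as "require inbound, request outbound" (trusted host) or "request both ways" (boundary host) with ESP-null, requires encrypted, computer-and-user-authenticated IPsec for a file server subnet, and ends with the checks that confirm the rules are active and SAs are being negotiated.

```powershell
# Added example, not code from the deck: applies the host classes of slides 19-20
# with Windows Firewall with Advanced Security connection security rules on a
# Windows Server 2008 R2 / Windows 7 host. Run in an elevated PowerShell prompt.
# In production the same rules live in a GPO (Computer Configuration > Policies >
# Windows Settings > Security Settings > Windows Firewall with Advanced Security).
# All addresses and rule names below are assumptions made for this example.

$dnsServers  = '10.0.0.10,10.0.0.11'   # assumed exempted DNS servers
$dhcpServer  = '10.0.0.20'             # assumed exempted DHCP server
$dcSubnet    = '10.0.0.0/24'           # assumed DC subnet (client-to-DC stays in the clear)
$fileServers = '10.0.1.0/24'           # assumed server isolation group: file servers

function Invoke-Consec {
    # Run one "netsh advfirewall consec" subcommand; netsh exits non-zero on a bad rule.
    param([string[]]$Tokens)
    & netsh.exe advfirewall consec @Tokens | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh advfirewall consec $($Tokens -join ' ') failed" }
}

function Set-IsolationRules {
    param([ValidateSet('Trusted', 'Boundary')][string]$Role = 'Trusted')

    # Safe to re-run: remove this script's own rules first (a missing rule is ignored).
    foreach ($name in 'Iso_Exempt_Infra', 'Iso_Domain', 'Iso_FileServers') {
        & netsh.exe advfirewall consec delete rule "name=$name" | Out-Null
    }

    # Exempted hosts (DNS, DHCP, DCs): no authentication at all. Authentication
    # exemption rules are evaluated before every other connection security rule.
    Invoke-Consec @('add', 'rule', 'name=Iso_Exempt_Infra', 'endpoint1=any',
                    "endpoint2=$dnsServers,$dhcpServer,$dcSubnet", 'action=noauthentication')

    # Domain isolation. Trusted host: inbound must be IPsec, outbound only requests it,
    # so the host can still reach an untrusted printer. Boundary host: request in both
    # directions, i.e. fall back to clear whenever the peer cannot negotiate.
    # esp:sha1-none is ESP-null: every packet is authenticated, the payload stays
    # readable by monitoring tools (the slide 28 caveat).
    $action = if ($Role -eq 'Boundary') { 'requestinrequestout' } else { 'requireinrequestout' }
    Invoke-Consec @('add', 'rule', 'name=Iso_Domain', 'endpoint1=any', 'endpoint2=any',
                    "action=$action", 'auth1=computerkerb',
                    'qmsecmethods=esp:sha1-none+60min+100000kb')

    # Server isolation for the file servers: computer and user Kerberos, encrypted ESP
    # required in both directions (the "Full Require" mode of slide 26).
    Invoke-Consec @('add', 'rule', 'name=Iso_FileServers', 'endpoint1=any',
                    "endpoint2=$fileServers", 'action=requireinrequireout',
                    'auth1=computerkerb', 'auth2=userkerb',
                    'qmsecmethods=esp:sha256-aes256+60min+100000kb')
}

function Show-IsolationState {
    # Post-deployment checks: which rules are active, and which peers actually
    # completed IKE main mode and quick mode, including the protocol negotiated.
    netsh advfirewall monitor show consec
    netsh advfirewall monitor show mmsa
    netsh advfirewall monitor show qmsa
}

Set-IsolationRules -Role Trusted
Show-IsolationState
```

The Trusted variant belongs in the isolation group's GPO and the Boundary variant in a separate GPO for boundary hosts; `-Role` is the only difference. The catch-all Iso_Domain rule also matches the file server subnet, but WFAS evaluates exemption rules first and then prefers the rule whose endpoints match most specifically, so Iso_FileServers wins there. Requesting (rather than requiring) outbound security is what keeps a trusted host usable during migration; it also means an attacker who can drop IKE packets on the path can force that host to talk in the clear to any peer not covered by a require rule, which is why the file servers get require in both directions.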
Slide 21: Planning Phase
  • Inform team members about IPsec: IT manager, system architect, security manager, support specialists, etc.
  • Collect information about your IT environment: network topology, security policy and its implementation, server operating systems and applications, user types, any interoperability issues or concerns
  • Determine your isolation needs: business needs, security requirements, service level agreements, technology needs, user needs
  • Things to consider when planning: analysis of network devices, analysis of network traffic flow, ACLs that affect IPsec directly, VLAN segmentation, analysis of Active Directory
  • Design your IPsec policies
  • Deploy the policies in a test environment
  • Refine the policies
  • Create a deployment schedule
  • Prepare for user and infrastructure support
Slide 22: Deployment
  Different types of deployment:
  • Deployment using OUs: Policy 1 is linked at the domain level and reaches every computer; Policy 2 is linked at the OU level and applies only to the computers in that OU.
  • Deployment using groups: the policies are linked once, and security filtering decides who applies them. Groups granted Allow Read & Apply permission receive the policy; groups given Deny Read & Apply do not, so several different policies can be targeted at computers within the same OU.
  (Diagram: Groups 1 to 8 with Allow or Deny Read & Apply permission on Policies 1 to 3, showing which policy is applied or NOT applied to each group.)
Slide 23: Deployment
  Comparison:
  • Deployment by groups suits organizations with a more complex group hierarchy, or where more than one policy must apply to computers in the same OU
  • Deployment by groups can get really complicated
  • Deployment by OUs suits organizations in which all computers in an OU inherit the same policies
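Both deployment styles from slides 22 and 23 can be scripted with the GroupPolicy module that ships with Windows Server 2008 R2. The script below is an added example for this page, not code from the deck; the domain name, OU distinguished names, GPO names and the isolation group name are assumptions. It creates or reuses a GPO, links it either to an OU (style 1) or at the domain level with security filtering (style 2), and then reports who can read and apply it, which is the check to run before expecting the policy to reach anyone.

```powershell
# Added example, not code from the deck: the two deployment styles of slides 22-23
# using the GroupPolicy module of Windows Server 2008 R2 (needs the GPMC feature
# and rights to create and link GPOs). The domain, OU distinguished names, GPO and
# group names are assumptions made for this example. The IPsec settings themselves
# are authored afterwards in the GPO editor under Windows Firewall with Advanced Security.
Import-Module GroupPolicy

$domain   = 'corp.example.com'
$domainDN = 'DC=corp,DC=example,DC=com'

function Get-OrCreateGpo {
    # Return the GPO, creating an empty one if it does not exist yet.
    param([string]$Name)
    $gpo = Get-GPO -Name $Name -Domain $domain -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name -Domain $domain }
    return $gpo
}

function Add-GpoLinkIfMissing {
    # New-GPLink fails if the link already exists, so consult Get-GPInheritance first.
    param([string]$Name, [string]$TargetDN)
    $links = (Get-GPInheritance -Target $TargetDN -Domain $domain).GpoLinks
    if (-not ($links | Where-Object { $_.DisplayName -eq $Name })) {
        New-GPLink -Name $Name -Target $TargetDN -LinkEnabled Yes -Domain $domain | Out-Null
    }
}

function Set-IsolationPolicyByOU {
    # Style 1: link the policy to the OU; every computer in the OU inherits it.
    param([string]$Name, [string]$OuDN)
    Get-OrCreateGpo -Name $Name | Out-Null
    Add-GpoLinkIfMissing -Name $Name -TargetDN $OuDN
}

function Set-IsolationPolicyByGroup {
    # Style 2: link high (domain level) and let security filtering decide who applies it.
    # Only the isolation group gets Read + Apply Group Policy ("Allow Read & Apply" on slide 22).
    param([string]$Name, [string]$IsolationGroup)
    Get-OrCreateGpo -Name $Name | Out-Null
    Add-GpoLinkIfMissing -Name $Name -TargetDN $domainDN
    # Authenticated Users keep Read (computers must still be able to read the GPO) but lose Apply.
    Set-GPPermission -Name $Name -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace -Domain $domain | Out-Null
    Set-GPPermission -Name $Name -TargetName $IsolationGroup -TargetType Group `
        -PermissionLevel GpoApply -Domain $domain | Out-Null
}

function Get-IsolationPolicyFiltering {
    # The check: expect the isolation group with GpoApply and Authenticated Users with GpoRead only.
    param([string]$Name)
    Get-GPPermission -Name $Name -All -Domain $domain |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
}

Set-IsolationPolicyByOU    -Name 'IPsec - File Servers'     -OuDN "OU=FileServers,OU=Servers,$domainDN"
Set-IsolationPolicyByGroup -Name 'IPsec - Domain Isolation' -IsolationGroup 'CG_IPsec_DomainIsolation'
Get-IsolationPolicyFiltering -Name 'IPsec - Domain Isolation'
```

Set-GPPermission cannot write Deny entries, so the "Deny Read & Apply" of slide 22 has to be set in GPMC (Delegation > Advanced) or directly on the GPO's AD object ACL. Keep Read for computers that should not apply the policy: since MS16-072, computer Group Policy processing reads GPOs with the computer identity, so Authenticated Users or Domain Computers must retain Read on every GPO. That is why the example downgrades Authenticated Users to GpoRead rather than removing them.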
Slide 24: Demo: deployment scenarios and network access groups
Slide 25: IPsec Policy Components Overview
  IPsec policies are configurable through Group Policy at both the domain and OU levels.
  • IPsec policy
    • Rules, each combining:
      • a filter list (one or more filters)
      • a filter action (security methods: hashing, encryption, key lifetimes)
      • an authentication method: pre-shared key, Kerberos, or certificates
  A pre-shared key is stored in clear text in the policy and is meant for testing only; production deployments use Kerberos for domain members and certificates for non-domain hosts or client-to-DC traffic.
Slide 26: Filter Lists and Filter Actions
  Filter lists: a collection of one or more filters that match network traffic by
  • source or destination networks or addresses
  • protocol(s)
  • source and destination TCP or UDP ports
  Filter actions:
  • IPsec-Block: blocks the traffic that matches the filter list
  • IPsec-Permit: permits the traffic that matches the filter list in the clear
  • IPsec-Request mode: accepts both IPsec and non-IPsec inbound traffic; for outbound, starts IPsec negotiation and falls back to clear if there is no response (boundary hosts)
  • IPsec-Secure Request mode: accepts only IPsec inbound traffic; for outbound, starts IPsec negotiation and falls back to clear if there is no response (trusted hosts that must still reach exempted or untrusted hosts)
  • IPsec-Full Require mode: requires IPsec-secured communication for both inbound and outbound packets (isolated servers)
  Any mode that falls back to clear gives no guarantee against an attacker on the path who can drop the IKE packets; it is a migration tool, and the data that matters should be behind a Full Require action.
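Slides 25 and 26 describe the legacy IPsec policy object model (policy, rules, filter list, filter action, authentication method). The PowerShell script below is an added example for this page, not code from the deck, and it drives `netsh ipsec static`, the tool that creates exactly those objects on the Windows 2000/XP/2003 clients listed on slide 11 (the policy store still exists on Server 2008 R2, where connection security rules are the preferred replacement). The policy, filter list and filter action names and the 10.0.0.10 DNS address are assumptions. It builds one policy in which the three negotiate modes are expressed through `inpass` and `soft`, exempts DNS and DHCP with a permit action, assigns the policy and then runs the checks that confirm it is active and negotiating.

```powershell
# Added example, not code from the deck: builds the policy components of slides
# 25-26 with "netsh ipsec static", the legacy IPsec policy store used by the
# Windows 2000/XP/2003 clients on slide 11. Run in an elevated prompt. The policy,
# filter list and filter action names and the 10.0.0.10 DNS address are assumptions.

function Invoke-IpsecStatic {
    # Run one "netsh ipsec static" subcommand and fail on a non-zero exit code.
    param([string[]]$Tokens)
    & netsh.exe ipsec static @Tokens | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh ipsec static $($Tokens -join ' ') failed" }
}

$policy = 'DomainIsolation'

# Policy container. pollinginterval (minutes) is the delay slide 28 warns about:
# a client only picks up a changed policy at its next poll.
Invoke-IpsecStatic @('add', 'policy', "name=$policy", 'activatedefaultrule=no', 'pollinginterval=30')

# Filter lists: which traffic each rule matches (address, protocol, ports).
# mirrored=yes adds the reverse filter so both directions are covered.
Invoke-IpsecStatic @('add', 'filterlist', 'name=AllTraffic')
Invoke-IpsecStatic @('add', 'filter', 'filterlist=AllTraffic', 'srcaddr=me', 'dstaddr=any',
                     'protocol=ANY', 'mirrored=yes')
Invoke-IpsecStatic @('add', 'filterlist', 'name=ExemptedServers')
Invoke-IpsecStatic @('add', 'filter', 'filterlist=ExemptedServers', 'srcaddr=me', 'dstaddr=10.0.0.10',
                     'protocol=UDP', 'srcport=0', 'dstport=53', 'mirrored=yes')
Invoke-IpsecStatic @('add', 'filter', 'filterlist=ExemptedServers', 'srcaddr=me', 'dstaddr=dhcp',
                     'protocol=UDP', 'srcport=68', 'dstport=67', 'mirrored=yes')

# Filter actions: the three negotiate modes of slide 26 differ only in
# inpass (accept unsecured inbound?) and soft (fall back to clear outbound?):
#   Request        inpass=yes soft=yes
#   Secure Request inpass=no  soft=yes
#   Full Require   inpass=no  soft=no
# ESP[None,SHA1] is ESP-null (integrity only, payload still visible to monitoring tools);
# ESP[3DES,SHA1] encrypts. The legacy store offers DES/3DES only; AES needs Vista or later.
Invoke-IpsecStatic @('add', 'filteraction', 'name=SecureRequest', 'action=negotiate',
                     'inpass=no', 'soft=yes', 'qmsecmethods=ESP[None,SHA1]:100000k/3600s')
Invoke-IpsecStatic @('add', 'filteraction', 'name=FullRequire', 'action=negotiate',
                     'inpass=no', 'soft=no', 'qmsecmethods=ESP[3DES,SHA1]:100000k/3600s')
Invoke-IpsecStatic @('add', 'filteraction', 'name=PermitClear', 'action=permit')

# Rules bind a filter list, a filter action and an authentication method.
# The most specific filter wins, so the permit rule for the exempted servers
# overrides the catch-all negotiate rule for those destinations.
Invoke-IpsecStatic @('add', 'rule', 'name=Isolate', "policy=$policy",
                     'filterlist=AllTraffic', 'filteraction=SecureRequest', 'kerberos=yes')
Invoke-IpsecStatic @('add', 'rule', 'name=Exempt', "policy=$policy",
                     'filterlist=ExemptedServers', 'filteraction=PermitClear', 'kerberos=yes')

# Assign the policy (only one static policy is active at a time) and inspect it.
Invoke-IpsecStatic @('set', 'policy', "name=$policy", 'assign=yes')
netsh ipsec static show policy "name=$policy" level=verbose
netsh ipsec dynamic show qmsas    # quick-mode SAs appear once a peer negotiates
```

To turn the file server variant of slide 26 into Full Require, add a third filter list for the server addresses and bind it to the FullRequire action in its own rule; the rules of one policy are evaluated together and the most specific filter decides. In a domain deployment the same objects are created in the GPO editor (IP Security Policies on Active Directory) rather than locally, and the assigned policy on each client is what `netsh ipsec static show policy` should report.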
Slide 27: Demo: configuring isolation
Slide 28: Things to Consider
  • Start small when deploying, and always deploy in a test environment first
  • Local administrators can disable IPsec or change the local dynamic policy, so the policy is only as strong as your control over local administrator rights
  • Always plan for interoperability
  • Make sure NAT-T is supported on the hosts if there is a NAT device in your network
  • Be aware of the delay between a policy change and its application on the hosts (Group Policy refresh plus the IPsec polling interval)
  • With ESP encryption, network monitoring and intrusion detection tools can no longer inspect payloads; with AH or ESP-null (integrity only) they still can, at the cost of confidentiality
Slide 29: Risks That Cannot Be Mitigated
  • Trusted users stealing or disclosing sensitive data
  • Rogue users
  • Untrusted computers accessing other untrusted computers
  • Loss of physical security of trusted computers
Slide 30: Real-World Examples
  • Lockheed Martin
  • University of Michigan
  • BMO Financial Group
  • Microsoft IT Department
Slide 31: Q&A (Questions & Answers)
Slide 32: Resources
  • TechNet reference on Domain and Server Isolation
  • TechNet reference on IPsec
  • Perimeter E-Security Top 10 Information Security Threats for 2010
  (The links were not preserved in this export.)