Improving Security with Domain Isolation Microsoft IT Implements IP Security (IPsec) Published: June 2004.

Solution Overview
Situation
● Managed computers had to be isolated from unmanaged computers to improve security
Solution
● Deployment of IPsec
Benefits
● Allows creation of logical secure network segments
● Works independently of other infrastructure for end-to-end security
● Can be deployed and managed centrally

Products and Technologies
● IPsec protocols (ESP, IKE)
● Windows Server 2003
● Windows XP Professional SP1
● Windows 2000 SP3
● Group Policy
● Active Directory
● PKI and CA

Levels of Trusted Assets (diagram; only its labels survive)
Labels: SecureNet (Clients, Servers, Home LAN, Trustworthy Labs; 203,000), Untrustworthy Labs (75,000), PocketPC/Xbox (18,000), MAC (2,000), Boundary Machines (5,000), Infrastructure (500), DHCP, DNS, WINS, DC, Internet Servers, Business Partners, Extranet, DTaps (no connectivity to CorpNet; 1,800), External Exclusions, Internal Exclusions, Microsoft Corporate Network, ACL Controlled

Business Benefits
● Decreased network risks
● Improved asset management information

Business Benefits
● Protection of intellectual property
● Increased policy compliance
● Improved malware detection

Domain Isolation at Microsoft
● IPsec allows creation of logical, secure networks within a larger network
● Group Policy provides a framework for easily deploying IPsec to hosts
● Active Directory infrastructure and Group Policy enable deployment and administration of IPsec enterprise wide

Domain Isolation at Microsoft
● Microsoft IT considered two segmentation technologies:
  ● IPsec provides end-to-end authentication and encryption between hosts on a network
  ● 802.1x provides only authentication
● Microsoft IT chose IPsec because it is a complete solution

Domain Isolation at Microsoft
● IPsec is a standards-based framework of security protocols and cryptographic services
● IPsec is a foundation for a secure environment, but is not a secure environment itself
● Microsoft IT uses two of the four nodes in IPsec negotiated security

Domain Isolation at Microsoft
● Active and challenging security environment at Microsoft
● Unique aspects of the Microsoft environment include:
  ● Multiple computers per user
  ● Diverse desktop implementations
  ● Frequently rebuilt computers
  ● Diverse mix of approved software versions

Planning
1. Determine segmentation requirements
2. Choose technology
3. Design IPsec/group policies
4. Test policies/IPsec functionality and behaviors
5. Create a rollout schedule

Planning
● Test process and strategy
  ● Focus on minimal user impact
  ● Phased subnet deployment approach
  ● Creation of new rule/filter list and assignment of secure request filter action
  ● Change of rollout process to deploy to individual domains instead of subnets

Planning
● Communication with users
  ● Transparency of IPsec deployment to users
  ● Low volume of Helpdesk calls
  ● Training of Helpdesk personnel
  ● Restrictions on access to servers that contain sensitive information
  ● Notifications of deployment progress and system requirements

Deployment
● Group Policy for IPsec distribution
  ● Create dedicated GPOs for IPsec
  ● Create security groups
  ● Create universal security groups to control the application of GPOs
  ● Create a universal security group for group/IPsec policy administration
  ● Administer Group Policy

Deployment
Diagram labels: IPsec Policy; Rules; Filter List; Action; Filters; Key Exchange Methods (IKE); Authentication Methods (Kerberos, Certificates, Static Keys); Security Methods (Encryption, Hashing, Key Lifetimes)
IPsec policies are applied to a GPO, contain a set of rules, and specify how to perform IKE. Each rule associates a Filter List with an Action and specifies authentication methods. A Filter List specifies a set of individual filters and is used to group filters together in a rule. A Filter describes a pattern of traffic to match, by IP address, subnet, port, and protocol for both ends of a connection. An Action designates what to do with traffic that matches a filter: Permit, Block, or Negotiate Security.

Deployment
● Policy settings
  ● Different IPsec policies via different GPOs during different phases of deployment
● IPsec filter design
  ● Basic filter rules as the default policy
  ● Management and deployment of IPsec through Group Policy and Active Directory
  ● No active IPsec policies on the Internet-facing NIC of multi-homed computers

Deployment
● Some computers and devices cannot use IPsec
  ● These computers and devices cannot access computers inside SecureNet
  ● Exception servers can become boundary machines
  ● Legacy and test environments are not a priority for adding to SecureNet

Deployment
● Managing boundary computers
  ● Extra management and security
  ● Creation of security groups
● Deploying boundary computers
  ● Request process
  ● Case-by-case basis for granting insecure network traffic

Known Issues and Problem Applications
● LAN performance
  ● Added bandwidth consumption
● CPU performance
  ● Negligible overhead on most clients
● IPsec and Windows VPN servers
  ● Special IPsec policies for deployments that use Kerberos

Known Issues and Problem Applications
● RFC 1918 private IP ranges
  ● Connecting to the corporate network through a VPN requires use of specific private IP ranges
  ● Two private subnets are excluded from the list of secure subnets

Known Issues and Problem Applications
● Network device issues
  ● IPsec changes TCP/IP offsets for destination ports and protocols
  ● IPsec generally defeats network-based prioritization and port- or protocol-based traffic management
  ● IPsec adds to use of system resources

Known Issues and Problem Applications
● Filter processing issues
  ● The IPsec driver caches filters that match a particular connection
● IPsec and NLB clusters
  ● Clients connected to an offline server must renegotiate the connection
  ● If a node in the cluster fails, IPsec connections cannot rebuild the security association until the preset time-out period has elapsed

Known Issues and Problem Applications
● NAT-T
  ● NAT-T addresses problems between NAT and IPsec
● Troubleshooting issues
  ● IPsec depends on correct configuration of supporting technologies
  ● Microsoft IT enables auditing using domain-based group policies
  ● Diagnostics may require Oakley logging

Best Practices
● Group Policy design
  ● Set up group policies for all behavior types to support IPsec testing
  ● Filter the “Apply Group Policy” ACE for each policy to only the limited security user groups
  ● Use a naming convention that covers the policy and group function for easier management and troubleshooting

Best Practices
● IPsec design
  ● Minimize the overall number of filters
  ● Use “Any” instead of “Me” as the base approach to filter design
  ● Create “Any Corporate subnet” rules instead of “Me Any” for secure subnets
  ● Manage permitted subnets
  ● Use “Any” rules for virtual IP addresses used by clusters

Best Practices
● IPsec design
  ● Permit unsecured traffic to infrastructure servers
  ● Use Kerberos as the default authentication mechanism
  ● Set NoDefaultExempt = 1 via group policy ADM template
  ● Permit the ICMP protocol

Best Practices
● IPsec design
  ● Minimize securing by port or protocol
  ● Avoid “Any Any” filters
  ● Don’t use the IPsec Default Response rule with a custom policy
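The policy structure from the Deployment slide (policy → rules → filter list + action) and the filter-design points from the Best Practices slides (unsecured traffic permitted to infrastructure servers, ICMP permitted, an “Any Corporate subnet” negotiate rule, excluded RFC 1918 VPN ranges, no “Any Any” filters, no Default Response rule) as one small Python model. This is an added example, not code from the presentation or from Microsoft IT; the addresses, rule names and the most-specific-filter-wins ordering are assumptions of the model.

```python
"""Model of the Deployment slide's IPsec policy structure: Policy -> Rules -> (Filter List, Action).
Constructed example: CORP, VPN_POOL and INFRA are made-up addresses, not Microsoft IT's real ones."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional
ANY = ip_network("0.0.0.0/0")
CORP = ip_network("10.0.0.0/8")          # constructed "corporate subnet" (SecureNet)
VPN_POOL = ip_network("172.16.0.0/12")   # constructed RFC 1918 range excluded from the secure subnets
INFRA = (ip_network("10.0.0.10/32"), ip_network("10.0.0.11/32"))  # constructed DNS / DC addresses

@dataclass(frozen=True)
class Filter:
    # A traffic pattern as seen from the local host: local/remote address, protocol, port.
    local: IPv4Network
    remote: IPv4Network
    protocol: Optional[str] = None   # None matches any protocol
    port: Optional[int] = None       # None matches any port
    def matches(self, local_ip, remote_ip, protocol, port):
        return (ip_address(local_ip) in self.local and ip_address(remote_ip) in self.remote
                and self.protocol in (None, protocol) and self.port in (None, port))
    def specificity(self):
        # Overlapping filters resolve most-specific-first: longer address prefixes, then protocol,
        # then port. So a /32 Permit for a DNS server beats the /8 Negotiate rule, and an
        # ICMP-only filter beats an any-protocol filter on the same subnet (model assumption).
        return (self.local.prefixlen + self.remote.prefixlen,
                self.protocol is not None, self.port is not None)

@dataclass(frozen=True)
class Rule:
    name: str
    filters: tuple    # the rule's filter list
    action: str       # "Permit", "Block" or "Negotiate Security"

POLICY = (
    Rule("Permit infrastructure servers", tuple(Filter(ANY, n) for n in INFRA), "Permit"),
    Rule("Permit ICMP", (Filter(ANY, CORP, protocol="ICMP"),), "Permit"),
    Rule("Permit excluded VPN pool", (Filter(ANY, VPN_POOL),), "Permit"),
    Rule("Secure corporate subnet", (Filter(ANY, CORP),), "Negotiate Security"),  # "Any Corporate subnet"
)

def decide(policy, local_ip, remote_ip, protocol, port=None):
    """Return the action the policy applies to one packet seen from the local host."""
    hits = [(f.specificity(), r.action) for r in policy for f in r.filters
            if f.matches(local_ip, remote_ip, protocol, port)]
    # No matching filter and no Default Response rule: the packet goes out in the clear.
    return max(hits)[1] if hits else "Permit"

def lint(policy):
    """Name rules whose filter list holds an 'Any Any' filter, which the Best Practices slide warns against."""
    return [r.name for r in policy for f in r.filters
            if f.local == ANY and f.remote == ANY and f.protocol is None]
```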

Best Practices
● Deployment options
  ● Deploy by subnet
  ● Deploy by security group
  ● Deploy by domain

Best Practices
● Recommended deployment steps
  ● Pilot Request Mode IPsec
  ● Deploy Request Mode IPsec
  ● Pilot Secure Request IPsec policy
  ● Deploy Secure Request IPsec policy

Best Practices
● Non-domain-joined clients
  ● Use Kerberos exclusively for an IPsec deployment
  ● Carefully evaluate the need to create exceptions to global IPsec policies
● IPsec and NLB
  ● Consider exempting business-critical services that require high availability

Conclusion
● Phase 1: deployment of IPsec to >160,000 computers
● Phase 2: deployment of Secure Request mode across the enterprise (208,000 computers)
● Minimal impact on Helpdesk
● Less exposure to worms and attackers
● Project is now in review/maintenance

For More Information
● Additional content on Microsoft IT deployments and best practices can be found on:
  ● Microsoft TechNet
  ● Microsoft Services
  ● IT Showcase

This document is provided for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2004 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.