Published by Eleanore Booth, modified over 9 years ago
1
Network Isolation Using Group Policy and IPSec
Paula Kiernan, Senior Consultant, Ward Solutions
2
Session Prerequisites (Level 300)
- Hands-on experience with Windows 2000 or Windows Server 2003
- Familiarity with Active Directory and Group Policy
- Knowledge of Windows system security concepts
- Working knowledge of TCP/IP concepts
- An understanding of the basics of Internet Protocol Security (IPSec)
3
Session Overview
- Overview of Internet Protocol Security
- Understanding Network Isolation Using IPSec
- Understanding Advanced Network Isolation Scenarios
4
Overview of Internet Protocol Security
- Overview of Internet Protocol Security (this section)
- Understanding Network Isolation Using IPSec
- Understanding Advanced Network Isolation Scenarios
5
Securing Network Communication: What Are the Challenges?
Challenges to securing network communication include:
- Preventing data modification while in transit
- Preventing data from being read and interpreted while in transit
- Keeping data secure from unauthorized users
- Keeping data from being captured and replayed
6
What Is Internet Protocol Security?
IPSec: A framework of open standards to ensure private, secure communications over IP networks through the use of cryptographic security services
IPSec provides the following benefits:
- Transparent to users and applications
- Provides restricted access to servers
- Customizable security configuration
- Centralized IPSec policy administration through Active Directory
7
Identifying IPSec Scenarios
IPSec can be deployed in two modes:
- Transport mode: used to protect host-to-host communications
- Tunnel mode: used to protect traffic between a host and a network or between two networks
8
Understanding Transport Mode Scenarios
- End-to-End Host Security
- Server Isolation
9
Understanding Tunnel Mode
Figure: Site-to-Site VPN. A Windows XP client at Site A reaches an FTP server at Site B through an IPSec tunnel between the IPSec gateway at each site.
10
How Does IPSec Secure Traffic?
Figure: two hosts, each with a TCP layer and an IPSec driver, exchanging encrypted IP packets.
Step 1: IPSec policy is delivered to each host (from Active Directory)
Step 2: Internet Key Exchange (IKE) negotiation between the two hosts
Step 3: Encrypted IP packets flow between the IPSec drivers
11
Creating IPSec Security Policies
An IP security policy is built from the following components:
- IP security policy: contains one or more rules
- Rules: each rule pairs an IP filter list with a filter action
- IP filter lists: contain IP filters that describe the traffic to match
- Filter actions: define what happens to matched traffic (permit, block, or negotiate security)
Policies can be assigned to domains, sites, and organizational units
12
Demonstration 1: Configuring and Assigning IP Security Policies
- Configure and assign an IP Security policy
13
Understanding Network Isolation Using IPSec
- Overview of Internet Protocol Security
- Understanding Network Isolation Using IPSec (this section)
- Understanding Advanced Network Isolation Scenarios
14
What Is Network Isolation?
Network isolation: The ability to allow or deny certain types of network access between computers that have direct Internet Protocol connectivity between them
Benefits of introducing a logical data isolation defense layer include:
- Additional security
- Control of who can access specific information
- Control of computer management
- Protection against malware attacks
- A mechanism to encrypt network data
15
Identifying Trusted Computers
- Trusted computer: A managed device that is in a known state and meets minimum security requirements
- Untrusted computer: A device that may not meet the minimum security requirements, mainly because it is unmanaged or not centrally controlled
16
Goals That Are Achievable Using Network Isolation
The following goals can be achieved by using network isolation:
- Isolate trusted domain member computers from untrusted devices at the network level
- Help to ensure that a device meets the security requirements required to access a trusted asset
- Allow trusted domain members to restrict inbound network access to a specific group of domain member computers
- Focus and prioritize proactive monitoring and compliance efforts
- Focus security efforts on the few trusted assets that require access from untrusted devices
- Focus and accelerate remediation and recovery efforts
17
Risks That Cannot Be Mitigated Using Isolation
Risks that will not be directly mitigated by network isolation include:
- Trusted users disclosing sensitive data
- Compromise of trusted user credentials
- Untrusted computers accessing other untrusted computers
- Trusted users misusing or abusing their trusted status
- Lack of security compliance of trusted devices
- Compromised trusted computers accessing other trusted computers
18
How Does Network Isolation Fit into Network Security?
Figure: the defense-in-depth layers, with Logical Data Isolation added as a layer:
- Policies, procedures, and awareness
- Physical security
- Perimeter
- Internal network
- Host
- Application
- Data
- Logical Data Isolation
19
How Can Network Isolation Be Achieved?
Components of the network isolation solution include:
- Trusted hosts: computers that meet the organization's minimum security requirements
- Host authentication: the use of IPSec to provide host authentication and data encryption
- Host authorization: verification of security group memberships within the local security policy and the access control lists of the resource
20
Controlling Computer Access Using Network Access Groups and IPSec
Figure (logical data isolation): Group Policy delivers the IPSec policy to the computers; the Dept_Computers NAG defines the host access permissions (computer access permissions enforced by IPSec); share and access permissions are then checked on the resource.
Step 1: User attempts to access share on server
Step 2: IKE main mode negotiation
Step 3: IPSec security method negotiation
21
Controlling Host Access Using Network Access Groups
Figure (logical data isolation): as on the previous slide, with a Dept_Users NAG added alongside the Dept_Computers NAG, so that both host access permissions and share and access permissions are checked.
Step 1: User attempts to access share on server
Step 2: IKE main mode negotiation
Step 3: IPSec security method negotiation
Step 4: User host access permissions checked
Step 5: Share and access permissions checked
22
Demonstration 2: Configuring and Implementing Network Access Groups
- Configure network access groups to enhance security
23
Understanding Advanced Network Isolation Scenarios
- Overview of Internet Protocol Security
- Examining Network Isolation Using IPSec
- Understanding Advanced Network Isolation Scenarios (this section)
24
Creating the Network Isolation Design
The network isolation design process involves:
- Designing the foundational groups
- Creating Exemption Lists
- Planning the computer and network access groups
- Creating additional isolation groups
- Traffic modeling
- Assigning the group and network access group memberships
25
Designing the Foundational Groups
- Untrusted Systems
- Isolation Domain
- Boundary Isolation Group
26
Creating Exemptions Lists
The following conditions might cause a host to be on the Exemptions List:
- The host is a computer that trusted hosts require access to, but it does not have a compatible IPSec implementation
- The host is used for an application that is adversely affected by the three-second fall back to clear delay or by IPSec encapsulation of application traffic
- The host has issues that impact its performance
- The host is a domain controller
27
Planning the Computer and Network Access Groups
Computer groups:
- Used to contain members of a specific isolation group
- Assigned to Group Policy Objects to implement various security settings
Network access groups:
- Can be one of two types, Allow or Deny
- Assigned to Group Policy to control Allow or Deny access to a computer
28
Creating Additional Isolation Groups
Reasons to create additional isolation groups include:
- Encryption requirements
- Alternative outgoing or incoming network traffic requirements
- Limited computer or user access required at the network level
Figure: the resulting isolation groups are Untrusted Systems, Isolation Domain, Boundary Isolation Group, Encryption Isolation Group, and No Fallback Isolation Group.
29
Understanding Traffic Modeling
Figure: the traffic flows (numbered 1 to 7 in the diagram) among trusted devices in the isolation domain, the boundary group, untrusted systems, and hosts on the Exemptions Lists; each flow is either IPSec-protected or plaintext / fall back to clear.
30
Assigning Computer Group and Network Access Group Memberships
The final tasks of designing isolation groups include assigning:
- Computer group membership: place each computer into one group based on its communication requirements
- NAG membership: place the users and computers that require granular permissions into each previously identified NAG
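The policy hierarchy from "Creating IPSec Security Policies" (policy, rules, filter lists with filters, filter actions) and the isolation groups from "Creating Additional Isolation Groups", as an added netsh ipsec static script that is not part of the presentation. It assumes the Windows XP / Server 2003 netsh ipsec syntax; the group names follow the deck, while the domain name and the 10.0.0.10 Exemptions List address are placeholders.

```batch
@echo off
rem Added example (not from the presentation): one IPSec policy per isolation group, built
rem from the netsh ipsec static hierarchy: policy, rules, filter lists with filters, filter actions.
rem Group names follow the deck; 10.0.0.10 is a placeholder domain controller address standing
rem in for an Exemptions List host, and example.com is a placeholder domain name.
rem To write the policies into Active Directory instead of the local store, run this first:
rem   netsh ipsec static set store location=domain domain=example.com

rem ---- Filter lists: which traffic a rule matches ----
netsh ipsec static add filterlist name="All IP Traffic"
netsh ipsec static add filter filterlist="All IP Traffic" srcaddr=me dstaddr=any protocol=ANY mirrored=yes
netsh ipsec static add filterlist name="Exemptions List"
netsh ipsec static add filter filterlist="Exemptions List" srcaddr=me dstaddr=10.0.0.10 protocol=ANY mirrored=yes

rem ---- Filter actions: what happens to matched traffic ----
rem Permit: Exemptions List hosts (for example domain controllers) are reached in plaintext.
netsh ipsec static add filteraction name="Permit Clear" action=permit
rem Isolation Domain: inbound must be IPSec (inpass=no); outbound may fall back to clear after the
rem three-second delay (soft=yes), so trusted hosts can still reach untrusted or exempt systems.
netsh ipsec static add filteraction name="Negotiate Fallback" action=negotiate inpass=no soft=yes qmsecmethods="ESP[None,SHA1]:100000k/3600s"
rem Boundary Isolation Group: as above, but also accept unsecured inbound (inpass=yes) so
rem untrusted systems can reach these few servers while trusted hosts still negotiate IPSec.
netsh ipsec static add filteraction name="Negotiate Boundary" action=negotiate inpass=yes soft=yes qmsecmethods="ESP[None,SHA1]:100000k/3600s"
rem No Fallback Isolation Group: never fall back to clear (soft=no).
netsh ipsec static add filteraction name="Negotiate Only" action=negotiate inpass=no soft=no qmsecmethods="ESP[None,SHA1]:100000k/3600s"
rem Encryption Isolation Group: ESP with 3DES, so data is encrypted rather than only integrity-protected.
netsh ipsec static add filteraction name="Encrypt Only" action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]:100000k/3600s"

rem ---- Policies and rules: kerberos=yes authenticates the computer account, i.e. the trusted host.
rem The more specific Exemptions List filter wins over the "any" filter, so exempt hosts stay in clear.
netsh ipsec static add policy name="Isolation Domain" description="Trusted domain members"
netsh ipsec static add rule name="Secure All Traffic" policy="Isolation Domain" filterlist="All IP Traffic" filteraction="Negotiate Fallback" kerberos=yes
netsh ipsec static add rule name="Exempt Hosts" policy="Isolation Domain" filterlist="Exemptions List" filteraction="Permit Clear"
netsh ipsec static add policy name="Boundary Isolation Group" description="Trusted servers reachable from untrusted systems"
netsh ipsec static add rule name="Secure All Traffic" policy="Boundary Isolation Group" filterlist="All IP Traffic" filteraction="Negotiate Boundary" kerberos=yes
netsh ipsec static add rule name="Exempt Hosts" policy="Boundary Isolation Group" filterlist="Exemptions List" filteraction="Permit Clear"
netsh ipsec static add policy name="No Fallback Isolation Group" description="Trusted hosts that never fall back to clear"
netsh ipsec static add rule name="Secure All Traffic" policy="No Fallback Isolation Group" filterlist="All IP Traffic" filteraction="Negotiate Only" kerberos=yes
netsh ipsec static add rule name="Exempt Hosts" policy="No Fallback Isolation Group" filterlist="Exemptions List" filteraction="Permit Clear"
netsh ipsec static add policy name="Encryption Isolation Group" description="Trusted hosts that require encrypted traffic"
netsh ipsec static add rule name="Secure All Traffic" policy="Encryption Isolation Group" filterlist="All IP Traffic" filteraction="Encrypt Only" kerberos=yes
netsh ipsec static add rule name="Exempt Hosts" policy="Encryption Isolation Group" filterlist="Exemptions List" filteraction="Permit Clear"

rem Only one policy can be assigned per computer. Locally, assign it with the line below; in the
rem domain store, assign each policy in the GPO linked to the OU of the matching computer group.
netsh ipsec static set policy name="Isolation Domain" assign=y
```

Check the result on a member of the Isolation Domain with "netsh ipsec dynamic show all" or the IP Security Monitor snap-in: peers in the same group should show negotiated security associations, while traffic to the exempt host stays in clear.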
31
Demonstration 3: Implementing Isolation Groups
- Implement and deploy Isolation Groups using computer security groups
32
Network Isolation: Additional Considerations
Additional considerations include:
- The maximum number of concurrent connections by unique hosts to servers using IPSec
- The maximum token size limitation for hosts using IPSec
33
Understanding Predeployment Considerations
Before deploying a network isolation solution, consider the following:
- Overused devices
- Incompatible devices
- IP addressing
- Client/server participation
- Services that must be isolated
- Network load balancing and clustering
34
Session Summary
- Deploy IPSec to provide authentication and encryption
- Use a combination of IPSec, security groups, and Group Policy for logical data isolation
- Use the Boundary zone as a starting point when deploying isolation groups using IPSec
- Implement additional groups to isolate resources or provide functionality as required
35
Next Steps
- Find additional security training events: http://www.microsoft.com/ireland/security/training.asp
- Sign up for security communications: http://www.microsoft.com/technet/security/signup/default.mspx
- Get additional security tools and content: http://www.microsoft.com/security/guidance/default.mspx
- Find additional e-learning clinics: https://www.microsoftelearning.com/security
36
Questions and Answers
37
Contact Details
Paula Kiernan, Ward Solutions
paula.kiernan@ward.ie
www.ward.ie