1
Implementing Network Security
20687B 6: Implementing Network Security
Module 6: Implementing Network Security
Presentation: 70 minutes
Lab: 50 minutes

After completing this module, students will be able to:
- Describe the threats to network security.
- Explain how to configure Windows® Firewall.
- Explain how to secure network traffic.
- Explain how to configure Windows Defender.

Required materials
To teach this module, you need the Microsoft® Office PowerPoint® file 20687B_06.pptx.
Important: We recommend that you use PowerPoint 2007 or a newer version to display the slides for this course. If you use PowerPoint Viewer or an earlier version, all the features of the slides might not display correctly.

Preparation tasks
To prepare for this module:
- Read all of the materials for this module.
- Practice performing the demonstrations.
- Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on-the-job performance.
2
Module Overview
- Overview of Threats to Network Security
- Configuring Windows Firewall
- Securing Network Traffic
- Configuring Windows Defender
3
Lesson 1: Overview of Threats to Network Security
Topics:
- Common Network Security Threats
- What Is Defense-in-Depth?
- Options for Mitigation of Network Security Threats
4
Common Network Security Threats
There are a variety of network security threats, but they fall into a number of categories. Common network-based security threats include:
- Eavesdropping
- Denial-of-service
- Port scanning
- Man-in-the-middle

Hacking is a generic term that refers to the act of trying to crack a computer program or code.

Discuss the various types of attacks. Emphasize that once an attacker can perform one type of attack, it is quite likely to lead to another, more formidable attack.
5
What Is Defense-in-Depth?
Defense-in-depth uses a layered approach to security, which:
- Reduces an attacker's chance of success
- Increases an attacker's risk of detection

Layers of the defense-in-depth model, with the example controls shown on the slide:
- Policies, Procedures, and Awareness: Security documents, user education
- Physical Security: Guards, locks, tracking devices
- Perimeter: Firewalls, Network Access Quarantine Control
- Internal Network: Network segments, Internet Protocol Security, Network Intrusion Detection System
- Host: Hardening, authentication, update management, host-based intrusion detection system
- Application: Application hardening, antivirus
- Data: Access Control Lists, encryption, Encrypting File System, Digital Rights Management

Briefly describe each layer of the defense-in-depth model. Explain that later topics will go into detail on how to increase security for each of these layers. The key point is that creating multiple layers of security is inherently safer than focusing on a single layer. When discussing the Application layer, discuss examples of advanced persistent threats, possibly recent threats.

Additional Reading: At the time this course was written, Operation Aurora would have been an interesting discussion.
6
Options for Mitigation of Network Security Threats
It is important to implement a holistic approach to network security, to ensure that one loophole or omission does not result in another.

Attack and its mitigations:
- Eavesdropping: IPsec, VPNs, intrusion detection
- Denial-of-service: Firewalls, perimeter networks, IPsec, server hardening
- Port scanning: Server hardening, firewalls
- Man-in-the-middle: IPsec, DNSSEC
- Virus, malicious code: Software updates

Briefly review the general concepts behind the mitigation methods shown.
7
Lesson 2: Configuring Windows Firewall
Topics:
- Network Location Profiles
- Configuring Basic Firewall Settings
- Windows Firewall with Advanced Security Settings
- Well-Known Ports
- Demonstration: Configuring Inbound and Outbound Rules
8
Network Location Profiles
The first time that your server connects to a network, you must select a network location. There are three network location types:
- Private networks
- Public networks
- Domain networks

If possible, reconfigure your virtual machine so that it connects to a new network. Show the students the profile option for network location.
9
Configuring Basic Firewall Settings
Slide items:
- Configure network locations
- Turn Windows Firewall on or off, and customize network location settings
- Add, change, or remove allowed programs
- Set up or modify multiple active profile settings
- Configure notifications for Windows Firewall

Windows® 8 centralizes management of Windows Firewall information in Control Panel. Choose network locations to set appropriate firewall and security settings automatically for specific networks. When users connect to networks in different locations, choosing a network location helps to ensure that the computer is always set to an appropriate security level.

Click through the slide to practice building it. Screenshots appear after each item. Towards the end, the two notification areas are included. At the end, all items show again for review.

Talk about the different network location types. Show where you can modify the firewall settings for each type of network location from the main Windows Firewall page: click Turn Windows Firewall on or off, select the network location, and then make your selection.

Talk about firewall exceptions, and continue to build on the door and lock scenario from the previous topic. When you add a program to the list of allowed programs or open a firewall port, you are allowing that program to send information to or from the computer. This action is like unlocking a door in the firewall. Each time the door opens, the computer becomes less secure. Show where you can set exceptions: click Allow an app or feature through Windows Firewall in the left pane of the Windows Firewall page, and then click Change.

Describe this real-life scenario for situations where you want to allow an exception: viewing performance counters from a remote computer. Show how you must enable the Performance Logs and Alerts firewall exception on the remote computer.

Share the information that in Windows 8, multiple active firewall profiles enable IT professionals to maintain a single set of rules for remote clients and for clients that connect physically to their corporate network.

To set up or modify network location profile settings, click Change advanced sharing settings in the left pane of the Network and Sharing Center. Show the areas where notifications are available: in the All Control Panel Items area of Control Panel, click Action Center, and then click the Change Action Center settings link.
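The same profile, exception and notification settings, as an added Windows PowerShell example that is not part of the course materials. It assumes an elevated session with the NetSecurity and NetConnection modules (Windows 8 or later) and an interface named Ethernet; adjust -InterfaceAlias to match your machine.

```powershell
# Added example (not from the course): manage network locations and the
# per-location firewall settings that the Control Panel pages expose.
# Assumption: the NIC is called "Ethernet"; run from an elevated session.

# 1. Which location did each interface get? NetworkCategory is Public,
#    Private or DomainAuthenticated (the slide's Public/Private/Domain).
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, Name, NetworkCategory

# 2. Correct a trusted network that was classified as Public. Only Public and
#    Private can be set by hand; DomainAuthenticated is assigned automatically
#    when a domain controller is reachable.
Set-NetConnectionProfile -InterfaceAlias 'Ethernet' -NetworkCategory Private

# 3. "Turn Windows Firewall on or off" and "Configure notifications", per
#    location. Public gets the strictest settings and logs dropped packets.
Set-NetFirewallProfile -Profile Domain, Private -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -NotifyOnListen True
Set-NetFirewallProfile -Profile Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -NotifyOnListen True -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 4. The slide's exception scenario: to read performance counters from a
#    remote computer, the *remote* computer must allow the predefined
#    "Performance Logs and Alerts" group. Each enabled rule is another open
#    door, so restrict it to the Domain profile rather than all profiles.
Get-NetFirewallRule -DisplayGroup 'Performance Logs and Alerts' |
    Set-NetFirewallRule -Enabled True -Profile Domain

# 5. Confirm: the firewall should be on for every profile, and the exception
#    should be enabled for Domain only.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, NotifyOnListen
Get-NetFirewallRule -DisplayGroup 'Performance Logs and Alerts' |
    Select-Object DisplayName, Enabled, Profile, Direction
```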
10
Windows Firewall with Advanced Security Settings
Windows Firewall with Advanced Security filters incoming and outgoing connections based on its configuration:
- Use inbound rules to explicitly allow or block traffic that matches the rule's criteria.
- Use outbound rules to explicitly allow or deny traffic that originates from the computer and matches the rule's criteria.
- Use IPsec rules to secure traffic with IPsec while it crosses the network.
- Use the monitoring interface to view information about current firewall rules, IPsec rules, and security associations.
- Use the Properties page to configure firewall properties for domain, private, and public network profiles, and to configure IPsec settings.

As in previous releases, Windows 8 includes the Windows Firewall with Advanced Security feature, which enables rule management and gives you greater control and flexibility over Windows Firewall configuration.

Practice building this slide before you present. The items build on click, with an arrow pointing at each feature; discuss each feature before continuing to build the slide. The Monitoring section does not expand, because you will demonstrate it later in the module. The final page of this slide displays all the items in one list, without the screenshot.

Show that the Windows Firewall with Advanced Security snap-in is accessible in Control Panel from the Windows Firewall page, by clicking Advanced settings in the left pane. The snap-in provides an interface for configuring Windows Firewall locally, on remote computers, and by using Group Policy.

Open the Windows Firewall with Advanced Security Properties page, and show where you can configure firewall properties for domain, private, and public network profiles, and Internet Protocol security (IPsec) settings.

Use the screenshot on the slide to talk about each style of rule that you can create: inbound, outbound, and IPsec rules. Talk about the rule types that are available for each rule, and discuss the following scenarios:
- You want to create and manage tasks on a remote computer by using the Task Scheduler user interface. Before connecting to the remote computer, you must enable the Remote Scheduled Tasks Management firewall exception on the remote computer. You can do this by using the predefined rule type on an inbound rule.
- Alternatively, you may want to block all web traffic on the default TCP web server port, 80. In this scenario, you create an outbound port rule that blocks the port that you specify. The next topic discusses well-known ports, such as port 80.

Connection security rules secure traffic by using IPsec while it crosses the network. The monitoring interface displays information about current firewall rules, connection security rules, and security associations.
11
Well-Known Ports

When an application wants to establish communications with an application on a remote host, it creates a TCP or UDP socket.

TCP/IP protocol suite as shown on the slide:
- Application ports over TCP: HTTP (80), FTP (21), SMTP (25), DNS (53), POP3 (110), HTTPS (443)
- Application ports over UDP: DNS (53), SNMP (161)
- Transport: TCP, UDP
- Internet: IPv4, IPv6, ICMP, IGMP, ARP
- Link: Ethernet

Before you can configure either inbound or outbound firewall rules properly, you must understand how applications communicate on a TCP/IP network. On the slide, some of the well-known TCP ports are shown above the TCP bar. DNS uses both TCP port 53 and UDP port 53, and SNMP is shown above UDP. Explain that Internet Control Message Protocol (ICMP), Internet Group Management Protocol (IGMP), and Address Resolution Protocol (ARP) are in the IPv4 stack at the same level as TCP and UDP, and as such do not have associated ports. Mention that the IANA assigns port numbers, which range between 0 and 65,535 and fall into three ranges; well-known ports are in the 0 through 1,023 range. Ask students to help you with the well-known ports that common applications use.
12
Demonstration: Configuring Inbound and Outbound Rules
In this demonstration, you will see how to:
- Configure an inbound rule
- Test the inbound rule
- Configure an outbound rule
- Test the outbound rule

In this demonstration, you will see how to configure Windows Firewall advanced rules. Time permitting, show and discuss the additional tabs available on the inbound and outbound rules.

Preparation Steps
The following systems need to be running:
- 20687B-LON-DC1
- 20687B-LON-CL1
- 20687B-LON-CL2

Demonstration Steps

Test remote desktop connectivity
1. Sign in to the LON-CL2 virtual machine as Adatum\Administrator with the password Pa$$w0rd.
2. On the Start screen, type r.
3. In the Apps search screen, click Remote Desktop Connection.
4. In the Computer field, type LON-CL1, and then press Enter.
5. Sign in to LON-CL1 as Adatum\Administrator with the course password.
6. Open the Start screen on LON-CL1, click Administrator, and then click Sign out.

Configure an inbound rule
1. Sign in to the LON-CL1 virtual machine as Adatum\Administrator with the password Pa$$w0rd.
2. On the Start screen, click the Desktop tile.
3. Open the Settings charm, and then click Control Panel.
4. Click System and Security, and then click Windows Firewall.
5. In the left pane, click Advanced settings.
6. Click Inbound Rules.
(More notes on the next slide)
13
7. Click Remote Desktop – User Mode (TCP-In), and then click Disable Rule in the Actions pane.
8. Click Remote Desktop – User Mode (UDP-In), and then click Disable Rule in the Actions pane.
9. Minimize the Windows Firewall with Advanced Security window.

Test the inbound rule
1. Switch to LON-CL2.
2. Open the Start screen, and then type r.
3. In the Apps search screen, click Remote Desktop Connection.
4. In the Computer field, type LON-CL1, and then press Enter.
5. Sign in to LON-CL1 as Adatum\Administrator with the course password.
6. Verify that the connection attempt fails.

Test outbound remote desktop connectivity
1. Switch to LON-DC1.
2. On the Start screen, click Control Panel.
3. Click System and Security, and then click Allow an app through Windows Firewall.
4. Select the Remote Desktop check box, select the Domain check box, and then click OK.
5. Close the open windows.
6. Switch to LON-CL1.
7. On the Start screen, type r.
8. In the Apps search screen, click Remote Desktop Connection.
9. In the Computer field, type LON-DC1, and then press Enter.
10. Sign in to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.
11. Open the Start screen on LON-DC1, click Administrator, and then click Sign out.
(More notes on the next slide)
14
Configure an outbound rule
1. On LON-CL1, on the taskbar, click the Windows Firewall with Advanced Security window.
2. Click Outbound Rules.
3. In the Actions pane, click New Rule.
4. On the Rule Type page, verify that you are creating a Program rule, and then click Next.
5. On the Program page, browse to and select C:\Windows\System32\mstsc.exe, click Open, and then click Next.
6. On the Action page, verify that the action is Block the connection, and then click Next.
7. On the Profile page, verify that all profiles are selected, and then click Next.
8. On the Name page, type Block Outbound RDP to LON-DC1 in the Name field, and then click Finish.
9. In the Windows Firewall with Advanced Security window, click the Block Outbound RDP to LON-DC1 rule, and then in the Actions pane, click Properties.
10. Click the Scope tab, and then under Remote IP address, select These IP addresses.
11. Under Remote IP address, click Add, and then in the This IP address or subnet field, type the IP address of LON-DC1, and then click OK.
12. In the Block Outbound RDP to LON-DC1 Properties dialog box, click OK.

Test outbound remote desktop connectivity
1. Open the Start screen, and then type r.
2. In the Apps search screen, click Remote Desktop Connection.
3. In the Computer field, type LON-DC1, and then press Enter.
(More notes on the next slide)
15
4. In the Remote Desktop Connection dialog box, click OK.
5. In the Computer field, type LON-CL2, and then press Enter.
6. Click Cancel, and then close all open windows.
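The demonstration above (and Lab A that follows, which builds the same two rules) scripted with the NetSecurity cmdlets, as an added example that is not part of the course's demonstration steps. It assumes an elevated session on the machine named in each section, Test-NetConnection (Windows 8.1 / Server 2012 R2 or later) for the checks, and $DcAddress as a labelled placeholder for LON-DC1's IPv4 address, which the demo does not state.

```powershell
# Added example (not from the course): the demo's inbound/outbound RDP rule
# changes, done with cmdlets and verified without a manual sign-in.
# Assumption: $DcAddress is a placeholder; replace it with LON-DC1's address.

# --- On LON-CL1: disable the two predefined inbound Remote Desktop rules ---
Disable-NetFirewallRule -DisplayName 'Remote Desktop - User Mode (TCP-In)'
Disable-NetFirewallRule -DisplayName 'Remote Desktop - User Mode (UDP-In)'

# --- On LON-CL2: test the inbound rule. TcpTestSucceeded should now be False ---
Test-NetConnection -ComputerName LON-CL1 -Port 3389 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# --- On LON-DC1: "Allow an app through Windows Firewall" -> Remote Desktop,
#     Domain profile only (the two check boxes in the demo) ---
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Set-NetFirewallRule -Enabled True -Profile Domain

# --- On LON-CL1: outbound program rule blocking mstsc.exe, scoped to LON-DC1 ---
$DcAddress = '203.0.113.10'   # placeholder (TEST-NET-3), not the lab's real address
New-NetFirewallRule -DisplayName 'Block Outbound RDP to LON-DC1' `
    -Direction Outbound -Action Block `
    -Program 'C:\Windows\System32\mstsc.exe' `
    -RemoteAddress $DcAddress `
    -Profile Any -Enabled True

# Verify the scope the way the Properties > Scope tab shows it.
Get-NetFirewallRule -DisplayName 'Block Outbound RDP to LON-DC1' |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

# --- On LON-CL1: test the outbound rule. A *program* rule only blocks
#     mstsc.exe, so a raw TCP probe to 3389 on LON-DC1 still succeeds; that is
#     why the demo tests with the Remote Desktop Connection client itself.
#     LON-CL2 is outside the rule's scope, so mstsc still reaches it. ---
Test-NetConnection -ComputerName LON-DC1 -Port 3389 |
    Select-Object ComputerName, TcpTestSucceeded        # still True
Start-Process mstsc.exe -ArgumentList '/v:LON-DC1'   # expected: connection fails
Start-Process mstsc.exe -ArgumentList '/v:LON-CL2'   # expected: sign-in prompt

# Cleanup once the plan is validated (the lab scenario moves the rules to a GPO).
Remove-NetFirewallRule -DisplayName 'Block Outbound RDP to LON-DC1'
Enable-NetFirewallRule -DisplayName 'Remote Desktop - User Mode (*-In)'
```

If the port probe to LON-DC1 also needs to fail, replace the program rule with a port rule (-Protocol TCP -RemotePort 3389) scoped to the same address.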
16
Lab A: Configuring Inbound and Outbound Firewall Rules
Exercise 1: Creating an Inbound Firewall Rule
You must implement a firewall rule on LON-CL1. The rule must allow inbound RDP traffic.

Exercise 2: Creating an Outbound Firewall Rule
You must implement a firewall rule on LON-CL1 that blocks outbound Remote Desktop traffic.

Logon Information
Virtual Machines: 20687B-LON-DC1, 20687B-LON-CL1, 20687B-LON-CL2
User Name: Adatum\Administrator
Password: Pa$$w0rd
Estimated Time: 20 minutes
17
Lab Scenario

Remote Desktop is enabled on all client systems through a Group Policy Object (GPO). However, as part of your infrastructure security plan, you must configure certain desktop systems, such as the HR department systems, for limited exposure to remote connections. Before implementing the firewall rules in a GPO, you want to validate your plan by manually configuring the rules on local systems. Due to the sensitive nature of the data that could be on these systems, you decide to use firewall rules to prevent all but specific systems from connecting to them remotely. Additionally, certain helpdesk systems are not allowed to use the Remote Desktop Connection (MSTSC.exe) program to connect to certain servers. You decide to control this through local firewall rules that block outbound traffic on the client systems.
18
Lab Review

Question: In your environment, where do you use workstation-based firewalls?
Answer: Answers will vary based on students' experience, but one possible answer is on workstations with sensitive financial data.
19
Lesson 3: Securing Network Traffic
Topics:
- Benefits of IPsec
- Using IPsec
- Tools for Configuring IPsec
- What Are IPsec Rules?
- Configuring Authentication
- Choosing an Authentication Method
- Monitoring Connection Security
- Demonstration: Configuring an IPsec Rule
20
Benefits of IPsec

- IPsec is a suite of protocols that allows secure, encrypted communication between two computers over an unsecured network.
- IPsec has two goals: packet encryption and mutual authentication between systems.
- Configuring IPsec on sending and receiving computers enables the two computers to send secured data to each other.
- IPsec secures network traffic by using encryption and data signing.
- An IPsec policy defines the type of traffic that IPsec examines, how that traffic is secured and encrypted, and how IPsec peers are authenticated.

IPsec is a set of industry-standard, cryptography-based protection services and protocols. IPsec protects all protocols in the TCP/IP protocol suite except ARP, and it is a required part of IPv6. For virtual private network (VPN) connections, you use IPsec in conjunction with Layer Two Tunneling Protocol (L2TP).

The major benefit of IPsec is that it provides encryption for all protocols from Open Systems Interconnection (OSI) model layer 3 (the network layer) and higher, by:
- Providing mutual authentication before and during communications.
- Forcing both parties to identify themselves during the communication process.
- Helping to ensure confidentiality through IP traffic encryption and digital authentication of packets.

IPsec provides integrity for IP traffic by rejecting modified traffic. IPsec has two modes: Encapsulating Security Payload (ESP), which provides encryption by using one of several algorithms, and Authentication Header (AH), which signs the traffic but does not encrypt it. Both ESP and AH verify the integrity of all IP traffic. If a packet has been modified, the digital signature will not match, and IPsec discards the packet. ESP in tunnel mode encrypts the source and destination addresses as part of the payload. In tunnel mode, a new IP header is added to the packet, specifying the source and destination addresses of the tunnel endpoints.

IPsec provides protection from replay attacks. Both ESP and AH use sequence numbers, so any packets that a malicious user captures for later replay carry numbers that are out of sequence. Sequence numbers ensure that an attacker cannot reuse or replay captured data to establish a session or gain information illegally, and they also protect against attempts to intercept a message and then use the identical message to access resources illegally in the future.
21
Using IPsec

Recommended uses of IPsec include:
- Packet filtering
- Authenticating and encrypting host-to-host traffic
- Authenticating and encrypting traffic to specific servers
- Providing L2TP/IPsec for VPN connections
- Site-to-site tunneling
- Enforcing logical networks

Packet Filtering
IPsec provides limited firewall capabilities for end systems. You can permit or block inbound or outbound traffic by using IPsec with the network address translation (NAT)/Basic Firewall component of the Routing and Remote Access Service.

Securing Host-to-Host Traffic on Specific Paths
You can use IPsec to provide protection for traffic between servers or other static IP addresses or subnets. For example, IPsec can secure traffic between domain controllers in different sites, or between web servers and database servers.

Securing Traffic to Servers
You can require IPsec protection for all client computers that access a server. Additionally, you can set restrictions on which computers you will allow to connect to a server running Windows Server® 2003.

L2TP/IPsec for VPN Connections
You can use the combination of L2TP and IPsec (L2TP/IPsec) for all VPN scenarios. This does not require that you configure and deploy IPsec policies.

Site-to-Site (Gateway-to-Gateway) Tunneling
You can use IPsec in tunnel mode for site-to-site (gateway-to-gateway) tunnels when you need interoperability with third-party routers, gateways, or end systems that do not support L2TP/IPsec or Point-to-Point Tunneling Protocol (PPTP) connections.

Enforcing Logical Networks (Server/Domain Isolation)
A Server and Domain Isolation solution based on Microsoft Windows IPsec and the Active Directory® directory service enables administrators to segment their Windows environment dynamically into more secure and isolated logical networks based on policy, without making costly changes to their network infrastructure or applications.

With the Windows operating systems, you can isolate your domain and server resources logically to limit access to authenticated and authorized computers. For example, you can create a logical network consisting of computers that share a common security framework and a set of requirements for secure communication. A logical network is a group of network nodes that is independent of the physical network (More notes on the next slide)
22
topology. For example, with virtual local area network (VLAN) technology, you can create logical networks by grouping computers regardless of their physical connection to a set of switches. Each computer on the logically isolated network can prove its network membership by providing authentication credentials to the network's other computers. Requests for communication are ignored if they originate from computers that are not part of the isolated network. Isolating and logically grouping computers occurs at Layer 3 (the Network layer) of the Open Systems Interconnection (OSI) model. Therefore, the isolated network can span hubs, switches, and routers across the physical and geographical boundaries of your organization's network.

Note: Because IPsec depends on IP addresses for establishing secure connections, you cannot specify dynamic IP addresses. It is often necessary for a server to have a static IP address in IPsec policy filters. In large network deployments, and in some mobile user cases, using dynamic IP addresses at both ends of the connection can increase the complexity of IPsec policy design.

IPsec Uses That We Do Not Recommend
IPsec can reduce processing performance and increase network bandwidth consumption. Additionally, IPsec policies can be quite complex to configure and manage. Finally, using IPsec can introduce application compatibility issues. For these reasons, we do not recommend IPsec for the following uses:
- Securing communication between domain members and their domain controllers. We do not recommend that you use IPsec for this scenario because, in addition to reducing network performance, it greatly increases the complexity of the required IPsec policy configuration and management.
- Securing all network traffic in a network. In addition to reducing network performance, we do not recommend using IPsec for this scenario because:
  - IPsec cannot negotiate security for multicast and broadcast traffic.
  - Traffic from real-time communications, applications that require Internet Control Message Protocol (ICMP), and peer-to-peer applications might be incompatible with IPsec.
  - Network management functions that must inspect the TCP, User Datagram Protocol (UDP), and protocol headers are less effective or cannot function at all, due to IPsec encapsulation or encryption of IP payloads.
23
Tools for Configuring IPsec
To configure IPsec, you can use:
- Windows Firewall with Advanced Security MMC (also used for Windows Server 2008 R2 and Windows 7)
- IP Security Policy MMC (used for mixed environments and to configure policies that apply to all Windows versions)
- The Netsh command-line tool
- The Windows PowerShell NetSecurity module cmdlets

For the Windows Firewall with Advanced Security console: when the administrative tools are shown on the Start screen, open the Start screen, and then click Windows Firewall with Advanced Security. If the administrative tools are not shown on the Start screen, open Control Panel, open Administrative Tools, and then click Windows Firewall with Advanced Security.

For the IP Security Policy MMC: at the Start screen, type MMC, and then press Enter. In the MMC window, click File, and then click Add/Remove Snap-in. From the list of available snap-ins, select IP Security Policy Management, click Add, choose the target, and then click OK.

For Netsh: open an administrative command prompt. Use the netsh ipsec context to configure policies, and the netsh advfirewall context to display the configuration.

Additional Reading: For a comparison of Netsh and Windows PowerShell®, refer the students to the following site:

Note: Mention that IPsec policies provide backwards compatibility with Microsoft Windows XP® and Windows Server. It is far easier to implement domain isolation, for example, by using IPsec rules in Windows Firewall with Advanced Security. It is also worth mentioning that IPsec policies enable more accurate targeting than IPsec rules. For example, you can specify particular types of traffic to require authentication and encryption.
24
What Are IPsec Rules?

Connection security rules involve:
- Authenticating two computers before they begin communications
- Securing information being sent between two computers
- Using key exchange, authentication, data integrity, and (optionally) data encryption

Ensure that the students understand that when you create IPsec rules, a corresponding firewall rule must exist if the affected traffic is not allowed through by default. IPsec rules are applied between the computers comprising the two endpoints.

Note: Emphasize that you can configure firewall rules to allow or block traffic, but also to allow only authenticated traffic. In other words, you can use IPsec rules to authenticate traffic, and you can configure the firewall to allow only authenticated traffic. You might wish to demonstrate this.

Authentication: Defines the requirements for the way in which identities are verified before communications begin.
Key exchange: To enable secure communications, two computers must be able to derive the same shared key (session key) without sending the key across the network and compromising the secret. This exchange uses the Diffie-Hellman algorithm.

How firewall rules and connection security rules are related:
- Firewall rules allow traffic through, but do not secure that traffic.
- Connection security rules can secure the traffic, but depend on a firewall rule to allow traffic through the firewall.
25
Configuring Authentication
When you use the Connection Security Rule Wizard to create a new rule, you use the Requirements page to choose one of the following options:

- Request authentication for inbound and outbound connections: Ask that all inbound/outbound traffic be authenticated, but allow the connection if authentication fails.
- Require authentication for inbound connections and request authentication for outbound connections: Require that inbound traffic be authenticated or it will be blocked; outbound traffic can be authenticated, but will be allowed if authentication fails.
- Require authentication for inbound and outbound connections: Require that all inbound/outbound traffic be authenticated or the traffic will be blocked.

You typically use the Request Authentication option in low-security environments, or in an environment with computers that must be able to connect but cannot perform the types of authentication available with Windows Firewall with Advanced Security.

You use the Require Inbound and Request Outbound option most in IT environments in which the computers that must be able to connect can perform the authentication methods available with Windows Firewall with Advanced Security.

You typically use the Require Inbound and Outbound option in higher-security environments where you need to secure and control traffic flow, and in which the computers that must be able to connect can perform the authentication methods available with Windows Firewall with Advanced Security.
26
Choosing an Authentication Method
Method and key points:
- Default: Use the authentication method that you configure on the IPsec Settings tab.
- Computer and User (Kerberos V5): You can request or require that both the user and the computer authenticate before communications can continue. Requires domain membership.
- Computer (Kerberos V5): Request or require the computer to authenticate by using Kerberos v5. Requires domain membership.
- User (Kerberos V5): Request or require the user to authenticate by using Kerberos v5. Requires domain membership.
- Computer certificate: Request or require a valid computer certificate; requires at least one CA. Only accept health certificates: request or require a valid health certificate to authenticate; requires IPsec NAP.
- Advanced: Configure any available method. You can specify methods for first and second authentication.

Describe support for Authenticated IP (AuthIP). In earlier Windows versions, IPsec supported only the Internet Key Exchange (IKE) protocol for negotiating IPsec security associations (SAs). Windows® 7 and Windows Server 2008 R2 support the IKE extension known as AuthIP, which provides additional authentication capabilities, such as:
- Support for new credential types that are not available in IKE alone. These include:
  - Health certificates provided by a Health Registration Authority server that is part of a Network Access Protection (NAP) deployment.
  - User-based certificates.
  - Kerberos version 5 protocol user credentials.
  - Windows NTLM v2 user or computer credentials.
  Note: The above credential types are in addition to those that IKE supports, such as computer-based certificates, Kerberos credentials for the computer account, or simple preshared keys.
- Support for authentication by using multiple credentials. For example, you can configure IPsec to require that both computer and user credentials process successfully before traffic is allowed. This increases network security by reducing the chance of an untrusted user using a trusted computer.

Health certificates differ from regular computer certificates. Health certificates are dynamic in nature, and may or may not be present, depending on the client's current health state. If a client becomes noncompliant with the health policy, IPsec removes the certificate. Once the client meets the health requirement, IPsec puts the certificate in the certificate store, so that the client can use it for authentication in the unrestricted network.
27
Monitoring Connection Security
20687B Monitoring Connection Security 6: Implementing Network Security

Use the Connection Security Rules and Security Associations nodes to monitor IPsec connections.
Security associations that you can monitor include:
- Main Mode
- Quick Mode
The Windows Firewall in Windows 8 incorporates IPsec.

Options for using the IP Security Monitor:
- Modify the IPsec data refresh interval to update information in the console at a set interval.
- Allow DNS name resolution for IP addresses to provide additional information about computers connecting with IPsec.
- Computers can be monitored remotely: to enable remote management, the EnableRemoteMgmt value under the HKLM\system\currentcontrolset\services\policyagent key must be set to 1.
- To discover the active security policy on a computer, examine the Active Policy node in the IP Security Monitor MMC.
- Main Mode monitoring monitors the initial IKE negotiation and SA: information about the Internet Key Exchange.
- Quick Mode monitoring monitors subsequent key exchanges related to IPsec: information about the IPsec driver.

Options Related to the Monitoring Feature of Windows Firewall with Advanced Security
You can use this console to monitor security policies that you create in the Connection Security Rules node of Windows Firewall with Advanced Security. You cannot view policies that you create by using the IP Security Policy snap-in. These security options are for use with Windows 7, Windows 8, Windows Vista®, Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012. For older operating systems, such as Windows XP and Windows Server 2000, you must use the IP Security Monitor to monitor SAs and connections.

Monitoring Connection Security Rules
This node lists all of the enabled connection security rules, with detailed information about their settings. Connection security rules define which authentication, key exchange, data integrity, or encryption you can use to form an SA. The SA defines the security used to protect the communication from the sender to the recipient.

Monitoring Security Associations
This node lists all of the Main Mode and Quick Mode SAs, with detailed information about their settings and endpoints.
Main Mode: Main Mode statistics provide data about the total number of SAs created and invalid packet information.
Quick Mode: Quick Mode provides more detailed information about connections. If you are having issues with an IPsec connection, Quick Mode statistics can provide insight into the problem.

IP Security Monitor
Changing default settings such as Automatic Refresh and Domain Name System (DNS) Name Resolution
You can change the amount of time that elapses between IPsec data refreshes. You also can enable DNS name resolution for IP addresses that you are monitoring. There are some issues to consider when enabling DNS. It works only in the Specific Filters view of Quick Mode and in the Security Associations view for Quick Mode and Main Mode monitoring. There also is the possibility that you can affect server performance if many items in the view need name resolution. Finally, name resolution requires a proper PTR record in DNS. (More notes on the next slide)
28
20687B 6: Implementing Network Security

Adding a computer to be monitored
You can monitor computers remotely from a single console. For a remote system to accept a console connection, you must first modify a Registry value: setting the EnableRemoteMgmt Registry value to 1 prevents the "IPsec service is not running" error when attempting to manage a computer remotely. To disable this ability, set the EnableRemoteMgmt value under the HKLM\system\currentcontrolset\services\policyagent key to 0.

Describe how to obtain information about the policy that is active on the computer being monitored
In the Active Policy node of the IP Security Monitor MMC, you can get basic information about the current IP security policy. This is useful during troubleshooting, to enable you to understand which policy IPsec is applying to the server. Information such as the policy location, and when it was last modified, provides key details when validating which policy currently is in place. You also can use the following Windows PowerShell cmdlet to identify installed policies: Show-NetIPsecRule -PolicyStore ActiveStore

Describe the difference related to Main Mode and Quick Mode monitoring
Main Mode: Internet Key Exchange (IKE) Main Mode is the initial SA that is established between two computers. This negotiates a set of cryptographic protection suites between both hosts. This initial SA allows the Quick Mode key exchange to occur in a protected environment. The Main Mode session also is known as the Internet Security Association and Key Management Protocol (ISAKMP) SA. Main Mode establishes the secure environment to further exchange keys as necessary for the IPsec policy.
Quick Mode: Quick Mode IKE depends on the successful establishment of Main Mode. Quick Mode IKE also is known as Phase 2 IKE. This process establishes keys based on the information that the policy specifies. Quick Mode also establishes SAs, known as IPsec SAs. Quick Mode establishes secure transmission channels for the actual application IP data, which the policy specifies.
29
Demonstration: Configuring an IPsec Rule
20687B Demonstration: Configuring an IPsec Rule 6: Implementing Network Security
In this demonstration, you will see how to:
- Create a connection security rule
- Review monitoring settings in Windows Firewall

Remind the students that at the end of the last demonstration LON-CL2 could ping LON-CL1. Time permitting, display the LON-CL1 and LON-CL2 windows side-by-side. On LON-CL1, open an Administrator: Windows PowerShell window, run the Get-NetIPsecRule cmdlet, and show that the rule created in the UI is identical to the rule created with Windows PowerShell.

Preparation Steps
You need to complete the previous demonstration, and LON-CL2 must be able to ping LON-CL1. The following systems need to be running:
- 20687B-LON-DC1
- 20687B-LON-CL1
- 20687B-LON-CL2

Demonstration Steps
Create a connection rule
1. In the Host system, click the 20687B-LON-CL1 window.
2. Open the Settings charm, and then click Control Panel.
3. Click System and Security, and then click Windows Firewall.
4. In the left pane, click Advanced settings.
5. Click Connection Security Rules.
6. In the Actions pane, click New Rule.
7. On the Rule Type page, verify Isolation is selected, and then click Next.
8. On the Requirements page, select Require authentication for inbound and request authentication for outbound connections, and then click Next.
(More notes on the next slide)
30
20687B 6: Implementing Network Security
9. On the Authentication Method page, select Computer and user (Kerberos V5), and then click Next.
10. On the Profile page, click Next.
11. On the Name page, in the Name text box, type Authenticate all inbound connections, and then click Finish.
12. Close the Windows Firewall with Advanced Security window.
Test connectivity between LON-CL2 and LON-CL1
1. In the host system, click the 20687B-LON-CL2 window.
2. At the command prompt, type ping LON-CL1, and then press Enter.
3. Verify that the ping generated four Request timed out messages.
4. Close the Command Prompt.
Create a connection rule by using Windows PowerShell
1. Open the Start screen, and then type p.
2. Right-click Windows PowerShell, and then click Run as Administrator.
3. In the Administrator: Windows PowerShell window, type the following on one line, and then press Enter:
   New-NetIPsecRule -DisplayName "Authenticate all inbound connections" -InboundSecurity Require -OutboundSecurity Request -Phase1AuthSet ComputerKerberos -Phase2AuthSet UserKerberos
4. In the Administrator: Windows PowerShell window, type ping LON-CL1, and then press Enter.
5. Verify that the ping generated four Reply from : bytes=32 time=xms TTL=128 messages (your times may vary).
(More notes on the next slide)
31
20687B 6: Implementing Network Security
Review monitoring settings in Windows Firewall
1. Open the Settings charm, and then click Control Panel.
2. Click System and Security, and then click Windows Firewall.
3. In the left pane, click Advanced settings.
4. In the left pane, expand Monitoring, and then expand Security Associations.
5. Click Main Mode, and examine the information in the center pane.
6. Click Quick Mode, and examine the information in the center pane.
7. Close all open windows.
Examine the security associations on LON-CL1 by using Windows PowerShell
1. In the Host system, click the 20687B-LON-CL1 window.
2. Open the Start screen, and then type p.
3. Right-click Windows PowerShell, and then click Run as Administrator.
4. To examine the Main Mode security associations, run the following cmdlet: Get-NetIPsecMainModeSA
5. To examine the Quick Mode security associations, run the following cmdlet: Get-NetIPsecQuickModeSA
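The following script, an added example that is not part of the course materials, performs the Windows PowerShell half of this demonstration together with the checks from the Monitoring Connection Security topic: it creates the isolation rule only if it is missing, confirms it in the ActiveStore, enables remote IPsec monitoring through the EnableRemoteMgmt value, generates traffic to the peer, and then inspects the resulting Main Mode and Quick Mode SAs. It assumes the NetSecurity module, an elevated Windows PowerShell window on LON-CL2, and the LON-CL1 peer from the demonstration; $RuleName, $Peer and the final second-identity check are this example's own.

```powershell
# Added example (not from the course). Run in an elevated Windows PowerShell
# window on LON-CL2; the NetSecurity module ships with Windows 8 / Server 2012.
param(
    [string]$RuleName = 'Authenticate all inbound connections',  # name used in the demo
    [string]$Peer     = 'LON-CL1'                                 # peer from the demo
)
Import-Module NetSecurity

# 1. Create the isolation rule from the demonstration, but only once, so the
#    script can be re-run without leaving duplicate rules behind.
if (-not (Get-NetIPsecRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetIPsecRule -DisplayName $RuleName `
        -InboundSecurity Require -OutboundSecurity Request `
        -Phase1AuthSet ComputerKerberos -Phase2AuthSet UserKerberos | Out-Null
}

# 2. Confirm the rule is in effect. ActiveStore is the merged view of local
#    policy and Group Policy, which is what the IPsec driver actually enforces.
Show-NetIPsecRule -PolicyStore ActiveStore |
    Where-Object { $_.DisplayName -eq $RuleName } |
    Format-List DisplayName, Enabled, InboundSecurity, OutboundSecurity

# 3. Allow a remote console to read this computer's IPsec state (the
#    EnableRemoteMgmt value from the monitoring slide; set it to 0 to revoke).
$policyAgent = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
Set-ItemProperty -Path $policyAgent -Name EnableRemoteMgmt -Value 1 -Type DWord

# 4. Generate traffic to the peer so that Main Mode and Quick Mode SAs are
#    negotiated; the replies themselves are not needed here.
Test-Connection -ComputerName $Peer -Count 4 -ErrorAction SilentlyContinue | Out-Null

# 5. Inspect the SAs. Main Mode shows which identities authenticated and the
#    negotiated suite; Quick Mode holds the per-traffic IPsec SAs.
$mainMode  = @(Get-NetIPsecMainModeSA)
$quickMode = @(Get-NetIPsecQuickModeSA)
'Main Mode SAs: {0}, Quick Mode SAs: {1}' -f $mainMode.Count, $quickMode.Count
$mainMode | Select-Object LocalEndpoint, RemoteEndpoint, LocalFirstId, RemoteFirstId,
                          LocalSecondId, RemoteSecondId, KeyModule, *Algorithm

# 6. Sanity check (this example's own interpretation): the rule requires both
#    computer and user authentication, so each Main Mode SA should carry a
#    second (user) identity. An empty RemoteSecondId means only computer
#    credentials were negotiated, for example because the peer used IKE, which
#    has no second authentication, and is worth investigating.
foreach ($sa in $mainMode) {
    if ([string]::IsNullOrEmpty($sa.RemoteSecondId)) {
        Write-Warning ('SA with {0} has no user-level identity (KeyModule={1})' -f
                       $sa.RemoteEndpoint, $sa.KeyModule)
    }
}
```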
32
Lab B: Configuring IPsec Rules
6: Implementing Network Security
Exercise 1: Creating and Configuring IPsec Rules
You have decided to test using secured connections between computers on sensitive segments of your network.
Logon Information
Virtual Machines: B-LON-DC1, 20687B-LON-CL1, 20687B-LON-CL2
User Name: Adatum\Administrator
Password: Pa$$w0rd
Estimated Time: 20 minutes
33
20687B Lab Scenario 6: Implementing Network Security
A. Datum uses many outside consultants. The enterprise’s management is concerned that if a consultant were on the company network, they might be able to connect to unauthorized computers.
34
20687B Lab Review 6: Implementing Network Security
Question: In your environment, where do you use authenticated connections between workstation computers?
Answer: Answers will vary based on students’ experience, although one possible answer is when computers are on a segment that nonemployees can access.
35
Lesson 4: Configuring Windows Defender
20687B Lesson 4: Configuring Windows Defender 6: Implementing Network Security Demonstration: Configuring Windows Defender Settings
36
What Is Windows Defender?
Windows Defender is software that helps protect the computer against security threats by detecting and removing known spyware from the computer.

20687B What Is Windows Defender? 6: Implementing Network Security
Windows Defender helps users detect and remove known spyware and other software that users typically do not want, including malware.

Explain the purpose and functionality of the Windows Defender tool. Explain how it works conceptually, including definitions, and how you can update it via Windows Update. Talk about how real-time protection works. Include information about the monitoring agents, alert levels, and alert responses. Then, introduce at a high level all the tasks that can be done through Windows Defender. Talk about scan options, history, tools, and the SpyNet community. Open Windows Defender from Control Panel All Items as you discuss it. On the Home page, talk about the information that is displayed. Then talk about the Scan button functionality. Switch to the History page to show where quarantined items that were prevented from running can be removed or restored. Then click the Settings button. On the Settings page, join the online Microsoft Active Protection Service, and then view software that is allowed to run without being monitored. The next topic covers advanced scanning options.

Use the following information, as necessary:
Real-time protection (RTP) is the mechanism that actively monitors for malware and alerts you when potentially unwanted software attempts to install itself or to run on the computer. It also alerts you when programs attempt to change important Windows settings.
You can use the Microsoft Active Protection Service to send updates to Microsoft about malware and other forms of unwanted software.
Use the scanning options to check for unwanted software on the computer, to schedule scans on a regular basis, and to automatically remove any malicious software that Windows Defender detects during a scan. Additional information about scan options is available in the next topic.
You can set Windows Defender to check online for updated definitions before scanning. Alternatively, you can check for definition updates manually by clicking the Update tab, and then clicking Update.

Windows Defender:
- Schedules scans to occur on a regular basis
- Provides configurable responses to severe, high, medium, and low alert levels
- Provides customizable options to exclude files, folders, and file types
- Works with Windows Update to automatically install new spyware definitions
37
Scanning Options in Windows Defender
Scan results display on the Home page.

20687B Scanning Options in Windows Defender 6: Implementing Network Security
You define when to scan, and you define the scan options:

Scan Type / Description
Quick scan: Scan the areas of the computer that are most likely to be infected
Full scan: Scan all areas of the computer
Custom scan: Scan specific areas of the computer only

Windows Defender includes automatic scanning options that provide regular spyware scanning and on-demand scanning. Describe each scanning option. We recommend that you schedule a daily quick scan. At any time, if you suspect that spyware has infected the computer, run a full scan. Then describe each advanced scanning option:
- Scan archive files
- Scan removable drives
- Create a system restore point
- Allow all users to view the full History results
- Remove quarantined files after: <time>
Talk about how you can view quarantined items, or remove or restore them. Also talk about how to add an item to the allowed list. Review and remove software from the allowed list from the Settings page.
Note: Do not restore software with severe or high alert ratings because it can put your privacy and your computer’s security at risk.

Option / Description
Scan archive files: Include any archive files, such as .zip or .cab files
Scan removable drives: Include removable drives, such as USB flash drives, when running a full scan
Create a system restore point: Create a system restore point before removing, running, or quarantining detected items
Allow all users to view the full History results: Allow all users of this PC to see all detected items on the History tab
Remove quarantined files after: <time>: Quarantined files remain disabled until you allow or remove them. The default time is one month
38
Demonstration: Configuring Windows Defender Settings
20687B Demonstration: Configuring Windows Defender Settings 6: Implementing Network Security
In this demonstration, you will see how to:
- Perform a quick scan
- Test malware detection
- Examine the Windows Defender History

Time permitting, explore and explain the other options available in Windows Defender.

Preparation Steps
The following systems need to be running:
- 20687B-LON-DC1
- 20687B-LON-CL1

Demonstration Steps
Perform a quick scan
1. In the Host system, click the 20687B-LON-CL1 window.
2. Open the Settings charm, and then on the Desktop menu, click Control Panel.
3. Click View by: select Large Icons, and then click Windows Defender.
4. On the Windows Defender Home tab, ensure the Quick scan option is selected.
5. Click Scan now.
6. Review the results.
Test malware detection
1. Open Windows Explorer, and then browse to E:\Labfiles\Mod06\Malware.
2. In the Malware folder, open sample.txt in Notepad. The sample.txt file contains a text string used to test malware detection.
3. In the sample.txt file, delete both instances of <remove> (including the brackets).
4. Save and close the file. Immediately, Windows Defender detects a potential threat. Shortly thereafter, the sample.txt file will be removed from the Malware folder (quarantined).
(More notes on the next slide)
39
20687B 6: Implementing Network Security
Examine the Windows Defender history
1. Open the Settings charm, and then on the Desktop menu, click Control Panel.
2. Click Windows Defender.
3. In Windows Defender, click the History tab.
4. Click the View details button.
5. Review the results.
6. Select the check box for the Virus:DOS/EICAR_Test_File, and then click Remove.
7. Close all open windows.
40
Lab C: Configuring Host-Based Virus and Malware Protection
6: Implementing Network Security
Exercise 1: Configuring Windows Defender
You need to configure Windows Defender to perform a full scan every day at 2:00 AM. Before configuring Windows Defender, you plan on running a quick scan. Finally, you want to configure the default actions for Windows Defender to take, and check the items that you do not want it to scan.
Logon Information
Virtual Machines: B-LON-DC1, 20687B-LON-CL1
User Name: Adatum\Administrator
Password: Pa$$w0rd
Estimated Time: 10 minutes
41
20687B Lab Scenario 6: Implementing Network Security
You are planning to use Windows Defender to check for malicious files every day. You also want to ensure that Windows Defender will quarantine any files that it considers a severe risk to your system’s security.
42
20687B Lab Review 6: Implementing Network Security
Question: In your environment, how often are your client computers infected with malware?
Answer: Answers will vary based on students’ experience, so use this question as a discussion starter on the importance of using malware protection.
43
Module Review and Takeaways
20687B Module Review and Takeaways 6: Implementing Network Security
Review Questions
Best Practice

Review Questions
Question: You need to ensure that traffic passing between a computer in the perimeter network and one deployed in the internal network is encrypted and authenticated. The computer in the perimeter is not a member of your AD DS forest. What authentication methods could you use if you attempted to establish an IPsec rule between these two computers?
Answer: You could not use Kerberos because the perimeter computer is not in the forest. Therefore, you could use certificates or a preshared key.

Question: If you wanted to ensure that only domain computers can communicate with other domain computers, how could you achieve this easily with Windows Firewall?
Answer: Windows Firewall with Advanced Security supports connection security rules, which are based on IPsec. One of these rule types is a domain isolation rule. Only computers that have a configured domain membership can communicate.

Question: You decide to deploy a third-party messaging application on your company’s laptop computers. This application uses POP3 to retrieve mail from the corporate mail server, and Simple Mail Transfer Protocol (SMTP) to send mail to the corporate relay. Which ports must you open in Windows Firewall?
Answer: POP3 uses TCP port 110, and SMTP uses TCP port 25.
(More notes on the next slide)
44
20687B 6: Implementing Network Security
Question: What does Windows Defender do to software that it quarantines?
Answer: It immediately moves the file to a quarantine area. After the scan is complete, you can choose to restore or delete quarantined files. You also can view and manage the quarantined files at any time. Finally, you can configure an option to remove quarantined items automatically after a set period of time.

Tools

Best Practice: Configuration Guidelines for Windows Firewall with Advanced Security
You can configure Windows Firewall with Advanced Security in the following ways:
- Configure a local or remote computer by using either the Windows Firewall with Advanced Security snap-in or the cmdlets in the Windows PowerShell NetSecurity module.
- Configure Windows Firewall with Advanced Security settings by using the Group Policy Management Console (GPMC) or the cmdlets in the Windows PowerShell NetSecurity module.
- If you are configuring the firewall by using Group Policy, you need to ensure that the Windows Firewall service has explicit write access, by its service security identifier (SID), to the location that you specify.
- If you deploy Windows Firewall with Advanced Security by using Group Policy and then block outbound connections, ensure that you enable the Group Policy outbound rules, and do full testing in a test environment before deploying. Otherwise, you might prevent all of the computers that receive the policy from updating the policy in the future, unless you intervene manually.

Tool / Use for / Where to find it
Ping: Testing network connectivity / Command-line
Windows Firewall with Advanced Security: Managing inbound, outbound, and IPsec rules / Control Panel
Windows Defender: Anti-malware detection and removal
(More notes on the next slide)
45
20687B 6: Implementing Network Security
Best Practice: Implementing Defense-in-Depth
Supplement or modify the following best practices for your own work situations:
- Create specific rules that help prevent social engineering, and educate users on these rules and their relevance.
- Restrict physical access to servers by locking doors, and then monitor server room access.
- Implement antivirus and antispyware software.
- Implement host-based firewalls.

Best Practice: Windows Defender
When you use Windows Defender, you must have current definitions. To help keep your definitions current, Windows Defender automatically installs new definitions as they are released. You also can set Windows Defender to check online for updated definitions before scanning.
When you scan your computer, we recommend that you select the advanced option to Create a restore point before applying actions to detected items. Because you can set Windows Defender to remove detected items automatically, selecting this option allows you to restore system settings in case you want to use software that you did not intend to remove.
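As an added example that is not part of the course (which configures these settings through the Control Panel UI), the Lab C configuration (daily full scan at 2:00 AM, a quick scan first, default actions per alert level, scan exclusions) and the Windows Defender best practices above can be applied and verified with the Defender PowerShell module. It assumes Windows 8.1 or later, where that module ships, and an elevated prompt; the exclusion path and the 30-day quarantine retention are constructed values for this example.

```powershell
# Added example (not from the course). Requires the Defender module
# (Windows 8.1 / Server 2012 R2 or later) and an elevated Windows PowerShell window.
Import-Module Defender

# Record the relevant settings before changing them, so the change is auditable.
Get-MpPreference |
    Select-Object ScanParameters, ScanScheduleDay, ScanScheduleTime,
                  CheckForSignaturesBeforeRunningScan, DisableRestorePoint,
                  QuarantinePurgeItemsAfterDelay, ExclusionPath

# Lab C: a full scan every day at 02:00.
Set-MpPreference -ScanParameters FullScan -ScanScheduleDay Everyday -ScanScheduleTime 02:00:00

# Best practice: pull current definitions before each scan and keep a restore
# point before detected items are acted on, so a wrong removal can be undone.
Set-MpPreference -CheckForSignaturesBeforeRunningScan $true -DisableRestorePoint $false

# Lab C: default actions per alert level. Quarantine rather than outright removal
# keeps the History tab's restore option available (see the lab scenario).
Set-MpPreference -SevereThreatDefaultAction   Quarantine `
                 -HighThreatDefaultAction     Quarantine `
                 -ModerateThreatDefaultAction Quarantine `
                 -LowThreatDefaultAction      Quarantine

# "Remove quarantined files after" from the Scanning Options topic, in days
# (30 is this example's choice, matching the one-month default described there).
Set-MpPreference -QuarantinePurgeItemsAfterDelay 30

# Lab C: items you do not want scanned. Add-MpPreference appends instead of
# replacing the existing list. Keep exclusions narrow: each one is a blind spot.
Add-MpPreference -ExclusionPath 'C:\BuildCache'   # constructed example path

# Lab C: refresh definitions, then run the quick scan.
Update-MpSignature
Start-MpScan -ScanType QuickScan

# Verify definition age, real-time protection state, and the last quick scan;
# any detection (for example the demo's Virus:DOS/EICAR_Test_File) is listed below.
Get-MpComputerStatus |
    Select-Object AntivirusSignatureAge, AntivirusSignatureLastUpdated,
                  RealTimeProtectionEnabled, QuickScanEndTime
Get-MpThreatDetection | Select-Object InitialDetectionTime, Resources, ActionSuccess
```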