Improving Security with Domain Isolation Microsoft IT Implements IP Security (IPsec) Published: June 2004.


1 Improving Security with Domain Isolation Microsoft IT Implements IP Security (IPsec) Published: June 2004

2 Solution Overview Situation ● Managed computers had to be isolated from unmanaged computers to improve security Solution ● Deployment of IPsec Benefits ● Allows creation of logical secure network segments ● Works independently of other infrastructure for end-to-end security ● Can be deployed and managed centrally

3 Products and Technologies ● IPsec protocols (ESP, IKE) ● Windows Server 2003 ● Windows XP Professional SP1 ● Windows 2000 SP3 ● Group Policy ● Active Directory ● PKI and CA

4 Levels of Trusted Assets [Diagram of the Microsoft Corporate Network. Labels: DHCP, DNS, WINS, DC; SecureNet Clients, Servers, Home LAN, Trustworthy Labs (203,000); Untrustworthy Labs (75,000); PocketPC/Xbox (18,000); MAC (2,000); Boundary Machines (5,000); Infrastructure (500); Internet Servers; Business Partners; Extranet; DTaps (no connectivity to CorpNet) (1,800); External Exclusions; Internal Exclusions; ACL Controlled]

5 Business Benefits ● Decreased network risks ● Improved asset management information

6 Business Benefits ● Protection of intellectual property ● Increased policy compliance ● Improved malware detection

7 Domain Isolation at Microsoft ● IPsec allows creation of logical, secure networks within a larger network ● Group policy provides a framework for easily deploying IPsec to hosts ● Active Directory infrastructure and Group Policy enable deployment and administration of IPsec enterprise wide

8 Domain Isolation at Microsoft ● Microsoft IT considered two segmentation technologies: ● IPsec provides end-to-end authentication and encryption between hosts on a network ● 802.1x provides only authentication ● Microsoft IT chose IPsec because it is a complete solution

9 Domain Isolation at Microsoft ● IPsec is a standards-based framework of security protocols and cryptographic services ● IPsec is a foundation for a secure environment, but is not a secure environment itself ● Microsoft IT uses two of the four modes in IPsec negotiated security

10 Domain Isolation at Microsoft ● Active and challenging security environment at Microsoft ● Unique aspects of Microsoft environment include: ● Multiple computers per user ● Diverse desktop implementations ● Frequently rebuilt computers ● Diverse mix of approved software versions

11 Planning 1. Determine segmentation requirements 2. Choose technology 3. Design IPsec/group policies 4. Test policies/IPsec functionality and behaviors 5. Create a rollout schedule

12 Planning ● Test process and strategy ● Focus on minimal user impact ● Phased subnet deployment approach ● Creation of new rule/filter list and assignment of secure request filter action ● Change of rollout process to deploy to individual domains instead of subnets

13 Planning ● Communication with users ● Transparency of IPsec deployment to users ● Low volume of Helpdesk calls ● Training of Helpdesk personnel ● Restrictions on access to servers that contain sensitive information ● Notifications of deployment progress and system requirements

14 Deployment ● Group Policy for IPsec Distribution ● Create dedicated GPOs for IPsec ● Create security groups ● Create universal security groups to control the application of GPOs ● Create a universal security group for group/IPsec policy administration ● Administer Group Policy

15 Deployment [Diagram: an IPsec Policy contains Rules (each with a Filter List of Filters and an Action), Key Exchange Methods (IKE), Authentication Methods (Kerberos, Certificates, Static Keys), and Security Methods (Encryption, Hashing, Key Lifetimes)] ● IPsec policies are applied to a GPO, contain a set of rules, and specify how to perform IKE. ● Each rule associates a Filter List with an Action, and specifies authentication methods. ● A Filter List specifies a set of individual filters, and is used to group filters together in a rule. ● A Filter describes a pattern of traffic to match, by IP address, subnet, port, and protocol for both ends of a connection. ● An Action designates what to do with traffic that matches a filter: Permit, Block, or Negotiate Security.

16 Deployment ● Policy settings ● Different IPsec policies via different GPOs during different phases of deployment ● IPsec filter design ● Basic filter rules as the default policy ● Management and deployment of IPsec through Group Policy and Active Directory ● No active IPsec policies on Internet-facing NIC on multi-homed computers

17 Deployment ● Some computers and devices cannot use IPsec ● These computers and devices cannot access computers inside SecureNet ● Exception servers can become boundary machines ● Legacy and test environments are not a priority for adding to SecureNet

18 Deployment ● Managing boundary computers ● Extra management and security ● Creation of security groups ● Deploying boundary computers ● Request process ● Case-by-case basis for granting insecure network traffic

19 Known Issues and Problem Applications ● LAN performance ● Added bandwidth consumption ● CPU performance ● Negligible overhead on most clients ● IPsec and Windows VPN servers ● Special IPsec policies for deployments that use Kerberos

20 Known Issues and Problem Applications ● RFC 1918 private IP ranges ● Connecting to the corporate network through a VPN requires use of specific private IP ranges ● Two private subnets are excluded from the list of secure subnets

21 Known Issues and Problem Applications ● Network device issues ● IPsec changes TCP/IP offsets for destination ports and protocols ● IPsec generally defeats network-based prioritization and port or protocol-based traffic management ● IPsec adds to use of system resources

22 Known Issues and Problem Applications ● Filter processing issues ● IPsec driver caches filters that match a particular connection ● IPsec and NLB clusters ● Clients connected to an offline server must renegotiate the connection ● If a node in the cluster fails, IPsec connections cannot rebuild the security association until the preset time-out period

23 Known Issues and Problem Applications ● NAT-T ● NAT-T addresses problems between NAT and IPsec ● Troubleshooting issues ● IPsec depends on correct configuration of supporting technologies ● Microsoft IT enables auditing using domain-based group policies ● Diagnostics may require Oakley logging

24 Best Practices ● Group Policy design ● Set up group policies for all behavior types to support IPsec testing ● Filter the “Apply Group Policy” ACE for each policy to only the limited security user groups ● Use a naming convention that covers the policy and group function for easier management and troubleshooting

25 Best Practices ● IPsec design ● Minimize the overall number of filters ● Use “Any” instead of “Me” as the base approach to filter design ● Create “Any Corporate subnet” rules instead of “Me Any” for secure subnets ● Manage permitted subnets ● Use “Any” rules for virtual IP addresses used by clusters

26 Best Practices ● IPsec design ● Permit unsecured traffic to infrastructure servers ● Use Kerberos as the default authentication mechanism ● Set NoDefaultExempt = 1 via group policy ADM template ● Permit the ICMP protocol

27 Best Practices ● IPsec design ● Minimize securing by port or protocol ● Avoid “Any Any” filters ● Don’t use IPsec Default Response rule with custom policy
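As an added illustration (not part of the original presentation or of Microsoft IT's tooling), the sketch below models the policy structure from slide 15, where rules tie filters to an action and authentication methods, and checks a policy against the IPsec design guidance on slides 25 to 27. The class names, the `lint` function, the string encodings for "Me"/"Any", and the sample addresses are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Filter:                 # one traffic pattern, both ends of a connection
    src: str                  # "me", "any", or a subnet in CIDR form
    dst: str
    protocol: str = "any"
    port: int = 0             # 0 means any port

@dataclass
class Rule:                   # Filter List + Action + authentication methods
    name: str
    filters: list
    action: str               # "permit", "block" or "negotiate"
    auth: list = field(default_factory=list)   # in order of preference

def lint(rules, no_default_exempt):
    """Return findings where a policy departs from the slide 25-27 guidance."""
    findings = []
    if no_default_exempt != 1:
        findings.append("policy: NoDefaultExempt is not 1")
    if not any(r.action == "permit" and f.protocol == "icmp"
               for r in rules for f in r.filters):
        findings.append("policy: no rule permits ICMP")
    for r in rules:
        if r.action == "negotiate" and r.auth[:1] != ["kerberos"]:
            findings.append(f"{r.name}: Kerberos is not the default authentication")
        for f in r.filters:
            if f.src == "any" and f.dst == "any":
                findings.append(f"{r.name}: 'Any <-> Any' filter")
            elif "me" in (f.src, f.dst):
                findings.append(f"{r.name}: uses 'Me' instead of 'Any'")
            if r.action == "negotiate" and (f.protocol != "any" or f.port):
                findings.append(f"{r.name}: secures by port or protocol")
    return findings

# Constructed sample policies; subnets and rule names are illustrative only.
GOOD = [
    Rule("permit-icmp", [Filter("any", "10.0.0.0/8", "icmp")], "permit"),
    Rule("permit-infrastructure", [Filter("any", "10.1.1.10/32")], "permit"),
    Rule("secure-corp", [Filter("any", "10.0.0.0/8")], "negotiate", ["kerberos"]),
]
WEAK = [
    Rule("secure-all", [Filter("any", "any")], "negotiate", ["static-key"]),
    Rule("secure-smb", [Filter("me", "10.0.0.0/8", "tcp", 445)],
         "negotiate", ["kerberos"]),
]

if __name__ == "__main__":
    for finding in lint(WEAK, no_default_exempt=0):
        print(finding)
```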

28 Best Practices ● Deployment options ● Deploy by subnet ● Deploy by security group ● Deploy by domain

29 Best Practices ● Recommended deployment steps ● Pilot Request Mode IPsec ● Deploy Request Mode IPsec ● Pilot Secure Request IPsec policy ● Deploy Secure Request IPsec policy

30 Best Practices ● Non-domain joined clients ● Use Kerberos exclusively for an IPsec deployment ● Carefully evaluate the need to create exceptions to global IPsec policies ● IPsec and NLB ● Consider exempting business-critical services that require high availability

31 Conclusion ● Phase 1: deployment of IPsec to >160,000 computers ● Phase 2: deployment of Secure Request mode across the enterprise (208,000 computers) ● Minimal impact on Helpdesk ● Less exposure to worms and attackers ● Project is now in review/maintenance

32 For More Information ● Additional content on Microsoft IT deployments and best practices can be found on http://www.microsoft.com ● Microsoft TechNet http://www.microsoft.com/technet/itshowcase ● Microsoft Services http://www.microsoft.com/itshowcase ● E-mail IT Showcase showcase@microsoft.com

33 This document is provided for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, Active Directory, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

