SEC305: Deploying Server and Domain Isolation with IPsec
http://www.microsoft.com/sdisolation
Gene Ferioli, Program Manager, Microsoft Corporation
[email protected]

Session Agenda
- Server and Domain Isolation Overview
- Demonstration
- Deployment Guidance
- Windows Network Security Roadmap
- Next Steps and Resources

Challenges and Threats
- Laptops, new devices and remote workers: network topology is more complex; limiting access to the right people
- Viruses, worms and other malicious code: threats are more sophisticated; mitigating risk can be challenging
- New regulatory and business requirements: heightened focus on data privacy; keeping costs and overhead low
- Increased connectivity needs: more mobility for better productivity; managing changing requirements

Server and Domain Isolation
Dynamically segment your Windows environment into more secure and isolated logical networks based on policy. (Diagram labels: Labs; Unmanaged guests.)
- Server Isolation: protect specific high-value servers and data
- Domain Isolation: protect managed computers from unmanaged or rogue computers and users

Isolation Solution Details
- Policy management: policies are created, distributed and managed through Active Directory security groups and Group Policy; domain membership is required to access trusted resources; helps expand the use of supporting tools such as SMS or WSUS
- Authentication: based on machine-level credentials, either Kerberos or X.509 certificates
- Enforcement: policies are enforced at the network layer by Windows IPsec; uses IPsec transport mode for end-to-end security and NAT traversal; all packets are encapsulated with ESP-Null for authentication and integrity; optionally, highly sensitive network traffic can be encrypted

Risks That Cannot Be Mitigated
- Trusted users disclosing high-value data
- Compromise of trusted credentials
- Untrusted computers compromising other untrusted computers
- Loss of physical security of trusted computers
- Lack of policy compliance mechanisms for trusted computers
This highlights the importance of a defense-in-depth strategy.

Policy-based Dynamic Segmentation (diagram)
Corporate network with an Active Directory domain controller, a trusted resource server, an HR workstation, servers with sensitive data, an unmanaged/rogue computer, an untrusted managed computer and a managed computer. Server Isolation and Domain Isolation are shown as nested boundaries. Callouts: define the logical isolation boundaries; distribute the policies and credentials; managed computers can communicate; block inbound connections from untrusted computers; enable tiered access to sensitive resources.

Protecting Critical Systems and Data with Server and Domain Isolation: Getting Started!
High-level deployment steps:
1. Define goals for deployment
2. Document infrastructure components
3. Create machine groups in Active Directory
4. Design IPsec policies and exceptions
5. Validate policies by deploying in "request mode"
6. Gradually add computers to the managed domain
7. Refine policies and interoperability plans
RESOURCE: extensive, step-by-step guidance is available at http://www.microsoft.com/sdisolation

Defining Scope of Deployment
- Conduct a risk assessment
- Determine business objectives and the risks to mitigate
- Identify infrastructure components and subnets
- Map out allowed communication paths
- Document boundary machines and policy exceptions

Create Active Directory Groups
- Non-IPsec groups:
  - Untrusted Systems: default group
  - Exemptions: trusted infrastructure
- IPsec groups:
  - Isolation Domain: default trusted group
  - Boundary: higher-risk trusted group

Additional Groups to Consider (driven by business requirements), for example:
- No Fallback Allowed Isolation Group: blocks outbound communications to untrusted hosts
- Require Encryption (high-security group): all data communications must use encryption

New "Simplified Policy" Update
- Simplifies the creation and maintenance of IPsec policies for Windows Server 2003 and Windows XP
- Significantly reduces the number of IPsec filters
- Removes the requirement for explicit network infrastructure permit filters and for special filters to help secure a subnet
- Enhances "fallback to clear" functionality: the fallback-to-clear time-out is reduced from 3 seconds to 500 ms, and credential and policy mismatch failures are now permitted to use fallback to clear
- More information: http://support.microsoft.com/default.aspx/kb/914841/en-us

Defined Filter Actions
- Request Mode: accept unauthenticated inbound communications; allow unauthenticated outbound communications
- Secure Request Mode: allow unauthenticated outbound communications only
- Full Require Mode: all unicast communications require IPsec
- Require Encryption Mode: only negotiates encryption

Deploying and Validating Policies
- Staged deployment: the policy has exemptions but no requirement for IPsec on secure subnets; the Request Mode filter action is used with the secure-subnet filter lists; subnets are slowly added to the secure-subnet filter list and tested
- Deploy by group: the IPsec policy is defined and linked; groups are used to control application of the policy

Troubleshooting
- The majority of issues attributed to IPsec are actually issues in other supporting components: authentication; Group Policy; system services, drivers and active applications; name resolution; network connectivity (TCP/IP, router ACLs); and only then the IPsec policy itself, e.g. misconfigured filters
- The TCP/IP error returned on a connection failure is "error 53: The network path was not found"
- Example: MSIT enables auditing via domain policy to capture IPsec 541/542/543 and 547 failure events

Overall Best Practices
- Minimize securing by port or protocol; use "All IP": simplifies policy design and reduces the chance of a policy mismatch
- Do not use the Default Response rule with a custom policy: it is not compatible with permitting ICMP or other protocols or ports, and it does not work with secure request behavior
- Permit ICMP (ping): supports connectivity troubleshooting and PMTU discovery
- Create an empty IPsec filter with versioning data: supports identifying which IPsec policy is applied

Staged Deployment Best Practices
- Build shell GPOs and Windows IPsec policies
- Pilot in "Request Mode"
- Deploy an IPsec policy with only exceptions: define permitted subnets and IPs first; filter the scope of the GPO to a pilot security group
- Expand the exception-only policy to all hosts
- Add subnet filters one at a time to complete the subnet list:
  - "Any <-> Subnet #1, All IP, Request Security"
  - "Any <-> Subnet #2, All IP, Request Security"

Isolation Solution Interoperability
- Scope: enabling interop with legacy and non-Windows hosts, for example networked printers, Macintosh, Unix and Linux
- A range of interoperability options is available, from basic to full "Isolation Citizen":
  - Use policy exceptions
  - Utilize ISA Server 2004 as an "IPsec gateway"
  - Create policies on the non-Windows platform with certificate-based authentication
  - Provide Terminal Services access to key corporate resources

Network Security Roadmap
- Supported on Windows 2000, XP and Server 2003
- Authentication based on machine credentials
- Integration with Windows Firewall
- Support for 10/100 Mb IPsec offload network cards
- New in Windows Vista / Windows Server "Longhorn":
  - New UI
  - Expanded authentication methods (user and health)
  - Simplified, "one-size-fits-all" policies
  - Support for "client to domain controller" protection
  - Improved support for NLB and clustering
  - Support for GigE IPsec offload network cards

Case Study: Roskilde Technical School
Challenge: The school operated several computer networks for students, faculty and administration to comply with Danish educational regulations, but the networks were completely autonomous, difficult to manage and offered no interoperability.
Solution: Worked with Systemtech, a Microsoft Certified Partner, to switch to a single campus-wide network using Server and Domain Isolation, giving users the functionality they need while still complying with the stringent security policies required by the Danish Ministry of Education.
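The Defined Filter Actions, Overall Best Practices and Staged Deployment slides above describe a policy shape (a policy shell without the Default Response rule, an ICMP exemption, a version marker, and one "Any <-> Subnet #n, All IP" rule per secure subnet) that is tedious to type by hand and easy to get wrong. The following is an added example, not code from the presentation or from Microsoft's deployment guidance: a Python script that emits the equivalent `netsh ipsec static` commands for Windows XP / Windows Server 2003. The mapping of the four filter actions onto the `inpass` (accept unsecured inbound, respond with IPsec) and `soft` (fallback to clear) switches is the author's own reading of the slide, and every policy, filter-list and rule name, subnet and exempted host is a constructed placeholder.

```python
"""Emit a staged Server and Domain Isolation policy as `netsh ipsec static` commands.

Added example, not from the presentation. Targets the netsh ipsec static context
of Windows XP / Windows Server 2003. Names, subnets and exempted hosts are
constructed placeholders. Run the printed lines in an elevated cmd.exe on a
pilot machine (local policy store); for the domain store, first run
"netsh ipsec static set store location=domain".
"""
from ipaddress import IPv4Address, IPv4Network

NETSH = "netsh ipsec static"

# The four filter actions from the "Defined Filter Actions" slide, expressed with
# the two netsh switches that control them (assumed mapping):
#   inpass=yes  accept unauthenticated inbound traffic, but always respond with IPsec
#   soft=yes    allow fallback to clear when the peer never answers IKE
# ESP-Null (no confidentiality, SHA1 integrity) is the default; only
# "Require Encryption" negotiates an encryption algorithm.
FILTER_ACTIONS = {
    "Request Mode":        {"inpass": "yes", "soft": "yes", "qm": "ESP[None,SHA1]"},
    "Secure Request Mode": {"inpass": "no",  "soft": "yes", "qm": "ESP[None,SHA1]"},
    "Full Require Mode":   {"inpass": "no",  "soft": "no",  "qm": "ESP[None,SHA1]"},
    "Require Encryption":  {"inpass": "no",  "soft": "no",  "qm": "ESP[3DES,SHA1]"},
}


def filter_action_cmd(mode):
    """One 'add filteraction' line for a named mode."""
    a = FILTER_ACTIONS[mode]
    return (f'{NETSH} add filteraction name="{mode}" action=negotiate '
            f'inpass={a["inpass"]} soft={a["soft"]} qmsecmethods="{a["qm"]}"')


def exemption_cmds(policy, exempt_hosts):
    """Permit rule for ICMP (ping, PMTU) and for trusted infrastructure hosts
    that cannot take part in IPsec, e.g. a domain controller during the pilot."""
    fl = "Exemptions"
    cmds = [
        f'{NETSH} add filterlist name="{fl}"',
        f'{NETSH} add filter filterlist="{fl}" srcaddr=me dstaddr=any '
        f'protocol=ICMP mirrored=yes description="ICMP for troubleshooting and PMTU"',
    ]
    for desc, ip in exempt_hosts:
        IPv4Address(ip)  # reject typos before they turn into a bad permit filter
        cmds.append(f'{NETSH} add filter filterlist="{fl}" srcaddr=me dstaddr={ip} '
                    f'protocol=ANY mirrored=yes description="{desc}"')
    cmds += [
        f'{NETSH} add filteraction name="Permit" action=permit',
        f'{NETSH} add rule name="Exemptions" policy="{policy}" '
        f'filterlist="{fl}" filteraction="Permit"',
    ]
    return cmds


def subnet_rule_cmds(policy, subnets, mode):
    """One 'Any <-> Subnet #n, All IP, <mode>' rule per secure subnet, in order,
    so a staged rollout can append one subnet at a time."""
    cmds = []
    for n, cidr in enumerate(subnets, start=1):
        net = IPv4Network(cidr)  # strict: a host address such as 10.0.1.5/24 raises ValueError
        fl = f"Secure Subnet #{n}"
        cmds += [
            f'{NETSH} add filterlist name="{fl}" description="{net.with_prefixlen}"',
            f'{NETSH} add filter filterlist="{fl}" srcaddr=any '
            f'dstaddr={net.network_address} dstmask={net.netmask} protocol=ANY mirrored=yes',
            f'{NETSH} add rule name="Any <-> {fl}, All IP, {mode}" policy="{policy}" '
            f'filterlist="{fl}" filteraction="{mode}" kerberos=yes',
        ]
    return cmds


def build_script(policy, version, subnets, exempt_hosts, mode="Request Mode"):
    """Full command list: policy shell, version marker, filter action, exemptions, subnets."""
    if mode not in FILTER_ACTIONS:
        raise ValueError(f"unknown filter action {mode!r}")
    lines = [
        # activatedefaultrule=no: no Default Response rule with a custom policy;
        # assign=no: assignment is done by the GPO, not by this script.
        f'{NETSH} add policy name="{policy}" description="{version}" '
        f'activatedefaultrule=no assign=no',
        # Empty filter list whose name carries the version, so the applied
        # revision can be read back with "netsh ipsec static show all".
        f'{NETSH} add filterlist name="Version {version}" description="policy version marker"',
        filter_action_cmd(mode),
    ]
    lines += exemption_cmds(policy, exempt_hosts)
    lines += subnet_rule_cmds(policy, subnets, mode)
    return lines


if __name__ == "__main__":
    script = build_script(
        policy="Domain Isolation (pilot)",
        version="1.0 2006-06-01",
        subnets=["10.0.1.0/24", "10.0.2.0/24"],                  # constructed
        exempt_hosts=[("Domain controller DC01", "10.0.0.10")],  # constructed
    )
    print("\n".join(script))
```

Re-running the script with a longer `subnets` list and only applying the new lines is how a subnet is added "one at a time"; switching `mode` to "Full Require Mode" or "Require Encryption" after the Request Mode pilot changes only the filter action, not the filters.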
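The Troubleshooting slide above makes two points worth operationalising: most "IPsec" failures are really authentication, name-resolution or connectivity failures, and MSIT audits IKE events 541/542/543/547 to see them. The following is an added example, not from the presentation or from MSIT: a Python summariser that reads a Security-log export, counts negotiation failures (event 547) per peer and maps the recorded failure reason onto the component the slide says to check first. The tab-separated export format, the peer addresses, hostnames and reason strings in the sample are constructed for the example; the mapping of reasons to components is the author's triage heuristic, not a Microsoft table.

```python
"""Summarise IKE audit events so that authentication and connectivity failures
are separated from genuine IPsec policy problems.

Added example, not from the presentation. The input is a constructed
tab-separated export (timestamp, event ID, computer, message) standing in for an
Event Viewer export of the Security log; peers, hosts and reasons are made up.
Event 547 is the IKE negotiation failure; 541 is an established SA, 542/543 are
ended quick-mode / main-mode SAs.
"""
import re
from collections import Counter

# Constructed sample export; the message fields imitate the 541/543/547 layout.
SAMPLE_EXPORT = """\
2006-06-12 09:14:02\t541\tWS-0417\tIKE security association established. Peer IP Address: 10.0.1.20 Mode: Data Protection (Quick Mode)
2006-06-12 09:14:05\t547\tWS-0417\tIKE security association negotiation failed. Peer IP Address: 10.0.9.7 Failure Point: Me Failure Reason: No response from peer
2006-06-12 09:14:06\t547\tWS-0417\tIKE security association negotiation failed. Peer IP Address: 10.0.9.7 Failure Point: Me Failure Reason: No response from peer
2006-06-12 09:15:11\t547\tWS-0417\tIKE security association negotiation failed. Peer IP Address: 10.0.1.33 Failure Point: Peer Failure Reason: IKE authentication credentials are unacceptable
2006-06-12 09:16:40\t543\tWS-0417\tIKE security association ended. Peer IP Address: 10.0.1.20 Mode: Key Exchange (Main Mode)
2006-06-12 09:17:02\t547\tWS-0417\tIKE security association negotiation failed. Peer IP Address: 10.0.1.40 Failure Point: Me Failure Reason: IKE SA deleted before establishment completed
"""

PEER_RE = re.compile(r"Peer IP Address:\s*(\d+\.\d+\.\d+\.\d+)")
REASON_RE = re.compile(r"Failure Reason:\s*(.+?)\s*$")

# Author's triage heuristic: failure-reason phrase -> supporting component from
# the Troubleshooting slide to check before touching the IPsec filters.
REASON_HINTS = (
    ("no response", "connectivity: peer never answered IKE (UDP 500 blocked by a router ACL, "
                    "host down, or a non-IPsec peer that Request Mode falls back to clear for)"),
    ("credentials", "authentication: Kerberos/certificate rejected; check domain membership, "
                    "clock skew and domain-controller reachability"),
    ("deleted before", "policy mismatch: compare filter actions and security methods on both ends"),
)


def classify(reason):
    r = reason.lower()
    for needle, hint in REASON_HINTS:
        if needle in r:
            return hint
    return "unclassified: check name resolution and Group Policy, then the IPsec filters"


def parse_events(text):
    """Parse the export into dicts; peer and reason are None when absent."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, computer, message = line.split("\t", 3)
        peer = PEER_RE.search(message)
        reason = REASON_RE.search(message)
        events.append({"time": ts, "id": int(event_id), "computer": computer,
                       "peer": peer.group(1) if peer else None,
                       "reason": reason.group(1) if reason else None})
    return events


def summarize(events):
    """Count SA lifecycle events and group 547 failures by peer with a category."""
    established = sum(1 for e in events if e["id"] == 541)
    ended = sum(1 for e in events if e["id"] in (542, 543))
    failures = {}
    for e in events:
        if e["id"] != 547:
            continue
        f = failures.setdefault(e["peer"], {"count": 0, "reasons": Counter(), "category": None})
        f["count"] += 1
        f["reasons"][e["reason"]] += 1
    for f in failures.values():
        top_reason = f["reasons"].most_common(1)[0][0]
        f["category"] = classify(top_reason or "")
    return {"established": established, "ended": ended, "failures": failures}


def report(summary):
    """Human-readable lines, noisiest peer first."""
    lines = [f'{summary["established"]} SA(s) established, {summary["ended"]} ended']
    for peer, f in sorted(summary["failures"].items(), key=lambda kv: -kv[1]["count"]):
        lines.append(f'{peer}: {f["count"]} x event 547 -> {f["category"]}')
    return lines


if __name__ == "__main__":
    print("\n".join(report(summarize(parse_events(SAMPLE_EXPORT)))))
```

Run against a real export, the peers with repeated "no response" failures are the ones to test with ping first (the slide's reason for permitting ICMP), and only a peer that answers ping and still fails with a policy-mismatch reason justifies comparing filter lists.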
- Improved security and virus protection through client lockdown
- Simplified system management and interoperability
- Enabled better utilization of resources, resulting in greater productivity
"We have been able to consolidate multiple IT departments, pull the work force together, and restructure the group into functional areas. Now we can better capitalize on the skills within the group." Gert Jensen, Chief of Development, Roskilde Technical School

Case Study: Microsoft IT "SecureNet"
Challenge: Isolate managed computers from unmanaged (and untrusted) computers to restrict unknown access to intellectual property and limit the impact of viruses and worms, in order to meet business and regulatory requirements.
Solution: As part of a "defense-in-depth" security strategy, MSIT implemented Domain Isolation, based on Windows IPsec and Active Directory Group Policy, across all of Microsoft, and deployed Server Isolation for source code servers for added protection of sensitive data.
- Deployed to more than 250,000 domain-joined computers
- Over 75% of all network traffic worldwide is protected
- Increased the number of domain-joined computers by 45%
- Achieved compliance with Sarbanes-Oxley requirements for protecting data of material impact to shareholders
"Domain joined machines increased. These are now machines that can have policy applied, an SMS agent installed…with the result a more secure and controlled environment." Bob Davis, General Manager, Microsoft Corporation

Case Study: Universidade de Vila Velha
Challenge: Consolidate and secure two separate campus networks that support 14,000 students across four campuses, within two weeks, and protect the university's intellectual property, all at a low cost.
Solution: Implemented a Server and Domain Isolation solution to increase security network-wide, safeguard intellectual property and simplify network management, thereby increasing IT staff productivity, all at no additional hardware or software expense to the university.
- Deployed in just 2 days across 1,000 desktops and 30 servers
- Lower operating cost that facilitates growth
- Improved security and productivity
"Server and Domain Isolation is an amazing solution. We already had all the tools …. Once we had time to study and to plan the IPsec solution, we did it quickly … and at no additional cost." Rodrigo Immaginario, Chief Information Officer, Universidade de Vila Velha

Next Steps and Resources
Unlock the potential of your Windows infrastructure investments:
- Server and Domain Isolation TechNet site: http://www.microsoft.com/sdisolation
- Windows IPsec TechNet site: http://www.microsoft.com/ipsec
- Review TechNet on-demand webcasts
- Newsgroup: microsoft.public.windows.networking.ipsec
- Engage with your Microsoft account team
Fill out a session evaluation on CommNet and win an XBOX 360!

© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Extending Defense-in-Depth Security

Defense-in-Depth Model
- Adds an additional layer of defense-in-depth
- Complements existing security investments
- Based on Windows IPsec and Active Directory
- Supported on: Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server "Longhorn"
(Diagram layers, outermost to innermost: Policies, Procedures & Awareness; Physical Security; Perimeter; Internal Network; Server and Domain Isolation; Host; Application; Data.)

Another Look at Isolation in Action (diagram)
The computer and the user are authenticated and authorized in sequence:
1. User attempts to access a file share
2. IKE negotiation begins
3. Local policy: network access permissions are checked for the computer account
4. IKE succeeds; user authentication occurs
5. Local policy: department group check; network access permissions are checked for the user
6. Share access is checked; access is granted or denied based on the ACL

Technical and Business Benefits
- Reduce the risk of network security threats: an additional layer of defense-in-depth; reduced attack surface area; increased manageability and healthier clients
- Safeguard sensitive data and intellectual property: authenticated, end-to-end network communications; scalable, tiered access to trusted networked resources; protection of the confidentiality and integrity of data
- Extend the value of existing investments: no additional hardware or software required; get more value from Active Directory and Group Policy; complements existing third-party network security solutions

Design Windows IPsec Policies (diagram)
- IPsec Policy
  - Key Exchange Methods (IKE): security methods (encryption, hashing) and key lifetimes
  - Rules
    - Authentication Methods: Kerberos, certificates, pre-shared keys
    - Filter List: filters
    - Filter Action: security methods