Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions
Session Prerequisites • Hands-on experience with Windows 2000 or Windows Server 2003 • Familiarity with Active Directory and Group Policy • Knowledge of Windows system security concepts • Working knowledge of TCP/IP concepts • An understanding of the basics of Internet Protocol Security (IPSec) Level 300
Session Overview • Overview of Internet Protocol Security • Understanding Network Isolation Using IPSec • Understanding Advanced Network Isolation Scenarios
Overview of Internet Protocol Security
Securing Network Communication: What Are the Challenges? Challenges to securing network communication include: • Preventing data modification while in transit • Preventing data from being read and interpreted while in transit • Keeping data secure from unauthorized users • Keeping data from being captured and replayed
What Is Internet Protocol Security? IPSec: A framework of open standards to ensure private, secure communications over IP networks through the use of cryptographic security services IPSec provides the following benefits: • Transparent to users and applications • Provides restricted access to servers • Customizable security configuration • Centralized IPSec policy administration through Active Directory
Identifying IPSec Scenarios IPSec can be deployed in: • Transport mode: used to protect host-to-host communications • Tunnel mode: used to protect traffic between a host and a network or between two networks
Understanding Transport Mode Scenarios • Server isolation • End-to-end host security
Understanding Tunnel Mode: Site-to-Site VPN (diagram: a Windows XP client at Site A reaches an FTP server at Site B through an IPSec tunnel between the IPSec gateways of the two sites)
How Does IPSec Secure Traffic? (diagram) 1. Active Directory delivers the IPSec policy to both hosts 2. The two hosts run an Internet Key Exchange (IKE) negotiation 3. The IPSec driver beneath each host's TCP layer exchanges encrypted IP packets
Creating IPSec Security Policies (diagram) An IP security policy is made up of rules; each rule combines an IP filter list (itself a set of IP filters) with a filter action. Policies can be assigned to domains, sites, and organizational units.
Demonstration 1: Configuring and Assigning IP Security Policies Configure and assign an IP Security policy
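As an added example (not from the deck), the policy structure just described, built with netsh ipsec static on Windows Server 2003: one policy, two filter lists, three filter actions and two rules, including the Exemptions List entry for domain controllers and the fall-back-to-clear setting that distinguishes the isolation domain from the No Fallback and Encryption isolation groups discussed later in the session. The domain controller addresses 10.0.0.10 and 10.0.0.11 and all object names are placeholders of my choosing.

```batch
@echo off
REM Added example, not the deck's own configuration. Run on a test host
REM (Windows Server 2003 / XP SP2); in production the same objects are created
REM in the IPSec policy of the GPO linked to the computer group's OU.
REM Placeholders: 10.0.0.10 / 10.0.0.11 stand in for the domain controllers.

REM 1. The policy container
netsh ipsec static add policy name="Isolation Domain" description="Request IPSec from peers, fall back to clear when they cannot negotiate"

REM 2. Filter lists: which traffic each rule matches (mirrored = both directions)
netsh ipsec static add filterlist name="All IP Traffic"
netsh ipsec static add filter filterlist="All IP Traffic" srcaddr=me dstaddr=any protocol=any mirrored=yes description="Everything to and from this host"

netsh ipsec static add filterlist name="Domain Controllers"
netsh ipsec static add filter filterlist="Domain Controllers" srcaddr=me dstaddr=10.0.0.10 protocol=any mirrored=yes
netsh ipsec static add filter filterlist="Domain Controllers" srcaddr=me dstaddr=10.0.0.11 protocol=any mirrored=yes

REM 3. Filter actions: what happens to matching traffic
REM    soft=yes   -> fall back to clear after the IKE timeout (the 3-second delay)
REM    inpass=yes -> accept an unsecured inbound packet, but always respond with IPSec
REM    ESP[NONE,SHA1] authenticates and integrity-protects without encrypting
netsh ipsec static add filteraction name="Request Security" action=negotiate inpass=yes soft=yes qmsecmethods="ESP[NONE,SHA1]"
REM    No Fallback isolation group: same negotiation, but never drop to clear
netsh ipsec static add filteraction name="Require Security" action=negotiate inpass=no soft=no qmsecmethods="ESP[NONE,SHA1]"
REM    Encryption isolation group: add confidentiality (ESP with 3DES)
netsh ipsec static add filteraction name="Require Encryption" action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]"
REM    Exemptions List hosts are reached in the clear
netsh ipsec static add filteraction name="Permit Unsecured" action=permit

REM 4. Rules tie a filter list to a filter action and an authentication method.
REM    Kerberos main-mode authentication is what makes "trusted" mean
REM    "domain member computer account" rather than "has the right IP address".
netsh ipsec static add rule name="DC Exemption" policy="Isolation Domain" filterlist="Domain Controllers" filteraction="Permit Unsecured"
netsh ipsec static add rule name="Isolation Domain Members" policy="Isolation Domain" filterlist="All IP Traffic" filteraction="Request Security" kerberos=yes

REM 5. Assign the policy on this host and review the result
netsh ipsec static set policy name="Isolation Domain" assign=yes
netsh ipsec static show all
```

Swapping the rule's filter action for "Require Security" or "Require Encryption" turns the same policy into the one a No Fallback or Encryption isolation group would receive.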
Understanding Network Isolation Using IPSec
What Is Network Isolation? Network isolation: The ability to allow or deny certain types of network access between computers that have direct Internet Protocol connectivity between them Benefits of introducing a logical data isolation defense layer include: • Additional security • Control of who can access specific information • Control of computer management • Protection against malware attacks • A mechanism to encrypt network data
Identifying Trusted Computers Trusted computer: A managed device that is in a known state and meets minimum security requirements Untrusted computer: A device that may not meet the minimum security requirements, mainly because it is unmanaged or not centrally controlled
Goals That Are Achievable Using Network Isolation The following goals can be achieved by using network isolation: • Isolate trusted domain member computers from untrusted devices at the network level • Help to ensure that a device meets the security requirements for accessing a trusted asset • Allow trusted domain members to restrict inbound network access to a specific group of domain member computers • Focus and prioritize proactive monitoring and compliance efforts • Focus security efforts on the few trusted assets that require access from untrusted devices • Focus and accelerate remediation and recovery efforts
Risks That Cannot Be Mitigated Using Isolation Risks that will not be directly mitigated by network isolation include: • Trusted users disclosing sensitive data • Compromise of trusted user credentials • Untrusted computers accessing other untrusted computers • Trusted users misusing or abusing their trusted status • Lack of security compliance of trusted devices • Compromised trusted computers accessing other trusted computers
How Does Network Isolation Fit into Network Security? (defense-in-depth diagram, outermost layer first) Policies, procedures, and awareness; Physical security; Perimeter; Internal network; Logical data isolation; Host; Application; Data
How Can Network Isolation Be Achieved? Components of the network isolation solution include: • Trusted hosts: computers that meet the organization's minimum security requirements • Host authentication: the use of IPSec to provide host authentication and data encryption • Host authorization: verification of security group memberships within the local security policy and access control lists of the resource
Controlling Computer Access Using Network Access Groups and IPSec (diagram: Group Policy delivers the IPSec policy; the Dept_Computers NAG governs the computer access permissions (IPSec) layer, beneath the host access permissions and the share and access permissions) Step 1: User attempts to access share on server Step 2: IKE main mode negotiation Step 3: IPSec security method negotiation
Controlling Host Access Using Network Access Groups (diagram: as in the previous slide, with the Dept_Users NAG added at the host access permissions layer) Step 1: User attempts to access share on server Step 2: IKE main mode negotiation Step 3: IPSec security method negotiation Step 4: User host access permissions checked Step 5: Share and access permissions checked
Demonstration 2: Configuring and Implementing Network Access Groups Configure network access groups to enhance security
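As an added example (not from the deck), a security template fragment for the GPO applied to the department's servers, implementing the host authorization check the NAG steps above rely on: membership in the Allow and Deny NAGs is verified against the "Access this computer from the network" and "Deny access to this computer from the network" user rights in the local security policy. CONTOSO, Dept_Computers, Dept_Users and Dept_Deny_Computers are assumed names.

```ini
; Added example, not the deck's own template. Assumed names: CONTOSO domain,
; Dept_Computers and Dept_Users (Allow NAGs), Dept_Deny_Computers (Deny NAG).
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[Privilege Rights]
; "Access this computer from the network" (SeNetworkLogonRight).
; Listing only the NAGs (plus the local Administrators group, S-1-5-32-544)
; means a domain member outside Dept_Computers fails IKE Kerberos authorization
; (computer access permissions), and a user outside Dept_Users fails the
; host access permissions check at step 4, before share permissions are consulted.
SeNetworkLogonRight = *S-1-5-32-544,CONTOSO\Dept_Computers,CONTOSO\Dept_Users

; "Deny access to this computer from the network" (SeDenyNetworkLogonRight).
; A Deny NAG always wins over an Allow NAG, which is what makes it useful for
; quickly fencing off a computer that has lost its trusted status.
SeDenyNetworkLogonRight = CONTOSO\Dept_Deny_Computers
```

Apply it on a test host with secedit /configure /db nag.sdb /cfg nag.inf /areas USER_RIGHTS, or import it into the GPO's Security Settings node so the same rights reach every server in the computer group.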
Understanding Advanced Network Isolation Scenarios
Creating the Network Isolation Design The network isolation design process involves: • Designing the foundational groups • Creating Exemption Lists • Planning the computer and network access groups • Creating additional isolation groups • Traffic modeling • Assigning the group and network access group memberships
Designing the Foundational Groups (diagram) • Isolation domain • Boundary isolation group • Untrusted systems
Creating Exemptions Lists The following conditions might cause a host to be on the Exemptions List: • The host is a computer that trusted hosts require access to, but it does not have a compatible IPSec implementation • The host is used for an application that is adversely affected by the three-second fall-back-to-clear delay or by IPSec encapsulation of application traffic • The host has issues that impact its performance • The host is a domain controller
Planning the Computer and Network Access Groups Computer groups: • Used to contain members of a specific isolation group • Assigned to Group Policy Objects to implement various security settings Network access groups: • Can be one of two types, Allow or Deny • Assigned to Group Policy to control Allow or Deny access to a computer
Creating Additional Isolation Groups Reasons to create additional isolation groups include: • Encryption requirements • Alternative outgoing or incoming network traffic requirements • Limited computer or user access required at the network level (diagram: Isolation domain, Boundary isolation group, Encryption isolation group, No Fallback isolation group, Untrusted systems)
Understanding Traffic Modeling (diagram: traffic flows numbered 1 to 7 between the Exemptions Lists, the trusted devices of the isolation domain, the Boundary group and untrusted devices; each flow is marked either IPSec or plaintext / fall back to clear)
Assigning Computer Group and Network Access Group Memberships The final tasks of designing isolation groups include assigning: • Computer group membership: place each computer into one group based on communication requirements • NAG membership: place the users and computers that require granular permissions into each previously identified NAG
Demonstration 3: Implementing Isolation Groups Implement and deploy Isolation Groups using computer security groups
Network Isolation: Additional Considerations Additional considerations include: • The maximum number of concurrent connections by unique hosts to servers using IPSec • The maximum token size limitation for hosts using IPSec
Understanding Predeployment Considerations Before deploying a network isolation solution, consider the following: • Overused devices • Incompatible devices • IP addressing • Client/server participation • Services that must be isolated • Network load balancing and clustering
Session Summary • Deploy IPSec to provide authentication and encryption • Use a combination of IPSec, security groups, and Group Policy for logical data isolation • Implement additional groups to isolate resources or provide functionality as required • Use the Boundary zone as a starting point when deploying isolation groups using IPSec
Next Steps • Find additional security training events: http://www.microsoft.com/ireland/security/training.asp • Sign up for security communications: http://www.microsoft.com/technet/security/signup/default.mspx • Get additional security tools and content: http://www.microsoft.com/security/guidance/default.mspx • Find additional e-learning clinics: https://www.microsoftelearning.com/security
Contact Details Paula Kiernan Ward Solutions paula.kiernan@ward.ie www.ward.ie