Firewall and IPsec Feature Improvements


Windows Vista Network Architecture,
Firewall and IPsec Feature Improvements
謝合宜
Microsoft contract technical consultant
MCSE: Security/Messaging, MVP, MCT
BS7799/ISO27001 Lead Auditor
Prerequisites
• Familiarity with using and managing Group Policy
• TCP/IP network administration
Level 300
Agenda
• New changes in the network architecture
• Using Windows Firewall
• Using IPsec
• Domain and server isolation
Next Generation TCP/IP
Benefits for administrators and users
– Improved security without affecting the user experience
– More reliable, easier to use and easier to manage
– Better scalability, to fit complex network environments flexibly
– Built-in diagnostics reduce the need for technical support
Completely redesigned TCP/IP stack
[Diagram: the Next Generation TCP/IP Stack (tcpip.sys). User mode: Winsock, TDI clients and WSK clients. Kernel mode: AFD, TDI, WSK and TDX above the stack; a dual IP layer (IPv4 and IPv6) carrying TCP, UDP, RAW, IPv4 tunnel, IPv6 tunnel and loopback; the Windows Filtering Platform API alongside the stack; NDIS below it with 802.3 and WLAN.]
• Dual-IP-layer architecture supporting native IPv4 and IPv6
• Extended IPsec security integration
• Improved network performance
• Automatic network tuning and optimization algorithms
• Rich APIs for better extensibility and reliability
Summary of new features
Security: IPsec; VPN Routing Compartments; Windows Filtering Platform (WFP); Secure Sockets API
Experience and scalability: IPv6; TCP Chimney; TCP-A (I/OAT); Receive Side Scaling (RSS); Receive Window Auto-Tuning; Compound TCP (CTCP) congestion control; Wireless Reliability; Black-Hole Router Detection (BHRD); Dead Gateway Detection; Network Diagnostics Framework / Extended TCP Statistics; Policy-based Quality of Service (eQoS)
http://www.microsoft.com/technet/itsolutions/network/evaluate/new_network.mspx
Receive Window Auto-Tuning
[Chart: application performance with Windows Vista between Redmond and Sydney]
Advanced Congestion Control
[Chart: TCP data transfer using Compound TCP (green) and vanilla TCP (red) between the Bay Area, CA and Tukwila, WA data centers]
Routing Compartments
• Network interfaces are isolated inside virtual compartments
• One routing table per routing compartment
• An application runs inside a single compartment only
• The isolation is enforced in kernel mode
[Diagram: Client 1 and Client 2 with sessions 1 and 2; applications (IE, Email, Messenger) in user mode; Ethernet and VPN compartments in kernel mode leading to the Internet and the intranet respectively.]
QoS policy scenarios (match conditions)
• Source/destination IPv4/IPv6 addresses
• Protocol
• Source or destination ports
• Application
Using QoS policy
• Traffic is controlled through the Differentiated Services Code Point (DSCP) value (RFC 2474)
– Default: 0 (Best Effort)
– Example:
• Backup: 10 (low)
• Server apps: 26 (medium)
• VoIP: 46 (high)
• Specify a throttle rate
– Example: HTTP 512 Kbps
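The classification described above, as an added example that is not code from the slides: policies match on the conditions listed (application, protocol, destination address, port) and assign the DSCP values from the slide plus an optional throttle rate; the function also shows how the six-bit DSCP is placed in the RFC 2474 DS field. All policy names, executable names and addresses are constructed for the example.

```python
"""Added example (not code from the slides): a model of policy-based QoS
classification. Policies match on the conditions the slides list
(application, protocol, destination address, port) and assign a DSCP value
(RFC 2474) and an optional throttle rate. Policy and flow values are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

BEST_EFFORT = 0  # default DSCP when no policy matches


@dataclass
class QosPolicy:
    name: str
    dscp: int                          # 6-bit code point, 0..63
    throttle_kbps: Optional[int] = None
    application: Optional[str] = None  # executable name; None = any
    protocol: Optional[str] = None     # 'tcp' / 'udp'; None = any
    dst_net: Optional[str] = None      # destination network in CIDR form; None = any
    dst_port: Optional[int] = None     # None = any


@dataclass
class Flow:
    application: str
    protocol: str
    dst_ip: str
    dst_port: int


# Constructed policies using the DSCP values and the HTTP throttle from the slide.
POLICIES = [
    QosPolicy("backup (low)", dscp=10, application="backup.exe"),
    QosPolicy("server apps (medium)", dscp=26, protocol="tcp",
              dst_net="10.0.0.0/8", dst_port=1433),
    QosPolicy("voip (high)", dscp=46, application="voip.exe", protocol="udp"),
    QosPolicy("http throttle", dscp=BEST_EFFORT, throttle_kbps=512,
              protocol="tcp", dst_port=80),
]


def policy_matches(p: QosPolicy, f: Flow) -> bool:
    """Every condition set on the policy must hold (conditions are ANDed)."""
    if p.application and p.application.lower() != f.application.lower():
        return False
    if p.protocol and p.protocol != f.protocol:
        return False
    if p.dst_net and ip_address(f.dst_ip) not in ip_network(p.dst_net):
        return False
    if p.dst_port is not None and p.dst_port != f.dst_port:
        return False
    return True


def classify(policies, flow: Flow) -> Tuple[int, Optional[int]]:
    """First matching policy wins (assumption: the list is already in precedence
    order). Unmatched traffic stays Best Effort and is not throttled."""
    for p in policies:
        if policy_matches(p, flow):
            return p.dscp, p.throttle_kbps
    return BEST_EFFORT, None


def ds_field(dscp: int) -> int:
    """RFC 2474 DS field: the former IPv4 TOS / IPv6 Traffic Class octet, with the
    6-bit DSCP in the high bits and the two ECN bits (zero here) in the low bits."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must fit in 6 bits")
    return dscp << 2
```

Because the first matching policy wins, the order of the list is itself part of the policy: a backup process talking to port 80 is marked DSCP 10 by the backup policy before the HTTP throttle is ever consulted.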
QoS Policy (demo)
QoS policy for Live Messenger traffic
Windows Filtering Platform
• A set of APIs that lets third-party products apply filtering at different layers
• Provides next-generation filtering features
– Authenticated communication
– Dynamic firewall configuration based on Winsock calls
– The foundation of Windows Firewall and IPsec
– Works together with encrypted network traffic
• e.g., RPC
WFP architecture (diagram)
Agenda
• New changes in the network architecture
• Using Windows Firewall
• Using IPsec
• Domain and server isolation
Network packet filtering
Inbound – Default: block most; few core exceptions
Outbound – Default: allow all interactive; restrict services
Allow rules: programs, services; users, computers; protocols, ports
Block rules: programs, services; users, computers; protocols, ports
Feature comparison (Windows XP SP2 | Windows Vista)
Direction: Inbound | Inbound, outbound
Default action: Block | Configurable per direction
Packet types: TCP, UDP, some ICMP | All
Rule types: Application, global ports, ICMP types | Multiple conditions, from the basic five-tuple to IPsec metadata
Rule actions: Block | Block, allow, bypass; with rule merge logic
UI and tools: Control Panel, netsh | Control Panel, more netsh, MMC
APIs: Public COM, private C | More COM to expose rules, more C to expose features
Remote management: None | Via hardened RPC interface
Group Policy: ADM file | MMC, netsh
Terminology: Exceptions; profiles | Rules; categories = profiles
Architectural improvements
• API calls are synchronous
– If the call returns success, the rule is guaranteed to be applied
• Policy-change audit events show the user information
• ACLs are enforced in the service's API calls
– No more registry ACLs
– No more privilege elevation
• Policy configuration is incremental
Configuration methods
• Control Panel: similar to Windows XP
• New MMC interface providing more control
– "Windows Firewall with Advanced Security" snap-in
– Predefined console in Administrative Tools
– Can configure remotely
– Integrates and simplifies IPsec configuration
• New command-line command: netsh advfirewall
Flexible exception settings
• Active Directory user/computer accounts and groups
• Source and destination IP addresses (individual or range)
• Source and destination TCP/UDP ports
• Comma-delimited list of ports (but not a low-high range)
• IP protocol number
• Types of interfaces (wired, wireless, VPN/RAS)
• ICMP type and code
• Services (used by service profiling to limit access)
Network Location
Domain: when the computer is joined to a domain and connected to it; selected automatically
Private: when the computer is connected to a defined private network
Public: all other networks
• Network changes are detected automatically
• The Network Profile Service builds a profile when connecting
– Interfaces, DC, authenticated machine, gateway MAC, …
• NPS notifies the firewall when the network changes
– The firewall switches the Location setting within 200 ms
• When not joined to a domain, only public or private are available
– Only a local administrator can define the conditions for a private network
Deciding the category with multiple network interfaces
• Examine all connected networks
• Is any interface connected to a network classified "public"? Yes: set the category to "public"
• Otherwise, is any interface connected to a network classified "private"? Yes: set the category to "private"
• Otherwise, do all interfaces see a domain controller, and does the host authenticate? Yes: set the category to "domain"
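The decision above written out as a function, as an added example that is not code from the slides. The interface records are constructed. The flowchart does not label the "no" branch of the final domain test; following the definition "Public: all other networks", this example falls back to "public", which is an assumption.

```python
"""Added example (not code from the slides): the multi-interface network
location decision from the flowchart. Interface records are constructed;
the fallback when the domain test fails is assumed to be 'public'."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Interface:
    name: str
    connected: bool = True
    classified: Optional[str] = None   # 'public' or 'private' if the network is so classified
    sees_dc: bool = False              # a domain controller is reachable over this interface
    host_authenticated: bool = False   # the computer authenticated to the domain


def select_location(interfaces: List[Interface]) -> Tuple[str, str]:
    """Return (category, reason) for the whole host, following the flowchart:
    any public network wins, then any private network, then domain only if
    every connected interface passes the domain test."""
    nets = [i for i in interfaces if i.connected]
    if not nets:
        return "public", "no connected network (assumed fallback)"
    for i in nets:
        if i.classified == "public":
            return "public", f"{i.name} is on a network classified public"
    for i in nets:
        if i.classified == "private":
            return "private", f"{i.name} is on a network classified private"
    if all(i.sees_dc and i.host_authenticated for i in nets):
        return "domain", "all interfaces see a domain controller and the host authenticated"
    return "public", "domain test failed on at least one interface (assumed fallback)"
```

The ordering of the tests means the most restrictive applicable profile wins: a laptop on the corporate LAN that also joins a public wireless network is treated as public, so the domain profile's more permissive rules never apply while the public connection is up.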
Profile settings
• Allow local administrators to create rules
• Show a notification when an inbound connection is blocked
Rule types
Program: allow traffic for a specific program
Port: allow a specific TCP or UDP port or list of ports
Predefined: rule sets for Windows networking features (for example file and printer sharing, network discovery, remote assistance, remote service administration, Windows collaboration, others)
Custom: configure the relevant parameters yourself
Windows Firewall with Advanced Security (demo)
• Profile settings
• Rule settings
Firewall rules
DO Action = {By-pass | Allow | Block} IF:
Protocol = X AND
Direction = {In | Out} AND
Local TCP/UDP port is in {Port list} AND
Remote TCP/UDP port is in {Port list} AND
ICMP type code is in {ICMP type-code list} AND
Interface NIC is in {Interface ID list} AND
Interface type is in {Interface types list} AND
Local address is found in {Address list} AND
Remote address is found in {Address list} AND
Application = <Path> AND
Service SID = <Service Short Name> AND
Require authentication = {TRUE | FALSE} AND
Require encryption = {TRUE | FALSE} AND
Remote user has access in {SDDL} AND
Remote computer has access in {SDDL} AND
OS version is in {Platform List}
Rule storage
GPO: the domain controller's SysVol; stores the group policy
GP_RSoP: the set of policies applying from the site, domain and OU the computer belongs to
Local: the registry hive where applications and users store local policies
Dynamic: the current effective policy enforced by the firewall
• Rules can be exported and imported
Rule merging and order of application (highest to lowest precedence)
Service restrictions: restrict the connections that services can establish; OS services are already configured appropriately
Connection rules: restrict connections from particular computers; use IPsec to require authentication and authorization
Authenticated bypass: allow specified authenticated computers to bypass other rules
Block rules: explicitly block specified incoming or outgoing traffic
Allow rules: explicitly allow specified incoming or outgoing traffic
Default rules: default behavior for a connection
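The rule grammar (DO Action IF …) and the precedence table above, combined into a small evaluator as an added example; this is not code from the slides or from Windows. The semantics of each rule class follow the one-line descriptions in the table, the defaults follow the "network packet filtering" slide (inbound: block; outbound: allow), and the rules, addresses, service and port values are constructed.

```python
"""Added example (not code from the slides): a model of the rule grammar
and of the rule-class precedence table. Rules and connections are
constructed; each class behaves as the table's one-line description says."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Rule classes from highest to lowest precedence; "default" comes last.
PRECEDENCE = ["service_restriction", "connection_rule", "authenticated_bypass",
              "block", "allow"]


@dataclass
class Rule:
    name: str
    kind: str                                 # one of PRECEDENCE
    direction: str = "in"                     # 'in' | 'out'
    protocol: Optional[str] = None            # 'tcp' | 'udp'; None = any
    local_ports: Optional[Set[int]] = None    # {Port list}; None = any
    remote_ports: Optional[Set[int]] = None
    remote_nets: Optional[List[str]] = None   # {Address list} as CIDRs
    application: Optional[str] = None         # <Path>
    service: Optional[str] = None             # <Service Short Name>
    require_encryption: bool = False          # Require encryption = TRUE


@dataclass
class Connection:
    direction: str
    protocol: str
    local_port: int
    remote_port: int
    remote_ip: str
    application: str = ""
    service: Optional[str] = None
    authenticated: bool = False               # peer authenticated by IPsec
    encrypted: bool = False                   # traffic protected by IPsec ESP


def matches(r: Rule, c: Connection) -> bool:
    """All conditions present on the rule are ANDed, as in the grammar."""
    return (r.direction == c.direction
            and (r.protocol is None or r.protocol == c.protocol)
            and (r.local_ports is None or c.local_port in r.local_ports)
            and (r.remote_ports is None or c.remote_port in r.remote_ports)
            and (r.remote_nets is None
                 or any(ip_address(c.remote_ip) in ip_network(n) for n in r.remote_nets))
            and (r.application is None or r.application.lower() == c.application.lower())
            and (r.service is None or r.service == c.service))


def evaluate(rules: List[Rule], conn: Connection) -> Tuple[str, str]:
    """Return (decision, rule name). Classes are consulted in PRECEDENCE order
    and the first class that yields a decision wins."""
    by_kind = {k: [r for r in rules if r.kind == k] for k in PRECEDENCE}

    # 1. Service restrictions: a service with restriction rules may only make
    #    connections that match one of them.
    if conn.service is not None:
        mine = [r for r in by_kind["service_restriction"] if r.service == conn.service]
        if mine and not any(matches(r, conn) for r in mine):
            return "block", "service restriction for " + conn.service

    # 2. Connection rules: matching traffic must be IPsec-authenticated
    #    (and encrypted when the rule requires it); otherwise it is dropped.
    for r in by_kind["connection_rule"]:
        if matches(r, conn) and (not conn.authenticated
                                 or (r.require_encryption and not conn.encrypted)):
            return "block", r.name

    # 3. Authenticated bypass: authenticated peers skip the block rules.
    for r in by_kind["authenticated_bypass"]:
        if conn.authenticated and matches(r, conn):
            return "allow", r.name

    # 4./5. Explicit block rules, then explicit allow rules.
    for kind in ("block", "allow"):
        for r in by_kind[kind]:
            if matches(r, conn):
                return kind, r.name

    # 6. Default rules: inbound is blocked, outbound is allowed.
    return ("block" if conn.direction == "in" else "allow"), "default"


# Constructed rule set exercising every class.
RULES = [
    Rule("update service may only use HTTPS", "service_restriction", direction="out",
         service="upd-svc", protocol="tcp", remote_ports={443}),
    Rule("require auth from corp subnet", "connection_rule", remote_nets=["192.168.0.0/16"]),
    Rule("admin hosts bypass", "authenticated_bypass", protocol="tcp",
         local_ports={3389}, remote_nets=["10.0.0.0/24"]),
    Rule("block remote desktop", "block", protocol="tcp", local_ports={3389}),
    Rule("allow web server", "allow", protocol="tcp", local_ports={80, 443}),
]
```

The model makes the table's merge logic concrete: an explicit block on 3389 still loses to an authenticated bypass for the admin subnet, and an allow rule for port 80 is never reached for corporate-subnet peers that fail the connection rule's authentication requirement.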
Monitoring rules (demo)
Windows Firewall with Advanced Security
• Rule export and monitoring
Agenda
• New changes in the network architecture
• Using Windows Firewall
• Using IPsec
• Domain and server isolation
IPsec settings
Load balancing and clustering
• 2000/XP/2003 spend 2 min re-establishing the connection when a node fails
– 1 minute: idle time expiration
– 1 minute: renegotiate security associations (SAs)
• Vista/Longhorn instead monitor the established SAs
– If a TCP connection starts retransmitting, the node is taken to be down
– IPsec immediately renegotiates SAs with another node
– Failover is immediate and does not affect application stability
Load balancing and failover
[Diagram: active SA with node 1 → retransmissions → attempted renegotiation with the cluster IP → active SA with node 2]

New cryptographic algorithms
Encryption
• AES-128
• AES-192
• AES-256
Key exchange
• P-256 (DH group 19, elliptic curve)
• P-384 (DH group 20, elliptic curve)
Improved authentication
• Requires a valid certificate that is in normal use
• New "extended mode"
– IKE extension known as AuthIP
– User authentication: Kerberos, NTLMv2, certificate
• Multiple methods are attempted
– The connection attempt is not abandoned after the first failure
– Methods are tried in a specific order
IPsec configuration (demo)
IPsec auditing and troubleshooting
• 15 new IPsec audit events and 20 new firewall events
• 25 old events rewritten to reflect the actual state more accurately
• No more generic, irrelevant events
• Categorized IPsec auditing and policy control (3 main categories, 8 subcategories)
• Event content includes the information needed for troubleshooting (no tracing required)
• The Oakley log is replaced by WPP tracing (for Microsoft internal use only)
• Separate, related performance counter sets are defined (IKE4, IKEv6, AUTHIPv4, AuthIPv6, …)
• More than 150 new performance counters for IPsec and the firewall
• Improved IPsecmon
Agenda
• New changes in the network architecture
• Using Windows Firewall
• Using IPsec
• Server and domain isolation
Server and domain isolation
[Diagram: the corporate network with an Active Directory domain controller, a trusted resource server, servers with sensitive data, an HR workstation, managed computers and an unmanaged/rogue (untrusted) computer. Domain isolation: managed computers can communicate with each other while inbound connections from untrusted computers are blocked. Server isolation: tiered access to the servers holding sensitive data.]
• Define the logical isolation boundaries
• Distribute policies and credentials
• Managed computers can communicate; inbound connections from untrusted computers are blocked (domain isolation)
• Enable tiered access to sensitive resources (server isolation)
Server and domain isolation (demo)
Summary
• The Vista/Longhorn network architecture offers better efficiency and easier management configuration
• From a security standpoint, the new firewall features and settings are better suited to the complex network applications ahead
• Get a deeper understanding of the new networking features in Windows Vista so they can be applied in specialized environments
Homework
• Server and Domain Isolation with Microsoft Windows
– http://www.microsoft.com/downloads/details.aspx?FamilyID=9a3e2b2b-695d4ff9-bcb1-5f2f3001845e&DisplayLang=en
• Network Location Types in Windows Vista
– http://www.microsoft.com/technet/community/columns/cableguy/cg0906.mspx
• The New Windows Firewall in Windows Vista and Windows Server "Longhorn"
– http://www.microsoft.com/technet/community/columns/cableguy/cg0106.mspx
For More Information…
• TechNet
– www.microsoft.com/taiwan/technet
• Windows Vista
– www.microsoft.com/taiwan/windowsvista
• Windows Vista: Resources for IT Professionals
– www.microsoft.com/technet/windowsvista/default.mspx
• MVP Community website
– www.microsoft.com/taiwan/community