Network Isolation Using Group Policy and IPSec

Network Isolation Using Group Policy and IPSec
Paula Kiernan, Senior Consultant, Ward Solutions
Session Prerequisites
Hands-on experience with Windows 2000 or Windows Server 2003
Familiarity with Active Directory and Group Policy
Knowledge of Windows system security concepts
Working knowledge of TCP/IP concepts
An understanding of the basics of Internet Protocol Security (IPSec)
Level 300
Session Overview
Overview of Internet Protocol Security
Understanding Network Isolation Using IPSec
Understanding Advanced Network Isolation Scenarios
Overview of Internet Protocol Security
Securing Network Communication: What Are the Challenges?
Challenges to securing network communication include:
Preventing data modification while in transit
Preventing data from being read and interpreted while in transit
Keeping data secure from unauthorized users
Keeping data from being captured and replayed
What Is Internet Protocol Security?
IPSec: A framework of open standards to ensure private, secure communications over IP networks through the use of cryptographic security services
IPSec provides the following benefits:
Transparent to users and applications
Provides restricted access to servers
Customizable security configuration
Centralized IPSec policy administration through Active Directory
Identifying IPSec Scenarios
IPSec can be deployed in:
Transport mode: used to protect host-to-host communications
Tunnel mode: used to protect traffic between a host and a network or between two networks
Understanding Transport Mode Scenarios
Server Isolation
End-to-End Host Security
Understanding Tunnel Mode
Site-to-Site VPN (diagram: a Windows XP client at Site A reaches an FTP server at Site B through an IPSec tunnel between the two sites' IPSec gateways)
How Does IPSec Secure Traffic?
1. Active Directory delivers the IPSec policy to both hosts
2. The hosts perform Internet Key Exchange (IKE) negotiation
3. The IPSec drivers, sitting below the TCP layer on each host, exchange encrypted IP packets
Creating IPSec Security Policies
An IP security policy consists of rules; each rule combines an IP filter list (a set of IP filters) with a filter action
Can be assigned to domains, sites, and organizational units
Demonstration 1: Configuring and Assigning IP Security Policies
Configure and assign an IP Security policy
Understanding Network Isolation Using IPSec
What Is Network Isolation?
Network isolation: The ability to allow or deny certain types of network access between computers that have direct Internet Protocol connectivity between them
Benefits of introducing a logical data isolation defense layer include:
Additional security
Control of who can access specific information
Control of computer management
Protection against malware attacks
A mechanism to encrypt network data
Identifying Trusted Computers
Trusted computer: A managed device that is in a known state and meets minimum security requirements
Untrusted computer: A device that may not meet the minimum security requirements, mainly because it is unmanaged or not centrally controlled
Goals That Are Achievable Using Network Isolation
The following goals can be achieved by using network isolation:
Isolate trusted domain member computers from untrusted devices at the network level
Help to ensure that a device meets the security requirements needed to access a trusted asset
Allow trusted domain members to restrict inbound network access to a specific group of domain member computers
Focus and prioritize proactive monitoring and compliance efforts
Focus security efforts on the few trusted assets that require access from untrusted devices
Focus and accelerate remediation and recovery efforts
Risks That Cannot Be Mitigated Using Isolation
Risks that will not be directly mitigated by network isolation include:
Trusted users disclosing sensitive data
Compromise of trusted user credentials
Untrusted computers accessing other untrusted computers
Trusted users misusing or abusing their trusted status
Lack of security compliance of trusted devices
Compromised trusted computers accessing other trusted computers
How Does Network Isolation Fit into Network Security?
Defense-in-depth layers (diagram), from the data outward: Data; Application; Host; Logical Data Isolation; Internal network; Perimeter; Physical security; Policies, procedures, and awareness
How Can Network Isolation Be Achieved?
Components of the network isolation solution include:
Trusted hosts: Computers that meet the organization's minimum security requirements
Host authentication: The use of IPSec to provide host authentication and data encryption
Host authorization: Verification of security group memberships within the local security policy and access control lists of the resource
Controlling Computer Access Using Network Access Groups and IPSec
Step 1: User attempts to access share on server
Step 2: IKE main mode negotiation
Step 3: IPSec security method negotiation
(Diagram labels: Group Policy; IPSec Policy; Computer Access Permissions (IPSec) for the Dept_Computers NAG; Host access permissions; Share and Access Permissions; Logical Data Isolation)
Controlling Host Access Using Network Access Groups
Step 1: User attempts to access share on server
Step 2: IKE main mode negotiation
Step 3: IPSec security method negotiation
Step 4: User host access permissions checked
Step 5: Share and access permissions checked
(Diagram labels: Group Policy; IPSec Policy; Computer Access Permissions (IPSec) for the Dept_Computers NAG; Host access permissions for the Dept_Users NAG; Share and Access Permissions; Logical Data Isolation)
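Step 4 above, the host access permissions check, is enforced through the server's "Access this computer from the network" and "Deny access to this computer from the network" user rights, which is where the Allow and Deny NAGs are granted; the PowerShell script below is an added example, not material from the presentation, and writes those rights into a security template and applies it with secedit. The domain name CONTOSO, the Deny group Dept_Deny, and the use of Dept_Computers and Dept_Users from the diagram as Allow NAGs are assumptions.

```powershell
# Added example (not from the presentation). Applies NAG membership as host
# access permissions on a resource server via the user rights that back them.
# Domain and group names are assumptions; run elevated on the server itself.
$domain   = 'CONTOSO'                          # assumption
$allowNag = @('Dept_Computers', 'Dept_Users')  # Allow NAGs named in the diagram
$denyNag  = @('Dept_Deny')                     # Deny NAG (hypothetical)

# secedit templates take SIDs prefixed with '*'; resolve each domain group name.
function Get-SidEntry([string]$Account) {
    $nt = New-Object System.Security.Principal.NTAccount($domain, $Account)
    '*' + $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}
# Keep BUILTIN\Administrators (S-1-5-32-544) so admins are never locked out.
$allow = @('*S-1-5-32-544') + ($allowNag | ForEach-Object { Get-SidEntry $_ })
$deny  = $denyNag | ForEach-Object { Get-SidEntry $_ }

# Replacing SeNetworkLogonRight drops the default Everyone/Users grant, so only
# Administrators and Allow-NAG members can connect; Deny-NAG members are refused
# even if they are also in an Allow NAG. Do not apply this to domain controllers.
$template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeNetworkLogonRight = $($allow -join ',')
SeDenyNetworkLogonRight = $($deny -join ',')
"@
$inf = Join-Path $env:TEMP 'nag_rights.inf'
$db  = Join-Path $env:TEMP 'nag_rights.sdb'
Set-Content -Path $inf -Value $template -Encoding Unicode

# Apply only the user-rights area, then export the effective settings to verify.
secedit /configure /db $db /cfg $inf /areas USER_RIGHTS /quiet
secedit /export /cfg "$env:TEMP\effective.inf" /areas USER_RIGHTS /quiet
Select-String -Path "$env:TEMP\effective.inf" -Pattern 'NetworkLogonRight'
```

In a deployment these two rights are set in the GPO linked to the isolation group's computer group rather than locally, but the resulting settings on the server are the same.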
Demonstration 2: Configuring and Implementing Network Access Groups
Configure network access groups to enhance security
Understanding Advanced Network Isolation Scenarios
Creating the Network Isolation Design
The network isolation design process involves:
Designing the foundational groups
Creating Exemption Lists
Planning the computer and network access groups
Creating additional isolation groups
Traffic modeling
Assigning the group and network access group memberships
Designing the Foundational Groups
Foundational groups (diagram): Isolation Domain; Boundary Isolation Group; Untrusted Systems
Creating Exemptions Lists
The following conditions might cause a host to be on the Exemptions List:
The host is a computer that trusted hosts require access to, but it does not have a compatible IPSec implementation
The host is used for an application that is adversely affected by the three-second fall back to clear delay or by IPSec encapsulation of application traffic
The host has issues that impact its performance
The host is a domain controller
Planning the Computer and Network Access Groups
Computer groups:
Used to contain members of a specific isolation group
Assigned to Group Policy Objects to implement various security settings
Network access groups:
Can be one of two types, Allow or Deny
Assigned to Group Policy to control Allow or Deny access to a computer
Creating Additional Isolation Groups
Reasons to create additional isolation groups include:
Encryption requirements
Alternative outgoing or incoming network traffic requirements
Limited computer or user access required at the network level
Isolation groups (diagram): Isolation Domain; Encryption Isolation Group; No Fallback Isolation Group; Boundary Isolation Group; Untrusted Systems
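The policy structure from Creating IPSec Security Policies (policy, rules, filter lists, filter actions) and the isolation groups and Exemptions List described above can be expressed with the Windows XP / Server 2003 netsh ipsec static commands; the script below is an added example, not material from the presentation. It creates a catch-all rule that negotiates IPSec with fall back to clear for the Isolation Domain, a stricter action for the No Fallback and Encryption groups, and a permit rule that keeps domain controllers on the Exemptions List in the clear. Policy, filter list, action and rule names and the 192.0.2.x domain controller addresses are assumptions.

```powershell
# Added example (not from the presentation). Builds a host IPSec policy with the
# Windows XP / Server 2003 'netsh ipsec static' command set. Names and addresses
# are hypothetical; run in an elevated PowerShell on a test host.
$policy = 'Isolation_Domain_Policy'          # policy name (assumption)
$dcs    = @('192.0.2.10', '192.0.2.11')      # domain controller IPs (placeholders)

# Policy container. Members poll Active Directory for changes every 30 minutes.
netsh ipsec static add policy name=$policy pollinginterval=30

# Filter lists: which traffic each rule applies to. 'me' is the local host.
netsh ipsec static add filterlist name=FL_All_Traffic
netsh ipsec static add filter filterlist=FL_All_Traffic srcaddr=me dstaddr=any protocol=any mirrored=yes

netsh ipsec static add filterlist name=FL_Exempt_DCs
foreach ($dc in $dcs) {
    # Exemptions List: DC traffic stays in clear, because IKE needs a Kerberos
    # ticket from the DC before it can protect anything else.
    netsh ipsec static add filter filterlist=FL_Exempt_DCs srcaddr=me dstaddr=$dc protocol=any mirrored=yes
}

# Filter actions: what happens to matching traffic.
# Isolation Domain: negotiate ESP with encryption and integrity, answer unsecured
# inbound requests with IKE (inpass), and fall back to clear after the IKE timeout
# (soft) so hosts that cannot do IPSec are still reachable.
netsh ipsec static add filteraction name=FA_Negotiate_Fallback action=negotiate 'qmsecmethods=ESP[3DES,SHA1]' inpass=yes soft=yes
# No Fallback / Encryption isolation groups: same methods, but never fall back
# and never accept unsecured inbound traffic.
netsh ipsec static add filteraction name=FA_Require_Encryption action=negotiate 'qmsecmethods=ESP[3DES,SHA1]' inpass=no soft=no
# Exemptions: pass matching traffic in clear.
netsh ipsec static add filteraction name=FA_Permit action=permit

# Rules pair a filter list with a filter action; kerberos=yes authenticates the
# peer as a domain member. The more specific DC filters win over the catch-all.
netsh ipsec static add rule name=R_Exempt_DCs policy=$policy filterlist=FL_Exempt_DCs filteraction=FA_Permit
netsh ipsec static add rule name=R_Isolation_Domain policy=$policy filterlist=FL_All_Traffic filteraction=FA_Negotiate_Fallback kerberos=yes
# For No Fallback group members, swap the action on the catch-all rule instead:
# netsh ipsec static set rule name=R_Isolation_Domain policy=$policy filteraction=FA_Require_Encryption

# Assign locally for testing; in production the policy is assigned through a GPO.
netsh ipsec static set policy name=$policy assign=yes
netsh ipsec static show policy name=$policy
```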
Understanding Traffic Modeling
(Diagram: numbered traffic flows 1 to 7 between Trusted Devices in the Isolation domain, the Boundary group, Untrusted systems, and hosts on the Exemptions Lists; the legend distinguishes IPSec-protected traffic from plaintext or fall back to clear)
Assigning Computer Group and Network Access Group Memberships
The final tasks of designing isolation groups include assigning:
Computer group membership: Place each computer into one group based on communication requirements
NAG membership: Place the users and computers that require granular permissions into each previously identified NAG
Demonstration 3: Implementing Isolation Groups
Implement and deploy Isolation Groups using computer security groups
Network Isolation: Additional Considerations
Additional considerations include:
The maximum number of concurrent connections by unique hosts to servers using IPSec
The maximum token size limitation for hosts using IPSec
Understanding Predeployment Considerations
Before deploying a network isolation solution, consider the following:
Overused devices
Incompatible devices
IP addressing
Client/server participation
Services that must be isolated
Network load balancing and clustering
Session Summary
Deploy IPSec to provide authentication and encryption
Use a combination of IPSec, security groups, and Group Policy for logical data isolation
Implement additional groups to isolate resources or provide functionality as required
Use the Boundary zone as a starting point when deploying isolation groups using IPSec
Next Steps
Find additional security training events:
http://www.microsoft.com/ireland/security/training.asp
Sign up for security communications:
http://www.microsoft.com/technet/security/signup/default.mspx
Get additional security tools and content:
http://www.microsoft.com/security/guidance/default.mspx
Find additional e-learning clinics:
https://www.microsoftelearning.com/security
Questions and Answers
Contact Details
Paula Kiernan
Ward Solutions
www.ward.ie