Improving Security with Domain Isolation Microsoft IT Implements IP Security (IPsec) Published: June 2004


Page 1

Improving Security with Domain Isolation

Microsoft IT Implements IP Security (IPsec)

Published: June 2004

Page 2

Solution Overview

Situation
● Managed computers had to be isolated from unmanaged computers to improve security

Solution
● Deployment of IPsec

Benefits
● Allows creation of logical secure network segments
● Works independently of other infrastructure for end-to-end security
● Can be deployed and managed centrally

Page 3

Products and Technologies
● IPsec protocols (ESP, IKE)
● Windows Server 2003
● Windows XP Professional SP1
● Windows 2000 SP3
● Group Policy
● Active Directory
● PKI and CA

Page 4

Levels of Trusted Assets

[Diagram: tiers of trusted assets within the Microsoft Corporate Network (ACL controlled), with internal and external exclusions around the SecureNet core. Labels and asset counts shown in the figure:]
● SecureNet: Clients, Servers, Home LAN, Trustworthy Labs (203,000)
● Untrustworthy Labs (75,000)
● PocketPC/Xbox (18,000)
● MAC (2,000)
● Boundary Machines (5,000)
● Infrastructure (500): DHCP, DNS, WINS, DC
● Internet Servers, Business Partners, Extranet
● DTaps (no connectivity to CorpNet) (1,800)
● Tier labels: Internal Exclusions, External Exclusions

Page 5

Business Benefits
● Decreased network risks
● Improved asset management information

Page 6

Business Benefits
● Protection of intellectual property
● Increased policy compliance
● Improved malware detection

Page 7

Domain Isolation at Microsoft
● IPsec allows creation of logical, secure networks within a larger network
● Group Policy provides a framework for easily deploying IPsec to hosts
● Active Directory infrastructure and Group Policy enable deployment and administration of IPsec enterprise-wide

Page 8

Domain Isolation at Microsoft
● Microsoft IT considered two segmentation technologies:
  ● IPsec provides end-to-end authentication and encryption between hosts on a network
  ● 802.1x provides only authentication
● Microsoft IT chose IPsec because it is a complete solution

Page 9

Domain Isolation at Microsoft
● IPsec is a standards-based framework of security protocols and cryptographic services
● IPsec is a foundation for a secure environment, but is not a secure environment itself
● Microsoft IT uses two of the four nodes in IPsec negotiated security

Page 10

Domain Isolation at Microsoft
● Active and challenging security environment at Microsoft
● Unique aspects of the Microsoft environment include:
  ● Multiple computers per user
  ● Diverse desktop implementations
  ● Frequently rebuilt computers
  ● Diverse mix of approved software versions

Page 11

Planning

1. Determine segmentation requirements

2. Choose technology

3. Design IPsec/group policies

4. Test policies/IPsec functionality and behaviors

5. Create a rollout schedule

Page 12

Planning
● Test process and strategy
● Focus on minimal user impact
● Phased subnet deployment approach
● Creation of new rule/filter list and assignment of secure request filter action
● Change of rollout process to deploy to individual domains instead of subnets

Page 13

Planning
● Communication with users
● Transparency of IPsec deployment to users
● Low volume of Helpdesk calls
● Training of Helpdesk personnel
● Restrictions on access to servers that contain sensitive information
● Notifications of deployment progress and system requirements

Page 14

Deployment
● Group Policy for IPsec distribution
  ● Create dedicated GPOs for IPsec
  ● Create security groups
  ● Create universal security groups to control the application of GPOs
  ● Create a universal security group for group/IPsec policy administration
  ● Administer Group Policy

Page 15

Deployment

[Diagram of the IPsec policy structure: IPsec Policy → Rules → Filter List + Action → Filters; alongside Key Exchange Methods (IKE), Authentication Methods (Kerberos, Certificates, Static Keys) and Security Methods (Encryption, Hashing, Key Lifetimes).]

IPsec policies are applied to a GPO, contain a set of rules, and specify how to perform IKE.

Each rule associates a Filter List with an Action, and specifies authentication methods.

A Filter List specifies a set of individual filters, and is used to group filters together in a rule.

A Filter describes a pattern of traffic to match, by IP address, subnet, port, and protocol for both ends of a connection.

An Action designates what to do with traffic that matches a filter: Permit, Block, or Negotiate Security.

Page 16

Deployment
● Policy settings
  ● Different IPsec policies via different GPOs during different phases of deployment
● IPsec filter design
  ● Basic filter rules as the default policy
  ● Management and deployment of IPsec through Group Policy and Active Directory
  ● No active IPsec policies on the Internet-facing NIC of multi-homed computers

Page 17

Deployment

● Some computers and devices cannot use IPsec

● These computers and devices cannot access computers inside SecureNet

● Exception servers can become boundary machines

● Legacy and test environments are not a priority for adding to SecureNet

Page 18

Deployment
● Managing boundary computers
  ● Extra management and security
  ● Creation of security groups
● Deploying boundary computers
  ● Request process
  ● Case-by-case basis for granting insecure network traffic

Page 19

Known Issues and Problem Applications
● LAN performance
  ● Added bandwidth consumption
● CPU performance
  ● Negligible overhead on most clients
● IPsec and Windows VPN servers
  ● Special IPsec policies for deployments that use Kerberos

Page 20

Known Issues and Problem Applications
● RFC 1918 private IP ranges
  ● Connecting to the corporate network through a VPN requires use of specific private IP ranges
  ● Two private subnets are excluded from the list of secure subnets

Page 21

Known Issues and Problem Applications
● Network device issues
  ● IPsec changes TCP/IP offsets for destination ports and protocols
  ● IPsec generally defeats network-based prioritization and port- or protocol-based traffic management
  ● IPsec adds to use of system resources

Page 22

Known Issues and Problem Applications
● Filter processing issues
  ● IPsec driver caches filters that match a particular connection
● IPsec and NLB clusters
  ● Clients connected to an offline server must renegotiate the connection
  ● If a node in the cluster fails, IPsec connections cannot rebuild the security association until the preset time-out period expires

Page 23

Known Issues and Problem Applications
● NAT-T
  ● NAT-T addresses problems between NAT and IPsec
● Troubleshooting issues
  ● IPsec depends on correct configuration of supporting technologies
  ● Microsoft IT enables auditing using domain-based group policies
  ● Diagnostics may require Oakley logging

Page 24

Best Practices
● Group Policy design
  ● Set up group policies for all behavior types to support IPsec testing
  ● Filter the “Apply Group Policy” ACE for each policy to only the limited security user groups
  ● Use a naming convention that covers the policy and group function for easier management and troubleshooting

Page 25

Best Practices
● IPsec design
  ● Minimize the overall number of filters
  ● Use “Any” instead of “Me” as the base approach to filter design
  ● Create “Any <-> Corporate subnet” rules instead of “Me <-> Any” for secure subnets
  ● Manage permitted subnets
  ● Use “Any” rules for virtual IP addresses used by clusters

Page 26

Best Practices
● IPsec design
  ● Permit unsecured traffic to infrastructure servers
  ● Use Kerberos as the default authentication mechanism
  ● Set NoDefaultExempt = 1 via the group policy ADM template
  ● Permit the ICMP protocol

Page 27

Best Practices
● IPsec design
  ● Minimize securing by port or protocol
  ● Avoid “Any <-> Any” filters
  ● Don’t use the IPsec Default Response rule with a custom policy
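The policy structure of Page 15 (policy → rules → filter list, action and authentication methods → filters) and the filter-design practices of Pages 25 to 27 can be checked against sample traffic with a small model. The following is an added example, not code from the deck or from Microsoft IT: it evaluates a policy built from the deck's advice (permit to an infrastructure DNS server, permit ICMP, “Any <-> Corporate subnet” negotiate rule, no “Any <-> Any” filter) and picks the most specific matching filter. The corporate subnet 10.0.0.0/8, the DNS server address, the host addresses and the numeric filter weighting are all constructed assumptions; the real Windows IPsec driver ranks specific host over subnet over “Any” and also weighs protocol and port, but not with exactly these numbers.

```python
# Model of the Page 15 policy structure with the filter-design practices of Pages 25-27.
# Constructed example, not Microsoft's code; filter weighting is a simplification.
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Action(Enum):
    PERMIT = "Permit"
    BLOCK = "Block"
    NEGOTIATE = "Negotiate Security"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str                    # "TCP", "UDP", "ICMP", ...
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Filter:
    """Address selectors: "Any", "Me" (the local host's own address), a host, or a CIDR subnet."""
    src: str
    dst: str
    protocol: str = "Any"
    dst_port: Optional[int] = None
    mirrored: bool = True            # also match the reply direction

    @staticmethod
    def _addr_ok(selector, addr, me):
        if selector in ("Any", "Me"):
            return selector == "Any" or addr == me
        return ipaddress.ip_address(addr) in ipaddress.ip_network(selector, strict=False)

    def _one_way(self, src, dst, proto, dport, me):
        return (self._addr_ok(self.src, src, me) and self._addr_ok(self.dst, dst, me)
                and self.protocol in ("Any", proto) and self.dst_port in (None, dport))

    def matches(self, pkt, me):
        # A mirrored filter also matches the reply (dst -> src); the filter's
        # destination port then corresponds to the packet's source port.
        return (self._one_way(pkt.src, pkt.dst, pkt.protocol, pkt.dst_port, me) or
                (self.mirrored and self._one_way(pkt.dst, pkt.src, pkt.protocol, pkt.src_port, me)))

    @staticmethod
    def _addr_weight(selector):      # assumed weighting: host or Me = 3, subnet = 2, Any = 0
        if selector in ("Any", "Me"):
            return 0 if selector == "Any" else 3
        return 3 if ipaddress.ip_network(selector, strict=False).num_addresses == 1 else 2

    def specificity(self):
        return (self._addr_weight(self.src) + self._addr_weight(self.dst)
                + (self.protocol != "Any") + (self.dst_port is not None))


@dataclass
class Rule:
    name: str
    filters: tuple                   # the rule's Filter List
    action: Action
    auth_methods: tuple = ()         # e.g. ("Kerberos",); irrelevant for Permit/Block


@dataclass
class Policy:
    name: str
    rules: list

    def evaluate(self, pkt, me):
        """(rule name, action) of the most specific matching filter. Traffic that matches
        no filter is not processed by IPsec at all and passes in the clear."""
        best = None
        for rule in self.rules:
            for f in rule.filters:
                if f.matches(pkt, me) and (best is None or f.specificity() > best[0]):
                    best = (f.specificity(), rule.name, rule.action)
        return (best[1], best[2]) if best else ("<no matching filter>", Action.PERMIT)


CORP = "10.0.0.0/8"          # constructed corporate address space
DNS_SERVER = "10.1.0.10"     # constructed infrastructure (DNS) server address

SECURENET_POLICY = Policy("SecureNet", [
    # Page 26: permit unsecured traffic to infrastructure servers.
    Rule("Permit DNS", (Filter("Any", DNS_SERVER, "UDP", 53),), Action.PERMIT),
    # Page 26: permit ICMP; scoped to the corporate subnet so it is strictly more
    # specific than the negotiate filter below.
    Rule("Permit ICMP", (Filter("Any", CORP, "ICMP"),), Action.PERMIT),
    # Page 25: "Any <-> Corporate subnet" rather than "Me <-> Any";
    # Page 27: no "Any <-> Any" filter, so traffic with no corporate endpoint is untouched.
    Rule("Secure corporate traffic", (Filter("Any", CORP),), Action.NEGOTIATE, ("Kerberos",)),
])


def classify(me, policy=SECURENET_POLICY):
    """Evaluate constructed packets as seen from host `me`: label -> (rule name, action)."""
    samples = {
        "dns query": Packet(me, DNS_SERVER, "UDP", 49152, 53),
        "smb to corp host": Packet(me, "10.1.7.30", "TCP", 49153, 445),
        "ping reply from corp host": Packet("10.1.7.30", me, "ICMP"),
        "https to internet": Packet(me, "203.0.113.5", "TCP", 49154, 443),
    }
    return {label: policy.evaluate(p, me) for label, p in samples.items()}


if __name__ == "__main__":
    for host in ("10.1.5.20", "192.168.1.50"):   # a corporate client, then a home-LAN host
        print(host, classify(host))
```

Evaluated on a corporate client, every packet has a corporate endpoint, so the mirrored “Any <-> Corporate subnet” rule catches even its Internet-bound traffic (which then depends on the negotiate action's fallback behaviour), while the DNS and ICMP exemptions win on specificity. Evaluated on a host outside the corporate range, only traffic to corporate addresses is negotiated and everything else is left alone, which is the difference between “Any <-> Corporate subnet” and an “Any <-> Any” filter.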

Page 28

Best Practices
● Deployment options
  ● Deploy by subnet
  ● Deploy by security group
  ● Deploy by domain

Page 29

Best Practices
● Recommended deployment steps
  ● Pilot Request Mode IPsec
  ● Deploy Request Mode IPsec
  ● Pilot Secure Request IPsec policy
  ● Deploy Secure Request IPsec policy
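The two-step rollout above (Request Mode first, Secure Request second) and the boundary-machine exceptions of Pages 17 and 18 can be reasoned about with a connectivity model. The following is an added example, not code from the deck or from Microsoft IT. The mode semantics are this model's reading of the deck: Request Mode negotiates IPsec but falls back to clear in both directions, so nothing breaks during Phase 1; Secure Request still falls back to clear for outbound connections but requires IPsec inbound, so hosts that cannot use IPsec lose access into SecureNet; a boundary machine is a SecureNet member that has been granted an unsecured-inbound exception. The fleet, host names and the assumption that Kerberos authentication succeeds are constructed.

```python
# Model of the Page 29 rollout phases and the Page 17-18 boundary-machine behaviour.
# Constructed example, not Microsoft's code; mode semantics are assumptions stated above.
from enum import Enum
from itertools import product


class Mode(Enum):
    NONE = "no IPsec"                  # unmanaged or legacy host that cannot use IPsec
    REQUEST = "Request"                # Phase 1 policy: fall back to clear both ways
    SECURE_REQUEST = "Secure Request"  # Phase 2 policy: inbound requires IPsec
    BOUNDARY = "Boundary"              # SecureNet member granted an unsecured-inbound exception


def connect(initiator: Mode, responder: Mode) -> str:
    """Outcome of a new connection: 'ipsec', 'clear' or 'blocked'."""
    if initiator is Mode.NONE and responder is Mode.NONE:
        return "clear"
    if initiator is not Mode.NONE and responder is not Mode.NONE:
        return "ipsec"      # both sides negotiate; Kerberos authentication assumed to succeed
    if initiator is Mode.NONE:
        # A plain packet arrives at an IPsec host; only Secure Request refuses it.
        return "blocked" if responder is Mode.SECURE_REQUEST else "clear"
    # An IPsec host initiating to a non-IPsec peer gets no IKE reply and falls back to clear.
    return "clear"


def isolation_matrix(fleet: dict) -> dict:
    """connect() outcome for every ordered (initiator, responder) pair of distinct hosts."""
    return {(a, b): connect(fleet[a], fleet[b]) for a, b in product(fleet, repeat=2) if a != b}


def fleet_at_phase(phase: int) -> dict:
    """Constructed fleet: managed hosts move from Request to Secure Request in Phase 2,
    and one server becomes a boundary machine so the lab box can still reach it."""
    managed = Mode.REQUEST if phase == 1 else Mode.SECURE_REQUEST
    return {
        "client": managed,
        "fileserver": managed,
        "printserver": Mode.REQUEST if phase == 1 else Mode.BOUNDARY,
        "lab-box": Mode.NONE,     # cannot use IPsec (Page 17)
    }


def blocked_pairs(phase: int) -> list:
    """Sorted (initiator, responder) pairs that lose connectivity at the given phase."""
    matrix = isolation_matrix(fleet_at_phase(phase))
    return sorted(pair for pair, outcome in matrix.items() if outcome == "blocked")


def unsecured_pairs(phase: int) -> list:
    """Sorted pairs still talking in the clear: the residual exposure the rollout should shrink."""
    matrix = isolation_matrix(fleet_at_phase(phase))
    return sorted(pair for pair, outcome in matrix.items() if outcome == "clear")


if __name__ == "__main__":
    for phase in (1, 2):
        print(f"phase {phase}: blocked={blocked_pairs(phase)} clear={unsecured_pairs(phase)}")
```

Phase 1 blocks nothing, which is what makes it a safe pilot: every managed pair already negotiates IPsec, and the residual clear-text pairs are exactly the ones involving the host that cannot use IPsec. Phase 2 blocks the lab box from initiating into the Secure Request hosts, leaves the boundary print server reachable, and still lets SecureNet members initiate outbound to the lab box in the clear, which is the exposure the boundary-machine request process on Page 18 is meant to keep small.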

Page 30

Best Practices
● Non-domain joined clients
  ● Use Kerberos exclusively for an IPsec deployment
  ● Carefully evaluate the need to create exceptions to global IPsec policies
● IPsec and NLB
  ● Consider exempting business-critical services that require high availability

Page 31

Conclusion
● Phase 1: deployment of IPsec to >160,000 computers
● Phase 2: deployment of Secure Request mode across the enterprise (208,000 computers)
● Minimal impact on Helpdesk
● Less exposure to worms and attackers
● Project is now in review/maintenance

Page 32

For More Information
● Additional content on Microsoft IT deployments and best practices can be found on http://www.microsoft.com
● Microsoft TechNet: http://www.microsoft.com/technet/itshowcase
● Microsoft Services: http://www.microsoft.com/itshowcase
● E-mail IT [email protected]

Page 33

This document is provided for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, Active Directory, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.