SEC305

Upload: sandra4211

Post on 18-Jan-2015

TRANSCRIPT

Page 1: SEC305
Page 2: SEC305

SEC305: Deploying Server and Domain Isolation with IPsec

Gene Ferioli, Program Manager, Microsoft Corporation
[email protected]

http://www.microsoft.com/sdisolation

Page 3: SEC305

Session Agenda

Server and Domain Isolation Overview

Demonstration

Deployment Guidance

Windows Network Security Roadmap

Next Steps and Resources

Page 4: SEC305

Challenges and Threats

Trends: network topology is more complex; threats are more sophisticated; heightened focus on data privacy; more mobility for better productivity

Challenges: limiting access to the right people; mitigating risk can be challenging; keeping costs and overhead low; managing changing requirements

(Slide graphic) Viruses, worms and other malicious code; new regulatory and business requirements; increased connectivity needs; laptops, new devices and remote workers

Page 5: SEC305

Server and Domain Isolation

Dynamically segment your Windows environment into more secure and isolated logical networks based on policy

(Slide graphic) Kept outside the trusted network: labs, unmanaged guests

Server Isolation: protect specific high-valued servers and data

Domain Isolation: protect managed computers from unmanaged or rogue computers and users

Page 6: SEC305

Isolation Solution Details

Policy Management

Policies are created, distributed, and managed through Active Directory Security Groups and Group Policy

Domain membership is required to access trusted resources

Helps expand the use of supportive tools like SMS or WSUS

Authentication

Authentication is based on machine level credentials: Kerberos or X.509 certificates

Enforcement

Policies are enforced at the network layer by Windows IPsec

Uses IPsec transport mode for end-to-end security and NAT traversal

All packets encapsulated with ESP-Null for authentication and integrity

Optionally, highly sensitive network traffic can be encrypted

Page 7: SEC305

Risks That Cannot be Mitigated

Trusted users disclosing high value data

Compromise of trusted credentials

Untrusted computers compromising other untrusted computers

Loss of physical security of trusted computers

Lack of policy compliance mechanisms for trusted computers

Highlights the importance of a defense-in-depth strategy

Page 8: SEC305

Policy-based Dynamic Segmentation

(Slide diagram) A corporate network containing an Active Directory domain controller, managed computers, a trusted resource server, servers with sensitive data and an HR workstation. An unmanaged/rogue (untrusted) computer is blocked (X) at the Domain Isolation boundary; the Server Isolation boundary around the servers with sensitive data admits the HR workstation and blocks (X) a managed computer without tiered access.

Define the logical isolation boundaries

Distribute policies and credentials

Managed computers can communicate

Block inbound connections from untrusted

Enable tiered-access to sensitive resources

Page 9: SEC305

Protecting Critical Systems and Data with Server and Domain Isolation

Page 10: SEC305

Getting Started!

High-level Deployment Steps:

1. Define goals for deployment
2. Document infrastructure components
3. Create machine groups in Active Directory
4. Design IPsec policies and exceptions
5. Validate policies by deploying in “request mode”
6. Gradually add computers to managed domain
7. Refine policies and interoperability plans

RESOURCE: Extensive, step-by-step guidance available at: http://www.microsoft.com/sdisolation

Page 11: SEC305

Defining Scope of Deployment

Conduct a risk assessment

Determine business objectives and risks to mitigate

Identify infrastructure components and subnets

Map out allowed communications paths

Document boundary machines and policy exceptions

Page 12: SEC305

Create Active Directory Groups

Non-IPsec Groups

Untrusted Systems: default group

Exemptions: trusted infrastructure

IPsec Groups

Isolation Domain: default trusted group

Boundary: higher risk trusted group

Page 13: SEC305

Additional Groups to Consider

Driven by business requirements. For example:

No Fallback Allowed Isolation Group: blocks outbound communications to untrusted hosts

Require Encryption High Security Group: all data communications must use encryption

Page 14: SEC305

New “Simplified Policy” Update

Simplifies the creation and maintenance of IPsec policies for Windows Server 2003 and Windows XP

Significantly reduces the number of IPsec filters

Removes the requirement for explicit network infrastructure permit filters and for special filters to help secure a subnet

Enhances "fallback to clear" functionality

Fallback to clear time-out value is reduced from 3 seconds to 500 ms

Credential and policy mismatch failures are now permitted to use the fallback to clear functionality

More Information: http://support.microsoft.com/default.aspx/kb/914841/en-us

Page 15: SEC305

Defined Filter Actions

Request Mode: accept unauthenticated inbound communications; allow unauthenticated outbound communications

Secure Request Mode: allow unauthenticated outbound communications (unauthenticated inbound is not accepted)

Full Require Mode: all unicast communications require IPsec

Require Encryption Mode: only negotiates encryption

Page 16: SEC305

Deploying and Validating Policies

Staged Deployment

Policy has exemptions, but no requirements for IPsec on secure subnets

Request Mode filter action is used with secure subnet filter lists

Subnets are slowly added to secure subnet filter list and tested

Deploy by Group

IPsec Policy defined and linked

Groups are used to control application of the policy

Page 17: SEC305

Troubleshooting

The majority of issues often attributed to IPsec are actually issues in other supporting components:

Authentication

Group Policy

System services, drivers, active applications

Name resolution

Network connectivity: TCP/IP, router ACLs

IPsec policy, e.g., mis-configured filters

The TCP/IP error returned on a connection failure is “error 53: The network path was not found”

Example: MSIT enables auditing via domain policy to capture IPsec 541/542/543 and 547 failure events
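An added example, not from the deck and not Microsoft IT's own tooling: a PowerShell triage of the Security-log IKE events the slide names (541, 542, 543 and 547) on a Windows XP or Server 2003 host, summarising volume per event ID and then ranking 547 negotiation failures by peer and failure reason. It assumes "Audit logon events" is enabled (the audit category these IKE events are written under), Windows PowerShell with Get-EventLog, a 24-hour lookback window, and that the 547 message text carries "Peer IP Address:" and "Failure Reason:" labels; all of those are assumptions for this example.

```powershell
# Added example (not from the SEC305 deck): triage of IKE audit events 541/542/543/547
# from the classic Security log. Assumptions: "Audit logon events" is enabled, Windows
# PowerShell (Get-EventLog), a 24-hour window, and the message field labels used below.

$Hours = 24                               # lookback window (assumption)
$Since = (Get-Date).AddHours(-$Hours)
$IkeEventIds = 541, 542, 543, 547         # event IDs named on the troubleshooting slide

$events = Get-EventLog -LogName Security -After $Since |
    Where-Object { $IkeEventIds -contains $_.EventID }

# Volume per event ID. A healthy isolation domain is dominated by 541/542/543 (security
# associations being established and torn down); a spike in 547 means negotiations failing.
$events | Group-Object EventID | Sort-Object Name |
    Select-Object @{ n = 'EventID'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# For 547, pull the peer address and the failure reason out of the message text.
# The "Peer IP Address:" and "Failure Reason:" labels are assumed; adjust the patterns
# if the event text on your build words them differently.
$failures = foreach ($e in ($events | Where-Object { $_.EventID -eq 547 })) {
    $peer   = if ($e.Message -match 'Peer IP Address:\s*(\S+)')     { $Matches[1] } else { 'unknown' }
    $reason = if ($e.Message -match 'Failure Reason:\s*([^\r\n]+)') { $Matches[1].Trim() } else { 'unknown' }
    [pscustomobject]@{ Time = $e.TimeGenerated; Peer = $peer; Reason = $reason }
}

# Rank peer/reason pairs. Repeated failures against a host that should be inside the
# isolation domain usually point at Group Policy, Kerberos or name resolution on that
# host rather than at the IPsec filters themselves, which is the slide's main point.
$failures | Group-Object Peer, Reason | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Peer, Reason'; e = { $_.Name } } |
    Format-Table -AutoSize
```

Run it in an elevated Windows PowerShell session on the host that is reporting "error 53"; the first table tells you whether IKE is even being attempted, and the second tells you which peers and reasons to chase before touching the filter lists. Get-EventLog reads only the classic event log and is not present in PowerShell 7.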

Page 18: SEC305

Overall Best Practices

Minimize securing by port or protocol; use “All IP”

Simplifies policy design

Reduces chances of policy mismatch

Do not use Default Response rule with custom policy

Not compatible with permitting ICMP or other protocols or ports

Does not work with secure request behavior

Permit ICMP (ping): supports connectivity troubleshooting and PMTU

Create empty IPsec filter with versioning data: supports identifying applied IPsec policy

Page 19: SEC305

Staged Deployment Best Practices

Build shell GPOs and Windows IPsec policies

Pilot in “Request Mode”

Deploy an IPsec policy with only exceptions

Define permitted subnets and IPs first

Filter the scope of the GPO to a pilot security group

Expand the exception-only policy to all hosts

Add subnet filters one at a time to complete subnet list

“Any <-> Subnet # 1, All IP, Request Security”

“Any <-> Subnet # 2, All IP, Request Security”
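An added example, not part of the deck and not Microsoft's published guidance, that puts the filter-action, best-practice and staged-deployment slides together as one pilot policy built with the netsh ipsec static command set of Windows XP SP2 and Windows Server 2003. It creates the exception-only policy first (ICMP and the domain controller permitted, Default Response rule off, an empty versioning filter list), then adds the first "Any <-> Subnet, All IP, Request Security" filter, and shows how the same policy is later tightened to Secure Request and Full Require mode by changing only the filter action. The policy name, the domain controller address 10.0.0.10, the subnet ranges and the version string are assumptions for this example; the policy is created in the local store and displayed, not assigned.

```powershell
# Added example (not from the SEC305 deck): pilot "Request Mode" domain-isolation policy
# built with netsh ipsec static. Names, the DC address, subnets and version string are
# assumptions. Run from an elevated prompt; the policy is NOT assigned here.

# 1. Policy shell. activatedefaultrule=no implements "do not use the Default Response
#    rule with a custom policy" (it clashes with permitting ICMP and with secure request).
netsh ipsec static add policy name=SDI-RequestMode activatedefaultrule=no

# 2. Versioning marker: an intentionally empty filter list whose name carries the policy
#    version. It matches no traffic; it exists so "show policy" on a host reveals which
#    version of the policy that host actually received.
netsh ipsec static add filterlist name=SDI-Version-2006-06-01-v1
netsh ipsec static add filteraction name=SDI-Permit action=permit
netsh ipsec static add rule name=VersionMarker policy=SDI-RequestMode filterlist=SDI-Version-2006-06-01-v1 filteraction=SDI-Permit

# 3. Exception-only stage: permit ICMP (ping, PMTU discovery) and the domain controller
#    (placeholder address 10.0.0.10). These rules never negotiate IPsec.
netsh ipsec static add filterlist name=SDI-Exempt-ICMP
netsh ipsec static add filter filterlist=SDI-Exempt-ICMP srcaddr=me dstaddr=any protocol=ICMP mirrored=yes
netsh ipsec static add filterlist name=SDI-Exempt-Infrastructure
netsh ipsec static add filter filterlist=SDI-Exempt-Infrastructure srcaddr=me dstaddr=10.0.0.10 dstmask=255.255.255.255 protocol=any mirrored=yes
netsh ipsec static add rule name=ExemptICMP policy=SDI-RequestMode filterlist=SDI-Exempt-ICMP filteraction=SDI-Permit
netsh ipsec static add rule name=ExemptInfrastructure policy=SDI-RequestMode filterlist=SDI-Exempt-Infrastructure filteraction=SDI-Permit

# 4. "Request Security" filter action (the deck's Request Mode): negotiate ESP-null
#    (integrity only, SHA1), accept unauthenticated inbound (inpass=yes) and fall back
#    to clear for outbound to non-IPsec peers (soft=yes). The value is quoted because
#    PowerShell would otherwise split the comma into two arguments.
netsh ipsec static add filteraction name=SDI-RequestSecurity action=negotiate inpass=yes soft=yes qmsecmethods="ESP[None,SHA1]:100000k/3600s"

# 5. Secure subnets, "All IP", added one at a time: Subnet #1 now, Subnet #2 only after
#    the first has been tested. Kerberos supplies the machine credentials.
netsh ipsec static add filterlist name=SDI-SecureSubnets
netsh ipsec static add filter filterlist=SDI-SecureSubnets srcaddr=any dstaddr=10.10.0.0 dstmask=255.255.0.0 protocol=any mirrored=yes
# Later pilot phase, after Subnet #1 is validated:
# netsh ipsec static add filter filterlist=SDI-SecureSubnets srcaddr=any dstaddr=10.20.0.0 dstmask=255.255.0.0 protocol=any mirrored=yes
netsh ipsec static add rule name=SecureSubnets policy=SDI-RequestMode filterlist=SDI-SecureSubnets filteraction=SDI-RequestSecurity kerberos=yes

# 6. Review before anything is assigned; assignment (or GPO linking to the pilot
#    security group) is a separate, deliberate step.
netsh ipsec static show policy name=SDI-RequestMode level=verbose

# Moving through the deck's modes later changes only the filter action, never the filters:
#   Secure Request Mode: netsh ipsec static set filteraction name=SDI-RequestSecurity inpass=no
#   Full Require Mode:   netsh ipsec static set filteraction name=SDI-RequestSecurity inpass=no soft=no
#   Require Encryption:  same action with qmsecmethods="ESP[3DES,SHA1]:100000k/3600s" only
```

Because every rule uses protocol=any ("All IP") and the only port- or protocol-specific filter is the ICMP exemption, a policy mismatch between two hosts can only come from the filter action, which is also why the version marker is worth the extra rule: it lets a helpdesk confirm with one netsh command which policy generation a failing host has before anyone blames IPsec.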

Page 20: SEC305

Isolation Solution Interoperability

Scope: enabling interop with legacy and non-Windows hosts. Examples: networked printers, Macintosh, Unix and Linux

Range of interoperability options available, from basic to full “Isolation Citizen”:

Use policy exceptions

Utilize ISA Server 2004 as an “IPsec Gateway”

Create policies on non-Windows platform with certificate-based authentication

Provide Terminal Services access to key corporate resources

Page 21: SEC305
Page 22: SEC305

Network Security Roadmap

Windows Vista / Windows Server “Longhorn”

New Windows Vista/Windows Server “Longhorn” UI

Expanded authentication methods (user and health)

Simplified, “one-size-fits-all” policies

Support for “Client to Domain Controller” protection

Improved support for NLB and clustering

Support for GigE IPsec offload network cards

Windows 2000, XP and Server 2003

Supported on Windows 2000, XP and Server 2003

Authentication based on machine credentials

Integration with Windows Firewall

Support for 10/100Mb IPsec offload network cards

Page 23: SEC305

Case Study: Roskilde Technical School

Challenge: Operated several computer networks for students, faculty, and administration to comply with Danish educational regulations, but the networks were completely autonomous, difficult to manage, and offered no interoperability.

Solution: Worked with Systemtech, a Microsoft® Certified Partner, to switch to a single campus-wide network using Server and Domain Isolation to provide users the functionality that they need while still complying with the stringent security policies required by the Danish Ministry of Education.

Improved security and virus protection through client lockdown

Simplified system management and interoperability

Enabled better utilization of resources resulting in greater productivity

“We have been able to consolidate multiple IT departments, pull the work force together, and restructure the group into functional areas. Now we can better capitalize on the skills within the group.” Gert Jensen, Chief of Development, Roskilde Technical School

Page 24: SEC305

Case Study: Microsoft IT “SecureNet”

Challenge: Isolate managed computers from unmanaged (and untrusted) computers to restrict unknown access to intellectual property and limit the impact of viruses and worms, to meet business and regulatory requirements

Solution: As part of a “defense-in-depth” security strategy, MSIT implemented Domain Isolation, based on Windows IPsec and Active Directory Group Policy, across all of Microsoft. Deployed Server Isolation for source code servers for added protection of sensitive data.

Deployed to more than 250,000 domain joined computers

Over 75% of all network traffic world-wide is protected

Increased number of domain joined computers by 45%

Achieved compliance with Sarbanes-Oxley requirements for protecting data of material impact to shareholders

“Domain joined machines increased. These are now machines that can have policy applied, an SMS agent installed…with the result a more secure and controlled environment.” Bob Davis, General Manager, Microsoft Corporation

Page 25: SEC305

Case Study: Universidade de Vila Velha

Challenge: Consolidate and secure two separate campus networks that support 14,000 students across four campuses within two weeks, and protect the university’s intellectual property, all at a low cost

Solution: Implemented a Server and Domain Isolation solution to increase security network-wide, safeguard intellectual property, and simplify network management, thereby increasing IT staff productivity—all at no additional hardware or software expense to the university.

Deployed in just 2 days across 1,000 desktops and 30 servers

Lower operating cost that facilitates growth

Improved security and productivity

“Server and Domain Isolation is an amazing solution. We already had all the tools …. Once we had time to study and to plan the IPsec solution, we did it quickly … and at no additional cost.” Rodrigo Immaginario, Chief Information Officer, Universidade de Vila Velha

Page 26: SEC305

Next Steps and Resources

Server and Domain Isolation TechNet site: http://www.microsoft.com/sdisolation

Windows IPsec TechNet site: http://www.microsoft.com/ipsec

Review TechNet on-demand webcasts

Newsgroup: microsoft.public.windows.networking.ipsec

Engage with your Microsoft account team

Unlock the potential of your Windows infrastructure investments

Page 27: SEC305

Fill out a session evaluation on CommNet and win an Xbox 360!

Page 28: SEC305

© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Page 29: SEC305

Extending Defense-in-Depth

Adds an additional layer of defense-in-depth

Complements existing security investments

Based on Windows IPsec and Active Directory®

Supported on: Windows 2000, Windows XP, Windows Server™ 2003, Windows Vista, Windows Server “Longhorn”

Security Defense-in-Depth Model (slide graphic): Policies, Procedures & Awareness; Physical Security; Perimeter; Internal Network; Host; Application; Data. Server and Domain Isolation is highlighted as the layer this session adds to the model.

Page 30: SEC305

Another Look at Isolation in Action

(Slide diagram; step order reconstructed from the numbers on the slide)

1. User attempts to access a file share
2. IKE negotiation begins
3. Check network access permissions (computer account) against local policy
4. IKE succeeds, user AuthN occurs
5. Check network access permissions (user) against local policy
6. Share access is checked: access granted or denied based on ACL (department group)

Result: computer and user are authenticated and authorized

Page 31: SEC305

Technical and Business Benefits

Extend the value of existing investments

No additional hardware or software required

Get more value from Active Directory and Group Policy

Complements existing 3rd-party network security solutions

Safeguard sensitive data and intellectual property

Authenticated, end-to-end network communications

Scalable, tiered access to trusted networked resources

Protect the confidentiality and integrity of data

Reduce the risk of network security threats

An additional layer of defense-in-depth

Reduced attack surface area

Increased manageability and more healthy clients

Page 32: SEC305

Design Windows IPsec Policies

(Slide diagram: the structure of a Windows IPsec policy)

IPsec Policy
  Key Exchange Methods (IKE): security methods, key lifetimes
  Rules
    Filter List: filters
    Action: security methods (hashing, encryption), key lifetimes
    Authentication Methods: certificates, pre-shared keys, Kerberos