
Network Isolation Using Group Policy and IPSec


Presentation Transcript


  1. Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions

  2. Session Prerequisites • Hands-on experience with Windows 2000 or Windows Server 2003 • Familiarity with Active Directory and Group Policy • Knowledge of Windows system security concepts • Working knowledge of TCP/IP concepts • An understanding of the basics of Internet Protocol Security (IPSec) Level 300

  3. Session Overview • Overview of Internet Protocol Security • Understanding Network Isolation Using IPSec • Understanding Advanced Network Isolation Scenarios

  4. Overview of Internet Protocol Security • Overview of Internet Protocol Security • Understanding Network Isolation Using IPSec • Understanding Advanced Network Isolation Scenarios

  5. Securing Network Communication: What Are the Challenges? Challenges to securing network communication include: • Preventing data modification while in transit • Preventing data from being read and interpreted while in transit • Keeping data secure from unauthorized users • Keeping data from being captured and replayed

  6. What Is Internet Protocol Security? IPSec: A framework of open standards to ensure private, secure communications over IP networks through the use of cryptographic security services IPSec provides the following benefits: • Transparent to users and applications • Provides restricted access to servers • Customizable security configuration • Centralized IPSec policy administration through Active Directory

  7. Identifying IPSec Scenarios IPSec can be deployed in: • Transport mode: used to protect host-to-host communications • Tunnel mode: used to protect traffic between a host and a network, or between two networks

  8. Understanding Transport Mode Scenarios • Server isolation • End-to-end host security

  9. Understanding Tunnel Mode Site-to-site VPN: an IPSec tunnel between the IPSec gateway at Site A and the IPSec gateway at Site B carries the traffic between a Windows XP client at one site and an FTP server at the other.

  10. How Does IPSec Secure Traffic? Step 1: Active Directory delivers the IPSec policy to both computers Step 2: The two peers perform an Internet Key Exchange (IKE) negotiation Step 3: The IPSec driver on each side, below the TCP layer, sends and receives the encrypted IP packets

  11. Creating IPSec Security Policies An IP security policy is made up of rules; each rule pairs one IP filter list with one filter action, and each IP filter list is a set of IP filters. Policies can be assigned to domains, sites, and organizational units.

  12. Demonstration 1: Configuring and Assigning IP Security Policies Configure and assign an IP Security policy

  13. Understanding Network Isolation Using IPSec • Overview of Internet Protocol Security • Understanding Network Isolation Using IPSec • Understanding Advanced Network Isolation Scenarios

  14. What Is Network Isolation? Network isolation: The ability to allow or deny certain types of network access between computers that have direct Internet Protocol connectivity between them Benefits of introducing a logical data isolation defense layer include: • Additional security • Control of who can access specific information • Control of computer management • Protection against malware attacks • A mechanism to encrypt network data

  15. Identifying Trusted Computers Trusted computer: A managed device that is in a known state and meets minimum security requirements Untrusted computer: A device that may not meet the minimum security requirements, mainly because it is unmanaged or not centrally controlled

  16. Goals That Are Achievable Using Network Isolation The following goals can be achieved by using network isolation: • Isolate trusted domain member computers from untrusted devices at the network level • Help to ensure that a device meets the security requirements needed to access a trusted asset • Allow trusted domain members to restrict inbound network access to a specific group of domain member computers • Focus and prioritize proactive monitoring and compliance efforts • Focus security efforts on the few trusted assets that require access from untrusted devices • Focus and accelerate remediation and recovery efforts

  17. Risks That Cannot Be Mitigated Using Isolation Risks that will not be directly mitigated by network isolation include: • Trusted users disclosing sensitive data • Compromise of trusted user credentials • Untrusted computers accessing other untrusted computers • Trusted users misusing or abusing their trusted status • Lack of security compliance on trusted devices • Compromised trusted computers accessing other trusted computers

  18. How Does Network Isolation Fit into Network Security? Defense-in-depth layers, from the outside in: policies, procedures, and awareness; physical security; perimeter; internal network; host; application; data. Logical data isolation is added as its own layer between the internal network and host layers.

  19. How Can Network Isolation Be Achieved? Components of the network isolation solution include: • Trusted hosts: computers that meet the organization’s minimum security requirements • Host authentication: the use of IPSec to provide host authentication and data encryption • Host authorization: verification of security group memberships within the local security policy and the access control lists of the resource

  20. Controlling Computer Access Using Network Access Groups and IPSec Group Policy delivers the IPSec policy and the Dept_Computers network access group (NAG) to the server; together they form the computer access permissions (IPSec), which is the logical data isolation layer. Step 1: User attempts to access a share on the server Step 2: IKE main mode negotiation Step 3: IPSec security method negotiation Only after these steps succeed are the host access permissions and the share and access permissions checked.

  21. Controlling Host Access Using Network Access Groups Group Policy delivers the IPSec policy, the Dept_Computers NAG (computer access permissions, IPSec) and the Dept_Users NAG (host access permissions) to the server. Step 1: User attempts to access a share on the server Step 2: IKE main mode negotiation Step 3: IPSec security method negotiation Step 4: User host access permissions checked Step 5: Share and access permissions checked

  22. Demonstration 2: Configuring and Implementing Network Access Groups Configure network access groups to enhance security
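The network access groups of slides 20 and 21, as an added example that is not part of the presentation and not Microsoft's own demonstration script. It creates Allow and Deny NAGs for one department and writes the security template that maps them to the "Access this computer from the network" user rights: the computer NAG is checked during IKE main mode (step 2), the user NAG when the user's network logon is authorized (step 4). The domain, OU, group and member names are assumptions; the user-right names and the BUILTIN\Administrators SID are real. It needs the ActiveDirectory PowerShell module from RSAT.

```powershell
# Added example, not from the presentation: Allow/Deny network access groups
# (NAGs) plus the security template that binds them to SeNetworkLogonRight and
# SeDenyNetworkLogonRight. Domain, OU, group and member names are assumed.

Import-Module ActiveDirectory

$ou = 'OU=NAGs,DC=corp,DC=example,DC=com'                       # assumed OU
$nags = [ordered]@{
    'NAG_Dept_Computers_Allow' = @('HRSRV01$', 'HRWKS01$')      # computer accounts end in $
    'NAG_Dept_Users_Allow'     = @('HR-Staff')                  # assumed existing user group
    'NAG_Dept_Deny'            = @('Contractors')               # assumed existing group
}

foreach ($name in $nags.Keys) {
    # Domain local scope: these groups only appear in rights and ACLs on member servers
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope DomainLocal -GroupCategory Security -Path $ou
    }
    Add-ADGroupMember -Identity $name -Members $nags[$name]
}

# Security templates list principals by SID, each prefixed with '*'
function Get-NagSidEntry([string]$Name) { '*' + (Get-ADGroup -Identity $Name).SID.Value }

$allow = @('*S-1-5-32-544')   # BUILTIN\Administrators: keep admin access to the server
$allow += 'NAG_Dept_Computers_Allow', 'NAG_Dept_Users_Allow' | ForEach-Object { Get-NagSidEntry $_ }
$deny  = Get-NagSidEntry 'NAG_Dept_Deny'

# The template REPLACES the right, so every principal that still needs network
# access to the server must be listed. A Deny right always wins over Allow.
$inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeNetworkLogonRight = $($allow -join ',')
SeDenyNetworkLogonRight = $deny
"@

$infPath = Join-Path $env:TEMP 'dept-nag.inf'
Set-Content -Path $infPath -Value $inf -Encoding Unicode

# Apply on one test server first; the same .inf is then imported into the
# department GPO under Security Settings (Import Policy...) so that Group
# Policy delivers it to every server in the department's computer group.
secedit /configure /db (Join-Path $env:TEMP 'dept-nag.sdb') /cfg $infPath /areas USER_RIGHTS /quiet
```

Because the template replaces the right rather than adding to it, check the resulting rights on the test server (Local Security Policy, User Rights Assignment) before importing the template into the GPO; forgetting a principal that must still reach the server, such as a backup or monitoring account, locks it out at IKE main mode or at network logon.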

  23. Understanding Advanced Network Isolation Scenarios • Overview of Internet Protocol Security • Understanding Network Isolation Using IPSec • Understanding Advanced Network Isolation Scenarios

  24. Creating the Network Isolation Design The network isolation design process involves: • Designing the foundational groups • Creating Exemption Lists • Planning the computer and network access groups • Creating additional isolation groups • Traffic modeling • Assigning the group and network access group memberships

  25. Designing the Foundational Groups The foundational groups are: • Isolation Domain • Boundary Isolation Group • Untrusted Systems

  26. Creating Exemption Lists The following conditions might cause a host to be placed on the exemption list: • Trusted hosts require access to the host, but it does not have a compatible IPSec implementation • The host runs an application that is adversely affected by the three-second fall-back-to-clear delay or by IPSec encapsulation of its traffic • The host has issues that affect its performance • The host is a domain controller

  27. Planning the Computer and Network Access Groups Computer groups: • Used to contain members of a specific isolation group • Assigned to Group Policy Objects to implement various security settings Network access groups: • Can be one of two types, Allow or Deny • Assigned to Group Policy to control Allow or Deny access to a computer

  28. Creating Additional Isolation Groups Reasons to create additional isolation groups include: • Encryption requirements • Alternative outgoing or incoming network traffic requirements • Limited computer or user access required at the network level Alongside the foundational groups (Isolation Domain, Boundary Isolation Group, Untrusted Systems), the slide shows two such groups: • Encryption Isolation Group • No Fallback Isolation Group

  29. Understanding Traffic Modeling The traffic model maps each flow (numbered 1 to 7 on the slide) between the trusted devices (the isolation domain and the boundary group), the exemption list hosts and the untrusted systems, and marks each flow as either IPSec-protected or plaintext (including fall back to clear).

  30. Assigning Computer Group and Network Access Group Memberships The final tasks of designing isolation groups include assigning: • Computer group membership: place each computer into one group based on its communication requirements • NAG membership: place the users and computers that require granular permissions into each previously identified NAG

  31. Demonstration 3: Implementing Isolation Groups Implement and deploy Isolation Groups using computer security groups
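The policy objects of slide 11 (filter lists, filters, filter actions, rules, policies) built for the isolation groups of slides 25 to 28, as an added example that is not part of the presentation and not the script used in Demonstrations 1 and 3. It writes a netsh script, loads it into the domain IPSec policy store, and creates one policy per group, each with an exemption rule. The domain name, the policy and filter list names and the two exempt addresses are assumptions; the netsh ipsec static commands and the inpass/soft options are the real ones. It needs an elevated prompt and rights to write IPSec policy in the domain.

```powershell
# Added example, not from the presentation: builds the isolation-group IPSec
# policies with netsh ipsec static and loads them into the domain store so that
# Active Directory delivers them through Group Policy. Domain, names and the
# exempt addresses are assumed.

$domain     = 'corp.example.com'                               # assumed
$scriptPath = Join-Path $env:TEMP 'isolation-ipsec.txt'

$netshScript = @"
pushd ipsec static
set store location=domain domain=$domain

# ---- Filter lists: what traffic a rule applies to --------------------------
add filterlist name="All IP Traffic" description="Every packet to or from this host"
add filter filterlist="All IP Traffic" srcaddr=me dstaddr=any protocol=any mirrored=yes

# Exemption list (slide 26): hosts that trusted members must reach without IPSec,
# here two assumed addresses (e.g. a device without an IPSec stack and a DC).
# IPSec applies the most specific matching filter, so these win over 'any'.
add filterlist name="Exemptions" description="Hosts that never negotiate IPSec"
add filter filterlist="Exemptions" srcaddr=me dstaddr=10.0.0.5 dstmask=255.255.255.255 protocol=any mirrored=yes
add filter filterlist="Exemptions" srcaddr=me dstaddr=10.0.0.6 dstmask=255.255.255.255 protocol=any mirrored=yes

# ---- Filter actions: the behaviour that distinguishes the isolation groups ---
# Isolation domain: negotiate ESP with integrity only, require IPSec inbound
# (inpass=no), fall back to clear when an outbound peer does not answer (soft=yes).
add filteraction name="Secure Request" action=negotiate qmsecmethods="ESP[None,SHA1]" inpass=no soft=yes
# Boundary group: same, but also accept an unsecured inbound connection from
# untrusted systems (inpass=yes) while still trying to negotiate on the reply.
add filteraction name="Boundary Secure Request" action=negotiate qmsecmethods="ESP[None,SHA1]" inpass=yes soft=yes
# No Fallback group (slide 28): never communicate in clear, inbound or outbound.
add filteraction name="No Fallback" action=negotiate qmsecmethods="ESP[None,SHA1]" inpass=no soft=no
# Encryption group (slide 28): require ESP confidentiality as well, no fallback.
add filteraction name="Require Encryption" action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no
add filteraction name="Permit" action=permit

# ---- Policies: one per isolation group, Kerberos (domain) authentication -----
add policy name="Isolation Domain Policy" description="Secure request, fall back to clear" assign=no
add rule name="Exempt Hosts" policy="Isolation Domain Policy" filterlist="Exemptions" filteraction="Permit"
add rule name="All Traffic"  policy="Isolation Domain Policy" filterlist="All IP Traffic" filteraction="Secure Request" kerberos=yes

add policy name="Boundary Policy" description="Accepts clear inbound from untrusted systems" assign=no
add rule name="Exempt Hosts" policy="Boundary Policy" filterlist="Exemptions" filteraction="Permit"
add rule name="All Traffic"  policy="Boundary Policy" filterlist="All IP Traffic" filteraction="Boundary Secure Request" kerberos=yes

add policy name="No Fallback Policy" description="IPSec required in both directions" assign=no
add rule name="Exempt Hosts" policy="No Fallback Policy" filterlist="Exemptions" filteraction="Permit"
add rule name="All Traffic"  policy="No Fallback Policy" filterlist="All IP Traffic" filteraction="No Fallback" kerberos=yes

add policy name="Encryption Policy" description="ESP encryption required" assign=no
add rule name="Exempt Hosts" policy="Encryption Policy" filterlist="Exemptions" filteraction="Permit"
add rule name="All Traffic"  policy="Encryption Policy" filterlist="All IP Traffic" filteraction="Require Encryption" kerberos=yes

show policy all
popd
"@

Set-Content -Path $scriptPath -Value $netshScript -Encoding ASCII
netsh -f $scriptPath
```

The script deliberately leaves every policy unassigned: in the domain store a policy is assigned inside the GPO that targets the isolation group's computer group (IP Security Policies on Active Directory in the GPO editor), which is also where the security filtering from slide 27 decides which computers receive it. The only settings that differ between the four policies are inpass and soft on the filter action and whether ESP carries an encryption algorithm; everything else, including the exemption list, is shared.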

  32. Network Isolation: Additional Considerations Additional considerations include: • The maximum number of concurrent connections by unique hosts to servers using IPSec • The maximum token size limitation for hosts using IPSec

  33. Understanding Predeployment Considerations Before deploying a network isolation solution, consider the following: • Overused devices • Incompatible devices • IP addressing • Client/server participation • Services that must be isolated • Network load balancing and clustering

  34. Session Summary • Deploy IPSec to provide authentication and encryption • Use a combination of IPSec, security groups, and Group Policy for logical data isolation • Implement additional groups to isolate resources or provide functionality as required • Use the Boundary zone as a starting point when deploying isolation groups using IPSec

  35. Next Steps • Find additional security training events: http://www.microsoft.com/ireland/security/training.asp • Sign up for security communications: http://www.microsoft.com/technet/security/signup/default.mspx • Get additional security tools and content: http://www.microsoft.com/security/guidance/default.mspx • Find additional e-learning clinics: https://www.microsoftelearning.com/security

  36. Questions and Answers

  37. Contact Details Paula Kiernan Ward Solutions paula.kiernan@ward.ie www.ward.ie
