Title: Network Isolation Using Group Policy and IPSec
1 Network Isolation Using Group Policy and IPSec
- Paula Kiernan
- Senior Consultant
- Ward Solutions
2 Session Prerequisites
- Hands-on experience with Windows 2000 or Windows Server 2003
- Familiarity with Active Directory and Group Policy
- Knowledge of Windows system security concepts
- Working knowledge of TCP/IP concepts
- An understanding of the basics of Internet Protocol Security (IPSec)
Level 300
3 Session Overview
- Overview of Internet Protocol Security
- Understanding Network Isolation Using IPSec
- Understanding Advanced Network Isolation Scenarios
4 Overview of Internet Protocol Security
- Overview of Internet Protocol Security
- Understanding Network Isolation Using IPSec
- Understanding Advanced Network Isolation Scenarios
5 Securing Network Communication: What Are the Challenges?
Challenges to securing network communication include:
- Preventing data modification while in transit
- Preventing data from being read and interpreted while in transit
- Keeping data secure from unauthorized users
- Keeping data from being captured and replayed
6 What Is Internet Protocol Security?
IPSec: A framework of open standards to ensure private, secure communications over IP networks through the use of cryptographic security services
IPSec provides the following benefits:
- Transparent to users and applications
- Provides restricted access to servers
- Customizable security configuration
- Centralized IPSec policy administration through Active Directory
7 Identifying IPSec Scenarios
IPSec can be deployed in
8 Understanding Transport Mode Scenarios
9 Understanding Tunnel Mode
[Figure: site-to-site VPN. An IPSec tunnel connects the IPSec gateway at Site A with the IPSec gateway at Site B; the labelled endpoints behind the gateways are a Windows XP client and an FTP server.]
10 How Does IPSec Secure Traffic?
11 Creating IPSec Security Policies
- IP security policy
  - Rules
    - IP filter lists
      - IP filters
    - Filter actions
IP security policies can be assigned to domains, sites, and organizational units.
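As an added illustration of this policy hierarchy (not code from the session), the following Python models a policy as rules that each pair an IP filter list with a filter action, and resolves a packet to the action of its most specific matching filter. The weighting scheme and the addresses are simplifying assumptions.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
# Added example, not code from the slides: a simplified model of a Windows IPSec
# policy. A policy holds rules; each rule pairs one IP filter list (a set of IP
# filters) with one filter action; the most specific matching filter decides.
@dataclass(frozen=True)
class IPFilter:
    src: str                  # "any", a host address, or a CIDR subnet
    dst: str
    protocol: str = "any"     # "any", "tcp", "udp" or "icmp"
    mirrored: bool = True     # also match traffic in the reverse direction
    @staticmethod
    def _addr_weight(spec, addr):
        """0 = no match, 1 = 'any', 2 = subnet match, 3 = exact host match."""
        if spec == "any":
            return 1
        net = ipaddress.ip_network(spec, strict=False)
        if ipaddress.ip_address(addr) not in net:
            return 0
        return 3 if net.num_addresses == 1 else 2
    def weight(self, src, dst, proto):
        """Return 0 when the filter does not match, otherwise its specificity."""
        directions = [(src, dst)] + ([(dst, src)] if self.mirrored else [])
        best = 0
        for s, d in directions:
            ws, wd = self._addr_weight(self.src, s), self._addr_weight(self.dst, d)
            if ws and wd and self.protocol in ("any", proto):
                best = max(best, ws + wd + (self.protocol != "any"))
        return best

# A rule pairs a filter list (tuple of IPFilter) with "permit", "block" or "negotiate".
Rule = namedtuple("Rule", "name filter_list action")

def evaluate(policy, src, dst, proto="tcp"):
    """Apply a policy (list of rules) to one packet; 'permit' when nothing matches."""
    best_weight, chosen = 0, "permit"
    for rule in policy:
        for f in rule.filter_list:
            w = f.weight(src, dst, proto)
            if w > best_weight:
                best_weight, chosen = w, rule.action
    return chosen

# Constructed sample policy (hypothetical addresses): secure the server subnet, exempt the DC, block guest ICMP.
ISOLATION_POLICY = [
    Rule("Secure servers", (IPFilter("any", "10.0.0.0/24"),), "negotiate"),
    Rule("Exempt DC", (IPFilter("any", "10.0.0.10"),), "permit"),
    Rule("Block guest ICMP", (IPFilter("192.168.50.0/24", "any", "icmp"),), "block"),
]
```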
12 Demonstration 1: Configuring and Assigning IP Security Policies
- Configure and assign an IP Security policy
13 Understanding Network Isolation Using IPSec
- Overview of Internet Protocol Security
- Understanding Network Isolation Using IPSec
- Understanding Advanced Network Isolation Scenarios
14 What Is Network Isolation?
Network isolation: The ability to allow or deny certain types of network access between computers that have direct Internet Protocol connectivity between them
Benefits of introducing a logical data isolation defense layer include:
- Additional security
- Control of who can access specific information
- Control of computer management
- Protection against malware attacks
- A mechanism to encrypt network data
15 Identifying Trusted Computers
Trusted computer: A managed device that is in a known state and meets minimum security requirements
Untrusted computer: A device that may not meet the minimum security requirements, mainly because it is unmanaged or not centrally controlled
16 Goals That Are Achievable Using Network Isolation
The following goals can be achieved by using network isolation:
- Isolate trusted domain member computers from untrusted devices at the network level
- Help to ensure that a device meets the security requirements for accessing a trusted asset
- Allow trusted domain members to restrict inbound network access to a specific group of domain member computers
- Focus and prioritize proactive monitoring and compliance efforts
- Focus security efforts on the few trusted assets that require access from untrusted devices
- Focus and accelerate remediation and recovery efforts
17 Risks That Cannot Be Mitigated Using Isolation
Risks that will not be directly mitigated by network isolation include:
- Trusted users disclosing sensitive data
- Compromise of trusted user credentials
- Untrusted computers accessing other untrusted computers
- Trusted users misusing or abusing their trusted status
- Lack of security compliance of trusted devices
- Compromised trusted computers accessing other trusted computers
18 How Does Network Isolation Fit into Network Security?
[Figure: defense-in-depth layers, with logical data isolation added as its own layer, from the outside in:]
- Policies, procedures, and awareness
- Physical security
- Perimeter
- Internal network
- Logical data isolation
- Host
- Application
- Data
19 How Can Network Isolation Be Achieved?
Components of the network isolation solution include
20 Controlling Computer Access Using Network Access Groups and IPSec
- Step 1: User attempts to access share on server
- Step 2: IKE main mode negotiation
- Step 3: IPSec security method negotiation
[Figure: layered access controls on the server: computer access permissions (IPSec), host access permissions, and share and access permissions, with logical data isolation provided at the IPSec layer]
21 Controlling Host Access Using Network Access Groups
- Step 1: User attempts to access share on server
- Step 2: IKE main mode negotiation
- Step 3: IPSec security method negotiation
- Step 4: User host access permissions checked
- Step 5: Share and access permissions checked
[Figure: the same layered access controls (computer access permissions (IPSec), host access permissions, share and access permissions), with Group Policy applying the IPSec policy and the Dept_Computers NAG to the server]
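An added model of the five steps above (not code from the session): each layer is a function that must pass before the next one is evaluated, and in the host access check a Deny NAG always takes precedence over an Allow NAG. The computer-level NAG check sits where the figure places computer access permissions (IPSec). All computer, user, group and share names are constructed.

```python
from dataclasses import dataclass, field
# Added example, not from the slides: a model of the access checks on slides 20
# and 21. Computers, users, groups and the share are constructed names.
@dataclass
class Computer:
    name: str
    domain_member: bool = True
    ipsec_policy: bool = True                 # IPSec policy assigned through Group Policy
    groups: frozenset = frozenset()           # computer account's security groups

@dataclass
class Server(Computer):
    allow_nag: frozenset = frozenset()        # granted "Access this computer from the network"
    deny_nag: frozenset = frozenset()         # granted "Deny access to this computer from the network"
    shares: dict = field(default_factory=dict)  # share name -> principals with access

def ike_main_mode(client, server):
    """Step 2: Kerberos computer authentication needs two domain members with IPSec policy."""
    return all((client.domain_member, server.domain_member, client.ipsec_policy, server.ipsec_policy))

def host_access(principals, server):
    """Network logon right: a Deny NAG always wins; an Allow NAG must match when one is set."""
    if principals & server.deny_nag:
        return False
    return not server.allow_nag or bool(principals & server.allow_nag)

def request_share(client, user, user_groups, server, share):
    """Walk the request from IKE to share permissions; report the first layer that denies it."""
    if not ike_main_mode(client, server):
        return "denied: IKE main mode failed, no IPSec security association"
    if not host_access(client.groups | {client.name}, server):
        return "denied: computer access permissions (IPSec NAG)"
    principals = set(user_groups) | {user}
    if not host_access(principals, server):
        return "denied: user host access permissions"
    if not principals & server.shares.get(share, frozenset()):
        return "denied: share and access permissions"
    return "granted"

# Constructed scenario: a department file server that only Dept_Computers and Dept_Users may reach.
FILESRV = Server("filesrv01", allow_nag=frozenset({"Dept_Computers", "Dept_Users"}),
                 deny_nag=frozenset({"Deny_Network_Access"}),
                 shares={"Reports": frozenset({"Dept_Users"})})
DEPT_PC = Computer("ws-101", groups=frozenset({"Dept_Computers"}))
LAB_PC = Computer("lab-07", groups=frozenset({"Lab_Computers"}))
KIOSK = Computer("kiosk-2", domain_member=False, ipsec_policy=False)
```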
22 Demonstration 2: Configuring and Implementing Network Access Groups
- Configure network access groups to enhance security
23 Understanding Advanced Network Isolation Scenarios
- Overview of Internet Protocol Security
- Examining Network Isolation Using IPSec
- Understanding Advanced Network Isolation Scenarios
24 Creating the Network Isolation Design
The network isolation design process involves:
- Designing the foundational groups
- Creating Exemption Lists
- Planning the computer and network access groups
- Creating additional isolation groups
- Traffic modeling
- Assigning the group and network access group memberships
25 Designing the Foundational Groups
[Figure: the foundational groups: Isolation Domain, Boundary Isolation Group, and Untrusted Systems]
26 Creating Exemptions Lists
The following conditions might cause a host to be on the Exemptions List:
- The host is a computer that trusted hosts require access to, but it does not have a compatible IPSec implementation
- The host is used for an application that is adversely affected by the three-second fall-back-to-clear delay or by IPSec encapsulation of application traffic
- The host has issues that impact its performance
- The host is a domain controller
27 Planning the Computer and Network Access Groups
Computer groups:
- Used to contain members of a specific isolation group
- Assigned to Group Policy Objects to implement various security settings
Network access groups:
- Can be one of two types, Allow or Deny
- Assigned to Group Policy to control Allow or Deny access to a computer
28 Creating Additional Isolation Groups
Reasons to create additional isolation groups include:
- Encryption requirements
- Alternative outgoing or incoming network traffic requirements
- Limited computer or user access required at the network level
[Figure: isolation groups: Isolation Domain, Encryption Isolation Group, No Fallback Isolation Group, and Untrusted Systems]
29 Understanding Traffic Modeling
[Figure: traffic model with seven numbered flows among trusted devices (Exemptions Lists, Isolation domain, Boundary) and Untrusted systems; legend: IPSec vs. plaintext or fall back to clear]
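An added traffic-modeling helper, not part of the session, for the groups introduced on slides 25 and 28: it classifies each required flow by the isolation group of its two ends and reports the flows the design would block, which is where an exemption or a Boundary-group placement has to be considered. The per-group behaviour encoded here (inbound IPSec required by trusted groups, the three-second fall back to clear for the Isolation Domain and Boundary groups, no fall back for the No Fallback group, encryption for the Encryption group, clear traffic for exempted hosts) is an assumption for illustration, as are the host names.

```python
# Added example, not from the slides: a traffic model for the isolation groups on
# slides 25 and 28. The per-group behaviour below is the conventional meaning of
# those groups and is an assumption for illustration, not the deck's own figure.
TRUSTED = {"isolation_domain", "boundary", "encryption", "no_fallback"}
FALLS_BACK = {"isolation_domain", "boundary"}   # outbound: try IPSec, then clear after the ~3 s delay

def model_traffic(initiator, responder):
    """Classify one connection by the isolation group of each end.

    Returns "ipsec", "ipsec-encrypted", "clear", "fallback-clear" or "blocked".
    """
    if "exempt" in (initiator, responder):
        return "clear"                       # Exemptions List hosts are always reached in clear
    if initiator in TRUSTED and responder in TRUSTED:
        return "ipsec-encrypted" if "encryption" in (initiator, responder) else "ipsec"
    if initiator in TRUSTED:                 # untrusted responder cannot complete IKE
        return "fallback-clear" if initiator in FALLS_BACK else "blocked"
    if responder in TRUSTED:                 # untrusted initiator: only the Boundary group accepts clear inbound
        return "clear" if responder == "boundary" else "blocked"
    return "clear"                           # untrusted to untrusted is outside the isolation design

def find_broken_flows(required_flows, assignment):
    """Traffic modeling step: list required (src, dst) flows the design would block."""
    broken = []
    for src, dst in required_flows:
        if model_traffic(assignment[src], assignment[dst]) == "blocked":
            broken.append((src, dst, assignment[src], assignment[dst]))
    return broken

# Constructed inventory and required flows (hypothetical host names).
ASSIGNMENT = {
    "ws-101": "isolation_domain", "app01": "no_fallback", "hr-db": "encryption",
    "web01": "boundary", "dc01": "exempt", "legacy-db": "untrusted", "printer-3": "untrusted",
}
REQUIRED_FLOWS = [
    ("ws-101", "hr-db"), ("app01", "legacy-db"), ("ws-101", "dc01"),
    ("printer-3", "web01"), ("printer-3", "ws-101"), ("ws-101", "printer-3"),
]
```

Each blocked flow is a design decision to make explicitly: move the untrusted end onto the Exemptions List, place the trusted end in the Boundary group, or accept that the flow is cut.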
30 Assigning Computer Group and Network Access Group Memberships
The final tasks of designing isolation groups include assigning:
- Computer group membership: place each computer into one group based on communication requirements
- NAG membership: place the users and computers that require granular permissions into each previously identified NAG
31 Demonstration 3: Implementing Isolation Groups
- Implement and deploy Isolation Groups using computer security groups
32 Network Isolation: Additional Considerations
Additional considerations include:
- The maximum number of concurrent connections by unique hosts to servers using IPSec
- The maximum token size limitation for hosts using IPSec
33 Understanding Predeployment Considerations
Before deploying a network isolation solution,
consider the following
- Overused devices
- Incompatible devices
- IP addressing
- Client/server participation
- Services that must be isolated
- Network load balancing and clustering
34 Session Summary
- Deploy IPSec to provide authentication and encryption
- Use a combination of IPSec, security groups, and Group Policy for logical data isolation
- Implement additional groups to isolate resources or provide functionality as required
- Use the Boundary zone as a starting point when deploying isolation groups using IPSec
35 Next Steps
- Find additional security training events
  - http://www.microsoft.com/ireland/security/training.asp
- Sign up for security communications
  - http://www.microsoft.com/technet/security/signup/default.mspx
- Get additional security tools and content
  - http://www.microsoft.com/security/guidance/default.mspx
- Find additional e-learning clinics
  - https://www.microsoftelearning.com/security
36 Questions and Answers
37 Contact Details
- Paula Kiernan
- Ward Solutions
- paula.kiernan_at_ward.ie
- www.ward.ie