Date post: 03-Jan-2016
Upload: kenneth-ford

Implementing Network and Perimeter Security

Prerequisite Knowledge
- Understanding of network security essentials
- Hands-on experience with Windows® 2000 Server or Windows Server™ 2003
- Experience with Windows management tools

Level 300

Agenda
- Introduction
- Using Perimeter Defenses
- Using Microsoft® Internet Security and Acceleration (ISA) Server to Protect Perimeters
- Using Internet Connection Firewall (ICF) to Protect Clients
- Protecting Wireless Networks
- Protecting Communications by Using IPSec

Defense in Depth
Using a layered approach:
- Increases an attacker's risk of detection
- Reduces an attacker's chance of success

Layers (outermost first) and the example controls the slide places at each:
- Policies, Procedures, & Awareness: User education
- Physical Security: Guards, locks, tracking devices
- Perimeter: Firewalls, VPN quarantine
- Internal Network: Network segments, IPSec, NIDS
- Host: OS hardening, update management, authentication, HIDS
- Application: Application hardening, antivirus
- Data: ACL, encryption

Purpose and Limitations of Perimeter Defenses
- Properly configured firewalls and border routers are the cornerstone for perimeter security
- The Internet and mobility increase security risks
- VPNs have softened the perimeter and, along with wireless networking, have essentially caused the disappearance of the traditional concept of a network perimeter
- Traditional packet-filtering firewalls block only network ports and computer addresses
- Most modern attacks occur at the application layer

Purpose and Limitations of Client Defenses
- Client defenses block attacks that bypass perimeter defenses or originate on the internal network
- Client defenses include, among others:
  - Operating system hardening
  - Antivirus software
  - Personal firewalls
- Client defenses require configuring many computers
- In unmanaged environments, users may bypass client defenses

Purpose and Limitations of Intrusion Detection
- Detects the pattern of common attacks, records suspicious traffic in event logs, and/or alerts administrators
- Threats and vulnerabilities are constantly evolving, which leaves systems vulnerable until a new attack is known and a new signature is created and distributed

Goals of Network Security
- Goals: Perimeter Defense, Client Defense, Intrusion Detection, Network Access Control, Confidentiality, Secure Remote Access
- Technologies covered in this session: ISA Server, ICF, 802.1x / WPA, IPSec

Section: Using Perimeter Defenses

Perimeter Connections Overview
Network perimeters include connections to:
- The Internet
- Branch offices
- Business partners
- Remote users
- Wireless networks
- Internet applications
(Slide diagram: the Main Office LAN connected to a Business Partner LAN, a Branch Office LAN, a Wireless Network, a Remote User, and the Internet)

Firewall Design: Three-Homed
(Slide diagram: a single firewall with three interfaces, one each to the Internet, the Screened Subnet, and the LAN)

Firewall Design: Back-to-Back
(Slide diagram: Internet, External Firewall, Screened Subnet, Internal Firewall, LAN, in that order)

What Firewalls Do NOT Protect Against
- Malicious traffic that is passed on open ports and not inspected at the application layer by the firewall
- Any traffic that passes through an encrypted tunnel or session
- Attacks after a network has been penetrated
- Traffic that appears legitimate
- Users and administrators who intentionally or accidentally install viruses
- Administrators who use weak passwords

Software vs. Hardware Firewalls
Decision factors:
- Flexibility: Updating for the latest vulnerabilities and patches is often easier with software-based firewalls.
- Extensibility: Many hardware firewalls allow only limited customizability.
- Choice of Vendors: Software firewalls allow you to choose from hardware for a wide variety of needs, and there is no reliance on a single vendor for additional hardware.
- Cost: Initial purchase price for hardware firewalls might be less. Software firewalls take advantage of low CPU costs. The hardware can be easily upgraded, and old hardware can be repurposed.
- Complexity: Hardware firewalls are often less complex.
- Overall Suitability: The most important decision factor is whether a firewall can perform the required tasks. Often the lines between hardware and software firewalls are blurred.

Types of Firewall Functions
- Packet Filtering
- Stateful Inspection
- Application-Layer Inspection
- Multi-layer Inspection (Including Application-Layer Filtering)

Section: Using ISA Server to Protect Perimeters
(ISA Server: basic intrusion detection, extended by partners)

Protecting Perimeters
- ISA Server has full screening capabilities:
  - Packet filtering
  - Stateful inspection
  - Application-level inspection
- ISA Server blocks all network traffic unless you allow it
- ISA Server provides secure VPN connectivity
- ISA Server is ICSA certified and Common Criteria certified

Protecting Clients
- Proxy Functions: Processes all requests for clients and never allows direct connections.
- Client Support: Support for all clients without special software. Installation of ISA Firewall software on Windows clients allows for greater functionality.
- Rules: Protocol Rules, Site and Content Rules, and Publishing Rules determine if access is allowed.
- Add-ons

Protecting Web Servers
- Web Publishing Rules: Protect Web servers behind the firewall from external attacks by inspecting HTTP traffic and ensuring that it is properly formatted and complies with standards
- Inspection of Secure Socket Layer (SSL) traffic:
  - Decrypts and inspects incoming encrypted Web requests for proper formatting and standards compliance
  - Will optionally re-encrypt the traffic before sending it to your Web server
- URLScan:
  - ISA Server Feature Pack 1 includes URLScan 2.5 for ISA Server
  - Allows the URLScan ISAPI filter to be applied at the network perimeter
  - General blocking for all Web servers behind the firewall
  - Perimeter blocking for known and newly discovered attacks
(Slide diagram: ISA Server in front of Web Server 1, Web Server 2, and Web Server 3)

Protecting Exchange Server
- Mail Publishing Wizard: Configures ISA Server rules to securely publish internal mail services to external users
- Message Screener: Screens SMTP e-mail messages that enter the internal network
- RPC Publishing: Secures native protocol access for Microsoft Outlook® clients.
- OWA Publishing: Provides protection of the OWA front-end for remote Outlook users accessing Microsoft Exchange Server over untrusted networks without a VPN

Traffic That Bypasses Firewall Inspection
- SSL tunnels through traditional firewalls because it is encrypted, which allows viruses and worms to pass through undetected and infect internal servers
- VPN traffic is encrypted and cannot be inspected
- Instant Messenger (IM) traffic often is not inspected and might be used to transfer files

Inspecting All Traffic
- Use intrusion detection and other mechanisms to inspect VPN traffic after it has been decrypted
- Remember: Defense in Depth
- Use a firewall that can inspect SSL traffic
- Expand the inspection capabilities of your firewall
- Use firewall add-ons to inspect IM traffic

SSL Inspection
- SSL tunnels through traditional firewalls because it is encrypted, which allows viruses and worms to pass through undetected and infect internal servers.
- ISA Server can decrypt and inspect SSL traffic. Inspected traffic can be sent to the internal server re-encrypted or in the clear.

ISA Server Hardening
- Harden the network stack
- Disable unnecessary network protocols on the external network interface:
  - Client for Microsoft Networks
  - File and Printer Sharing for Microsoft Networks
  - NetBIOS over TCP/IP

Best Practices
- Use access rules that only allow requests that are specifically allowed
- Use ISA Server's authentication capabilities to restrict and log Internet access
- Configure Web publishing rules only for specific destination sets
- Use SSL Inspection to inspect encrypted data that is entering your network

Section: Using ICF to Protect Clients

Overview of ICF
- What It Is: Internet Connection Firewall in Microsoft Windows XP and Microsoft Windows Server 2003
- What It Does: Helps stop network-based attacks, such as Blaster, by blocking all unsolicited inbound traffic
- Key Features:
  - Ports can be opened for services running on the computer
  - Enterprise administration through Group Policy

Enabling ICF
- Enabled by:
  - Selecting one check box
  - Network Setup Wizard
  - New Connection Wizard
- Enabled separately for each network connection

ICF Advanced Settings
- Network services
- Web-based applications

ICF Security Logging
- Logging options
- Log file options

ICF in the Enterprise
- Configure ICF by using Group Policy
- Combine ICF with Network Access Quarantine Control

Best Practices
- Use ICF for home offices and small businesses to provide protection for computers directly connected to the Internet
- Do not turn on ICF for a VPN connection (but do enable ICF for the underlying LAN or dial-up connection)
- Configure service definitions for each ICF connection through which you want the service to work
- Set the size of the security log to 16 megabytes to prevent an overflow that might be caused by denial-of-service attacks

Section: Protecting Wireless Networks

Wireless Security Issues
- Limitations of Wired Equivalent Privacy (WEP):
  - Static WEP keys are not dynamically changed and therefore are vulnerable to attack.
  - There is no standard method for provisioning static WEP keys to clients.
  - Scalability: Compromise of a static WEP key by anyone exposes everyone.
- Limitations of MAC Address Filtering:
  - An attacker could spoof an allowed MAC address.

Possible Solutions
- Password-based Layer 2 Authentication: IEEE 802.1x PEAP/MSCHAP v2
- Certificate-based Layer 2 Authentication: IEEE 802.1x EAP-TLS
- Other Options:
  - VPN Connectivity: L2TP/IPsec (preferred) or PPTP
    - Does not allow for roaming
    - Useful when using public wireless hotspots
    - No computer authentication or processing of computer settings in Group Policy
  - IPSec: Interoperability issues

WLAN Security Comparisons
WLAN Security Type: Security Level / Ease of Deployment / Usability and Integration
- Static WEP: Low / High / High
- IEEE 802.1X PEAP: High / Medium / High
- IEEE 802.1x TLS: High / Low / High
- VPN: High (L2TP/IPSec) / Medium / Low
- IPSec: High / Low / Low

802.1x
- Defines a port-based access control mechanism
  - Works on anything, wired or wireless
  - No special encryption key requirements
- Allows choice of authentication methods using Extensible Authentication Protocol (EAP)
  - Chosen by peers at authentication time
  - Access point doesn't care about EAP methods
- Manages keys automatically
  - No need to preprogram wireless encryption keys

802.1x on 802.11
(Slide diagram: a Laptop Computer on the Wireless (802.11) side, an Access Point, and a RADIUS Server on the Ethernet side; the message sequence shown is:)
1. 802.11 Associate: the association completes, but access is blocked
2. Laptop -> Access Point: EAPOL-Start
3. Access Point -> Laptop: EAP-Request/Identity
4. Laptop -> Access Point: EAP-Response/Identity
5. Access Point -> RADIUS Server: Radius-Access-Request
6. RADIUS Server -> Access Point: Radius-Access-Challenge
7. Access Point -> Laptop: EAP-Request
8. Laptop -> Access Point: EAP-Response (credentials)
9. Access Point -> RADIUS Server: Radius-Access-Request
10. RADIUS Server -> Access Point: Radius-Access-Accept
11. Access Point -> Laptop: EAP-Success
12. Access Point -> Laptop: EAPOL-Key (Key)
13. Access Allowed

System Requirements for 802.1x
- Client: Windows XP
- Server: Windows Server 2003 IAS
  - Internet Authentication Service, our RADIUS server
  - Certificate on the IAS computer
- 802.1x on Windows 2000:
  - Client and IAS must have SP3
  - See KB article 313664
  - No zero-configuration support in the client
  - Supports only EAP-TLS and MS-CHAPv2
  - Future EAP methods in Windows XP and Windows Server 2003 might not be backported

802.1x Setup
1. Configure Windows Server 2003 with IAS
2. Join a domain
3. Enroll computer certificate
4. Register IAS in Active Directory
5. Configure RADIUS logging
6. Add AP as RADIUS client
7. Configure AP for RADIUS and 802.1x
8. Create wireless client access policy
9. Configure clients (don't forget to import the root certificate)

Access Policy
Policy conditions:
- NAS-port-type matches Wireless IEEE 802.11 OR Wireless Other
- Windows-group = <some group in AD>
  - Optional; allows administrative control
  - Should contain user and computer accounts

Access Policy Profile
- Time-out: 60 min. (802.11b) or 10 min. (802.11a/g)
- No regular authentication methods
- EAP type: protected EAP; use computer certificate
- Encryption: only strongest (MPPE 128-bit)
- Attributes: Ignore-User-Dialin-Properties = True
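The 802.1x on 802.11 exchange shown earlier and the access-policy conditions above (NAS-port-type and Windows-group) can be traced end to end in a small simulation. This is an added example written for this transcript, not Microsoft or IAS code: the supplicant, access point and RADIUS server are plain Python objects; the directory entries, the group name "Wireless Users", the identities and the secrets are constructed; and the session key is a placeholder string rather than a key derived by an EAP method. It shows the controlled port staying blocked until Radius-Access-Accept and EAP-Success arrive, and the policy rejecting a request that comes from a non-wireless port type or from an account outside the configured group.

```python
from dataclasses import dataclass, field

# NAS-Port-Type values the policy condition accepts (labels as on the slide)
WIRELESS_PORT_TYPES = {"Wireless IEEE 802.11", "Wireless Other"}


@dataclass
class RadiusServer:
    """Stand-in for IAS: evaluates the access policy and answers Access-Requests."""
    allowed_group: str      # the <some group in AD> condition
    directory: dict         # constructed identity -> {"secret": ..., "groups": {...}}

    def access_request(self, nas_port_type, identity, credential=None):
        # Policy condition 1: NAS-Port-Type must be one of the wireless types
        if nas_port_type not in WIRELESS_PORT_TYPES:
            return "Radius-Access-Reject", None
        # Policy condition 2: the account must be a member of the configured group
        entry = self.directory.get(identity)
        if entry is None or self.allowed_group not in entry["groups"]:
            return "Radius-Access-Reject", None
        # The first request carries only the identity: challenge for credentials
        if credential is None:
            return "Radius-Access-Challenge", None
        if credential != entry["secret"]:
            return "Radius-Access-Reject", None
        # Placeholder key (assumption); a real EAP method derives this during the exchange
        return "Radius-Access-Accept", f"key-for-{identity}"


@dataclass
class Supplicant:
    identity: str
    secret: str


@dataclass
class AccessPoint:
    """Authenticator: relays EAP over EAPOL to the client and over RADIUS to the server."""
    radius: RadiusServer
    nas_port_type: str = "Wireless IEEE 802.11"
    port_open: bool = False
    transcript: list = field(default_factory=list)

    def authenticate(self, client: Supplicant) -> bool:
        self.port_open = False
        self.transcript = ["802.11 Associate (Access Blocked)", "EAPOL-Start",
                           "EAP-Request/Identity", "EAP-Response/Identity"]
        code, key = self.radius.access_request(self.nas_port_type, client.identity)
        self.transcript += ["Radius-Access-Request", code]
        if code != "Radius-Access-Challenge":
            self.transcript.append("EAP-Failure")
            return False
        self.transcript += ["EAP-Request", "EAP-Response (credentials)"]
        code, key = self.radius.access_request(self.nas_port_type, client.identity, client.secret)
        self.transcript += ["Radius-Access-Request", code]
        if code != "Radius-Access-Accept":
            self.transcript.append("EAP-Failure")
            return False
        # Only now does the controlled port open and the key get delivered
        self.transcript += ["EAP-Success", f"EAPOL-Key ({key})", "Access Allowed"]
        self.port_open = True
        return True


def demo_server() -> RadiusServer:
    """Constructed directory: one account in the wireless group, one outside it."""
    return RadiusServer("Wireless Users", {
        "alice@corp.example": {"secret": "s3cret-pw", "groups": {"Domain Users", "Wireless Users"}},
        "bob@corp.example": {"secret": "other-pw", "groups": {"Domain Users"}},
    })


if __name__ == "__main__":
    ap = AccessPoint(demo_server())
    print(ap.authenticate(Supplicant("alice@corp.example", "s3cret-pw")), ap.transcript)
    print(ap.authenticate(Supplicant("bob@corp.example", "other-pw")), ap.transcript)
```

Constructing the access point with `nas_port_type="Ethernet"` exercises the first policy condition: the same valid account is rejected because the request does not arrive over a wireless port type, which is why the slide recommends separate policies and groups for wireless users.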

Wireless Protected Access (WPA)
- A specification of standards-based, interoperable security enhancements that strongly increase the level of data protection and access control for existing and future wireless LAN systems
- WPA requires 802.1x authentication for network access
- Goals:
  - Enhanced data encryption
  - Provide user authentication
  - Be forward compatible with 802.11i
  - Provide a non-RADIUS solution for small/home offices
- The Wi-Fi Alliance began certification testing for interoperability on WPA products in February 2003

Best Practices
- Use 802.1x authentication
- Organize wireless users and computers into groups
- Apply wireless access policies using Group Policy
- Use EAP-TLS for certificate-based authentication and PEAP for password-based authentication
- Configure your remote access policy to support user authentication as well as machine authentication
- Develop a method to deal with rogue access points, such as LAN-based 802.1x authentication, site surveys, network monitoring, and user education

Section: Protecting Communications by Using IPSec

Overview of IPSec
- What is IP Security (IPSec)?
  - A method to secure IP traffic
  - Framework of open standards developed by the Internet Engineering Task Force (IETF)
- Why use IPSec?
  - To ensure encrypted and authenticated communications at the IP layer
  - To provide transport security that is independent of applications or application-layer protocols

IPSec Scenarios
- Basic permit/block packet filtering
- Secure internal LAN communications
- Domain replication through firewalls
- VPN across untrusted media

Implementing IPSec Packet Filtering
- Filters for allowed and blocked traffic
- No actual negotiation of IPSec security associations
- Overlapping filters: the most specific match determines the action
- Does not provide stateful filtering
- Must set "NoDefaultExempt = 1" to be secure

From IP / To IP / Protocol / Src Port / Dest Port / Action
- Any / My Internet IP / Any / N/A / N/A / Block
- Any / My Internet IP / TCP / Any / 80 / Permit

Packet Filtering Is Not Sufficient to Protect Server
- Spoofed IP packets containing queries or malicious content can still reach open ports through firewalls
- IPSec does not provide stateful inspection
- Many hacker tools use source ports 80, 88, 135, and so on, to connect to any destination port

Traffic Not Filtered by IPSec
- IP broadcast addresses: cannot secure to multiple receivers
- Multicast addresses: from 224.0.0.0 through 239.255.255.255
- Kerberos: UDP source or destination port 88
  - Kerberos is a secure protocol, which the Internet Key Exchange (IKE) negotiation service may use for authentication of other computers in a domain
- IKE: UDP destination port 500
  - Required to allow IKE to negotiate parameters for IPSec security
- Windows Server 2003 configures only the IKE default exemption
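To make the packet-filtering slides concrete, the following added example (written for this transcript, not Windows IPSec code) models the behaviour they describe: static filters where the most specific match wins, no connection state, and default exemptions that bypass the filter list entirely. The two filter rows are the ones from the table above; "My Internet IP" is the constructed address 203.0.113.10 and the sample packets are constructed. The exemption logic is a simplified model: with NoDefaultExempt = 0 it exempts broadcast, multicast, Kerberos (UDP 88) and IKE (UDP 500), with NoDefaultExempt = 1 only IKE, matching the Windows Server 2003 behaviour stated above. Treating traffic that matches no filter as permitted is an assumption of the model. The extra "reply" filter list shows why stateless filtering is not sufficient: a filter that admits source port 80 so that answers to the server's own web requests get in also admits any packet whose source port happens to be 80.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = "Any"
MY_INTERNET_IP = "203.0.113.10"                    # constructed address (TEST-NET-3)
MULTICAST = ipaddress.ip_network("224.0.0.0/4")   # 224.0.0.0 through 239.255.255.255


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "TCP", "UDP", ...
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Filter:
    src: str
    dst: str
    proto: str
    sport: object               # port number or ANY
    dport: object
    action: str                 # "Permit" or "Block"

    def matches(self, p: Packet) -> bool:
        wanted = (self.src, self.dst, self.proto, self.sport, self.dport)
        actual = (p.src, p.dst, p.proto, p.sport, p.dport)
        return all(w == ANY or w == a for w, a in zip(wanted, actual))

    def specificity(self) -> int:
        # More non-wildcard fields means a more specific filter; the slides say
        # the most specific matching filter determines the action
        return sum(f != ANY for f in (self.src, self.dst, self.proto, self.sport, self.dport))


def is_default_exempt(p: Packet, no_default_exempt: int) -> bool:
    """Traffic the filter list never sees (simplified model, see lead-in)."""
    if p.proto == "UDP" and p.dport == 500:             # IKE is exempt either way
        return True
    if no_default_exempt:
        return False
    if p.dst == "255.255.255.255" or ipaddress.ip_address(p.dst) in MULTICAST:
        return True
    return p.proto == "UDP" and 88 in (p.sport, p.dport)    # Kerberos, either side


def evaluate(filters, p: Packet, no_default_exempt: int = 1) -> str:
    """Return 'Exempt', 'Permit' or 'Block' for one packet; no state is kept."""
    if is_default_exempt(p, no_default_exempt):
        return "Exempt"
    hits = [f for f in filters if f.matches(p)]
    if not hits:
        return "Permit"         # assumption: traffic matched by no filter passes unfiltered
    return max(hits, key=Filter.specificity).action


# The two rows from the slide table
SLIDE_FILTERS = [
    Filter(ANY, MY_INTERNET_IP, ANY, ANY, ANY, "Block"),
    Filter(ANY, MY_INTERNET_IP, "TCP", ANY, 80, "Permit"),
]

# A reply filter an administrator might add so that answers to the server's own
# outbound web requests get in; stateless matching cannot tell replies from new connections
REPLY_FILTERS = SLIDE_FILTERS + [Filter(ANY, MY_INTERNET_IP, "TCP", 80, ANY, "Permit")]

# Constructed sample packets
WEB_REQUEST = Packet("198.51.100.7", MY_INTERNET_IP, "TCP", 40000, 80)
SMB_PROBE = Packet("198.51.100.7", MY_INTERNET_IP, "TCP", 40000, 445)
IKE_PACKET = Packet("198.51.100.7", MY_INTERNET_IP, "UDP", 500, 500)
KERB_SRC_PORT = Packet("198.51.100.7", MY_INTERNET_IP, "UDP", 88, 445)
SRC_PORT_80 = Packet("198.51.100.7", MY_INTERNET_IP, "TCP", 80, 445)


if __name__ == "__main__":
    for name, pkt in [("web request", WEB_REQUEST), ("smb probe", SMB_PROBE), ("ike", IKE_PACKET)]:
        print(name, evaluate(SLIDE_FILTERS, pkt))
    print("udp src 88, NoDefaultExempt=0:", evaluate(SLIDE_FILTERS, KERB_SRC_PORT, 0))
    print("udp src 88, NoDefaultExempt=1:", evaluate(SLIDE_FILTERS, KERB_SRC_PORT, 1))
    print("tcp src 80 with reply filter:", evaluate(REPLY_FILTERS, SRC_PORT_80))
```

The two NoDefaultExempt runs on the UDP source-port-88 packet are the point of the "must set NoDefaultExempt = 1" bullet: with the exemption in place the Block filter is never consulted, and with it removed the packet is blocked. The reply-filter run illustrates the "source ports 80, 88, 135" bullet, and is the reason the next slides recommend a stateful firewall in front of the server rather than IPSec filters alone.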

Secure Internal Communications
- Use IPSec to provide mutual device authentication
  - Use certificates or Kerberos
  - Preshared key suitable for testing only
- Use Authentication Header (AH) to ensure packet integrity
  - AH provides packet integrity
  - AH does not encrypt, allowing for network intrusion detection
- Use Encapsulating Security Payload (ESP) to encrypt sensitive traffic
  - ESP provides packet integrity and confidentiality
  - Encryption prevents packet inspection
- Carefully plan which traffic should be secured

IPSec for Domain Replication
- Use IPSec for replication through firewalls
- On each domain controller, create an IPSec policy to secure all traffic to the other domain controller's IP address
- Use ESP 3DES for encryption
- Allow traffic through the firewall:
  - UDP port 500 (IKE)
  - IP protocol 50 (ESP)

VPN Across Untrusted Media
- Client VPN: Use L2TP/IPSec
- Branch Office VPN:
  - Between Windows 2000 or Windows Server running RRAS: Use an L2TP/IPSec tunnel (easy to configure, appears as a routable interface)
  - To a third-party gateway: Use L2TP/IPSec or pure IPSec tunnel mode
  - To a Microsoft Windows NT® 4 RRAS gateway: Use PPTP (IPSec not available)

IPSec Performance
- IPSec processing has some performance impact
  - IKE negotiation time: about 2–5 seconds initially
    - 5 round trips
    - Authentication: Kerberos or certificates
    - Cryptographic key generation and encrypted messages
    - Done once per 8 hours by default, settable
  - Session rekey is fast: <1–2 seconds, 2 round trips, once per hour, settable
  - Encryption of packets
- How to improve?
  - Offloading NICs do IPSec almost at wire speed
  - Using faster CPUs

Best Practices
- Plan your IPSec implementation carefully
- Choose between AH and ESP
- Use Group Policy to implement IPSec policies
- Consider the use of IPSec NICs
- Never use Shared Key authentication outside your test lab
- Choose between certificates and Kerberos authentication
- Use care when requiring IPSec for communications with domain controllers and other infrastructure servers

Session Summary
- Introduction/Defense in Depth
- Using Perimeter Defenses
- Using ISA Server to Protect Perimeters
- Using ICF to Protect Clients
- Protecting Wireless Networks
- Protecting Networks by Using IPSec

Next Steps
- Stay informed and sign up for security bulletins.
- Get the latest Microsoft security guidance.
- Get further security training.
- Get expert help with a Microsoft® Certified Partner.

- Microsoft Security Site (all audiences): http://www.microsoft.com/uk/security
- TechNet Security Site (IT professionals): http://www.microsoft.com/uk/technet/
- MSDN Security Site (developers): http://www.microsoft.com/uk/msdn/

