Date posted: 03-Jan-2016 | Uploaded by: kenneth-ford
Prerequisite Knowledge
- Understanding of network security essentials
- Hands-on experience with Windows® 2000 Server or Windows Server™ 2003
- Experience with Windows management tools
Level 300
Agenda
- Introduction
- Using Perimeter Defenses
- Using Microsoft® Internet Security and Acceleration (ISA) Server to Protect Perimeters
- Using Internet Connection Firewall (ICF) to Protect Clients
- Protecting Wireless Networks
- Protecting Communications by Using IPSec
Defense in Depth
Using a layered approach:
- Increases an attacker's risk of detection
- Reduces an attacker's chance of success

Layer | Example controls
Policies, Procedures, & Awareness | User education
Physical Security | Guards, locks, tracking devices
Perimeter | Firewalls, VPN quarantine
Internal Network | Network segments, IPSec, NIDS
Host | OS hardening, update management, authentication, HIDS
Application | Application hardening, antivirus
Data | ACL, encryption
Purpose and Limitations of Perimeter Defenses
- Properly configured firewalls and border routers are the cornerstone of perimeter security
- The Internet and mobility increase security risks
- VPNs have softened the perimeter and, along with wireless networking, have essentially caused the disappearance of the traditional concept of a network perimeter
- Traditional packet-filtering firewalls block only network ports and computer addresses
- Most modern attacks occur at the application layer
Purpose and Limitations of Client Defenses
- Client defenses block attacks that bypass perimeter defenses or originate on the internal network
- Client defenses include, among others: operating system hardening, antivirus software, personal firewalls
- Client defenses require configuring many computers
- In unmanaged environments, users may bypass client defenses
Purpose and Limitations of Intrusion Detection
- Detects the pattern of common attacks, records suspicious traffic in event logs, and/or alerts administrators
- Threats and vulnerabilities are constantly evolving, which leaves systems vulnerable until a new attack is known and a new signature is created and distributed
Goals of Network Security
Goals: Perimeter Defense, Client Defense, Intrusion Detection, Network Access Control, Confidentiality, Secure Remote Access
Technologies covered in this session: ISA Server, ICF, 802.1x / WPA, IPSec
Using Perimeter Defenses
Perimeter Connections Overview
Network perimeters include connections to:
- The Internet
- Branch offices
- Business partners
- Remote users
- Wireless networks
- Internet applications
(Diagram: the Main Office LAN connected to the Internet, a Business Partner LAN, a Branch Office LAN, a Wireless Network, and a Remote User)
Firewall Design: Back-to-Back
(Diagram: Internet - External Firewall - Screened Subnet - Internal Firewall - LAN)
What Firewalls Do NOT Protect Against
- Malicious traffic that is passed on open ports and not inspected at the application layer by the firewall
- Any traffic that passes through an encrypted tunnel or session
- Attacks after a network has been penetrated
- Traffic that appears legitimate
- Users and administrators who intentionally or accidentally install viruses
- Administrators who use weak passwords
Software vs. Hardware Firewalls
Decision Factor | Description
Flexibility | Updating for the latest vulnerabilities and patches is often easier with software-based firewalls.
Extensibility | Many hardware firewalls allow only limited customizability.
Choice of Vendors | Software firewalls allow you to choose hardware for a wide variety of needs, with no reliance on a single vendor for additional hardware.
Cost | The initial purchase price for hardware firewalls might be less. Software firewalls take advantage of low CPU costs; the hardware can be easily upgraded, and old hardware can be repurposed.
Complexity | Hardware firewalls are often less complex.
Overall Suitability | The most important decision factor is whether a firewall can perform the required tasks. Often the lines between hardware and software firewalls are blurred.
Types of Firewall Functions
- Packet Filtering
- Stateful Inspection
- Application-Layer Inspection
- Multi-layer Inspection (including application-layer filtering)
Using ISA Server to Protect Perimeters
Goals of Network Security: ISA Server (* basic intrusion detection, extended by partners)
Protecting Perimeters
- ISA Server has full screening capabilities: packet filtering, stateful inspection, application-level inspection
- ISA Server blocks all network traffic unless you allow it
- ISA Server provides secure VPN connectivity
- ISA Server is ICSA certified and Common Criteria certified
Protecting Clients
Method | Description
Proxy Functions | Processes all requests for clients and never allows direct connections.
Client Support | Support for all clients without special software. Installing the ISA Firewall software on Windows clients allows for greater functionality.
Rules | Protocol Rules, Site and Content Rules, and Publishing Rules determine whether access is allowed.
Add-ons |
Protecting Web Servers
Web Publishing Rules
- Protect Web servers behind the firewall from external attacks by inspecting HTTP traffic and ensuring that it is properly formatted and complies with standards
Inspection of Secure Sockets Layer (SSL) traffic
- Decrypts and inspects incoming encrypted Web requests for proper formatting and standards compliance
- Will optionally re-encrypt the traffic before sending it to your Web server
URLScan
- ISA Server Feature Pack 1 includes URLScan 2.5 for ISA Server
- Allows the URLScan ISAPI filter to be applied at the network perimeter
- General blocking for all Web servers behind the firewall
- Perimeter blocking for known and newly discovered attacks
(Diagram: ISA Server in front of Web Server 1, Web Server 2, and Web Server 3)
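To make the "properly formatted and complies with standards" checks concrete, here is an added example (not ISA Server or URLScan code) that emulates the kind of request-line screening a perimeter HTTP filter performs: verb allow list, single-pass URL normalization with a double-encoding check, denied extensions and sequences, and length limits. The policy values are constructed for the example and are not a published urlscan.ini.

```python
"""URLScan-style HTTP request screening at the perimeter (simplified emulation)."""
from urllib.parse import unquote

# Constructed policy, named after the urlscan.ini sections it imitates.
POLICY = {
    "AllowVerbs": {"GET", "HEAD", "POST"},
    "DenyExtensions": {".exe", ".bat", ".cmd", ".ida", ".idq", ".printer"},
    "DenyUrlSequences": ["..", "./", "\\", ":", "%", "&"],
    "MaxUrl": 260,
    "MaxQueryString": 2048,
    "AllowHighBitCharacters": False,
}


def parse_request_line(line):
    """Split 'VERB SP URL SP HTTP/x.y'; anything not in that exact shape is rejected."""
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[0], parts[1], parts[2]


def screen_request(line, policy=POLICY):
    """Return (allowed, reason) for one request line.

    The URL is decoded once, then decoded again: if the second pass changes
    anything the request was double-encoded and is refused before any
    sequence or extension check runs on it.
    """
    parsed = parse_request_line(line)
    if parsed is None:
        return False, "malformed request line"
    verb, url, _version = parsed
    if verb not in policy["AllowVerbs"]:
        return False, f"verb {verb} not allowed"
    path, _, query = url.partition("?")
    if len(path) > policy["MaxUrl"]:
        return False, "URL too long"
    if len(query) > policy["MaxQueryString"]:
        return False, "query string too long"
    normalized = unquote(path)
    if unquote(normalized) != normalized:
        return False, "URL does not survive normalization (double encoding)"
    if not policy["AllowHighBitCharacters"] and any(ord(c) > 127 for c in normalized):
        return False, "high-bit characters in URL"
    for seq in policy["DenyUrlSequences"]:
        if seq in normalized:
            return False, f"denied sequence {seq!r}"
    # Extension is taken from the last path segment only.
    segment = normalized.rsplit("/", 1)[-1]
    ext = ("." + segment.rsplit(".", 1)[1].lower()) if "." in segment else ""
    if ext in policy["DenyExtensions"]:
        return False, f"denied extension {ext}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed request lines, as a perimeter filter would see them.
    for req in ("GET /default.htm HTTP/1.1",
                "TRACE / HTTP/1.1",
                "GET /a/../b.htm HTTP/1.1",
                "GET /tools/run.exe HTTP/1.1",
                "GET /%2541.htm HTTP/1.1"):
        print(req, "->", screen_request(req))
```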
Protecting Exchange Server
Method | Description
Mail Publishing Wizard | Configures ISA Server rules to securely publish internal mail services to external users
Message Screener | Screens SMTP e-mail messages that enter the internal network
RPC Publishing | Secures native protocol access for Microsoft Outlook® clients
OWA Publishing | Protects the OWA front end for remote Outlook users accessing Microsoft Exchange Server over untrusted networks without a VPN
Traffic That Bypasses Firewall Inspection
- SSL tunnels through traditional firewalls because it is encrypted, which allows viruses and worms to pass through undetected and infect internal servers
- VPN traffic is encrypted and cannot be inspected
- Instant Messenger (IM) traffic often is not inspected and might be used to transfer files
Inspecting All Traffic
- Use intrusion detection and other mechanisms to inspect VPN traffic after it has been decrypted
- Use a firewall that can inspect SSL traffic
- Expand the inspection capabilities of your firewall
- Use firewall add-ons to inspect IM traffic
Remember: Defense in Depth
SSL Inspection
- SSL tunnels through traditional firewalls because it is encrypted, which allows viruses and worms to pass through undetected and infect internal servers.
- ISA Server can decrypt and inspect SSL traffic. Inspected traffic can be sent to the internal server re-encrypted or in the clear.
ISA Server Hardening
- Harden the network stack
- Disable unnecessary network protocols on the external network interface: Client for Microsoft Networks, File and Printer Sharing for Microsoft Networks, NetBIOS over TCP/IP
Best Practices
- Use access rules that only allow requests that are specifically allowed
- Use ISA Server's authentication capabilities to restrict and log Internet access
- Configure Web publishing rules only for specific destination sets
- Use SSL Inspection to inspect encrypted data that is entering your network
Using ICF to Protect Clients
Overview of ICF
What It Is: Internet Connection Firewall in Microsoft Windows XP and Microsoft Windows Server 2003
What It Does: Helps stop network-based attacks, such as Blaster, by blocking all unsolicited inbound traffic
Key Features:
- Ports can be opened for services running on the computer
- Enterprise administration through Group Policy
Enabling ICF
- Enabled by selecting one check box, by the Network Setup Wizard, or by the New Connection Wizard
- Enabled separately for each network connection
ICF Advanced Settings
- Network services
- Web-based applications
ICF Security Logging
- Logging options
- Log file options
ICF in the Enterprise
- Configure ICF by using Group Policy
- Combine ICF with Network Access Quarantine Control
Best Practices
- Use ICF for home offices and small businesses to provide protection for computers directly connected to the Internet
- Do not turn on ICF for a VPN connection (but do enable ICF for the underlying LAN or dial-up connection)
- Configure service definitions for each ICF connection through which you want the service to work
- Set the size of the security log to 16 megabytes to prevent an overflow that might be caused by denial-of-service attacks
Protecting Wireless Networks
Wireless Security Issues
Limitations of Wired Equivalent Privacy (WEP)
- Static WEP keys are not dynamically changed and therefore are vulnerable to attack.
- There is no standard method for provisioning static WEP keys to clients.
- Scalability: compromise of a static WEP key by anyone exposes everyone.
Limitations of MAC Address Filtering
- An attacker could spoof an allowed MAC address.
Possible Solutions
- Password-based Layer 2 Authentication: IEEE 802.1x PEAP/MSCHAP v2
- Certificate-based Layer 2 Authentication: IEEE 802.1x EAP-TLS
- Other Options
  - VPN Connectivity: L2TP/IPsec (preferred) or PPTP; does not allow for roaming; useful when using public wireless hotspots; no computer authentication or processing of computer settings in Group Policy
  - IPSec: interoperability issues
WLAN Security Comparisons
WLAN Security Type | Security Level | Ease of Deployment | Usability and Integration
Static WEP | Low | High | High
IEEE 802.1X PEAP | High | Medium | High
IEEE 802.1x TLS | High | Low | High
VPN | High (L2TP/IPSec) | Medium | Low
IPSec | High | Low | Low
802.1x
- Defines a port-based access control mechanism
  - Works on anything, wired or wireless
  - No special encryption key requirements
- Allows choice of authentication methods using Extensible Authentication Protocol (EAP)
  - Chosen by peers at authentication time
  - Access point doesn't care about EAP methods
- Manages keys automatically
  - No need to preprogram wireless encryption keys
802.1x on 802.11
Participants: Laptop Computer (wireless, 802.11), Access Point (Ethernet), RADIUS Server
1. Laptop -> Access Point: 802.11 Associate (association succeeds, but access is blocked)
2. Laptop -> Access Point: EAPOL-Start
3. Access Point -> Laptop: EAP-Request/Identity
4. Laptop -> Access Point: EAP-Response/Identity
5. Access Point -> RADIUS Server: Radius-Access-Request
6. RADIUS Server -> Access Point: Radius-Access-Challenge
7. Access Point -> Laptop: EAP-Request
8. Laptop -> Access Point: EAP-Response (credentials)
9. Access Point -> RADIUS Server: Radius-Access-Request
10. RADIUS Server -> Access Point: Radius-Access-Accept
11. Access Point -> Laptop: EAP-Success
12. Access Point -> Laptop: EAPOL-Key (Key)
13. Access allowed
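The exchange above as a small model, added here as an example and not code from the original deck or from any Microsoft product: the access point holds the controlled port blocked until the RADIUS server returns Access-Accept, relays EAP without interpreting the method, and hands the client its key only after success. The account database and key material are constructed placeholders standing in for a real EAP method.

```python
"""Toy model of 802.1X port-based access control on an 802.11 access point."""
from dataclasses import dataclass, field

# Constructed account database consulted by the toy "RADIUS server".
USERS = {"alice": "correct horse battery staple"}


@dataclass
class RadiusServer:
    """Authentication server: answers Access-Request with Challenge, Accept or Reject."""
    sessions: dict = field(default_factory=dict)

    def access_request(self, identity, credential=None):
        if credential is None:
            # First round carries only the identity: challenge for credentials.
            self.sessions[identity] = "challenged"
            return ("Access-Challenge", "EAP-Request")
        if self.sessions.get(identity) != "challenged":
            return ("Access-Reject", "EAP-Failure")
        if USERS.get(identity) == credential:
            # Accept carries key material the AP delivers to the client (EAPOL-Key).
            return ("Access-Accept", "EAP-Success", f"key-for-{identity}")
        return ("Access-Reject", "EAP-Failure")


@dataclass
class Supplicant:
    mac: str
    user: str
    secret: str
    key: str = None

    def identity(self):
        return self.user

    def credential(self):
        return self.secret


@dataclass
class AccessPoint:
    """Authenticator: the controlled port stays blocked until Access-Accept."""
    radius: RadiusServer
    port_open: dict = field(default_factory=dict)   # station MAC -> bool
    log: list = field(default_factory=list)

    def associate(self, mac):
        # 802.11 association succeeds, yet no data may cross the controlled port.
        self.port_open[mac] = False
        self.log.append((mac, "802.11 Associate", "Access Blocked"))

    def forward_data(self, mac, payload):
        """Only EAPOL crosses a blocked port; ordinary frames are dropped."""
        if self.port_open.get(mac):
            return "forwarded"
        self.log.append((mac, "dropped", payload))
        return "dropped"

    def eapol_start(self, mac, supplicant):
        self.log.append((mac, "EAPOL-Start", "EAP-Request/Identity"))
        identity = supplicant.identity()
        self.log.append((mac, "EAP-Response/Identity", identity))
        reply = self.radius.access_request(identity)          # Radius-Access-Request
        if reply[0] != "Access-Challenge":
            return "EAP-Failure"
        # The AP relays the EAP-Request/Response pair without interpreting the method.
        reply = self.radius.access_request(identity, supplicant.credential())
        if reply[0] == "Access-Accept":
            self.port_open[mac] = True
            supplicant.key = reply[2]                           # EAPOL-Key (Key)
            self.log.append((mac, "EAP-Success", "Access Allowed"))
            return "EAP-Success"
        self.log.append((mac, "EAP-Failure", "Access Blocked"))
        return "EAP-Failure"


def run_exchange(user, secret):
    """Drive one client through the exchange; return (result, data before, data after, key)."""
    ap = AccessPoint(RadiusServer())
    sta = Supplicant(mac="00:11:22:33:44:55", user=user, secret=secret)  # constructed MAC
    ap.associate(sta.mac)
    before = ap.forward_data(sta.mac, "HTTP GET")    # dropped: not yet authenticated
    result = ap.eapol_start(sta.mac, sta)
    after = ap.forward_data(sta.mac, "HTTP GET")
    return result, before, after, sta.key


if __name__ == "__main__":
    print(run_exchange("alice", "correct horse battery staple"))
    print(run_exchange("alice", "wrong password"))
```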
System Requirements for 802.1x
- Client: Windows XP
- Server: Windows Server 2003 IAS (Internet Authentication Service, our RADIUS server)
- Certificate on the IAS computer
802.1x on Windows 2000
- Client and IAS must have SP3; see KB article 313664
- No zero-configuration support in the client
- Supports only EAP-TLS and MS-CHAPv2
- Future EAP methods in Windows XP and Windows Server 2003 might not be backported
802.1x Setup
1. Configure Windows Server 2003 with IAS
2. Join a domain
3. Enroll a computer certificate
4. Register IAS in Active Directory
5. Configure RADIUS logging
6. Add the AP as a RADIUS client
7. Configure the AP for RADIUS and 802.1x
8. Create a wireless client access policy
9. Configure clients (don't forget to import the root certificate)
Access Policy
Policy conditions:
- NAS-Port-Type matches "Wireless - IEEE 802.11" OR "Wireless - Other"
- Windows-Groups = <some group in AD> (optional; allows administrative control; should contain user and computer accounts)
Access Policy Profile
- Time-out: 60 min. (802.11b) or 10 min. (802.11a/g)
- No regular authentication methods
- EAP type: Protected EAP; use computer certificate
- Encryption: only strongest (MPPE 128-bit)
- Attributes: Ignore-User-Dialin-Properties = True
Wireless Protected Access (WPA)
- A specification of standards-based, interoperable security enhancements that strongly increase the level of data protection and access control for existing and future wireless LAN systems
- WPA requires 802.1x authentication for network access
Goals:
- Enhanced data encryption
- Provide user authentication
- Be forward compatible with 802.11i
- Provide a non-RADIUS solution for small/home offices
The Wi-Fi Alliance began certification testing for interoperability of WPA products in February 2003.
Best Practices
- Use 802.1x authentication
- Organize wireless users and computers into groups
- Apply wireless access policies using Group Policy
- Use EAP-TLS for certificate-based authentication and PEAP for password-based authentication
- Configure your remote access policy to support user authentication as well as machine authentication
- Develop a method to deal with rogue access points, such as LAN-based 802.1x authentication, site surveys, network monitoring, and user education
Protecting Communications by Using IPSec
Overview of IPSec
What is IP Security (IPSec)?
- A method to secure IP traffic
- Framework of open standards developed by the Internet Engineering Task Force (IETF)
Why use IPSec?
- To ensure encrypted and authenticated communications at the IP layer
- To provide transport security that is independent of applications or application-layer protocols
IPSec Scenarios
- Basic permit/block packet filtering
- Secure internal LAN communications
- Domain replication through firewalls
- VPN across untrusted media
Implementing IPSec Packet Filtering
- Filters for allowed and blocked traffic
- No actual negotiation of IPSec security associations
- Overlapping filters: the most specific match determines the action
- Does not provide stateful filtering
- Must set "NoDefaultExempt = 1" to be secure

From IP | To IP | Protocol | Src Port | Dest Port | Action
Any | My Internet IP | Any | N/A | N/A | Block
Any | My Internet IP | TCP | Any | 80 | Permit
Packet Filtering Is Not Sufficient to Protect a Server
- Spoofed IP packets containing queries or malicious content can still reach open ports through firewalls
- IPSec does not provide stateful inspection
- Many hacker tools use source ports 80, 88, 135, and so on, to connect to any destination port
Traffic Not Filtered by IPSec
- IP broadcast addresses: cannot secure to multiple receivers
- Multicast addresses: from 224.0.0.0 through 239.255.255.255
- Kerberos: UDP source or destination port 88. Kerberos is a secure protocol, which the Internet Key Exchange (IKE) negotiation service may use for authentication of other computers in a domain
- IKE: UDP destination port 500. Required to allow IKE to negotiate parameters for IPSec security
- Windows Server 2003 configures only the IKE default exemption
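The two preceding slides (the permit/block filter table with "most specific match wins", and the traffic that IPSec never filters) can be exercised together. This is an added example, not Microsoft's IPSec implementation: it scores filter specificity by how many fields a filter pins down, applies the slide's two filters, and models the exemption list from the slide (broadcast, multicast and IKE always exempt; Kerberos port 88 exempt only while NoDefaultExempt = 0). The address used for "My Internet IP" is constructed.

```python
"""Model of Windows IPSec permit/block filtering with specificity and default exemptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MY_IP = "203.0.113.10"      # constructed stand-in for "My Internet IP"
ANY = "any"


def _addr_match(rule, addr):
    if rule == ANY:
        return True
    if "/" in rule:
        return ip_address(addr) in ip_network(rule, strict=False)
    return rule == addr


@dataclass(frozen=True)
class Filter:
    src: str          # "any", a host address, or a CIDR subnet
    dst: str
    protocol: str     # "any", "tcp", "udp"
    src_port: str     # "any" or a port number as a string
    dst_port: str
    action: str       # "permit" or "block"

    def matches(self, pkt):
        return (_addr_match(self.src, pkt["src"]) and _addr_match(self.dst, pkt["dst"])
                and self.protocol in (ANY, pkt["protocol"])
                and self.src_port in (ANY, str(pkt["src_port"]))
                and self.dst_port in (ANY, str(pkt["dst_port"])))

    def specificity(self):
        """More fields pinned down means more specific; a host address beats a subnet."""
        score = 0
        for a in (self.src, self.dst):
            if a != ANY:
                score += 1 if "/" in a else 2
        score += sum(f != ANY for f in (self.protocol, self.src_port, self.dst_port))
        return score


def default_exempt(pkt, no_default_exempt):
    """Traffic the slide lists as never filtered by IPSec."""
    if ip_address(pkt["dst"]).is_multicast or pkt["dst"] == "255.255.255.255":
        return True                                   # cannot secure to multiple receivers
    if pkt["protocol"] == "udp" and pkt["dst_port"] == 500:
        return True                                   # IKE must get through to negotiate
    if not no_default_exempt and pkt["protocol"] == "udp" and 88 in (pkt["src_port"], pkt["dst_port"]):
        return True                                   # Kerberos exemption, removed by NoDefaultExempt = 1
    return False


def decide(filters, pkt, no_default_exempt=1):
    """Return 'exempt', 'permit' or 'block' for one packet. Stateless: no session memory."""
    if default_exempt(pkt, no_default_exempt):
        return "exempt"
    hits = [f for f in filters if f.matches(pkt)]
    if not hits:
        return "permit"   # traffic matching no filter is passed through untouched
    return max(hits, key=Filter.specificity).action


def packet(src, dst, protocol, src_port, dst_port):
    return {"src": src, "dst": dst, "protocol": protocol,
            "src_port": src_port, "dst_port": dst_port}


# The filter list from the slide: block everything to my IP, except TCP to port 80.
SLIDE_FILTERS = [
    Filter(ANY, MY_IP, ANY, ANY, ANY, "block"),
    Filter(ANY, MY_IP, "tcp", ANY, "80", "permit"),
]

if __name__ == "__main__":
    client = "198.51.100.7"   # constructed remote address
    print(decide(SLIDE_FILTERS, packet(client, MY_IP, "tcp", 40000, 80)))        # permit
    print(decide(SLIDE_FILTERS, packet(client, MY_IP, "tcp", 80, 135)))          # block
    print(decide(SLIDE_FILTERS, packet(client, MY_IP, "udp", 3000, 88), 0))      # exempt
    print(decide(SLIDE_FILTERS, packet(client, MY_IP, "udp", 3000, 88), 1))      # block
```

Note the third and fourth calls: with NoDefaultExempt left at 0 the port-88 packet never reaches the block filter, which is the point of the slide's "must set NoDefaultExempt = 1" warning.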
Secure Internal Communications
- Use IPSec to provide mutual device authentication
  - Use certificates or Kerberos
  - Preshared key suitable for testing only
- Use Authentication Header (AH) to ensure packet integrity
  - AH provides packet integrity
  - AH does not encrypt, allowing for network intrusion detection
- Use Encapsulating Security Payload (ESP) to encrypt sensitive traffic
  - ESP provides packet integrity and confidentiality
  - Encryption prevents packet inspection
- Carefully plan which traffic should be secured
IPSec for Domain Replication
- Use IPSec for replication through firewalls
- On each domain controller, create an IPSec policy to secure all traffic to the other domain controller's IP address
- Use ESP 3DES for encryption
- Allow traffic through the firewall: UDP port 500 (IKE) and IP protocol 50 (ESP)
VPN Across Untrusted Media
- Client VPN: use L2TP/IPSec
- Branch Office VPN
  - Between Windows 2000 or Windows Server running RRAS: use an L2TP/IPSec tunnel (easy to configure, appears as a routable interface)
  - To a third-party gateway: use L2TP/IPSec or pure IPSec tunnel mode
  - To a Microsoft Windows NT® 4 RRAS gateway: use PPTP (IPSec not available)
IPSec Performance
- IPSec processing has some performance impact
  - IKE negotiation time: about 2–5 seconds initially, 5 round trips; authentication (Kerberos or certificates); cryptographic key generation and encrypted messages; done once per 8 hours by default, settable
  - Session rekey is fast: <1–2 seconds, 2 round trips, once per hour, settable
  - Encryption of packets
- How to improve?
  - Offloading NICs do IPSec almost at wire speed
  - Using faster CPUs
Best Practices
- Plan your IPSec implementation carefully
- Choose between AH and ESP
- Use Group Policy to implement IPSec policies
- Consider the use of IPSec NICs
- Never use shared key authentication outside your test lab
- Choose between certificates and Kerberos authentication
- Use care when requiring IPSec for communications with domain controllers and other infrastructure servers
Session Summary
- Introduction/Defense in Depth
- Using Perimeter Defenses
- Using ISA Server to Protect Perimeters
- Using ICF to Protect Clients
- Protecting Wireless Networks
- Protecting Networks by Using IPSec
Next Steps
- Stay informed and sign up for security bulletins.
- Get the latest Microsoft security guidance.
- Get further security training.
- Get expert help with a Microsoft® Certified Partner.
Microsoft Security Site (all audiences): http://www.microsoft.com/uk/security
TechNet Security Site (IT professionals): http://www.microsoft.com/uk/technet/
MSDN Security Site (developers): http://www.microsoft.com/uk/msdn/