Microsoft Domain and Server Isolation Model
Esmaeil Sarabadani, MCT, MCSA/MCSE: Security
IPSec as a savior against network threats on Windows Server 2008 R2
What will be covered
• Protecting the network in a highly-connected world
• Defence in depth
• Network without isolation
• Microsoft domain and server isolation model
• Focus on IPSec
• Different stages of implementing the model
• Demonstrations of the different configuration steps
Life in a Highly-Connected World
• Local area networks
• Business extranets
• Wireless networks
• Mobile workers
• Laptops
• Virtual private networks
• Mobile smart devices
Protecting Your Network means
• Reducing the risk of malicious activity
• Protecting data against unauthorized manipulation
• Lowering costs and administrative overhead
• Decreasing the impact of denial-of-service attacks
• Reducing the risk from malicious software
• Reducing the chance of intrusion into the network and servers
Typical Network Infrastructure
Is the whole infrastructure secure? What is missing?
(Diagram of a typical network: network firewalls at the perimeter, a secure VPN connection for a remote user, and an extranet connection to a partner's network.)
How important is it in the world today?
“Malicious insiders” were ranked second in 2010 and first in 2009 in the top ten information security threats reported by Perimeter E-Security.
Logical Isolation
Defence in depth: a layered approach to protecting a computer instead of relying on a single protection mechanism.
Logical isolation:
• Controls network communications
• Protects all unicast traffic
• More similar to a host-based firewall than to a network firewall
• Provides end-to-end security
(Illustration: Bob tries to talk to Alice. Alice: “Sorry! I do not trust you!” The communication does not take place.)
Without Isolation
1. The user attempts to access a file share.
2. User authentication occurs.
3. Network access permissions are checked against the local policy.
4. Share access is checked: access is granted or denied based on the ACL (e.g. a department group).
Result: the user is authenticated and authorized.
Without Isolation: The Problems
• Too much dependence on users' credentials
• Theft and abuse of user credentials is often not noticed... until it is too late
• Difficult to control who or what physically connects to the network
• Large internal networks might have independent paths to the internet
• Firewalls help, but not when clients communicate with each other inside the network
Question: what does a hacker need to penetrate the network and servers?
• Access to the network
• A username and password
How difficult do you think it is for a hacker to get them?
Microsoft Domain and Server Isolation Model
• Controls end-to-end communications using IPSec policies
• Adds a layer of defence in depth
• IPSec policies are delivered to the host through Group Policy
• Authenticates every packet
• Can encrypt every packet
Supported operating systems: Windows 2000 SP4, Windows XP SP2, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008 and 2008 R2
With Isolation
1. The user attempts to access a file share.
2. IKE negotiation begins.
3. Network access permissions are checked for the computer account against the local policy.
4. IKE succeeds; user authentication occurs.
5. Network access permissions are checked for the user against the local policy.
6. Share access is checked: access is granted or denied based on the ACL (e.g. a department group).
Result: both the computer and the user are authenticated and authorized.
Why IPSec?
• IPSec is a protocol suite that provides security over IP networks
• It operates at layer 3 (Network) of the OSI model
• It has two modes of operation: tunnel mode and transport mode
IPSec
Tunnel Mode:
• An IPSec gateway at each site; no security inside the site network
• Secures traffic between the gateways as it crosses the internet
(Diagram: Local network, IPSec gateway, Internet, IPSec gateway, Local network; secure communication between the gateways. Packet layout: new outer IP header, tunnel security header, protected original IP header, protected data field.)
• A new outer IP header and the IPSec security header are placed in front of the original packet
• The new outer header carries the source and destination addresses of the IPSec gateways
• The source and destination addresses of the hosts are protected, because the original IP header is protected
• The original data field is protected
IPSec
Transport Mode:
• End-to-end communication and security between the hosts
• Security inside the site networks
• Requires configuration on each host
(Diagram: Local network, Internet, Local network; secure end-to-end communication between the hosts. Packet layout: original IP header, transport security header, protected data field.)
• Adds a security header to IP packets after the original IP header
• The source and destination of the hosts can be learned by an attacker in the middle, because the original IP header is sent in the clear
• The original data field is protected
AH vs. ESP
Two protocols, not two forms of encryption:
• ESP (Encapsulating Security Payload): confidentiality (encryption) plus authentication and integrity of the payload. ESP can also be used with null encryption (ESP-null), which gives authentication only; domain isolation typically uses ESP-null when it authenticates without encrypting.
• AH (Authentication Header): authentication and integrity only, no encryption. AH also covers the IP header, so it cannot pass through NAT; ESP with NAT-T can.
(Diagrams: ESP in transport mode, ESP in tunnel mode, AH in transport mode, AH in tunnel mode. In both AH modes: no encryption, only authentication.)
IKE, SA, Encryption Algorithms
A Security Association (SA) is an agreement between two hosts (or two IPSec gateways) on how security will be performed: which protocol (AH or ESP), which integrity and encryption algorithms, and which keys and lifetimes.
(Diagram: Host A and Host B negotiate a Security Association.)
The negotiation starts with IKE (Internet Key Exchange). IKE is specified separately from AH and ESP as a general key-management protocol; Windows Vista and later additionally use Microsoft's AuthIP extension, which among other things adds user authentication.
Integrity algorithms: MD5 (weak, avoid), SHA-1; Windows Vista SP1 / Server 2008 and later also offer SHA-256 and AES-GMAC (AES in an authentication-only mode, which is how “AES” can appear in an integrity list)
Encryption algorithms: DES (weak, avoid), 3DES, AES (128, 192 or 256 bit)
Important Isolation Terms
Trusted host: IPSec-enabled and joined to the domain; meets the isolation requirements.
Untrusted host: not IPSec-enabled, or not joined to the domain or in an untrusted domain. Either known untrusted (identified, but cannot meet the requirements) or unknown untrusted (nothing is known about it).
Boundary host: IPSec-enabled, falls back to clear, able to communicate with both trusted and untrusted hosts.
Exempted host: does not use IPSec at all.
Isolation group: a logical group of trusted hosts that share the same policy.
Network access group: a security group that controls which computers or users may access a host on the network, before the host's own share and application ACLs are evaluated.
(Diagram: trusted hosts communicate with each other and with boundary hosts; boundary hosts also communicate with untrusted hosts; exempted hosts are reachable without IPSec; a connection attempted directly between a trusted host and an untrusted host is terminated.)
Isolation Scope
Hosts to be isolated:
• Any computer joined to the domain, as long as it meets the requirements
• To a very large extent this depends on the isolation policies
Servers to be isolated (driven by the importance of the information stored on them):
• Domain controllers: DC-to-DC and GC-to-GC traffic. Client-to-DC isolation is possible but generally NOT recommended: clients need the DC for Kerberos before they can authenticate to it, so it requires an authentication method other than Kerberos (certificates)
• Exchange Server: the Edge Transport (front-end) server to the servers holding the other roles; communication between Exchange servers with different roles
• Office Communications Server 2007: isolation of the edge servers; communication between the edge server and the internal servers
• File servers and web servers, e.g. blocking specific ports, and so on
Servers to be exempted:
• DHCP servers: computers connect to get an IP address and receive no policy before that; must answer without delay
• DNS servers: must answer without delay; involved with every computer in the network
Firewalls
Host-based firewalls, filtering in routers, network firewalls and any other filters between IPSec peers must pass IP fragments (IKE packets carrying certificates are often fragmented) and must allow:
• IKE: UDP port 500
• IKE/IPSec NAT-T: UDP port 4500
• IPSec ESP: IP protocol 50
• IPSec AH: IP protocol 51
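As an added example (not part of the original deck), the host-firewall side of this requirement expressed as Windows Firewall with Advanced Security rules created with netsh on a Windows Server 2008 R2 host, for the case where a host firewall needs explicit exceptions. The rule names, the restriction to the domain profile and the verification logic are choices made here; run it from an elevated PowerShell session.

```powershell
# Added example: inbound host-firewall exceptions for IPSec on Windows Firewall with
# Advanced Security (netsh advfirewall). Not from the original deck; rule names and the
# domain-profile restriction are assumptions of this example. Run elevated.

$ipsecRules = @(
    @{ Name = 'IPSec-IKE-In';  Spec = @('protocol=UDP', 'localport=500')  },  # IKE
    @{ Name = 'IPSec-NATT-In'; Spec = @('protocol=UDP', 'localport=4500') },  # IKE/IPSec NAT-T
    @{ Name = 'IPSec-ESP-In';  Spec = @('protocol=50') },                     # ESP, IP protocol 50
    @{ Name = 'IPSec-AH-In';   Spec = @('protocol=51') }                      # AH, IP protocol 51
)

function Add-IPsecFirewallRule {
    param([hashtable]$Rule)
    # netsh does not de-duplicate by name, so check before adding.
    $existing = & netsh advfirewall firewall show rule "name=$($Rule.Name)" 2>&1
    if (($existing -join "`n") -match 'Rule Name:') {
        Write-Host "Rule $($Rule.Name) already exists, skipping"
        return
    }
    # An array argument is expanded so that each key=value token reaches netsh separately.
    & netsh advfirewall firewall add rule "name=$($Rule.Name)" dir=in action=allow `
        profile=domain $Rule.Spec
    if ($LASTEXITCODE -ne 0) { throw "netsh failed for rule $($Rule.Name)" }
}

foreach ($r in $ipsecRules) { Add-IPsecFirewallRule -Rule $r }

# Verify: every rule must now be listed and enabled.
foreach ($r in $ipsecRules) {
    $text = (& netsh advfirewall firewall show rule "name=$($r.Name)") -join "`n"
    if ($text -notmatch 'Enabled:\s+Yes') { Write-Warning "Rule $($r.Name) missing or disabled" }
}
```

The same four entries are what a router ACL or network firewall between two isolation peers must allow. If a NAT device sits in the path, only ESP encapsulated in UDP 4500 (NAT-T) gets through; AH is not NAT-capable, so the AH rule is only useful on segments without NAT.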
Planning phase
Inform team members about IPSec: IT manager, system architect, security manager, support specialist, etc.
Collect information about your IT environment:
• Network topology
• Security policy and implementation
• Server operating systems and applications
• User types
• Any interoperability issues or concerns
Determine your isolation needs:
• Business needs
• Security requirements
• Service level agreements
• Technology needs
• User needs
Things to consider when planning:
• Analysis of network devices
• Analysis of network traffic flow
• ACLs that affect IPSec directly
• VLAN segmentation
• Analysis of Active Directory
Then: design your IPSec policies, deploy them in a test environment, refine the policies, create a deployment schedule, and prepare for user and infrastructure support.
Deployment
Different types of deployment:
Deployment using OUs (diagram): each OU is linked to its own IPSec policy; in the example Policy 1, Policy 2 and Policy 3 are applied to different OUs, with two OUs sharing Policy 3.
Deployment using Groups (diagram): computers are placed in security groups (Group 1 to Group 8). Policy 1 is linked at the domain level; groups with Allow Read & Apply permission receive Policy 1, groups with Deny Read & Apply do not. Policy 2 is linked at the OU level and filtered the same way, so within one OU some groups get Policy 2 and others do not.
Comparison:
Deployment by groups suits organizations with a more complex group hierarchy, or where more than one policy must apply within a single OU. Deployment by groups can get really complicated.
Deployment by OUs suits organizations in which all computers in an OU inherit the same policies.
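The two deployment styles above scripted with the GroupPolicy PowerShell module (RSAT on Windows Server 2008 R2), as an added example that is not part of the original deck. The domain contoso.com, the OU "Servers", the security group "Isolation-FileServers" and the GPO names are placeholders chosen here.

```powershell
# Added example, not from the original deck: deployment by OU versus deployment by group.
# Placeholders: domain contoso.com, OU "Servers", group "Isolation-FileServers", GPO names.
Import-Module GroupPolicy

$domain   = 'contoso.com'
$domainDn = 'DC=contoso,DC=com'

# Deployment by OU: one GPO linked to the OU; every computer in the OU inherits it.
$ouGpo = New-GPO -Name 'IPSec-Isolation-Servers' -Domain $domain
New-GPLink -Name $ouGpo.DisplayName -Target "OU=Servers,$domainDn" -LinkEnabled Yes -Domain $domain | Out-Null

# Deployment by group: link the GPO once at the domain level, then use Read & Apply
# permissions (security filtering) so that only members of the isolation group apply it.
$grpGpo = New-GPO -Name 'IPSec-Isolation-FileServers' -Domain $domain
New-GPLink -Name $grpGpo.DisplayName -Target $domainDn -LinkEnabled Yes -Domain $domain | Out-Null

# Authenticated Users get Apply by default. Reduce them to Read (clients must still be able to
# read a GPO to evaluate it) and grant Apply only to the isolation group.
Set-GPPermission -Name $grpGpo.DisplayName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace -Domain $domain | Out-Null
Set-GPPermission -Name $grpGpo.DisplayName -TargetName 'Isolation-FileServers' -TargetType Group `
    -PermissionLevel GpoApply -Domain $domain | Out-Null

# List the principals that will actually apply a GPO, to confirm the filtering.
function Get-GpoApplyPrincipals {
    param([string]$GpoName)
    Get-GPPermission -Name $GpoName -All -Domain $domain |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }
}
Get-GpoApplyPrincipals -GpoName $grpGpo.DisplayName
```

Set-GPPermission writes Allow entries only; the explicit "Deny Read & Apply" from the diagram is set in the GPMC Delegation tab (Advanced) and wins over any Allow, which is one reason group-based deployment gets complicated quickly.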
Deployment
DEMO: Deployment scenarios; Network Access Groups
IPSec Policy Components overview
IPSec Policy
  Rules
    Filter list (one or more filters)
    Filter action
    Authentication methods: Kerberos, certificates, pre-shared keys
    Security methods: hashing, encryption, key lifetimes
IPSec policies are all configurable through Group Policy at both the domain and the OU level.
Filter Lists:
A collection of one or more filters that match network traffic based on:
• Source or destination networks or addresses
• Protocol(s)
• Source and destination TCP or UDP ports
Filter Actions:
• IPSec-Block: blocks the traffic that matches the filter list
• IPSec-Permit: permits the traffic that matches the filter list without IPSec
• IPSec-Request mode: accepts both IPSec and non-IPSec inbound traffic; for outbound, starts IPSec negotiation and, if there is no response, falls back to clear
• IPSec-Secure Request mode: accepts only IPSec inbound traffic; for outbound, starts IPSec negotiation and, if there is no response, falls back to clear
• IPSec-Full Require mode: requires IPSec-secured communication for both inbound and outbound packets
(In Windows Firewall with Advanced Security these three negotiation modes correspond to the connection security rule actions requestinrequestout, requireinrequestout and requireinrequireout.)
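The filter actions above, together with the network access group from the isolation-terms slide, as Windows Firewall with Advanced Security rules created with netsh on Windows Server 2008 R2. This is an added example, not from the original deck or the demo; the rule names, the 60-minute / 100000 KB quick-mode lifetimes and the SID S-1-5-21-1111111111-2222222222-3333333333-1105 standing in for the isolation group are placeholders chosen here. Run it elevated.

```powershell
# Added example, not from the original deck: request, secure-request and full-require modes,
# a permit/exemption rule, and a block rule tied to a network access group.
# Placeholders: rule names, quick-mode lifetimes, and the group SID in the SDDL below.

# Main mode proposal: DH group 2 with AES-128 and SHA-1 (no DES/MD5).
netsh advfirewall set global mainmode mmsecmethods=dhgroup2:aes128-sha1

function Set-IsolationRole {
    # Creates the one connection security rule that matches the host's class.
    param([ValidateSet('Request', 'Boundary', 'Require')][string]$Role)
    $auth2 = @()
    switch ($Role) {
        # Request mode: negotiate IPSec in both directions, fall back to clear if the peer
        # does not answer. Rollout setting that surfaces failures before anything is enforced.
        'Request'  { $action = 'requestinrequestout'; $qm = 'esp:sha1-none+60min+100000kb' }
        # Secure request mode (boundary hosts): IPSec required inbound, requested outbound.
        'Boundary' { $action = 'requireinrequestout'; $qm = 'esp:sha1-none+60min+100000kb' }
        # Full require mode (isolated servers): IPSec in both directions, computer and user
        # Kerberos authentication, and AES-128 encryption instead of integrity-only ESP-null.
        'Require'  { $action = 'requireinrequireout'; $qm = 'esp:sha1-aes128+60min+100000kb'
                     $auth2 = @('auth2=userkerb') }
    }
    & netsh advfirewall consec add rule "name=Isolation-$Role" endpoint1=any endpoint2=any `
        "action=$action" auth1=computerkerb "qmsecmethods=$qm" profile=domain $auth2
    if ($LASTEXITCODE -ne 0) { throw "connection security rule for role '$Role' was not created" }
}

# This host is an isolated file server.
Set-IsolationRole -Role Require

# Permit / exemption: DNS servers are reached in the clear. (DHCP is covered by the default
# exemptions; see 'netsh advfirewall set global ipsec defaultexemptions'.)
netsh advfirewall consec add rule name=Exempt-DNS endpoint1=any endpoint2=dns `
    action=noauthentication profile=domain

# Block plus network access group: TCP 445 is allowed only over an IPSec-authenticated
# connection (security=authenticate) and only when the remote computer account belongs to the
# group named by the SDDL (A;;CC;;;SID = allow access to that SID). Everything else is dropped.
netsh advfirewall firewall add rule name=SMB-IsolatedOnly dir=in action=allow protocol=TCP `
    localport=445 security=authenticate profile=domain `
    "rmtcompgrp=D:(A;;CC;;;S-1-5-21-1111111111-2222222222-3333333333-1105)"

# Inspect the result.
netsh advfirewall consec show rule name=all
netsh advfirewall firewall show rule name=SMB-IsolatedOnly verbose
```

Call Set-IsolationRole with Boundary or Request on the other host classes; a host should carry only one of the three rules, which is why the function creates exactly one. The firewall rule with rmtcompgrp only works if a connection security rule exists to negotiate the SA, otherwise the authentication requirement can never be met and SMB is simply blocked.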
DEMO: Configuring Isolation
Things to Consider
• Start small when deploying, and always deploy in a test environment first
• Local administrators can disable IPSec (stop the services) or change the local dynamic policy
• Always plan for interoperability with non-Windows hosts
• Make sure NAT-T is supported on the hosts if there is a NAT device in the network; AH cannot pass through NAT at all, so prefer ESP
• Be aware of the delay between a policy change and its application on the hosts
• Once traffic is encrypted with ESP, network monitoring tools see only ciphertext; with AH or ESP-null (authentication only) the payload is still readable
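Post-deployment checks for the points above, as an added example that is not from the original deck: force and confirm policy application, detect IPSec services stopped by a local administrator, and list the negotiated quick-mode SAs so you know which peers are authenticated only (payload readable) and which are encrypted. The field names parsed from the output of netsh advfirewall monitor show qmsa are taken from that command's text output on Windows Server 2008 R2 and are an assumption of this example.

```powershell
# Added example, not from the original deck. Assumption: the qmsa output uses the field labels
# 'Local IP Address', 'Remote IP Address' and 'ESP Encryption' as on Windows Server 2008 R2.

# 1. Policy application delay: refresh now and confirm which GPOs the computer received.
gpupdate /target:computer /force
gpresult /scope computer /r

# 2. A local administrator can stop the IPSec services; warn if they are not running.
foreach ($svc in 'PolicyAgent', 'IKEEXT', 'MpsSvc') {
    $s = Get-Service -Name $svc
    if ($s.Status -ne 'Running') {
        Write-Warning "$svc is $($s.Status): IPSec/firewall policy is not being enforced"
    }
}

# 3. Parse the quick-mode SAs into objects, one per blank-line-separated block.
function Get-QuickModeSA {
    $sas = @(); $cur = @{}
    foreach ($line in (& netsh advfirewall monitor show qmsa)) {
        # 'Label:   value' lines become properties; header lines with times do not match.
        if ($line -match '^\s*(.+?):\s+(.+?)\s*$') { $cur[$matches[1]] = $matches[2]; continue }
        if ($line.Trim() -eq '' -and $cur.Count -gt 0) {
            $sas += New-Object PSObject -Property $cur; $cur = @{}
        }
    }
    if ($cur.Count -gt 0) { $sas += New-Object PSObject -Property $cur }
    $sas
}

# 4. Integrity-only SAs (ESP-null) leave the payload readable to capture tools; encrypted SAs do not.
Get-QuickModeSA | ForEach-Object {
    $enc  = $_.'ESP Encryption'
    $mode = if ($enc -and $enc -ne 'None') { 'encrypted' } else { 'integrity only' }
    '{0} -> {1}: {2}' -f $_.'Local IP Address', $_.'Remote IP Address', $mode
}
```

Run the SA listing from both sides of a suspected failure: a main-mode SA without a quick-mode SA (compare with netsh advfirewall monitor show mmsa) points at a quick-mode proposal mismatch rather than an authentication problem.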
Risks That Can Not Be Mitigated
• Trusted users stealing or disclosing sensitive data
• Rogue users
• Untrusted computers accessing other untrusted computers
• Loss of physical security of trusted computers
Real-World Examples
• Lockheed Martin
• University of Michigan
• BMO Financial Group
• Microsoft IT Department
Q&AQuestions & Answers
Resources
• TechNet reference on Domain and Server Isolation: http://technet.microsoft.com/en-us/network/bb545651.aspx
• Perimeter E-Security Top 10 Information Security Threats for 2010: http://www.perimeterusa.com/knowledge-center/company-news/press-releases#100
• TechNet reference on IPSec: http://www.microsoft.com/ipsec