Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions

Session Prerequisites Hands-on experience with Windows 2000 or Windows Server 2003 Familiarity with Active Directory and Group Policy Knowledge of Windows system security concepts Working knowledge of TCP/IP concepts An understanding of the basics of Internet Protocol Security (IPSec) Level 300

Session Overview Overview of Internet Protocol Security Understanding Network Isolation Using IPSec Understanding Advanced Network Isolation Scenarios

Overview of Internet Protocol Security Understanding Network Isolation Using IPSec Understanding Advanced Network Isolation Scenarios

Securing Network Communication: What Are the Challenges? Challenges to securing network communication include: Preventing data modification while in transit Preventing data from being read and interpreted while in transit Keeping data secure from unauthorized users Keeping data from being captured and replayed Preventing data modification while in transit Preventing data from being read and interpreted while in transit Keeping data secure from unauthorized users Keeping data from being captured and replayed

What Is Internet Protocol Security? IPSec provides the following benefits: Transparent to users and applications Provides restricted access to servers Customizable security configuration Centralized IPSec policy administration through Active Directory Transparent to users and applications Provides restricted access to servers Customizable security configuration Centralized IPSec policy administration through Active Directory IPSec: A framework of open standards to ensure private, secure communications over IP networks through the use of cryptographic security services

Identifying IPSec Scenarios IPSec can be deployed in: Used to protect host-to-host communications Transport mode Used to protect traffic between a host and a network or between two networks Tunnel mode

Understanding Transport Mode Scenarios End-to-End Host Security Server Isolation

Understanding Tunnel Mode Site-to-Site VPN IPSec Tunnel IPSec Tunnel IPSec Gateway IPSec Gateway Windows XP Client FTP Server Site B Site A IPSec Gateway IPSec Gateway

How Does IPSec Secure Traffic? TCP Layer IPSec Driver TCP Layer IPSec Driver Encrypted IP Packets 3 3 Internet Key Exchange (IKE) Negotiation 2 2 IPSec Policy 1 1 Active Directory

Creating IPSec Security Policies IP security policy Rules IP filter lists Filter actions IP filters Can be assigned to domains, sites, and organizational units

Demonstration 1: Configuring and Assigning IP Security Policies Configure and assign an IP Security policy

Understanding Network Isolation Using IPSec Overview of Internet Protocol Security Understanding Network Isolation Using IPSec Understanding Advanced Network Isolation Scenarios

What Is Network Isolation? Benefits of introducing a logical data isolation defense layer include: Additional security Control of who can access specific information Control of computer management Protection against malware attacks A mechanism to encrypt network data Additional security Control of who can access specific information Control of computer management Protection against malware attacks A mechanism to encrypt network data Network isolation: The ability to allow or deny certain types of network access between computers that have direct Internet Protocol connectivity between them

Identifying Trusted Computers Trusted computer: A managed device that is in a known state and meets minimum security requirements Untrusted computer: A device that may not meet the minimum security requirements, mainly because it is unmanaged or not centrally controlled

Goals That Are Achievable Using Network Isolation The following goals can be achieved by using network isolation: Isolate trusted domain member computers from untrusted devices at the network level Help to ensure that a device meets the security requirements required to access a trusted asset Allow trusted domain members to restrict inbound network access to a specific group of domain member computers Focus and prioritize proactive monitoring and compliance efforts Focus security efforts on the few trusted assets that require access from untrusted devices Focus and accelerate remediation and recovery efforts Isolate trusted domain member computers from untrusted devices at the network level Help to ensure that a device meets the security requirements required to access a trusted asset Allow trusted domain members to restrict inbound network access to a specific group of domain member computers Focus and prioritize proactive monitoring and compliance efforts Focus security efforts on the few trusted assets that require access from untrusted devices Focus and accelerate remediation and recovery efforts

Risks That Cannot Be Mitigated Using Isolation Risks that will not be directly mitigated by network isolation include: Trusted users disclosing sensitive data Compromise of trusted user credentials Untrusted computers accessing other untrusted computers Trusted users misusing or abusing their trusted status Lack of security compliance of trusted devices Compromised trusted computers access other trusted computers Trusted users disclosing sensitive data Compromise of trusted user credentials Untrusted computers accessing other untrusted computers Trusted users misusing or abusing their trusted status Lack of security compliance of trusted devices Compromised trusted computers access other trusted computers

How Does Network Isolation Fit into Network Security? Policies, procedures, and awareness Physical security Application Host Internal network Perimeter Data Logical Data Isolation

How Can Network Isolation Be Achieved? Components of the network isolation solution include: Computers that meet the organization’s minimum security requirements Trusted hosts The use of IPSec to provide host authentication and data encryption Host authentication Verification of security group memberships within the local security policy and access control lists of the resource Host authorization

Controlling Computer Access Using Network Access Groups and IPSec Logical Data Isolation Computer Access Permissions (IPSec) Host access permissions IPSec Policy 2 2 Share and Access Permissions Group Policy Dept_Computers NAG Step 1: User attempts to access share on server Step 2: IKE main mode negotiation Step 3: IPSec security method negotiation Step 1: User attempts to access share on server Step 2: IKE main mode negotiation Step 3: IPSec security method negotiation

Controlling Host Access Using Network Access Groups Step 1: User attempts to access share on server Step 2: IKE main mode negotiation Step 3: IPSec security method negotiation Step 4: User host access permissions checked Step 5: Share and access permissions checked Step 1: User attempts to access share on server Step 2: IKE main mode negotiation Step 3: IPSec security method negotiation Step 4: User host access permissions checked Step 5: Share and access permissions checked Logical Data Isolation Computer Access Permissions (IPSec) Host access permissions IPSec Policy Group Policy Dept_Computers NAG 4 4 Dept_Users NAG Share and Access Permissions 5 5

Demonstration 2: Configuring and Implementing Network Access Groups Configure network access groups to enhance security

Understanding Advanced Network Isolation Scenarios Overview of Internet Protocol Security Examining Network Isolation Using IPSec Understanding Advanced Network Isolation Scenarios

Creating the Network Isolation Design The network isolation design process involves: Designing the foundational groups Creating Exemption Lists Planning the computer and network access groups Creating additional isolation groups Traffic modeling Assigning the group and network access group memberships Designing the foundational groups Creating Exemption Lists Planning the computer and network access groups Creating additional isolation groups Traffic modeling Assigning the group and network access group memberships

Designing the Foundational Groups Untrusted Systems Isolation Domain Boundary Isolation Group

Creating Exemptions Lists The following conditions might cause a host to be on the Exemptions List: The host is a computer that trusted hosts require access to but it does not have a compatible IPSec implementation If the host is used for an application that is adversely affected by the three-second fall back to clear delay or by IPSec encapsulation of application traffic If the host has issues that impacts its performance If the host is a domain controller The host is a computer that trusted hosts require access to but it does not have a compatible IPSec implementation If the host is used for an application that is adversely affected by the three-second fall back to clear delay or by IPSec encapsulation of application traffic If the host has issues that impacts its performance If the host is a domain controller

Planning the Computer and Network Access Groups Computer groups: Used to contain members of a specific isolation group Assigned to Group Policy Objects to implement various security settings Used to contain members of a specific isolation group Assigned to Group Policy Objects to implement various security settings Network access groups: Can be one of two types, Allow or Deny Assigned to Group Policy to control Allow or Deny access to a computer Can be one of two types, Allow or Deny Assigned to Group Policy to control Allow or Deny access to a computer

Creating Additional Isolation Groups Reasons to create additional isolation groups include: Encryption requirements Alternative outgoing or incoming network traffic requirements Limited computer or user access required at the network level Encryption requirements Alternative outgoing or incoming network traffic requirements Limited computer or user access required at the network level Isolation Domain Boundary Isolation Group Encryption Isolation Group No Fallback Isolation Group Untrusted Systems

Understanding Traffic Modeling Trusted Devices Isolation domain Boundary Untrusted Exemptions Lists IPSec Plaintext or fall back to clear

Assigning Computer Group and Network Access Group Memberships The final tasks of designing isolation groups include assigning: Place each computer into one group based on communication requirements Computer group membership Place the users and computers that require granular permissions into each previously identified NAG NAG membership

Demonstration 3: Implementing Isolation Groups Implement and deploy Isolation Groups using computer security groups

Network Isolation: Additional Considerations Additional considerations include: The maximum number of concurrent connections by unique hosts to servers using IPSec The maximum token size limitation for hosts using IPSec The maximum number of concurrent connections by unique hosts to servers using IPSec The maximum token size limitation for hosts using IPSec

Understanding Predeployment Considerations Before deploying a network isolation solution, consider the following: Overused devices Incompatible devices IP addressing Client/server participation Services that must be isolated Network load balancing and clustering Overused devices Incompatible devices IP addressing Client/server participation Services that must be isolated Network load balancing and clustering

Session Summary Deploy IPSec to provide authentication and encryption Use a combination of IPSec, security groups, and Group Policy for logical data isolation Use the Boundary zone as a starting point when deploying isolation groups using IPSec Implement additional groups to isolate resources or provide functionality as required

Next Steps Find additional security training events: Sign up for security communications: Get additional security tools and content: Find additional e-learning clinics:

Questions and Answers

Contact Details Paula Kiernan Ward Solutions