Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Session Prerequisites
- Hands-on experience with Windows 2000 or Windows Server 2003
- Familiarity with Active Directory and Group Policy
- Knowledge of Windows system security concepts
- Working knowledge of TCP/IP concepts
- An understanding of the basics of Internet Protocol Security (IPSec)
Level 300

Session Overview
- Overview of Internet Protocol Security
- Understanding Network Isolation Using IPSec
- Understanding Advanced Network Isolation Scenarios

Overview of Internet Protocol Security

Securing Network Communication: What Are the Challenges?
Challenges to securing network communication include:
- Preventing data modification while in transit (integrity)
- Preventing data from being read and interpreted while in transit (confidentiality)
- Keeping data secure from unauthorized users (authenticating the peer before any data is exchanged)
- Keeping data from being captured and replayed (replay protection)

What Is Internet Protocol Security?
IPSec: A framework of open standards to ensure private, secure communications over IP networks through the use of cryptographic security services
IPSec provides the following benefits:
- Transparent to users and applications, because protection is applied at the IP layer, below TCP and UDP
- Provides restricted access to servers: a server can require every peer to authenticate before it accepts any traffic
- Customizable security configuration (authentication method, integrity and encryption algorithms, and which traffic is covered)
- Centralized IPSec policy administration through Active Directory and Group Policy

Identifying IPSec Scenarios
IPSec can be deployed in:
- Transport mode: used to protect host-to-host communications; the original IP header is kept and only the payload is authenticated or encrypted
- Tunnel mode: used to protect traffic between a host and a network or between two networks; the whole original packet is wrapped in a new IP packet addressed to the tunnel endpoint
Windows IPSec tunnel mode is intended for gateway-to-gateway (site-to-site) links; remote access clients use L2TP/IPSec instead.

Understanding Transport Mode Scenarios
- End-to-end host security
- Server isolation

Understanding Tunnel Mode
Site-to-site VPN (diagram): a Windows XP client at Site A reaches an FTP server at Site B through an IPSec tunnel between the IPSec gateway of each site; only the gateway-to-gateway leg is protected by the tunnel.

How Does IPSec Secure Traffic? (diagram)
1. IPSec policy: each host receives its IPSec policy, typically delivered from Active Directory through Group Policy
2. Internet Key Exchange (IKE) negotiation: the two hosts authenticate each other and agree on keys and security methods
3. Encrypted IP packets: the IPSec driver on each host, sitting below the TCP layer, protects the packets that match the policy's filters

Creating IPSec Security Policies
An IP security policy is built from:
- Rules: each rule pairs one IP filter list with one filter action, and also specifies the authentication method (Kerberos, certificate, or preshared key), the tunnel setting, and the connection type
- IP filter lists: collections of IP filters
- IP filters: match traffic by source and destination address, protocol, and port
- Filter actions: Permit, Block, or Negotiate security (with the security methods to negotiate)
Policies can be assigned to domains, sites, and organizational units through Group Policy; only one IPSec policy is in effect on a computer at a time, so policies are designed per computer group rather than merged.

Demonstration 1: Configuring and Assigning IP Security Policies Configure and assign an IP Security policy

Understanding Network Isolation Using IPSec

What Is Network Isolation?
Network isolation: The ability to allow or deny certain types of network access between computers that have direct Internet Protocol connectivity between them
Benefits of introducing a logical data isolation defense layer include:
- Additional security: a device that can reach a trusted host by IP still cannot exchange data with it without authenticating first
- Control of who can access specific information
- Control of computer management: only managed computers qualify as trusted hosts, which gives unmanaged devices a reason to come under management
- Protection against malware attacks: an infected untrusted device cannot reach trusted hosts, which limits how far an outbreak spreads
- A mechanism to encrypt network data where a resource requires it

Identifying Trusted Computers
- Trusted computer: A managed device that is in a known state and meets minimum security requirements
- Untrusted computer: A device that may not meet the minimum security requirements, mainly because it is unmanaged or not centrally controlled

Goals That Are Achievable Using Network Isolation
The following goals can be achieved by using network isolation:
- Isolate trusted domain member computers from untrusted devices at the network level
- Help to ensure that a device meets the security requirements required to access a trusted asset
- Allow trusted domain members to restrict inbound network access to a specific group of domain member computers
- Focus and prioritize proactive monitoring and compliance efforts
- Focus security efforts on the few trusted assets that require access from untrusted devices
- Focus and accelerate remediation and recovery efforts

Risks That Cannot Be Mitigated Using Isolation
Risks that will not be directly mitigated by network isolation include:
- Trusted users disclosing sensitive data
- Compromise of trusted user credentials
- Untrusted computers accessing other untrusted computers
- Trusted users misusing or abusing their trusted status
- Lack of security compliance of trusted devices
- Compromised trusted computers accessing other trusted computers
Network isolation authenticates and authorizes computers; it does not control what a legitimately trusted user, or an already compromised trusted host, then does with its access. Those risks need host, application, and data-layer controls.

How Does Network Isolation Fit into Network Security? (defense-in-depth diagram)
Layers, from the outside in: Policies, procedures, and awareness; Physical security; Perimeter; Internal network; Host; Application; Data
Logical data isolation adds a layer between the internal network and the host: being on the network no longer implies being able to reach a host.

How Can Network Isolation Be Achieved?
Components of the network isolation solution include:
- Trusted hosts: computers that meet the organization's minimum security requirements
- Host authentication: the use of IPSec to provide host authentication and, where required, data encryption
- Host authorization: verification of security group memberships against the local security policy of the host (its network logon rights) and the access control lists of the resource

Controlling Computer Access Using Network Access Groups and IPSec (diagram)
Step 1: User attempts to access a share on the server
Step 2: IKE main mode negotiation; the client computer authenticates, and its membership in the Dept_Computers network access group (NAG), applied through Group Policy and the server's IPSec policy, decides whether the computer may talk to the server at all
Step 3: IPSec security method negotiation

Controlling Host Access Using Network Access Groups (diagram)
Step 1: User attempts to access a share on the server
Step 2: IKE main mode negotiation; the client computer is checked against the Dept_Computers NAG (computer access permissions, enforced through the IPSec policy and Group Policy)
Step 3: IPSec security method negotiation
Step 4: User host access permissions checked; the user is checked against the Dept_Users NAG, that is, the server's "Access this computer from the network" and "Deny access to this computer from the network" rights set by Group Policy
Step 5: Share and NTFS access permissions checked
Each step only runs if the previous one succeeded, so an untrusted computer never reaches the user and share checks, and a deny NAG entry wins over any allow entry.
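As an added example (it is not part of the session or its demonstrations), the following PowerShell script audits the two user rights that steps 2 and 4 above depend on, so you can confirm on a given server that the network access groups are really in place. It assumes a Windows host with PowerShell and secedit.exe, run elevated; the group names CONTOSO\Dept_Computers and CONTOSO\DNAG_Contractors are constructed placeholders, not names from the session.

```powershell
# Added example, not from the original session: audit the network logon rights
# that a network access group (NAG) design is built on.
# Assumptions: Windows with PowerShell and secedit.exe, run as an administrator.
# The group names are constructed placeholders.
param(
    [string]$AllowNag = 'CONTOSO\Dept_Computers',   # expected in "Access this computer from the network"
    [string]$DenyNag  = 'CONTOSO\DNAG_Contractors'  # expected in "Deny access to this computer from the network"
)

$inf = Join-Path $env:TEMP 'userrights.inf'
# secedit writes the effective local security settings (after Group Policy) to a Unicode INF
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $inf)) { throw 'secedit export failed; run from an elevated prompt' }

function Resolve-Principal([string]$token) {
    # INF entries look like *S-1-5-32-544; entries without the * prefix are already names
    if (-not $token.StartsWith('*S-')) { return $token }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($token.Substring(1))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $token.Substring(1)   # orphaned SID: keep it visible instead of hiding it
    }
}

function Get-Right([string]$name) {
    # Returns the principals holding one user right, e.g. SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544
    $line = Get-Content $inf -Encoding Unicode | Where-Object { $_ -match "^$name\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Split(',') | ForEach-Object { Resolve-Principal $_.Trim() }
}

$allow = @(Get-Right 'SeNetworkLogonRight')
$deny  = @(Get-Right 'SeDenyNetworkLogonRight')
Remove-Item $inf

"Access this computer from the network:         " + ($allow -join ', ')
"Deny access to this computer from the network: " + ($deny  -join ', ')

# Check 1: the allow right must still name the expected NAG, or trusted hosts lose access
if ($allow -notcontains $AllowNag) { Write-Warning "$AllowNag is not in SeNetworkLogonRight" }
# Check 2: the deny NAG must be present; a deny right always wins over an allow right
if ($deny -notcontains $DenyNag)   { Write-Warning "$DenyNag is not in SeDenyNetworkLogonRight" }
# Check 3: if Everyone or Authenticated Users still hold the allow right, the NAG restricts nothing
$broad = @('Everyone', 'NT AUTHORITY\Authenticated Users')
foreach ($p in $allow) {
    if ($broad -contains $p) { Write-Warning "$p still has network logon; the NAG is not restrictive" }
}
# Check 4: a principal in both lists is effectively denied, a common cause of unexpected outages
foreach ($p in $allow) {
    if ($deny -contains $p) { Write-Warning "$p is both allowed and denied; deny wins" }
}
```

Run it on the server that hosts the share after the NAG Group Policy has applied (gpupdate /force first). The same two rights are what IKE consults for the computer account in step 2 and what the server consults for the user in step 4, so an empty or over-broad SeNetworkLogonRight means the isolation is not doing what the design says.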

Demonstration 2: Configuring and Implementing Network Access Groups Configure network access groups to enhance security

Understanding Advanced Network Isolation Scenarios

Creating the Network Isolation Design
The network isolation design process involves:
1. Designing the foundational groups
2. Creating Exemption Lists
3. Planning the computer and network access groups
4. Creating additional isolation groups
5. Traffic modeling
6. Assigning the computer group and network access group memberships

Designing the Foundational Groups
- Untrusted Systems: devices that are not domain members or do not meet the minimum requirements; they receive no IPSec policy
- Isolation Domain: the default group for trusted hosts; members require IPSec for inbound traffic but may fall back to clear for outbound traffic to hosts that do not answer IKE
- Boundary Isolation Group: trusted hosts that must also accept unsecured inbound traffic from untrusted devices, for example a server that untrusted clients need to reach

Creating Exemptions Lists
The following conditions might cause a host to be on the Exemptions List:
- The host is a computer that trusted hosts require access to, but it does not have a compatible IPSec implementation
- The host is used for an application that is adversely affected by the three-second fall-back-to-clear delay or by IPSec encapsulation of application traffic
- The host has issues that impact its performance, such as a heavily loaded server that cannot absorb the IKE and IPSec processing cost
- The host is a domain controller: domain members must reach a domain controller for Kerberos tickets before IKE can authenticate with Kerberos, so domain controllers cannot require IPSec from their clients
Exempted hosts are reachable in plaintext, so they are the first place an untrusted device will probe; keep the list short and review it regularly.

Planning the Computer and Network Access Groups
Computer groups:
- Used to contain the members of a specific isolation group
- Assigned to Group Policy Objects (through security filtering) to deliver that group's IPSec policy and other security settings
Network access groups:
- Can be one of two types, Allow or Deny
- Assigned through Group Policy to the "Access this computer from the network" (Allow) or "Deny access to this computer from the network" (Deny) user right on the hosts they protect

Creating Additional Isolation Groups
Reasons to create additional isolation groups include:
- Encryption requirements
- Alternative outgoing or incoming network traffic requirements
- Limited computer or user access required at the network level
Resulting group layout (diagram): Untrusted Systems; Isolation Domain; Boundary Isolation Group; Encryption Isolation Group; No Fallback Isolation Group

Understanding Traffic Modeling (diagram)
- Trusted devices (Isolation domain and Boundary group): traffic between them is protected by IPSec
- Exemptions List hosts and Untrusted devices: traffic to and from them is plaintext, or falls back to clear after the IKE negotiation times out

Assigning Computer Group and Network Access Group Memberships
The final tasks of designing isolation groups include assigning:
- Computer group membership: place each computer into exactly one isolation group, based on its communication requirements
- NAG membership: place the users and computers that require granular permissions into each previously identified NAG
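To show how the policy objects from "Creating IPSec Security Policies" (policy, rules, filter lists, filters, filter actions) turn into the isolation groups designed in the steps above, here is an added example (not the session's own demonstration) that builds all four trusted-host policies with netsh ipsec static so their filter actions can be compared side by side. It assumes Windows Server 2003 and an elevated PowerShell prompt; the domain controller address 10.0.0.10, the policy names, and the choice of ESP security methods are constructed for the example. In a real deployment the same commands are run against the domain store (netsh ipsec static set store location=domain) and each policy is assigned to its computer group by a GPO, not by a local assignment.

```powershell
# Added example, not from the original session: local IPSec policies for the
# four trusted-host isolation groups, built with netsh ipsec static.
# Assumptions: Windows Server 2003, elevated prompt. Addresses and names are constructed.
$ErrorActionPreference = 'Stop'
$dc = '10.0.0.10'   # constructed: a domain controller on the Exemptions List

# Filter lists: one catch-all and one for exempt hosts. Windows applies the most
# specific matching filter, so the DC filter takes precedence over "All IP Traffic".
netsh ipsec static add filterlist name="All IP Traffic"
netsh ipsec static add filter filterlist="All IP Traffic" srcaddr=Me dstaddr=Any protocol=ANY mirrored=yes
netsh ipsec static add filterlist name="Exemptions"
netsh ipsec static add filter filterlist="Exemptions" srcaddr=Me dstaddr=$dc protocol=ANY mirrored=yes

# Filter actions: two switches define each isolation group.
#   inpass=yes  accept unsecured inbound traffic, but always reply with IPSec (boundary behaviour)
#   soft=yes    fall back to clear when the peer does not answer IKE (the three-second delay)
# ESP[NONE,SHA1] authenticates only; ESP[3DES,SHA1] also encrypts.
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add filteraction name="IsolationDomain" action=negotiate inpass=no  soft=yes qmsecmethods="ESP[NONE,SHA1]"
netsh ipsec static add filteraction name="Boundary"        action=negotiate inpass=yes soft=yes qmsecmethods="ESP[NONE,SHA1]"
netsh ipsec static add filteraction name="NoFallback"      action=negotiate inpass=no  soft=no  qmsecmethods="ESP[NONE,SHA1]"
netsh ipsec static add filteraction name="Encryption"      action=negotiate inpass=no  soft=no  qmsecmethods="ESP[3DES,SHA1]"

function New-IsolationPolicy([string]$Name, [string]$Action) {
    # One policy per isolation group; both rules authenticate with Kerberos (domain members only).
    netsh ipsec static add policy name="$Name" description="Trusted hosts, $Name"
    # Exempt rule first: domain controllers must stay reachable for Kerberos before IKE can use it.
    netsh ipsec static add rule name="Exempt DCs"     policy="$Name" filterlist="Exemptions"     filteraction="Permit"
    netsh ipsec static add rule name="Secure traffic" policy="$Name" filterlist="All IP Traffic" filteraction="$Action" kerberos=yes
}

New-IsolationPolicy 'Isolation Domain'  'IsolationDomain'
New-IsolationPolicy 'Boundary Group'    'Boundary'
New-IsolationPolicy 'No Fallback Group' 'NoFallback'
New-IsolationPolicy 'Encryption Group'  'Encryption'

# Only one policy is in effect per computer: assign the one for this host's group.
netsh ipsec static set policy name="Isolation Domain" assign=y

# Verification: after exchanging traffic with another trusted host, a quick mode SA
# should be listed for it, and none for the exempted domain controller.
netsh ipsec static show policy name="Isolation Domain" level=verbose
netsh ipsec dynamic show qmsas
```

Reading the four filter actions top to bottom is the whole design: the Isolation Domain and Boundary policies differ only in inpass, the No Fallback policy only in soft, and the Encryption policy only in the ESP confidentiality algorithm. When the quick mode SA listing is empty for a peer that should be trusted, the usual causes are that the peer's computer account is missing from the allow NAG, that the domain controller is not on the Exemptions List, or that the two hosts have different policies assigned.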

Demonstration 3: Implementing Isolation Groups Implement and deploy Isolation Groups using computer security groups

Network Isolation: Additional Considerations
Additional considerations include:
- The maximum number of concurrent connections by unique hosts to servers using IPSec: every unique peer costs the server an IKE negotiation and security association state, so busy servers with thousands of clients must be sized for it
- The maximum token size limitation for hosts using IPSec: NAG memberships add groups to the Kerberos token, and a token that exceeds MaxTokenSize (12,000 bytes by default on Windows 2000 and Windows Server 2003) causes authentication failures

Understanding Predeployment Considerations
Before deploying a network isolation solution, consider the following:
- Overused devices
- Incompatible devices
- IP addressing
- Client/server participation
- Services that must be isolated
- Network load balancing and clustering

Session Summary
- Deploy IPSec to provide authentication and encryption
- Use a combination of IPSec, security groups, and Group Policy for logical data isolation
- Use the Boundary zone as a starting point when deploying isolation groups using IPSec
- Implement additional groups to isolate resources or provide functionality as required

Next Steps
- Find additional security training events:
- Sign up for security communications:
- Get additional security tools and content:
- Find additional e-learning clinics:

Questions and Answers

Contact Details Paula Kiernan Ward Solutions