Network Isolation Using Group Policy and IPSec - PowerPoint PPT Presentation

1
Network Isolation Using Group Policy and IPSec
  • Paula Kiernan
  • Senior Consultant
  • Ward Solutions

2
Session Prerequisites
  • Hands-on experience with Windows 2000 or Windows
    Server 2003
  • Familiarity with Active Directory and Group
    Policy
  • Knowledge of Windows system security concepts
  • Working knowledge of TCP/IP concepts
  • An understanding of the basics of Internet
    Protocol Security (IPSec)

Level 300
3
Session Overview
  • Overview of Internet Protocol Security
  • Understanding Network Isolation Using IPSec
  • Understanding Advanced Network Isolation
    Scenarios

4
Overview of Internet Protocol Security
  • Overview of Internet Protocol Security
  • Understanding Network Isolation Using IPSec
  • Understanding Advanced Network Isolation
    Scenarios

5
Securing Network Communication: What Are the
Challenges?
Challenges to securing network communication
include
  • Preventing data modification while in transit
  • Preventing data from being read and interpreted
    while in transit
  • Keeping data secure from unauthorized users
  • Keeping data from being captured and replayed

6
What Is Internet Protocol Security?
IPSec: A framework of open standards to ensure
private, secure communications over IP networks
through the use of cryptographic security
services
IPSec provides the following benefits
  • Transparent to users and applications
  • Provides restricted access to servers
  • Customizable security configuration
  • Centralized IPSec policy administration through
    Active Directory

7
Identifying IPSec Scenarios
IPSec can be deployed in
8
Understanding Transport Mode Scenarios
9
Understanding Tunnel Mode
[Figure: Site-to-Site VPN. An IPSec Tunnel runs between the IPSec Gateway at Site A and the IPSec Gateway at Site B; a Windows XP Client at one site reaches an FTP Server at the other through the tunnel.]
10
How Does IPSec Secure Traffic?
11
Creating IPSec Security Policies
[Figure: an IP security policy is made up of rules; each rule pairs one IP filter list (a set of IP filters) with a filter action.]
Can be assigned to domains, sites, and
organizational units
12
Demonstration 1 Configuring and Assigning IP
Security Policies
  • Configure and assign an IP Security policy

13
Understanding Network Isolation Using IPSec
  • Overview of Internet Protocol Security
  • Understanding Network Isolation Using IPSec
  • Understanding Advanced Network Isolation
    Scenarios

14
What Is Network Isolation?
Network isolation: The ability to allow or deny
certain types of network access between computers
that have direct Internet Protocol connectivity
between them
Benefits of introducing a logical data isolation
defense layer include
  • Additional security
  • Control of who can access specific information
  • Control of computer management
  • Protection against malware attacks
  • A mechanism to encrypt network data

15
Identifying Trusted Computers
Trusted computer
A managed device that is in a known state and
meets minimum security requirements
Untrusted computer
A device that may not meet the minimum security
requirements, mainly because it is unmanaged or
not centrally controlled
16
Goals That Are Achievable Using Network Isolation

The following goals can be achieved by using
network isolation
  • Isolate trusted domain member computers from
    untrusted devices at the network level
  • Help to ensure that a device meets the security
    requirements for accessing a trusted asset
  • Allow trusted domain members to restrict inbound
    network access to a specific group of domain
    member computers
  • Focus and prioritize proactive monitoring and
    compliance efforts
  • Focus security efforts on the few trusted assets
    that require access from untrusted devices
  • Focus and accelerate remediation and recovery
    efforts

17
Risks That Cannot Be Mitigated Using Isolation

Risks that will not be directly mitigated by
network isolation include
  • Trusted users disclosing sensitive data
  • Compromise of trusted user credentials
  • Untrusted computers accessing other untrusted
    computers
  • Trusted users misusing or abusing their trusted
    status
  • Lack of security compliance of trusted devices
  • Compromised trusted computers accessing other
    trusted computers

18
How Does Network Isolation Fit into Network
Security?

[Figure: defense-in-depth layers (Policies, procedures, and awareness; Physical security; Perimeter; Internal network; Host; Application; Data), with Logical Data Isolation shown as an additional layer between Internal network and Host.]
19
How Can Network Isolation Be Achieved?

Components of the network isolation solution
include
20
Controlling Computer Access Using Network Access
Groups and IPSec
  • Step 1: User attempts to access share on server
  • Step 2: IKE main mode negotiation
  • Step 3: IPSec security method negotiation

[Figure: layers checked on the server. Computer Access Permissions (IPSec) and Host access permissions together form Logical Data Isolation, beneath Share and Access Permissions; the callout marks step 3.]
21
Controlling Host Access Using Network Access
Groups
  • Step 1: User attempts to access share on server
  • Step 2: IKE main mode negotiation
  • Step 3: IPSec security method negotiation
  • Step 4: User host access permissions checked
  • Step 5: Share and access permissions checked

[Figure: the same layers as the previous slide (Computer Access Permissions (IPSec), Host access permissions, Logical Data Isolation, Share and Access Permissions). Group Policy delivers the IPSec Policy and the Dept_Computers NAG membership to the server; callouts 1, 2 and 3 mark the corresponding steps.]
22
Demonstration 2 Configuring and Implementing
Network Access Groups
  • Configure network access groups to enhance
    security
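
The host access check of Step 4 is carried by the User Rights Assignment settings "Access this computer from the network" and "Deny access to this computer from the network". As an added example that is not code from the presentation or from Ward Solutions, the following PowerShell script applies those two rights to a single test host through a security template and `secedit`; it is the local equivalent of the setting the deck pushes through Group Policy, so you can see exactly what an Allow NAG and a Deny NAG change on the host. The domain name CONTOSO and the group Dept_Deny NAG are hypothetical placeholders; Dept_Computers NAG is the Allow NAG named on the slide.

```powershell
# Added example (not from the presentation): apply the host-access half of a
# Network Access Group to one machine with a security template and secedit.
# In production the same two settings are delivered by Group Policy under
# Computer Configuration > Windows Settings > Security Settings >
# Local Policies > User Rights Assignment.
# CONTOSO and "Dept_Deny NAG" are placeholders; replace with your own.

param(
    [string]$Domain   = 'CONTOSO',            # assumed domain NetBIOS name
    [string]$AllowNag = 'Dept_Computers NAG', # Allow NAG from the slide
    [string]$DenyNag  = 'Dept_Deny NAG'       # hypothetical Deny NAG
)

# Security template. Group names are resolved by secedit when it is applied.
# Administrators (S-1-5-32-544) stay in the Allow right so the host remains
# manageable over the network after the template is applied.
$template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
; Allow NAG: "Access this computer from the network" (SeNetworkLogonRight).
; IKE with Kerberos authentication logs the peer computer account on, so the
; computer account is subject to this right at Step 2/3, and the user at Step 4.
SeNetworkLogonRight = *S-1-5-32-544,$Domain\$AllowNag
; Deny NAG: "Deny access to this computer from the network" always wins
; over the Allow right, which is why Allow and Deny NAGs are separate groups.
SeDenyNetworkLogonRight = $Domain\$DenyNag
"@

$inf = Join-Path $env:TEMP 'nag-host-access.inf'
$db  = Join-Path $env:TEMP 'nag-host-access.sdb'
# Templates with [Unicode] Unicode=yes must be written as UTF-16.
Set-Content -Path $inf -Value $template -Encoding Unicode

# Apply only the user-rights area; other areas of local policy are untouched.
secedit /configure /db $db /cfg $inf /areas USER_RIGHTS /quiet

# Verify: export the effective user rights and show the two NAG settings.
$out = Join-Path $env:TEMP 'nag-host-access-export.inf'
secedit /export /cfg $out /areas USER_RIGHTS /quiet
Get-Content $out | Where-Object { $_ -match 'NetworkLogonRight' }
```

Run it in an elevated PowerShell session on a test host, never on a production server until the group memberships have been reviewed: an empty or mistyped Allow list locks every remote user and computer out of the host, and a Deny NAG that accidentally contains the administrators' workstations does the same for the people who would fix it.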

23
Understanding Advanced Network Isolation Scenarios
  • Overview of Internet Protocol Security
  • Examining Network Isolation Using IPSec
  • Understanding Advanced Network Isolation
    Scenarios

24
Creating the Network Isolation Design
The network isolation design process involves
  • Designing the foundational groups
  • Creating Exemption Lists
  • Planning the computer and network access groups
  • Creating additional isolation groups
  • Traffic modeling
  • Assigning the group and network access group
    memberships

25
Designing the Foundational Groups

[Figure: the foundational groups are the Isolation Domain, the Boundary Isolation Group, and Untrusted Systems.]
26
Creating Exemptions Lists
The following conditions might cause a host to be
on the Exemptions List
  • The host is a computer that trusted hosts require
    access to, but it does not have a compatible
    IPSec implementation
  • The host is used for an application that is
    adversely affected by the three-second
    fall-back-to-clear delay or by IPSec
    encapsulation of application traffic
  • The host has issues that impact its performance
  • The host is a domain controller

27
Planning the Computer and Network Access Groups
Computer groups
  • Used to contain members of a specific isolation
    group
  • Assigned to Group Policy Objects to implement
    various security settings

Network access groups
  • Can be one of two types, Allow or Deny
  • Assigned to Group Policy to control Allow or Deny
    access to a computer

28
Creating Additional Isolation Groups
Reasons to create additional isolation groups
include
  • Encryption requirements
  • Alternative outgoing or incoming network traffic
    requirements
  • Limited computer or user access required at the
    network level

[Figure: the Isolation Domain with an Encryption Isolation Group and a No Fallback Isolation Group inside it, alongside Untrusted Systems.]
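
As an added example (not code from the presentation or from Ward Solutions), the following PowerShell script builds the objects of the slide 11 structure (policy, rules, IP filter lists with IP filters, filter actions) with the Windows Server 2003 / Windows XP `netsh ipsec static` context, one policy per isolation group from slides 25 and 28, plus an Exemptions List rule for the hosts of slide 26. The addresses (10.0.0.0/8 as the corporate network, 10.0.0.10 and 10.0.0.11 as domain controllers), the policy and filter-action names, and the choice of security method per group are assumptions for illustration; the deck does not specify them.

```powershell
# Added example (not from the presentation): one IPSec policy per isolation
# group, built with "netsh ipsec static". Every policy has the same two rules
# (exempt hosts, then secure corporate traffic); only the filter action
# differs, and that difference is what makes the groups distinct.
# Addresses and names below are assumed for illustration.

$corpNet  = '10.0.0.0'; $corpMask = '255.0.0.0'   # assumed internal range
$exempt   = @('10.0.0.10', '10.0.0.11')            # assumed domain controllers

# --- IP filter lists and IP filters (mirrored = both directions) --------
netsh ipsec static add filterlist name="All Corporate Traffic"
netsh ipsec static add filter filterlist="All Corporate Traffic" `
    srcaddr=me dstaddr=$corpNet dstmask=$corpMask protocol=ANY mirrored=yes
netsh ipsec static add filterlist name="Exemptions List"
foreach ($dc in $exempt) {
    netsh ipsec static add filter filterlist="Exemptions List" `
        srcaddr=me dstaddr=$dc protocol=ANY mirrored=yes
}

# --- Filter actions, one per isolation group ----------------------------
# soft=yes     : fall back to clear when the peer never answers IKE
# inpass=yes   : accept inbound clear text and reply in clear (Boundary only)
# qmsecmethods : ESP[None,SHA1] = integrity only; ESP[3DES,SHA1] = encrypted
netsh ipsec static add filteraction name="Permit Exempt" action=permit
netsh ipsec static add filteraction name="Boundary Request" action=negotiate `
    inpass=yes soft=yes qmsecmethods="ESP[None,SHA1]"
netsh ipsec static add filteraction name="Isolation Require" action=negotiate `
    inpass=no soft=yes qmsecmethods="ESP[None,SHA1]"
netsh ipsec static add filteraction name="No Fallback Require" action=negotiate `
    inpass=no soft=no qmsecmethods="ESP[None,SHA1]"
netsh ipsec static add filteraction name="Encryption Require" action=negotiate `
    inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]"

# --- Policies: same rule shape, different filter action -----------------
$groups = @{
    'Boundary Isolation Group'    = 'Boundary Request'
    'Isolation Domain'            = 'Isolation Require'
    'No Fallback Isolation Group' = 'No Fallback Require'
    'Encryption Isolation Group'  = 'Encryption Require'
}
foreach ($g in $groups.Keys) {
    netsh ipsec static add policy name="$g" description="Logical data isolation: $g"
    # Exemption rule: the permit action applies to DCs regardless of group.
    netsh ipsec static add rule name="Exempt hosts" policy="$g" `
        filterlist="Exemptions List" filteraction="Permit Exempt"
    # Kerberos (computer account) authentication for IKE main mode.
    netsh ipsec static add rule name="Secure corporate traffic" policy="$g" `
        filterlist="All Corporate Traffic" filteraction="$($groups[$g])" kerberos=yes
}

# A computer can have only one assigned IPSec policy at a time; assign the
# Boundary policy locally for testing and display the result.
netsh ipsec static set policy name="Boundary Isolation Group" assign=y
netsh ipsec static show policy name="Boundary Isolation Group" level=verbose
```

Run it in an elevated session on a test host. The policies above land in the local store; to create them in Active Directory for assignment through Group Policy, switch the store first with `netsh ipsec static set store location=domain`, then link each policy from the GPO whose security filtering targets the matching computer security group. The Boundary policy is the safe starting point the summary slide recommends: with `inpass=yes` and `soft=yes` it never blocks a peer that cannot negotiate, so a misconfigured filter list shows up as unexpected clear-text sessions rather than as an outage.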
29
Understanding Traffic Modeling
[Figure: traffic model between Trusted Devices (Isolation domain and Boundary), hosts on the Exemptions Lists, and Untrusted devices; flows 1 to 7 are each marked either as IPSec or as plaintext / fall back to clear.]
30
Assigning Computer Group and Network Access Group
Memberships
The final tasks of designing isolation groups
include assigning
  • Computer group membership: place each computer
    into one group based on communication
    requirements
  • NAG membership: place the users and computers
    that require granular permissions into each
    previously identified NAG
31
Demonstration 3 Implementing Isolation Groups
  • Implement and deploy Isolation Groups using
    computer security groups

32
Network Isolation Additional Considerations
Additional considerations include
  • The maximum number of concurrent connections by
    unique hosts to servers using IPSec
  • The maximum token size limitation for hosts
    using IPSec

33
Understanding Predeployment Considerations
Before deploying a network isolation solution,
consider the following
  • Overused devices
  • Incompatible devices
  • IP addressing
  • Client/server participation
  • Services that must be isolated
  • Network load balancing and clustering

34
Session Summary
  • Deploy IPSec to provide authentication and
    encryption
  • Use a combination of IPSec, security groups, and
    Group Policy for logical data isolation
  • Implement additional groups to isolate resources
    or provide functionality as required
  • Use the Boundary zone as a starting point when
    deploying isolation groups using IPSec
35
Next Steps
  • Find additional security training events
  • http://www.microsoft.com/ireland/security/training.asp
  • Sign up for security communications
  • http://www.microsoft.com/technet/security/signup/default.mspx
  • Get additional security tools and content
  • http://www.microsoft.com/security/guidance/default.mspx
  • Find additional e-learning clinics
  • https://www.microsoftelearning.com/security

36
Questions and Answers
37
Contact Details
  • Paula Kiernan
  • Ward Solutions
  • paula.kiernan@ward.ie
  • www.ward.ie