Improving Security with Domain Isolation
Microsoft IT Implements IP Security (IPsec)
Published: June 2004
Solution Overview
Situation
● Managed computers had to be isolated from unmanaged computers to improve security
Solution
● Deployment of IPsec
Benefits
● Allows creation of logical secure network segments
● Works independently of other infrastructure for end-to-end security
● Can be deployed and managed centrally
Products and Technologies
● IPsec protocols (ESP, IKE)
● Windows Server 2003
● Windows XP Professional SP1
● Windows 2000 SP3
● Group Policy
● Active Directory
● PKI and CA
Levels of Trusted Assets
[Diagram: levels of trusted assets on the Microsoft Corporate Network, with approximate computer counts]
● SecureNet: Clients, Servers, Home LAN, Trustworthy Labs (203,000)
● Untrustworthy Labs (75,000)
● PocketPC/Xbox (18,000)
● MAC (2,000)
● Boundary Machines (5,000)
● Infrastructure (500): DHCP, DNS, WINS, DC
● Internet Servers, Business Partners, Extranet
● DTaps (no connectivity to CorpNet) (1,800)
● External Exclusions and Internal Exclusions
● Microsoft Corporate Network: ACL Controlled
Business Benefits
● Decreased network risks
● Improved asset management information
Business Benefits
● Protection of intellectual property
● Increased policy compliance
● Improved malware detection
Domain Isolation at Microsoft
● IPsec allows creation of logical, secure networks within a larger network
● Group Policy provides a framework for easily deploying IPsec to hosts
● Active Directory infrastructure and Group Policy enable deployment and administration of IPsec enterprise wide
Domain Isolation at Microsoft
● Microsoft IT considered two segmentation technologies:
  ● IPsec provides end-to-end authentication and encryption between hosts on a network
  ● 802.1x provides only authentication
● Microsoft IT chose IPsec because it is a complete solution
Domain Isolation at Microsoft
● IPsec is a standards-based framework of security protocols and cryptographic services
● IPsec is a foundation for a secure environment, but is not a secure environment itself
● Microsoft IT uses two of the four nodes in IPsec negotiated security
Domain Isolation at Microsoft
● Active and challenging security environment at Microsoft
● Unique aspects of the Microsoft environment include:
  ● Multiple computers per user
  ● Diverse desktop implementations
  ● Frequently rebuilt computers
  ● Diverse mix of approved software versions
Planning
1. Determine segmentation requirements
2. Choose technology
3. Design IPsec/group policies
4. Test policies/IPsec functionality and behaviors
5. Create a rollout schedule
Planning
● Test process and strategy
  ● Focus on minimal user impact
  ● Phased subnet deployment approach
  ● Creation of new rule/filter list and assignment of secure request filter action
  ● Change of rollout process to deploy to individual domains instead of subnets
Planning
● Communication with users
  ● Transparency of IPsec deployment to users
  ● Low volume of Helpdesk calls
  ● Training of Helpdesk personnel
  ● Restrictions on access to servers that contain sensitive information
  ● Notifications of deployment progress and system requirements
Deployment
● Group Policy for IPsec distribution
  ● Create dedicated GPOs for IPsec
  ● Create security groups
  ● Create universal security groups to control the application of GPOs
  ● Create a universal security group for group/IPsec policy administration
  ● Administer Group Policy
Deployment
[Diagram: structure of an IPsec policy]
● IPsec Policy: contains Rules and Key Exchange Methods (IKE)
● Rule: Filter List, Action, Authentication Methods (Kerberos, Certificates, Static Keys), Security Methods (Encryption, Hashing, Key Lifetimes)
● Filter List: contains Filters
IPsec policies are applied to a GPO, contain a set of rules, and specify how to perform IKE.
Each rule associates a Filter List with an Action, and specifies authentication methods.
A Filter List specifies a set of individual filters, and is used to group filters together in a rule.
A Filter describes a pattern of traffic to match, by IP address, subnet, port, and protocol for both ends of a connection.
An Action designates what to do with traffic that matches a filter: Permit, Block, or Negotiate Security.
Deployment
● Policy settings
  ● Different IPsec policies via different GPOs during different phases of deployment
● IPsec filter design
  ● Basic filter rules as the default policy
  ● Management and deployment of IPsec through Group Policy and Active Directory
  ● No active IPsec policies on the Internet-facing NIC of multi-homed computers
Deployment
● Some computers and devices cannot use IPsec
● These computers and devices cannot access computers inside SecureNet
● Exception servers can become boundary machines
● Legacy and test environments are not a priority for adding to SecureNet
Deployment
● Managing boundary computers
  ● Extra management and security
  ● Creation of security groups
● Deploying boundary computers
  ● Request process
  ● Case-by-case basis for granting insecure network traffic
Known Issues and Problem Applications
● LAN performance
  ● Added bandwidth consumption
● CPU performance
  ● Negligible overhead on most clients
● IPsec and Windows VPN servers
  ● Special IPsec policies for deployments that use Kerberos
Known Issues and Problem Applications
● RFC 1918 private IP ranges
  ● Connecting to the corporate network through a VPN requires use of specific private IP ranges
  ● Two private subnets are excluded from the list of secure subnets
Known Issues and Problem Applications
● Network device issues
  ● IPsec changes TCP/IP offsets for destination ports and protocols
  ● IPsec generally defeats network-based prioritization and port- or protocol-based traffic management
  ● IPsec adds to use of system resources
Known Issues and Problem Applications
● Filter processing issues
  ● IPsec driver caches filters that match a particular connection
● IPsec and NLB clusters
  ● Clients connected to an offline server must renegotiate the connection
  ● If a node in the cluster fails, IPsec connections cannot rebuild the security association until the preset time-out period
Known Issues and Problem Applications
● NAT-T
  ● NAT-T addresses problems between NAT and IPsec
● Troubleshooting issues
  ● IPsec depends on correct configuration of supporting technologies
  ● Microsoft IT enables auditing using domain-based group policies
  ● Diagnostics may require Oakley logging
Best Practices
● Group Policy design
  ● Set up group policies for all behavior types to support IPsec testing
  ● Filter the “Apply Group Policy” ACE for each policy to only the limited security user groups
  ● Use a naming convention that covers the policy and group function for easier management and troubleshooting
Best Practices
● IPsec design
  ● Minimize the overall number of filters
  ● Use “Any” instead of “Me” as the base approach to filter design
  ● Create “Any <-> Corporate subnet” rules instead of “Me <-> Any” for secure subnets
  ● Manage permitted subnets
  ● Use “Any” rules for virtual IP addresses used by clusters
Best Practices
● IPsec design
  ● Permit unsecured traffic to infrastructure servers
  ● Use Kerberos as the default authentication mechanism
  ● Set NoDefaultExempt = 1 via group policy ADM template
  ● Permit the ICMP protocol
Best Practices
● IPsec design
  ● Minimize securing by port or protocol
  ● Avoid “Any <-> Any” filters
  ● Don’t use the IPsec Default Response rule with a custom policy
Best Practices
● Deployment options
  ● Deploy by subnet
  ● Deploy by security group
  ● Deploy by domain
Best Practices
● Recommended deployment steps
  ● Pilot Request Mode IPsec
  ● Deploy Request Mode IPsec
  ● Pilot Secure Request IPsec policy
  ● Deploy Secure Request IPsec policy
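The policy-object model from the Deployment slides (policy, rules, filter list, filter, action), the filter-design advice above (Any <-> Corporate subnet, permit infrastructure servers and ICMP, no Any <-> Any) and the Request Mode versus Secure Request rollout steps, worked through in an added Python example that is not Microsoft IT's code or a Windows API. Addresses, rule names and the filter-ranking order are constructed assumptions.

```python
# Added example, not from the deck: toy model of the IPsec policy objects
# (policy -> rules -> filter list + action); the ranking order is an assumption.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
PERMIT, BLOCK, NEGOTIATE = "Permit", "Block", "Negotiate Security"

@dataclass
class Filter:
    src: str = "0.0.0.0/0"  # "Any" source address
    dst: str = "0.0.0.0/0"  # "Any" destination address
    proto: str = "any"      # "any", "tcp", "udp", "icmp"
    port: int = 0           # destination port, 0 = any port

    def matches(self, pkt):
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and self.port in (0, pkt.get("port", 0)))

    def weight(self):
        # Assumed specificity order: protocol, then port, then address narrowness,
        # so an "Any <-> Any, ICMP" permit outranks the subnet-wide negotiate rule.
        return (self.proto != "any", self.port != 0,
                ip_network(self.src).prefixlen + ip_network(self.dst).prefixlen)

@dataclass
class Rule:
    name: str
    filter_list: list  # the Filter List: one or more Filter objects
    action: str        # PERMIT, BLOCK or NEGOTIATE

def evaluate(rules, pkt, peer_does_ipsec, fallback_to_clear):
    """Outcome for one outbound packet: (rule name, 'clear' | 'ipsec' | 'blocked').
    fallback_to_clear=True models Request Mode; False models Secure Request."""
    hits = [(f.weight(), r) for r in rules for f in r.filter_list if f.matches(pkt)]
    if not hits:  # no "Any <-> Any" filter, so unmatched traffic passes in the clear
        return ("<none>", "clear")
    rule = max(hits, key=lambda h: h[0])[1]
    if rule.action == PERMIT:
        return (rule.name, "clear")
    if rule.action == BLOCK:
        return (rule.name, "blocked")
    if peer_does_ipsec:
        return (rule.name, "ipsec")
    return (rule.name, "clear" if fallback_to_clear else "blocked")

# Constructed policy following the deck's filter-design advice (placeholder ranges).
CORP = "10.0.0.0/8"
INFRA = ["10.0.0.5/32", "10.0.0.6/32"]  # placeholder DC/DNS/DHCP addresses
POLICY = [
    Rule("Permit infrastructure", [Filter(dst=a) for a in INFRA], PERMIT),
    Rule("Permit ICMP", [Filter(proto="icmp")], PERMIT),
    Rule("Secure corporate subnet", [Filter(dst=CORP)], NEGOTIATE),  # outbound half of Any <-> Corp
]
```

Running the same packet to an unmanaged peer with `fallback_to_clear=True` and then `False` shows why the deck pilots Request Mode first: the switch to Secure Request is the moment non-IPsec devices become isolated.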
Best Practices
● Non-domain joined clients
  ● Use Kerberos exclusively for an IPsec deployment
  ● Carefully evaluate the need to create exceptions to global IPsec policies
● IPsec and NLB
  ● Consider exempting business-critical services that require high availability
Conclusion
● Phase 1: deployment of IPsec to >160,000 computers
● Phase 2: deployment of Secure Request mode across the enterprise (208,000 computers)
● Minimal impact on Helpdesk
● Less exposure to worms and attackers
● Project is now in review/maintenance
For More Information
● Additional content on Microsoft IT deployments and best practices can be found on http://www.microsoft.com
● Microsoft TechNet: http://www.microsoft.com/technet/itshowcase
● Microsoft Services: http://www.microsoft.com/itshowcase
● E-mail IT [email protected]
This document is provided for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.
© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, Active Directory, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.