Microsoft Domain and Server Isolation Model

Page 2: Microsoft Domain and Server Isolation Model

Microsoft Domain and Server Isolation Model

Esmaeil Sarabadani, MCT, MCSA/MCSE Security

IPSec as a savior against network threats on Windows Server 2008 R2

Page 3: Microsoft Domain and Server Isolation Model

What will be covered
• Protecting the network in a highly-connected world
• Defence in depth
• Network without isolation
• Microsoft domain and server isolation model
• Focus on IPSec
• Different stages of implementing the model
• Demonstrations on different steps of configuration

Page 4: Microsoft Domain and Server Isolation Model

Life in a Highly-Connected World

• Local Area Networks
• Business Extranets
• Wireless Networks
• Mobile Workers
• Laptops
• Virtual Private Networks
• Mobile Smart Devices

Page 5: Microsoft Domain and Server Isolation Model

Protecting Your Network means:

• Reducing the risk of malicious activities
• Protecting the data against unauthorized manipulation
• Lowering the costs and administrative overhead
• Decreasing the impact of denial-of-service attacks
• Reducing the risk of malicious software threats
• Eliminating the chance of intrusion into the network and servers

Page 6: Microsoft Domain and Server Isolation Model

Typical Network Infrastructure

Is the whole infrastructure secure? What is missing?

Diagram: a partner's network reaches the internal network over an extranet connection and a remote user over a VPN connection; the perimeter is protected by network firewalls and secure VPN connections.

How important is it in the world today?

“Malicious insiders” was ranked second in 2010 and first in 2009 in the top ten information security threats reported by Perimeter E-Security.

What is missing: Logical Isolation

Page 7: Microsoft Domain and Server Isolation Model

Defence in Depth
A layered approach to protecting a computer instead of reliance on a single mechanism for the protection.

Logical isolation as a layer:
• Controls network communications
• Protects all unicast traffic
• More similar to a host-based firewall
• Provides end-to-end security

Diagram: Bob tries to talk to Alice. Alice: “Sorry! I do not trust you!” The communication does not take place.

Page 8: Microsoft Domain and Server Isolation Model

Without Isolation

1. User attempts to access a file share
2. User authentication occurs
3. Network access permissions are checked against local policy
4. Share access is checked; access granted or denied based on ACL (Dept Group)

Result: the user is authenticated and authorized.

Page 9: Microsoft Domain and Server Isolation Model

Without Isolation: The Problems

• Too much dependence on users’ credentials
• Theft and abuse of user credentials are often not realized... until it’s too late
• Difficult to control who or what physically connects to the network
• Large internal networks might have independent paths to the internet
• Even if there are firewalls, they help, but not when clients communicate inside the network

Question: What does a HACKER need to penetrate into the network and servers?

• Access to the network
• A username and password

How difficult do you think it is for a hacker to get them?

Page 10: Microsoft Domain and Server Isolation Model

Microsoft Domain and Server Isolation Model

• Controls end-to-end communications using IPSec policies
• Adds a layer of defence-in-depth
• IPSec policies are received by the host through Group Policy
• Authenticates every packet
• Can encrypt every packet

Supported Operating Systems:
• Windows 2000 SP4
• Windows XP SP2
• Windows Vista
• Windows 7
• Windows Server 2003
• Windows Server 2008

Page 11: Microsoft Domain and Server Isolation Model

With Isolation

1. User attempts to access a file share
2. IKE negotiation begins
3. Network access permissions are checked for the computer account against local policy
4. IKE succeeds, user authN occurs
5. Network access permissions are checked for the user against local policy
6. Share access is checked; access granted or denied based on ACL (Dept Group)

Result: the computer and the user are authenticated and authorized.

Page 12: Microsoft Domain and Server Isolation Model

Why IPSec?

• IPSec is a protocol suite that provides security over IP networks
• It operates at layer 3 (Network) of the OSI model
• It has two modes of operation:
  • Tunnel mode
  • Transport mode

Page 13: Microsoft Domain and Server Isolation Model

IPSec

Tunnel Mode:
• IPSec gateway at each site
• No security inside the site network
• Secures messages going through the gateway and the internet

Diagram: Local Network -> IPsec Gateway -> Internet -> IPsec Gateway -> Local Network, with secure communication between the two gateways.

Packet layout: Tunnel Security Header | Protected Original IP Header | Protected data field

• A security header is added to IP packets before the main IP header
• The new header contains the source and destination addresses of the IPSec gateways
• The source and destination of the hosts are protected
• The original IP header is protected
• The original data field is protected

Page 14: Microsoft Domain and Server Isolation Model

IPSec

Transport Mode:
• End-to-end communication and security between the hosts
• Security inside the site networks
• Requires configuration on the host

Diagram: Local Network -> Internet -> Local Network, with secure end-to-end communication between the hosts.

Packet layout: Original IP Header | Transport Security Header | Protected data field

• Adds a security header to IP packets after the main IP header
• The source and destination of the hosts can be learned by a hacker in the middle
• The original data field is protected

Page 15: Microsoft Domain and Server Isolation Model

AH vs. ESP
Two security protocols:
• ESP (Encapsulating Security Payload): confidentiality and authentication
• AH (Authentication Header): authentication only

Diagrams: ESP in Transport mode; ESP in Tunnel mode

Page 16: Microsoft Domain and Server Isolation Model

AH vs. ESP
AH (Authentication Header)

AH in Transport mode: no encryption, only authentication

AH in Tunnel mode: no encryption, only authentication

Page 17: Microsoft Domain and Server Isolation Model

IKE, SA, Encryption Algorithms

Security Associations (SAs) are agreements between two hosts or two IPSec servers on how security will be performed.

Diagram: Host A <-> Host B: Negotiate Security Association

The security agreements can also negotiate different methods of integrity and encryption.

These agreements start with IKE (Internet Key Exchange). IKE is not IPSec-specific.

Integrity Algorithms: MD5, SHA1, AES

Encryption Algorithms: DES, 3DES, AES

Page 18: Microsoft Domain and Server Isolation Model

Important Isolation Terms

Trusted Host:
• IPSec-enabled
• Joined to domain

Untrusted Host:
• NOT IPSec-enabled
• Not joined to domain or in an untrusted domain
• Known Trusted Host
• Unknown Trusted Host

Boundary Host:
• IPSec-enabled
• Fall back to clear
• Able to communicate with both trusted and untrusted hosts

Exempted Host: does not use IPSec

Isolation Group: a logical group of trusted hosts with the same policy

Network Access Group: controls access to a host on the network before any policy takes place

Diagram: Trusted Hosts, Untrusted Hosts, Boundary Hosts and Exemption Hosts; the connection from an untrusted host to a trusted host is terminated.

Page 19: Microsoft Domain and Server Isolation Model

Isolation Scope

Hosts to be isolated:
• Any computer joined to the domain, as long as the requirements are met
• To a very large extent this depends on the isolation policies

Servers to be isolated:
• Importance of the information stored on that server
• Domain Controller: DC-to-DC; GC-to-GC; Client-to-DC (generally NOT recommended, but possible without Kerberos for authentication)
• Exchange Server: Edge Transport server to the other servers holding the other roles; isolation of the Edge Transport Server (Front-End Server); communication between Exchange servers with different roles
• Office Communications Server 2007: isolation of edge servers; communication between the edge server and the internal servers
• File Servers
• Web Servers: block specific ports, and ...

Servers to be exempted:
• DHCP Servers: computers connect to get an IP address, and before that they do not receive any policies; need to have no delay
• DNS Servers: need to have no delay; involved with every computer in the network

Firewalls:
Host-based firewalls, filtering in routers, network firewalls and any other filters must support fragmentation, and the following ports must be open on them:
• IKE: UDP port 500
• IKE/IPSec NAT-T: UDP port 4500
• IPSec ESP: IP protocol 50
• IPSec AH: IP protocol 51

Page 20: Microsoft Domain and Server Isolation Model

Planning phase

Inform team members about IPSec: IT Manager, System Architect, Security Manager, Support Specialist, etc.

Collect information about your IT environment:
• Network topology
• Security policy and implementation
• Server operating systems and applications
• User types
• Any interoperability issues or concerns

Determine your isolation needs:
• Business needs
• Security requirements
• Service Level Agreements
• Technology needs
• User needs

Things to consider when planning:
• Analysis of network devices
• Analysis of network traffic flow
• ACLs that affect IPSec directly
• VLAN segmentation
• Analysis of Active Directory

Then:
• Design your IPSec policies
• Deploy the policies in a test environment
• Refine policies
• Create a deployment schedule
• Prepare for user and infrastructure support

Page 21: Microsoft Domain and Server Isolation Model

Deployment
Different types of deployment

Deployment using OUs
Diagram: each OU is linked to its own policy (Policy 1, Policy 2 and Policy 3 applied per OU, with two OUs sharing Policy 3).

Deployment using Groups
Diagram: Groups 1 to 8. Policy 1 is applied at the domain level; groups granted Allow Read & Apply permission receive Policy 1, while groups with Deny Read & Apply permission do not (Policy 1 NOT applied). Policy 2 is applied at the OU level and filtered the same way: Allow Read & Apply means Policy 2 is applied, Deny Read & Apply means Policy 2 is NOT applied.

Comparison:
Deployment by GROUPS is best for organizations with a more complex group hierarchy, or where more than one policy is applied to one OU. Deployment by GROUPS can get really complicated.

Deployment by OUs is best for organizations in which the computer members of each OU all inherit the same policies.
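The "deployment by groups" pattern above implemented as GPO security filtering, as an added example that is not the presenter's code. It uses the GroupPolicy module of Windows Server 2008 R2; the domain DN, GPO name and group name are assumptions for a lab domain, and the explicit Deny shown on the slide is replaced by removing Apply from Authenticated Users, which Set-GPPermission can express.

```powershell
# Added example (not from the slides): Policy 1 linked at the domain level,
# but received only by the members of one isolation group.
Import-Module GroupPolicy

$domainDN   = "DC=corp,DC=example,DC=com"   # assumed domain
$policyName = "IPSec Isolation - Policy 1"  # assumed GPO holding the IPSec rules
$isoGroup   = "Isolation Group 1"           # assumed group of trusted computer accounts

# Create the GPO and link it once at the domain level, as on the slide.
New-GPO -Name $policyName | Out-Null
New-GPLink -Name $policyName -Target $domainDN -LinkEnabled Yes | Out-Null

# Security filtering decides which accounts receive the GPO. By default
# Authenticated Users holds Read and Apply, so every domain computer would get
# the IPSec policy. Keep Read for Authenticated Users (the GPO is still
# processed) but remove Apply, then grant Read and Apply to the isolation
# group only. -Replace overwrites the existing entry instead of adding to it.
Set-GPPermission -Name $policyName -TargetName "Authenticated Users" `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $policyName -TargetName $isoGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Verify the delegation: only the isolation group should show GpoApply.
# Computer accounts must be members of that group to pick the policy up.
Get-GPPermission -Name $policyName -All |
    Select-Object @{ n = "Trustee"; e = { $_.Trustee.Name } }, TrusteeType, Permission |
    Format-Table -AutoSize
```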

Page 23: Microsoft Domain and Server Isolation Model

DEMO: Deployment Scenarios, Network Access Groups

Page 24: Microsoft Domain and Server Isolation Model

IPSec Policy Components overview

IPSec Policy
  Rules
    Filter List
      Filters
    Action
    Authentication methods: Pre-Shared Keys, Kerberos, Certificates
    Security methods: Hashing, Encryption, Key Lifetimes

IPSec policies are all configurable through Group Policy at both the domain and OU levels.

Page 25: Microsoft Domain and Server Isolation Model

Isolation Scope

Filter Lists:
A collection of one or more filters used to match network traffic based on:
• Source or destination networks or addresses
• Protocol(s)
• Source and destination TCP or UDP ports

Filter Actions:
• IPSec-Block: blocks the traffic that matches the filter list
• IPSec-Permit: permits the traffic that matches the filter list
• IPSec-Request Mode: accepts both IPSec and non-IPSec inbound traffic; for outbound, it starts IPSec negotiation and, if there is no response, falls back to clear
• IPSec-Secure Request Mode: accepts only IPSec inbound traffic; for outbound, it starts IPSec negotiation and, if there is no response, falls back to clear
• IPSec-Full Require Mode: requires IPSec-secured communication for both inbound and outbound packets

Page 26: Microsoft Domain and Server Isolation Model

DEMO: Configuring Isolation

Page 27: Microsoft Domain and Server Isolation Model

Things to Consider
• Start small when deploying, and always deploy in a test environment first
• Local Administrators can disable IPSec or change the local dynamic policy
• Always plan for interoperability
• Make sure NAT-T is supported on hosts if there is a NAT device in your network
• Be aware of the delays in policy application after a change in policies occurs
• With IPSec in use, network traffic monitoring tools will not work

Page 28: Microsoft Domain and Server Isolation Model

Risks That Cannot Be Mitigated
• Trusted users stealing or disclosing sensitive data
• Rogue users
• Untrusted computers accessing other untrusted computers
• Loss of physical security of trusted computers

Page 29: Microsoft Domain and Server Isolation Model

Real-World Examples
• Lockheed Martin
• University of Michigan
• BMO Financial Group
• Microsoft IT Department

Page 30: Microsoft Domain and Server Isolation Model

Q&A: Questions & Answers

Page 31: Microsoft Domain and Server Isolation Model

Resources

• Technet Reference on Domain and Server Isolation: http://technet.microsoft.com/en-us/network/bb545651.aspx
• Perimeter E-Security TOP 10 Information Security Threats for 2010: http://www.perimeterusa.com/knowledge-center/company-news/press-releases#100
• Technet Reference on IPSec: http://www.microsoft.com/ipsec
