Domain and Server Isolation Using IPsec
Jesper M. Johansson
Senior Security Strategist
Security Technology Unit
[email protected]
http://blogs.technet.com/jesper_johansson

Evolving network security: the vision
• Endpoints protect themselves from other systems
• Connections allowed only after authentication
• All communications are authenticated and authorized
• Host health is checked

The value proposition
• Increased security for Windows and the corporate network overall
• Increased IT efficiency and ROI on Active Directory management

You can do much of this today!
Without isolation (diagram)
1. User attempts to access a file share
2. User authentication occurs
3. Check network access permissions (local policy)
4. Share access is checked (Dept Group); access granted or denied based on ACL
Result: user is authenticated and authorized
Life without isolation
• User authentication and authorization are the focus for most IT professionals
• Server and domain isolation will change this!

The problems
• All hosts on the network might not be trusted equally by all systems connected
  • Difficult to control who or what physically connects to the network
  • Unmanaged hosts present infection threat
  • Need to provide connectivity to outsiders but limit access
    (a.k.a. partners…vendors…customers…)
• Theft and abuse of trusted user credentials often not recognized—until it’s too late!

The problems
• Large “internal” networks might have independent paths to the Internet
  • Difficult to monitor and control “the edge” anymore
  • External threats present somewhere on the internal network
• Network attack surface is all TCP/IP ports, traffic
  • Packet filtering (network firewall) helps, but not when clients communicate inside it
  • Need defense-in-depth to include application layer network security

Security Lessons From The Physical World
• Traffic lights control traffic flow
• Buffer overflows are unheard of
• Malicious hosts easily quarantined

The solution
• Isolate computers with IPsec
  • Protects all unicast traffic between trusted computers
  • Provides end-to-end security
  • Authenticates every packet (by default)
  • Can encrypt every packet (optional)
  • Customizable policy deployed in domain, no application changes necessary
Where does isolation fit?
• Part of a security defense-in-depth approach
• Logically sits between the network and the host layers

Security defense-in-depth model (diagram, outermost layer first):
  People, Policies, and Process
  Physical security
  Perimeter
  Internal network
  Isolation
  Host
  Application
  Data
What are the main benefits?
• Reduces network attacks on isolated computers
• Helps protect against internal attacks
• Provides scalable authentication and encryption for all traffic
  • Even “unsecurable” stuff like SMB

Why IPsec?
• My network vendor says 802.1X can do this!
• Well they’re wrong. Stay tuned!

Solution Benefits

IPsec: the foundation
• Create Active Directory–based IPsec policies with MMC
• Use one of three authentication methods
  • Kerberos
  • Computer certificates
  • Preshared keys
• IPsec policies delivered to clients with AD Group Policy
• Available in Windows 2000, XP, 2003

Solution terminology
• Hosts
  • Untrusted
  • Trustworthy
  • Trusted
• Isolation groups
  • Foundational groups
  • Additional groups
• Network access groups

Isolation scenarios

Domain isolation
• Protect hosts from unmanaged machines
• Enforces domain membership (yay!) by requiring machine authentication
• All trusted machines can exchange traffic
• Encryption optional
• Can include stronger server isolation

Server isolation
• Protect high-value servers
• Restrict connectivity to a defined subset of certain people and hosts
• Still must be domain computers
• Encryption optional but common
With isolation (diagram)
1. User attempts to access a file share
2. IKE negotiation begins
3. Check network access permissions (computer acct, local policy)
4. IKE succeeds, user authN occurs
5. Check network access permissions (user, local policy)
6. Share access is checked (Dept Group); access granted or denied based on ACL
Result: computer and user are authenticated and authorized
How does isolation work?
• Uses IPsec to—
  • Handle the computer account authentication
  • Ensure data integrity
  • Provide encryption (if required)
• Use group policy to—
  • Distribute the IPsec policies
  • Authorize the computer and user access

Implementation Planning

How do I implement isolation?
• Organize computers into isolation groups, based on—
  • Security requirements
  • Data classification
• Identify communication paths
  • Define what’s allowed, block everything else
• Create policies to enforce business requirements
• Identify and test a deployment strategy

Foundational groups (diagram: All Systems)
• Non-IPsec groups
  • Untrusted systems: default group
  • Exemptions: trusted infrastructure
• IPsec groups
  • Isolation domain: default trusted group
  • Boundary: higher risk trusted group
Traffic mapping—foundational
Plan all allowed data communications between foundational groups
(group codes: ID = isolation domain, EX = exemptions, BO = boundary, UN = untrusted)

ID  From  To  Bidirectional  IPsec  Fallback  Encrypt
1   ID    EX  Yes            No     No        No
2   ID    BO  Yes            Yes    No        No
3   ID    UN  No             Yes    Yes       No
4   BO    EX  Yes            Yes    Yes       No
5   BO    UN  No             Yes    Yes       No
6   UN    BO  No             No     No        No
7   UN    EX  Yes            No     No        No
Additional isolation groups
• Driven by business requirements
• Might not be necessary
• For example—
  • No fallback allowed isolation group: blocks outbound communications to untrusted hosts
  • Require encryption isolation group: high security group, all data communications must use encryption

(Diagram: Untrusted systems; Isolation Domain; Boundary Isolation Group; Encryption Isolation Group; No fallback Isolation Group)
Traffic mapping—additional
(group codes: EN = encryption isolation group, NF = no fallback isolation group)

ID  From  To  Bidirectional  IPsec  Fallback  Encrypt
8   EN    EX  Yes            No     No        No
9   EN    ID  Yes            Yes    No        Yes
10  EN    NF  Yes            Yes    No        Yes
11  EN    BO  No             Yes    No        Yes
12  NF    ID  Yes            Yes    No        No
13  NF    EX  Yes            No     No        No
14  NF    BO  Yes            Yes    No        No
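The two traffic-mapping tables are a planning artefact, so it helps to make them executable. The following Python is an added example, not part of the deck: it loads rows 1–14, answers "how must a flow from group X to group Y be handled", checks a list of flows an application needs against the map, and lints the table for rows that contradict themselves. The reading that a row whose Bidirectional column is "No" only covers flows initiated by the From group is my assumption.

```python
# Added example (not from the original deck): evaluates the deck's traffic-mapping
# tables. Group codes are the deck's own (ID, EX, BO, UN, EN, NF). Assumption:
# a non-bidirectional row covers only flows initiated by the "From" group.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Mapping:
    row_id: int
    src: str
    dst: str
    bidirectional: bool
    ipsec: bool      # IPsec is negotiated for this flow
    fallback: bool   # may fall back to clear text if IKE fails
    encrypt: bool    # ESP encryption required (otherwise ESP-null)


# Rows 1-14 transcribed from the two traffic-mapping tables in the deck.
TRAFFIC_MAP = [
    Mapping(1,  "ID", "EX", True,  False, False, False),
    Mapping(2,  "ID", "BO", True,  True,  False, False),
    Mapping(3,  "ID", "UN", False, True,  True,  False),
    Mapping(4,  "BO", "EX", True,  True,  True,  False),
    Mapping(5,  "BO", "UN", False, True,  True,  False),
    Mapping(6,  "UN", "BO", False, False, False, False),
    Mapping(7,  "UN", "EX", True,  False, False, False),
    Mapping(8,  "EN", "EX", True,  False, False, False),
    Mapping(9,  "EN", "ID", True,  True,  False, True),
    Mapping(10, "EN", "NF", True,  True,  False, True),
    Mapping(11, "EN", "BO", False, True,  False, True),
    Mapping(12, "NF", "ID", True,  True,  False, False),
    Mapping(13, "NF", "EX", True,  False, False, False),
    Mapping(14, "NF", "BO", True,  True,  False, False),
]


def find_mapping(src: str, dst: str) -> Optional[Mapping]:
    """Return the row governing a flow initiated by src towards dst, or None
    when the planned map has no entry (which means: block it)."""
    for m in TRAFFIC_MAP:
        if m.src == src and m.dst == dst:
            return m
        if m.bidirectional and m.src == dst and m.dst == src:
            return m
    return None


def protection_for(src: str, dst: str) -> str:
    """Summarise how a src->dst flow must be handled:
    'blocked', 'clear', 'ipsec', 'ipsec-or-clear' (fallback) or 'encrypted'."""
    m = find_mapping(src, dst)
    if m is None:
        return "blocked"
    if not m.ipsec:
        return "clear"
    if m.encrypt:
        return "encrypted"
    return "ipsec-or-clear" if m.fallback else "ipsec"


def check_plan(required_flows: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Given (src, dst) pairs an application needs, list the ones the map would
    block, so the planner adds a row or an exemption before rollout."""
    return [(s, d) for s, d in required_flows if find_mapping(s, d) is None]


def lint_map(rows=TRAFFIC_MAP) -> List[Tuple[int, str]]:
    """Flag rows that contradict themselves: encryption or fallback only make
    sense when IPsec is negotiated for the flow in the first place."""
    problems = []
    for m in rows:
        if m.encrypt and not m.ipsec:
            problems.append((m.row_id, "encrypt without ipsec"))
        if m.fallback and not m.ipsec:
            problems.append((m.row_id, "fallback without ipsec"))
    return problems


if __name__ == "__main__":
    for flow in [("ID", "BO"), ("UN", "ID"), ("EN", "BO"), ("BO", "EN"), ("EX", "ID")]:
        print(flow, "->", protection_for(*flow))
    print("blocked flows:", check_plan([("UN", "ID"), ("NF", "UN")]))
    print("lint:", lint_map())
```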
Network access groups
• NAGs are used to explicitly allow or deny access to a system through the network
• Names reflect function—
  • ANAG: allow network access group
  • DNAG: deny network access group
• Can contain users, computers or groups
• Defined in domain local groups

IPsec policy construction (diagram)
IPsec Policy
  Rules
    Filter List
      Filters
    Action
      Security Methods
        Hashing
        Encryption
    Authentication Methods
      Certificates
      Pre-Shared Keys
      Kerberos
  Key Exchange Methods (IKE)
    Key Lifetimes

Defined filter actions
• Request mode
  • Accept inbound in the clear
  • Allow outbound in the clear
• Secure request mode
  • Allow outbound in the clear
• Full require mode
  • All unicast communications require IPsec
• Require encryption mode
  • Only negotiates encryption

Selecting a deployment strategy
• Build up
  • Policy has exemptions, but no requirements for IPsec on secure subnets
  • Request mode filter action is used with secure subnet filter lists
  • Subnets are slowly added to secure subnet filter list and tested
• Deploy by group
  • IPsec policy defined and linked
  • Use groups to control application of the policy
Isolation Scenarios

Isolation in action (diagram)
• Un-trusted / Unmanaged Devices
• Active Directory Domain Controller (exempted)
• Domain Isolation: optional outbound authentication
• Server Isolation: required authentication
• Authenticating Host Firewalls (X marks connections that are not accepted)
Domain isolation
• Domain controller
• Server: domain isolation; IPsec policy active (requires IPsec for all traffic except for ICMP)
• Client: untrusted or non-IPsec capable
• User: any type
• Result: ping succeeds, others fail

Domain isolation
• Domain controller
• Server: domain isolation; IPsec policy active (requires IPsec for all traffic except for ICMP)
• Client: Windows XP SP2, trusted machine
• User: domain member
• Result: ping succeeds, others succeed over IPsec

Server isolation
• Domain controller
• Server: server isolation; IPsec policy active (requires IPsec for all traffic except for ICMP)
• Authorization only for CLIENT1 in group policy via “Access this computer from network” right
• Client: Windows XP SP2 “CLIENT2”, trusted machine
• User: domain member
• Result: ping succeeds, others fail because IKE fails

Server isolation
• Domain controller
• Server: server isolation; IPsec policy active (requires IPsec for all traffic except for ICMP)
• Authorization only for CLIENT1 and this user in group policy via “Access this computer from network” right
• Client: Windows XP SP2 “CLIENT1”, trusted machine
• User: domain member
• Result: ping succeeds, others succeed over IPsec
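The four scenario slides, together with the four filter actions defined earlier, can be reduced to a small decision procedure. The Python below is an added example, not part of the deck or of Windows: it models each host's filter action, whether it can authenticate in IKE, and the server's "Access this computer from the network" right, and reports for a flow whether it ends up in the clear, in ESP-null, encrypted, or blocked. The host names, the Mode enum and the rule set are my simplified model; user-level authorization (step 5 of the "With isolation" flow) is left out.

```python
# Added example (not from the original deck): simulates which of the deck's four
# filter actions and the computer-level "Access this computer from the network"
# right let a connection through, and how. Host names, the Mode enum and the
# negotiation rules are my model of the scenario slides, not Windows code.
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Set, Tuple


class Mode(Enum):
    NONE = "no IPsec policy / not IPsec capable"
    REQUEST = "request: accept inbound in the clear, allow outbound in the clear"
    SECURE_REQUEST = "secure request: inbound needs IPsec, outbound may be clear"
    REQUIRE = "full require: all unicast traffic requires IPsec"
    REQUIRE_ENCRYPT = "require encryption: only negotiates encryption"


@dataclass
class Host:
    name: str
    mode: Mode
    trusted: bool = True          # domain member able to authenticate in IKE
    # Computer accounts granted "Access this computer from the network".
    # None = the right is held by a broad default group, i.e. any trusted machine.
    allowed_computers: Optional[Set[str]] = None


def ike_succeeds(initiator: Host, responder: Host) -> bool:
    """IKE needs both sides to run IPsec, both to be trusted (able to
    authenticate), and the responder's logon right to cover the initiator."""
    if initiator.mode is Mode.NONE or responder.mode is Mode.NONE:
        return False
    if not (initiator.trusted and responder.trusted):
        return False
    allowed = responder.allowed_computers
    return allowed is None or initiator.name in allowed


def negotiate(initiator: Host, responder: Host, protocol: str = "tcp") -> str:
    """Outcome for one flow: 'clear', 'esp-null', 'encrypted' or 'blocked'.
    ICMP is exempted, as in the deck's policy ('requires IPsec for all
    traffic except for ICMP'), so ping always succeeds in the clear."""
    if protocol == "icmp":
        return "clear"
    if ike_succeeds(initiator, responder):
        if Mode.REQUIRE_ENCRYPT in (initiator.mode, responder.mode):
            return "encrypted"
        return "esp-null"
    # IKE failed or was never attempted: can both sides live with clear text?
    outbound_clear_ok = initiator.mode in (Mode.NONE, Mode.REQUEST, Mode.SECURE_REQUEST)
    inbound_clear_ok = responder.mode in (Mode.NONE, Mode.REQUEST)
    return "clear" if outbound_clear_ok and inbound_clear_ok else "blocked"


# Constructed hosts mirroring the scenario slides.
DOMAIN_SERVER = Host("FILESRV", Mode.REQUIRE)
ISOLATED_SERVER = Host("SRCSRV", Mode.REQUIRE, allowed_computers={"CLIENT1"})
UNTRUSTED_PC = Host("LAPTOP", Mode.NONE, trusted=False)
CLIENT1 = Host("CLIENT1", Mode.REQUEST)
CLIENT2 = Host("CLIENT2", Mode.REQUEST)


def scenario_table() -> Dict[str, Tuple[str, str]]:
    """The four scenario slides as label -> (ping outcome, SMB outcome)."""
    cases = [
        ("untrusted -> domain isolation", UNTRUSTED_PC, DOMAIN_SERVER),
        ("trusted -> domain isolation", CLIENT1, DOMAIN_SERVER),
        ("CLIENT2 -> server isolation", CLIENT2, ISOLATED_SERVER),
        ("CLIENT1 -> server isolation", CLIENT1, ISOLATED_SERVER),
    ]
    return {label: (negotiate(c, s, "icmp"), negotiate(c, s, "tcp"))
            for label, c, s in cases}


if __name__ == "__main__":
    for label, (ping, smb) in scenario_table().items():
        print(f"{label:32} ping={ping:8} smb={smb}")
```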
The Brokenness of 802.1X

What is 802.1X?
• Port-based access control method defined by IEEE
  http://standards.ieee.org/getieee802/download/802.1X-2001.pdf
• EAP provides mutual authentication between devices
  ftp://ftp.rfc-editor.org/in-notes/rfc3748.txt
• Works over anything
  • Wired
  • Wireless

What do you need for 802.1X?
• Network infrastructure that supports it
  • Switches, mostly
• Clients and servers that support it
  • Supplicants included in Windows XP, 2003
  • Download for Windows 2000

Why is it perfect for wireless?
• The supplicant (client) and authentication server (RADIUS) generate session keys
• Keys are never sent over the air
• Nothing for an attacker to use to conduct impersonation or man-in-the-middle attacks
• Can manage centrally with GPOs

Why is it useless for wired?
• No GPOs—and we can’t retrofit
• Worse…a fundamental protocol design flaw
  • 802.1X authenticates only at the start of traffic between client and switch
  • After the switch port opens, everything after that is assumed to be valid
• These kinds of assumptions allow MITM attacks!
  • Does require physical access to the network
The attack (diagram)
• Two hosts both appear on the switch as 1.2.3.4 / aa:bb:cc:dd:ee:ff
• One of them: “drop all inbound not for me”
• “…authenticate…”

Why does it work?
• 802.1X lacks per-packet authentication
• It assumes that the post-authentication traffic is valid—based on MAC and IP only
• Switch has no idea what’s happened!
• Attacker can communicate only over UDP
  • Victim would reset any TCP reply it received but didn’t send (victim sees reply to shadow)

The attack (diagram)
• Two hosts both appear on the switch as 1.2.3.4 / aa:bb:cc:dd:ee:ff
• SYN
• ACK-SYN (delivered to both hosts)
• RST
• ACK-RST (delivered to both hosts)

But wait!
• If the victim computer happens to run a personal firewall…
• …which drops unsolicited ACK-SYNs…
• It gets better!

The attack…improved (diagram)
• Two hosts both appear on the switch as 1.2.3.4 / aa:bb:cc:dd:ee:ff
• SYN
• ACK-SYN (delivered to both hosts)
• ACK

So then
• Despite what the networking vendors claim, 802.1X is inappropriate for preventing rogue access to the network
• Good security mechanisms never assume that computers are playing nicely
  • 802.1X makes this incorrect assumption
  • IPsec does not
• If you’re worried about bad guys flooding your network…
  • Then 802.1X + IPsec is the way to go
  • Or just disable their switch port
    • You are able to monitor for this, right?
What’s Next?

The main challenges
• Learning curve for IPsec; fundamentally changes TCP/IP communication
• May lose ability to inspect network traffic when IPsec-protected
  • ESP null is clear-text, but need parsers
  • ESP with encryption—you can’t see it!
• Detailed planning and coordination required for domain isolation

The main challenges
• Local administrator can disable IPsec or change the local dynamic policy
  • But…such a computer can’t connect to other trusted computers anymore
• Not all domain members may be able to be protected (DC, DNS, DHCP)

Risks that aren’t mitigated
• Trusted users disclosing high value data
• Compromise of trusted credentials
• Untrusted computers compromising other untrusted computers
• Loss of physical security of trusted computers
• Lack of compliance mechanisms for trusted computers

How to get started?
• Download the MSS guide—read and train
• Set requirements
  • To include isolation needs
  • Classify your data
• Determine current state
  • Active Directory structure
  • Network topology and design
• Plan initial design
• Build a test environment
  • Test all changes before production deployment

How do I deploy?
• Create goals for deployment
  • Which assets do you want to protect?
  • Do you want to ensure more machines are managed?
  • What regulatory requirements do you need to comply with?
  • Is it important to limit the spread of worms/viruses?
• Create machine groups
  • Server isolation: ServerGroupA, ServerGroupB
  • Domain isolation: BoundaryGroup
• Design IPsec policies
  • Document filter actions and rules that will best meet your requirements

How do I deploy?
• Deploy in “request mode”
  • Use to validate policy and refine as necessary
  • Verify architecture can support IPsec
• Use ESP-null except where privacy is required
  • When encrypting, reduce CPU load with hardware
• Start small, protect a number of servers and gradually increase your managed domain
  • Don’t forget a roll-back plan!
• Establish interoperability plan
  • Many operating systems capable of IPsec
  • Policy and credential distribution requires planning
  • Devices and machines that cannot use IPsec can be “exempted” in policy
Customer deployments
• Remote access/VPN is very common
• IPsec server isolation is very popular
  • Financial services (top 5 American banks, top 2 Canadian banks)
  • Government (at all domestic and international levels)
  • Education (multiple universities with >30,000 students, inner-city public school systems)
  • Health care, retail, manufacturing, high tech…
• Majority of AD deployments use IPsec for secure DC-to-DC communication
• Satisfies regulatory requirements for Sarbanes-Oxley, HIPAA, …
• Domain isolation attracting interest of large orgs
  • Largest non-Microsoft deployment is >350,000 nodes
  • Used extensively within Microsoft

Customer case studies
• DC-to-DC replication
• Domain isolation of library
• Isolate branches from headquarters
• 350,000 domain-isolated nodes
• Protect source code

Microsoft IT
Requirement 1: protect high-value intellectual property and meet compliance requirements
Solution
• Source code repositories restricted by server isolation
• Authentication with certificates and machine groups in Active Directory
• Two levels of authorization—at the network and at the application
Results
• Only Windows developers can see and connect to source code servers
• Meets Sarbanes Oxley Act requirements for protecting data of material impact to shareholders

Microsoft IT
Requirement 2: protect managed hosts from worm attacks and unauthorized access
Solution
• A “SecureNet” that uses Active Directory and IPsec
• Requires Kerberos for authentication
• Requires certificates for home VPN users
Results
• IPsec is fully deployed on Corpnet for over 12 months
• ~250,000 domain-joined systems using IPsec worldwide
• Increase of domain-joined systems of 45% from start of implementation
• 75% of all network traffic globally is IPsec protected
• 293 helpdesk calls per month (compared to ~500 for Outlook)
Microsoft IT implementation (diagram: Microsoft Corporate Network)
• SecureNet: Clients, Servers, Home LANs, Trustworthy Labs (240,000)
• Boundary Machines (5,000)
• Exclusions: Labs (75,000); Pocket PC, XBox (18,000); MAC (2,000); DTaps (no connectivity to CorpNet)
• Untrustworthy: Internet Servers, Business Partners, Extranet (1,800), External
• Permitted Infrastructure / ACL Controlled Infrastructure (500): DHCP, DNS, WINS, DC, IAS
Preparing for Network Access Protection
• Deploy domain isolation to become familiar with IPsec concepts
• NAP will provide a richer enforcement mechanism, while adding to server and domain isolation
• Plan and model to add health authentication and the other compliance enforcement mechanisms that Network Access Protection provides
• More guidance available during Longhorn beta

IPsec roadmap
Server 2003, Windows XP
• Isolation by domain or server
  • Authentication of machine, but no health check
• Windows firewall integration
  • Authenticated bypass capability
• Overhead offload
  • 10/100mb NIC—lower CPU
“Longhorn” and beyond
• Extensible isolation
  • User and machine credentials
  • Health certificates
• Firewall integration
  • Windows filtering platform
• Improved administration
  • One-size-fits-all policy
• Extensible performance
  • Gig-E offload for lower CPU

Learn more
• Server and domain isolation using IPsec and Group Policy
  http://go.microsoft.com/fwlink/?linkid=33947
• Microsoft IT experiences with domain isolation
  http://www.microsoft.com/technet/itsolutions/msit/security/IPsecdomisolwp.mspx
• IPsec resources
  http://www.microsoft.com/ipsec

For more information
• Jesper and Steve finally wrote a book!
• Order online: http://www.protectyourwindowsnetwork.com
• [email protected]