
Page 1: Domain and Server Isolation Using IPsec Jesper M. Johansson Senior Security Strategist Security Technology Unit jesperjo@microsoft.com

Domain and Server Isolation Using IPsec

Jesper M. Johansson
Senior Security Strategist
Security Technology Unit
jesperjo@microsoft.com
http://blogs.technet.com/jesper_johansson

Page 2: Evolving network security

The vision
  Endpoints protect themselves from other systems
  Connections allowed only after authentication
  All communications are authenticated and authorized
  Host health is checked

The value proposition
  Increased security for Windows and corporate network overall
  Increased IT efficiency and ROI on Active Directory management

You can do much of this today!

Page 3: Without isolation

Without isolation (diagram of a file-share access; steps as numbered on the slide):
1. User attempts to access a file share
2. User authentication occurs
3. Check network access permissions (local policy); user is authenticated and authorized
4. Share access is checked (Dept Group); access granted or denied based on ACL

Page 4: Life without isolation

User authentication and authorization are the focus for most IT professionals
Server and domain isolation will change this!

Page 5: The problems

All hosts on the network might not be trusted equally by all systems connected
  Difficult to control who or what physically connects to the network
  Unmanaged hosts present infection threat
  Need to provide connectivity to outsiders but limit access
    a.k.a. partners…vendors…customers…
Theft and abuse of trusted user credentials often not recognized—until it’s too late!

Page 6: The problems

Large “internal” networks might have independent paths to the Internet
  Difficult to monitor and control “the edge” anymore
  External threats present somewhere on the internal network
Network attack surface is all TCP/IP ports, traffic
  Packet filtering (network firewall) helps, but not when clients communicate inside it
  Need defense-in-depth to include application layer network security

Page 7: Security Lessons From The Physical World

Traffic lights control traffic flow
Buffer overflows are unheard of
Malicious hosts easily quarantined

Page 8: The solution

Isolate computers with IPsec
  Protects all unicast traffic between trusted computers
  Provides end to end security
  Authenticates every packet (by default)
  Can encrypt every packet (optional)
  Customizable policy deployed in domain, no application changes necessary

Page 9: Where does isolation fit?

Part of a security defense-in-depth approach
Logically sits between the network and the host layers

Security defense-in-depth model (diagram, outermost layer first):
  People, Policies, and Process
  Physical security
  Perimeter
  Internal network
  Isolation
  Host
  Application
  Data

Page 10: What are the main benefits?

Reduces network attacks on isolated computers
Helps protect against internal attacks
Provides scalable authentication and encryption for all traffic
  Even “unsecurable” stuff like SMB

Why IPsec?
  My network vendor says 802.1X can do this!
  Well they’re wrong. Stay tuned!

Page 11: Solution Benefits

Page 12: IPsec: the foundation

Create Active Directory–based IPsec policies with MMC
Use one of three authentication methods
  Kerberos
  Computer certificates
  Preshared keys
IPsec policies delivered to clients with AD Group Policy
Available in Windows 2000, XP, 2003

Page 13: Solution terminology

Hosts
  Untrusted
  Trustworthy
  Trusted
Isolation groups
  Foundational groups
  Additional groups
Network access groups

Page 14: Isolation scenarios

Domain isolation
  Protect hosts from unmanaged machines
  Enforces domain membership (yay!) by requiring machine authentication
  All trusted machines can exchange traffic
  Encryption optional
  Can include stronger server isolation

Server isolation
  Protect high-value servers
  Restrict connectivity to a defined subset of certain people and hosts
  Still must be domain computers
  Encryption optional but common

Page 15: With isolation

With isolation (diagram of a file-share access; steps as numbered on the slide):
1. User attempts to access a file share
2. IKE negotiation begins
3. Check network access permissions (computer acct) against local policy
4. IKE succeeds, user authN occurs
5. Check network access permissions (user) against local policy; computer and user are authenticated and authorized
6. Share access is checked (Dept Group); access granted or denied based on ACL

Page 16: How does isolation work?

Uses IPsec to—
  Handle the computer account authentication
  Ensure data integrity
  Provide encryption (if required)
Use group policy to—
  Distribute the IPsec policies
  Authorize the computer and user access

Page 17: Implementation Planning

Page 18: How do I implement isolation?

Organize computers into isolation groups, based on—
  Security requirements
  Data classification
Identify communication paths
  Define what’s allowed, block everything else
Create policies to enforce business requirements
Identify and test a deployment strategy

Page 19: Foundational groups

All Systems (diagram)
  Non-IPsec groups
    Untrusted systems: default group
    Exemptions: trusted infrastructure
  IPsec groups
    Isolation domain: default trusted group
    Boundary: higher risk trusted group

(Diagram: untrusted systems outside the isolation domain; the boundary isolation group sits at the edge of the isolation domain.)

Page 20: Traffic mapping—foundational

Plan all allowed data communications between foundational groups

ID  From  To  Bidirectional  IPsec  Fallback  Encrypt
1   ID    EX  Yes            No     No        No
2   ID    BO  Yes            Yes    No        No
3   ID    UN  No             Yes    Yes       No
4   BO    EX  Yes            Yes    Yes       No
5   BO    UN  No             Yes    Yes       No
6   UN    BO  No             No     No        No
7   UN    EX  Yes            No     No        No

(Group codes in the From/To columns: ID = isolation domain, BO = boundary, UN = untrusted systems, EX = exemptions. A pair with no row is not a planned path and is blocked.)

Page 21: Additional isolation groups

Driven by business requirements
Might not be necessary
For example—
  No fallback allowed isolation group
    Blocks outbound communications to untrusted hosts
  Require encryption isolation group
    High security group
    All data communications must use encryption

(Diagram: untrusted systems outside the isolation domain; inside it the boundary isolation group, the encryption isolation group and the no-fallback isolation group.)

Page 22: Traffic mapping—additional

ID  From  To  Bidirectional  IPsec  Fallback  Encrypt
8   EN    EX  Yes            No     No        No
9   EN    ID  Yes            Yes    No        Yes
10  EN    NF  Yes            Yes    No        Yes
11  EN    BO  No             Yes    No        Yes
12  NF    ID  Yes            Yes    No        No
13  NF    EX  Yes            No     No        No
14  NF    BO  Yes            Yes    No        No

(Group codes as on the previous slide, plus EN = require encryption isolation group, NF = no fallback isolation group.)
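The two traffic-mapping tables and the filter-action modes on the following slides can be turned into a small, checkable model. The code below is an added example, not part of the deck: it encodes rows 1-14, resolves which row governs a (from, to) pair while honouring the Bidirectional column, derives the filter-action mode each IPsec group needs (my reading of how the rows map onto the deck's four mode names), and lints the map against the stated rules for the encryption and no-fallback groups.

```python
"""Isolation-group traffic map as a lookup table (added example, not from the deck).

Group codes follow the slides: ID isolation domain, BO boundary, UN untrusted,
EX exemptions, EN require-encryption group, NF no-fallback group.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Row:
    rid: int
    src: str
    dst: str
    bidirectional: bool
    ipsec: bool
    fallback: bool
    encrypt: bool


Y, N = True, False
# Rows 1-14 copied from the two 'Traffic mapping' slides.
TRAFFIC_MAP = [
    Row(1,  "ID", "EX", Y, N, N, N),
    Row(2,  "ID", "BO", Y, Y, N, N),
    Row(3,  "ID", "UN", N, Y, Y, N),
    Row(4,  "BO", "EX", Y, Y, Y, N),
    Row(5,  "BO", "UN", N, Y, Y, N),
    Row(6,  "UN", "BO", N, N, N, N),
    Row(7,  "UN", "EX", Y, N, N, N),
    Row(8,  "EN", "EX", Y, N, N, N),
    Row(9,  "EN", "ID", Y, Y, N, Y),
    Row(10, "EN", "NF", Y, Y, N, Y),
    Row(11, "EN", "BO", N, Y, N, Y),
    Row(12, "NF", "ID", Y, Y, N, N),
    Row(13, "NF", "EX", Y, N, N, N),
    Row(14, "NF", "BO", Y, Y, N, N),
]


def resolve(src: str, dst: str, rows=TRAFFIC_MAP) -> Optional[Row]:
    """Row permitting traffic initiated by src towards dst. None means no path
    was planned, which under 'define what's allowed, block everything else'
    is a block (for example untrusted -> isolation domain)."""
    for row in rows:
        if (row.src, row.dst) == (src, dst):
            return row
        if row.bidirectional and (row.dst, row.src) == (src, dst):
            return row
    return None


def group_mode(group: str, rows=TRAFFIC_MAP) -> str:
    """Filter-action mode (names from the 'Defined filter actions' slide) that a
    host in `group` needs, derived from the rows that involve the group.
    Rows to EX are skipped: exemptions are handled by exemption filter lists."""
    if group in ("UN", "EX"):
        return "no IPsec policy"            # non-IPsec foundational groups
    mine = [r for r in rows if group in (r.src, r.dst) and "EX" not in (r.src, r.dst)]
    ipsec_rows = [r for r in mine if r.ipsec]
    if ipsec_rows and all(r.encrypt for r in ipsec_rows):
        return "require encryption mode"    # only negotiates encryption
    if any(not r.ipsec and (r.dst == group or r.bidirectional) for r in mine):
        return "request mode"               # accepts inbound in the clear
    if any(r.fallback and (r.src == group or r.bidirectional) for r in ipsec_rows):
        return "secure request mode"        # may send in the clear, never accepts it
    return "full require mode"              # all unicast requires IPsec


def check_group_rules(rows=TRAFFIC_MAP) -> List[str]:
    """Lint the map against the additional-group definitions: every IPsec path
    touching EN must encrypt, and no path touching NF may fall back to clear."""
    problems = []
    for row in rows:
        groups = {row.src, row.dst}
        if "EN" in groups and row.ipsec and not row.encrypt:
            problems.append(f"row {row.rid}: EN path without encryption")
        if "NF" in groups and row.fallback:
            problems.append(f"row {row.rid}: NF path allows fallback")
    return problems


if __name__ == "__main__":
    for g in ("ID", "BO", "EN", "NF", "UN"):
        print(g, "->", group_mode(g))
    print("violations:", check_group_rules() or "none")
```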

Page 23: Network access groups

NAGs are used to explicitly allow or deny access to a system through the network
Names reflect function—
  ANAG: allow network access group
  DNAG: deny network access group
Can contain users, computers or groups
Defined in domain local groups

Page 24: IPsec policy construction

IPsec policy construction (diagram, shown as a tree):
  IPsec Policy
    Rules
      Filter List
        Filters
      Action
        Security Methods
          Hashing
          Encryption
      Authentication Methods
        Certificates
        Pre-Shared Keys
        Kerberos
    Key Exchange Methods (IKE)
      Key Lifetimes

Page 25: Defined filter actions

Request mode
  Accept inbound in the clear
  Allow outbound in the clear
Secure request mode
  Allow outbound in the clear
Full require mode
  All unicast communications require IPsec
Require encryption mode
  Only negotiates encryption

Page 26: Selecting a deployment strategy

Build up
  Policy has exemptions, but no requirements for IPsec on secure subnets
  Request mode filter action is used with secure subnet filter lists
  Subnets are slowly added to secure subnet filter list and tested
Deploy by group
  IPsec policy defined and linked
  Use groups to control application of the policy

Page 27: Isolation Scenarios

Page 28: Isolation in action

Isolation in action (diagram): unmanaged devices and un-trusted hosts; an Active Directory domain controller (exempted); a domain isolation zone with optional outbound authentication; a server isolation zone with required authentication; authenticating host firewalls, with blocked paths marked X.

Page 29: Domain isolation

Domain controller
Server: domain isolation
  IPsec policy active (requires IPsec for all traffic except for ICMP)
Client: untrusted or non-IPsec capable
User: any type
Result: ping succeeds, others fail

Page 30: Domain isolation

Domain controller
Server: domain isolation
  IPsec policy active (requires IPsec for all traffic except for ICMP)
Client: Windows XP SP2, trusted machine
User: domain member
Result: ping succeeds, others succeed over IPsec

Page 31: Server isolation

Domain controller
Server: server isolation
  IPsec policy active (requires IPsec for all traffic except for ICMP)
  Authorization only for CLIENT1 in group policy via “Access this computer from network” right
Client: Windows XP SP2, “CLIENT2”, trusted machine
User: domain member
Result: ping succeeds, others fail because IKE fails

Page 32: Server isolation

Domain controller
Server: server isolation
  IPsec policy active (requires IPsec for all traffic except for ICMP)
  Authorization only for CLIENT1 and this user in group policy via “Access this computer from network” right
Client: Windows XP SP2, “CLIENT1”, trusted machine
User: domain member
Result: ping succeeds, others succeed over IPsec
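The four scenario slides (pages 29-32) and the network access groups of page 23 describe one decision sequence: ICMP is exempt, IKE only runs for a trusted IPsec-capable client, IKE fails if the computer account lacks network access, and the user is then authorized the same way. The model below is an added example, not from the deck; the host and user names (CLIENT1, CLIENT2, ROGUE, alice) and the group names are constructed, and the allow/deny evaluation assumes deny wins over allow, as with the Windows "Deny access to this computer from the network" right.

```python
"""Network-access decision for the isolation scenario slides (added example).

Steps modelled, following the 'With isolation' sequence: ICMP exemption, IKE
only between trusted IPsec-capable machines, computer authorization (IKE fails
if it is missing), then user authentication and authorization. Authorization
uses allow/deny network access groups (ANAG/DNAG); deny wins. All names are
constructed for the example.
"""
from dataclasses import dataclass
from typing import FrozenSet, Set


@dataclass(frozen=True)
class Principal:                      # a computer account or a user account
    name: str
    groups: FrozenSet[str] = frozenset()

    def ids(self) -> Set[str]:
        return {self.name} | set(self.groups)


@dataclass(frozen=True)
class Client:
    computer: Principal
    trusted: bool                     # domain member with the IPsec policy applied
    ipsec_capable: bool = True


@dataclass(frozen=True)
class ServerPolicy:
    name: str
    anag: FrozenSet[str]              # allow network access group members
    dnag: FrozenSet[str] = frozenset()  # deny network access group members
    icmp_exempt: bool = True          # 'requires IPsec for all traffic except ICMP'


def authorized(p: Principal, policy: ServerPolicy) -> bool:
    """ANAG grants, DNAG denies, and an explicit deny overrides any allow."""
    ids = p.ids()
    if ids & policy.dnag:
        return False
    return bool(ids & policy.anag)


def access(policy: ServerPolicy, client: Client, user: Principal, protocol: str) -> str:
    """Outcome of one connection attempt, phrased as the slides phrase it."""
    if protocol.lower() == "icmp" and policy.icmp_exempt:
        return "allowed in the clear (exempt)"
    if not (client.trusted and client.ipsec_capable):
        return "fails: no IKE negotiation"          # untrusted / non-IPsec client
    if not authorized(client.computer, policy):
        return "fails: IKE fails (computer not authorized)"
    if not authorized(user, policy):
        return "fails: user not authorized"
    return "succeeds over IPsec"


# Constructed scenario data mirroring pages 29-32.
DOMAIN_COMPUTERS, DOMAIN_USERS = "Domain Computers", "Domain Users"
DOMAIN_ISOLATION = ServerPolicy("domain isolation", frozenset({DOMAIN_COMPUTERS, DOMAIN_USERS}))
SERVER_ISOLATION = ServerPolicy("server isolation", frozenset({"CLIENT1", "alice"}))
CLIENT1 = Client(Principal("CLIENT1", frozenset({DOMAIN_COMPUTERS})), trusted=True)
CLIENT2 = Client(Principal("CLIENT2", frozenset({DOMAIN_COMPUTERS})), trusted=True)
ROGUE = Client(Principal("ROGUE"), trusted=False)
ALICE = Principal("alice", frozenset({DOMAIN_USERS}))

if __name__ == "__main__":
    for policy, client in [(DOMAIN_ISOLATION, ROGUE), (DOMAIN_ISOLATION, CLIENT1),
                           (SERVER_ISOLATION, CLIENT2), (SERVER_ISOLATION, CLIENT1)]:
        for proto in ("icmp", "smb"):
            print(policy.name, client.computer.name, proto, "->",
                  access(policy, client, ALICE, proto))
```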

Page 33: The Brokenness of 802.1X

Page 34: What is 802.1X?

Port-based access control method defined by IEEE
  http://standards.ieee.org/getieee802/download/802.1X-2001.pdf
EAP provides mutual authentication between devices
  ftp://ftp.rfc-editor.org/in-notes/rfc3748.txt
Works over anything
  Wired
  Wireless

Page 35: What do you need for 802.1X?

Network infrastructure that supports it
  Switches, mostly
Clients and servers that support it
  Supplicants included in Windows XP, 2003
  Download for Windows 2000

Page 36: Why is it perfect for wireless?

The supplicant (client) and authentication server (RADIUS) generate session keys
Keys are never sent over the air
Nothing for an attacker to use to conduct impersonation or man-in-the-middle attacks
Can manage centrally with GPOs

Page 37: Why is it useless for wired?

No GPOs—and we can’t retrofit
Worse…a fundamental protocol design flaw
  802.1X authenticates only at the start of traffic between client and switch
  After the switch port opens, everything after that is assumed to be valid
These kinds of assumptions allow MITM attacks!
  Does require physical access to the network

Page 38: The attack

The attack (diagram): two hosts both presenting IP 1.2.3.4 and MAC aa:bb:cc:dd:ee:ff; the second one is configured to “drop all inbound not for me”; the authentication exchange (…authenticate…) appears on both paths.

Page 39: Why does it work?

802.1X lacks per-packet authentication
It assumes that the post-authentication traffic is valid—based on MAC and IP only
Switch has no idea what’s happened!
Attacker can communicate only over UDP
  Victim would reset any TCP reply it received but didn’t send (victim sees reply to shadow)

Page 40: The attack

The attack (diagram, TCP exchange between the two hosts sharing 1.2.3.4 / aa:bb:cc:dd:ee:ff): SYN; ACK-SYN, delivered to both hosts; RST; ACK-RST, delivered to both hosts.

Page 41: But wait!

If the victim computer happens to run a personal firewall…
…which drops unsolicited ACK-SYNs…
It gets better!

Page 42: The attack…improved

The attack, improved (diagram, same two hosts sharing 1.2.3.4 / aa:bb:cc:dd:ee:ff): SYN; ACK-SYN, delivered to both hosts; ACK.

Page 43: So then

Despite what the networking vendors claim, 802.1X is inappropriate for preventing rogue access to the network
Good security mechanisms never assume that computers are playing nicely
  802.1X makes this incorrect assumption
  IPsec does not
If you’re worried about bad guys flooding your network…
  Then 802.1X + IPsec is the way to go
  Or just disable their switch port
    You are able to monitor for this, right?

Page 44: What’s Next?

Page 45: The main challenges

Learning curve for IPsec; fundamentally changes TCP/IP communication
May lose ability to inspect network traffic when IPsec-protected
  ESP null is clear-text, but need parsers
  ESP with encryption—you can’t see it!
Detailed planning and coordination required for domain isolation

Page 46: The main challenges

Local administrator can disable IPsec or change the local dynamic policy
  But…such a computer can’t connect to other trusted computers anymore
Not all domain members may be able to be protected (DC, DNS, DHCP)

Page 47: Risks that aren’t mitigated

Trusted users disclosing high value data
Compromise of trusted credentials
Untrusted computers compromising other untrusted computers
Loss of physical security of trusted computers
Lack of compliance mechanisms for trusted computers

Page 48: How to get started?

Download the MSS guide—read and train
Set requirements
  To include isolation needs
  Classify your data
Determine current state
  Active Directory structure
  Network topology and design
Plan initial design
Build a test environment
  Test all changes before production deployment

Page 49: How do I deploy?

Create goals for deployment
  Which assets do you want to protect?
  Do you want to ensure more machines are managed?
  What regulatory requirements do you need to comply with?
  Is it important to limit the spread of worms/viruses?
Create machine groups
  Server isolation: ServerGroupA, ServerGroupB
  Domain isolation: BoundaryGroup
Design IPsec policies
  Document filter actions and rules that will best meet your requirements

Page 50: How do I deploy?

Deploy in “request mode”
  Use to validate policy and refine as necessary
Verify architecture can support IPsec
  Use ESP-null except where privacy is required
  When encrypting, reduce CPU load with hardware
Start small, protect a number of servers and gradually increase your managed domain
  Don’t forget a roll-back plan!
Establish interoperability plan
  Many operating systems capable of IPsec
  Policy and credential distribution requires planning
  Devices and machines that cannot use IPsec can be “exempted” in policy

Page 51: Customer deployments

Remote access/VPN is very common
IPsec server isolation is very popular
  Financial services (top 5 American banks, top 2 Canadian banks)
  Government (at all domestic and international levels)
  Education (multiple universities with >30,000 students, inner-city public school systems)
  Health care, retail, manufacturing, high tech…
Majority of AD deployments use IPsec for secure DC-to-DC communication
  Satisfies regulatory requirements for Sarbanes-Oxley, HIPAA, …
Domain isolation attracting interest of large orgs
  Largest non-Microsoft deployment is >350,000 nodes
  Used extensively within Microsoft

Page 52

Customer case studies

• DC-to-DC replication
• Domain isolation of library
• Isolate branches from headquarters
• 350,000 domain-isolated nodes
• Protect source code
• ?

Page 53

Microsoft IT
Requirement 1: protect high-value intellectual property and meet compliance requirements

Solution
• Source code repositories restricted by server isolation
• Authentication with certificates and machine groups in Active Directory
• Two levels of authorization—at the network and at the application

Results
• Only Windows developers can see and connect to source code servers
• Meets Sarbanes Oxley Act requirements for protecting data of material impact to shareholders

Page 54

Microsoft IT
Requirement 2: protect managed hosts from worm attacks and unauthorized access

Solution
• A “SecureNet” that uses Active Directory and IPsec
• Requires Kerberos for authentication
• Requires certificates for home VPN users

Results
• IPsec is fully deployed on Corpnet for over 12 months
• ~250,000 domain-joined systems using IPsec worldwide
• Increase of domain-joined systems of 45% from start of implementation
• 75% of all network traffic globally is IPsec protected
• 293 helpdesk calls per month (compared to ~500 for Outlook)

Page 55

Microsoft IT implementation

[Diagram: Microsoft Corporate Network. SecureNet: Clients, Servers, Home LANs, Trustworthy Labs (240,000). Boundary Machines (5,000). Exclusions: Labs (75,000); Pocket PC, XBox (18,000); MAC (2,000); DTaps (no connectivity to CorpNet). Permitted Infrastructure / ACL Controlled Infrastructure (500): DHCP, DNS, WINS, DC, IAS. External: Extranet (1,800), Internet Servers, Business Partners. Untrustworthy zones U1, U2, U3; blocked paths marked X.]

Page 56

Preparing for Network Access Protection

• Deploy domain isolation to become familiar with IPsec concepts
• NAP will provide a richer enforcement mechanism, while adding to server and domain isolation
• Plan and model to add health authentication and other compliance enforcement mechanisms network access protection provides
• More guidance available during Longhorn beta

Page 57

IPsec roadmap

Server 2003, Windows XP
• Isolation by domain or server
  • Authentication of machine, but no health check
• Windows firewall integration
  • Authenticated bypass capability
• Overhead offload
  • 10/100mb NIC—lower CPU

“Longhorn” and beyond
• Extensible isolation
  • User and machine credentials
  • Health certificates
• Firewall integration
  • Windows filtering platform
• Improved administration
  • One-size-fits-all policy
• Extensible performance
  • Gig-E offload for lower CPU

Page 58

Learn more

• Server and domain isolation using IPsec and Group Policy
  http://go.microsoft.com/fwlink/?linkid=33947
• Microsoft IT experiences with domain isolation
  http://www.microsoft.com/technet/itsolutions/msit/security/IPsecdomisolwp.mspx
• IPsec resources
  http://www.microsoft.com/ipsec

Page 59

For more information

Jesper and Steve finally wrote a book!
Order online: http://www.protectyourwindowsnetwork.com

jesperjo@microsoft.com