Module 5:Designing Security for
Internal Networks
Module Overview
• Designing Windows Firewall Implementation
• Overview of IPSec
• Designing IPSec Implementation
Methods for Configuring Windows Firewall
You can configure Windows Firewall by using:
• Basic firewall configuration in Control Panel
• Windows Firewall with Advanced Security
• Group Policy
Benefits of IPSec
Benefits of IPSec are:
• Authentication of communication
• Ensuring that data is not modified in transit
• Encrypting to secure communication
• Integrating with Windows Firewall rules as part of Network Access Protection (NAP)
• Protecting communication between two hosts or two networks
Connection Security Rules
Connection security rules:
• Are new in Windows Server 2008 and Windows Vista
• Replace IPSec policies from previous versions of Windows
• Determine which network traffic is affected by IPSec
• Must exist on both hosts to be effective
• Apply to all traffic between hosts
• Can be applied to specific profiles
Types of Connection Security Rules
Rule type / Description
Isolation
• Restricts connections based on criteria such as user, computer, or certificates
Server-to-server
• Authenticates communication based on individual computer IP addresses or subnets
Tunnel
• Secures communication between two computers that are acting as routers between two networks
Authentication exemption
• Exempts specific computers or IP addresses from the requirement to authenticate (typically domain controllers, DNS and DHCP servers that a host must reach before it can authenticate at all)
Custom
• Allows access to options not available in the wizard for the other rule types
IPSec Authentication
Authentication requirements specify when authentication is performed:
• Request for inbound and outbound
• Require for inbound and request for outbound
• Require for inbound and outbound
A "request" setting falls back to unprotected traffic if the peer does not respond with IPSec, so it guarantees nothing on its own; it is useful for staged rollouts and for peers that are not yet configured. "Require for inbound and request for outbound" is the usual server setting.
Authentication method specifies how authentication is performed:
• Kerberos V5 (user, computer, or both)
• NTLMv2 (computer)
• Computer certificate
• Preshared key
Deployment Methods for Connection Security Rules
Method Description
Windows Firewall with Advanced Security
• Is suitable for configuring a small number of hosts
• Is prone to errors during creation
Netsh
• Is suitable for scripting
• Is configured in the "netsh advfirewall consec" context
Group Policy
• Allows rules to be deployed to a large number of computers easily
• Reduces the chance of data entry errors during configuration
• Requires all computers to be a member of a domain
Windows PowerShell
• Is suitable for scripting
• Accesses network settings through WMI objects
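The following is an added example, not part of the course deck. It builds the rule types and authentication settings above as a scripted deployment into a Group Policy object, which is the method the module recommends. It assumes a hypothetical domain contoso.com, a GPO named "IPsec Isolation", a server subnet 10.0.1.0/24 and domain controllers at 10.0.0.10 and 10.0.0.11. It uses the NetSecurity cmdlets that exist on Windows Server 2012 and later; on the Windows Server 2008 hosts this module targets, the same rules are created with "netsh advfirewall consec add rule" instead.

```powershell
# Added example (not from the course deck). All names and addresses are hypothetical.
# Run in an elevated PowerShell session on a domain-joined Windows Server 2012 or later host.

# Write rules into a GPO (domain\GPO name). Use "PersistentStore" to target only the local machine.
$store = "contoso.com\IPsec Isolation"

# 1. Authentication methods. Phase 1 proves the computer identity, Phase 2 (optional) the user identity.
$machineAuth = New-NetIPsecPhase1AuthSet -DisplayName "Computer Kerberos V5" `
    -Proposal (New-NetIPsecAuthProposal -Machine -Kerberos) -PolicyStore $store
$userAuth = New-NetIPsecPhase2AuthSet -DisplayName "User Kerberos V5" `
    -Proposal (New-NetIPsecAuthProposal -User -Kerberos) -PolicyStore $store

# 2. Isolation rule: "Require for inbound and request for outbound", domain profile only.
New-NetIPsecRule -DisplayName "Isolation - domain members" -Mode Transport `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $machineAuth.InstanceID -Phase2AuthSet $userAuth.InstanceID `
    -Profile Domain -PolicyStore $store

# 3. Server-to-server rule for one subnet: "Require for inbound and outbound".
New-NetIPsecRule -DisplayName "Server-to-server - 10.0.1.0/24" -Mode Transport `
    -LocalAddress Any -RemoteAddress 10.0.1.0/24 `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $machineAuth.InstanceID -Profile Domain -PolicyStore $store

# 4. Authentication exemption for the domain controllers. Without it a client cannot reach a DC
#    to obtain the Kerberos ticket that the isolation rule demands, and locks itself out.
New-NetIPsecRule -DisplayName "Exempt domain controllers" `
    -RemoteAddress 10.0.0.10, 10.0.0.11 `
    -InboundSecurity None -OutboundSecurity None -PolicyStore $store

# 5. Verification on a target after "gpupdate /force": the rules that actually took effect,
#    and the main mode / quick mode security associations that formed with peers.
Get-NetIPsecRule -PolicyStore ActiveStore |
    Format-Table DisplayName, Mode, InboundSecurity, OutboundSecurity -AutoSize
Get-NetIPsecMainModeSA  | Format-Table LocalEndpoint, RemoteEndpoint -AutoSize
Get-NetIPsecQuickModeSA | Format-Table LocalEndpoint, RemoteEndpoint -AutoSize
```

Connection security rules must exist on both hosts to have any effect, so the GPO has to be linked where both peers pick it up. Test with "Request for inbound and outbound" first and watch the main mode SA list; only tighten to "Require" once every expected peer negotiates successfully.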
Determining the Authentication Method
Authentication method Use
Kerberos V5 security protocol
• Users and computers running Windows 2000 (and later versions) that are part of an Active Directory domain
Public key certificate
• Internet access
• Remote access to corporate resources
• External business partners
• On computers that do not run the Kerberos V5 security protocol
Preshared secret key
• When both computers must be manually configured for IPSec
• Suitable for interoperability testing only: the key is stored in clear text in the policy and is shared by every computer the rule applies to
Co-existence with IPSec Policies
• IPSec policies are still required for earlier versions of Windows operating systems
• IPSec policies can be used by Windows Vista and Windows Server 2008
• IPSec policies and connection security rules can be applied at the same time
Integration with Windows Firewall Rules
• Windows Firewall rules can apply to specific users and computers
• Authentication by IPSec provides the user or computer identity to Windows Firewall rules
• Windows Firewall rules can require a secure connection for NAP
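The following is an added example, not part of the course deck. It shows how a firewall rule consumes the identity that an IPSec connection security rule established: an inbound SMB rule that is allowed only over an authenticated connection and only when the peer computer belongs to a particular domain group. It assumes an isolation rule is already in place, a hypothetical group CONTOSO\Finance Servers, a GPO named "Finance Firewall", and Windows Server 2012 or later.

```powershell
# Added example (not from the course deck). Group, domain and GPO names are hypothetical.
# Requires an existing connection security rule so that inbound connections are IPsec-authenticated.

$store = "contoso.com\Finance Firewall"

# Firewall rules carry authorization as an SDDL string, not as group names, so resolve the SID first.
$account = New-Object System.Security.Principal.NTAccount("CONTOSO", "Finance Servers")
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$sddl = "O:LSD:(A;;CC;;;$sid)"   # one ACE: allow (A) the CC right to that group's SID

# Inbound SMB is allowed only if the connection is IPsec-authenticated and encrypted, and the
# computer identity proven during IPsec authentication is a member of the group.
New-NetFirewallRule -DisplayName "SMB in - Finance Servers only (IPsec)" `
    -Direction Inbound -Protocol TCP -LocalPort 445 -Action Allow `
    -Authentication Required -Encryption Required `
    -RemoteMachine $sddl -Profile Domain -PolicyStore $store

# Check: the security filter should show Authentication=Required and the SDDL under RemoteMachine.
Get-NetFirewallRule -DisplayName "SMB in - Finance Servers only (IPsec)" -PolicyStore $store |
    Get-NetFirewallSecurityFilter
```

"-Encryption Required" drops the traffic unless the IPSec security association protecting it uses ESP encryption; leave the parameter out if the quick mode crypto set only offers integrity. Without a connection security rule on both sides no identity is ever established, and a rule with "-Authentication Required" simply blocks everything.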
Guidelines for Designing IPSec Implementation
• Deploy with Group Policy
• Avoid combining IPSec policies and connection security rules
• Test thoroughly before implementation
• Use only when appropriate in your security plan