Module 5: Designing Security for Internal Networks


Module Overview

• Designing Windows Firewall Implementation

• Overview of IPSec

• Designing IPSec Implementation


Methods for Configuring Windows Firewall

You can configure Windows Firewall by using:

• Basic Firewall configuration in Control Panel

• Windows Firewall with Advanced Security

• Group Policy


Benefits of IPSec

Benefits of IPSec are:

• Authentication of communication

• Ensuring that data is not modified in transit

• Encrypting to secure communication

• Integrating with Windows Firewall rules as part of Network Access Protection (NAP)

• Protecting communication between two hosts or two networks


Connection Security Rules

Connection security rules:

• Are new in Windows Server 2008 and Windows Vista

• Replace IPSec policies from previous versions of Windows

• Determine which network traffic is affected by IPSec

• Must exist on both hosts to be effective

• Apply to all traffic between hosts

• Can be applied to specific profiles


Types of Connection Security Rules

Rule type: Description

Isolation
• Restricts connections based on criteria such as user, computer, or certificates

Server-to-server
• Authenticates communication based on individual computer IP addresses or subnets

Tunnel
• Secures communication between two computers that are acting as routers between two networks

Authentication exemption
• Exempts specific computers or IP addresses from the requirement to authenticate

Custom
• Allows access to options not available in the wizard for the other rule types


IPSec Authentication

Authentication requirements specify when authentication is performed:

• Request for inbound and outbound

• Require for inbound and request for outbound

• Require for inbound and outbound

Authentication method specifies how authentication is performed:

• Kerberos V5 (user, computer, or both)

• NTLMv2 (computer)

• Computer certificate

• Preshared key


Deployment Methods for Connection Security Rules

Method: Description

Windows Firewall with Advanced Security
• Is suitable for configuring a small number of hosts
• Is prone to errors during creation

Netsh
• Is suitable for scripting
• Is configured in the “netsh advfirewall consec” context

Group Policy
• Allows rules to be deployed to a large number of computers easily
• Reduces the chance of data entry errors during configuration
• Requires all computers to be a member of a domain

Windows PowerShell
• Is suitable for scripting
• Accesses network settings through WMI objects
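The following script is an added example, not part of the original module, showing the scripted deployment path from this slide together with the "Require for inbound and request for outbound" requirement and the Kerberos V5 computer method from the IPSec Authentication slide; the rule name and the any/any endpoints are assumptions chosen for illustration, and the script is meant to be run from an elevated PowerShell prompt on Windows Vista / Windows Server 2008 or later.

```powershell
# Added example: create and verify an isolation connection security rule
# through the "netsh advfirewall consec" context from PowerShell.
# The rule name and the any/any endpoints are illustrative assumptions.
$RuleName = "DomainIsolation-Example"

# Remove any previous copy so the script can be re-run safely
# (netsh prints a message if no such rule exists; that is harmless).
netsh advfirewall consec delete rule name=$RuleName | Out-Null

# Require authentication for inbound traffic and request it for outbound,
# using Kerberos V5 computer authentication: only domain members can
# initiate connections to this host, while the host can still reach
# machines that cannot authenticate (the "request" half).
netsh advfirewall consec add rule `
    name=$RuleName `
    endpoint1=any `
    endpoint2=any `
    action=requireinrequestout `
    auth1=computerkerb `
    profile=domain `
    enable=yes

# Confirm the rule was stored as intended. Run the same check on the
# peer: a connection security rule must exist on both hosts to be effective.
netsh advfirewall consec show rule name=$RuleName

# After traffic has flowed, list the main-mode security associations to
# verify that peers actually negotiated IPsec rather than staying in
# clear text (an empty list means no peer authenticated).
netsh advfirewall monitor show mmsa
```

Deploying the same rule to many hosts is better done through Group Policy, as the slide notes; the netsh form is useful for lab testing and for scripting the verification step.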


Determining the Authentication Method

Authentication method: Use

Kerberos V5 security protocol
• Users and computers running Windows 2000 (and later versions) that are part of an Active Directory domain

Public key certificate
• Internet access
• Remote access to corporate resources
• External business partners
• On computers that do not run the Kerberos V5 security protocol

Preshared secret key
• When both computers must manually configure IPSec


Co-existence with IPSec Policies

• IPSec policies are still required for earlier versions of Windows operating systems

• IPSec policies can be used by Windows Vista and Windows Server 2008

• IPSec policies and connection security rules can be applied at the same time


Integration with Windows Firewall Rules

• Windows Firewall rules can apply to specific users and computers

• Authentication by IPSec provides the user or computer identity to Windows Firewall rules

• Windows Firewall rules can require a secure connection for NAP


Guidelines for Designing IPSec Implementation

• Deploy with Group Policy

• Avoid combining IPSec policies and connection security rules

• Test thoroughly before implementation

• Use only when appropriate in your security plan