Domain and Server Isolation Using IPsec Jesper M. Johansson Senior Security Strategist Security Technology Unit jesperjo@microsoft.com http://blogs.technet.com/jesper_johansson Evolving network security The vision Endpoints protect themselves from other systems Connections allowed only after authentication All communications are authenticated and authorized Host health is checked The value proposition Increased security for windows and corporate network overall Increase IT efficiency and ROI on active directory management You can do much of this today! Without isolation Access granted or denied based on ACL 4 Share access is checked User is authenticated and authorized Dept Group 1 Check network access permissions 3 Local policy 2 User authentication occurs User attempts to access a file share Life without isolation User authentication and authorization are the focus for most IT professionals Server and domain isolation will change this! The problems All hosts on the network might not be trusted equally by all systems connected Difficult to control who or what physically connects to the network Unmanaged hosts present infection threat Need to provide connectivity to outsiders but limit access a.k.a. partners…vendors…customers… Theft and abuse of trusted user credentials often not recognized—until it’s too late! The problems Large “internal” networks might have independent paths to the Internet Difficult to monitor and control “the edge” anymore External threats present somewhere on the internal network Network attack surface is all TCP/IP ports, traffic Packet filtering (network firewall) helps, but not when clients communicate inside it Need defense-in-depth to include application layer network security Security Lessons From The Physical World Traffic lights control traffic flow Buffer overflows are unheard of Malicious hosts easily quarantined The solution Isolate computers with IPsec Protects all unicast traffic between trusted computers Provides end to end security Authenticates every packet (by default) Can encrypt every packet (optional) Customizable policy deployed in domain, no application changes necessary Where does isolation fit? Security defense-in-depth model Part of a security defense-in-depth approach Logically sits between the network and the host layers Data Application Host Isolation Internal network Perimeter Physical security People, Policies, and Process What are the main benefits? Reduces network attacks on isolated computers Helps protect against internal attacks Provides scalable authentication and encryption for all traffic Even “unsecurable” stuff like SMB Why IPsec? My network vendor says 802.1X can do this! Well they’re wrong. Stay tuned! Solution Benefits IPsec: the foundation Create Active Directory–based IPsec policies with MMC Use one of three authentication methods Kerberos Computer certificates Preshared keys IPsec policies delivered to clients with AD Group Policy Available in Windows 2000, XP, 2003 Solution terminology Hosts Untrusted Trustworthy Trusted Isolation groups Foundational groups Additional groups Network access groups Isolation scenarios Domain isolation Protect hosts from unmanaged machines Enforces domain membership (yay!) by requiring machine authentication All trusted machines can exchange traffic Encryption optional Can include stronger server isolation Server isolation Protect high-value servers Restrict connectivity to a defined subset of certain people and hosts Still must be domain computers Encryption optional but common With isolation Access granted or denied based on ACL 6 Share access is checked Computer and user are authenticated and authorized Dept Group Check network Check network access permissions Access permissions (user) (Computer acct) 5 3 Local Local policy policy 1 IKE negotiation begins 2 4 IKE succeeds, user authN occurs IKE User attempts to access a file share How does isolation work? Uses IPsec to— Handle the computer account authentication Ensure data integrity Provide encryption (if required) Use group policy to— Distribute the IPsec policies Authorize the computer and user access Implementation Planning How do I implement isolation? Organize computers into isolation groups, based on— Security requirements Data classification Identify communication paths Define what’s allowed, block everything else Create policies to enforce business requirements Identify and test a deployment strategy Foundational groups Non-IPsec groups Untrusted systems Default group Exemptions Trusted infrastructure Isolation Domain IPsec groups Isolation domain Default trusted group Boundary Higher risk trusted group Boundary Isolation Group Untrusted All systems Systems Traffic mapping—foundational Plan all allowed data communications between foundational groups ID From To Bidirectional IPsec Fallback Encrypt 1 ID Ex Yes No No No 2 ID BO Yes Yes No No 3 ID UN No Yes Yes No 4 BO EX Yes Yes Yes No 5 BO UN No Yes Yes No 6 UN BO No No No No 7 UN EX Yes No No No Additional isolation groups Driven by business requirements Might not be necessary For example— No fallback allowed isolation group Blocks outbound communications to untrusted hosts Require encryption isolation group High security group All data communications must use encryption Isolation Domain Encryption Isolation Group No fallback Isolation Group Boundary Isolation Group Untrusted systems Traffic mapping—additional ID From To Bidirectional IPsec Fallback Encrypt 8 EN EX Yes No No No 9 EN ID Yes Yes No Yes 10 EN NF Yes Yes No Yes 11 EN BO No Yes No Yes 12 NF ID Yes Yes No No 13 NF EX Yes No No No 14 NF BO Yes Yes No No Network access groups NAGs are used to explicitly allow or deny access to a system through the network Names reflect function— ANAG: allow network access group DNAG: deny network access group Can contain users, computers or groups Defined in domain local groups IPsec policy construction IPsec Policy Key Exchange Methods (IKE) Rules Authentication Methods Kerberos Filter List Action Certificates Security Methods Encryption Filters Pre-Shared Keys Key Lifetimes Hashing Defined filter actions Request mode Accept inbound in the clear Allow outbound in the clear Secure request mode Allow outbound in the clear Full require mode All unicast communications require IPsec Require encryption mode Only negotiates encryption Selecting a deployment strategy Build up Policy has exemptions, but no requirements for IPsec on secure subnets Request mode filter action is used with secure subnet filter lists Subnets are slowly added to secure subnet filter list and tested Deploy by group IPsec policy defined and linked Use groups to control application of the policy Isolation Scenarios Isolation in action Active Directory Domain Controller Domain Isolation Un-trusted X Optional outbound authentication X Unmanaged Devices (exempted) Server Isolation Required authentication ` Authenticating Host Firewalls Domain isolation Domain controller User: any type Client: Untrusted or non-IPsec capable Ping succeeds others fail Server: domain isolation IPsec policy Active (requires IPsec for all traffic except for ICMP) Domain isolation Domain controller User: domain member Client: Windows XP SP2 Trusted machine Ping succeeds, others succeed over IPsec Server: domain isolation IPsec policy Active (requires IPsec for all traffic except for ICMP) Server isolation Domain controller User: domain member Client: Windows XP SP2 “CLIENT2” Trusted machine Ping succeeds others fail because IKE fails Authorization only for CLIENT1 in group policy via “Access this computer from network” right Server: server isolation IPsec policy Active (requires IPsec for all traffic except for ICMP) Server isolation Domain controller User: domain member Client: Windows XP SP2 “CLIENT1” Trusted machine Ping succeeds, other succeed over IPsec Authorization only for CLIENT1 and this user in group policy via “Access this computer from network” right Server: server isolation IPsec policy Active (requires IPsec for all traffic except for ICMP) The Brokenness of 802.1X What is 802.1X? Port-based access control method defined by IEEE http://standards.ieee.org/getieee802/download/802.1X-2001.pdf EAP provides mutual authentication between devices ftp://ftp.rfc-editor.org/in-notes/rfc3748.txt Works over anything Wired Wireless What do you need for 802.1X? Network infrastructure that supports it Switches, mostly Clients and servers that support it Supplicants included in Windows XP, 2003 Download for Windows 2000 Why is it perfect for wireless? The supplicant (client) and authentication server (RADIUS) generate session keys Keys are never sent over the air Nothing for an attacker to use to conduct impersonation or man-in-the-middle attacks Can manage centrally with GPOs Why is it useless for wired? No GPOs—and we can’t retrofit Worse…a fundamental protocol design flaw 802.1X authenticates only at the start of traffic between client and switch After the switch port opens, everything after that is assumed to be valid These kinds of assumptions allow MITM attacks! Does require physical access to the network The attack …authenticate… 1.2.3.4 aa:bb:cc:dd:ee:ff drop all inbound not for me 1.2.3.4 aa:bb:cc:dd:ee:ff Why does it work? 802.1X lacks per-packet authentication It assumes that the post-authentication traffic is valid—based on MAC and IP only Switch has no idea what’s happened! Attacker can communicate only over UDP Victim would reset any TCP reply it received but didn’t send (victim sees reply to shadow) The attack ACK-SYN ACK-RST RST 1.2.3.4 aa:bb:cc:dd:ee:ff ACK-SYN ACK-RST SYN 1.2.3.4 aa:bb:cc:dd:ee:ff But wait! If the victim computer happens to run a personal firewall… …which drops unsolicited ACK-SYNs… It gets better! The attack…improved ACK-SYN 1.2.3.4 aa:bb:cc:dd:ee:ff ACK-SYN ACK SYN 1.2.3.4 aa:bb:cc:dd:ee:ff So then Despite what the networking vendors claim, 802.1X is inappropriate for preventing rogue access to the network Good security mechanisms never assume that computers are playing nicely 802.1X makes this incorrect assumption IPsec does not If you’re worried about bad guys flooding your network… Then 802.1X + IPsec is the way to go Or just disable their switch port You are able to monitor for this, right? What’s Next? The main challenges Learning curve for IPsec; fundamentally changes TCP/IP communication May lose ability to inspect network traffic when IPsec-protected ESP null is clear-text, but need parsers ESP with encryption—you can’t see it! Detailed planning and coordination required for domain isolation The main challenges Local administrator can disable IPsec or change the local dynamic policy But…such a computer can’t connect to other trusted computers anymore Not all domain members may be able to be protected (DC, DNS, DHCP) Risks that aren’t mitigated Trusted users disclosing high value data Compromise of trusted credentials Untrusted computers compromising other untrusted computers Loss of physical security of trusted computers Lack of compliance mechanisms for trusted computers How to get started? Download the MSS guide—read and train Set requirements To include isolation needs Classify your data Determine current state Active Directory structure Network topology and design Plan initial design Build a test environment Test all changes before production deployment How do I deploy? Create goals for deployment Which assets you want to protect? Do you want to ensure more machines are managed? What regulatory requirements do you need to comply? Is it important to limit spread of worms/virus? Create machine groups Server isolation: ServerGroupA, ServerGroupB Domain isolation: BoundaryGroup Design IPsec policies Document filter actions and rules that will best meet your requirements How do I deploy? Deploy in “request mode” Use to validate policy and refine as necessary Verify architecture can support IPsec Use ESP-null except where privacy is required When encrypting, reduce CPU load with hardware Start small, protect a number of servers and gradually increase your managed domain Don’t forget a roll-back plan! Establish interoperability plan Many operating systems capable of IPsec Policy and credential distribution requires planning Devices and machines that cannot use IPsec can be “exempted” in policy Customer deployments Remote access/VPN is very common IPsec server isolation is very popular Financial services (top 5 American banks, top 2 Canadian banks) Government (at all domestic and international levels) Education (multiple universities with >30,000 students, inner-city public school systems) Health care, retail, manufacturing, high tech… Majority of AD deployments use IPsec for secure DC-to-DC communication Satisfies regulatory requirements for Sarbanes-Oxley, HIPAA, … Domain isolation attracting interest of large orgs Largest non-Microsoft deployment is >350,000 nodes Used extensively within Microsoft Customer case studies DC-to-DC replication Domain isolation of library Isolate branches from headquarters ? 350,000 domainisolated nodes Protect source code Microsoft IT Requirement 1: protect high-value intellectual property and meet compliance requirements Solution Source code repositories restricted by server isolation Authentication with certificates and machine groups in Active Directory Two levels of authorization—at the network and at the application Results Only Windows developers can see and connect to source code servers Meets Sarbanes Oxley Act requirements for protecting data of material impact to shareholders Microsoft IT Requirement 2: protect managed hosts from worm attacks and unauthorized access Solution A “SecureNet” that uses Active Directory and IPsec Requires Kerberos for authentication Requires certificates for home VPN users Results IPsec is fully deployed on Corpnet for over 12 months ~250,000 domain-joined systems using IPsec worldwide Increase of domain-joined systems of 45% from start of implementation 75% of all network traffic globally is IPsec protected 293 helpdesk calls per month (compared to ~500 for Outlook) Microsoft IT implementation Microsoft Corporate Network SecureNet X X Clients, Servers, Home LANs, Trustworthy Labs (240,000) ACL Controlled Internet Servers Business Partners Extranet (1,800) U1 B Boundary Machines (5,000) U2 U3 Labs Pocket PC MAC 75,000 XBox 2,000 18,000 D H C P D N S W I N S D C I A S Untrustworthy Infrastructure (500) Permitted Infrastructure External Exclusions DTaps (no connectivity to CorpNet) Preparing for Network Access Protection Deploy domain isolation to become familiar with IPsec concepts NAP will provide a richer enforcement mechanism, while adding to server and domain isolation Plan and model to add health authentication and other compliance enforcement mechanisms network access protection provides More guidance available during Longhorn beta IPsec roadmap Server 2003, Windows XP “Longhorn” and beyond Isolation by domain or server • Authentication of machine, but no health check Extensible isolation • User and machine credentials • Health certificates Windows firewall integration • Authenticated bypass capability Overhead offload • 10/100mb NIC—lower CPU Firewall integration • Windows filtering platform Improved administration • One-size-fits-all policy Extensible performance • Gig-E offload for lower CPU Learn more Server and domain isolation using IPsec and Group Policy http://go.microsoft.com/fwlink/?linkid=33947 Microsoft IT experiences with domain isolation http://www.microsoft.com/technet/itsolutions/ msit/security/IPsecdomisolwp.mspx IPsec resources http://www.microsoft.com/ipsec For more information Jesper and Steve finally wrote a book! Order online: http://www.protectyourwindowsnetwork .com jesperjo@microsoft.com