
Module 5: Designing Security for Internal Networks

Module Overview

Designing Windows Firewall Implementation
Overview of IPSec
Designing IPSec Implementation

Lesson 1: Designing Windows Firewall Implementation

Reasons for Implementing Windows Firewall
Methods for Configuring Windows Firewall
Discussion: Guidelines for Designing Inbound Rules
Discussion: Guidelines for Designing Outbound Rules

Reasons for Implementing Windows Firewall

Windows Firewall can block incoming and outgoing network traffic on a host.

Reasons for implementing Windows Firewall are:
Protect servers from internal threats
Prevent malware from propagating

Methods for Configuring Windows Firewall

You can configure Windows Firewall by using:
Basic Firewall configuration in Control Panel
Windows Firewall with Advanced Security
Group Policy

Discussion: Guidelines for Designing Inbound Rules


What rules should exist for inbound packets?

Discussion: Guidelines for Designing Outbound Rules


What rules should exist for outbound packets?
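One way to answer both discussion questions in practice is to write the rule set down as a script. The following is an added example, not code from the course: it uses the netsh advfirewall firewall context (one of the configuration methods listed above) from an elevated PowerShell prompt. The rule names, the 10.0.0.0/8 and 10.0.10.0/24 management ranges and the port choices are constructed values for a file server in the Domain profile.

```powershell
# Added example, not from the course slides: a small inbound/outbound rule set built with the
# "netsh advfirewall firewall" context from an elevated PowerShell prompt on a test host.
# Rule names, the 10.0.0.0/8 and 10.0.10.0/24 ranges and the port choices are constructed
# values for a file server in the Domain profile.

$rules = @(
    # Inbound: the profile default is block, so open only the ports the server role needs,
    # scoped to the Domain profile and to the address ranges that legitimately need them.
    @{ Name = 'Allow-SMB-In-Domain'; Args = @('dir=in', 'action=allow', 'protocol=TCP',
        'localport=445', 'profile=domain', 'remoteip=10.0.0.0/8') },
    @{ Name = 'Allow-RDP-In-Mgmt';   Args = @('dir=in', 'action=allow', 'protocol=TCP',
        'localport=3389', 'profile=domain', 'remoteip=10.0.10.0/24') },
    # Outbound: the profile default stays allow (blocking all outbound breaks updates, DNS
    # and domain traffic), so add targeted block rules for traffic that should never leave
    # the host, such as SMB on the Public profile, which limits worm-style propagation.
    @{ Name = 'Block-SMB-Out-Public'; Args = @('dir=out', 'action=block', 'protocol=TCP',
        'remoteport=445', 'profile=public') }
)

foreach ($rule in $rules) {
    # Each element of $netshArgs becomes one argument to netsh.exe.
    $netshArgs = @('advfirewall', 'firewall', 'add', 'rule', "name=$($rule.Name)") + $rule.Args
    & netsh @netshArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Rule '$($rule.Name)' was not created." }
}

# Per-profile defaults: block unmatched inbound, allow unmatched outbound, and log drops so
# the rule set can be checked against real traffic before it is widened or tightened.
& netsh advfirewall set domainprofile firewallpolicy blockinbound,allowoutbound
& netsh advfirewall set allprofiles logging droppedconnections enable

# Review what was created.
& netsh advfirewall firewall show rule name=Allow-SMB-In-Domain
```

The design point the script encodes is the asymmetry between the two directions: inbound rules are an allow-list scoped by port, profile and remote address, while outbound rules are a short block-list on top of a permissive default.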

Lesson 2: Overview of IPSec


Benefits of IPSec
Connection Security Rules
Types of Connection Security Rules
IPSec Authentication
Demonstration: Creating a Connection Security Rule

Benefits of IPSec

Benefits of IPSec are:
Authentication of communication
Ensuring that data is not modified in transit
Encrypting to secure communication
Integrating with Windows Firewall rules as part of Network Access Protection (NAP)
Protecting communication between two hosts or two networks

Connection Security Rules


Connection security rules:
Are new in Windows Server 2008 and Windows Vista
Replace IPSec policies from previous versions of Windows
Determine which network traffic is affected by IPSec
Must exist on both hosts to be effective
Apply to all traffic between hosts
Can be applied to specific profiles

Types of Connection Security Rules


Rule type: Description
Isolation: Restricts connections based on criteria such as user, computer, or certificates
Server-to-server: Authenticates communication based on individual computer IP addresses or subnets
Tunnel: Secures communication between two computers that are acting as routers between two networks
Authentication exemption: Exempts specific computers or IP addresses from the requirement to authenticate
Custom: Allows access to options not available in the wizard, for creating other options
IPSec Authentication
Authentication requirements specify when authentication is performed:
Request for inbound and outbound
Require for inbound and request for outbound
Require for inbound and outbound

Authentication method specifies how authentication is performed:
Kerberos V5 (user, computer, or both)
NTLMv2 (computer)
Computer certificate
Preshared key

Demonstration: Creating a Connection Security Rule


In this demonstration, you will see how to create a connection security rule.
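The course demonstration uses the Windows Firewall with Advanced Security console. As an added example that is not the course's own demonstration, the same result from the netsh advfirewall consec context: an isolation rule that combines one of the authentication requirements above (require for inbound, request for outbound) with one of the authentication methods (Kerberos V5 computer authentication), plus an authentication exemption. The 10.0.0.0/8 range, the exempted address 10.0.0.10 and the rule names are constructed values.

```powershell
# Added example, not the course's own demonstration: creating connection security rules
# from the "netsh advfirewall consec" context in an elevated PowerShell prompt on a lab host.
# The 10.0.0.0/8 range and the exempted address 10.0.0.10 are constructed values; the rule
# names are made up. Matching rules must also exist on the peer hosts to take effect.

# Isolation rule for the Domain profile: "require for inbound and request for outbound",
# with Kerberos V5 computer authentication (auth1=computerkerb) as the first-phase method.
# "requestinrequestout" is the choice for a pilot where no traffic may be dropped yet.
& netsh advfirewall consec add rule name=Domain-Isolation `
    endpoint1=any endpoint2=10.0.0.0/8 `
    action=requireinrequestout `
    auth1=computerkerb `
    profile=domain

# Authentication exemption: a host that cannot use Kerberos (a non-domain appliance here)
# is excluded so the require-inbound rule does not silently drop its traffic. Exemption
# rules take precedence over isolation rules that match the same endpoints.
& netsh advfirewall consec add rule name=Exempt-Appliance `
    endpoint1=any endpoint2=10.0.0.10 `
    action=noauthentication `
    profile=domain

# Confirm both rules and their settings.
& netsh advfirewall consec show rule name=all
```

Because the rule lives only on the host where it is created, the "must exist on both hosts" point from the previous topic applies directly: run the same two commands on the peers, or deploy them through Group Policy as described in the next lesson.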

Lesson 3: Designing IPSec Implementation


Deployment Methods for Connection Security Rules
Determining the Authentication Method
Co-existence with IPSec Policies
Integration with Windows Firewall Rules
Guidelines for Designing IPSec Implementation

Deployment Methods for Connection Security Rules


Method: Description
Windows Firewall with Advanced Security: Is suitable for configuring a small number of hosts; is prone to errors during creation
Netsh: Is suitable for scripting; is configured in the netsh advfirewall consec context
Group Policy: Allows rules to be deployed to a large number of computers easily; reduces the chance of data entry errors during configuration; requires all computers to be members of a domain
Windows PowerShell: Is suitable for scripting; accesses network settings through WMI objects

Determining the Authentication Method

Authentication method: Use
Kerberos V5 security protocol: Users and computers running Windows 2000 (and later versions) that are part of an Active Directory domain
Public key certificate: Internet access; remote access to corporate resources; external business partners; computers that do not run the Kerberos V5 security protocol
Preshared secret key: When both computers must manually configure IPSec

Co-existence with IPSec Policies

IPSec policies are still required for earlier versions of Windows operating systems

IPSec policies can be used by Windows Vista and Windows Server 2008
IPSec policies and connection security rules can be applied at the same time

Integration with Windows Firewall Rules

Windows Firewall rules can apply to specific users and computers

Authentication by IPSec provides the user or computer identity to Windows Firewall rules
Windows Firewall rules can require a secure connection for NAP
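The following added example (not from the course slides) shows the integration described above in rule form: a firewall rule that accepts inbound traffic only over an IPsec-authenticated connection and only from computers in a named domain group, so the identity established by IPsec is what the firewall rule filters on. It assumes a matching connection security rule is already in place on both peers; CONTOSO\ManagementServers is a constructed group name, and the SID is resolved rather than typed by hand.

```powershell
# Added example, not from the course slides: firewall rules that accept inbound traffic only
# over an IPsec-authenticated connection and only from computers in a specific domain group.
# Assumes a matching connection security rule is already in place on both peers (without
# one, security=authenticate means the rule never matches). CONTOSO\ManagementServers is a
# constructed group name; it is resolved to a SID rather than typed by hand.

$group = New-Object System.Security.Principal.NTAccount('CONTOSO', 'ManagementServers')
$sid   = $group.Translate([System.Security.Principal.SecurityIdentifier]).Value

# The remote computer group is expressed as an SDDL string: allow (A) the CC access right
# to the group's SID. This is the computer identity that IPsec authentication hands to the
# firewall rule.
$sddl = "D:(A;;CC;;;$sid)"

# Remote management (WinRM) only from authenticated members of the group.
& netsh advfirewall firewall add rule name=Allow-WinRM-From-MgmtServers `
    dir=in action=allow protocol=TCP localport=5985 profile=domain `
    security=authenticate "rmtcomputergrp=$sddl"

# Stricter variant: require encryption as well (security=authenc), so a peer that
# authenticates but does not negotiate ESP encryption is still refused.
& netsh advfirewall firewall add rule name=Allow-SMB-Encrypted-Only `
    dir=in action=allow protocol=TCP localport=445 profile=domain `
    security=authenc "rmtcomputergrp=$sddl"

# Review the resulting rule, including its security and remote computer group settings.
& netsh advfirewall firewall show rule name=Allow-WinRM-From-MgmtServers verbose
```

A user group can be applied the same way with rmtusrgrp when the connection security rule's second authentication phase carries user credentials; with computer-only Kerberos authentication, as in the earlier example, only the computer group is available.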

Guidelines for Designing IPSec Implementation

Deploy with Group Policy
Avoid combining IPSec policies and connection security rules
Test thoroughly before implementation
Use only when appropriate in your security plan
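"Test thoroughly before implementation" is easier when the checks are scripted. As an added example that is not part of the course material, the following PowerShell script runs two checks on a pilot host after the rules are deployed: whether IPsec security associations are actually being negotiated, and which inbound connections the firewall is dropping. It assumes the default firewall log path and that dropped-packet logging was enabled for the active profile.

```powershell
# Added example, not from the course slides: checks to run on a pilot host after deploying
# connection security and firewall rules, before widening their scope. Assumes the default
# firewall log path and that dropped-packet logging was enabled for the profile in use
# (netsh advfirewall set allprofiles logging droppedconnections enable).

# 1. Is IPsec actually negotiating? One main mode SA per authenticated peer shows that the
#    first-phase authentication method succeeded; quick mode SAs show traffic is protected.
& netsh advfirewall monitor show mmsa
& netsh advfirewall monitor show qmsa

# 2. What is being dropped inbound, and on which ports? Unexpected entries usually mean a
#    missing inbound rule or a peer that could not authenticate against a "require" rule.
$logPath = Join-Path $env:SystemRoot 'System32\LogFiles\Firewall\pfirewall.log'

function Get-DroppedInbound {
    param([string]$Path = $logPath)
    # Skip the #Version/#Fields header lines; data lines start with a date.
    Get-Content -Path $Path |
        Where-Object { $_ -match '^\d{4}-\d{2}-\d{2} ' } |
        ForEach-Object {
            # W3C fields: date time action protocol src-ip dst-ip src-port dst-port size ... path
            $f = $_ -split ' '
            [pscustomobject]@{
                Action   = $f[2]
                Protocol = $f[3]
                Source   = $f[4]
                Dest     = $f[5]
                DestPort = $f[7]
                Path     = $f[-1]
            }
        } |
        Where-Object { $_.Action -eq 'DROP' -and $_.Path -eq 'RECEIVE' }
}

# Top ten dropped inbound protocol/port pairs; compare against the intended rule set.
Get-DroppedInbound |
    Group-Object Protocol, DestPort |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name
```

Reading the two outputs together tells you which of the guidelines is being violated: no main mode SAs with a "require" rule in place means peers are failing authentication (wrong method, or a host that needs an exemption), while drops on a port that the design intended to allow mean the firewall rule, not the connection security rule, is missing or mis-scoped.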

Lab: Designing a Secure Internal Network


Exercise 1: Designing a Windows Firewall Implementation
Exercise 2: Designing an IPSec Implementation

Logon information

Virtual machine: xxxx
User name: xxxx
Password: Pa$$w0rd

Estimated time: 60 minutes
