Do You Know Who Is Using Your Network?
By Rodrigo Immaginario
Security MVP and Chief Information Officer, Universidade de Vila Velha
See other Security MVP Article of the Month columns.
Managing the security of a company’s data and systems is one of the biggest challenges that information technology (IT) security professionals face today.
In today's environment, in which remote access, wireless networking, and the integration of several branches and distributed systems is a reality in most companies, it is important to know who your users are and what devices they are using to access your network. A firewall is only one of the many things you need to worry about in order to reduce the surface of attack in your enterprises. You cannot limit your security investments to just one solution if you want to prevent attacks from coming through the Internet.
Is Your Intranet Safe?
Can you say for sure right now in your network that only the desktop clients that you know are connected and using your resources and servers? It is exponentially more difficult to accomplish this if your company has several buildings, several thousand network ports, hundreds of access points for wireless connection, hundreds of partner companies working on joint-venture projects, and so on.
One way to address this problem is to use Server and Domain Isolation based on Microsoft Windows® Internet Protocol security (IPsec) and Group Policy. Figure 1 illustrates a typical usage scenario for Domain Isolation. In this example, the company needs to grant access to servers and intra-network data only to trusted desktop clients—that is, those desktop clients that are under the company's domain. They also need to isolate, inside the already protected network that is created by using this IPsec-based solution, the source code server so that only a restricted group of desktop clients can access the server and so that it uses maximum security, with all data traffic encrypted.
Because IPsec works in the network layer of the TCP/IP protocol, which is below the application layer, you can authenticate and optionally encrypt traffic in a centralized way by using group policies in the Active Directory directory service.
An IPsec policy is composed of a group of rules, as shown in the following diagram.
To approach the scenario described in the introduction to Figure 1 according the logic of the diagram in Figure 2, we could use the following sequence to implement an IPsec-based solution like Server and Domain Isolation.
Step One: Create the IPsec policy.
In this step, we create policies in Active Directory that will be distributed to every desktop client in the environment.
Step Two: Define the sequence in which the policies are applied.
Step Three: Create universal groups, which receive the objects that the policies affect.
Step Four: Create IP filters inside the IPsec security policies.
IP Filter List
Step Five: Create actions for the IPsec policies.
The Future of IPsec
Microsoft Windows Server® code name "Longhorn" and Windows Vista will incorporate new IPsec improvements that are being developed to help IT security professionals keep their environments safe. Among these improvements are:
Integrated firewall and IPsec configuration
Simplified IPsec policy configuration
Improved IPsec authentication (including user authentication)
New cryptographic support
Currently, user authentication occurs solely with desktop clients. In the next releases of Windows, administrators will be able, with only a few policies, to solve the same scenarios that today demand the creation of dozens of rules in IPsec.
The way we look at demilitarized zones (DMZs), or network perimeters, is changing. Some experts in the field now even go so far as to say that DMZs are "dying". Many companies today are global, connected both physically and logically to many other entities such as suppliers, consultants, remote users, and more (see the figure below). Protecting only the border of the network by using a firewall simply no longer meets the actual needs of business security.
One of the new challenges facing security staff is how to know how "healthy" the computers connected on their networks are. Microsoft will help to address this issue with Network Access Protection (NAP), a policy enforcement platform built into the Microsoft Windows Vista™ and Windows Server Code Name "Longhorn" operating systems that helps ensure that the computers on your network are up-to-date and in compliance with your company's security policies. For example, you can use NAP to help ensure that the computers on your network are configured with correct antivirus software versions, firewall settings, hotfixes, and so on.
Working together, NAP and IPsec will help ensure that only known and authorized computers have access to your network resources, and also that these computers are in a state of "health" that is approved by your company's security policies. For desktop clients, it will be possible to use it with Windows Vista and Windows XP installations. How can you start now? Implementing Server and Domain Isolation project using IPsec, adopting a Microsoft Public Key Infrastructure (PKI) digital certification structure, and using Internet Authentication Service (IAS) as a Remote Authentication Dial-In User Service (RADIUS) authentication server is an excellent place to start.
For more information about Server and Domain Isolation, please visit http://www.microsoft.com/sdisolation.