How to Improve Network Security with Microsoft Solutions
Published: November 9, 2011
Author: Rodrigo Immaginario
Safeguarding network data and systems is one of the greatest challenges for IT professionals who work in the area of security. Meeting the demands of enterprises is essential. Therefore, it is important to know who your users are and what your network assets are—particularly since remote access, wireless networks, different sites and distributed systems are a reality.
The traditional model, shown in the figure below, is used to "ensure" security of your environment by using a firewall to restrict access between your network and the Internet.
However, the current situation is somewhat more complex. The increased need for interconnections among networks, devices, and more is forcing us to worry about security closer to the client, or host.
So, how can supported Microsoft technologies help reduce security risks in your environment?
Public Key Infrastructure (PKI)
Major security projects can involve the use of digital certificates through PKI. In some security designs, the use of digital certificates enables interoperability across multiple platforms. For example, with the Server and Domain Isolation Using IPsec and Group Policy Solution Accelerator from Microsoft, digital certificates allow you to work with both Windows and Linux machines.
Some of the most common security projects using Microsoft technologies that benefit from PKI are described in the sections that follow: internal network (server and domain) isolation, wireless network access, network access control, and remote user access.
Is Your Internal Network Secure?
How can you ensure that only known machines are connected to your network and using its resources and servers? Imagine a situation in which an enterprise has several buildings, thousands of points on the network, hundreds of wireless access points, and dozens of companies working on projects together. The Server and Domain Isolation Using IPsec and Group Policy Solution Accelerator will help you address situations like this. A typical application scenario for this solution is shown in the figure below.
In this example, our primary goal is to help ensure that servers and data on the internal network can be reached only from trusted machines, that is, machines that are members of the domain or hold a certificate issued by the enterprise PKI.
The secondary goal is, within the network already protected by IPsec, to restrict access to the most sensitive servers to a specific group of machines and, for maximum protection, to require that all traffic to those servers be encrypted.
Because IPsec works at the network layer, below the application layer, applications need no changes: traffic is authenticated (and optionally encrypted) transparently, and the policy that governs it is deployed centrally to every domain member through Group Policy in Active Directory.
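The following is an added example of how the two goals above can be expressed as policy; it is not code from the original article or from the Solution Accelerator. It uses the NetSecurity cmdlets (Windows Server 2012 / Windows 8 and later; the 2008-era equivalent is netsh advfirewall consec) to populate a domain GPO. The domain name contoso.com, the GPO name "Domain Isolation", the CA name "CN=Contoso Root CA", the finance server subnet 10.20.30.0/24, the group "Finance-App-Clients" and TCP port 1433 are all placeholder assumptions.

```powershell
# Added example (not from the original article): a Server and Domain Isolation
# policy written into a domain GPO with the NetSecurity cmdlets.
# Assumptions (placeholders, substitute your own): domain "contoso.com", an
# existing empty GPO named "Domain Isolation", an enterprise root CA
# "CN=Contoso Root CA", finance servers in 10.20.30.0/24, and a domain security
# group "Finance-App-Clients" that holds the computer accounts allowed to reach them.
#Requires -Modules NetSecurity, ActiveDirectory

# Open a GPO editing session; every cmdlet below writes into this session and
# nothing reaches the GPO until Save-NetGPO is called.
$gpo = Open-NetGPO -PolicyStore "contoso.com\Domain Isolation"

# 1. Phase 1 (main mode) authentication: Kerberos for domain members first, then
#    a computer certificate from the enterprise CA as fallback, so that
#    non-domain hosts (e.g. Linux) holding a Contoso certificate still negotiate.
#    Proposal order matters: the first one both peers support is used.
$kerb = New-NetIPsecAuthProposal -Machine -Kerberos
$cert = New-NetIPsecAuthProposal -Machine -Cert -Authority "CN=Contoso Root CA" -AuthorityType Root
New-NetIPsecPhase1AuthSet -GPOSession $gpo -Name "DI-Phase1Auth" `
    -DisplayName "Domain Isolation: Kerberos or Contoso computer cert" `
    -Proposal $kerb, $cert | Out-Null

# 2. Quick mode crypto: ESP with AES-256 and SHA-256 only. Because every
#    proposal in this set encrypts, a rule that references it can never
#    negotiate an integrity-only (unencrypted) security association.
$esp = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA256 -Encryption AES256
New-NetIPsecQuickModeCryptoSet -GPOSession $gpo -Name "DI-QuickModeEnc" `
    -DisplayName "Domain Isolation: ESP AES256/SHA256" -Proposal $esp | Out-Null

# 3. Primary goal (domain isolation): every host REQUIRES authentication for
#    inbound connections but only REQUESTS it outbound, so it can still talk to
#    printers, DNS forwarders and other devices that do not speak IPsec.
New-NetIPsecRule -GPOSession $gpo -Name "DI-RequireIn-RequestOut" `
    -DisplayName "Domain Isolation: require inbound, request outbound" `
    -Profile Domain -Mode Transport `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet "DI-Phase1Auth" -QuickModeCryptoSet "DI-QuickModeEnc" | Out-Null

# 4. Secondary goal (server isolation): traffic to the finance subnet must be
#    authenticated AND encrypted in both directions. Windows applies the
#    connection security rule with the more specific address match, so this
#    rule takes precedence over the domain-wide one for that subnet.
New-NetIPsecRule -GPOSession $gpo -Name "SI-Finance-RequireBoth" `
    -DisplayName "Server Isolation: finance subnet, require in and out" `
    -Profile Domain -Mode Transport -RemoteAddress 10.20.30.0/24 `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet "DI-Phase1Auth" -QuickModeCryptoSet "DI-QuickModeEnc" | Out-Null

# 5. On the finance servers, the firewall admits the inbound connection only if
#    the IPsec-authenticated peer's computer account is in Finance-App-Clients.
#    -RemoteMachine takes an SDDL string listing the allowed SIDs (CC = connect);
#    -Encryption Required rejects peers whose SA negotiated integrity only.
$groupSid = (Get-ADGroup -Identity "Finance-App-Clients").SID.Value
$sddl = "D:(A;;CC;;;$groupSid)"
New-NetFirewallRule -GPOSession $gpo -Name "SI-Finance-Allow-SQL" `
    -DisplayName "Server Isolation: Finance-App-Clients to SQL (TCP 1433)" `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 1433 `
    -Authentication Required -Encryption Required -RemoteMachine $sddl | Out-Null

# Commit all of the above to the GPO in one step.
Save-NetGPO -GPOSession $gpo
```

Two practical notes. First, roll the domain isolation rule out with -InboundSecurity Request before switching it to Require; in request mode IPsec is negotiated where both sides support it and falls back to clear text where they do not, which lets you find the hosts that cannot authenticate (non-domain devices, machines without a certificate) before they are cut off. Second, the server isolation firewall rule in step 5 belongs in a GPO linked to the servers' OU rather than the whole domain, since it only makes sense on the hosts that listen on that port.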
Is Your Wireless Network Secure?
With the increasing number of portable computers and mobile devices used by employees, the wireless network has had an increasing importance in companies. To help ensure the security of your entire environment, you need centralized management of computers and/or users who will have access to your wireless network.
Remote Authentication Dial-In User Service (RADIUS) is commonly used to achieve this centralized management; in Windows Server 2008 the RADIUS server role is Network Policy Server (NPS). With the access points configured for 802.1X and pointed at NPS, you can create network policies that decide which computers and users may connect and under what conditions, including the requirement of digital certificates (EAP-TLS) if you have a PKI solution implemented.
In traditional environments, there are typically several layers of security, including the firewall, DMZ, edge protection, etc. Nonetheless, many security incidents originate at the host level, on the user's machine. To address this, you can use the Network Access Protection (NAP) feature in Windows Server 2008. With NAP, you define health policies (for example, firewall enabled, antivirus running and up to date, recent security updates installed) so that only machines that comply with them and are validated as healthy can reach data and servers on your local network. If a client computer is not compliant, NAP provides mechanisms to bring it back into compliance, for example by placing it on a restricted network until it has updated itself through Windows Update. NAP is extensible through system health agents and validators from other vendors, including antivirus products and other endpoint management tools.
How Can I Provide Secure Remote User Access?
It is crucial to provide employees with secure remote access to the resources and information they need to perform their work. Traditionally, secure access has been provided through a virtual private network (VPN). However, a VPN that relies on passwords alone carries a higher risk of exposure, because passwords can be guessed, phished or reused regardless of the password policy your company enforces (length, special characters, etc.). Requiring more than one authentication factor is the most effective way to mitigate this risk. Using PKI, you can help ensure that only users holding a valid certificate, for example on a smart card or token, can authenticate when working remotely.
About the Author
Rodrigo Immaginario has worked in the computer science field and infrastructure projects since 1994 and currently specializes in security solutions in Microsoft environments. He has worked on a security project for the CEBW (Commission of the Brazilian Army in Washington) and worldwide IPsec, Hyper-V, and DirectAccess projects. His certifications include Certified Information Systems Security Professional (CISSP) and Microsoft Certified Systems Engineer (MCSE) in Security. Rodrigo has been a Microsoft Most Valuable Professional (MVP) since 2004 and is presently Chief Information Officer at the Universitario Vila Velha in Brazil where he has developed a post-graduate course in Microsoft .NET.