Ian Hameroff : Secure Wireless

Article Alert: Policy-Driven Network Access with Windows Server 2008

ianhamer — Sun, 16 Mar 2008 04:41:35 GMT

While it has been nearly three months since I moved from the role as product manager for Windows Server networking to the Exchange Server team, I still get the occasional opportunity to strut my old networking stuff.

One such example is a recent article I co-authored with Amith Krishnan (product manager for Network Access Protection) on creating a policy-driven network access solution using a bunch of the new features of Windows Server 2008. The article -- entitled Policy-Driven Network Access with Windows Server 2008 -- appears in the March edition of Microsoft's TechNet Magazine.

Here's the article synopsis:

How do you allow network access to those who need it without sacrificing security? See how new technologies in Windows Server 2008, such as Windows Firewall with Advanced Security and Network Access Protection, let you implement a policy-based approach to help you achieve this goal.

Unfortunately, the online version of article doesn't offer you the opportunity to make comments on the article. So, please feel free to post your thoughts or feedback to this blog posting.

Okay, back to Exchange for me. I'm currently completely week 2 of 3 on the road doing focus groups around our future plans for Exchange Server. Good stuff; albeit exhausting to be traveling across the US, Asia (currently in Tokyo) and then Europe. Yahoo!

-- hama

Tech·Ed 2007 - Day 4: TLC Fun! (Recap)

ianhamer — Thu, 07 Jun 2007 17:42:45 GMT

Once more, I'm plagued by horrifically poor bandwidth on the hotel network.

After having dinner with Sean (aka Seanv6) at the Bahama Breeze, and dodging some hardcore downpours with lots of loud thunder and nearby lightening to boot, I returned to my humble temporary abode to check email, surf for interesting tidbits to kick-off my Thursday afternoon IPsec session with, and -- YIKES! -- discover 89 kbps download rates.

I normally travel with one of them Linksys Wireless-G Travel Routers, which provides a bit of wireless freedom even if the hotel doesn't offer such. Turns out that the hotel has both wired (including a "bank pen like attached CAT-5 cable -- see picture below) and wireless.

I went through every possible iteration of connectivity options, and actually discovered that my private WLAN yielded better transfer rates than being plugged in directly on the hotel's copper, or using their WLAN.

Amazing!

Sean shared similar frustration, and we both wondered why a conference town like Orlando doesn't have more than "two-cans with string" type network access to the "Internets".

This morning was a little bit better:

Anyhow.

Yesterday afternoon I delivered my "Enabling Policy-Driven Network Access" TLC Interactive Theater session (formerly known as Chalk Talks), to a great audience. The session was (more or less) a mini-breakout, and it appeared to be well received. We talked about a long list of built-in Windows Server 2008 and Windows Vista network security functionality that can help you embrace more policy-driven network access.

The topics included:

Windows Firewall with Advanced Security (aka the new Windows Firewall)
IPsec enhancements
Server and Domain Isolation
Secure Wireless LAN
Network Access Protection

If you attended the session, but would like a copy of the presentation deck (which is not up on CommNet) please contact me.

We also had a little fun yesterday with the Virtual TechEd Security Track folks. Brian Seitz shot a video of (approx. 10 minutes) me and Rodrigo (our MVP) talking about Server and Domain Isolation on the show floor, and Rodrigo's experience deploying the solution at his university in Brazil.

Check it out:

Video: Ian Hameroff at TechEd

You can see more cool stuff like this up on Brian's blog at: http://brianseitz.spaces.live.com.

For fans of my session from the Tuesday (SRV310 - Deploying High Performance and Scalable Networking with Windows Server 2008), here's an article that talks about the Tolly Group performance report that will be posted to MSCOM very shortly (I promise!) that John Fontana from Network World posted yesterday afternoon:

Microsoft-sponsored study says Vista improves TCP/IP performance

Okay, time to get sorted and over to The O.C.C.C.! I have one more session this afternoon SEC309 - Implementing the IPsec Simple Policy Update for Microsoft Windows Server 2003 and Windows XP. Here's the abstract:

Common IPsec-based scenarios, like Server and Domain Isolation, require the configuration of an IPsec policy that contains rules for protected and permitted traffic. For some enterprise deployments, the IPsec policy rules can require hundreds of IP filter definitions that must be maintained over time. The Simple Policy Update for Microsoft Windows XP and Windows Server 2003 changes the behavior of IPsec negotiation so that the IPsec policy rules can be simplified, in some cases drastically reducing the number of required IP filters and their ongoing maintenance. This session dives into what these changes are and how they can be applied to both existing and new deployments of Server and Domain Isolation.

Don't forget to stop by the show floor (aka the Yellow TLC) and say hello!

-- hama

Windows Server 2008 Network Security Webcast

ianhamer — Sat, 26 May 2007 01:07:37 GMT

The next few days in the US is Memorial Day weekend, also known as the unofficial start to summer. The means there will be plenty of barbeques, parties, and a Monday off.

Well, if you find yourself without something to done during this extended weekend, why not checkout this 90 minute TechNet webcast Amith Krishnan (NAP product manager) and I recorded back on May 17th:

TechNet Webcast: Windows Server 2008: Advancing Network Security (Level 300)

Here's the abstract of what was covered:

Among the long list of enhancements and innovations coming in Windows Server 2008 are a number of networking advancements and policy-driven network security features. In this webcast, we discuss the next generation of networking features in Windows Server 2008 and the network security solution scenarios these features enable. We examine the new Windows Firewall with Advanced Security, Server and Domain Isolation, and Network Access Protection (NAP). Discover how you can use these new networking innovations to provide your users with a more secure, reliable, and cost-effective connection experience.

We answered a bunch of questions on the call, but happy to answer any more you might have after watching the replay.

Enjoy, and have a great extended weekend!

-- hama

WinServer "Longhorn" B3: This time it's "Ready, Set, (Download), and Evaluate!"

ianhamer — Thu, 26 Apr 2007 04:01:00 GMT

That's right Windows Server "Longhorn" fans, Beta 3 is ready for your evaluation!

Simply visit http://www.microsoft.com/getbeta3, and you're halfway there to trying out the first major public preview of our next generation of Windows Server.

As our press release touts:

"[With] Beta 3, customers will see new features and enhancements that include stronger security, better performance, new server roles and features, and additional server management and remote administration tools."

What that translates to is, well, a lot of new features and functionality that are ready for "tire kicking."

Heck, we even provided a little cheat sheet to help you zero in on some of the key new features:

New and improved features in Beta 3 include the following:

Windows PowerShell is now included in the product.

Active Directory Federation Services improvements allow customers to implement new policies and make it easier to set up a relationship between trusted partners.

The Server Core installation option now comes with additional roles and enhanced functionality, such as print services and Active Directory Lightweight Directory Services.

The Server Manager console includes additional remote administration tools to provide a more integrated management environment.

Windows Firewall with Advanced Security, now on by default, provides a persistent and more secure environment beginning at installation.

NAP is integrated with Microsoft Update and Windows Update to enable administrators to decide which updates are critical and set policies accordingly. It also has a new administrative interface for simplified setup, scalability and better performance.

Hey, there are two key features of mine on that list! NAP and the Windows Firewall with Advanced Security.

Now, there's been enough written about that NAP thingy, so I'll concentrate on the Windows Firewall instead. You didn't misread the bullet above -- we have switched it on by default to help further the defense-in-depth security controls for Windows Server as well as help reduce attack surface area right out of the gate.

We started down this road with the "Post -Setup Security Update" feature in Windows Server 2003 Service Pack 1 that switched on the newly added Windows Firewall right after install so you could safely venture on to the Internet to retrieve latest updates without increasing the risk of an unpatched vuln being exploited over the network. As you might recall, this feature was described as follows:

"Windows Firewall provides network protection after install while users update their system with the latest patches using the new Post-Setup Security Updates feature.

[Post-Setup Security Updates was] designed to protect the server from the risk of infection between the time the server is first started and the application of the most recent security updates are applied from Windows Update. If Windows Firewall is enabled and the administrator did not explicitly enable Windows Firewall using an unattended-setup script or Group Policy, Post-Setup Security Updates opens the first time an administrator logs on."

The team has been working diligently to test all the major Windows Server scenarios/workloads/roles/etc under this new "on by default" model to ensure we were able to map out the key IP service ports and related communication parameters. We've also done some neat stuff with Server Manager feature (cool stuff!) to help apply the appropriate firewall policies per the role(s)/workload(s) you enable.

I strongly encourage you to check this feature out, and learn about how this default to on works with the applications you run on top of Windows Server!

Well, my battery is just about to die (I'm at SFO getting ready to head back to SEA from the Gartner Symposium/ITxpo event here this week -- more on that later), so I better stop here so I can get this thing posted!

WS3LWC! (Wireless Security 300-Level Webcast)

ianhamer — Thu, 15 Feb 2007 05:23:26 GMT

I'm back from San Fran and a short stop over in Austin. That's good news for my loyal readership (both of you) since it means I didn't become a security conference casualty, but instead have just been too lazy to publish my day 5 and "RSA 2007 Recap and Reflects" posts.

Here's a quick one: We've got a cool webcast scheduled for Friday on troubleshooting wireless networks, how to better secure and manage them all using the built in features of Windows and partner solutions like Aruba's wireless gear.

TechNet Webcast: Best Practices for Troubleshooting Your Wireless Network (Level 300)Date: Friday, February 16, 2007
From: 1:00 PM – 2:00 PM PT

Enjoy!

Better Together Networking Scenarios w/ Vista and Longhorn Server

ianhamer — Tue, 17 Oct 2006 00:27:18 GMT

Last week I delivered two webcasts for the Windows Vista TAP program members on a number of "better together" networking scenarios when you have Windows Vista on the client and Windows Server "Longhorn" on the back end.

Here's a link to one of the webcasts we recorded:
Better Together: Windows Vista and Windows Server "Longhorn" Networking Innovations

Even though 60 minutes isn't enough time to go into the gory technical details, I do cover off scenarios around security (including NAP), performance (like our new TCP Receive Window auto-tuning features) and scalability (from hardware offload, to QoS, to IPv6).

Running with Digital Scissors...

ianhamer — Thu, 12 Oct 2006 09:13:00 GMT

We've all heard it before from our parents, teachers, colleagues, friends, et al. There are certain things we shouldn't do (e.g. run with scissors, run by the pool, etc.) because it's just not safe, yet many of us still do these things knowing full well that there could be dire consequences.

It should come as no surprise that digital safety awareness has improved thanks to that double-edged sword of malicious outbreaks and greater diligence on the part of the media, vendors (like Microsoft) and network operators (including IT departments and ISPs). Yet, many computer users still find themselves doing the digital equivalent of running with scissors.

The catalyst for this posting was the recently released "Understanding Remote Worker Security: A Survey of User Awareness vs. Behavior" released by the newly re-logoed Cisco. The net/net of the survey: people know that they need to exercise greater caution when traversing the digital domains, yet they still have the habit (that's right it's often more of a habit than malicious intentions) to do some things that are not necessarily in the best interest of the net community.

Don't get me wrong; this isn't a cry of "the sky is falling". Reading the Cisco survey showed it was fairly basic things people are doing, like on-line shopping with their work computer or "borrowing" wireless bandwidth. Now either of these examples could result in increased risk to the corporate network, but it's not about these activities I want to point out. It's really about revisiting the importance of what I like to call the three part network security ying-yang: policy, technology and education. It's a cyclic thing since each of these stages should be constantly revisited, updated and evangelized.

Microsoft has and will be releasing a bunch of network security solutions to help fill in that middle bit (technology). These include my personal fav's of Server and Domain Isolation, Secure Wireless and Network Access Protection. Each of these solutions, both by themselves and working in concert, are great tools to help drive the reality of "policy-driven network access". They can help you dynamically segment your network, reduced attack surface and greatly increase the security posture of the hosts connecting to your network. Yet, without the right (paper) policies to dictate what is good and what's not, these tools may not be as effective as they can be.

So, why all this dribble? Well, there are just some things you just need to let slide, like users shopping for birthday presents while in between meetings or (as in the case of this survey) working remotely. Implementing too restrictive policies will end-up backfiring. Instead, you need to focus on what the risk is and utilize solutions (like the ones mentioned above) to help mitigate the things that can go boo at night on the Internet. For example, if a VPN user has clicked on something bad, like a piece of malware that attempts to kill the antivirus process, NAP can help mitigate the risk of this introducing unnecessary network threats.

In closing, we live in a paradoxical network universe. We want to provide the access and mobility our users want to have, yet we often fear the worse when this access gets abused or compromised. That's why you need to limit risk beyond just setting up topological network boundaries (e.g. the edge firewall) through these policy-driven network access mechanisms.

As we inch closer to the release of Windows Vista and then Windows Server "Longhorn", I plan to wrote more on what this subject of policy-driven network access. Now, it's time to finish up my presentation for tomorrow's engagements with the Windows Vista TAP program members.

Securing Wireless: An Impossible Dream? -- Info on a Great Upcoming Webcast

ianhamer — Tue, 15 Aug 2006 00:51:00 GMT

Wireless networking is such a fickle beast, ain't it? Everybody wants it and yet many organizations find it too challenging to deploy it with the same level of confidence as wired Ethernet.

Why?

It can be tough to manage access and to keep secured.

For many, it's a heck of lot easier to manage and secure a length of copper wire than a radio wave. And, to be fair, there haven't been a lot of options available that instilled confidence with those with their butts on the line to keep the corporate network safe.

There is good news: wireless protocols are starting to mature (e.g. WPA2 is a great example). These improvements have not solely focused on increasing broadcast distances and available bandwidth. WPA2 and others offer additional options for connection security and authentication.

At same there are options built into Windows XP and Windows Server 2003 that you may not even know about. The key components include Windows' 802.1X supplicant and the Internet Authenication Service (IAS)..er..Server. The former being built into XP (and Windows Vista) with the latter being the Microsoft implementation of RADIUS.

Using these ingredients, with a dash of Windows Server Certificate Server, Microsoft has rolled out a huge, production wireless LAN across just about every MS office building, world-wide. Take a look at this great Microsoft IT Showcase article for details:

Improving the Wireless Network Infrastructure at Microsoft

Still hungry for more? Then you should check out this upcoming IT Pro webcast:

Secure Wireless LAN Solution Webcast: Microsoft's Authentication Infrastructure with Aruba Networks' Mobile Edge

The webcast will be broadcasted live on Wednesday, August 16th and available for on-demand replay shortly after that.

Lastly, I suggest reviewing these whitepapers on what we're doing to make this experience even better in Windows Vista and Windows Server "Longhorn".