Ian Hameroff : Windows Firewall

Article Alert: Policy-Driven Network Access with Windows Server 2008

ianhamer — Sun, 16 Mar 2008 04:41:35 GMT

While it has been nearly three months since I moved from the role as product manager for Windows Server networking to the Exchange Server team, I still get the occasional opportunity to strut my old networking stuff.

One such example is a recent article I co-authored with Amith Krishnan (product manager for Network Access Protection) on creating a policy-driven network access solution using a bunch of the new features of Windows Server 2008. The article -- entitled Policy-Driven Network Access with Windows Server 2008 -- appears in the March edition of Microsoft's TechNet Magazine.

Here's the article synopsis:

How do you allow network access to those who need it without sacrificing security? See how new technologies in Windows Server 2008, such as Windows Firewall with Advanced Security and Network Access Protection, let you implement a policy-based approach to help you achieve this goal.

Unfortunately, the online version of article doesn't offer you the opportunity to make comments on the article. So, please feel free to post your thoughts or feedback to this blog posting.

Okay, back to Exchange for me. I'm currently completely week 2 of 3 on the road doing focus groups around our future plans for Exchange Server. Good stuff; albeit exhausting to be traveling across the US, Asia (currently in Tokyo) and then Europe. Yahoo!

-- hama

Greetings from the Future (Or, At Least GMT+8)

ianhamer — Sat, 15 Sep 2007 06:41:31 GMT

It's the Saturday following my week here in Kuala Lumpur (aka KL) and TechEd 2007 SEA (aka South East Asia). The week was a good time, and it was great to connect with the local 'softies, MVPs, partners, and of course, the regional customers.

I delivered two sessions, both basically repeats of my sessions at TechEd 2007 USA:

Implementing the IPsec Simple Policy Update for Windows XP and Windows Server 2003
Enabling Policy-Driven Network Access

The second of the two was based on my TLC interactive theater session by the same name. However, I re-worked the slides and introduce a pretty neat demo.

The demo illustrates a few of the Policy-Driven Network Access features of Windows Server 2008 and Windows Vista. In particular, Network Access Protection (using IPsec enforcement), and the Windows Firewall with Advanced Security.

Here's a snap-shot of my demo environment:

The actual physical setup included two laptops and simple switch. My trusty ThinkPad T60p booted the client side (Windows Vista Enterprise) off of my second hard disk in the UltraBay, and my Acer Ferrari ran the three Windows Server 2008 servers as VMs via Virtual Server 2005 R2 SP1. I'm looking forward to trying these out on Windows Server virtualization!

I had also planned on showing our Secure Wireless LAN solution (aka using the built in 802.1X supplicant in Windows Vista, the WS08 Network Policy Server/RADIUS, and EAP-TLS), but the Linksys wireless access point I brought along was only rated for 120V/60Hz. This certainly a disappointment. I mean, no offense to our friends at Cisco, but come on! Almost every piece of technology I own can handle, at the very least 100-240V. Well, thanks to a local colleague, I was able to re-work the demo with a borrowed switch.

The demo was a bit of a re-work of the Security and Policy Enforcement demo I showed at WinHEC. I cut the bits about how AD Rights Management Services integrates with MOSS, blah blah, and focused more on the network controls. Like being able to perform network layer authentications using health (aka NAP Health Certifications) and User credentials (via the Windows Firewall with Advanced Security's "Allow if Secure" filters in conjunction with Connection Security Rules). I plan on expanding the demo even further to include a few more bells and whistles (and a little more time spent on the back-end policy creation).

I'll be speaking to an SBS User Group in Singapore on Tuesday, and I hope to re-run the demo there with these additional bells and whistles.

To close: We had our company meeting on September 6th. This happened to coincide with flight from Seattle to Singapore. Nevertheless, I attempted to get into the spirit of the Company Meeting, by wearing the bright orange (wow!) long sleeved T-shirt our entire team had planned on showing off at the big show, but for me on the airplane:

You can almost see the flag from the Windows Server 2008 logo on my left arm. I attempted to capture the whole of the sleeve by flexing it a bit while using my Palm Treo 750's built-in camera to snap the shot. At the same time, I was trying to avoid making it looking I was trying to show off my "guns" (even though I have been working out at the Pro Club and it would be nice if you did notice!). Talk about team pride!

-- hama

Tech·Ed 2007 - Day 4: TLC Fun! (Recap)

ianhamer — Thu, 07 Jun 2007 17:42:45 GMT

Once more, I'm plagued by horrifically poor bandwidth on the hotel network.

After having dinner with Sean (aka Seanv6) at the Bahama Breeze, and dodging some hardcore downpours with lots of loud thunder and nearby lightening to boot, I returned to my humble temporary abode to check email, surf for interesting tidbits to kick-off my Thursday afternoon IPsec session with, and -- YIKES! -- discover 89 kbps download rates.

I normally travel with one of them Linksys Wireless-G Travel Routers, which provides a bit of wireless freedom even if the hotel doesn't offer such. Turns out that the hotel has both wired (including a "bank pen like attached CAT-5 cable -- see picture below) and wireless.

I went through every possible iteration of connectivity options, and actually discovered that my private WLAN yielded better transfer rates than being plugged in directly on the hotel's copper, or using their WLAN.

Amazing!

Sean shared similar frustration, and we both wondered why a conference town like Orlando doesn't have more than "two-cans with string" type network access to the "Internets".

This morning was a little bit better:

Anyhow.

Yesterday afternoon I delivered my "Enabling Policy-Driven Network Access" TLC Interactive Theater session (formerly known as Chalk Talks), to a great audience. The session was (more or less) a mini-breakout, and it appeared to be well received. We talked about a long list of built-in Windows Server 2008 and Windows Vista network security functionality that can help you embrace more policy-driven network access.

The topics included:

Windows Firewall with Advanced Security (aka the new Windows Firewall)
IPsec enhancements
Server and Domain Isolation
Secure Wireless LAN
Network Access Protection

If you attended the session, but would like a copy of the presentation deck (which is not up on CommNet) please contact me.

We also had a little fun yesterday with the Virtual TechEd Security Track folks. Brian Seitz shot a video of (approx. 10 minutes) me and Rodrigo (our MVP) talking about Server and Domain Isolation on the show floor, and Rodrigo's experience deploying the solution at his university in Brazil.

Check it out:

Video: Ian Hameroff at TechEd

You can see more cool stuff like this up on Brian's blog at: http://brianseitz.spaces.live.com.

For fans of my session from the Tuesday (SRV310 - Deploying High Performance and Scalable Networking with Windows Server 2008), here's an article that talks about the Tolly Group performance report that will be posted to MSCOM very shortly (I promise!) that John Fontana from Network World posted yesterday afternoon:

Microsoft-sponsored study says Vista improves TCP/IP performance

Okay, time to get sorted and over to The O.C.C.C.! I have one more session this afternoon SEC309 - Implementing the IPsec Simple Policy Update for Microsoft Windows Server 2003 and Windows XP. Here's the abstract:

Common IPsec-based scenarios, like Server and Domain Isolation, require the configuration of an IPsec policy that contains rules for protected and permitted traffic. For some enterprise deployments, the IPsec policy rules can require hundreds of IP filter definitions that must be maintained over time. The Simple Policy Update for Microsoft Windows XP and Windows Server 2003 changes the behavior of IPsec negotiation so that the IPsec policy rules can be simplified, in some cases drastically reducing the number of required IP filters and their ongoing maintenance. This session dives into what these changes are and how they can be applied to both existing and new deployments of Server and Domain Isolation.

Don't forget to stop by the show floor (aka the Yellow TLC) and say hello!

-- hama

Windows Server 2008 Network Security Webcast

ianhamer — Sat, 26 May 2007 01:07:37 GMT

The next few days in the US is Memorial Day weekend, also known as the unofficial start to summer. The means there will be plenty of barbeques, parties, and a Monday off.

Well, if you find yourself without something to done during this extended weekend, why not checkout this 90 minute TechNet webcast Amith Krishnan (NAP product manager) and I recorded back on May 17th:

TechNet Webcast: Windows Server 2008: Advancing Network Security (Level 300)

Here's the abstract of what was covered:

Among the long list of enhancements and innovations coming in Windows Server 2008 are a number of networking advancements and policy-driven network security features. In this webcast, we discuss the next generation of networking features in Windows Server 2008 and the network security solution scenarios these features enable. We examine the new Windows Firewall with Advanced Security, Server and Domain Isolation, and Network Access Protection (NAP). Discover how you can use these new networking innovations to provide your users with a more secure, reliable, and cost-effective connection experience.

We answered a bunch of questions on the call, but happy to answer any more you might have after watching the replay.

Enjoy, and have a great extended weekend!

-- hama

WinServer "Longhorn" B3: This time it's "Ready, Set, (Download), and Evaluate!"

ianhamer — Thu, 26 Apr 2007 04:01:00 GMT

That's right Windows Server "Longhorn" fans, Beta 3 is ready for your evaluation!

Simply visit http://www.microsoft.com/getbeta3, and you're halfway there to trying out the first major public preview of our next generation of Windows Server.

As our press release touts:

"[With] Beta 3, customers will see new features and enhancements that include stronger security, better performance, new server roles and features, and additional server management and remote administration tools."

What that translates to is, well, a lot of new features and functionality that are ready for "tire kicking."

Heck, we even provided a little cheat sheet to help you zero in on some of the key new features:

New and improved features in Beta 3 include the following:

Windows PowerShell is now included in the product.

Active Directory Federation Services improvements allow customers to implement new policies and make it easier to set up a relationship between trusted partners.

The Server Core installation option now comes with additional roles and enhanced functionality, such as print services and Active Directory Lightweight Directory Services.

The Server Manager console includes additional remote administration tools to provide a more integrated management environment.

Windows Firewall with Advanced Security, now on by default, provides a persistent and more secure environment beginning at installation.

NAP is integrated with Microsoft Update and Windows Update to enable administrators to decide which updates are critical and set policies accordingly. It also has a new administrative interface for simplified setup, scalability and better performance.

Hey, there are two key features of mine on that list! NAP and the Windows Firewall with Advanced Security.

Now, there's been enough written about that NAP thingy, so I'll concentrate on the Windows Firewall instead. You didn't misread the bullet above -- we have switched it on by default to help further the defense-in-depth security controls for Windows Server as well as help reduce attack surface area right out of the gate.

We started down this road with the "Post -Setup Security Update" feature in Windows Server 2003 Service Pack 1 that switched on the newly added Windows Firewall right after install so you could safely venture on to the Internet to retrieve latest updates without increasing the risk of an unpatched vuln being exploited over the network. As you might recall, this feature was described as follows:

"Windows Firewall provides network protection after install while users update their system with the latest patches using the new Post-Setup Security Updates feature.

[Post-Setup Security Updates was] designed to protect the server from the risk of infection between the time the server is first started and the application of the most recent security updates are applied from Windows Update. If Windows Firewall is enabled and the administrator did not explicitly enable Windows Firewall using an unattended-setup script or Group Policy, Post-Setup Security Updates opens the first time an administrator logs on."

The team has been working diligently to test all the major Windows Server scenarios/workloads/roles/etc under this new "on by default" model to ensure we were able to map out the key IP service ports and related communication parameters. We've also done some neat stuff with Server Manager feature (cool stuff!) to help apply the appropriate firewall policies per the role(s)/workload(s) you enable.

I strongly encourage you to check this feature out, and learn about how this default to on works with the applications you run on top of Windows Server!

Well, my battery is just about to die (I'm at SFO getting ready to head back to SEA from the Gartner Symposium/ITxpo event here this week -- more on that later), so I better stop here so I can get this thing posted!

WinServer 2003 SP2 Comes Alive!

ianhamer — Wed, 14 Mar 2007 02:35:19 GMT

So. Yes. Okay. I'm a Peter Frampton fan. And, when I learned that our planned release of Windows Server 2003 Service Pack 2 (SP2) had, well, released today, it made me think of Frampton's "Frampton Comes Alive!" album from 1976.

Why?

I don't know.

Seriously.

I did happen to go to Plattsburgh State University (of New York) where several of the tracks were recorded (well before my tenure there). Maybe that's it.

Moving on to the business at hand.

WS03SP2 includes a bunch of stuff related to networking, including the following features:

Scalable Networking Pack (TCP Chimney Offload, Receive-side Scaling and NetDMA)
IPsec Simple Policy Update (aka Improved IPsec filter management) for making Server and Domain Isolation deployments easier with WS03 and XP
Wi-Fi Protected Access 2 (WPA2) support for XP x64 and WS03
Enabling ‘Firewall Per Port’ Authentication which means "Firewall per port authentication secures traffic between the Extranet environment and internal assets that are protected via IPsec Domain Isolation."

And, there's a whole lot more that makes Server Pack 2 worth a good look and eventual deployment.

"So, how do I get it?"

It's already available off of Windows Update/Microsoft Update. At first (as pictured below) it was placed under the High-priority updates, but it is now a "Software, Optional".

Nevertheless, we'll be making this an automatic update in the a few months, much like we did with Windows Server 2003 SP1 and XP SP2.

You can also visit the official SP2 site on TechNet and find all different versions of the SP for WS03 and XP x64 Edition:

http://www.microsoft.com/technet/windowsserver/sp2.mspx

The above link includes links the downloads (regular and ISO flavors), overview docs, like the overview and what's new in SP2, and deployment guidance. There's also a great "Top 10 Reasons to Install" which happens to feature two of my favorites as #3 and #4:

Download SP2 and start evaluating. Especially since the WDS features will help you get Windows Vista deployed and, well, heck, it's got a lot of networking goodness to keep you happy while we finish up Windows Server "Longhorn".

Simplifying Client Security Without Sacrificing Protection

ianhamer — Thu, 16 Nov 2006 02:38:21 GMT

Following on to my posting from yesterday, the fine folks over in TechNet have published a Security Viewpoint article I wrote about our new "security client" solution offering.

Entitled Simplifying Client Security Without Sacrificing Protection, the article focuses on the three elements of the solution, and how they help reduce the risk of not only network-borne threats, but the risk of increased complexity when attempting to manage several separate security products while applying a defense-in-depth approach to client protection.

Here's a quick preview of the article:

It’s a common challenge faced by IT professionals today: how to mitigate the risk of a growing number of network-born threats without creating a management nightmare. Windows administrators have no shortage of tools to help combat malware, unwanted software, Denial of Service attacks, and other related threats. However, managing these various security products, especially when deployed together, can create a different kind of risk: complexity. Striking the right balance of protection and manageability is not only important; it can ultimately become the lynchpin of a successful, layered security model.

Give it a read and let me know what you think!

A 3-D Solution for Client Security

ianhamer — Wed, 15 Nov 2006 02:19:00 GMT

In case you haven't noticed, there's a lot of cool news coming out of this week's TechEd IT Forum (NOTE: I can never work out how to stick that '·' thingy between the "Tech" and "Ed") event in Barcelona, Spain.

The one that's most relevant to your humble blogger is the announcement of a public beta for Forefront Client Security (Microsoft's enterprise antivirus and anti-spyware solution). Now don't worry. I haven't switched roles -- although I do work in the Security and Access Products group where the Forefront gang lives. Here's the good stuff: we also kicked off a brand new campaign to promote a multi-layered solution for securing Windows clients from that long list of network-borne threats (i.e. things that go "boo" at night on the Internet) that all IT admins have to deal with.

Affectionately called the "secure client" campaign, this solution promotes the combination of:

platform security features of Windows Vista (e.g. Windows Firewall with Advanced Security),
the end-point authentication capabilities of Server and Domain Isolation, and
the aforementioned Forefront Client Security.

Together, we (and here's that marketing side of me) call this the "Three Dimensions of Client Security" and have setup a brand new portal on the solution at http://www.microsoft.com/secureclient.

Checkout all the info up there, like a newly minted whitepaper, and I encourage you to download the beta of Forefront Client Security.

We'll be doing a bunch of things around this solution, including an upcoming webcast on December 12th (details pending) where yours truly will be doing a demo of these three dimensions in action. If things go as planned, my co-presenter Ryan McGee (the mastermind of this campaign) and I will sing one (or more) classics from the 1960s group "The Fifth Dimension". Okay, that may not be a good idea <g>

Better Together Networking Scenarios w/ Vista and Longhorn Server

ianhamer — Tue, 17 Oct 2006 00:27:18 GMT

Last week I delivered two webcasts for the Windows Vista TAP program members on a number of "better together" networking scenarios when you have Windows Vista on the client and Windows Server "Longhorn" on the back end.

Here's a link to one of the webcasts we recorded:
Better Together: Windows Vista and Windows Server "Longhorn" Networking Innovations

Even though 60 minutes isn't enough time to go into the gory technical details, I do cover off scenarios around security (including NAP), performance (like our new TCP Receive Window auto-tuning features) and scalability (from hardware offload, to QoS, to IPv6).

I Can See Clearly Now the Firewall is On...

ianhamer — Mon, 18 Sep 2006 05:13:17 GMT

Thanks to a posting by my hall-mate and fellow SBTU'er Jeff Jones, I'm trying out the beta of Windows Live Writer for this blog entry. What's neat is it looks like Office OneNote (which I use to write most of my posts to begin with), but it can publish right to my blog.

Moving on.

We've just published a new technical whitepaper that drills down on the new Windows Firewall with Advanced Security in Windows Vista and Windows Server "Longhorn". As you'll likely recall, this new firewall offerings a bunch of enhancements and new features. Two big ones: 1) outbound filtering and 2) the integration with IPsec.

The long and the short of it is this improved and advanced host firewall (which is manageable via Group Policy) will help make your environment even more secure, reduce attack surface area and adopt very cool networking solutions like Network Access Protection and Server and Domain Isolation.

Here's the link to the whitepaper:

Introduction to Windows Firewall with Advanced Security

So, here's a funny bit of insider info. When I first joined the Windows Server team from the SBTU, the gang was working on names for what was called (at the time) the "Authenticating Firewall". There were a number of names that came back from the "process" which included the (wait for it!) "Windows Firewall with Network Security". Yup, talk about stating the obvious <g>

So, IPv6, Yeah Great, but is it Secure?

ianhamer — Fri, 14 Apr 2006 04:37:00 GMT

Yesterday evening, just as I was leaving the office, one of my colleagues in WinServer shot me an email about an interesting blog posting by one of our security MVPs on the subject of IPv6 and network security:

The (today) need for IPv6 by Alessandro Perilli

First off, I'm psyched that more and more folks are writing about IPv6. Even though it appears far off for many, non-US federal agencies, IPv6 will help usher in the next "connected" evolution, and move us even closer to realizing the vision of a secure, seamless access experience.

As Alessandro helps illustrate in his post; with any new and emerging IT technology, we always need to evaluate its potential impact to our current security posture, define a risk management strategy and implement the appropriate security controls to enforce this strategy.

IPv6 is no exception to this best practice. Even if the "underground" appears to already be publishing attack tools and few "IPv6 ready" options appear to exist in the security controls space. I firmly believe that's about change, and the next releases of Windows (Windows Vista and Windows Server "Longhorn") will be at the center of it.

As I've blogged before (see my IPv6 archive and a post to the Windows Server Division blog) the support for IPv6 in the next wave of Windows is extensive and complete. All platform components, in both client and server, will be IPv6 ready and willing! This includes the newly updated Windows Firewall, which is now integrated with IPsec.

This is possible, in part, thanks to two major Windows innovations:

The new "Next Generation TCP/IP" stack, featuring is dual IP layer architecture, and
The Windows Filtering Platform or WFP on which the Windows Firewall is built on...just like 3rd host security tools can!

The net/net: security features like IPsec and Firewalling will provide the same experience on IPv6 as they will on IPv4. With a solid, IPv6 ready enterprise platform (Windows Vista and Windows Server "Longhorn") shipping in the near future, third parties will have a base to build IPv6 ready and able security controls.

Now, here's my shameless plug: check out this article I wrote about planning a more secure transition to IPv6 using technologies (like IPsec) that are available today on Windows and will benefit IPv4 too:

IPsec: Securing Your Network Today to Prepare for Tomorrow

There are a lot of things that "go boo at night" on the Internet, and IPv6 will not necessarily make that any better or worse. Instead, applying the experiences and network security best practices compiled over the last few decades will enable you to embrace the benefits of IPv6 while mitigating the risks that could be targeted at your networks, data and users.

Time to go home, before someone sends me something else to blog about <grin>.

An IPsec is an IPSec is an IPSEC

ianhamer — Fri, 10 Feb 2006 08:10:00 GMT

So, it's been a while since I've had the chance to post to my blog.

One of the reasons is I've been heads down working on some new content for our IPsec and Server and Domain Isolation offerings. One thing that keeps catching my attention, is that IPsec can be found spelled a number of different ways.

The most common variants are IPsec (which is the official IETF way), IPSec (the older IETF way) and IPSEC (how folks truly passionate about IPsec spell it at the top of their lungs).

All kidding aside, it's interesting to see how this Internet standard doesn't appear to be expressed in any standard fashion. Maybe it's just the marketing guy in me.

I learned recently while working on some new web content and materials that the official spelling was changed some time in 2001. Our Windows releases at the time were already out the door with the old spelling (i.e. IPSec) so we've been spending this whole set of releases (Windows Vista and Windows Server "Longhorn") getting the spelling just right.

Not only are we "releasing" a new spelling "feature", we've done a whole bunch to make deploying IPsec that much easier. This includes new configuration tools to make policies simpler to create and maintain and, of course, the new Windows Firewall with Advanced Security.

Network Access Protection (NAP) is another area that IPsec is getting a facelift for. IPsec will be a key enforcement mechanism for NAP and the integration is virtually seamless.

So, when you look at reports from folks like TheInfoPro (this is a link to their press release), "end-point authentication" is a hot topic amongst enterprises. According to TIP, end-point authentication is set to grow 13% since their last survey. It's not surprising as we've witnessed the blurring of the perimeter between "trusted" intranet and the "untrusted" Internet.

I may be biased, but it's certainly worth taking a look at what this new world of IPsec can offer you today and what's coming in the next releases of Windows to make it better...with the correct spelling to boot!

The buzz on the new Windows Firewall continues to heat up!

ianhamer — Thu, 26 Jan 2006 20:25:00 GMT

One of my colleagues on the Windows client security team was featured in a great article about the new Windows Firewall coming in Windows Vista and Longhorn Server. Check it out here:

Microsoft Readies Two-Way Firewall for Vista

You may wonder why I think this is so darn exciting...well, I'm glad you asked that question. We've made a ton of improvements to the core networking features in the next releases of Windows. When you add up the redesigned TCP/IP, expanded security functionality and support for the next generation of hardware acceleration, there's a boatload of stuff tucked into that release.

Unfortunately, and here's where the marketing guy in me comes out, most of these improvements are "behind the scenes" and the end-user will only notice the overall improved experience Windows Vista will bring.

The new Window Firewall, on the other hand, has this great new UI via the MMC snap-in and it's something that is going turn a lot of heads, as illustrated by the number of articles popping up on the subject.

Getting Ready for Windows Vista? Checkout the new Firewall

ianhamer — Thu, 26 Jan 2006 01:51:00 GMT

There's a lot of excitement brewing around the next release of Windows, and one area that has received a huge facelift (not just from a look and feel, but across the board) is the Windows Firewall. Not only was it built on the new Windows Filtering Platform (WFP), it adds support for inbound and outbound filtering, is easier to manage, and has a brand new MMC snap-in that brings together the policy config and admin for both the firewall and IPsec into a single interface and set of Group Policies.

Checkout the latest edition of "The Cable Guy" to learn more about what's coming:

The New Windows Firewall in Windows Vista and Windows Server "Longhorn"

There's also a great article by Mitch Tulloch up on O'Reilly's WindowsDevCenter site about how the IPsec capabilities have improved in Windows Vista:

An Inside Look at IPSec in Vista

If you're beta testing Windows Vista, be sure to pop open the Windows Firewall with Advanced Security snap-in and take these new and enhanced features for a test drive! We'd love to hear your feedback.

Please note: The Windows Firewall Control Panel will look the same as Windows XPSP2 ro Windows Server 2003 SP1. The new stuff is in the MMC snap-in.