Using the FREE network security tools you get in Windows (and who doesn't love free tools?)

pfetty — Fri, 20 Feb 2009 01:42:00 GMT

In my last post I talked extensively about the use of 802.1x for network authentication (wired or wireless) and talked about the benefits of the 2 common approaches to controlling machine access (VLAN vs. Port ACL). While 802.1x remains a very popular mechanism for controlling port based access for machines coming onto the network, it also has some significant requirements associated with it, primarily, having 802.1x capable switches and/or access points in place today. You would be surprised how many people think that their devices support this capability, but in reality, they may find that this is not the case. What this means is that if your hardware vendor tells you that what you have isn't 802.1x capable, be prepared for some sticker shock when you find out how much it will cost for an upgrade!

Given the state of IT budgets today, doing a massive hardware upgrade is probably not something you are prepared to do now, or any time in the near future. That being said, you still have the requirement of securing the endpoints that are on your network and ensuring that they are kept up to date with patches, AV signatures, Anti-Malware Definitions etc. These 2 efforts may seem to conflict, but they certainly don't have to.

Let me introduce you to Server and Domain Isolation (SDI) with IPsec, all built into Windows, all free of charge!

Now, as to not sound like a late night infomercial peddler of dodgy wares, I will explain what I mean by "free of charge". What this means is that if you have purchased Windows Server (any SKU or version) and a Windows Desktop OS (Windows 2000 or later) and an associated Client Access License (CAL) (you usually purchase a CAL when you buy a server from Microsoft), these technologies do not have any additional licensing requirements whatsoever.

Now that we have the cost definition out of the way, let's talk about what these technologies can do for you.

Server and Domain Isolation (SDI)

Simply put, SDI utilizes the IPsec (Internet Protocol Security) technologies that have existed in Windows ever since the days of Windows 2000. What SDI allows you to do is to create access policies based on Active Directory groupings that can require authentication between any set of machines in the network (or all machines). The tools for creating and distributing these policies are also built into Windows and policies are distributed via the Group Policy mechanism, meaning that yes, a machine must be joined to the domain to easily take advantage of SDI. Since we are talking machine and/or user authentication here, there are 2 options for credential use in SDI, they are X509 certificates, or a Kerberos ticket. There are advantages and disadvantages to the use of each of these credentials which I won't go into here, but the message is that there is flexibility here with both credentials being secure (i.e no passwords.)

Now, let's talk about one big option that 802.1x cannot offer you, and that is data encryption.

Many customers have never really ever considered doing any kind of encryption on their network because they probably never understood how easy it is to implement. Many think that there is some hardware requirement, or that their machines will come to a crawl performance wise, when in reality, neither are true. Granted, you have the option to create very stringent policies that require stronger encryption, but in many cases you simply won't need to do something like this, or may choose to bypass encryption all together.

Example

Here's a real world example of how SDI can be used:

The Microsoft network uses SDI technologies to protect our assets. Pat Fetty (aka me) is a known and trusted employee and is allowed to access the network from his office, or remotely every day. However, since Pat is not a Windows developer, pat is unable to access or even see or ping our source code servers. Pat is also unable to see things like our HR server, financial servers etc. How is that you ask, well, Pat is not in the proper security groups in AD to have the proper policy applied to him, or his machines, that allow this type of access.

Using this simple example, think of some of the other scenarios that you, or your customers may be faced with that you may be able to solve. Here are some others I have come across in my job in the WinCAT team:

- Allow only doctors to see patient records, and encrypt all traffic going to and from those servers

- Allow only attorneys to be able to see servers X, Y and Z

- Encrypt all traffic to and from an ATM machine to the banks home offices

- Encrypt all Active Directory synchronizations between servers where traffic is going over the Internet

- Authenticate all traffic from my Windows machines, but exempt traffic from my main frame machines and all Macintosh machines (we'll talk a bit more about this)

This is just a small sample list of real business problems that are out there that SDI can help to solve.

Now, getting back to the last item regarding mainframes (let's just say all *ix) and Macs. There are Ipsec stack implementations available for these platforms, but I have personally not seem them work. As previously mentioned, the Microsoft SDI set of technologies are based 100% on public RFC's so there is no reason to expect that any implementation that is RFC compliant wouldn't work with any Windows machine.

Another reason why this is important is because the tools to build and manage SDI policies allow you to create very simply policies to address this scenario. For instance, you can have a policy that looks like this:

If you are a machine in group A, and you are capable of negotiating IPsec, then negotiate IPsec with a (Kerb ticket or cert)

else

Allow traffic to flow in the clear

You may be asking yourself "what kind of security policy is that" and the answer is that it is one that doesn't disrupt the flow of traffic on the network, and yet will negotiate the security you dictate when possible. This is a very important concept since the reality is that your machines today are most likely not doing any kind of SDI today, so by having your policies based on AD group membership, and by having a "best effort" type of policy like this you can ease this type of technology into your network with little or no disruption!

SDI versus 802.1x

We talked about this at the beginning and I think that SDI is the hands down winner here given that if you are a Windows environment

Deployment

To do 802.1x means you will have to touch all the switches and AP's in your network and configure them to do 1x on their ports, and to then send all traffic to a back end authentication server. In many cases, the group that manages desktops and servers in your company is not the same group that manages the infrastructure, so you now are getting more people involved in the effort.

SDI utilizes Group Policy and other built in tools to distribute policies and credentials, and the best part about this whole thing, is that SDI will work across whatever hardware you have in place today!

Management

This is a bit of a toss up, but I'd give SDI an edge since you can use a variety of methods to manage who is on the network accessing resources. 802.1x usually requires an enterprise ready SNMP (Simple Network Management Protocol) solution either from our hardware vendor or from a third party

Security

This is the one that gets the networking guys feathers ruffled, but I give SDI the advantage here for a couple of reasons. First, SDI offers you the ability to encrypt traffic which is something that 1x cannot offer. Second, in 802.1x, once you get passed the switch you are on the network doing what you please until you either reboot, or the switch kicks you off the port. SDI allows you to control the credential that is given to that client so that if for some reason you need to remove the client from the network, you can more quickly do so via SDI than 1x.

Overall I feel that both technologies here offer up some nice benefits (we didn't even touch on Guest Access which I feel is better done with 802.1x than SDI), but in the end, you should evaluate what your business needs are and make your technology decision on that. Usually the second phase of that decision process is cost, and that is where using the tools we have built into Windows can save you loads of money down the road assuming you plan on running Windows for the foreseeable future (which we hope that you are of course!)

With budgets shrinking and/or disappearing I would encourage everyone to take a look at what you have purchased in the Windows platform and ask Microsoft how to best utilize it because we are definitely here to help you get the most out of Windows!

Windows Server Customer Engineering : network security

Using the FREE network security tools you get in Windows (and who doesn't love free tools?)