Windows Firewall with Advanced Security. Alberto Camina Álvarez
Agenda
Windows Vista Firewall
Configuration and troubleshooting
Integrating the Firewall with IPsec
Prerequisites: TCP/IP, Group Policy, firewall concepts. Level 200
Current problems in networks.
New TCP/IP stack in Windows Vista
[Architecture diagram: Next Generation TCP/IP Stack (tcpip.sys). User mode: Winsock. Kernel mode: WSK clients, AFD, TDI clients, TDI, WSK, TDX; TCP, UDP and RAW over IPv4 and IPv6; Windows Filtering Platform API; 802.3, WLAN, loopback, IPv4 tunnel and IPv6 tunnel interfaces over NDIS.]
Dual-IP architecture with native support for IPv4 and IPv6.
Better integration with IPsec.
Better performance thanks to hardware acceleration.
Auto-tuning capability and better optimization algorithms.
Better extensibility and reliability thanks to new APIs.
© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
New features
[Table of technologies, each marked against the areas Security, Experience and Scalability: IPsec, VPN, Routing Compartments, Windows Filtering Platform (WFP), Secure Sockets API, IPv6, TCP Chimney, TCP-A (I/OAT), Receive Side Scaling, Receive Window Auto-Tuning, Compound-TCP (CTCP) congestion control, Wireless Reliability, Black-Hole Router Detection (BHRD), Dead Gateway Detection, Network Diagnostics / Extended TCP Statistics, Policy-based Quality of Service (eQoS).]
Drill-down: Performance
Automatically adjusts for maximum efficiency: faster network transfers, especially across WAN links; optimized use of available network bandwidth.
Reduced packet loss resulting in fewer retransmits: optimized performance without loss.
Intelligent, automated tuning of TCP receive window size.
Better packet loss resiliency (e.g. wireless connectivity).
Advanced congestion control for better throughput.
The Receive Window Limitation
[Chart: throughput limit imposed by the receive window for North America, satellite and intercontinental fiber links.]
History of Windows Firewall
Windows Firewall features
Windows Firewall Features - Notes
Firewall rules
[Diagram: rules merged from GPO and Local Policy, evaluated in this order of precedence, highest first.]
Service Restrictions
Connection Security Rules
Authenticated Bypass Rules
Block Rules
Allow Rules
Default Rules
New cryptographic algorithms. Encryption: AES-128, AES-192, AES-256. Key exchange: ECDH P-256, ECDH P-384
New advanced security console. Rules can be scoped:
By application name
To all wireless adapters
To all or multiple ports
To an Active Directory user or computer account
To all addresses in a numeric range
To an ICMP or ICMPv6 type or code value
To all addresses on a local subnet
To services
Advanced security console - Notes (same list as above)
Netsh Advfirewall
Demo: Managing Windows Firewall
Firewall rules
Active Directory accounts and groups
Source and destination IP addresses
Source and destination TCP and UDP ports
Interface types
Services
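The rule criteria listed on the console and firewall-rules slides, and the netsh advfirewall command the deck names, as an added example that is not part of the original presentation. It creates one rule per criterion with netsh advfirewall (the lines run unchanged in cmd.exe; PowerShell is used only to look up the group SID), and the block-before-allow pair illustrates the precedence order from the firewall-rules slide. The addresses, program path, service, group name and rule names are constructed placeholders; an elevated shell on Windows Vista or later is assumed.

```powershell
# Added example, not from the slides: Windows Firewall with Advanced Security rules
# created with netsh advfirewall, one per criterion the slides list.
# Assumptions: elevated PowerShell (the netsh lines also work unchanged in cmd.exe)
# on Windows Vista or later; the addresses, program path, group name and rule
# names are constructed placeholders.

# Source/destination address + TCP port: allow RDP only from the admin subnet,
# only while the machine is on the domain profile.
netsh advfirewall firewall add rule name="RDP from admin subnet" dir=in action=allow `
    protocol=TCP localport=3389 remoteip=10.20.30.0/24 profile=domain

# Block rules take precedence over allow rules (rule order on the "Firewall rules"
# slide), so this narrower block wins for one host inside the allowed subnet,
# whatever order the two rules were created in.
netsh advfirewall firewall add rule name="RDP block kiosk" dir=in action=block `
    protocol=TCP localport=3389 remoteip=10.20.30.77

# Source/destination UDP ports: block outbound TFTP on every profile.
netsh advfirewall firewall add rule name="Block outbound TFTP" dir=out action=block `
    protocol=UDP remoteport=69 profile=any

# Interface type: no SMB server access over wireless adapters.
netsh advfirewall firewall add rule name="No SMB over wireless" dir=in action=block `
    protocol=TCP localport=445 interfacetype=wireless

# Application name: the rule follows the binary, whatever port it listens on.
netsh advfirewall firewall add rule name="Contoso agent" dir=in action=allow `
    program="C:\Program Files\Contoso\agent.exe" protocol=TCP

# Service: allow Remote Registry RPC traffic only from the management host.
netsh advfirewall firewall add rule name="Remote Registry from mgmt host" dir=in action=allow `
    service=RemoteRegistry protocol=TCP localport=RPC remoteip=10.20.30.5

# ICMP type/code: allow ICMPv4 echo request (type 8, any code) from the local subnet.
netsh advfirewall firewall add rule name="Ping from local subnet" dir=in action=allow `
    protocol=icmpv4:8,any remoteip=localsubnet

# Active Directory group: the rule applies only to users in the group. That needs
# IPsec authentication (security=authenticate, i.e. a matching connection security
# rule) so the firewall actually knows who the remote user is. The group is
# passed as an SDDL string containing its SID.
$group = "CONTOSO\Remote Admins"    # placeholder domain group
$sid   = (New-Object System.Security.Principal.NTAccount($group)).Translate([System.Security.Principal.SecurityIdentifier]).Value
$sddl  = "D:(A;;CC;;;$sid)"
netsh advfirewall firewall add rule name="RDP for Remote Admins only" dir=in action=allow `
    protocol=TCP localport=3389 security=authenticate rmtusrgrp="$sddl"

# Review what was created, with every field shown.
netsh advfirewall firewall show rule name="RDP for Remote Admins only" verbose
```

The group-scoped rule is the one that ties the firewall to IPsec: without a connection security rule that authenticates the peer, `security=authenticate` means the rule never matches and the traffic is handled by whatever other rule applies.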
Knowing the network
[Diagram: hosts exchanging pings across the network.]
Knowing the network (2)
[Diagram, continued: hosts exchanging pings across the network.]
Demo: Configuring the Firewall
Troubleshooting
[Network diagram with example addresses 192.000.0.0, 192.000.1.0, 192.000.0.1 and 192.000.0.2.]
Demo: Troubleshooting the Firewall
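The troubleshooting steps the demo walks through, as an added example that is not part of the original presentation: check the active profile, enable the firewall log, save the policy before changing it, and then summarise which inbound ports the firewall is dropping. The log lines are constructed in the pfirewall.log format (they are not a real capture), the paths are placeholders, and an elevated PowerShell 2.0 or later is assumed (the netsh lines also run in cmd.exe).

```powershell
# Added example, not from the slides: troubleshooting Windows Firewall with
# Advanced Security from the command line. Assumptions: elevated PowerShell 2.0
# or later (the netsh lines also work in cmd.exe); the log lines below are
# constructed sample data, not a real capture.

# 1. Which profile is active on each interface and what each profile does by default.
netsh advfirewall show allprofiles
netsh advfirewall monitor show currentprofile

# 2. Log dropped and allowed connections for every profile.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging allowedconnections enable
netsh advfirewall set allprofiles logging filename "%SystemRoot%\system32\LogFiles\Firewall\pfirewall.log"
netsh advfirewall set allprofiles logging maxfilesize 8192

# 3. Save a copy of the policy before changing anything, so it can be imported back.
netsh advfirewall export "C:\Temp\wfas-before.wfw"

# 4. Summarise the log: which inbound protocol/destination-port pairs are dropped.
#    The parser reads the W3C "#Fields:" header so the column order is not hard-coded.
function Get-FirewallDropSummary {
    param([string[]]$Lines)
    $fieldLine = $Lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    $fields = ($fieldLine -replace '^#Fields:\s*', '') -split '\s+'
    $Lines | Where-Object { $_ -and -not $_.StartsWith('#') } | ForEach-Object {
        $values = $_ -split '\s+'
        $entry = New-Object PSObject
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $entry | Add-Member NoteProperty $fields[$i] $values[$i]
        }
        $entry
    } | Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
      Group-Object protocol, 'dst-port' | Sort-Object Count -Descending |
      Select-Object Count, Name
}

# Constructed sample in pfirewall.log format (not a real capture).
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2007-02-01 09:15:01 DROP TCP 192.0.2.10 192.0.2.20 51234 3389 52 S 1234567 0 8192 - - - RECEIVE
2007-02-01 09:15:02 DROP TCP 192.0.2.11 192.0.2.20 51235 3389 52 S 1234568 0 8192 - - - RECEIVE
2007-02-01 09:15:03 ALLOW UDP 192.0.2.20 192.0.2.1 53012 53 0 - 0 0 0 - - - SEND
2007-02-01 09:15:04 DROP ICMP 192.0.2.12 192.0.2.20 - - 60 - - - - 8 0 - RECEIVE
'@

# Two TCP/3389 drops and one ICMP drop in the sample; the UDP line is an allowed send.
Get-FirewallDropSummary -Lines ($sample -split "`r?`n")

# Against the real log once logging has run for a while:
# Get-FirewallDropSummary -Lines (Get-Content "$env:SystemRoot\system32\LogFiles\Firewall\pfirewall.log")
```

A port that shows up repeatedly in the drop summary while a client reports "connection refused" is usually a missing or mis-scoped allow rule for the active profile; compare the profile from step 1 against the `profile=` of the rule before adding a broader one.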
Mixed Environments
IPsec Overview
[Diagram: an IPsec policy consists of rules; each rule has a filter list (filters), a filter action, security methods (encryption, hashing, key lifetimes), authentication methods (Kerberos, certificates, static keys) and key exchange methods (IKE).]
IPsec Overview - Notes (same components as above)
Firewall with IPsec
Windows Firewall and IPSec - Notes
Policy-based dynamic segmentation
Policy-Based Dynamic Segmentation - Notes
IPsec policy configuration
Simplified IPSec Policy Configuration - Notes
Client-to-DC IPsec protection
Improved load balancing and clustering server support.
You don't need to configure rules for domain controllers.
IPsec policy in the domain can request protected traffic but not require it.
You can require protected traffic for domain controllers.
Client-to-DC IPsec Protection - Notes (same points as above)
Improved IPsec authentication
[Diagram: a Health Certificate Server issues a health certificate to the client.]
Multiple authentication methods; extended mode adds a second authentication with:
Kerberos credentials of the logged-on user account
NTLMv2 credentials of the logged-on user account
A user certificate
A computer health certificate
Improved IPsec Authentication - Notes (same points as above)
Summary
Better configuration options
Simpler troubleshooting
Better integration of IPsec with Windows Firewall
Where Else Can I Get Help? Free chats and webcasts List of newsgroups Microsoft community sites Community events and columns www.microsoft.com/technet/community