© 2006 Microsoft Corporation. All rights reserved.


1 © 2006 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

2 Windows Firewall with Advanced Security
Slide Title: Title Slide
Keywords: Title Slide
Key Message: Title Slide
Slide Builds: 0
Slide Script: Hello and welcome to this Microsoft TechNet session on the Windows Firewall with Advanced Security. My name is {insert name}.
Slide Transition: Microsoft Windows Vista greatly improves the ability of administrators to manage the firewall settings, along with advanced security configuration, such as IPSec.
Slide Comment:
Additional Information: José Parada Gimeno, ITPro Evangelist, Microsoft Corporation

3 Agenda
Windows Vista Firewall
Configuration and troubleshooting
Firewall integration with IPSec
Slide Title: Agenda: Exploring Windows Vista Firewall
Keywords: Agenda
Key Message: Agenda
Slide Builds: 2
Slide Script: We’ll start today with a brief overview of the need for an integrated firewall solution and how we’ve addressed this need in Windows XP. Then we’ll look at specific features of Windows Firewall in Windows Vista. We will examine new functionality and also discuss how to manage Windows Firewall. [BUILD1] We will look at how you can configure and troubleshoot Windows Firewall. [BUILD2] In addition, we will give an overview of IPSec and discuss how the two are integrated in Windows Vista. We will show how this simplifies administration of security.
Slide Transition: As technology increases, so do network concerns.
Slide Comment:
Additional Information:

4 Prerequisite knowledge
TCP/IP
Group Policy
Firewall knowledge
Slide Title: Helpful Experience
Keywords: Helpful Experience
Key Message: Helpful Experience
Slide Builds: 2
Slide Script: While we will explain all new terms related to today's session, there are some general terms from the industry or from other versions of Microsoft products that we may not spend time on. To help you out, we have listed the areas that it may be helpful to be familiar with, either prior to this session or to reference afterwards. Although we will give an overview of firewall functionality, it is helpful to have a basic understanding of the different types of firewalls and how they work to filter network traffic. [BUILD1] When discussing Windows Firewall and IPSec, we will mention many networking technologies, especially TCP/IP, in regard to IP addresses and the sending and receiving of network traffic. Knowledge of networking technologies will help you form a better picture of these processes. [BUILD2] Finally, Windows Firewall can be configured through Group Policy. IPSec and domain isolation are applied through Group Policy Objects, so a general understanding of Group Policy with Microsoft Windows will help you in this discussion.
Slide Transition: To cover the topics mentioned and keep the session flow going, we have divided the session up into the following agenda items.
Slide Comment:
Additional Information: Level 200

5 Current network concerns
Slide Title: Current Network Concerns
Keywords: firewall, malware, pain points, network concerns
Key Message: Currently, there are several network concerns.
Slide Builds: 2
Slide Script: The increasing use of laptops, handheld devices, and remote workers complicates physical network topology. A mobile workforce presents a growing concern of how to prevent unauthorized access to trusted network resources. In addition, organizations need to limit access to sensitive data to qualified personnel. [BUILD1] Unfortunately, as programs become more complex, providing greater benefits for companies, hackers utilize the technology to create viruses and worms of increasing complexity. Companies are faced with the challenge of thwarting malware threats and denial-of-service attacks. [BUILD2] Finally, as regulatory burdens increase, companies are required to maintain compliance with legislative regulations.
Slide Transition: Windows Firewall was introduced to alleviate some of the burdens companies face within their networks.
Slide Comment:
Additional Information:

6 History of Windows Firewall
Slide Title: History of Windows Firewall
Keywords: firewall, Windows Firewall, ICF
Key Message: A firewall wasn’t built into Windows until Windows XP.
Slide Builds: 1
Slide Script: Before Windows XP, Windows did not come with a built-in firewall. With these earlier versions of Windows, you had to either install your own software firewall or use a hardware firewall with a router or other networking device. [BUILD1] With the release of Windows XP, a firewall was integrated with the operating system. Originally, Windows Firewall was known as Internet Connection Firewall, or ICF. With Windows XP, the ICF software was used to restrict what information was communicated between the Internet and your home or small office network. ICF was also used to protect a single computer connected to the Internet with a cable modem, a DSL modem, or a dial-up modem.
Slide Transition: One of the shortcomings of the Windows Firewall in Windows XP is that it only blocked incoming traffic.
Slide Comment:
Additional Information:

7 Windows Firewall features
Slide Title: Windows Firewall Features
Keywords: Windows Firewall, IPv6, Teredo
Key Message: Highlight some new features of Windows Firewall.
Windows Firewall in Windows Vista blocks both incoming and outgoing traffic. The new Windows Firewall monitors incoming traffic and drops all unsolicited incoming traffic that does not correspond either to traffic sent in response to a request from the computer or to unsolicited traffic that has been specified as allowed. By blocking incoming traffic, Windows Firewall helps prevent the infection of computers by network-level viruses and worms that spread through unsolicited incoming traffic. The new Windows Firewall can also block outgoing traffic. For example, a network administrator can configure the new Windows Firewall with a set of rules to block all traffic to specific addresses containing either sensitive or undesirable content. The default behavior of the new Windows Firewall is to block all incoming traffic unless it is solicited or it matches a configured rule. The default for outgoing traffic is to allow all traffic unless it matches a configured rule. Windows Firewall in Windows Vista provides full support for IPv6. Windows Vista includes a new implementation of the TCP/IP protocol stack known as the Next Generation TCP/IP stack. The Next Generation TCP/IP stack is a redesign of TCP/IP functionality for both Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6), to meet current connectivity and performance needs. Teredo is an IPv6 transition technology that allows IPv6/IPv4 nodes that are separated by one or more NATs to communicate end-to-end with global IPv6 addresses. An IPv4 network address translator, or NAT, is commonly used on the Internet to preserve the public IPv4 address space by translating the addresses and port numbers of traffic to and from private network hosts that use private IPv4 addresses.
Teredo was first released with the Advanced Networking Pack for Windows XP with Service Pack 1, and is provided with Windows Vista. Applications that are already IPv6-enabled require no additional modification. Teredo is just one of the ways in which the Next Generation TCP/IP stack can send and receive IPv6 traffic. Computers running Windows Vista have IPv6, Teredo, and Windows Firewall enabled by default, and are protected from unwanted, unsolicited, incoming IPv6 traffic. All Windows Firewall rules apply to both IPv4 and IPv6 traffic. Because Windows Firewall allows rules for incoming traffic based on TCP or UDP ports, or by specifying a program name, the rules are more specific than rules configured on typical NATs. Windows Firewall also provides interface-type support for RAS, LAN, and wireless communications. As the workforce is becoming more mobile, this adds additional security for communication with the entire network.
Slide Transition: Windows Firewall uses program-based rules using the program path or service name.

8 Firewall rules
Service restrictions
Secure connection rules
Slide Title: Windows Firewall Rules
Keywords: Windows Firewall Rules, service restrictions
Key Message: Windows Firewall processes rules in order.
Slide Builds: 3
Slide Script: Windows Firewall processes rules in a particular order. Service restrictions have a higher priority than any other Windows Firewall rule, since services are attractive targets for malware. [BUILD1] For example, CodeRed attacked Microsoft services in July 2001, and Sasser was released in April. For this reason, security for services is essential to protect important resources. [BUILD2] By specifying service restrictions, you limit a service's resource access to only the resources it legitimately needs. This reduces the damage potential and the number of critical vulnerabilities in services. [BUILD3] After service restrictions, rules are processed in the following order: connection security rules, authenticated bypass rules, block rules, and allow rules. Finally, default rules are processed.
Slide Transition: These default rules come from the highest-precedence Group Policy object.
Slide Comment:
Additional Information: GPO; Authentication rules; Block rules; Allow rules; Local Policy; Default rules
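The evaluation order the script describes, modeled as an added PowerShell example that is not part of the presentation. The rule lists and the sample packets are constructed here; connection security rules (which decide whether a peer was authenticated, not whether traffic is blocked) are represented only by the packet's `Authenticated` flag; `Resolve-FirewallAction` is a teaching model of the precedence, not the filtering engine itself.

```powershell
# Added example, not from the presentation: a model of Windows Firewall rule
# precedence. Rules are plain hashtables; packets are constructed samples.
function Resolve-FirewallAction {
    param(
        [hashtable]$Packet,                 # keys: Service, Port, Authenticated
        [hashtable[]]$ServiceRestrictions,  # keys: Service, Ports (ports the service may use)
        [hashtable[]]$AuthenticatedBypass,  # keys: Name, Port
        [hashtable[]]$BlockRules,           # keys: Name, Port
        [hashtable[]]$AllowRules,           # keys: Name, Port
        [string]$DefaultInbound = 'Block'   # profile default for unsolicited inbound traffic
    )

    # 1. Service restrictions have the highest priority: a restricted service
    #    may only use the ports listed for it, whatever later rules say.
    foreach ($r in $ServiceRestrictions) {
        if ($Packet.Service -eq $r.Service -and ($r.Ports -notcontains $Packet.Port)) {
            return "Block (service restriction on $($r.Service))"
        }
    }
    # 2. Authenticated bypass: traffic from an IPSec-authenticated peer skips the
    #    block rules that follow. Whether the peer was authenticated is the outcome
    #    of the connection security rules, modeled here by $Packet.Authenticated.
    foreach ($r in $AuthenticatedBypass) {
        if ($Packet.Authenticated -and $Packet.Port -eq $r.Port) {
            return "Allow (authenticated bypass '$($r.Name)')"
        }
    }
    # 3. Block rules are evaluated before allow rules, so a matching block rule
    #    wins even when an allow rule for the same port exists.
    foreach ($r in $BlockRules) {
        if ($Packet.Port -eq $r.Port) { return "Block (rule '$($r.Name)')" }
    }
    # 4. Allow rules
    foreach ($r in $AllowRules) {
        if ($Packet.Port -eq $r.Port) { return "Allow (rule '$($r.Name)')" }
    }
    # 5. Nothing matched: the profile default applies.
    return "$DefaultInbound (default)"
}

# Constructed rule sets: note the deliberate block/allow conflict on port 445
$serviceRestrictions = @( @{ Service = 'Dnscache'; Ports = @(53) } )
$authenticatedBypass = @( @{ Name = 'Managed scanners'; Port = 445 } )
$blockRules          = @( @{ Name = 'Block SMB';        Port = 445 } )
$allowRules          = @( @{ Name = 'Allow RDP';        Port = 3389 },
                          @{ Name = 'Allow SMB';        Port = 445 } )

# Constructed inbound packets: a restricted service on a foreign port, an
# authenticated and an unauthenticated SMB peer, RDP, and an unlisted port
$packets = @(
    @{ Service = 'Dnscache'; Port = 80;   Authenticated = $false },
    @{ Service = $null;      Port = 445;  Authenticated = $true  },
    @{ Service = $null;      Port = 445;  Authenticated = $false },
    @{ Service = $null;      Port = 3389; Authenticated = $false },
    @{ Service = $null;      Port = 8080; Authenticated = $false }
)
foreach ($p in $packets) {
    $verdict = Resolve-FirewallAction -Packet $p -ServiceRestrictions $serviceRestrictions `
        -AuthenticatedBypass $authenticatedBypass -BlockRules $blockRules -AllowRules $allowRules
    "{0,-9} port {1,-5} auth={2,-5} -> {3}" -f $p.Service, $p.Port, $p.Authenticated, $verdict
}
```

Running the loop shows the two points the slide makes: the unauthenticated SMB packet is blocked even though an allow rule for port 445 exists, because block rules are evaluated first, and the same packet from an authenticated peer is allowed by the bypass rule before the block rule is ever consulted.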

9 New encryption algorithms
Slide Title: New Cryptographic Algorithms
Keywords: cryptography, encryption algorithms
Key Message: Windows Vista supports new cryptographic algorithms.
Slide Builds: 2
Slide Script: In response to governmental security requirements and trends in the security industry to support stronger cryptography, Windows Vista supports additional key derivation and encryption algorithms. [BUILD1] In addition to the Data Encryption Standard (DES) and Triple-DES (3DES), Windows Server "Longhorn" and Windows Vista support additional algorithms for encrypting data. The first is Advanced Encryption Standard with cipher block chaining and a 128-bit key size: AES 128. The next is AES with CBC and a 192-bit key size: AES 192, and finally, AES with CBC and a 256-bit key size: AES 256. These new encryption algorithms can’t be used for a security association with a computer running Windows Server 2003, Windows XP, or Windows 2000. [BUILD2] Windows Vista supports the following additional algorithms to negotiate the master key material derived during main mode negotiation: ECDH P-256 and ECDH P-384. These are stronger than the algorithms supported in Windows Server 2003 and Windows XP SP2.
Slide Transition: Like the new encryption algorithms, the new DH algorithms can’t be used for main mode negotiation with a computer running Windows Server 2003, Windows XP, or Windows 2000.
Slide Comment:
Additional Information: Encryption: AES-128, AES-192, AES-256. Key exchange: ECDH P-256, ECDH P-384

10 New advanced security console
By application name
All wireless adapters
Slide Title: Advanced Security MMC Snap-In
Keywords: Windows Firewall Console, Advanced Security MMC Snap-In
Key Message: Introduce the Advanced Security MMC Snap-In.
The Windows Firewall in Windows XP utilizes a GUI for configuration that consists of the Windows Firewall item in Control Panel and a series of Group Policy settings in the Group Policy Object Editor snap-in. With Windows Vista, you can still configure the new Windows Firewall with the Windows Firewall item in Control Panel, which displays the same set of configuration options as for the previous Windows Firewall. However, you can configure only basic settings for the new Windows Firewall in Control Panel; you cannot configure the enhanced features there. The Windows Firewall with Advanced Security MMC snap-in provides a central location for both local and Active Directory Group Policy-based configuration. This snap-in allows you to administer the advanced configuration options available with the new Windows Firewall. In addition, with the new Windows Firewall with Advanced Security snap-in, network administrators can configure settings for the new Windows Firewall on remote computers, which was not possible with the previous Windows Firewall without a remote desktop connection. [BUILD1] The snap-in allows you to configure the rules for inbound and outbound stateful IP filtering with configurable defaults. [BUILD2] Also available are location-aware policy profiles, including domain and standard profiles. You can centrally manage the firewall through Group Policy, including delegation, backup and restore, and policy refresh. Scripting integration with the Windows Firewall COM APIs provides new interfaces for managing service restrictions and for programmatically creating granular firewall rules. From this snap-in, you can also manage IPSec. This prevents conflicts between the two technologies and provides a coordinated front against threats.
When you configure IPSec policy with the new Windows Firewall with Advanced Security snap-in, you can configure protected communication with several new settings. You can configure by application name, which simplifies protected traffic configuration, because the ports used by the application do not need to be manually configured. Second, you can now specify all TCP or UDP ports or multiple TCP or UDP ports in a comma-delimited list, simplifying configuration. You can specify addresses in a numeric range or on a local subnet. You can also protect traffic based on the interface type, including wireless, LAN, and remote access. You can specify the list of computer or user accounts or groups in Active Directory that are authorized to initiate protected communication. This allows you to specify that traffic to specific servers with sensitive data must be protected and can only originate from specific user accounts in specific Active Directory security groups. You can configure by ICMP or ICMPv6 Type or Code value. Finally, you can specify that the rule applies to any process, only to services, or to a specific service by its service name, or you can type the short name for the service.
Slide Transition: For command-line configuration of advanced settings in the new Windows Firewall, you can use commands in the netsh advfirewall context.
Slide Comment:
Additional Information: All or multiple ports; AD user or machine account; All IPs in a range; ICMP or ICMPv6; All addresses within a subnet; Services

11 Command line: netsh advfirewall
Slide Title: netsh advfirewall
Keywords: netsh advfirewall, command line tool
Key Message: You can use the netsh advfirewall command-line tool for Windows Firewall administration.
Slide Builds: 1
Slide Script: The command-line tool for Windows Firewall has many of the same options as the Windows Firewall with Advanced Security snap-in. There are options to display a configuration script, export or import a configuration script, reset the local policy to the default out-of-box policy, and set or show the per-profile or global settings. There are four sub-contexts available: consec, inbound, monitor, and outbound. [BUILD1] Each of these sub-contexts has its own options. For example, the inbound context lets you view inbound rules, add or delete inbound rules, display configuration scripts, or set a new value for properties of an existing rule. The consec sub-context is used for connection security rules, and the outbound sub-context is used for outbound firewall rules. The monitor context lets you perform monitoring of the firewall, much like the monitoring node in the Windows Firewall with Advanced Security snap-in.
Slide Transition: Let’s look at the new Windows Firewall with Advanced Security snap-in.
Slide Comment:
Additional Information:
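An added example, not part of the presentation, of the command-line surface just described, typed at an elevated Windows command prompt or PowerShell session. The rule names, program path, address ranges and export path are placeholders chosen for the example. One assumption about syntax: in the released netsh advfirewall, inbound and outbound firewall rules are both handled through the `firewall` sub-context with `dir=in` or `dir=out`, and that is the form used below; `consec` and `monitor` are as the slide names them.

```powershell
# Added example, not from the presentation. Run from an elevated prompt.
# Rule names, paths and addresses are placeholders for this example.

# Global and per-profile settings: show them, enable the firewall, and set the
# default policy (block unsolicited inbound, allow outbound) for the domain profile
netsh advfirewall show allprofiles
netsh advfirewall set allprofiles state on
netsh advfirewall set domainprofile firewallpolicy blockinbound,allowoutbound

# Inbound rule scoped by program path, protocol, a comma-delimited port list,
# a remote address range and the domain profile
netsh advfirewall firewall add rule name="Example inbound app" dir=in action=allow `
    program="C:\Program Files\Example\app.exe" protocol=TCP localport=5000,5001 `
    remoteip=10.0.0.0/8 profile=domain

# Outbound block rule for a range of remote addresses (the slide's
# "block all traffic to specific addresses" case)
netsh advfirewall firewall add rule name="Example outbound block" dir=out action=block `
    protocol=any remoteip=192.0.2.0/24

# Inspect, modify and delete rules
netsh advfirewall firewall show rule name="Example inbound app" verbose
netsh advfirewall firewall set rule name="Example inbound app" new enable=no
netsh advfirewall firewall delete rule name="Example outbound block"

# Monitoring sub-context: active firewall state, connection security rules,
# and main mode / quick mode IPSec security associations
netsh advfirewall monitor show firewall
netsh advfirewall monitor show consec
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa

# Export the whole policy; import and reset are shown but left commented out
netsh advfirewall export "C:\Temp\example-policy.wfw"
# netsh advfirewall import "C:\Temp\example-policy.wfw"
# netsh advfirewall reset
```

Exporting the policy before making changes gives a known-good file to import if a rule change locks out remote administration, which is the practical reason the export and reset options exist alongside the rule commands.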

12 DEMO 1 Demo: Managing Windows Firewall
Slide Title: Demonstration: Managing Windows Firewall
Keywords: Demonstration
Key Message: Demonstration
Slide Builds: 0
Slide Script: In this demonstration, we will introduce the Windows Firewall with Advanced Security snap-in and Windows Firewall management with the Group Policy Object Editor.
Slide Transition: This interface makes the job of configuring Windows Firewall more intuitive for the administrator.
Slide Comment:
Additional Information: Managing Windows Firewall

13 Agenda
Windows Vista Firewall
Configuration and troubleshooting
Firewall integration with IPSec
Slide Title: Agenda: Configuring and Troubleshooting
Keywords: Agenda
Key Message: Agenda
Slide Builds: 0
Slide Script: Now that we have seen an overview of the Windows Firewall features in Windows Vista, let’s look at how to configure options for the Windows Firewall and utilize troubleshooting tools.
Slide Transition: With Windows Firewall in Windows Vista, there are several configuration options for rules.
Slide Comment:
Additional Information:

14 Firewall rules
Active Directory accounts and groups
Slide Title: Firewall Rules
Keywords: Rules
Key Message: Exceptions for Windows Firewall in Windows Vista.
Rules can be configured for Active Directory accounts and groups. For rules that specify that incoming or outgoing traffic must be protected with IPSec, you can specify the list of computer accounts and groups or user accounts and groups that are authorized to initiate protected communication. [BUILD1] Rules can be configured for source and destination IP addresses. With previous versions of Windows Firewall, you could specify the portion of the network from which the excepted traffic was allowed to originate, that is, the source IP addresses of incoming traffic. With Windows Firewall in Windows Vista, you can configure both source and destination IP addresses for both incoming and outgoing traffic, allowing you to more closely define the type of traffic that is allowed or blocked. [BUILD2] With the new Windows Firewall, you can configure both source and destination TCP or UDP ports for both incoming and outgoing traffic, allowing you to more closely define the type of TCP or UDP traffic that is allowed or blocked. You can also configure rules for all TCP or UDP ports, or create a comma-delimited list of multiple ports. With previous versions of Windows Firewall, you could create rules based on TCP or UDP traffic, but you couldn’t specify other types of traffic that did not use TCP or UDP. The new Windows Firewall allows you to either select the protocol by name or manually type the value of the IPv4 Protocol or IPv6 Next Header field for the desired traffic. [BUILD3] Rules can be configured for specific types of interfaces. You can specify that a rule be applied to all interfaces or to specific types of interfaces, including LAN, remote access, or wireless interfaces. [BUILD4] Finally, rules can be configured for services.
You can specify that the rule be applied to any process, only to services, or to a specific service by its service name, or you can type the short name for the service.
Slide Transition: ICMP allows for the generation of error messages, test packets, and informational messages related to IP.
Slide Comment:
Additional Information: Source and destination IP addresses; Source and destination TCP and UDP ports; Interface types; Services

15 Network awareness
Slide Title: Network Awareness
Keywords: ICMP protocol, PING, VPN, network awareness
Key Message: Network Location Awareness allows Group Policy to respond better to changing network conditions.
The ICMP protocol is used to report problems with delivery of IP datagrams within an IP network. It can be used to warn of things such as when a particular end system is not responding, when an IP network is not reachable, when a node is overloaded, or when an error occurs in the IP header information. The "ping" program contains a client interface to ICMP. It may be used by a user to verify that an end-to-end Internet path is operational. The ping program also collects performance statistics. Windows Vista introduces the network awareness feature, which removes the reliance on the ICMP protocol for policy application. Instead of ICMP, the Group Policy client will use Network Location Awareness for bandwidth determination. This feature allows organizations to secure their networks with firewalls, filter the ICMP protocol, and still apply Group Policy. [BUILD1] Group Policy processes even if you have removed the ability for computers to respond to the ICMP protocol. In the past, Group Policy settings would fail in this situation because slow link detection relied on ICMP. The Group Policy client in Windows Vista now utilizes Network Location Awareness to determine the network bandwidth, and successfully continues to process Group Policy. Network Location Awareness also provides other benefits. First, the workstation or server will experience more efficient boot-up times with Network Location Awareness. Because Network Location Awareness provides an accurate indicator to Group Policy of when the network is ready and determines if the adapter is disabled or disconnected, Group Policy will shorten its wait time when the network is unavailable. Then the Group Policy client will apply policy settings whenever domain controller availability returns.
By more quickly applying Group Policy changes, your workstation will be more secure. [BUILD2] Network Location Awareness also allows you to make changes to policy settings and ensure that they are applied efficiently to mobile users. When mobile users connect to the corporate network over Virtual Private Networks, or VPN, the Group Policy client will detect the availability of a domain controller. If the Group Policy refresh cycle has elapsed or the previous policy application has failed, Group Policy will initiate a background refresh over the VPN connection, updating both the computer and user policy.
Slide Transition: There is no need to reboot or log off before connecting to the corporate network over a VPN.

16 DEMO 2 Demo: Configuring the Firewall
Slide Title: Demonstration: Configuring Firewall Options
Keywords: Demonstration
Key Message: Demonstration
Slide Builds: 0
Slide Script: In this demonstration, we will show options for creating rules, including inbound and outbound rules, how to open a port, and how to create a computer connection security rule.
Slide Transition: The Windows Firewall log lists the IP addresses of computers that have successfully or unsuccessfully tried to connect to your computer.
Slide Comment:
Additional Information: Configuring the Firewall

17 Troubleshooting
Slide Title: Troubleshooting
Keywords: Windows Firewall Log, IP addresses, IPSec events
Key Message: Troubleshooting for Windows Firewall and IPSec is improved.
Slide Builds: 0
Slide Script: The log can be useful for troubleshooting or for detecting possible hackers. You must enable logging to view the log file. Monitoring of the Windows Firewall can be done in the Advanced Security MMC snap-in. The monitoring link provides information about incoming and outgoing traffic, as well as the current actions performed. You can also view security associations in either a main mode or quick mode filter. There is a command-line version of the monitoring functions. There are also new performance counters available with Windows Firewall. In addition, Windows Server "Longhorn" and Windows Vista include 15 new IPSec audit-specific events, and the text of 25 existing events has been updated with more useful information. These improvements will help you troubleshoot failed IPSec negotiations without having to enable the advanced Oakley logging capability. Windows Server "Longhorn" and Windows Vista also include IPSec performance counters to help identify performance and networking issues with IPSec-protected traffic. For IPSec, there is also Network Diagnostics Framework support. The Network Diagnostics Framework is an architecture that helps users recover from and troubleshoot problems with network connections. For a failed IPSec negotiation, the Network Diagnostics Framework will prompt a user with an option to identify and correct the problem. IPSec support for the Network Diagnostics Framework then attempts to discover the source of the failed connection and either automatically corrects the problem or, depending on security considerations, prompts the user to make the appropriate configuration change.
Slide Transition: There are some steps to enable logging for Windows Firewall.
Slide Comment:
Additional Information:
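An added example, not part of the presentation, showing what a practitioner does with the log the slide mentions: enable dropped-connection logging, then parse the W3C-style `pfirewall.log` and summarise dropped inbound connections per source address. The log lines below are constructed samples laid out in the real log's field order; `ConvertFrom-FirewallLog` and `Get-DroppedInboundSummary` are function names chosen for this example.

```powershell
# Added example, not from the presentation. Function names are chosen here.

# Enabling logging (elevated prompt). The default log file is
# %windir%\system32\LogFiles\Firewall\pfirewall.log
# netsh advfirewall set allprofiles logging droppedconnections enable
# netsh advfirewall set allprofiles logging allowedconnections enable

function ConvertFrom-FirewallLog {
    # Turn pfirewall.log text into one object per entry, with property names
    # taken from the "#Fields:" header line.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line -like '#*' -or $line.Trim() -eq '') { continue }   # other headers, blank lines
        $values = $line.Trim() -split '\s+'
        if ($null -eq $fields -or $values.Count -ne $fields.Count) { continue }  # malformed line
        $props = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $props[$fields[$i]] = $values[$i] }
        New-Object PSObject -Property $props
    }
}

function Get-DroppedInboundSummary {
    # Dropped inbound (RECEIVE) entries grouped by source address. One source
    # being dropped on many distinct destination ports is the pattern worth a
    # closer look; the threshold is a constructed starting point, not a standard.
    param([object[]]$Entries, [int]$PortThreshold = 3)
    $Entries |
        Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
        Group-Object -Property 'src-ip' |
        ForEach-Object {
            $ports = @($_.Group | ForEach-Object { $_.'dst-port' } | Sort-Object -Unique)
            New-Object PSObject -Property @{
                SourceIp      = $_.Name
                DroppedCount  = $_.Count
                DistinctPorts = $ports.Count
                Ports         = ($ports -join ',')
                ReviewNeeded  = ($ports.Count -ge $PortThreshold)
            }
        } |
        Sort-Object -Property DroppedCount -Descending
}

# Constructed sample in the real log layout (not a real capture)
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2006-11-15 10:23:41 DROP TCP 192.0.2.10 10.0.0.5 49152 445 52 S 1234567 0 65535 - - - RECEIVE
2006-11-15 10:23:42 DROP TCP 192.0.2.10 10.0.0.5 49153 135 52 S 1234568 0 65535 - - - RECEIVE
2006-11-15 10:23:42 DROP TCP 192.0.2.10 10.0.0.5 49154 139 52 S 1234569 0 65535 - - - RECEIVE
2006-11-15 10:23:43 DROP TCP 192.0.2.10 10.0.0.5 49155 3389 52 S 1234570 0 65535 - - - RECEIVE
2006-11-15 10:24:01 DROP UDP 198.51.100.7 10.0.0.5 5353 5353 78 - - - - - - - RECEIVE
2006-11-15 10:24:05 ALLOW TCP 10.0.0.5 10.0.0.1 49200 389 0 - 0 0 0 - - - SEND
'@

$entries = ConvertFrom-FirewallLog -Lines ($sampleLog -split "`r?`n")
Get-DroppedInboundSummary -Entries $entries |
    Format-Table SourceIp, DroppedCount, DistinctPorts, Ports, ReviewNeeded -AutoSize

# On a live system, feed the real file instead of the sample:
# ConvertFrom-FirewallLog -Lines (Get-Content "$env:windir\system32\LogFiles\Firewall\pfirewall.log")
```

With the sample, the summary lists 192.0.2.10 with four drops on four distinct ports, flagged for review, and 198.51.100.7 with a single drop that is not; the outbound ALLOW entry is excluded because only dropped RECEIVE entries are summarised. The parser keys on the header rather than hard-coded positions so that a log with a different field list is still read correctly or, if a line does not match the header, skipped rather than misattributed.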

18 DEMO 3 Demo: Troubleshooting the Firewall
Slide Title: Demonstration: Troubleshooting the Firewall
Keywords: Demonstration
Key Message: Demonstration
Slide Builds: 0
Slide Script: In this demonstration, we will show how to enable firewall logging and how to use the monitoring node in the Windows Firewall with Advanced Security snap-in.
Slide Transition: Now that we have discussed how Windows Firewall and IPSec policies work in Windows Vista, you may wonder how this will work in your organization.
Slide Comment:
Additional Information: Troubleshooting the Firewall

19 Mixed environments
Slide Title: Mixed Environments
Keywords: Mixed Environments, Windows Firewall
Key Message: The Windows Vista client understands current Windows Firewall and IPSec policies.
Slide Builds: 0
Slide Script: One of the benefits of the Windows Vista client is that it understands previous Windows Firewall and IPSec policies. Configuration can be done through the Windows Firewall Administrative Template or netsh firewall. IPSec can be configured using the IP Security Policies snap-in or netsh ipsec. Troubleshooting can be done through the IP Security Monitor or netsh ipsec. Policies authored with the Windows Firewall with Advanced Security console or netsh advfirewall apply only to Windows Vista and Windows Server “Longhorn.”
Slide Transition: We’re going to finish up this session by discussing the integration of IPSec for additional security.
Slide Comment:
Additional Information:

20 Agenda
Windows Vista Firewall
Configuration and troubleshooting
Firewall integration with IPSec
Slide Title: Agenda: Integrating Firewall and IPSec
Keywords: Agenda
Key Message: Agenda
Slide Builds: 0
Slide Script: IPSec is now configured using the same interface as the Windows Firewall, which is a huge security improvement in Windows Vista over previous versions of Windows.
Slide Transition: IP Security, commonly called IPSec, is a suite of IP protocols used to provide secure communication.
Slide Comment:
Additional Information:

21 IPSec Overview
Key exchange methods (IKE)
IPSec policies
Slide Title: IPSec Overview
Keywords: IPSec, IKE, Authentication, Encryption
Key Message: IP Security is a suite of IP protocols used to provide secure communication.
IPSec policies and filters distributed by Group Policy provide authorization for authenticated users and computers. IPSec provides the ability to protect communication between workgroups, local area network computers, domain clients and servers, branch offices, extranets, and roaming clients. Although IPSec has encryption capability, it is mostly used for end-to-end authentication. [BUILD1] An IPSec policy is a set of rules that specifies authentication methods. IPSec in Windows Server 2003 and Windows XP supports the Internet Key Exchange, IKE, and three authentication methods during main mode negotiations: Kerberos, digital certificates, and preshared keys. For all of these authentication methods, the authentication process validates the identity and trustworthiness of a computer, rather than the user of the computer. IKE only attempts a single authentication using a single authentication method. Windows Vista introduces greater capabilities for IPSec authentication. There is now the ability to require that IPSec peers authenticate with a health certificate. A health certificate server issues a health certificate when a Network Access Protection client proves that its health state complies with current health policy. IPSec in Windows Vista also defines a new negotiation mode known as extended mode, in which an additional level of authentication is provided. The credentials used during the extended mode authentication can be based on the following: Kerberos credentials of the logged-on user account, NTLM v2 credentials of the logged-on user account, a user certificate, or a computer health certificate. Extended mode authentication can be with or without main mode authentication.
For example, you can use main mode authentication and Kerberos credentials to authenticate the computer and then extended mode authentication and a health certificate to validate the computer's health state. In Windows Server 2003 and Windows XP, although you can select multiple authentication methods in a preference order for main mode IPSec authentication, only one authentication method is used for authentication. If the authentication process for the negotiated authentication method fails, main mode fails and IPSec protection cannot be performed. When you select multiple authentication methods for computers running Windows Vista, IPSec will make multiple authentication attempts in an effort to perform mutual authentication. For example, if you specify that you want to authenticate using Kerberos and computer certificates from a specific certification authority, the IPSec peer can fail the Kerberos authentication and then attempt certificate authentication. [BUILD2] Each rule associates a filter list with an action. The filter list contains a set of filters. [BUILD3] A filter describes a pattern of traffic to match, by IP address, subnet, port, and protocol for both ends of a connection. [BUILD4] An action designates what to do with traffic that matches a filter. Filter actions can be configured to permit, block, or use a customizable negotiate security action. For the negotiate security filter action, the negotiation data contains one or more security methods that are used during IKE negotiations and other IPSec settings. Each security method determines the security protocol, the specific cryptographic and hashing algorithms, and the session key regeneration settings used. One of the main strengths of IPSec is that all administration occurs at the edges of the network on each host. With IPSec, traffic is authenticated from end to end, regardless of the routers, hubs, and networks in between the hosts.
In addition, all packets are verified to make sure they have not been changed in transit.
Slide Transition: Although support for IPSec is built into Windows 2000 and later, in Windows XP and Windows Server 2003, Windows Firewall and IPSec are configured separately.
Slide Comment: Rules; Authentication methods (Kerberos, certificates, preshared keys); Filter list; Security methods (encryption, hashing, key lifetime); Action; Filters

22 Firewall with IPSec
Slide Title: Firewall and IPSec
Keywords: Windows Firewall, IPSec
Key Message: Windows Firewall and IPSec are integrated in Windows Vista.
Slide Script: Although the purpose of Windows Firewall was to block or allow incoming traffic, IPSec could also be configured to block or allow incoming traffic. Because the block and allow behavior for incoming traffic could be configured through two separate services, it was possible to end up with duplicated or contradictory settings. In addition, Windows Firewall and IPSec supported different options for specifying allowed incoming traffic: Windows Firewall could allow traffic by application name, which IPSec could not, and IPSec could filter by IP protocol number, which Windows Firewall could not.
[BUILD1] In Windows Vista, Windows Firewall and IPSec have been combined into a single configurable tool, the new Windows Firewall with Advanced Security snap-in, which controls blocking and allowing of both inbound and outbound traffic in addition to protecting traffic with IPSec. Commands in the netsh advfirewall context provide the same control from the command line for both firewall and IPSec behavior. The integration of Windows Firewall with IPSec gives computers running Windows Vista an authenticating firewall: a firewall rule can require that a connection be authenticated by IPSec before it is allowed.
Another benefit of the integration is that IPSec configuration is greatly simplified. In Windows Server 2003 and Windows XP, IPSec policy for scenarios such as server isolation and domain isolation consisted of one set of rules to protect most of the traffic on the network and another set of exemption rules for traffic that had to stay unprotected, such as communication with network infrastructure servers (DHCP and DNS servers and domain controllers). IPSec in Windows Vista adds an optional negotiation behavior. With it, the sending node discovers whether the receiving node is capable of IPSec, which removes the need for most exemption rules. The new behavior also improves the performance of unprotected connections. An IPSec node running Windows Server 2003 or Windows XP that is configured to request protected communication but allow unprotected communication (a behavior known as falling back to clear) sends its negotiation messages and then waits up to 3 seconds for a response before falling back and attempting unprotected communication. In Windows Vista that 3-second delay is eliminated, because communication in the clear is already in progress while the initiating node waits for a response.
Slide Transition: In addition to the integration of IPSec with Windows Firewall, there have been several other improvements to IPSec in Windows Vista.
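The slide's point is that the two rule styles that used to live in different tools (application-name rules in Windows Firewall, IP-protocol-number rules in IPSec filters) are now created from the one netsh advfirewall context, together with outbound rules. The following batch script is an added example, not code from the original deck; the program path, rule names and the 10.0.5.0/24 management subnet are invented, and it assumes an elevated command prompt on Windows Vista or Windows Server "Longhorn" (or later).

```batch
@echo off
rem Added example, not from the original deck: application-name and
rem IP-protocol-number inbound rules side by side, plus an outbound rule,
rem all in the single netsh advfirewall context.
rem Assumptions (illustrative only): APP, the rule names and the
rem 10.0.5.0/24 management subnet are invented; run elevated on
rem Windows Vista / Windows Server "Longhorn" or later.

set APP=C:\Program Files\Contoso\Agent\agent.exe

rem 1. Inbound rule keyed on the application, limited to the domain profile.
netsh advfirewall firewall add rule name="Contoso Agent inbound" dir=in action=allow program="%APP%" enable=yes profile=domain

rem 2. Inbound rule keyed on an IP protocol number: GRE (protocol 47), and only
rem    from the assumed management subnet. The XP/2003 Windows Firewall could
rem    not express this; it needed an IPSec filter instead.
netsh advfirewall firewall add rule name="GRE from management subnet" dir=in action=allow protocol=47 remoteip=10.0.5.0/24 profile=domain

rem 3. Outbound filtering is new in Vista: forbid the agent from initiating
rem    anything outbound. When an allow rule and a block rule both match, the
rem    block wins, so an "allow only port X" policy for an application is built
rem    by setting the profile's outbound default to block
rem    (netsh advfirewall set domainprofile firewallpolicy blockinbound,blockoutbound)
rem    and adding just the allow rule, not by pairing allow and block rules.
netsh advfirewall firewall add rule name="Contoso Agent outbound block" dir=out action=block program="%APP%" profile=domain

rem Verify: the rules and the effective per-profile state, from the same context.
netsh advfirewall firewall show rule name="GRE from management subnet" verbose
netsh advfirewall firewall show rule name="Contoso Agent outbound block"
netsh advfirewall show domainprofile
```

Each `add rule` is idempotent only by name: running the script twice creates duplicate rules, so delete with `netsh advfirewall firewall delete rule name="..."` before re-running, or check with `show rule` first.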

23 Policy-Based Dynamic Segmentation
Slide Title: Policy-Based Dynamic Segmentation
Keywords: policy-based dynamic segmentation, IPSec, server isolation, domain isolation
Key Message: A Server and Domain Isolation solution based on IPSec and Active Directory lets administrators dynamically segment their Windows environment into more secure, isolated logical networks based on policy.
Slide Script: Administrators continually face the challenge of giving authorized computers and users access while maintaining security. A Server and Domain Isolation solution based on IPSec and Active Directory lets administrators dynamically segment their Windows environment into more secure and isolated logical networks based on policy, without costly changes to network infrastructure or applications. This adds a layer of policy-driven protection that helps defend against network attacks, prevents unauthorized access to trusted networked resources, supports regulatory compliance and reduces operational costs.
The first step in policy-based dynamic segmentation is to define logical isolation boundaries in Active Directory. Domain and server isolation with Active Directory separate trusted from untrusted resources on the network. Server isolation means identifying high-value servers and placing them in a more secure, logically isolated network. Domain isolation means isolating managed computers from unmanaged or rogue computers and users.
Next, credentials are distributed to devices; this is where IPSec provides authentication. With domain isolation, traffic between domain member computers is secured so that the receiving computer can verify that an authenticated computer sent each packet and that the packet was not modified in transit. That traffic can also be encrypted, protecting it from malicious users on the organization's network who try to capture and interpret it. In addition, inbound connections from untrusted sources are blocked. Domain member computers use their domain credentials to authenticate communication attempts and apply network policy settings to secure traffic with each other. Because non-domain-member computers have no domain credentials, they cannot authenticate to domain members and are refused.
Finally, policy-based dynamic segmentation provides tiered access to sensitive resources. Group-specific server isolation can be combined with domain isolation: all traffic between domain members is secured, and some servers in the domain additionally accept secure communication only from domain member computers that belong to specific security groups.
In Windows Server 2003 and Windows XP, IPSec policy for dynamic segmentation consisted of one set of rules to protect most of the traffic on the network and another set of exemption rules for traffic that had to remain unprotected: communication with network infrastructure servers such as DHCP and DNS servers and domain controllers, and communication with network nodes that are not IPSec-capable. In some cases this meant dozens or even hundreds of rules, which made IPSec protection on a private network hard to deploy and to maintain over time.
Slide Transition: IPSec behavior in Windows Vista has been improved to simplify administration.
Slide Comment:
Additional Information:

24 IPSec negotiation behavior
Slide Title: Simplified IPSec policy configuration
Keywords: fallback to clear, communications, IPSec policy, configuration
Key Message: Windows Server "Longhorn" and Windows Vista include the following improvements to Internet Protocol security configuration.
Slide Script: IPSec in Windows Server "Longhorn" and Windows Vista introduces an optional negotiation behavior. When it is enabled, an IPSec node running Windows Vista or Windows Server "Longhorn" initiates communication with another node by attempting to communicate in the clear and to negotiate protected communication at the same time. A node that is configured to request protected communication but allow unprotected communication is said to "fall back to clear."
[BUILD1] The recommended IPSec configuration is to require protection for inbound communication and to request protection for outbound communication that the node initiates. With this configuration and the new behavior, the initiating node discovers whether its peer is capable of IPSec and behaves accordingly, which greatly simplifies policy: the initiating node no longer needs a predefined set of IPSec filter rules for the hosts that either should not or cannot protect their traffic with IPSec. If the initiating peer receives a response, communication in the clear is halted until the negotiation completes.
[BUILD2] If the initiating peer receives no response to its initial negotiation attempt, communication simply continues in the clear. This also improves the performance of unprotected connections. An IPSec node running Windows Server 2003 or Windows XP configured to fall back to clear sent its negotiation messages and then waited up to 3 seconds for a response before falling back and attempting unprotected communication. With Windows Server "Longhorn" and Windows Vista there is no 3-second delay, because communication in the clear is already in progress while the initiating node waits for a response.
The trade-off to keep in mind: a node that only requests protection will, by design, talk in the clear to any peer that does not answer the negotiation, so an attacker who can drop the negotiation packets on the path can keep that node's outbound connections unprotected. Requiring protection for inbound connections is what stops an unauthenticated peer from reaching the node at all, which is why the recommendation pairs "require inbound" with "request outbound".
Slide Transition: In Windows Server 2003 and Windows XP, Microsoft's current recommendation is not to use IPSec to protect traffic between domain controllers and member computers.
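Slides 23 and 24 together describe one policy: a domain isolation rule with the "require inbound, request outbound" posture, a small number of explicit exemptions instead of the dozens that XP/2003 needed, and group-restricted server isolation for tiered access. The batch script below is an added example that expresses that policy in netsh advfirewall; it is not code from the original deck. Assumptions, all illustrative: the host is a SQL Server listening on TCP 1433, 10.0.9.0/24 holds legacy devices that cannot negotiate IPSec, the "SQL Admins" computer group has the placeholder SID shown, and the commands run from an elevated prompt on Windows Vista or Windows Server "Longhorn".

```batch
@echo off
rem Added example, not from the original deck: domain isolation (slide 24
rem posture), one scoped exemption, and a group-restricted server isolation
rem firewall rule (slide 23 tiered access), all via netsh advfirewall.
rem Assumptions (illustrative only): SQL on TCP 1433, legacy subnet
rem 10.0.9.0/24, placeholder group SID below; run elevated on Vista or
rem Windows Server "Longhorn".

rem --- Domain isolation ---------------------------------------------------
rem Inbound: REQUIRE authentication, so a peer without domain credentials
rem never reaches a listening service. Outbound: only REQUEST it, so this host
rem still talks to non-IPSec peers (fallback to clear, without the old
rem 3-second wait). auth1=computerkerb = "prove domain membership with the
rem computer account's Kerberos ticket".
netsh advfirewall consec add rule name="Domain isolation" endpoint1=any endpoint2=any action=requireinrequestout auth1=computerkerb profile=domain

rem --- Exemption for nodes that cannot negotiate at all -------------------
rem Because the rule above REQUIRES authentication inbound, a legacy device
rem that must initiate connections to this host needs an explicit exemption.
rem Keep such rules few and tightly scoped: each one is a hole in the boundary.
netsh advfirewall consec add rule name="Legacy devices - no auth" endpoint1=any endpoint2=10.0.9.0/24 action=noauthentication profile=domain

rem --- Server isolation: tiered access to a sensitive service ------------
rem security=authenticate ties the firewall rule to IPSec (the authenticating
rem firewall); rmtcomputergrp further limits it to computers whose Kerberos
rem identity is in one security group. The SDDL grants (A;;CC;;;SID) to that
rem group; replace the placeholder SID with your group's real SID.
set SQLADMINS_SID=S-1-5-21-1111111111-2222222222-3333333333-1105
netsh advfirewall firewall add rule name="SQL only from SQL Admins computers" dir=in action=allow protocol=TCP localport=1433 security=authenticate rmtcomputergrp="O:LSD:(A;;CC;;;%SQLADMINS_SID%)" profile=domain

rem --- Verify -------------------------------------------------------------
rem Rules as stored, then the main-mode and quick-mode security associations
rem actually negotiated with peers.
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```

The group-restricted firewall rule only works because the connection security rule has already authenticated the peer: without an IPSec main-mode SA there is no Kerberos identity for `rmtcomputergrp` to evaluate, and the `security=authenticate` rule simply does not match.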

25 Client-to-DC IPSec protection
Protected traffic can be required for domain controllers
Improved load-balancing and cluster support
IPSec policy in a domain can request protected traffic without requiring it
No rules need to be configured for domain controllers
Slide Script: IPSec policy configuration can become quite complex because of the different types of traffic sent between domain members and domain controllers, which is why it is not recommended in Windows Server 2003 and Windows XP. In addition, if a domain controller requires IPSec-protected traffic from computers that must present domain credentials to authenticate, a computer that is not yet a domain member cannot contact the domain controller to join the domain.
[BUILD1] Windows Server "Longhorn" and Windows Vista let you secure traffic between domain members and domain controllers in several ways. First, because of the new negotiation behavior, you do not have to configure exemption rules for domain controllers, which simplifies IPSec policy and its deployment in a domain.
[BUILD2] You can also configure IPSec policy in the domain to request protected traffic but not require it. With this configuration, domain controllers protect most traffic with domain members but allow clear text for domain joins and other traffic that cannot be authenticated.
[BUILD3] In addition, you can configure IPSec policy to require protected traffic for domain controllers. When a computer running Windows Server "Longhorn" or Windows Vista joins the domain, the user is prompted for the user name and password of a domain user account, and IPSec with the domain controller is negotiated using Windows NT LAN Manager version 2 (NTLM v2) credentials of that user, giving a protected domain join. This behavior is only available for domain member computers running Windows Vista or Windows Server "Longhorn" and for domain controllers running Windows Server "Longhorn".
[BUILD4] Finally, Windows Vista and Windows Server "Longhorn" improve load-balancing and cluster server support. Although IPSec in Windows Server 2003 supports load balancing and cluster servers, re-establishing IPSec connectivity to a cluster virtual IP address after failover can be lengthy: around 3 to 6 seconds for administrative moves of clustered resources, and up to 2 minutes when a cluster node suddenly becomes unavailable or connectivity is otherwise lost. In Windows Server "Longhorn" and Windows Vista the timeout for a cluster node failure is substantially reduced because IPSec is more tightly integrated into the Next Generation TCP/IP stack. Instead of relying on IPSec idle timeouts to detect a node failure, IPSec monitors the TCP connections that run over established security associations (SAs). If the TCP connection for an established SA begins retransmitting segments, IPSec renegotiates the SAs, so failover to the new cluster node happens quickly, usually before the application fails.

26 Improved IPSec authentication
Health Certificate Server
Health certificate
Kerberos credentials of the logged-on user
NTLM v2 credentials of the logged-on user
A user certificate
A computer health certificate
Extended Mode
Multiple authentication methods
Slide Title: Improved IPSec authentication
Keywords: authentication, health certification, Network Access Protection, NAP, Extended Mode
Slide Script: First, an IPSec node can authenticate with a health certificate. With Windows Vista you can enable Network Access Protection (NAP), which lets an administrator set health requirements a computer must meet to connect to the network. For example, an administrator can require that only computers with Windows Firewall enabled may connect; a health certificate server then issues a health certificate once the NAP client demonstrates that Windows Firewall is enabled, and IPSec peers can demand that certificate.
[BUILD1] IPSec in Windows Server "Longhorn" and Windows Vista defines a new negotiation mode known as extended mode. In extended mode you can specify user-based or health-based authentication as an additional level of authentication beyond the computer authentication of main mode.
[BUILD2] The credentials used in extended mode authentication can be: Kerberos credentials of the logged-on user account, NTLM v2 credentials of the logged-on user account, a user certificate, or a computer health certificate. Extended mode authentication can be used with or without main mode authentication. For example, you can use main mode authentication with Kerberos credentials to authenticate the computer and then extended mode authentication with a health certificate to validate the computer's health state.
[BUILD3] Finally, Windows Vista tries multiple authentication methods during IPSec authentication. When you select several authentication methods for computers running Windows Server "Longhorn" or Windows Vista, IPSec tries them in turn until mutual authentication succeeds. For example, if you specify Kerberos and computer certificates from a specific certification authority, a peer for which Kerberos authentication fails is then tried with certificate authentication.
Slide Transition: There are a few key points to take away from today's session.
Slide Comment:
Additional Information:
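The client-to-DC options on slide 25 and the authentication options on slide 26 map directly onto connection security rules. The batch script below is an added example, not code from the original deck. Its assumptions are illustrative: domain controllers sit in 10.0.1.0/24, file servers in 10.0.2.0/24, partner servers in 10.0.3.0/24, the issuing CA's subject name is "CN=Contoso Root CA", and the commands run from an elevated prompt on Windows Vista or Windows Server "Longhorn".

```batch
@echo off
rem Added example, not from the original deck: the "request, do not require"
rem DC rule from slide 25, extended-mode user authentication and multiple
rem first-authentication methods from slide 26, as netsh advfirewall rules.
rem Assumptions (illustrative only): DCs in 10.0.1.0/24, file servers in
rem 10.0.2.0/24, partner servers in 10.0.3.0/24, CA subject
rem "CN=Contoso Root CA"; run elevated on Vista / Windows Server "Longhorn".

rem --- Slide 25: request, but do not require, protection to DCs ----------
rem A machine joining the domain holds no Kerberos credentials yet, so a DC
rem that REQUIRED computerkerb would lock new members out. Requesting in both
rem directions protects most DC traffic while leaving a path in the clear for
rem joins. (A DC that must REQUIRE protection relies instead on the NTLM v2
rem protected-join behavior described on the slide.)
netsh advfirewall consec add rule name="Domain controllers - request only" endpoint1=any endpoint2=10.0.1.0/24 action=requestinrequestout auth1=computerkerb profile=domain

rem --- Slide 26: extended mode (second) authentication -------------------
rem auth1 is main-mode computer authentication; auth2 is extended-mode
rem authentication of the logged-on user. Methods are tried in the order
rem listed, so a user without a Kerberos ticket falls back to NTLM v2.
netsh advfirewall consec add rule name="File servers - computer and user auth" endpoint1=any endpoint2=10.0.2.0/24 action=requireinrequireout auth1=computerkerb auth2=userkerb,userntlm profile=domain

rem --- Slide 26: several first-authentication methods, tried in turn ------
rem Domain members authenticate with Kerberos; a peer that cannot (say, a
rem non-domain partner server) is then tried with a computer certificate
rem chained to the named CA. Adding auth1healthcert=yes would restrict the
rem certificate method to NAP health certificates, which presumes a NAP health
rem certificate server is deployed.
netsh advfirewall consec add rule name="Partner servers - Kerberos then certificate" endpoint1=any endpoint2=10.0.3.0/24 action=requireinrequestout auth1=computerkerb,computercert auth1ca="CN=Contoso Root CA" profile=any

rem --- Verify which method each peer actually negotiated -----------------
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa
```

Check the result against a real peer rather than trusting the rule text: `monitor show mmsa` lists, per main-mode SA, the first and second authentication methods that were actually used, which is the only reliable way to see whether a peer ended up on Kerberos, a certificate, or (with the DC rule) in the clear.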

27 Summary
Better configuration options
Simpler troubleshooting
Better integration of IPSec with Windows Firewall
Slide Title: Summary
Keywords: Summary
Key Message: Summary
Slide Builds: 2
Slide Script: The additional configuration options in Windows Firewall in Windows Vista give administrators better control over inbound and outbound network traffic. Rules can be built on more parameters, so only the traffic you want enters or leaves the computer.
[BUILD1] Troubleshooting Windows Firewall is simpler with the Windows Firewall log, which records dropped and allowed connections and can help you identify probing hosts and other security risks. Monitoring is also integrated into the new Windows Firewall with Advanced Security MMC snap-in.
[BUILD2] With Windows XP and Windows Server 2003, IPSec and Windows Firewall had to be configured separately, and because both applied rules to incoming traffic, the two could conflict. In Windows Vista the two technologies are integrated and configured in the same console, which lets them work together and improves network security.
Slide Transition: For more information on the products and technologies covered today, there are online resources that can help.
Slide Comment:
Additional Information:

28 Where to get more help?
Webcasts
Newsgroups
Community
Slide Title: Community Help
Keywords: Community
Key Message: Where to get more help
Slide Builds: 0
Slide Script: There are a number of free community resources available on TechNet. You can attend a regular chat with members of the product groups or technology specialists from Microsoft, or attend a webcast, where sessions like this one are presented live with the ability to ask questions as you go. You can also read or post questions in public newsgroups; the Newsgroup page lists the available groups and provides an interface for reading and posting messages. TechNet Plus subscribers can use these groups to post questions and, through their subscription ID, are guaranteed a response from Microsoft Support Professionals and IT experts by the next business day. The main community site provides a comprehensive list of resources, more than can be covered here, with continually updated content. The Events page gives dates and details of live TechNet events, which take place around the world and let you talk to Microsoft specialists face to face. Finally, the TechNet columns cover a variety of topics written by industry authors.
Slide Transition: [Thank the audience for attending and sign off.]
Slide Comment:
Additional Information:

29 © 2006 Microsoft Corporation. All rights reserved.
Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

