LOOK BEHIND THE SCENES: WINDOWS SERVER 2012 FIREWALL AT VOLKSWAGEN AG
Ulf Seifert // Senior Consultant
21.11.2013

AGENDA // WINDOWS FIREWALL
//1 What it does and what it is used for
//2 Administrative concepts
//3 Strategies
//4 Management scenarios
Implementation considerations at VW
WINDOWS FIREWALL // THE WINDOWS FIREWALL
- a port-based firewall
- a stateful packet filter
- an application firewall
- freely available (part of the OS, built on the Windows Filtering Platform)
- switched on by default
- highly suitable
- IPv6 compatible

WINDOWS FIREWALL // HOW IT WORKS
- Outgoing traffic is allowed by a default rule.
- Incoming traffic is examined and checked against the list of permitted traffic.
- If the packet matches the permitted traffic, it is authorized and processed further.
- If the packet does not match the permitted traffic, it is rejected.
- If logging is configured, an entry is written to the firewall log file.
WINDOWS FIREWALL // RULE TYPES
- Program: allows traffic for a particular program
- Port: allows traffic on a particular TCP or UDP port or list of ports
- Predefined: groups of rules that allow Windows functionality on the network (for instance: file and printer sharing, network discovery, remote assistance, remote service administration, Windows collaboration, others)
- Custom: all the knobs and dials, switches and buttons

WINDOWS FIREWALL // THE FIREWALL RULE
DO Action = {Bypass | Allow | Block}
IF:
  Protocol = X
  AND Direction = {In | Out}
  AND Local TCP/UDP port is in {Port list}
  AND Remote TCP/UDP port is in {Port list}
  AND ICMP type/code is in {ICMP type-code list}
  AND Interface (NIC) is in {Interface ID list}
  AND Interface type is in {Interface types list}
  AND Local address is found in {Address list}
  AND Remote address is found in {Address list}
  AND Application = <Path>
  AND Service SID = <Service short name>
  AND Require authentication = {TRUE | FALSE}
  AND Require encryption = {TRUE | FALSE}
  AND Remote user has access in {SDDL}
  AND Remote computer has access in {SDDL}
  AND OS version is in {Platform list}
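One rule of each type from the RULE TYPES slide, built with the NetSecurity cmdlets that ship with Windows Server 2012, and a read-back that shows where the IF-predicates of the FIREWALL RULE slide are stored. This is an added example, not code from the deck or from VW; the display names, program path, subnets, service name and the SDDL are placeholders I made up.

```powershell
# Added example (not from the slide deck). Names, paths, addresses and the
# SDDL below are constructed placeholders.

# Program rule: traffic for one executable (path is a placeholder).
New-NetFirewallRule -DisplayName "Example: App Server (program)" `
    -Direction Inbound -Program "C:\Apps\Example\AppServer.exe" `
    -Action Allow -Profile Domain -Group "Example role rules"

# Port rule: a list of TCP ports, limited to the domain profile and to the
# corporate address range (placeholder subnet).
New-NetFirewallRule -DisplayName "Example: Web front end (port)" `
    -Direction Inbound -Protocol TCP -LocalPort 80,443 `
    -RemoteAddress 10.0.0.0/8 -Action Allow -Profile Domain `
    -Group "Example role rules"

# Predefined rule group: switch on an existing group instead of re-creating it.
Enable-NetFirewallRule -DisplayGroup "File and Printer Sharing"

# Custom rule: exercises several predicates at once (protocol, port, remote
# address, service SID, required authentication and encryption, remote computer
# SDDL). The SDDL must be replaced by a real computer-group ACE before the rule
# matches anything.
New-NetFirewallRule -DisplayName "Example: Management service (custom)" `
    -Direction Inbound -Protocol TCP -LocalPort 5985 `
    -RemoteAddress 10.1.2.0/24 -Service "ExampleSvc" `
    -Authentication Required -Encryption Required `
    -RemoteMachine "O:LSD:(A;;CC;;;S-1-5-21-PLACEHOLDER-GROUP-RID)" `
    -Action Allow -Profile Domain -Group "Example role rules"

# Read back the predicates: the rule object itself only carries the DO part
# (action, direction, profile); each IF-predicate lives in a filter object
# associated with the rule.
Get-NetFirewallRule -Group "Example role rules" | ForEach-Object {
    [pscustomobject]@{
        Name     = $_.DisplayName
        Action   = $_.Action
        Port     = ($_ | Get-NetFirewallPortFilter).LocalPort -join ','
        Remote   = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        Program  = ($_ | Get-NetFirewallApplicationFilter).Program
        Service  = ($_ | Get-NetFirewallServiceFilter).Service
        Security = ($_ | Get-NetFirewallSecurityFilter).Authentication
    }
} | Format-Table -AutoSize
```

The -Group value is what the rule list in the MMC shows as the "Group" column; tagging role rules this way is what makes them easy to find, export and remove as a set later.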
WINDOWS FIREWALL // RULE MERGING AND EVALUATION ORDER
Highest priority first:
1. Service restrictions: restrict the connections that services can establish; OS services are already configured appropriately.
2. Connection rules: restrict connections from particular computers; use IPsec to require authentication and authorization.
3. Authenticated bypass: allows specified authenticated computers to bypass other rules.
4. Block rules: explicitly block specified incoming or outgoing traffic.
5. Allow rules: explicitly allow specified incoming or outgoing traffic.
6. Default rules (lowest priority): the default behavior for a connection.

WINDOWS FIREWALL // NETWORK PROFILES
Allow different firewall rules to be applied in different environments:
- Domain: corporate environment, domain-joined
- Private: trusted/home network
- Public: coffee shops, airports, etc.
- From Windows 7 on you can have multiple active profiles.
- NLA (Network Location Awareness) detects network changes: it identifies the characteristics of a network and assigns it a GUID.
- The network profile service creates the profile upon connection (interfaces, DC, authenticated machine, gateway MAC).
- NPS notifies the firewall whenever NLA detects a change; the firewall changes category within 200 ms.
- More info: http://blogs.technet.com/b/networking/archive/2010/09/08/network-location-awareness-nla-and-how-it-relates-to-windows-firewall-profiles.aspx
- If the network is not a domain, the user is asked whether it is public or private.
- You must be a local administrator to define a network as private.
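Three rules for the same port whose outcome is decided by the merge order on the RULE MERGING slide rather than by the order in which they were created: an allow rule for the corporate range, a block rule for a subnet inside that range, and an authenticated bypass that lets IPsec-authenticated jump hosts through the block. This is an added example, not from the deck; the subnets, rule names and the SDDL are placeholders, and the -OverrideBlockRules switch is what marks a rule as "authenticated bypass".

```powershell
# Added example (not from the slide deck). Subnets and the SDDL are
# constructed placeholders.

# 5. Allow rule (lowest of the three): RDP from the whole corporate range.
New-NetFirewallRule -DisplayName "Example: RDP allow" -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress 10.0.0.0/8 `
    -Action Allow -Profile Domain

# 4. Block rule (beats every allow rule): no RDP from the guest subnet,
#    even though it lies inside 10.0.0.0/8 and creation order is irrelevant.
New-NetFirewallRule -DisplayName "Example: RDP block guests" -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress 10.99.0.0/16 `
    -Action Block -Profile Domain

# 3. Authenticated bypass (beats the block rule): jump hosts that authenticate
#    with IPsec and belong to the computer group named in the SDDL may connect.
#    -OverrideBlockRules needs -Authentication Required and -RemoteMachine.
New-NetFirewallRule -DisplayName "Example: RDP bypass for jump hosts" `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -Authentication Required -OverrideBlockRules $true `
    -RemoteMachine "O:LSD:(A;;CC;;;S-1-5-21-PLACEHOLDER-JUMPHOST-GROUP)" `
    -Action Allow -Profile Domain

# 2. Connection rule: the bypass only works if the peer actually authenticates,
#    so request IPsec for traffic in the domain profile (default auth proposal,
#    i.e. Kerberos for domain members).
New-NetIPsecRule -DisplayName "Example: request IPsec" `
    -InboundSecurity Request -OutboundSecurity Request -Profile Domain

# Show the three firewall rules in the order the engine evaluates them.
Get-NetFirewallRule -DisplayName "Example: RDP*" | ForEach-Object {
    $sec = $_ | Get-NetFirewallSecurityFilter
    [pscustomobject]@{
        Rule   = $_.DisplayName
        Class  = if ($sec.OverrideBlockRules) { '3 Authenticated bypass' }
                 elseif ($_.Action -eq 'Block') { '4 Block' } else { '5 Allow' }
        Remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
    }
} | Sort-Object Class | Format-Table -AutoSize
```

With "Request" rather than "Require" the connection rule does not break unauthenticated clients in the allowed range; it only gives the jump hosts a way to prove who they are so the bypass rule can match.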
WINDOWS FIREWALL // WHAT IF MULTIPLE INTERFACES?
Examine all connected networks:
1. Is any interface connected to a network classified as public? Yes: set the category to public.
2. Otherwise, is any interface connected to a network classified as private? Yes: set the category to private.
3. Otherwise: do all interfaces see a domain controller, and does the host authenticate? Yes: set the category to domain. No: set the category to public.

ADMINISTRATIVE CONCEPTS // TOOLS
- Group Policy Management Console (GPMC)
- Group Policy Editor (GPEdit)
- NetSH (up to Server 2012)
- PowerShell
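Two pieces that go with the NETWORK PROFILES and WHAT IF MULTIPLE INTERFACES slides: reading NLA's per-interface verdict on a live host, and a function that replays the single-profile decision tree of the flowchart on constructed interface descriptions so the outcome for a given mix of networks can be worked through. This is an added example, not from the deck; the function name, the object layout (Category, SeesDC, HostAuth) and the three scenarios are my own.

```powershell
# Added example (not from the slide deck).

# Part 1: NLA's current verdict for each connected interface.
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, Name, NetworkCategory, IPv4Connectivity

# Reclassifying a non-domain network needs local administrator rights:
#   Set-NetConnectionProfile -InterfaceAlias 'Ethernet' -NetworkCategory Private

# Part 2: the flowchart as a function. Each interface object carries
#   Category : 'Public', 'Private' or 'DomainAuthenticated' (NLA result)
#   SeesDC   : the interface can reach a domain controller
#   HostAuth : the host authenticated to the domain over it
function Resolve-SingleProfile {
    param([Parameter(Mandatory)][object[]]$Interfaces)

    # Least trusted network wins: one public link makes the host public.
    if ($Interfaces | Where-Object { $_.Category -eq 'Public' })  { return 'Public' }
    if ($Interfaces | Where-Object { $_.Category -eq 'Private' }) { return 'Private' }

    # Everything left claims domain: the domain profile applies only when
    # every interface sees a DC and the host authenticated.
    $notDomain = $Interfaces | Where-Object { -not ($_.SeesDC -and $_.HostAuth) }
    if ($notDomain) { 'Public' } else { 'Domain' }
}

# Constructed scenarios (not measured on a real host).
$lanOnly = @(
    [pscustomobject]@{ Category='DomainAuthenticated'; SeesDC=$true;  HostAuth=$true }
)
$lanPlusHotspot = @(
    [pscustomobject]@{ Category='DomainAuthenticated'; SeesDC=$true;  HostAuth=$true },
    [pscustomobject]@{ Category='Public';              SeesDC=$false; HostAuth=$false }
)
$lanPlusLinkWithoutDc = @(
    [pscustomobject]@{ Category='DomainAuthenticated'; SeesDC=$true;  HostAuth=$true },
    [pscustomobject]@{ Category='DomainAuthenticated'; SeesDC=$false; HostAuth=$false }
)

foreach ($case in 'lanOnly', 'lanPlusHotspot', 'lanPlusLinkWithoutDc') {
    [pscustomobject]@{
        Scenario = $case
        Profile  = Resolve-SingleProfile (Get-Variable -Name $case -ValueOnly)
    }
}
```

The third scenario is the one that surprises people: a second domain-classified link that cannot reach a DC drags a single-profile host down to public, which is why the per-interface profiles introduced with Windows 7 matter for multi-homed servers.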
ADMINISTRATIVE CONCEPTS // MANAGING FIREWALL GPOS: SOME CONCEPTS
GPO processing order (top to bottom):
1. Local GPO
2. Site
3. Domain
4. OU

ADMINISTRATIVE CONCEPTS // LOCAL GPO AND LOCAL SETTINGS
- If you don't block them, domain GPO firewall rules and local settings are cumulative (merged).
- If you want to prevent domain GPOs from being overridden, you have to block local settings and local GPO processing.
- Warning: this significantly increases the number of rules required in the domain GPOs, because nothing can be added locally any more.
ADMINISTRATIVE CONCEPTS // FILTERING
- Computer group: only certain groups have permission to apply the GPO.
- WMI: if the filter query evaluates to true, the GPO applies.
Examples:
- Certain OS versions:
  SELECT Version FROM Win32_OperatingSystem WHERE Version >= "6"
- Certain server features installed:
  SELECT Name FROM Win32_ServerFeature WHERE Name = "Web Server (IIS)"
- Certain program installed:
  SELECT Name FROM Win32_Product WHERE Name = "Cisco AnyConnect VPN Client"

STRATEGY // LEVEL OF CONTROL
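A dry run of the three WQL filters from the FILTERING slide on a candidate host before they are attached to a GPO. A WMI filter lets the GPO apply when the query returns at least one instance, so that is what the function reports; a query that errors (unknown class, syntax error) evaluates to false on the client and the GPO silently does not apply. This is an added example, not from the deck; the query text is the slide's, the function and the filter labels are mine.

```powershell
# Added example (not from the slide deck). Run on the host whose GPO
# applicability you want to predict.

function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Query
    )
    try {
        $hits = @(Get-CimInstance -Query $Query -ErrorAction Stop)
        [pscustomobject]@{ Filter = $Name; Applies = ($hits.Count -gt 0); Detail = "$($hits.Count) instance(s)" }
    } catch {
        # Same outcome the Group Policy client produces: an erroring filter is false.
        [pscustomobject]@{ Filter = $Name; Applies = $false; Detail = "error: $($_.Exception.Message)" }
    }
}

# The three queries from the slide, keyed by a label of my own.
$filters = [ordered]@{
    'OS version 6.x'            = 'SELECT Version FROM Win32_OperatingSystem WHERE Version >= "6"'
    'Web Server (IIS) feature'  = 'SELECT Name FROM Win32_ServerFeature WHERE Name = "Web Server (IIS)"'
    'Cisco AnyConnect installed'= 'SELECT Name FROM Win32_Product WHERE Name = "Cisco AnyConnect VPN Client"'
}

$filters.GetEnumerator() |
    ForEach-Object { Test-WmiFilterQuery -Name $_.Key -Query $_.Value } |
    Format-Table -AutoSize
```

Two things the dry run makes visible: the Version comparison is a string comparison in WQL, so "10.0.x" sorts before "6" and the first filter turns false on a host whose version string starts with "10"; and enumerating Win32_Product makes Windows Installer run a consistency check on every installed product, so the third filter is slow and writes Installer events on each Group Policy refresh.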
STRATEGIES // SERVER CATEGORIZATION
- Categorizing servers allows role-specific firewall rules, e.g. web server, database server, domain controller, etc.
- Supporting tool from Microsoft: Security Compliance Manager

STRATEGIES
STRATEGY // LEVEL OF SECURITY

STRATEGIES // IT'S A BALANCE
- Security requirements tend to drive the need to restrict traffic with firewall rules.
- Software requirements drive the need to allow traffic through the firewall.
STRATEGIES // WHO MANAGES THE RULES?
- Typically, those who have admin permissions are also the group that installs software.
- Often the owner (not necessarily the user of the computer) determines who has admin rights and who controls the firewall rules.
- The security office implements policy that often dictates the rules.
- Auditors may need to audit the rules on occasion.

STRATEGIES // DEFAULT SECURITY
- Inbound default rule: Block
- Outbound default rule: Allow
- Only inbound exceptions must be defined.
STRATEGIES // HIGH SECURITY / HIGH MAINTENANCE
- Inbound default rule: Block
- Outbound default rule: Block
- All exceptions must be defined.

MANAGEMENT SCENARIOS // LEVEL OF TRUST
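The DEFAULT SECURITY and HIGH SECURITY strategies expressed as profile settings, together with the log configuration the HOW IT WORKS slide refers to and a small parser for the blocked entries in that log. This is an added example, not from the deck; the log path and size, the function names and the resolver addresses in the outbound exception are my own choices.

```powershell
# Added example (not from the slide deck). Log location, size and the DNS
# addresses are constructed, not VW's.

# Logging as described on the HOW IT WORKS slide: write an entry per blocked packet.
$log = @{
    LogFileName         = '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'
    LogMaxSizeKilobytes = 16384
    LogBlocked          = 'True'
    LogAllowed          = 'False'
}

function Set-DefaultSecurity {
    # Inbound blocked unless an exception exists, outbound allowed.
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow @log
}

function Set-HighSecurity {
    # Both directions blocked: every needed flow becomes an explicit rule,
    # hence "high maintenance". Apply only after the outbound exceptions
    # (DNS, Kerberos/LDAP to the DCs, update sources, ...) exist.
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Block @log
}

# The first outbound exception a high-security host needs: DNS to the
# corporate resolvers (placeholder addresses).
function Add-CoreOutboundExceptions {
    New-NetFirewallRule -DisplayName "Example: outbound DNS" -Direction Outbound `
        -Protocol UDP -RemotePort 53 -RemoteAddress 10.0.0.10,10.0.0.11 `
        -Action Allow -Profile Domain
}

# Read back the effective defaults per profile.
function Get-DefaultActionSummary {
    Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogBlocked
}

# Blocked packets from the log. The file is space-separated text:
#   date time action protocol src-ip dst-ip src-port dst-port ... path
function Get-BlockedFromLog {
    param([string]$Path = [Environment]::ExpandEnvironmentVariables($log.LogFileName))
    Get-Content $Path | Where-Object { $_ -match '^\S+ \S+ DROP ' } | ForEach-Object {
        $f = $_ -split ' '
        [pscustomobject]@{
            Time = $f[1]; Proto = $f[3]; Src = $f[4]; Dst = $f[5]
            DstPort = $f[7]; Dir = $f[-1]
        }
    }
}

Set-DefaultSecurity
Get-DefaultActionSummary | Format-Table -AutoSize
Get-BlockedFromLog | Group-Object Proto, DstPort | Sort-Object Count -Descending | Select-Object -First 10
```

The grouped log output is the cheapest way to find out which exceptions a host still needs before switching it from Set-DefaultSecurity to Set-HighSecurity: whatever shows up as DROP with path SEND is outbound traffic that the stricter default would cut off.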
MANAGEMENT SCENARIOS // LOOSE MANAGEMENT SCENARIO
Environment:
- The end user has admin rights on the computer.
- The end user often installs software.
- Software installations often open up rules in the process of installing.
- IT might only add a few rules through GPO.

MANAGEMENT SCENARIOS // STRICT MANAGEMENT SCENARIO 1
Environment:
- Users don't have admin permissions.
- IT controls the local firewall settings.
- IT controls the local GPO settings.
- Users request software, not firewall settings.
- IT might use GPOs or just manage the settings locally.
MANAGEMENT SCENARIOS // STRICT MANAGEMENT SCENARIO 2
Environment:
- Users have admin permissions.
- IT wants to manage firewall rules centrally.
- Users need to request firewall rules.
- IT must use GPOs in this situation:
  - Disable local firewall settings
  - Disable local GPO processing

QUESTIONS & ANSWERS
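The lockdown that the LOCAL GPO AND LOCAL SETTINGS slide and STRICT MANAGEMENT SCENARIO 2 describe, done in a domain GPO: the firewall profiles stop merging local rules, one rule the servers will need is placed in the GPO (since nothing can come from the local store any more), and local GPO processing is switched off. This is an added example, not from the deck; the domain name, GPO name and subnet are placeholders, and it needs the NetSecurity and GroupPolicy modules (RSAT) on the admin workstation.

```powershell
# Added example (not from the slide deck). Domain, GPO name and subnet are
# placeholders.

$domain  = 'example.test'              # placeholder
$gpoName = 'Example Server Firewall'   # placeholder

# 1. Edit the firewall part of the GPO offline: rules and IPsec rules defined
#    locally on the server are no longer merged with the GPO's.
$gpo = Open-NetGPO -PolicyStore "$domain\$gpoName"
Set-NetFirewallProfile -GPOSession $gpo -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -AllowLocalFirewallRules False -AllowLocalIPsecRules False

# Every rule the servers need must now live in the GPO (the warning on the
# slide). Example: remote service administration from the admin subnet.
New-NetFirewallRule -GPOSession $gpo -DisplayName "Example: remote service admin" `
    -Direction Inbound -Protocol TCP -LocalPort 135,445 `
    -RemoteAddress 10.1.2.0/24 -Action Allow -Profile Domain
Save-NetGPO -GPOSession $gpo

# 2. Turn off processing of local GPOs on the targets. This is the policy
#    "Turn off Local Group Policy Objects processing" (Computer Configuration >
#    Administrative Templates > System > Group Policy), which sets this value.
Set-GPRegistryValue -Name $gpoName -Domain $domain `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System' `
    -ValueName 'DisableLGPOProcessing' -Type DWord -Value 1

# 3. Verify on a target server after gpupdate: the active store must show
#    local rules as ignored for the domain profile.
function Test-LocalRulesIgnored {
    $p = Get-NetFirewallProfile -Profile Domain -PolicyStore ActiveStore
    ($p.AllowLocalFirewallRules -eq 'False') -and ($p.AllowLocalIPsecRules -eq 'False')
}
```

A rule a local administrator adds on such a server still appears in Get-NetFirewallRule with the local PersistentStore, but Get-NetFirewallRule -PolicyStore ActiveStore will not list it, which is the quick way to show a user why their locally added exception has no effect.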
MANY THANKS FOR YOUR ATTENTION
Ulf Seifert // Senior Consultant
PHONE // +49 (341) 24051-139
FAX // +49 341 24051-199
E-MAIL // ulf.seifert@softline-group.com

SOFTLINE SOLUTIONS GMBH
GUTENBERG-GALERIE, GUTENBERGPLATZ 1, 04103 LEIPZIG
PHONE // +49 341 24051-0, FAX // +49 341 24051-199, E-MAIL // LEIPZIG@SOFTLINE-GROUP.COM