Embracing Microsoft Vista for Enhanced Network Security




Effective Implementation of Server & Domain Isolation Requires Complete Network Visibility throughout the OS Migration Process

For questions on this report or for more information about how Lumeta can help you secure your network in the face of change, please call +1.732.357.3500 or visit our Web site at www.lumeta.com

EMBRACING MICROSOFT VISTA FOR ENHANCED NETWORK SECURITY 1

Executive Summary

Windows Vista and Windows Server Longhorn enable organizations to reduce risk by implementing network security as a key component of the operating system. Large enterprises and government agencies can more rapidly define, implement and manage security policies through the use of new Vista security features and functionality, such as native IPsec-based group policy definition and management using Active Directory. Management and enforcement of security policies in Vista can become even more effective and efficient through the use of server and domain isolation (SD&I), a technique that identifies groups of trusted computers and defines the rules for communicating with untrusted computers in the enterprise and beyond.

The effective use of SD&I, however, requires that organizations have a full view of the current network infrastructure and the flow of connectivity across the organization. Without an accurate, comprehensive view of the current network architecture, connectivity and security policies, any attempt to adopt SD&I will result in poor definitions and faulty configurations for security policies and exemptions, which will ultimately create unacceptable security risks and insufficient connectivity. Furthermore, a lack of understanding of the physical infrastructure will introduce significant delays, costs and risks into the Vista migration process itself. Previously unknown machines, devices and technical constraints will cause significant headaches unless they are uncovered before the migration gets underway.

Lumeta's Vista Migration Planning Service harnesses the company's flagship IPsonar product to give organizations the global network visibility they need for a successful Vista migration. The Lumeta solution builds this global network view by creating a baseline for every device on the network, including previously unknown devices, and then maps the flow of network traffic, enabling organizations to address both policy definition and network discovery requirements. IPsonar identifies a network's assets, interconnections and IP addressing, and validates assumptions throughout the network to provide complete visibility into baselining efforts. This network infrastructure and connectivity baseline can be used to define isolation policies and identify needed changes to the network infrastructure. By running IPsonar throughout the migration process, organizations can determine how the implementation is progressing relative to initial requirements.

Building Network Security into the Fabric of the Operating System

Microsoft Vista offers tremendous opportunity for organizations seeking to improve network security by limiting access at the operating system level. With native support for the IPsec protocol and new facilities for creating IPsec-based group policies within Active Directory, Microsoft has made network security an integral part of the operating system. Thanks to these new capabilities, organizations can now employ server and domain isolation (SD&I), a powerful security technique that logically separates computers to ensure that only trusted computers can communicate. Through SD&I, IT executives and security managers can establish security policy management at the operating system level through the authentication and, optionally, encryption of client-to-client, client-to-server and server-to-server communications. SD&I allows organizations to mitigate threats to the perimeter and the core by limiting access according to user affinity and role, not just one's physical location on the network. Thus, SD&I represents an important complement to existing network defenses in the enterprise.

The new policy management add-on to Active Directory in Vista provides organizations with a highly centralized and efficient way to define and manage these groups or domains over time, which will potentially limit risk by requiring fewer changes within the enterprise to enforce policies. Organizations will also be less vulnerable to configuration errors on disparate network devices.

Challenges to Vista Adoption

However, powerful as it is, SD&I does not fully eliminate the risks created by gaps between policy and configuration, nor does the operating system provide a way to validate that policy and configurations are functioning effectively. Essentially, each computer in a domain has a personal firewall embedded in the operating system that enforces IPsec-based policy. A great deal of automation exists in Vista for management of these policies; nevertheless, there is potential for error, particularly when it comes to the configuration of border machines, which connect a trusted domain to untrusted domains within the enterprise and beyond. Since most organizations are heterogeneous in nature, Windows machines need to communicate with machines running other operating systems. Just as firewalls, IPS systems or routers function to enforce policy on a physical network, border machines sit at the edge of a domain and enforce the exemptions to the established isolation policies that determine whether a computer may connect to the outside world. Improper implementation of these exemptions will result in one of two outcomes:

- All of the computers residing in a domain become vulnerable, or
- Connectivity limitations that constrain IT's ability to support critical requirements for collaboration across the enterprise or beyond.

The ultimate success of an SD&I solution built on Vista and Longhorn requires careful planning before, during and after the migration process to ensure that policies are well defined and properly configured.

The Importance of Network Visibility to Project Success

Organizations implementing SD&I in Vista should begin by creating an accurate picture of both the devices on their network and how traffic flows from domain to domain and from a domain to the Internet. This picture enables network and security managers to measure the effectiveness of current policies, as well as the connectivity requirements for the business. According to the Microsoft Solutions for Security and Compliance Group [1], when planning a system migration:

"The very first step, even before beginning the design process, is to ensure that you have an up-to-date and accurate picture of the current state of your organization's network that includes workstation and server configurations as well as communication paths. It is not possible to develop an effective logical isolation solution without knowing exactly what the solution is expected to protect."

Since business requirements will continue to evolve at a frenetic pace, organizations must have a way to understand the impact of change over time to group policies and exceptions on risk and compliance. Establishing a baseline of connectivity is the first step. This baseline can be used before, during and after implementation to validate group policy.

Building a baseline is no simple task. It requires the ability to visualize the flow of traffic on the network quickly in order to discover unauthorized connectivity between trusted and untrusted networks, a critical capability because IPsec group policies are very explicit in defining which Vista and Longhorn machines can talk to each other in terms of the network, using IP addresses, CIDRs and protocols. Without a thorough understanding of these items, it is unlikely that IPsec group policies will be implemented correctly, or that they will be resilient to change in a manner necessary to support the business. Obtaining this information, particularly the connectivity piece, is extremely difficult to do manually or with traditional discovery tools. Microsoft offers the following advice for customers considering an SD&I deployment:

"The real technology challenge with logical isolation is implementing it in a manner that is both manageable and scalable for your organization. Producing a design that is so complex and restrictive that it impairs users' abilities to perform necessary business tasks could be worse than having no isolation solution at all. It is essential that you complete appropriate planning and testing both before and during the solution deployment." [2]

While SD&I is ultimately about implementing security based on a logical view of connectivity, a successful Vista migration is highly reliant on the network itself. Once again, a complete understanding of the physical infrastructure is essential for determining the potential impact of the network on the project. Microsoft elaborates on the importance of understanding the current physical infrastructure to the success of an SD&I project:

"The process of obtaining and maintaining a reliable record of an organization's computers, software, and network devices is a classic IT challenge. A successful project will depend on the information obtained from such a process. Before starting the planning process for a server and domain isolation project, you need to collect and analyze up-to-date information about the computers, the network, and the directory services that are already deployed in the organization. This information will allow you to create a design that accounts for all possible elements of the existing infrastructure. If the gathered information is not accurate, problems can arise when devices and computers that were not considered during the planning phase are encountered during implementation." [3]

Meeting this challenge requires the use of a comprehensive discovery solution for network devices and segmentation, traffic and hosts.

[1] Microsoft Solutions for Security and Compliance (MSSC), Server and Domain Isolation using IPSec and Group Policy. Microsoft Corporation. p. 52.
[2] Microsoft Solutions for Security and Compliance (MSSC), Server and Domain Isolation using IPSec and Group Policy. Microsoft Corporation. p. 6.
[3] Microsoft Solutions for Security and Compliance (MSSC), Server and Domain Isolation using IPSec and Group Policy. Microsoft Corporation. p. 45.
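The two failure modes of border-machine exemptions (a domain exposed, or required business connectivity cut off) and the use of a connectivity baseline to validate IPsec group policy, as an added example that is not part of the original paper and is not Lumeta's or Microsoft's code. It assumes a simplified representation: an isolation policy is a list of trusted CIDRs plus exemptions (source CIDR, trusted destination host, protocol, port), and the discovery baseline is a list of observed flows; every address, rule and flow below is constructed sample data, not output from any real discovery product.

```python
"""Check a server-and-domain-isolation policy against observed and required
connectivity.  Added example, not Lumeta's or Microsoft's code: the policy,
the exemption list and the flow records are constructed sample data, and the
record format is assumed rather than taken from any discovery product."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class Exemption:
    """A border-machine exemption: untrusted sources in src_cidr may reach
    the trusted host dst over proto/dport (dport None means any port)."""
    src_cidr: str
    dst: str
    proto: str
    dport: Optional[int]


# Constructed isolation policy: one trusted domain plus three exemptions.
TRUSTED_CIDRS = [ipaddress.ip_network("10.10.0.0/16")]
EXEMPTIONS = [
    Exemption("10.20.0.0/16", "10.10.1.5", "tcp", 443),   # intranet web server
    Exemption("0.0.0.0/0", "10.10.1.9", "udp", 53),       # DNS for everyone
    Exemption("0.0.0.0/0", "10.10.1.20", "tcp", None),    # "legacy" management host
]


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_CIDRS)


def exemption_allows(flow: Flow, ex: Exemption) -> bool:
    return (ipaddress.ip_address(flow.src) in ipaddress.ip_network(ex.src_cidr)
            and flow.dst == ex.dst
            and flow.proto == ex.proto
            and (ex.dport is None or ex.dport == flow.dport))


def policy_permits(flow: Flow) -> bool:
    """Trusted-to-trusted traffic is authenticated by IPsec and allowed; traffic
    from an untrusted source into the trusted domain needs an exemption; traffic
    that never enters the trusted domain is outside the isolation boundary."""
    if is_trusted(flow.dst) and not is_trusted(flow.src):
        return any(exemption_allows(flow, ex) for ex in EXEMPTIONS)
    return True


def broad_exemptions() -> List[Exemption]:
    """Exemptions open to any source on any port: the 'whole domain becomes
    vulnerable' failure mode, since one such host is reachable from anywhere."""
    return [ex for ex in EXEMPTIONS
            if ipaddress.ip_network(ex.src_cidr).prefixlen == 0 and ex.dport is None]


def validate(observed: List[Flow], required: List[Flow]) -> Tuple[List[Flow], List[Flow]]:
    """Return (unauthorized, blocked): observed flows the policy should not have
    permitted, and required business flows the policy would cut off."""
    unauthorized = [f for f in observed if not policy_permits(f)]
    blocked = [f for f in required if not policy_permits(f)]
    return unauthorized, blocked


# Constructed connectivity baseline (what discovery saw) and business requirements.
OBSERVED = [
    Flow("10.20.3.4", "10.10.1.5", "tcp", 443),     # covered by the web exemption
    Flow("10.20.3.4", "10.10.1.7", "tcp", 445),     # untrusted host reaching a trusted file server
    Flow("10.10.2.2", "10.10.1.7", "tcp", 445),     # trusted to trusted
    Flow("192.168.9.9", "10.10.1.9", "udp", 53),    # covered by the DNS exemption
]
REQUIRED = [
    Flow("10.20.3.4", "10.10.1.5", "tcp", 443),
    Flow("10.30.0.8", "10.10.1.5", "tcp", 443),     # partner LAN not in the web exemption
]

if __name__ == "__main__":
    unauthorized, blocked = validate(OBSERVED, REQUIRED)
    for f in unauthorized:
        print(f"UNAUTHORIZED  {f.src} -> {f.dst} {f.proto}/{f.dport}")
    for f in blocked:
        print(f"BLOCKED       {f.src} -> {f.dst} {f.proto}/{f.dport}")
    for ex in broad_exemptions():
        print(f"OVERLY BROAD  {ex.src_cidr} -> {ex.dst} {ex.proto}/any")
```

Run stand-alone, the script reports the SMB flow from the untrusted 10.20.0.0/16 network into a trusted file server as unauthorized connectivity, the partner-LAN requirement that no exemption covers as blocked, and the any-source, any-port exemption as overly broad. Against a real network, the observed flows would come from the discovery baseline and the required flows from the business connectivity requirements gathered during planning, and the check would be repeated before, during and after the migration.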

From a network discovery standpoint, an accurate inventory of devices that can technically support IPsec is critical. It is important to know which network devices will need to be upgraded for cost estimation purposes, but it is just as important for implementation, since in many cases IPsec will break access control lists (ACLs) on devices that do not support it. Sometimes the device hardware footprint will not allow a device to function properly under peak loads in a network running IPsec, so identifying network hardware that can receive a RAM upgrade is important. Understanding how traffic flows at different times can help identify potential weaknesses in the infrastructure that will cause significant bottlenecks once IPsec traffic begins to flow through a particular device. An effective network discovery solution will show where all of the devices and ACLs on the network are located, report on their configurations and profiles, and show how traffic flows through them.

From a host point of view, understanding which devices are connected to the network and gathering basic information about their operating system, services and configuration is crucial to success. Having this information allows network managers to understand which version of the operating system is running on Windows servers and desktops for upgrade planning purposes, but this information is also necessary to understand the basic profiles for non-Windows machines, since these machines represent the bulk of the untrusted network. IPsec creates a great deal of overhead that could cause performance problems for any machine in the infrastructure that lacks the performance capabilities to run IPsec. The challenge is to pinpoint these machines, since in a large network, hosts tend to disappear from management. Finding and managing these unknown and untrusted hosts is perhaps the greatest single factor in reducing the risk profile of an SD&I migration.

Creating Visibility through Network Discovery

Clearly, enterprises need strong network discovery capabilities to create the visibility needed to plan, execute and manage a Windows Vista SD&I project. And though there are a number of approaches one can take to obtain this discovery competency, most are either unfeasible or too prone to mistakes. Manual discovery, for example, would prove too time consuming and, in any case, the inevitable human errors would significantly increase delays and costs for any migration project. Automated discovery using traditional network management auditing tools can play a role in the ultimate solution; however, these tools are insufficient by themselves. Most of these traditional solutions query using a single protocol, and will only return assets that respond to whatever management protocol is being used. SMS, for example, will only find hosts in Windows domains. While Microsoft recommends the use of automated discovery tools, it acknowledges their weaknesses:

"One problem with automated systems, however, is that hosts that are offline, unplugged, or otherwise physically (or logically) unable to respond to queries for information will not show up in the final database. Even the most automated systems require an element of manual management to ensure that the hosts are accessible and accounted for correctly." [4]

A multi-protocol discovery tool will fill in many of these gaps, particularly for the untrusted portion of the network, limiting the amount of manual discovery network staff must perform. Standardizing on a discovery solution that shows connectivity in addition to asset inventory will find weaknesses in the infrastructure and in security policy throughout the life of the migration project.

[4] Microsoft Solutions for Security and Compliance (MSSC), Server and Domain Isolation using IPSec and Group Policy. Microsoft Corporation. p. 45.
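The inventory questions raised above (which network devices cannot carry IPsec, which Windows versions are running where, which hosts have dropped out of management) and the idea of re-running discovery during the migration to measure progress, as an added example that is not part of the original paper and is not Lumeta's or Microsoft's code. The two snapshots are constructed sample data in an assumed record layout (IP, device kind, fingerprinted OS, IPsec capability, whether a management tool knows the asset); the layout is not the output format of IPsonar or any other real discovery tool.

```python
"""Compare discovery baselines taken at successive points of an SD&I migration.
Added example, not Lumeta's or Microsoft's code: both snapshots are constructed
sample data and their record layout is assumed, not any real tool's output."""
from collections import Counter
from typing import Dict, List, Tuple

Record = Dict[str, object]

# Constructed snapshot taken before the migration began.
PRE_MIGRATION: List[Record] = [
    {"ip": "10.10.1.5",  "kind": "host",   "os": "Windows Server 2003", "managed": True},
    {"ip": "10.10.1.7",  "kind": "host",   "os": "Windows XP",          "managed": True},
    {"ip": "10.10.2.2",  "kind": "host",   "os": "Windows Vista",       "managed": True},
    {"ip": "10.10.9.40", "kind": "host",   "os": "Linux",               "managed": False},
    {"ip": "10.10.0.1",  "kind": "router", "ipsec_capable": True,       "managed": True},
    {"ip": "10.10.0.2",  "kind": "router", "ipsec_capable": False,      "managed": True},
]

# Constructed snapshot taken part-way through the migration: one desktop was
# upgraded and a host nobody manages has appeared on the same segment.
MID_MIGRATION: List[Record] = [
    {"ip": "10.10.1.5",  "kind": "host",   "os": "Windows Server 2003", "managed": True},
    {"ip": "10.10.1.7",  "kind": "host",   "os": "Windows Vista",       "managed": True},
    {"ip": "10.10.2.2",  "kind": "host",   "os": "Windows Vista",       "managed": True},
    {"ip": "10.10.9.40", "kind": "host",   "os": "Linux",               "managed": False},
    {"ip": "10.10.9.41", "kind": "host",   "os": "unknown",             "managed": False},
    {"ip": "10.10.0.1",  "kind": "router", "ipsec_capable": True,       "managed": True},
    {"ip": "10.10.0.2",  "kind": "router", "ipsec_capable": False,      "managed": True},
]

# Operating systems whose IPsec group policy the migration is meant to deliver.
TARGET_OS = {"Windows Vista", "Windows Server Longhorn"}


def unmanaged_hosts(snapshot: List[Record]) -> List[str]:
    """Hosts discovery found that no management tool accounts for."""
    return sorted(str(r["ip"]) for r in snapshot
                  if r["kind"] == "host" and not r["managed"])


def ipsec_blockers(snapshot: List[Record]) -> List[str]:
    """Network devices that cannot carry IPsec traffic (their ACLs will break)."""
    return sorted(str(r["ip"]) for r in snapshot
                  if r["kind"] != "host" and not r.get("ipsec_capable", False))


def windows_version_counts(snapshot: List[Record]) -> Counter:
    """Fingerprinted Windows versions, for upgrade planning."""
    return Counter(str(r["os"]) for r in snapshot
                   if r["kind"] == "host" and str(r.get("os", "")).startswith("Windows"))


def migration_progress(snapshot: List[Record]) -> float:
    """Share of Windows hosts already on a target OS; 0.0 when there are none."""
    counts = windows_version_counts(snapshot)
    total = sum(counts.values())
    return sum(counts[name] for name in TARGET_OS) / total if total else 0.0


def diff_snapshots(before: List[Record], after: List[Record]) -> Tuple[List[str], List[str], List[Tuple]]:
    """Addresses that appeared, addresses that vanished, and OS changes between two baselines."""
    b = {str(r["ip"]): r for r in before}
    a = {str(r["ip"]): r for r in after}
    new = sorted(set(a) - set(b))
    gone = sorted(set(b) - set(a))
    os_changed = sorted((ip, b[ip].get("os"), a[ip].get("os"))
                        for ip in set(a) & set(b) if b[ip].get("os") != a[ip].get("os"))
    return new, gone, os_changed


if __name__ == "__main__":
    print("unmanaged hosts:", unmanaged_hosts(MID_MIGRATION))
    print("devices that cannot carry IPsec:", ipsec_blockers(MID_MIGRATION))
    print("Windows versions:", dict(windows_version_counts(MID_MIGRATION)))
    print(f"migration progress: {migration_progress(MID_MIGRATION):.0%}")
    print("changes since baseline:", diff_snapshots(PRE_MIGRATION, MID_MIGRATION))
```

Run stand-alone, the script shows the router that still cannot carry IPsec, the two hosts outside management (one of which only appeared after the baseline was taken), the upgrade of 10.10.1.7 from Windows XP to Vista, and progress moving from one third to two thirds of Windows hosts on a target OS. The same comparison, repeated against each new discovery run, is what lets a team treat the baseline as a living record rather than a one-time planning input.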

Removing the Blindspots: The Lumeta Migration Solution

Lumeta provides organizations with a Vista Migration Service that addresses the substantial discovery requirements that Microsoft deems critical to the success of an SD&I project. The Lumeta service leverages the company's flagship IPsonar network assurance product to develop a baseline of the network infrastructure and connectivity that can be used to define isolation policies and identify needed changes to the network infrastructure. Organizations can use this baseline of network data throughout the migration project to measure progress, validate policies and limit project risk from unknown devices and hosts.

Unlike traditional discovery capabilities provided by network management tools, Lumeta's technology employs multi-protocol discovery to find unknown and unmanaged devices and hosts, all while enabling network and security staff to understand the flow of application connectivity across the enterprise. Lumeta's Migration Service leverages IPsonar's visual analytics capabilities to allow network and security staff to evaluate policy by comparing observed connectivity with ACLs to identify unauthorized connectivity. No other solution on the market supports this type of analysis. Finally, IPsonar's fingerprinting capabilities help show which machines are running which versions of the Windows operating system (or any other major operating system), as well as a basic profile of the different network and security devices connected to the network. For more information about Lumeta's Vista Migration Service, please visit www.lumeta.com/vista.

Conclusion

The network security features inherent in Microsoft Windows Vista represent a tremendous opportunity for organizations to improve their enterprise security posture. However, like most systems, group IPsec policy enforcement in Windows Vista is only as good as its weakest link. Implementing policies as part of an SD&I scenario is potentially a risky proposition in a large heterogeneous enterprise if the proper planning steps aren't taken. Building a comprehensive view of the network infrastructure and enterprise connectivity is a critical success factor for planning and implementing SD&I. Traditional discovery tools will not provide the necessary visibility to minimize risk to a Vista migration project. Lumeta's Vista Migration Service addresses critical gaps in network knowledge to reduce the time, cost and risk of adopting Vista.

For more information about how Lumeta can help you secure your network in the face of change, please email info@lumeta.com or call +1.732.357.3500.

About Lumeta Corporation

Lumeta provides large enterprises and government agencies with the global visibility needed to quantify network risk and measure the impact of network change. Our network assurance solutions enable IT organizations to deploy new business services, maintain existing service levels and minimize network security risk to ensure compliant operations. Lumeta's flagship product, IPsonar, is the industry's only solution that allows agencies to measure risk from a global network perspective. IPsonar maps every asset on a network, including assets not currently under management, visualizes the connectivity between assets and networks to uncover risk patterns and policy weaknesses, and enables network and security teams to bring unknown assets under management while deploying security technology more effectively to mitigate risk. For more information, visit the Lumeta Web site at www.lumeta.com.