Domain Isolation Planning Guide for IT Managers


Microsoft Corporation
Published: March 28, 2005
Author: James R. Morey
Editor: Rosanne Newland

Abstract

Designed for enterprise IT managers who are investigating using IPsec in Microsoft Windows to deploy domain isolation, this white paper will help you and your IT staff to gather the information required to develop a domain isolation deployment plan and to design your IPsec policies. It includes an overview of the deployment process, a step-by-step guide to the planning process, and links to resources that you can use to plan and design your deployment. It does not explain how to deploy domain isolation.

This is a preliminary document and may be changed substantially.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the example companies, organizations, products, domain names, addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, address, logo, person, place, or event is intended or should be inferred.

Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.


Contents

Domain Isolation Planning Guide for IT Managers
  Terminology Used in This Guide
  IT Roles Used in This Guide
Introduction to Deployment Planning Phases
  Collect Information About Your IT Environment
  Determine Your Domain Isolation Needs
  Design Your IPsec Policies
  Deploy the Policies in a Test Environment
  Refine Policies
  Create a Deployment Schedule
  Prepare for User and Infrastructure Support
Inform Team Members About IPsec
Phase 1: Collect IT Environment Information
  Collect Computer Information
  Collect Network Device Information
  Collect Active Directory/Domain Information
  Collect Regulation and Other External Constraint Information
  Collect Security Information
  Collect Service Level Agreement Information
  Collect User and Partner Connectivity Information
  Collect Interoperability Information
Phase 2: Determine Your Domain Isolation Needs
  Business Needs
  Regulation Needs
  Security Needs
  Service Level Agreement Needs
  IPsec Technology Needs
  User and Partner Needs
  Interoperability Needs
Phase 3: Design Your IPsec Policies
  Review IPsec Policy Design Documentation
  Create a Naming Convention
  Create an IPsec Policy Management Process
  Review Example IPsec Policies
  Design IPsec Filter Actions
  Design IPsec Filters and Filter Lists
  Design IPsec Policy Rules
  Design IPsec Policies
Phase 4: Deploy the Policies in a Test Environment
  Determine the Appropriate Test Environment
  Deploy the Policies to the Test Environment
Phase 5: Refine Policies
Phase 6: Create a Deployment Schedule
Phase 7: Prepare for User and Infrastructure Support
Other Resources

Domain Isolation Planning Guide for IT Managers

This document is intended for IT professionals who are investigating using IPsec in Microsoft Windows to deploy domain isolation in their environments. This guide is designed to help you work with your IT staff to gather the necessary information, design your IPsec policies, and create a deployment plan.

This guide includes an overview of the deployment process, a step-by-step guide to the planning process, and links to other resources that you can use in the planning and design process. The material in this guide covers the planning of the deployment and not the actual deployment process itself. This guide provides material relevant only to Windows-based computers and is not intended as a guide for deploying domain isolation on operating systems other than Windows. This guide does not provide background information about IPsec and related technologies.

Note: This is preliminary documentation and subject to change.

Terminology Used in This Guide

These terms are defined so that you can more clearly understand how they are used in this guide:

Domain isolation - This is the use of network security technology to protect domain member computer assets from unknown or unauthorized computers that exist outside of, or in, your managed IT environment. You can use IPsec to create an authentication and/or encryption boundary around and/or within your domain that protects your Windows-based computers from being accessed by these unknown or unauthorized computers.

Managed computer - This is any computer that is granted access to other computers according to your IPsec policies. These are typically members of the domain or domains, but can also include roaming computers, such as laptops, and computers outside of the domain.

Unmanaged computer - This is any computer that is not granted access to computers in a managed environment. This could include computers that do not belong to a domain or domain members that must be denied access for security or business reasons.

Managed environment - A managed environment is any subset of the computers in your IT environment protected by an IPsec policy from computers without corresponding IPsec policies. The managed environment is typically equivalent to your domain, business division, or organizational unit.

IPsec-enabled - This describes any computer or device that is configured to use the Microsoft Windows implementation of the IPsec standards specifically.

IPsec-capable - This describes any computer or device that is configured to use some implementation of the IPsec standards. It does not necessarily mean that the computer or device is compatible with Microsoft's implementation of the IPsec standards.

IPsec-incapable - This describes any computer or device that cannot be configured to use some implementation of the IPsec standards.

IPsec-compatible - This describes any computer or device that does not necessarily implement IPsec but can be used with some implementation of the IPsec standards.

IPsec-incompatible - This describes any computer or device that does not implement IPsec and cannot be used with any implementation of the IPsec standards.

Boundary computers - A boundary computer is a managed computer that accepts unsecured communications with unmanaged computers. These might be special file servers that share files with business partners or regulatory agencies.

Proxy computer - These are very similar to boundary computers, but differ in that they are specifically designed to function as proxy servers for connections between domains, segments, or your IT environment and the Internet. These computers might also be firewalls that allow only specific ports and protocol traffic in and out of domains.

IT Roles Used in This Guide

The IT roles used in this guide are generalizations derived from the IT industry and should closely approximate those in your IT structure. Your roles might differ from these, but they are offered to help you assign tasks to your staff members.

Role: IT Manager
Team Member: <add name>
Primary Responsibilities: Coordinates the deployment effort and communicates status to upper management. Manages the IT staff responsible for the infrastructure, desktop and server deployment, and server administration and operations. Evaluates the impact of the technology solution on core business and IT resources. Uses this guide to assign tasks to staff members, collect and collate information, guide the overall process of planning, and make the major decisions.

Role: Systems Architect
Team Member: <add name>
Primary Responsibilities: Provides information and assists in IPsec policy design. Responsible for designing the overall server infrastructure for all systems. Develops server deployment strategies and policies. Contributes to networking connectivity design. Ensures that deployment policies are followed. Provides overall architectural guidance and assists in designing the managed environments and policies for establishing these segments.

Role: Security Manager
Team Member: <add name>
Primary Responsibilities: Provides information, assists in IPsec policy design, and assists IT Manager in planning. Responsible for determining and implementing server security policy. Evaluates new technology and its effects upon security and availability. Responsible for security issues and solutions. Is the primary source of information about what security levels are needed for segments, how segments might be designed around security needs, what current security policies and tools can be made obsolete by domain isolation, and what security concerns might arise in the design and implementation of domain isolation.

Role: Windows Systems Administrator
Team Member: <add name>
Primary Responsibilities: Provides information and implements policies on Windows-based computers. Responsible for determining and implementing server security policy. Evaluates new technology and its effects upon security and availability. Responsible for security issues and solutions. Is the primary source of information about what security levels are needed for segments, how segments might be designed around security needs, what current security policies and tools can be made obsolete by domain isolation, and what security concerns might arise in the design and implementation of domain isolation.

Role: UNIX Systems Administrator
Team Member: <add name>
Primary Responsibilities: Provides information and assists Helpdesk and Security Managers in planning. Responsible for configuration and administration of UNIX servers, including upgrades, backups, capacity monitoring, and planning and interoperability issues with Windows systems. Is the primary source of information about IPsec interoperability between UNIX and Windows.

Role: Network Administrator
Team Member: <add name>
Primary Responsibilities: Provides information and assists in IPsec policy design and implementation. Responsible for overall connectivity for the entire network, including hardware. Manages connectivity between heterogeneous systems (Windows and UNIX). Troubleshoots all performance issues across the network. Provides significant input regarding how the network will influence the design of, or be affected by, IPsec policies.

Role: Database Administrator
Team Member: <add name>
Primary Responsibilities: Provides information and assists in IPsec policy design. Also assists in the configuration and management of database solutions. Evaluates build images, deploys new databases and changes, and conducts server integration testing. Is the primary source of information about how domain isolation might affect database access and performance.

Role: Desktop Configuration Manager
Team Member: <add name>
Primary Responsibilities: Provides information and assists in IPsec policy design and implementation. Responsible for provisioning desktop PCs and deploying service packs and updates to these PCs. Involved in setting the strategic direction for the desktop operating system and applications. Is the primary source of information about how IPsec policies might affect desktop configuration.

Role: Helpdesk Manager
Team Member: <add name>
Primary Responsibilities: Provides information and creates user education and notification materials. Responsible for all Helpdesk operations. Is the primary contact for information about how users might be affected, or respond to, access issues during or after deployment, and how user education can help mitigate any issues that might arise.

Introduction to Deployment Planning Phases

This section provides a brief overview of the different phases involved in the domain isolation planning process. This process is suggested as a way of making domain isolation deployment as effective and efficient as possible and to suggest how you can work with your IT team to gather the needed information, discuss domain isolation issues, create a deployment plan, design IPsec policies, and test/refine these policies to reduce any user and operations issues that might arise from domain isolation.

Collect Information About Your IT Environment

You and your team will gather information about network topology, security policy and implementation, server operating systems and applications, service level agreements (SLAs), user types, any interoperability issues or concerns, and regulations or other external constraints. This information will be used along with other information, such as IT policies and guidelines and any business needs, to determine what domain isolation needs you have and then to design the IPsec policies that will be used to fulfill these domain isolation needs.

Determine Your Domain Isolation Needs

You and your team will use the collected information and determine what kind of isolation needs you have based upon business needs, regulatory influences, security requirements, Service Level Agreements, the IPsec technology, user needs, and other factors.

Design Your IPsec Policies

This is probably the most crucial of the phases and requires close attention to the details for designing IPsec filter lists, filter actions, rules, and policies for each segment. Carefully designed policies will make the deployment process smooth and efficient, the isolation effective, the protection of your assets solid, and it will keep user problems to a minimum while still meeting all SLAs, regulatory requirements, and other criteria.

Deploy the Policies in a Test Environment

Your team can test the domain isolation deployment and discover any refinements that should be made to the IPsec policies and the deployment process before deploying to a large or business-critical segment. The test environment can be designed specifically for deployment testing, or it can be a small, non-business-critical domain environment.

Refine Policies

The test phase might highlight some connectivity, security, or administration issues that can be addressed by refinements to your IPsec policies, by adjustments in operations and administration, or by improvements in user education. This information is important for a smooth and effective deployment.

Create a Deployment Schedule

Once you have your plans and IPsec policies completed, your team can discuss and solidify how, when, and where you will implement domain isolation. This phase is where you can discuss any potential problems with the schedule and agree on the best plan for actual deployment.

Prepare for User and Infrastructure Support

Before deployment you can develop plans, documents, and tools to assist your helpdesk staff to deal with pre-deployment notification and education, user issues during deployment, and any post-deployment issues that might arise as a result of domain isolation deployment.

Inform Team Members About IPsec

The planning and design of domain isolation will be more efficient and effective if your team has a good understanding of what IPsec is and how it can be used for domain isolation. The following table lists the type of IPsec information that might be useful before you begin the domain isolation planning phases.

- Review IPsec concepts.
- Review examples of domain isolation deployment.
- Review IPsec limitations.
- Review IPsec interoperability information.

Roles: As needed; IT Manager, Systems Architect, Security Manager; IT Manager, Systems Architect, Security Manager, others as needed; IT Manager, Systems Architect, Security Manager, others as needed

Phase 1: Collect IT Environment Information

Collect Computer Information

Because not all computers in your environment will implement IPsec the same way, you must document the operating systems and service pack versions on your computers, both servers and desktop computers.

- Identify IPsec-enabled Windows-based computers (Microsoft Windows 2000, Microsoft Windows XP, and Microsoft Windows Server 2003).
- Identify IPsec-incapable Windows-based computers (Microsoft Windows 98, Microsoft Windows Millennium Edition, and Microsoft Windows NT 4.0).
- Identify IPsec-capable computers using operating systems other than Windows (UNIX, BSD Unix, Macintosh OS X, Linux, IBM OS390, Sun Microsystems Solaris 8, etc.).
- Identify IPsec-incapable computers that are not running Windows.

Roles: Windows Systems Administrator; Windows Systems Administrator, Desktop Configuration Manager; UNIX Systems Administrator, Desktop Configuration Manager; UNIX Systems Administrator, Desktop Configuration Manager

Collect Network Device Information

Network devices, such as routers or firewalls, are also involved in the domain isolation, and their IPsec capabilities must be documented to ensure that deployment planning takes them into account.

- Identify IPsec-compatible network devices (Cisco IOS, Lucent VPN Firewall Bricks, Lucent Access Point IP services routers, 3Com SuperStack 3 Firewall, Nortel VPN Gateways, etc.).
- Identify IPsec-incompatible network devices - these devices cannot allow IPsec-protected packets to traverse the network.

Roles: Network Administrator; Network Administrator, Systems Architect, UNIX Systems Administrator

Collect Active Directory/Domain Information

Your IPsec policy design will be strongly influenced by your domain structure. Document your domain structure to identify organizational and business units that might require different levels of security and other information.

- Document your domain structure.
- Document your organizational units (OUs).
- Document your global security groups.

Roles: Systems Architect; Systems Architect, IT Manager

Collect Regulation and Other External Constraint Information

Your organization might be affected by regulations that require enhanced security, access to information, or other actions. By being aware of these impacts during the IPsec policy design, you can ensure compliance or plan for compliance issues.

- Identify any government regulations that might affect planning and design.

Roles: IT Manager

- Identify any business partner regulatory requirements that might affect planning and design.
- Identify any international regulatory requirements that might affect planning and design.
- Identify any company policies that might affect planning and design.

Roles: IT Manager; IT Manager; IT Manager

Collect Security Information

Your IPsec policy design will be strongly influenced by your current security policies and practices, such as firewall configurations. IPsec policies will also affect and expand your security policies.

- Document your firewall configurations.
- Document your software update policies and processes.
- Document your application deployment policies.
- Document your security response plan.

Collect Service Level Agreement Information

Your domain isolation planning process must be designed and deployed in a way that complies with your SLAs. By being aware of these SLAs during the planning and design process, you can ensure compliance or make plans for mitigating and dealing with any compliance problems.

- Identify any internal/direct SLA requirements that might affect planning and design.
- Identify any business partner SLA requirements that might affect planning and design.
- Identify any international SLA requirements that might affect planning and design.

Roles: IT Manager, UNIX Systems Administrator, Database Administrator, Desktop Configuration Manager, Network Administrator; IT Manager; IT Manager

Collect User and Partner Connectivity Information

You need to consider how domain isolation will affect user connectivity during and after the deployment. This information can guide you in designing and deploying IPsec policies or in training staff and informing users before and after deployment.

- Identify IT administrative staff that must have uninterrupted connectivity.
- Identify knowledge workers.
- Identify Helpdesk personnel that require detailed knowledge of the deployment.
- Identify internal or external partners that require uninterrupted connectivity.
- Document any applications that require uninterrupted connectivity.
- Identify security personnel that must monitor security during the deployment.

Roles: IT Manager; Desktop Configuration Manager; Helpdesk Manager; IT Manager; Desktop Configuration Manager, Windows System Administrator, Database Administrator

Collect Interoperability Information

Understanding how your IPsec policy design and deployment might affect IPsec-incompatible computers and computers with other implementations of IPsec will help you to plan the security for these computers and to determine how they will connect to IPsec-enabled computers.

- Identify any servers that are incompatible with Microsoft's implementation of IPsec but must access resources on Windows servers.
- Identify any Windows servers that are incompatible with servers configured for a non-Microsoft implementation of IPsec but must access resources on these servers.
- Identify any applications that might require IPsec policy exemptions for business reasons.

Roles: UNIX Systems Administrator, Desktop Configuration Manager; Windows System Administrator; Desktop Configuration Manager, Windows System Administrator

Phase 2: Determine Your Domain Isolation Needs

Business Needs

Your IPsec policies must also take into account your business needs and the financial impact that the deployment might have.

- Identify which business applications will need to be added to the default exemptions.

Roles: Systems Architect

- Document how knowledge workers, internal customers, and partners will be affected by domain isolation deployment and the business impact of this.
- Document how the operations infrastructure will be affected by domain isolation deployment and the business impact of this.

Roles: Helpdesk Manager, Desktop Configuration Administrator, Systems Architect, IT Manager

Regulation Needs

Government and international regulations might influence your IPsec policy designs. You should enumerate the regulations and restrictions you must comply with and take these into account during the design phase.

- Document the regulations you must comply with.
- Determine the time-frame you have to comply.
- Determine how you can use domain isolation to comply with these regulations.

Roles: IT Manager; IT Manager; IT Manager, Systems Architect

Security Needs

You might have sensitive data or servers that require additional security in your environment. You should enumerate these and take into account what levels and types of security you want domain isolation to provide.

- Document any effects of deploying domain isolation upon current security policies.
- Identify whether any additional security administration will be required.

Roles: Desktop Configuration Manager, IT Manager

- Determine whether any of your current security technologies are incompatible with domain isolation.
- Identify any places where you will need boundary computers.

Roles: Network Administrator, Systems Architect, Network Administrator, UNIX Systems Administrator

Service Level Agreement Needs

During the planning process, determine whether the deployment will negatively affect your SLAs.

- Determine how domain isolation will affect deployment and administration of SLAs.
- Document how this effect will be measured.
- Document how this effect will be mitigated or corrected.
- Determine how any effects upon SLAs will be communicated with the appropriate parties.

Roles: IT Manager; IT Manager; IT Manager, IT Manager, Helpdesk Manager

IPsec Technology Needs

Some of the policy design decisions are based on the IPsec technology itself and how it secures traffic and data.

- Document which of the four IPsec-negotiated security modes will be used, where they will be used, and why. The four modes are:
    Request Mode. A host responds to both IPsec and unauthenticated (non-IPsec) requests. It initiates communications with IPsec and, if that fails, allows unauthenticated communications.
    Secure Request Mode. A host responds to requests secured by IPsec and ignores unauthenticated requests. It initiates communications with IPsec and, if that fails, returns to unauthenticated communication.
    Secure Require Mode. A host requires IPsec-secured communications for both incoming and outgoing requests.
    Default Response. A host responds to IPsec requests, but never initiates IPsec.
- Identify where IPsec tunnel mode will be needed.
- Identify where data integrity using Authentication Header (AH) will be needed.
- Identify where data integrity and encryption (using ESP) will be needed.
- Document which forms of encryption will be used and where.
- Document which forms of authentication will be used and where.

Roles: Systems Architect

- Identify which ports/protocols will need to be opened in firewalls for IPsec.
- Identify where no IPsec protection will be needed.

Roles: Network Administrator, Network Administrator, UNIX Systems Administrator, Desktop Configuration Manager

User and Partner Needs

Your domain isolation design and deployment plans should also take into account how the process might affect the ability of users and partners to access information on your network.

- Determine how users might be affected by the deployment.
- Determine what user education steps can be taken to prepare users for the deployment and any possible issues resulting from it.
- Determine how partners might be affected by the deployment.
- Determine what steps can be taken to prepare partners for the deployment and any possible issues resulting from it.

Roles: Helpdesk Manager; Helpdesk Manager; IT Manager; IT Manager, Helpdesk Manager

Interoperability Needs

If your environment includes computers that either cannot implement IPsec or whose implementation of IPsec is not the same as Microsoft's implementation, then you need to determine how, or even if, you will allow these computers to communicate with IPsec-enabled computers.
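
The four modes listed under IPsec Technology Needs decide which of these computers can reach each other at all. The following Python model is an added example, not part of the Microsoft guide: it encodes the mode descriptions as flags and classifies each required flow as secured, clear or blocked. The `Mode` flags, the treatment of Default Response and IPsec-incapable hosts, the reply-upgrade rule and the sample inventory are assumptions, marked in the comments.

```python
"""First-order reachability model for the guide's four IPsec modes (added example).

Built only from the mode descriptions in the guide; filters, exemptions and
IKE details are not modelled.
"""
from dataclasses import dataclass

SECURED, CLEAR, BLOCKED = "secured", "clear", "blocked"


@dataclass(frozen=True)
class Mode:
    name: str
    speaks_ipsec: bool           # can take part in an IPsec negotiation
    initiates_ipsec: bool        # opens its own connections with IPsec
    falls_back_to_clear: bool    # goes unauthenticated if negotiation fails
    accepts_clear_inbound: bool  # answers unauthenticated requests


REQUEST = Mode("Request", True, True, True, True)
SECURE_REQUEST = Mode("Secure Request", True, True, True, False)
SECURE_REQUIRE = Mode("Secure Require", True, True, False, False)
# Assumption: the guide does not say how Default Response treats
# unauthenticated requests; it is modelled as answering them.
DEFAULT_RESPONSE = Mode("Default Response", True, False, False, True)
# Assumption: an IPsec-incapable host sends and accepts only
# unauthenticated traffic.
IPSEC_INCAPABLE = Mode("IPsec-incapable", False, False, False, True)

ALL_MODES = (REQUEST, SECURE_REQUEST, SECURE_REQUIRE,
             DEFAULT_RESPONSE, IPSEC_INCAPABLE)


def outcome(initiator, responder):
    """Classify a connection opened by `initiator` towards `responder`."""
    both_speak = initiator.speaks_ipsec and responder.speaks_ipsec
    if initiator.initiates_ipsec:
        if both_speak:
            return SECURED
        if initiator.falls_back_to_clear and responder.accepts_clear_inbound:
            return CLEAR
        return BLOCKED
    # The initiator opens the connection unauthenticated.
    if not responder.accepts_clear_inbound:
        return BLOCKED
    # Assumption: a responder that initiates IPsec also requests it for its
    # reply, and an IPsec-speaking initiator then answers that request.
    if responder.initiates_ipsec and both_speak:
        return SECURED
    return CLEAR


def matrix(modes=ALL_MODES):
    """Outcome for every ordered (initiator, responder) pair of modes."""
    return {(a.name, b.name): outcome(a, b) for a in modes for b in modes}


def review_flows(inventory, required_flows):
    """Group required flows by outcome.

    Blocked flows need a mode change, an exemption or a boundary computer;
    clear flows are the ones that cross the isolation boundary unprotected.
    """
    report = {SECURED: [], CLEAR: [], BLOCKED: []}
    for src, dst in required_flows:
        report[outcome(inventory[src], inventory[dst])].append((src, dst))
    return report


# Constructed sample inventory: segment name -> planned mode.
INVENTORY = {
    "XP desktops": REQUEST,
    "Roaming laptops": DEFAULT_RESPONSE,
    "File servers": SECURE_REQUEST,
    "HR servers": SECURE_REQUIRE,
    "Windows 98 kiosks": IPSEC_INCAPABLE,
}
# Constructed list of flows the business needs (initiator, responder).
REQUIRED_FLOWS = [
    ("XP desktops", "HR servers"),
    ("Roaming laptops", "XP desktops"),
    ("Roaming laptops", "File servers"),
    ("File servers", "Windows 98 kiosks"),
    ("Windows 98 kiosks", "File servers"),
    ("Windows 98 kiosks", "XP desktops"),
]

if __name__ == "__main__":
    for kind, flows in review_flows(INVENTORY, REQUIRED_FLOWS).items():
        for src, dst in flows:
            print(f"{kind:8} {src} -> {dst}")
```

The asymmetry in the output is the planning point: a Secure Request server can still open connections to an IPsec-incapable host, but that host cannot open connections to the server.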

- Determine how IPsec-capable computers, IPsec-incompatible servers, and Macintosh clients will communicate.
- Determine how IPsec-capable computers will communicate with IPsec-incapable Windows clients.
- Document how any effects of denied communications will be mitigated or corrected.
- Determine which Windows services cannot be used with higher levels of IPsec protection.
- Determine whether there are any current IPsec policies (local or global) that might conflict with ones being designed.

Roles: UNIX Systems Administrator, Security Manager; Desktop Configuration Administrator, UNIX Systems Administrator, Desktop Configuration Administrator, Security Manager, Windows Systems Administrator

Phase 3: Design Your IPsec Policies

Review IPsec Policy Design Documentation

- Designing IPsec Policies
- Default IPsec Policies
- Determining Your IPsec Needs
- Special IPsec Considerations
- Weighing IPsec Tradeoffs
- Establishing an IPsec Security Plan

Roles: Systems Architect, Systems Architect, Systems Architect, Systems Architect, Systems Architect

Create a Naming Convention

You can create a naming convention for policies, filter lists, and filter actions. A naming convention can make backing up, restoring, and managing changes to policies much easier.

Policy names should include the managed environment and the date issued, for example, "Accounting_ "

Filter list names should describe the type of network traffic they match, for example, "All ICMP Traffic."

Filter action names should describe the level of security they provide and the type of negotiation they use, for example, "Request Security."

- Determine a naming convention for policies.
- Determine a naming convention for filter lists.
- Determine a naming convention for filter actions.

Roles: Systems Architect, Systems Architect, Systems Architect

Create an IPsec Policy Management Process

A policy management process can reduce confusion and make backing up, restoring, and managing changes to policies much easier. If you plan to create policies for a Windows Server 2003-based computer, you should keep in mind that Windows Server 2003 incorporates some new features that are not available in Windows XP or Windows For more information, see "IPsec Policy Compatibility Considerations" in Using Microsoft Windows IPsec to Help Secure an Internal Corporate Network Server.

- Document how policies will be created.
- Document where policies will be backed up.
- Document how policies will be backed up.

Roles: Systems Architect; Systems Architect; Systems Architect

- Document how policies will be changed, adjusted, and deployed.
- Determine how changes and backups will be documented.
- Determine how policies will be secured.

Roles: Systems Architect; Systems Architect

Review Example IPsec Policies

Microsoft provides default IPsec policies with Windows, and also in the Windows Server 2003 Security Guide, that you might be able to use, with modifications, in your environment. These can also be used as examples in your policy design process.

- Review the default policies.
- Determine whether any of these policies can be used with modifications for your environment.
- Review the policies provided in the Windows Server 2003 Security Guide.
- Determine whether any of these policies can be used with modifications for your environment.

Design IPsec Filter Actions

If the intranet traffic is to be secured, filter actions specify an ordered set of security methods (which integrity and encryption methods are used) and other settings. A combination of a filter action and a filter list makes up a rule in an IPsec policy. Try to create the fewest filter actions that meet your needs. For example, Microsoft IT was able to use only three for its environment. Your environment might be more diverse and might require more.

- Determine where encryption of packet contents is required.
- If encryption is used, determine which encryption algorithm is appropriate.
- If encryption is not being used, determine whether packet integrity (signing) is necessary or desired.
- Determine whether the correct action is to block, permit, or negotiate security.
- Determine whether the negotiation allows unsecured connections with IPsec-incapable computers or IPsec-capable computers with which IPsec negotiations fail.

Roles: Systems Architect, Systems Architect

Design IPsec Filters and Filter Lists

IP filters define matching criteria for a computer or a group of computers by specifying source and destination IP addresses, IP protocols, and source/destination TCP or UDP ports. Filter lists are a collection of one or more IP filters that logically belong together as a unit and that should have only one filter action associated with them. A rule combines a filter list with a filter action. As a best practice, use the Any IP address setting rather than the My IP address setting to mitigate problems with DHCP changing IP addresses.

- Determine which IP addresses or subnets should be included in the filter lists.
- Determine which protocol/port combinations belong in the filter lists.
- Determine where the filters within the filter lists should be and should not be mirrored.

Roles: Systems Architect, Systems Architect, Systems Architect

Design IPsec Policy Rules

An IPsec policy rule combines a filter list with a filter action. If the filter action requires security, then the rule also specifies authentication methods, tunnel mode settings, and the types of interfaces to which this rule applies.

Pair the filter lists with the appropriate filter actions to define the set of rules for the IPsec policy.
Determine if the default response rule needs to be enabled or disabled.
For rules requiring security, determine which authentication methods the rule uses to establish trust.
Systems Architect, Systems Architect, Systems Architect,

Design IPsec Policies

IPsec policies are a collection of one or more rules. Policies should group together all the rules that are appropriate for distribution to an OU, domain, or security group of the Active Directory directory service. Each segment will typically have an associated IPsec policy. The same policy might apply to many segments. Each computer can have only one policy assigned (active) at a time.

Determine where the policy will be deployed.
Determine which rules need to be added to the policy.
Determine which computers or subnets will need to be added to an exemption list.
, Systems Architect, Systems Architect, Systems Architect
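The design steps above (filters and filter lists, filter actions, rules, and an exemption list) can be checked on paper before any test deployment. The following Python model is an added example, not code from this white paper or from Microsoft: it evaluates test flows against a constructed three-rule policy and flags a filter list paired with more than one filter action. The 10.0.0.0/8 intranet, the host addresses, all rule and action names, and the simplified most-specific-filter ordering are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    src_port: int
    dst_port: int

@dataclass(frozen=True)
class Filter:
    src: str                # CIDR; "0.0.0.0/0" stands in for "Any IP address"
    dst: str
    protocol: str = "any"   # "tcp", "udp" or "any"
    dst_port: int = 0       # 0 = any port
    mirrored: bool = True   # also match the same traffic with the two ends swapped

    def matches(self, p):
        def one_way(src, dst, port):
            return (ip_address(src) in ip_network(self.src)
                    and ip_address(dst) in ip_network(self.dst)
                    and self.protocol in ("any", p.protocol)
                    and self.dst_port in (0, port))
        return one_way(p.src, p.dst, p.dst_port) or (
            self.mirrored and one_way(p.dst, p.src, p.src_port))

    def specificity(self):
        # Assumption: a simplified most-specific-first ordering (longer address
        # prefixes, then a named protocol, then a named port).
        return (ip_network(self.src).prefixlen + ip_network(self.dst).prefixlen,
                self.protocol != "any", self.dst_port != 0)

@dataclass(frozen=True)
class FilterAction:
    name: str
    action: str                      # "permit", "block" or "negotiate"
    fallback_to_clear: bool = False  # negotiate only: allow unsecured traffic if negotiation fails

    def outcome(self, peer_ipsec_capable):
        if self.action == "permit":
            return "clear"
        if self.action == "block":
            return "blocked"
        if peer_ipsec_capable:
            return "secured"
        return "clear" if self.fallback_to_clear else "blocked"

@dataclass(frozen=True)
class Rule:                          # a rule pairs one filter list with one filter action
    filter_list_name: str
    filters: tuple
    filter_action: FilterAction

def evaluate(rules, packet, peer_ipsec_capable):
    """Return "secured", "clear" or "blocked" for one packet under the policy."""
    candidates = [(f.specificity(), r) for r in rules
                  for f in r.filters if f.matches(packet)]
    if not candidates:
        return "clear"               # traffic that no filter matches is not handled by IPsec
    best = max(candidates, key=lambda c: c[0])[1]
    return best.filter_action.outcome(peer_ipsec_capable)

def lint(rules):
    """Flag filter lists that are paired with more than one filter action."""
    seen, warnings = {}, []
    for r in rules:
        first = seen.setdefault(r.filter_list_name, r.filter_action.name)
        if first != r.filter_action.name:
            warnings.append(f"filter list {r.filter_list_name!r} is paired "
                            "with more than one filter action")
    return warnings

def audit(rules, expectations):
    """Compare test flows with the intended result; return (label, wanted, actual) mismatches."""
    mismatches = []
    for label, packet, peer_capable, wanted in expectations:
        actual = evaluate(rules, packet, peer_capable)
        if actual != wanted:
            mismatches.append((label, wanted, actual))
    return mismatches

def build_policy(fallback_to_clear):
    """Constructed policy for a 10.0.0.0/8 intranet; every name and address is illustrative."""
    negotiate = FilterAction("Negotiate security", "negotiate", fallback_to_clear)
    return [
        Rule("Intranet subnets", (Filter("0.0.0.0/0", "10.0.0.0/8"),), negotiate),
        Rule("Exemption list", (Filter("0.0.0.0/0", "10.0.0.10/32"),
                                Filter("0.0.0.0/0", "10.0.0.11/32")),
             FilterAction("Permit", "permit")),
        Rule("Telnet to intranet", (Filter("0.0.0.0/0", "10.0.0.0/8", "tcp", 23),),
             FilterAction("Block", "block")),
    ]
```

Calling `audit(build_policy(False), flows)` with a list of `(label, packet, peer_ipsec_capable, wanted)` tuples returns the flows that a policy without fallback would block or expose against the design intent, which is the same comparison the refinement phase makes on live traffic.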

Phase 4: Deploy the Policies in a Test Environment

Determine the Appropriate Test Environment

The test environment will help you find and resolve any issues that could arise from your domain isolation deployment. The more closely the test environment represents your actual IT environment, the more effective this testing will be.

Determine whether the current test environment is appropriate for testing domain isolation.
If the test environment is not appropriate, determine what changes need to be made to the test environment to properly test policy design and deployment.
Determine the cost/benefit of making changes to the test environment.
Determine whether testing can be accomplished in a smaller, non-critical domain or subdomain.
, Systems Architect, Network Administrator, Systems Architect, Network Administrator IT Manager,, Systems Architect, Network Administrator IT Manager,, Systems Architect, Network Administrator

Deploy the Policies to the Test Environment

You should deploy the policies using the plan you have created. If you are also deploying non-Microsoft IPsec solutions, such as those for UNIX or Apple Macintosh computers, you should deploy the one with the largest operating base first and refine and stabilize it before deploying the other solutions. If you are using these solutions, be sure to test them all together before deploying to your IT environment.

Deploy the least restrictive policy.

Monitor the communications in this segment for failures, etc.
Correct any policy design issues (see "Refine Policies" below).
Continue to deploy, monitor, and correct until the deployment is successful.
Deploy other policies in order of increasing restriction.
Network Administrator, Systems Architect, Network Administrator, Systems Architect, Network Administrator, Systems Architect, Network Administrator

Phase 5: Refine Policies

During your test deployment, you might have issues that require a change to existing policies or the addition of new policies. The testing and refining process might require more than one cycle to find all the issues and redesign your policies to fit your environment. For more information about troubleshooting IPsec issues, see "Testing and Monitoring Successful IPsec Operation" in Using Microsoft Windows IPsec to Help Secure an Internal Corporate Network Server.

Determine whether any computers that should be able to connect are blocked.
Determine whether any computers that should be blocked can connect.
Determine whether any computer's performance is significantly affected by the policies.
Determine whether any computers already have a conflicting IPsec policy implemented.
Network Administrator, Windows Systems Administrator, Desktop Configuration Administrator Network Administrator, Network Administrator, Database Administrator, Windows Systems Administrator Network Administrator,, Windows Systems Administrator, Desktop Configuration Administrator

Determine whether any computers need to be updated so they can implement IPsec properly (for example, computers running Windows 2000, Windows XP with no service packs installed, and Windows XP with Service Pack 1 need to be updated for IPsec NAT-T support).
Determine whether any computers or network devices that were thought to be IPsec-capable are not.
Determine whether any computers that can use IPsec must have policies changed to work correctly (for example, any VPN servers that are not domain members, and therefore cannot use Kerberos v5 authentication, must use a certificate or preshared key).
Determine where VPN or other remote connections do not work with IPsec.
Determine whether there are any features or configurations that will not work with IPsec.
Network Administrator,, Windows Systems Administrator, Desktop Configuration Administrator Network Administrator, Network Administrator, Network Administrator, Network Administrator,

Phase 6: Create a Deployment Schedule

The policy testing and refinement processes will provide you with valuable information about how the deployment is best implemented for a given segment. You can also use the answers to the planning questions earlier to help you determine the best sequence of, and time frame for, IPsec deployment to your environment. Information based on the actions listed below might help you determine your deployment schedule.

As a best practice, Microsoft IT found that it worked for them to deploy to smaller, noncritical domains first, then to larger domains, and finally to mission-critical domains. They also deployed "Request Mode" first and then "Secure Mode."

Document the order in which the segments will be deployed.
Document the best date and time for the deployment.
Document how you will monitor the segment to make sure it is working properly.
Document a contingency plan if connectivity is blocked.
Document how you will back out a change if something goes wrong.
Determine when all parties should be informed of a pending change.
Determine how you will know that the deployment is sound enough to be implemented on the next segment.
Determine how you will know that the entire deployment is sound and the goals have been achieved.
IT Manager, Systems Architect, Security Manager IT Manager, Systems Architect Systems Architect, Systems Architect, Systems Architect, Helpdesk Manager Systems Architect,, Helpdesk Manager IT Manager, Systems Architect, Security Manager, Helpdesk Manager

Phase 7: Prepare for User and Infrastructure Support

After you have finalized your deployment schedule, you can finalize when and how you will inform the operations staff, department heads, server owners, application owners, users, and partners of the pending changes. The actions listed below might help you determine your helpdesk needs.

Inform the helpdesk staff of the changes, what they need to do to prepare for them, what they can expect to experience, and who to contact in case of problems.
Train helpdesk staff using simulation drills with problems that are likely to arise.
Inform the helpdesk staff about IPsec and the deployment process, possible problems that might arise, resources for helping users with these problems, and who to escalate problems to.
Inform the following groups of the changes, what they need to do to prepare for them, what they can expect to experience, and who to contact in case of problems:
  Department heads
  IT Operations staff
  IT Security staff
  Server owners
  Application owners
  Users
  Partners
Helpdesk Manager Helpdesk Manager Helpdesk Manager Helpdesk Manager, Windows Systems Administrator
Document confirmation of compliance from all parties, signifying that they understand and have made all changes necessary for compliance.
Helpdesk Manager, IT Manager

Other Resources

IPsec concepts and overview
  How IPSec Works

  IPSec Concepts

Examples of IPsec deployments
  Using Microsoft Windows IPsec to Help Secure an Internal Corporate Network Server (Foundstone whitepaper)

Resources for understanding IPsec interoperability
  Description of the Microsoft L2TP/IPsec Virtual Private Networking Client for Earlier Clients - Microsoft Support Article
  "Soft Associations" Between IPsec-Enabled and Non-IPsec-Enabled Computers - Microsoft Support Article

Resources for understanding IPsec limitations
  IPsec Default Exemptions Can Be Used to Bypass IPsec Protection in Some Scenarios (Windows 2000) - Microsoft Support Article
  Traffic That Can--and Cannot--Be Secured by IPsec (Windows 2000) - Microsoft Support Article

Resources for designing IPsec policies
  Windows Server 2003 Security Guide (The downloaded guide is in PDF format. Sample scripts for building IPsec policies from the command line are available in the "Tools and Templates\Security Guide\Sample Scripts" folder of the downloaded guide.)
  Designing IPsec Policies

Resources for understanding IPsec implementation details
  How To Use IPsec
  Deploying IPSec

Resources for understanding IPsec testing
  Testing Your Policies in a Test Lab
  Testing Your Policies in a Pilot Project

Resources for understanding IPsec troubleshooting
  How to Disable IPSEC for Clients That Are Running an Earlier Version of Windows - Microsoft Support Article

  IPSec Troubleshooting


More information

SECURE FILE TRANSFER PROTOCOL. EventTracker v8.x and above

SECURE FILE TRANSFER PROTOCOL. EventTracker v8.x and above SECURE FILE TRANSFER PROTOCOL EventTracker v8.x and above Publication Date: January 02, 2019 Abstract This guide provides instructions to configure SFTP logs for User Activities and File Operations. Once

More information

Choosing the Right Solution for Strategic Deployment of Encryption

Choosing the Right Solution for Strategic Deployment of  Encryption Choosing the Right Solution for Strategic Deployment of Email Encryption White Paper: Enterprise Email Encryption Email Protection Buyer s Guide Choosing the Right Solution for Strategic Deployment of

More information

Hillstone IPSec VPN Solution

Hillstone IPSec VPN Solution 1. Introduction With the explosion of Internet, more and more companies move their network infrastructure from private lease line to internet. Internet provides a significant cost advantage over private

More information

Configuring VPN from Proventia M Series Appliance to Proventia M Series Appliance

Configuring VPN from Proventia M Series Appliance to Proventia M Series Appliance Configuring VPN from Proventia M Series Appliance to Proventia M Series Appliance January 13, 2004 Overview Introduction This document describes how to configure a VPN tunnel from one Proventia M series

More information

Polycom RealPresence Access Director System

Polycom RealPresence Access Director System Release Notes Polycom RealPresence Access Director System 4.0 June 2014 3725-78700-001D Polycom announces the release of the Polycom RealPresence Access Director system, version 4.0. This document provides

More information

Course : Planning and Administering SharePoint 2016

Course : Planning and Administering SharePoint 2016 Course Outline Course 20339-1: Planning and Administering SharePoint 2016 Duration: 5 days About this course This five-day course will provide you with the knowledge and skills to plan and administer a

More information

VPN Configuration Guide. Cisco ASA 5500 Series

VPN Configuration Guide. Cisco ASA 5500 Series VPN Configuration Guide Cisco ASA 5500 Series 2015 equinux AG and equinux USA, Inc. All rights reserved. Under copyright law, this configuration guide may not be copied, in whole or in part, without the

More information

Remote Connectivity for SAP Solutions over the Internet Technical Specification

Remote Connectivity for SAP Solutions over the Internet Technical Specification Remote Connectivity for SAP Solutions over the Technical Specification June 2006 Remote Connectivity for SAP Solutions over the page 2 1 Introduction SAP offers secure connections over the for support

More information

Planning and Administering SharePoint 2016

Planning and Administering SharePoint 2016 Planning and Administering SharePoint 2016 20339-1; 5 Days; Instructor-led Course Description This five-day course will provide you with the knowledge and skills to plan and administer a Microsoft SharePoint

More information

ZENworks for Desktops Preboot Services

ZENworks for Desktops Preboot Services 3.2 Novell ZENworks for Desktops Preboot Services DEPLOYMENT www.novell.com Legal Notices Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation,

More information

Deploy VPN IPSec Tunnels on Oracle Cloud Infrastructure. White Paper September 2017 Version 1.0

Deploy VPN IPSec Tunnels on Oracle Cloud Infrastructure. White Paper September 2017 Version 1.0 Deploy VPN IPSec Tunnels on Oracle Cloud Infrastructure White Paper September 2017 Version 1.0 Disclaimer The following is intended to outline our general product direction. It is intended for information

More information

Integrating Terminal Services Gateway EventTracker Enterprise

Integrating Terminal Services Gateway EventTracker Enterprise Integrating Terminal Services Gateway EventTracker Enterprise Publication Date: Jan. 5, 2016 EventTracker 8815 Centre Park Drive Columbia MD 21045 www.eventtracker.com Abstract The purpose of this document

More information

Module 9. Configuring IPsec. Contents:

Module 9. Configuring IPsec. Contents: Configuring IPsec 9-1 Module 9 Configuring IPsec Contents: Lesson 1: Overview of IPsec 9-3 Lesson 2: Configuring Connection Security Rules 9-11 Lesson 3: Configuring IPsec NAP Enforcement 9-21 Lab: Configuring

More information

Administering System Center 2012 Configuration Manager

Administering System Center 2012 Configuration Manager Administering System Center 2012 Configuration Manager Duration: 5 Days Course Code:10747D About this Course This course describes how to configure and manage a System Center 2012 R Configuration Manager

More information

1100 Dexter Avenue N Seattle, WA NetMotion Mobility Architecture A Look Under the Hood

1100 Dexter Avenue N Seattle, WA NetMotion Mobility Architecture A Look Under the Hood TM 1100 Dexter Avenue N Seattle, WA 98109 206.691.5555 www.netmotionwireless.com NetMotion Mobility Architecture A Look Under the Hood NetMotion Mobility Architecture A Look Under the Hood Wireless networking

More information

Introduction to Administration

Introduction to Administration Oracle Enterprise Manager Ops Center Administer Your Environment Using Oracle Enterprise Manager Ops Center 12c Release 3 (12.3.0.0.0) E59991-01 June 2015 This guide provides an end-to-end example for

More information

Cloud Access Manager How to Deploy Cloud Access Manager in a Virtual Private Cloud

Cloud Access Manager How to Deploy Cloud Access Manager in a Virtual Private Cloud Cloud Access Manager 8.1.3 How to Deploy Cloud Access Manager in Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described

More information

StoneGate SSL VPN. Release Notes for Version 1.4.5

StoneGate SSL VPN. Release Notes for Version 1.4.5 StoneGate SSL VPN Release Notes for Version 1.4.5 Created: March 3, 2011 Table of Contents What s New... 3 Enhancements... 3 Fixes... 3 System Requirements... 4 StoneGate Appliances... 4 Build Version...

More information

Creating Custom Patches through Packing List Utility

Creating Custom Patches through Packing List Utility Creating Custom Patches through Packing List Utility The information contained in this document is current as of the date of publication and subject to change. Because Tally must respond to changing market

More information

StoneGate Management Center. Release Notes for Version 5.3.2

StoneGate Management Center. Release Notes for Version 5.3.2 StoneGate Management Center Release Notes for Version 5.3.2 Created: September 21, 2011 Table of Contents What s New... 3 Enhancements... 3 Fixes... 3 Other Changes... 4 System Requirements... 5 Basic

More information

Security and Privacy Governance Program Guidelines

Security and Privacy Governance Program Guidelines Security and Privacy Governance Program Guidelines Effective Security and Privacy Programs start with attention to Governance. Governance refers to the roles and responsibilities that are established by

More information

Windows Server 2012 Immersion Experience Enabling Secure Remote Users with RemoteApp, DirectAccess, and Dynamic Access Control

Windows Server 2012 Immersion Experience Enabling Secure Remote Users with RemoteApp, DirectAccess, and Dynamic Access Control Windows Server 2012 Immersion Experience Enabling Secure Remote Users with RemoteApp, DirectAccess, and Dynamic Access Control Windows Server 2012 Hands-on lab In this experience, you will configure a

More information

Safe AutoLogon Password Server

Safe AutoLogon Password Server Safe AutoLogon Password Server Product Overview White Paper Software version: 8.0 www.wmsoftware.com Contents Introduction... 1 Safe AutoLogon... 1 A Complete Solution: Safe AutoLogon + Safe AutoLogon

More information

Agent Installation Using Smart Card Credentials Detailed Document

Agent Installation Using Smart Card Credentials Detailed Document Agent Installation Using Smart Card Credentials Detailed Document Publication Date: Sept. 19, 2016 EventTracker 8815 Centre Park Drive Columbia MD 21045 www.eventtracker.com Abstract This document is to

More information

VPN Configuration Guide SonicWALL

VPN Configuration Guide SonicWALL VPN Configuration Guide SonicWALL SonicOS Enhanced 2010 equinux AG and equinux USA, Inc. All rights reserved. Under copyright law, this manual may not be copied, in whole or in part, without the written

More information

Xerox Device Data Collector 1.1 Security and Evaluation Guide

Xerox Device Data Collector 1.1 Security and Evaluation Guide Xerox Device Data Collector 1.1 Security and Evaluation Guide 2009 Xerox Corporation. All rights reserved. Xerox, WorkCentre, Phaser and the sphere of connectivity design are trademarks of Xerox Corporation

More information

What s New in BID2WIN Service Pack 4

What s New in BID2WIN Service Pack 4 What s New in BID2WIN Service Pack 4 BID2WIN Software, Inc. Published: August, 2006 Abstract BID2WIN 2005 Service Pack 4 includes many exciting new features that add more power and flexibility to BID2WIN,

More information

Security and Architecture SUZANNE GRAHAM

Security and Architecture SUZANNE GRAHAM Security and Architecture SUZANNE GRAHAM Why What How When Why Information Security Information Assurance has been more involved with assessing the overall risk of an organisation's technology and working

More information

VMware AirWatch Certificate Authentication for Cisco IPSec VPN

VMware AirWatch Certificate Authentication for Cisco IPSec VPN VMware AirWatch Certificate Authentication for Cisco IPSec VPN For VMware AirWatch Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

CounterACT DHCP Classifier Plugin

CounterACT DHCP Classifier Plugin CounterACT DHCP Classifier Plugin Version 2.0.7 and Above Table of Contents About the CounterACT DHCP Classifier Plugin... 3 What to Do... 3 Requirements... 4 Install the Plugin... 4 Concepts, Components,

More information

StoneGate Management Center. Release Notes for Version 5.3.4

StoneGate Management Center. Release Notes for Version 5.3.4 StoneGate Management Center Release Notes for Version 5.3.4 Created: December 20, 2011 Table of Contents What s New... 3 Fixes... 3 Other Changes... 5 System Requirements... 6 Basic Management System Hardware

More information