Windows Server 20xx Firewall with Advanced Security Design Guide (edited draft) content summary:
detection systems, virtual private networking (VPN), IEEE authentication for wireless and wired connections, and IPsec connection security rules.

To successfully use this guide, you need a good understanding of both the capabilities provided by Windows Firewall with Advanced Security and how to deliver configuration settings to your managed computers by using Group Policy in Active Directory.

You can use the deployment goals to form one of these Windows Firewall with Advanced Security designs, or a custom design that combines elements from those presented here:

Basic firewall policy design. Restricts network traffic in and out of your computers to only that which is needed and authorized.

Domain isolation policy design. Prevents computers that are domain members from receiving unsolicited network traffic from computers that are not domain members. Additional zones can be established to support the special requirements of some computers, such as:
    A boundary zone for computers that must be able to receive requests from non-isolated computers.
    An encryption zone for computers that store sensitive data that must be protected during network transmission.

Server isolation policy design. Restricts access to a server to only a limited group of authorized users and computers. Commonly configured as a zone in a domain isolation design, but can also be configured as a standalone design, providing many of the benefits of domain isolation to a small set of computers.

Certificate-based isolation policy design. This design is a complement to either of the previous two designs, and supports any of their capabilities. It uses cryptographic certificates that are deployed to clients and servers for authentication, instead of the Kerberos V5 authentication used by default in Active Directory. This enables computers that are not part of an Active Directory domain, such as computers running operating systems other than Windows, to participate in your isolation solution.
In addition to descriptions and examples for each design, you will find guidelines for gathering required data about your environment. You can then use these guidelines to plan and design your Windows Firewall with Advanced Security deployment. After you read this guide, and finish gathering, documenting, and mapping your organization's requirements, you have the information that you need to begin deploying Windows Firewall with Advanced Security using the guidance in the Windows Firewall with Advanced Security Deployment Guide. You can find the Windows Firewall with Advanced Security Deployment Guide at these locations: (Web page) (Downloadable Word document)

Terminology used in this guide

The following table identifies and defines terms used throughout this guide.

Active Directory domain
    A group of computers and users managed by an administrator by using Active Directory Domain Services (AD DS). Computers in a domain share a common directory database and security policies. Multiple domains can coexist in a forest, with trust relationships that establish the forest as the security boundary.

Authentication
    A process that enables the sender of a message to prove its identity to the receiver. For connection security in Windows, authentication is implemented by the IPsec protocol suite.

Boundary zone
    A subset of the computers in an isolated domain that must be able to receive unsolicited and non-authenticated network traffic from computers that are not members of the isolated domain. Computers in the boundary zone request but do not require authentication. They use IPsec to communicate with other computers in the isolated domain.

Connection security rule
    A rule in Windows Firewall with Advanced Security that contains a set of conditions and an action to be applied to network packets that match the conditions. The action can allow the packet, block the packet, or require the packet to be protected by IPsec. In previous versions of Windows, this was called an IPsec rule.
Certificate-based isolation
    A way to add computers that cannot use Kerberos V5 authentication to an isolated domain, by using an alternate authentication technique. Every computer in the isolated domain and the computers that cannot use Kerberos V5 are provided with a computer certificate that can be used to authenticate with each other. Certificate-based isolation requires a way to create and distribute an appropriate certificate (if you choose not to purchase one from a commercial certificate provider).

Domain isolation
    A technique for helping protect the computers in an organization by requiring that the computers authenticate each other's identity before exchanging information, and refusing connection requests from computers that cannot authenticate. Domain isolation takes advantage of Active Directory domain membership and the Kerberos V5 authentication protocol available to all members of the domain. Also see Isolated domain in this table.

Encryption zone
    A subset of the computers in an isolated domain that process sensitive data. Computers that are part of the encryption zone have all network traffic encrypted to prevent viewing by non-authorized users. Computers that are part of the encryption zone also typically are subject to the access control restrictions of server isolation.

Firewall rule
    A rule in Windows Firewall with Advanced Security that contains a set of conditions used to determine whether a network packet is allowed to pass through the firewall. By default, the firewall rules in Windows Vista and Windows Server 2020 block unsolicited inbound network traffic. Likewise, by default, all outbound network traffic is allowed. The firewall included in previous versions of Windows only filtered inbound network traffic.

Internet Protocol security (IPsec)
    A set of industry-standard, cryptography-based
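The designs and zones described above, expressed as the connection security and firewall rules that a Group Policy object for each zone would carry. This is an added example, not code from the design guide; it assumes the NetSecurity PowerShell module (Windows 8 / Windows Server 2012 and later rather than the netsh tooling of the guide's era), and the domain, GPO names and computer-group SID are placeholders.

```powershell
# Added example, not from the design guide. Builds the per-zone rules the guide
# describes into a Group Policy object. Assumes the NetSecurity module and that
# the named GPO already exists. Domain, GPO names and the SID are placeholders.
function New-IsolationZoneGpo {
    param(
        [ValidateSet('IsolatedDomain', 'BoundaryZone', 'EncryptionZone', 'ServerIsolation')]
        [string] $Zone,
        [string] $PolicyStore = "corp.example.com\Isolation - $Zone",   # placeholder GPO
        [string] $AuthorizedComputersSid = 'S-1-5-21-PLACEHOLDER-1234'   # placeholder group SID
    )
    $gpo = Open-NetGPO -PolicyStore $PolicyStore
    # Domain isolation relies on Kerberos V5 computer authentication, the AD default.
    $p1 = New-NetIPsecPhase1AuthSet -DisplayName 'Computer Kerberos' -GPOSession $gpo `
        -Proposal (New-NetIPsecAuthProposal -Machine -Kerberos)
    switch ($Zone) {
        'IsolatedDomain' {
            # Members require authentication inbound; outbound is only requested so they
            # can still reach non-isolated hosts such as DNS or non-Windows servers.
            New-NetIPsecRule -DisplayName 'Isolated domain' -InboundSecurity Require `
                -OutboundSecurity Request -Phase1AuthSet $p1.Name -GPOSession $gpo
        }
        'BoundaryZone' {
            # Request but do not require: unsolicited, unauthenticated traffic is accepted.
            New-NetIPsecRule -DisplayName 'Boundary zone' -InboundSecurity Request `
                -OutboundSecurity Request -Phase1AuthSet $p1.Name -GPOSession $gpo
        }
        'EncryptionZone' {
            # Require authentication both ways and an ESP proposal that encrypts payloads.
            $qm = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256
            $qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName 'ESP AES256' -Proposal $qm -GPOSession $gpo
            New-NetIPsecRule -DisplayName 'Encryption zone' -InboundSecurity Require `
                -OutboundSecurity Require -Phase1AuthSet $p1.Name `
                -QuickModeCryptoSet $qmSet.Name -GPOSession $gpo
        }
        'ServerIsolation' {
            # Layer an inbound firewall rule on the IPsec rule: only the authorized computer
            # group (SDDL allow ACE for its SID) may connect, and only over authenticated IPsec.
            $sddl = "O:LSD:(A;;CC;;;$AuthorizedComputersSid)"
            New-NetIPsecRule -DisplayName 'Server isolation' -InboundSecurity Require `
                -OutboundSecurity Request -Phase1AuthSet $p1.Name -GPOSession $gpo
            New-NetFirewallRule -DisplayName 'Server isolation - authorized computers' `
                -Direction Inbound -Action Allow -Authentication Required `
                -RemoteMachine $sddl -GPOSession $gpo
        }
    }
    Save-NetGPO -GPOSession $gpo
}
# Usage: one GPO per zone, then link and security-filter each GPO to that zone's computer group.
New-IsolationZoneGpo -Zone 'BoundaryZone'
```

Each zone goes in its own GPO, filtered to that zone's computer group, because a single GPO carrying both a Require and a Request rule for the same traffic would apply the stricter rule to every member.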