1
00:00:00,740 --> 00:00:03,140
Connection Security Rules.

2
00:00:03,140 --> 00:00:07,860
When we're talking about Windows Defender Firewall connection security rules,

3
00:00:07,860 --> 00:00:12,890
we're talking about a principle that Microsoft calls domain isolation. So if

4
00:00:12,890 --> 00:00:17,800
you look on the topology diagram, I have it right. Now admittedly, that is an

5
00:00:17,800 --> 00:00:22,450
Azure virtual network infrastructure, but it just as well could be on‑premises

6
00:00:22,450 --> 00:00:28,200
VLANs, you see. The point I want to make is what if you had need to restrict

7
00:00:28,200 --> 00:00:35,300
traffic say to that sv08 virtual machine, that any traffic to that machine

8
00:00:35,300 --> 00:00:41,730
either had to be only from certain hosts, or if you'd made a connection to

9
00:00:41,730 --> 00:00:42,550
that machine,

10
00:00:42,550 --> 00:00:47,400
you would have to apply additional security to the network packet

11
00:00:47,400 --> 00:00:51,170
level? That's what we're talking about. Basically, a connection

12
00:00:51,170 --> 00:00:55,740
security rule brings in the Internet Protocol Security extensions

13
00:00:55,740 --> 00:00:58,240
to the IP, Internet Protocol.

14
00:00:58,240 --> 00:01:02,180
IPsec is the name of the technology. And it's simple

15
00:01:02,180 --> 00:01:04,500
as that. It allows us to use IPsec.

16
00:01:04,500 --> 00:01:06,980
Now IPsec operates in two different modes.

17
00:01:06,980 --> 00:01:11,300
There's tunnel mode that's used for virtual private network, or VPN,

18
00:01:11,300 --> 00:01:15,470
connections, but what we're talking about really for our exam success

19
00:01:15,470 --> 00:01:21,880
here in AZ‑801 today is transport mode. And this is where on a local area

20
00:01:21,880 --> 00:01:25,400
network or potentially frankly in a hybrid cloud if you're going from

21
00:01:25,400 --> 00:01:30,340
on‑prem into Azure over a site‑to‑site VPN or ExpressRoute tunnel, this

22
00:01:30,340 --> 00:01:38,030
enforces IPsec on the packet‑level basis between particular hosts. Going

23
00:01:38,030 --> 00:01:38,580
further,

24
00:01:38,580 --> 00:01:42,390
there are two components of Internet Protocol Security that do

25
00:01:42,390 --> 00:01:44,910
different things, but you can enable them together.

26
00:01:44,910 --> 00:01:49,160
One is Authentication Header. Another is Encapsulating Security

27
00:01:49,160 --> 00:01:53,560
Payload. ESP might be easier for a newcomer to understand.

28
00:01:53,560 --> 00:01:58,740
That's simply where you're encrypting the payload portion of the frame.

29
00:01:58,740 --> 00:02:02,170
Now, again, it gets more complex on how much of the frame is being

30
00:02:02,170 --> 00:02:05,390
encrypted and so on depending upon whether you're doing tunnel or

31
00:02:05,390 --> 00:02:09,080
transport mode, but for our purposes, we're just dealing with

32
00:02:09,080 --> 00:02:13,320
understanding that ESP provides your data confidentiality,

33
00:02:13,320 --> 00:02:17,800
that the payload or the data portion of those IP packets traveling

34
00:02:17,800 --> 00:02:22,280
between machines that are having connection security rules enforced will

35
00:02:22,280 --> 00:02:29,180
be encrypted and only the designated receiver system will be able to

36
00:02:29,180 --> 00:02:32,990
decrypt those ESP encrypted packets.

37
00:02:32,990 --> 00:02:37,380
Now Authentication Header is a different purpose. Authentication Header

38
00:02:37,380 --> 00:02:41,070
is about validation; it's about mutual authentication.

39
00:02:41,070 --> 00:02:46,540
AH is about preventing and mitigating man‑in‑the‑middle type attacks.

40
00:02:46,540 --> 00:02:49,660
In other words, you want to verify using checksums,

41
00:02:49,660 --> 00:02:52,910
you could use digital certificates, you can use Kerberos tickets.

42
00:02:52,910 --> 00:02:56,790
I'll show you more about this in our upcoming demo. But you can

43
00:02:56,790 --> 00:03:00,920
make sure that that connection security traffic between two hosts,

44
00:03:00,920 --> 00:03:04,950
that they're validating that the packets are in fact coming from

45
00:03:04,950 --> 00:03:09,840
that source and not from, again, a man‑in‑the‑middle attacker.

46
00:03:09,840 --> 00:03:14,280
So you can enable AH or ESP separately, or for maximum

47
00:03:14,280 --> 00:03:17,340
security, you can configure them together.

48
00:03:17,340 --> 00:03:23,060
So long story short, connection security rules provide line or media‑level

49
00:03:23,060 --> 00:03:29,820
encryption. You can do this in a VPN situation or just in a LAN Layer 2/Layer

50
00:03:29,820 --> 00:03:35,650
3 situation. And depending upon how you configure those policies, which we

51
00:03:35,650 --> 00:03:38,440
use Group Policy Object for typically,

52
00:03:38,440 --> 00:03:47,000
you can really granularly control that security to help support, for instance, your security compliance requirements.