1
Server and Domain Isolation Using IPsec and Group Policy
-By Rashmi S. Thakur CS772
2
Introduction
In the early days, companies had to work with mainframes. Network access security was not much of an issue, since the only way to access the network was to enter a large data center and sit down in front of a terminal to do anything. Such networks were not very prone to attacks and untrusted access.
3
Present Scenario…
No more mainframes. Anyone can access the network from anywhere. Large organizations needed security to protect their internal network from external attacks and access. They also needed to segment their internal networks, i.e. restrict access from one part of the network to another.
4
Solution! Use of firewalls!
Firewalls could protect internal networks from outside attacks. They could also be used to separate segments of internal networks by setting rules for the firewall.
5
Then why study server and domain isolation?
It has been found that using firewalls for internal network segmentation doesn't always work smoothly. There are also internal attacks, i.e. attacks that come from malicious employees who can subvert other protective measures, including firewalls, to get to the center of the network. Compromised PCs might have spyware or malware.
7
Goal of Logical Isolation
The goal of logical isolation is to allow the internal network to be segmented and isolated to support a higher level of security without requiring hard physical boundaries. It should not be so tight that it is hard to do even daily business tasks. It should be manageable and scalable.
8
People, Policies, and Process
Diagram labels: Physical security, Data, Application, Host, Isolation, Internal network, Perimeter.
9
Server and Domain Isolation Components
Trusted Hosts – hosts that meet the minimum security requirements: running a secure and managed operating system, antivirus software, and current application and operating system updates.
Host Authentication – IPsec, the 802.1X protocol.
Host Authorization – using Group Policy to allow/deny access to servers.
11
Steps in detail
STEP 1: The user logs on to a client on the internal network (which is within the logical isolation). The client computer attempts to connect to the trusted host using the file sharing protocol. The client has an IPsec policy assigned as part of the solution. The outbound TCP connection request triggers an IKE negotiation to the server. The client IKE obtains a Kerberos ticket to authenticate to the server.
12
STEPS 2 to 4: IKE main mode negotiation. After the server receives the initial IKE communication request from the client computer, the server authenticates the Kerberos ticket.
15
Step 4 contd…
If the user account has the required user right assignment, the process completes, and the user logon token is created. After this process is complete, the logical isolation solution has finished conducting its security checks. What remains now is the access rights on the file the user is trying to access.
16
Step 5: Share and file access permissions checked.
Finally, the standard Windows share and file access permissions are checked by the server to ensure that the user is a member of a group that has the required permissions to access the data that the user requested.
17
Grouping…
Until now we dealt with isolation achieved on a host-by-host basis. If an organization contains a lot of hosts, then doing this host by host might be too costly! Solution: Group hosts into groups and give access group by group. This is much cheaper.
18
Implementing Isolation
Identify foundational (basic) isolation groups.
E.g. Isolation Domain: The hosts in this group are trusted and use IPsec policy to control the communications that are allowed to and from themselves.
E.g. Boundary Isolation Group: This group contains trusted hosts that will be allowed to communicate with untrusted systems. These hosts will be exposed to a higher level of risk because they are able to receive incoming communications directly from untrusted computers.
19
Why do we need a Boundary Isolation Group?
In almost all organizations there will be a number of workstations or servers that are unable to communicate using IPsec although they are genuine hosts.
21
Exemptions Lists
Key infrastructure servers such as domain controllers, DNS servers, and Dynamic Host Configuration Protocol (DHCP) servers, or others that are usually available to all systems on the internal network, do not use IPsec but are widely used. Allowing access to them only through the Boundary Isolation Group might decrease the performance of the organization due to heavy requests. Solution: Create special lists to identify such servers, and allow direct access to them from any isolation group.
22
Additional Isolation Groups
We could create more isolation groups apart from the foundational ones if we have different requirements for each group. E.g.: encryption requirements; limited host or user access required at the network level; outgoing or incoming network traffic flow or protection requirements that differ from the isolation domain.
23
Planning Traffic Mapping -foundational
ID From To Bidirectional IPsec Fallback Encrypt 1 Ex Yes No 2 BO 3 UN 4 EX 5 6 7
24
Planning Traffic Mapping - additional
ID From To Bidirectional IPsec Fallback Encrypt 8 EN EX Yes No 9 10 NF 11 BO 12 13 14
25
Network access groups
Consider that Group 1 is restricted from accessing Group 2. The only exception is that if a host in Group 1 is the Manager, then he is not restricted from Group 2. How do we state this explicit rule?
NAGs are used to explicitly allow or deny access to a system through the network.
Names reflect function: ANAG (allow network access group), DNAG (deny network access group).
Can contain users, computers or groups.
Defined in domain local groups.
26
Example Scenarios
Diagram labels: Active Directory Domain Controller (exempted); Domain Isolation; Optional outbound authentication; Server Isolation; Un-trusted; Required authentication; Authenticating Host Firewalls; Unmanaged Devices.
27
Domain Isolation
Domain controller
Client: untrusted or non-IPsec capable
User: any type
Server: domain isolation IPsec policy active (requires IPsec for all traffic except for ICMP)
Ping succeeds, others fail
28
Domain controller
Client: Windows XP SP2, trusted machine
User: domain member
Server: domain isolation IPsec policy active (requires IPsec for all traffic except for ICMP)
Ping succeeds, others succeed over IPsec
29
Server Isolation
Domain controller: authorization only for CLIENT1 in Group Policy via the “Access this computer from network” right
Client: Windows XP SP2 “CLIENT2”, trusted machine
User: domain member
Server: server isolation IPsec policy active (requires IPsec for all traffic except for ICMP)
Ping succeeds, others fail because IKE fails
30
Domain controller: authorization only for CLIENT1 and this user in Group Policy via the “Access this computer from network” right
Client: Windows XP SP2 “CLIENT1”, trusted machine
User: domain member
Server: server isolation IPsec policy active (requires IPsec for all traffic except for ICMP)
Ping succeeds, others succeed over IPsec
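The checks from the "Steps in detail" and network access group slides, applied to the four scenarios above, as an added Python example (not part of the original presentation, and a simplified model rather than Windows' own implementation). The names GUEST-PC, alice, bob and carol are constructed, and the rule that a DNAG entry overrides an ANAG entry is an assumption of the model.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Server:
    share_acl: set                          # users with share/file permissions
    anag: Optional[set] = None              # allow group; None = domain isolation
    dnag: set = field(default_factory=set)  # deny group

def authorized(who, server):
    # Assumption of this model: a DNAG entry overrides any ANAG entry.
    if who in server.dnag:
        return False
    return server.anag is None or who in server.anag

def connect(host, trusted, user, server, protocol):
    """Return (allowed, reason) for one connection attempt to `server`."""
    if protocol == "icmp":                  # ICMP is exempt from the IPsec policy
        return True, "ICMP exempt"
    if not trusted:                         # no Kerberos ticket, so IKE cannot finish
        return False, "IKE fails: host cannot authenticate"
    if not authorized(host, server):        # host lacks the network access right
        return False, "IKE fails: host not authorized"
    if not authorized(user, server):        # step 4: no user logon token is created
        return False, "user lacks network access right"
    if user not in server.share_acl:        # step 5: share and file permissions
        return False, "share/file permissions deny user"
    return True, "allowed over IPsec"

def run_scenarios():
    # Constructed names: GUEST-PC, alice, bob, carol. CLIENT1/CLIENT2 are from the slides.
    domain = Server(share_acl={"alice"})
    isolated = Server(share_acl={"alice", "bob"},
                      anag={"CLIENT1", "alice", "bob"}, dnag={"bob"})
    return {
        "untrusted ping":   connect("GUEST-PC", False, "alice", domain, "icmp"),
        "untrusted smb":    connect("GUEST-PC", False, "alice", domain, "smb"),
        "trusted smb":      connect("CLIENT2", True, "alice", domain, "smb"),
        "CLIENT2 isolated": connect("CLIENT2", True, "alice", isolated, "smb"),
        "CLIENT1 isolated": connect("CLIENT1", True, "alice", isolated, "smb"),
        "denied user":      connect("CLIENT1", True, "bob", isolated, "smb"),
        "no file rights":   connect("CLIENT1", True, "carol", domain, "smb"),
    }

if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:18} {'ALLOW' if ok else 'DENY':5} {why}")
```

The last two cases go beyond the slides' four scenarios: they show a DNAG member being refused although it is also in the ANAG, and a user who passes the isolation checks but is stopped by file permissions.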
31
Business benefits of this approach
Additional security. Tighter control of who can access specific information. Lower cost. An increase in the number of managed computers. Improved levels of protection against malware attack. A mechanism to encrypt network data.
32
Conclusion
As organizations grow and business relationships change, and customers, vendors, and consultants need to connect to your network for valid business reasons, controlling physical access to a network can become impossible. By maintaining server and domain isolation using IPsec and Group Policy, one can provide flexibility and at the same time more security for the internal network.
33
References
download.microsoft.com/.../Domain%20and%20server%20isolation%20Handouts%20-%20Jesper%20Johansson.ppt