1 / 33

Server and domain isolation using IPsec and group Policy

Server and domain isolation using IPsec and group Policy. -By Rashmi S. Thakur CS772. Introduction.

sabin
Download Presentation

Server and domain isolation using IPsec and group Policy

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Server and domain isolation using IPsec and group Policy -By Rashmi S. Thakur CS772

  2. Introduction • Early days , companies had to work with mainframes --- network access security was not much an issue since the only way to access the network was to enter a large, data center and sit down in front of a terminal to do anything. • Not more prone to attacks and untrusted access…..

  3. Present Scenario… • No more mainframes. • Anyone can access the network from anywhere • Large organizations needed security to protect their internal network from external attacks and access • They also needed segments of internal networks i.e restricted access from one part of the network to the other...

  4. Solution! • Use of firewalls! • Firewalls could protect internal networks from outside attacks. • They could also be used to separate segments of internal networks by setting rules for the firewall.

  5. Then why study server and domain isolation? • It has been found out that using firewalls for internal network segmentation doesn't always work smoothly. • Also internal attacks i.e attacks might come from malicious employees who can can subvert other protective measures--including firewalls--to get to the center of the network. • compromised PCs might have spyware or malware.

  6. Goal of Logical Isolation • The goal of logical isolation is to allow the internal network to be segmented and isolated to support a higher level of security without requiring hard physical boundaries • Should not be too tight such that it is hard to do even daily business tasks. • Should be manageable and scalable.

  7. People, Policies, and Process Physical security Data Application Host Isolation Internal network Perimeter

  8. Server and Domain Isolation Components • Trusted Hosts – The hosts with minimum security requirements. • running a secure and managed operating system, • antivirus software • current application and operating system updates • Host Authentication • IPsec • The 802.1X Protocol • Host Authorization – Using Group policies to allow/deny access to servers.

  9. Steps in detail • STEP 1: • User logins to a client on the internal network( which is within the logical isolation) • Client computer attempts to connect to the trusted host using the file sharing protocol. • The client has IPsec policy assigned as part of the solution. The outbound TCP connection request triggers an IKE negotiation to the server. The client IKE obtains a Kerberos ticket to authenticate to the server.

  10. STEPS 2 to 4: • IKE main mode negotiation. After the server receives the initial IKE communication request from the client computer, the server authenticates the Kerberos ticket.

  11. Step 4 contd… • If the user account has the required user right assignment, the process completes, and the user logon token is created. After this process is complete, the logical isolation solution has finished conducting its security checks. • What remains now is the access rights of the file, the user is trying to access.

  12. Step 5 • Share and file access permissions checked. Finally, the standard Windows share and file access permissions are checked by the server to ensure that the user is a member of a group that has the required permissions to access the data that the user requested.

  13. Grouping… • Till now we dealt with isolation achieved on a host-by-host basis • If an organization contains a lot of hosts , then doing a host-by-host might be too costly! Solution: • Group hosts into a groups and give acess group-by-group • This is much cheaper.

  14. Implimenting Isolation • Identify Foundational(basic) Isolation Groups. • Eg: Isolation Domain : The hosts in this group are trusted and use IPsec policy to control the communications that are allowed to and from themselves. • Eg: Boundary Isolation Group This group contains trusted hosts that will be allowed to communicate with untrusted systems. These hosts will be exposed to a higher level of risk because they are able to receive incoming communications directly from untrusted computers.

  15. Why do we need Boundary Isolation Group Since in almost all organizations, there will be a number of workstations, or servers, that are unable to communicate using IPsec although they are genuine hosts.

  16. Exemptions Lists • Key infrastructure servers such as domain controllers, DNS servers, and Dynamic Host Configuration Protocol (DHCP) servers or others which are usually available to all systems on the internal network do not use IPSec but are widely used. • Allowing them only through Boundary Isolation Group might result in decreasing performance of the organization due to heavy requests. • Sol: Create special lists to identify such servers. And allow direct access to them through any isolation group

  17. Additonal Isolation Groups • Could create more Isolation Groups apart from the foundational if we have different requirements for each group. Eg: • Encryption requirements • Limited host or user access required at the network level • Outgoing or incoming network traffic flow or protection requirements that from the isolation domain  

  18. Planning Traffic Mapping -foundational

  19. Planning Traffic Mapping - additional

  20. Network access groups • Consider group 1 is restricted access t group2. Only Exception is if a host in Group 1 is the Manager then he is not restricted to Group2. How do we state this explicit rule? • NAGs are used to explicitly allow or deny access to a system through the network • Names reflect function— • ANAG: allow network access group • DNAG: deny network access group • Can contain users, computers or groups • Defined in domain local groups

  21. Example Scenarios Active Directory Domain Controller (exempted) Domain Isolation Optional outbound authentication Server Isolation Un-trusted Required authentication X X Authenticating Host Firewalls Unmanaged Devices

  22. Domain Isolation Domaincontroller User:any type Ping succeeds others fail Client:Untrusted ornon-IPsec capable Server: domain isolationIPsec policy Active (requires IPsec for all traffic except for ICMP)

  23. Domaincontroller User:domain member Ping succeeds, others succeed over IPsec Client:Windows XP SP2 Trusted machine Server: domain isolationIPsec policy Active (requires IPsec for all traffic except for ICMP)

  24. Server Isolation Domaincontroller Authorization only forCLIENT1 in group policy via “Access this computerfrom network” right User:domain member Ping succeeds others fail because IKE fails Client:Windows XP SP2“CLIENT2” Trusted machine Server: server isolationIPsec policy Active (requires IPsec for all traffic except for ICMP)

  25. Domaincontroller Authorization only forCLIENT1andthis userin group policy via “Access this computerfrom network” right User:domain member Ping succeeds, other succeed over IPsec Client:Windows XP SP2“CLIENT1” Trusted machine Server: server isolationIPsec policy Active (requires IPsec for all traffic except for ICMP)

  26. Bussiness benefits of this approach • Additional security. • Tighter control of who can access specific information. • Lower cost. • An increase in the number of managed computers. • Improved levels of protection against malware attack • A mechanism to encrypt network data.

  27. Conclusion • As organizations grow and business relationships change, and customers, vendors, and consultants need to connect to your network for valid business reasons, controlling physical access to a network can become impossible. By maintaining server and Domain isolation using IPSec and Group Policy one could provide flexibility and at the same time provide more security to the internal network.

  28. References • http://www.microsoft.com/technet/security/guidance/architectureanddesign/ipsec/ipsecch2.mspx • http://www.windowsitpro.com/Article/ArticleID/46826/46826.html • download.microsoft.com/.../Domain%20and%20server%20isolation%20Handouts%20-%20Jesper%20Johansson.ppt –

More Related