Server and domain isolation using IPsec and group Policy - PowerPoint PPT Presentation

Provided by: Sum51
1
Server and domain isolation using IPsec and Group Policy
  • By Rashmi S. Thakur
  • CS772

2
Introduction
  • In the early days, companies worked with
    mainframes. Network access security was not
    much of an issue, since the only way to access the
    network was to enter a large data center and sit
    down in front of a terminal.
  • Such networks were not very prone to attacks and
    untrusted access.

3
Present Scenario
  • No more mainframes.
  • Anyone can access the network from anywhere
  • Large organizations needed security to protect
    their internal network from external attacks and
    access
  • They also needed to segment internal networks,
    i.e., restrict access from one part of the
    network to another.

4
Solution!
  • Use of firewalls!
  • Firewalls could protect internal networks from
    outside attacks.
  • They could also be used to separate segments of
    internal networks by setting rules for the
    firewall.

5
Then why study server and domain isolation?
  • It has been found that using firewalls for
    internal network segmentation doesn't always work
    smoothly.
  • There are also internal attacks, i.e., attacks from
    malicious employees who can subvert other
    protective measures, including firewalls, to get
    to the center of the network.
  • Compromised PCs might have spyware or malware.

6
(No Transcript)
7
Goal of Logical Isolation
  • The goal of logical isolation is to allow the
    internal network to be segmented and isolated to
    support a higher level of security without
    requiring hard physical boundaries
  • Should not be so tight that even daily business
    tasks become hard to do.
  • Should be manageable and scalable.

8
(Diagram; labels: People, Policies, and Process; Physical security;
Data; Application; Host; Isolation; Internal network; Perimeter)
9
Server and Domain Isolation Components
  • Trusted Hosts: the hosts that meet the minimum security
    requirements:
      • running a secure and managed operating system
      • antivirus software
      • current application and operating system updates
  • Host Authentication:
      • IPsec
      • The 802.1X Protocol
  • Host Authorization: using Group Policy to
    allow/deny access to servers.

10
(No Transcript)
11
Steps in detail
  • STEP 1
  • The user logs in to a client on the internal network
    (which is within the logical isolation).
  • The client computer attempts to connect to the
    trusted host using the file sharing protocol.
  • The client has an IPsec policy assigned as part of
    the solution. The outbound TCP connection request
    triggers an IKE negotiation to the server. The
    client IKE obtains a Kerberos ticket to
    authenticate to the server.

12
  • STEPS 2 to 4
  • IKE main mode negotiation. After the server
    receives the initial IKE communication request
    from the client computer, the server
    authenticates the Kerberos ticket.

13
(No Transcript)
14
(No Transcript)
15
Step 4 (contd.)
  • If the user account has the required user right
    assignment, the process completes, and the user
    logon token is created. After this process is
    complete, the logical isolation solution has
    finished conducting its security checks.
  • What remains now is to check the access rights on
    the file the user is trying to access.

16
Step 5
  • Share and file access permissions checked.
    Finally, the standard Windows share and file
    access permissions are checked by the server to
    ensure that the user is a member of a group that
    has the required permissions to access the data
    that the user requested.

17
Grouping
  • Until now we have dealt with isolation achieved on a
    host-by-host basis.
  • If an organization contains a lot of hosts, then
    working host by host might be too costly!
  • Solution:
  • Group hosts into groups and give access
    group by group.
  • This is much cheaper.

18
Implementing Isolation
  • Identify foundational (basic) isolation groups.
  • E.g., Isolation Domain:
  • The hosts in this group are trusted and use
    IPsec policy to control the communications that
    are allowed to and from themselves.
  • E.g., Boundary Isolation Group:
  • This group contains trusted hosts that will be
    allowed to communicate with untrusted systems.
    These hosts will be exposed to a higher level of
    risk because they are able to receive incoming
    communications directly from untrusted computers.

19
  • Why do we need a Boundary Isolation Group?
  • Because in almost all organizations there will
    be a number of workstations or servers that are
    unable to communicate using IPsec although they
    are genuine hosts.

20
(No Transcript)
21
Exemption Lists
  • Key infrastructure servers such as domain
    controllers, DNS servers, and Dynamic Host
    Configuration Protocol (DHCP) servers, or others
    that are usually available to all systems on the
    internal network, do not use IPsec but are widely
    used.
  • Allowing access to them only through the Boundary
    Isolation Group might decrease the performance of
    the organization due to heavy requests.
  • Solution: create special lists to identify such
    servers, and allow direct access to them from
    any isolation group.

22
Additional Isolation Groups
  • We could create more isolation groups apart from the
    foundational ones if we have different requirements
    for each group, e.g.:
  • Encryption requirements
  • Limited host or user access
    required at the network level
  • Outgoing or incoming network
    traffic flow or protection
    requirements that differ
    from the isolation domain

23
Planning Traffic Mapping - Foundational
24
Planning Traffic Mapping - Additional
25
Network access groups
  • Suppose Group 1 is restricted from accessing Group 2.
    The only exception is a host in Group 1 that is the
    manager, which is not restricted from Group 2. How
    do we state this explicit rule?
  • NAGs are used to explicitly allow or deny access
    to a system through the network.
  • Names reflect function:
  • ANAG: allow network access group
  • DNAG: deny network access group
  • Can contain users, computers or groups
  • Defined in domain local groups

26
Example Scenarios
(Diagram; labels: Active Directory Domain Controller (exempted);
Domain Isolation; Optional outbound authentication; Server Isolation;
Un-trusted; Required authentication; Authenticating Host Firewalls;
Unmanaged Devices)
27
Domain Isolation
  • Domain controller
  • User: any type
  • Client: untrusted or non-IPsec capable
  • Server: domain isolation IPsec policy active (requires IPsec
    for all traffic except for ICMP)
  • Ping succeeds; others fail
28
  • Domain controller
  • User: domain member
  • Client: Windows XP SP2, trusted machine
  • Server: domain isolation IPsec policy active (requires IPsec
    for all traffic except for ICMP)
  • Ping succeeds; others succeed over IPsec
29
Server Isolation
  • Domain controller
  • Authorization only for CLIENT1 in Group Policy via the
    "Access this computer from network" right
  • User: domain member
  • Client: Windows XP SP2, CLIENT2, trusted machine
  • Server: server isolation IPsec policy active (requires IPsec
    for all traffic except for ICMP)
  • Ping succeeds; others fail because IKE fails
30
  • Domain controller
  • Authorization only for CLIENT1 and this user in Group Policy
    via the "Access this computer from network" right
  • User: domain member
  • Client: Windows XP SP2, CLIENT1, trusted machine
  • Server: server isolation IPsec policy active (requires IPsec
    for all traffic except for ICMP)
  • Ping succeeds; others succeed over IPsec
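
The layered checks from the steps (slides 11 to 16), the network access groups and the four example scenarios above can be sketched as one decision function. This is an added example, not part of the original presentation; the names GUEST-PC, SRV-DOM, SRV-ISO, DC1 and alice and the function names are hypothetical, and the IKE/Kerberos exchange is reduced to a `trusted` flag.

```python
from dataclasses import dataclass, field
from typing import Optional

EXEMPT = {"DC1"}  # exemption list (constructed name): DC, DNS, DHCP servers

@dataclass
class Server:
    name: str
    anag: Optional[set] = None   # allow group; None = domain isolation (any domain member)
    dnag: set = field(default_factory=set)       # deny group
    share_acl: set = field(default_factory=set)  # users with share/file permissions

def authorized(principal, server):
    """'Access this computer from network' check; an explicit deny wins."""
    if principal in server.dnag:
        return False
    return server.anag is None or principal in server.anag

def connect(client, trusted, user, server, protocol="smb"):
    """Return (allowed, reason) for one connection attempt."""
    # ICMP and exempted infrastructure servers are not subject to IPsec.
    if protocol == "icmp" or server.name in EXEMPT:
        return True, "exempt from IPsec"
    # Steps 1-3: IKE main mode authenticates the computer with Kerberos.
    if not trusted:
        return False, "IKE fails: host cannot authenticate"
    if not authorized(client, server):
        return False, "IKE fails: computer not authorized"
    # Step 4: the user account needs the same user right assignment.
    if not authorized(user, server):
        return False, "user not authorized for network access"
    # Step 5: standard share and file permissions.
    if user not in server.share_acl:
        return False, "share/file permission denied"
    return True, "allowed over IPsec"

if __name__ == "__main__":
    # Constructed hosts and users reproducing the four example slides.
    dom = Server("SRV-DOM", share_acl={"alice"})
    iso = Server("SRV-ISO", anag={"CLIENT1", "alice"}, share_acl={"alice"})
    for args in [("GUEST-PC", False, "alice", dom), ("CLIENT2", True, "alice", dom),
                 ("CLIENT2", True, "alice", iso), ("CLIENT1", True, "alice", iso)]:
        print(args[0], args[3].name, connect(*args), connect(*args, protocol="icmp"))
```

Adding a principal to `dnag` overrides its `anag` membership, which is how a deny network access group takes precedence over an allow group.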
31
Business benefits of this approach
  • Additional security.
  • Tighter control of who can access specific
    information.
  • Lower cost.
  • An increase in the number of managed computers.
  • Improved levels of protection against malware
    attack.
  • A mechanism to encrypt network data.

32
Conclusion
  • As organizations grow and business relationships
    change, and customers, vendors, and consultants
    need to connect to your network for valid
    business reasons, controlling physical access to
    a network can become impossible. By maintaining
    server and domain isolation using IPsec and Group
    Policy, one can provide flexibility and at the
    same time more security for the internal
    network.
