Safeguard Your Critical Systems and Data
Server and Domain Isolation Using IPSEC
By Chris Lembo, SENIOR MICROSOFT CONSULTANT - AKIBIA, INC.
In this Isolation Scenario, Trusted systems communicate with Boundary systems and one another using IPSEC authentication, while communication between the Encryption systems is encrypted using IPSEC policies. The Untrusted systems can only initiate communication with the Boundary systems.
Without appropriate security measures in place, every network is susceptible to attacks. These attacks may occur internally or externally, but within this article we are going to focus on those originating within the network. Can you confidently say that you trust each and every device attached to every network port in your building? How about your branch offices - are you confident they are secured? And how about your domain members - are they all trusted equally?
If you answered no to any of the above questions, then there may be more you can do to protect your internal assets. Consider IPSEC as a means of securing communications within your network. Server and Domain Isolation using IPSEC is a mechanism that prevents untrusted devices from communicating with individual trusted systems, or with an entire Active Directory domain, by requiring every peer to authenticate before a conversation is allowed.
Protect Your Data... It Might be the Law
For those organizations bound by governmental regulations, including HIPAA, Sarbanes-Oxley, PCI, and GLBA, securing data is vital. Not protecting customer, employee, or patient information can lead to financial or legal liabilities for an organization.
As an example, HIPAA's Security Rule requires an organization to implement access, authentication, and audit controls, as well as integrity policies and transmission security, for electronic protected health information (EPHI). However, you do not have to be governed by any regulation to adhere to these practices. The term EPHI can be replaced with whatever fits your line of business: credit card information, confidential HR information, or perhaps a new patent that your firm is developing. In any case, every business has information to protect from untrusted systems. IPSEC policies address the authentication, integrity, and transmission-security requirements directly, and they support the access and audit controls by deciding which computers may connect at all and by recording failed negotiations in the Security log.
How Server and Domain Isolation Works
Server and Domain Isolation is a broad term for the process of securing and isolating any number of systems within your Active Directory infrastructure using IPSEC policies distributed through Group Policy. It uses domain member authentication, Kerberos authentication of each computer's domain account during the IPSEC negotiation, to validate identities and to protect traffic between systems.
Although IPSEC can encrypt data, its primary role in this context is to authenticate and integrity-protect each packet exchanged between two systems (AH, or ESP with null encryption). Where confidentiality is also required, ESP encryption can be enforced for the same systems through Group Policy.
In a typical isolated environment there are three primary groups of systems, with an optional fourth:
- Trusted - Domain members. They can be further subdivided to protect systems with a specific need; for example, a subset of servers that only HR personnel systems are allowed to reach.
- Untrusted - Systems that the IT organization does not manage or trust: rogue systems on the network, consultant laptops, partner devices, and any system that does not support IPSEC.
- Boundary (or Exclusion) - Systems that must communicate with both Trusted and Untrusted systems. These are typically network infrastructure servers such as DNS and DHCP, or systems that proxy Untrusted access to Trusted systems (for example, an ISA server). Because they accept unauthenticated traffic, they are the exposed edge of the design and should be kept to a minimum and hardened accordingly. Domain controllers must also be exempted from the IPSEC requirement, since a client needs a Kerberos ticket from a domain controller before it can authenticate any IPSEC negotiation.
- A fourth group can isolate particular systems still further and, typically, enforce encryption between them (the Encryption systems in the scenario described above).
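The groups above map one-to-one onto connection security rules. The following PowerShell script is an added example, not code from the article or from Akibia; it uses the NetSecurity module (Windows Server 2012 and later, which post-dates the article's netsh-era policies) to build Trusted, Boundary and Encryption policies in three Group Policy Objects and to add the domain controller exemption that every isolation design needs. The domain name corp.example.com, the GPO names, the domain controller addresses and the Encryption subnet are assumptions chosen for illustration.

```powershell
# Added example: Server and Domain Isolation expressed as Windows connection security rules.
# Assumes the NetSecurity module (Windows Server 2012+), an account that can edit the GPOs,
# and that the three GPOs already exist. Domain, GPO names and IP addresses are placeholders.
Import-Module NetSecurity

$Domain            = 'corp.example.com'            # assumption
$DomainControllers = @('10.0.0.10', '10.0.0.11')   # assumption: DCs must stay reachable in the clear
$EncryptionSubnet  = '10.20.0.0/24'                # assumption: the hosts in the Encryption group

# "Domain member authentication": the peer must hold a valid computer account in the domain.
$kerb = New-NetIPsecAuthProposal -Machine -Kerberos

function New-IsolationPolicy {
    param(
        [string]$GpoName,
        [ValidateSet('None', 'Request', 'Require')][string]$Inbound,
        [ValidateSet('None', 'Request', 'Require')][string]$Outbound,
        [switch]$RequireEncryption
    )
    $gpo = Open-NetGPO -PolicyStore "$Domain\$GpoName"

    # Exemption: never demand IPSEC from the domain controllers. The Kerberos ticket that
    # IKE needs comes from a DC, so isolating the DCs would deadlock every client.
    New-NetIPsecRule -GPOSession $gpo -DisplayName 'Exempt domain controllers' `
        -RemoteAddress $DomainControllers -InboundSecurity None -OutboundSecurity None | Out-Null

    $authSet = New-NetIPsecPhase1AuthSet -GPOSession $gpo -DisplayName "$GpoName Kerberos" -Proposal $kerb

    $ruleArgs = @{
        GPOSession       = $gpo
        DisplayName      = "$GpoName isolation"
        InboundSecurity  = $Inbound
        OutboundSecurity = $Outbound
        Phase1AuthSet    = $authSet.Name
    }
    if ($RequireEncryption) {
        # ESP with AES-256 turns per-packet authentication into authentication plus confidentiality.
        $crypto    = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256
        $cryptoSet = New-NetIPsecQuickModeCryptoSet -GPOSession $gpo -DisplayName "$GpoName ESP" -Proposal $crypto
        $ruleArgs.QuickModeCryptoSet = $cryptoSet.Name
        $ruleArgs.RemoteAddress      = $EncryptionSubnet   # encryption is required only among these hosts
    }
    New-NetIPsecRule @ruleArgs | Out-Null
    Save-NetGPO -GPOSession $gpo
}

# Trusted: anyone talking to us must prove domain membership, but we may still reach Boundary
# and legacy hosts in the clear (an outbound Request falls back when IKE gets no answer).
New-IsolationPolicy -GpoName 'Isolation - Trusted'    -Inbound Require -Outbound Request

# Boundary: negotiate IPSEC when the peer can, accept clear text when it cannot.
# This is the only group an Untrusted host can initiate a conversation with.
New-IsolationPolicy -GpoName 'Isolation - Boundary'   -Inbound Request -Outbound Request

# Encryption: authentication and ESP encryption required in both directions within the subnet.
New-IsolationPolicy -GpoName 'Isolation - Encryption' -Inbound Require -Outbound Require -RequireEncryption

# Check on a member after a policy refresh (gpupdate /force): every live Trusted peer should
# show a main mode SA here. A peer that is missing is talking in the clear, or not at all.
Get-NetIPsecMainModeSA | Format-Table LocalEndpoint, RemoteEndpoint
```

Apply the Trusted GPO to the domain members first with outbound set to Request, watch the Security log for failed negotiations, and only then tighten the Encryption group to Require in both directions; a Require policy pushed before the exemptions are right will cut the affected machines off from the domain controllers that would otherwise deliver the corrected policy.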
The Benefits of Server and Domain Isolation
Introducing Server and Domain Isolation into an environment provides the following benefits.
- Transparent to users - Users are unaware of IPSEC policy application; thus it requires no user training.
- Built into Active Directory - By implementing an isolation policy in Active Directory, it is possible to isolate domain members from non-domain members. Domain members use their domain credentials to authenticate themselves to other systems; Untrusted systems cannot authenticate and so fail to communicate with Trusted systems.
- Supplements other security measures - Isolation is not meant to replace existing security measures but to complement them, giving a more complete security solution.
- Encourages domain membership - Because an isolation policy is based upon Active Directory credentials, systems that are not members of the domain will not be able to communicate with Trusted systems. This encourages domain membership, which in turn improves the manageability of desktops.
- Protects traffic between trusted computers - Communications between two trusted systems are protected cryptographically. This allows the receiving computer to verify the integrity of each packet and to confirm that it came from a trusted host. In addition, the traffic can optionally be encrypted, further protecting the communications.
- Flexible and affordable - Securing a network using Isolation within your Active Directory does not require the purchase of any additional hardware or software.
Defense in Depth
Securing servers and confidential data should be the number one priority on every IT to-do list. In addition to everyday security measures, further steps can be taken to protect the endpoint devices on your network and the data they house. With IPSEC, systems authenticate to one another before communicating, and every subsequent packet carries that authentication. If the IPSEC policies allow the communication, the conversation between the systems continues; if not, the traffic is dropped. Adding Server and Domain Isolation to any security arsenal is practical and flexible, and it provides an additional layer of protection for the systems that require data confidentiality.
To see how Server and Domain Isolation can fit into your defense in depth strategy and to see a sample design please contact your Akibia Sales representative.
About the Author
Since joining Akibia in 1996, Chris Lembo has assisted in developing a variety of security solution offerings focused on maximizing the value and effectiveness of Microsoft environments. Mr. Lembo has over ten years of experience in Microsoft Infrastructure and Security products, including Active Directory, Exchange, Systems Management Server (SMS), Operations Manager (MOM), and general MS security guidance. He has presented at Akibia's Chalk Talks and has authored a variety of Akibia publications. Mr. Lembo is a Microsoft Certified Systems Engineer (MCSE).