Server and Domain Isolation using IPsec and Group Policy - by Rashmi S. Thakur, CS772
Dec 18, 2015
Introduction
In the early days, companies worked with mainframes, and network access security was not much of an issue: the only way to access the network was to enter a large data center and sit down in front of a terminal.
The network was therefore far less exposed to attacks and untrusted access.
Present scenario
There are no more mainframes; anyone can access the network from anywhere. Large organizations needed security to protect their internal network from external attacks and unauthorized access.
They also needed to segment the internal network, i.e. restrict access from one part of the network to another.
Solution!
Use of firewalls! Firewalls can protect internal networks from outside attacks. They can also separate segments of the internal network by means of firewall rules.
Then why study server and domain isolation? It has been found that using firewalls for internal network segmentation does not always work smoothly.
There are also internal attacks: attacks may come from malicious employees who can subvert other protective measures, including firewalls, to get to the center of the network.
Compromised PCs may carry spyware or malware.
Goal of Logical Isolation
The goal of logical isolation is to allow the internal network to be segmented and isolated to support a higher level of security without requiring hard physical boundaries.
It should not be so tight that even daily business tasks become hard to do.
It should be manageable and scalable.
People, Policies, and Process
Physical security
Perimeter
Internal network
Host
Application
Data
Isolation
Server and Domain Isolation Components
Trusted Hosts: hosts that meet the minimum security requirements: running a secure and managed operating system, with current antivirus software and current application and operating system updates.
Host Authentication: IPsec or the 802.1X protocol.
Host Authorization: using Group Policy to allow or deny access to servers.
Steps in detail
STEP 1:
The user logs on to a client on the internal network (which is within the logical isolation).
The client computer attempts to connect to the trusted host using the file sharing protocol.
The client has the IPsec policy assigned as part of the solution. The outbound TCP connection request triggers an IKE negotiation with the server. The client's IKE obtains a Kerberos ticket to authenticate to the server.
STEPS 2 to 4: IKE main mode negotiation. After the server receives the initial IKE communication request from the client computer, the server authenticates the Kerberos ticket.
Step 4 contd.
If the user account has the required user right assignment, the process completes and the user logon token is created. After this process is complete, the logical isolation solution has finished conducting its security checks.
What remains now is the access rights of the file the user is trying to access.
Step 5
Share and file access permissions are checked. Finally, the standard Windows share and file access permissions are checked by the server to ensure that the user is a member of a group that has the required permissions to access the requested data.
Grouping
Until now we dealt with isolation achieved on a host-by-host basis.
If an organization contains a lot of hosts, then doing this host by host may be too costly!
Solution: group hosts and grant access group by group. This is much cheaper.
Implementing Isolation
Identify the foundational (basic) isolation groups.
E.g. Isolation Domain: the hosts in this group are trusted and use IPsec policy to control the communications that are allowed to and from themselves.
E.g. Boundary Isolation Group: this group contains trusted hosts that are allowed to communicate with untrusted systems. These hosts are exposed to a higher level of risk because they can receive incoming communications directly from untrusted computers.
Why do we need a Boundary Isolation Group? Because in almost all organizations there are a number of workstations or servers that are unable to communicate using IPsec although they are genuine hosts.
Exemption Lists
Key infrastructure servers such as domain controllers, DNS servers and Dynamic Host Configuration Protocol (DHCP) servers, or others that are usually available to all systems on the internal network, do not use IPsec but are widely used.
Allowing them only through the Boundary Isolation Group could decrease the organization's performance because of the heavy load of requests.
Solution: create special lists to identify such servers, and allow direct access to them from any isolation group.
Additional Isolation Groups
More isolation groups can be created beyond the foundational ones if we have different requirements for each group, e.g.:
Encryption requirements
Limited host or user access required at the network level
Outgoing or incoming network traffic flow or protection requirements that differ from those of the isolation domain
Planning Traffic Mapping - foundational groups
(ID = isolation domain, BO = boundary isolation group, UN = untrusted hosts, EX = exemption list)

ID  From  To  Bidirectional  IPsec  Fallback  Encrypt
 1  ID    EX  Yes            No     No        No
 2  ID    BO  Yes            Yes    No        No
 3  ID    UN  No             Yes    Yes       No
 4  BO    EX  Yes            Yes    Yes       No
 5  BO    UN  No             Yes    Yes       No
 6  UN    BO  No             No     No        No
 7  UN    EX  Yes            No     No        No

Planning Traffic Mapping - additional groups
(EN = encryption isolation group; NF = group whose traffic must never fall back to clear text, hence Fallback is No on every NF row)

ID  From  To  Bidirectional  IPsec  Fallback  Encrypt
 8  EN    EX  Yes            No     No        No
 9  EN    ID  Yes            Yes    No        Yes
10  EN    NF  Yes            Yes    No        Yes
11  EN    BO  No             Yes    No        Yes
12  NF    ID  Yes            Yes    No        No
13  NF    EX  Yes            No     No        No
14  NF    BO  Yes            Yes    No        No
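The two traffic-mapping tables as an evaluator (added example, not part of the original slides or of Microsoft's guide): it resolves bidirectional rows in either direction and shows what happens when the peer cannot negotiate IPsec. The group-code expansions and the outcome strings are my assumptions.

```python
# Group codes assumed: ID isolation domain, BO boundary group, UN untrusted,
# EX exemption list, EN encryption group, NF no-fallback group.
from dataclasses import dataclass

@dataclass(frozen=True)
class Mapping:
    src: str
    dst: str
    bidirectional: bool   # row also covers traffic initiated by dst towards src
    ipsec: bool           # IPsec must be negotiated for this flow
    fallback: bool        # may fall back to clear text if IKE fails
    encrypt: bool         # traffic must be encrypted, not only authenticated

# Rows 1-14 transcribed from the two tables above.
TRAFFIC_MAP = [
    Mapping("ID", "EX", True,  False, False, False),
    Mapping("ID", "BO", True,  True,  False, False),
    Mapping("ID", "UN", False, True,  True,  False),
    Mapping("BO", "EX", True,  True,  True,  False),
    Mapping("BO", "UN", False, True,  True,  False),
    Mapping("UN", "BO", False, False, False, False),
    Mapping("UN", "EX", True,  False, False, False),
    Mapping("EN", "EX", True,  False, False, False),
    Mapping("EN", "ID", True,  True,  False, True),
    Mapping("EN", "NF", True,  True,  False, True),
    Mapping("EN", "BO", False, True,  False, True),
    Mapping("NF", "ID", True,  True,  False, False),
    Mapping("NF", "EX", True,  False, False, False),
    Mapping("NF", "BO", True,  True,  False, False),
]

def lookup(src, dst):
    """Row governing traffic initiated by src towards dst, or None."""
    for m in TRAFFIC_MAP:
        if (m.src, m.dst) == (src, dst):
            return m
        if m.bidirectional and (m.dst, m.src) == (src, dst):
            return m
    return None

def outcome(src, dst, peer_ipsec_capable):
    """Predict how a connection from a src-group host to a dst-group host ends."""
    m = lookup(src, dst)
    if m is None:
        return "blocked"                      # no row: the flow is not planned
    if not m.ipsec:
        return "clear"                        # clear text is the planned mode
    if peer_ipsec_capable:
        return "encrypted" if m.encrypt else "ipsec"
    return "clear (fallback)" if m.fallback else "blocked (IKE fails)"
```

Note that untrusted hosts initiating towards the isolation domain have no row at all, which is the domain-isolation property the tables encode.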
Network access groups
Consider that Group 1 is restricted from accessing Group 2. The only exception is that if a host in Group 1 belongs to the manager, it is not restricted from Group 2. How do we state this explicit rule?
NAGs are used to explicitly allow or deny access to a system through the network.
Names reflect function: ANAG = allow network access group, DNAG = deny network access group.
They can contain users, computers or groups, and are defined as domain local groups.
Example Scenarios

Overview diagram (figure text only): untrusted and unmanaged devices sit outside; the domain isolation boundary encloses the managed hosts, with a server isolation group inside it; the Active Directory domain controller is exempted; outbound authentication towards untrusted devices is optional, authentication inside the isolation domain is required; the hosts run authenticating host firewalls (blocked paths are marked X in the original).

Domain Isolation, scenario 1
Server: domain isolation, IPsec policy active (requires IPsec for all traffic except ICMP); a domain controller is present.
Client: untrusted or non-IPsec-capable machine; user: any type.
Result: ping succeeds, others fail.

Domain Isolation, scenario 2
Server: domain isolation, IPsec policy active (requires IPsec for all traffic except ICMP); a domain controller is present.
Client: Windows XP SP2, trusted machine; user: domain member.
Result: ping succeeds, others succeed over IPsec.

Server Isolation, scenario 3
Server: server isolation, IPsec policy active (requires IPsec for all traffic except ICMP); authorization only for CLIENT1 in Group Policy via the "Access this computer from the network" right; a domain controller is present.
Client: Windows XP SP2 "CLIENT2", trusted machine; user: domain member.
Result: ping succeeds, others fail because IKE fails.

Server Isolation, scenario 4
Server: server isolation, IPsec policy active (requires IPsec for all traffic except ICMP); authorization only for CLIENT1 and this user in Group Policy via the "Access this computer from the network" right; a domain controller is present.
Client: Windows XP SP2 "CLIENT1", trusted machine; user: domain member.
Result: ping succeeds, others succeed over IPsec.
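The four scenarios as a runnable model (added example, not from the original slides): it walks the checks in the order of the "Steps in detail" slides and returns the outcome each scenario shows. CLIENT1, CLIENT2 and the "Access this computer from the network" right come from the slides; the share ACL, the helper names and the use of NAGs for the right are my assumptions, and the deny-wins rule is how Windows user rights behave.

```python
# Added example, not from the original slides. CLIENT1/CLIENT2 and the
# "Access this computer from the network" right come from the scenarios;
# the share ACL and the helper names are assumptions.
from dataclasses import dataclass, field

@dataclass
class ServerPolicy:
    ipsec_required: bool = True
    exempt_protocols: set = field(default_factory=lambda: {"icmp"})
    anag: set = field(default_factory=set)   # allow NAG for the network logon right
    dnag: set = field(default_factory=set)   # deny NAG; deny wins over allow
    share_acl: dict = field(default_factory=dict)  # share name -> allowed principals

@dataclass
class Client:
    name: str              # computer account, e.g. "CLIENT1"
    user: str
    trusted: bool          # managed host with the IPsec policy assigned
    user_groups: set = field(default_factory=set)

def has_network_logon_right(policy, principals):
    """'Access this computer from the network': a deny entry overrides allow."""
    if principals & policy.dnag:
        return False
    return bool(principals & policy.anag)

def connect(policy, client, protocol, share=None):
    """Walk the checks in slide order and return the outcome."""
    if protocol in policy.exempt_protocols:
        return "succeeds (exempt from IPsec)"   # ping works in every scenario
    if policy.ipsec_required and not client.trusted:
        return "fails (client cannot negotiate IPsec)"
    # IKE main mode: the Kerberos-authenticated computer account is checked
    if not has_network_logon_right(policy, {client.name}):
        return "fails (IKE fails: computer not authorized)"
    # user logon: the user account needs the same right
    if not has_network_logon_right(policy, {client.user} | client.user_groups):
        return "fails (user not authorized)"
    # Step 5: standard share and file permissions
    if not policy.share_acl.get(share, set()) & ({client.user} | client.user_groups):
        return "fails (share/file permission denied)"
    return "succeeds over IPsec"
```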
Business benefits of this approach
Additional security.
Tighter control of who can access specific information.
Lower cost.
An increase in the number of managed computers.
Improved levels of protection against malware attacks.
A mechanism to encrypt network data.
Conclusion
As organizations grow and business relationships change, and customers, vendors and consultants need to connect to your network for valid business reasons, controlling physical access to a network can become impossible. By maintaining server and domain isolation using IPsec and Group Policy, one can provide flexibility and at the same time more security for the internal network.