Server and domain isolation using IPsec and group Policy -By Rashmi S. Thakur CS772.

Date posted: 18-Dec-2015


Introduction

In the early days, companies had to work with mainframes. Network access security was not much of an issue, since the only way to access the network was to enter a large data center and sit down in front of a terminal to do anything.

The network was not very prone to attacks and untrusted access.


Present Scenario…

No more mainframes. Anyone can access the network from anywhere.

Large organizations needed security to protect their internal network from external attacks and access.

They also needed segments of internal networks, i.e. restricted access from one part of the network to the other.


Solution!

Use of firewalls!

Firewalls could protect internal networks from outside attacks.

They could also be used to separate segments of internal networks by setting rules for the firewall.


Then why study server and domain isolation?

It has been found that using firewalls for internal network segmentation doesn't always work smoothly.

Also, there are internal attacks: attacks might come from malicious employees who can subvert other protective measures, including firewalls, to get to the center of the network.

Compromised PCs might have spyware or malware.


Goal of Logical Isolation

The goal of logical isolation is to allow the internal network to be segmented and isolated to support a higher level of security without requiring hard physical boundaries.

It should not be so tight that it is hard to do even daily business tasks.

It should be manageable and scalable.


People, Policies, and Process

Physical security

Perimeter

Internal network

Host

Application

Data

Isolation


Server and Domain Isolation Components

Trusted Hosts – Hosts that meet the minimum security requirements: running a secure and managed operating system, antivirus software, and current application and operating system updates.

Host Authentication – IPsec; the 802.1X protocol.

Host Authorization – Using Group Policy to allow/deny access to servers.


Steps in detail

STEP 1:

The user logs in to a client on the internal network (which is within the logical isolation).

The client computer attempts to connect to the trusted host using the file sharing protocol.

The client has IPsec policy assigned as part of the solution. The outbound TCP connection request triggers an IKE negotiation to the server. The client IKE obtains a Kerberos ticket to authenticate to the server.


STEPS 2 to 4:

IKE main mode negotiation. After the server receives the initial IKE communication request from the client computer, the server authenticates the Kerberos ticket.


Step 4 contd…

If the user account has the required user right assignment, the process completes, and the user logon token is created. After this process is complete, the logical isolation solution has finished conducting its security checks.

What remains now is the access rights of the file the user is trying to access.


Step 5

Share and file access permissions checked. Finally, the standard Windows share and file access permissions are checked by the server to ensure that the user is a member of a group that has the required permissions to access the data that the user requested.


Grouping…

Till now we dealt with isolation achieved on a host-by-host basis.

If an organization contains a lot of hosts, then doing it host-by-host might be too costly!

Solution: Group hosts into groups and give access group-by-group. This is much cheaper.


Implementing Isolation

Identify foundational (basic) isolation groups.

E.g. Isolation Domain: The hosts in this group are trusted and use IPsec policy to control the communications that are allowed to and from themselves.

E.g. Boundary Isolation Group: This group contains trusted hosts that will be allowed to communicate with untrusted systems. These hosts will be exposed to a higher level of risk because they are able to receive incoming communications directly from untrusted computers.


Why do we need a Boundary Isolation Group?

In almost all organizations, there will be a number of workstations or servers that are unable to communicate using IPsec although they are genuine hosts.


Exemptions Lists

Key infrastructure servers such as domain controllers, DNS servers, and Dynamic Host Configuration Protocol (DHCP) servers, or others that are usually available to all systems on the internal network, do not use IPsec but are widely used.

Allowing access to them only through the Boundary Isolation Group might decrease the performance of the organization due to heavy requests.

Solution: Create special lists to identify such servers, and allow direct access to them from any isolation group.


Additional Isolation Groups

We could create more isolation groups apart from the foundational ones if we have different requirements for each group. E.g.:

Encryption requirements

Limited host or user access required at the network level

Outgoing or incoming network traffic flow or protection requirements that differ from the isolation domain


Planning Traffic Mapping - foundational

ID  From  To  Bidirectional  IPsec  Fallback  Encrypt
1   ID    EX  Yes            No     No        No
2   ID    BO  Yes            Yes    No        No
3   ID    UN  No             Yes    Yes       No
4   BO    EX  Yes            Yes    Yes       No
5   BO    UN  No             Yes    Yes       No
6   UN    BO  No             No     No        No
7   UN    EX  Yes            No     No        No


Planning Traffic Mapping - additional

ID  From  To  Bidirectional  IPsec  Fallback  Encrypt
8   EN    EX  Yes            No     No        No
9   EN    ID  Yes            Yes    No        Yes
10  EN    NF  Yes            Yes    No        Yes
11  EN    BO  No             Yes    No        Yes
12  NF    ID  Yes            Yes    No        No
13  NF    EX  Yes            No     No        No
14  NF    BO  Yes            Yes    No        No
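
The two traffic maps above can be evaluated mechanically to see which paths may end up unprotected. The sketch below is an added example, not part of the original slides; it assumes that a path with no row is not permitted, that "IPsec" means negotiation is attempted, and that "Fallback" means traffic may continue in the clear when the peer cannot negotiate. Function names are hypothetical.

```python
# Rows: (id, from, to, bidirectional, ipsec, fallback, encrypt), transcribed
# from the two traffic-mapping tables above.
Y, N = True, False
RULES = [
    (1, "ID", "EX", Y, N, N, N), (2, "ID", "BO", Y, Y, N, N),
    (3, "ID", "UN", N, Y, Y, N), (4, "BO", "EX", Y, Y, Y, N),
    (5, "BO", "UN", N, Y, Y, N), (6, "UN", "BO", N, N, N, N),
    (7, "UN", "EX", Y, N, N, N), (8, "EN", "EX", Y, N, N, N),
    (9, "EN", "ID", Y, Y, N, Y), (10, "EN", "NF", Y, Y, N, Y),
    (11, "EN", "BO", N, Y, N, Y), (12, "NF", "ID", Y, Y, N, N),
    (13, "NF", "EX", Y, N, N, N), (14, "NF", "BO", Y, Y, N, N),
]
GROUPS = sorted({g for r in RULES for g in r[1:3]})

def find_rule(src, dst):
    """Rule for traffic initiated by src toward dst, or None if unlisted."""
    for rule in RULES:
        _, frm, to, bidir = rule[:4]
        if (frm, to) == (src, dst) or (bidir and (frm, to) == (dst, src)):
            return rule
    return None

def outcome(src, dst, peer_speaks_ipsec):
    """How a connection from src to dst ends up on the wire."""
    rule = find_rule(src, dst)
    if rule is None:
        return "blocked"          # assumption: unlisted paths are not permitted
    ipsec, fallback, encrypt = rule[4:]
    if not ipsec:
        return "clear"
    if peer_speaks_ipsec:
        return "ipsec+encrypt" if encrypt else "ipsec"
    return "clear" if fallback else "blocked"

def clear_peers(src):
    """Groups that src can end up talking to without IPsec protection."""
    return [d for d in GROUPS if d != src and outcome(src, d, False) == "clear"]

if __name__ == "__main__":
    for g in GROUPS:
        print(g, "-> plaintext possible to", clear_peers(g))
```
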


Network access groups

Suppose Group 1 is restricted from accessing Group 2. The only exception is that if a host in Group 1 is the Manager, then he is not restricted from Group 2. How do we state this explicit rule?

NAGs are used to explicitly allow or deny access to a system through the network.

Names reflect function:
ANAG: allow network access group
DNAG: deny network access group

Can contain users, computers or groups.

Defined in domain local groups.


Example Scenarios

[Diagram labels: Un-trusted; Unmanaged Devices; Server Isolation; Domain Isolation; Active Directory Domain Controller (exempted); Optional outbound authentication; Required authentication; Authenticating Host Firewalls]


Domain Isolation

Domain controller
Server: domain isolation
IPsec policy active (requires IPsec for all traffic except for ICMP)
Client: untrusted or non-IPsec capable
User: any type
Ping succeeds, others fail


Domain controller
Server: domain isolation
IPsec policy active (requires IPsec for all traffic except for ICMP)
Client: Windows XP SP2, trusted machine
User: domain member
Ping succeeds, others succeed over IPsec


Server Isolation

Domain controller
Server: server isolation
IPsec policy active (requires IPsec for all traffic except for ICMP)
Authorization only for CLIENT1 in group policy via “Access this computer from network” right
Client: Windows XP SP2, “CLIENT2”, trusted machine
User: domain member
Ping succeeds, others fail because IKE fails


Domain controller
Server: server isolation
IPsec policy active (requires IPsec for all traffic except for ICMP)
Authorization only for CLIENT1 and this user in group policy via “Access this computer from network” right
Client: Windows XP SP2, “CLIENT1”, trusted machine
User: domain member
Ping succeeds, others succeed over IPsec
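
The checks in steps 1 to 5 and the four scenario diagrams above, modeled as one decision function. This is an added example, not code from the original slides; the Server fields, the host name PC9, the user name alice and the rule that an empty ANAG stands for plain domain isolation are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Server:
    """Constructed model of a protected server; field names are hypothetical."""
    anag: set = field(default_factory=set)       # allow network access group
    dnag: set = field(default_factory=set)       # deny network access group
    share_acl: set = field(default_factory=set)  # users with share/file rights

def network_right(server, principal):
    """'Access this computer from network' check; an explicit deny wins."""
    if principal in server.dnag:
        return False
    # Assumption: an empty ANAG models domain isolation (no per-server limit).
    return not server.anag or principal in server.anag

def connect(server, host, host_trusted, user, protocol):
    """Apply the checks in order; return (allowed, stage that decided)."""
    if protocol == "icmp":
        return True, "ICMP is exempt from the IPsec policy"
    # Steps 1-2: IKE needs a client with IPsec policy and a Kerberos ticket.
    if not host_trusted:
        return False, "IKE fails: host cannot authenticate"
    # Host authorization (server isolation scenarios): checked during IKE.
    if not network_right(server, host):
        return False, "IKE fails: host not authorized"
    # Step 4: user right assignment, after which the logon token is created.
    if not network_right(server, user):
        return False, "user lacks the network access right"
    # Step 5: standard Windows share and file permissions.
    if user not in server.share_acl:
        return False, "share/file permissions deny access"
    return True, "allowed over IPsec"

if __name__ == "__main__":
    # Constructed inputs mirroring the four scenario slides.
    domain = Server(share_acl={"alice"})
    isolated = Server(anag={"CLIENT1", "alice"}, share_acl={"alice"})
    for srv, host, trusted in [(domain, "PC9", False), (domain, "CLIENT1", True),
                               (isolated, "CLIENT2", True), (isolated, "CLIENT1", True)]:
        for proto in ("icmp", "smb"):
            print(host, proto, connect(srv, host, trusted, "alice", proto))
```
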


Business benefits of this approach

Additional security.

Tighter control of who can access specific information.

Lower cost.

An increase in the number of managed computers.

Improved levels of protection against malware attack.

A mechanism to encrypt network data.


Conclusion

As organizations grow and business relationships change, and customers, vendors, and consultants need to connect to your network for valid business reasons, controlling physical access to a network can become impossible. By maintaining server and domain isolation using IPsec and Group Policy, one could provide flexibility and at the same time provide more security to the internal network.
