Join Lisa Bock for an in-depth discussion in this video Providing server and domain isolation, part of IT Security Foundations: Network Security.
- Server and domain isolation provides an additional layer of protection by requiring IPSec authentication and encryption for communication within the domain. Computers within the domain can communicate with one another, but computers outside of the domain cannot initiate communication with computers inside it. Requests for communication from computers that are not part of the isolated network are ignored. Server and domain isolation can defend against hackers, prevent malware attacks, and provide a means to encrypt data between computers, which can satisfy regulatory requirements.
Key players in isolation include IPSec (Internet Protocol Security), Active Directory, and Kerberos. Internet Protocol is a best-effort, connectionless protocol used to connect networks by addressing and routing each packet. IPSec provides a policy-based IP security mechanism that includes peer authentication. IPSec is a framework that provides a set of security processes, and it has three main functions.
The first is the Authentication Header (AH), which provides data integrity and authentication of IP packets using a message authentication code, and can provide assurance that a neighbor advertisement comes from an authorized router; the two parties must share a secret key. The second is the Encapsulating Security Payload (ESP), a combined encryption and authentication protocol. The third is key management: IPSec manages the keys to ensure that they are not intercepted or used by unauthorized parties, using Internet Key Exchange (IKE).
Authentication is accomplished through a common trust model, in this case membership in an Active Directory domain. Active Directory is a directory service that is part of the Windows Server operating systems, and it provides authentication and authorization to systems and services on a network. Active Directory has a hierarchical structure in which objects are placed in containers. The largest container in Active Directory is known as a domain, and the forest is the highest level in an Active Directory deployment.
A tree contains one or more domains that are in a common relationship. The domain is the primary container within Active Directory, and organizational units group related users, groups, and computers within a domain. When a computer joins the domain, the domain controller creates an account for it with a set of credentials. Kerberos is a protocol developed at MIT and named for the three-headed dog from Greek mythology. Kerberos is the protocol built into Active Directory that provides strong authentication, and it is built on symmetric key encryption.
Kerberos version 5 is used by IPSec for Internet Key Exchange authentication. I'm here in Server Manager on Windows Server 2008. I'm going to go to Windows Firewall with Advanced Security, then to Authenticate communications between computers, and select Connection Security Rules.
I'm going to ask for a New Rule, and here we have some choices. I'm going to select Isolation, but you can see we could also select Server-to-server: IPSec can be used to encrypt traffic between two servers, for example between Outlook Web Access and Exchange. I've selected Isolation, and I'm going to select Next. Which type of authentication? I'm going to Request authentication for inbound and outbound connections.
The authentication method I would like to use is Computer and user (Kerberos V5). I'll keep the defaults and select Next. I'll name it Domain Isolation, or whatever you feel is appropriate for your organization.
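The same connection security rule built from PowerShell rather than the wizard, as an added example that is not part of the video: it assumes the NetSecurity module (Windows Server 2012 / Windows 8 and later, not the Server 2008 console shown above), an elevated session, and display names chosen here for illustration.

```powershell
# Added example: recreate the wizard's "Domain Isolation" connection security rule
# with the NetSecurity cmdlets. Requires Windows Server 2012+ and an elevated prompt.
# Display names are assumptions chosen for this example.

# Phase 1 (main mode) authenticates the computer account with Kerberos V5, which
# only succeeds when both peers are members of the Active Directory domain.
$machineAuth = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName "Domain Isolation - Computer (Kerberos V5)" `
    -Proposal $machineAuth

# Phase 2 (extended mode) additionally authenticates the logged-on user, matching
# the "Computer and user (Kerberos V5)" choice in the wizard.
$userAuth = New-NetIPsecAuthProposal -User -Kerberos
$phase2 = New-NetIPsecPhase2AuthSet -DisplayName "Domain Isolation - User (Kerberos V5)" `
    -Proposal $userAuth

# The isolation rule itself. "Request" in both directions mirrors the wizard choice
# in the video: domain members negotiate IPsec with each other, but traffic to and
# from hosts that cannot authenticate still flows in the clear. To actually refuse
# unauthenticated inbound connections, change -InboundSecurity to Require.
New-NetIPsecRule -DisplayName "Domain Isolation" `
    -Description "Request Kerberos V5 computer and user authentication for domain traffic" `
    -Profile Domain `
    -InboundSecurity Request `
    -OutboundSecurity Request `
    -Phase1AuthSet $phase1.Name `
    -Phase2AuthSet $phase2.Name

# Verification: confirm the rule is in place and, after exchanging traffic with
# another domain member, that main mode and quick mode SAs were really negotiated.
Get-NetIPsecRule -DisplayName "Domain Isolation" |
    Format-List DisplayName, Enabled, InboundSecurity, OutboundSecurity, Profile
Get-NetIPsecMainModeSA  | Format-Table LocalEndpoint, RemoteEndpoint
Get-NetIPsecQuickModeSA | Format-Table LocalEndpoint, RemoteEndpoint
```

If the SA listings stay empty after traffic to a known domain member, the peers are still talking in the clear, which with Request mode is silently allowed.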
Note: This training maps to a number of the exam topics on the Microsoft Technology Associate (MTA) Security Fundamentals exam (98-367). See https://www.microsoft.com/learning/en-us/exam-98-367.aspx for more information.