Server and Domain Isolation Using IPsec and Group Policy (Overview)

This article demonstrates how IPsec transport mode can be leveraged as one of the best means currently available to protect corporate networks. This protection can minimize losses due to information theft, compromise of credentials, and administrative costs. The solution also clearly contrasts IPsec transport mode with the more widely known IPsec tunnel mode, one of the prevalent VPN technologies today.

Microsoft recognizes that large organizations face increasing challenges in securing the perimeter of their networks. As organizations grow and business relationships change, controlling physical access to a network can become impossible. Customers, vendors, and consultants may need to connect mobile devices to your network for valid business reasons. The advent of wireless networks and wireless connection technologies has made network access easier than ever. This increased connectivity means that domain members on the internal network are increasingly exposed to significant risks from other computers on the internal network, in addition to breaches in perimeter security.

The concept of logical isolation presented in this guide embodies two solutions — server isolation to ensure that a server accepts network connections only from trusted domain members or a specific group of domain members, and domain isolation to isolate domain members from untrusted connections. These solutions can be used separately or together as part of an overall logical isolation solution.

At its core, server and domain isolation allows IT administrators to restrict TCP/IP communications of domain members that are trusted computers. These trusted computers can be configured to allow only incoming connections from other trusted computers or a specific group of trusted computers. The access controls are centrally managed by using Microsoft® Active Directory® Group Policy to control network logon rights. Nearly all TCP/IP network connections can be secured without application changes, because IPsec works at the network layer, below the application layer, to provide authentication and per-packet security end-to-end between computers. Network traffic can be authenticated, or authenticated and encrypted, in a variety of customizable scenarios.
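As an added example (not from the guide, which predates these cmdlets), here is how the two rule types described above are expressed with the Windows Firewall with Advanced Security PowerShell cmdlets on Windows Server 2012 and later: a domain isolation connection security rule in transport mode, and a server isolation firewall rule that admits only members of a domain group. The domain name, GPO names, group name and domain controller addresses are assumptions.

```powershell
# Added example, not the guide's own configuration. Assumed names:
# domain corp.example, GPOs "Domain Isolation" and "Finance Server Isolation",
# domain group CORP\Finance-Server-Access, domain controllers 10.0.0.10/11.

# --- Domain isolation: applies to every trusted domain member via the GPO ---
$gpo = Open-NetGPO -PolicyStore 'corp.example\Domain Isolation'

# Phase 1 (main mode) authentication: computer Kerberos, so only domain
# members can complete the negotiation at all.
$kerb = New-NetIPsecAuthProposal -Machine -Kerberos
$auth = New-NetIPsecPhase1AuthSet -DisplayName 'Machine Kerberos' `
            -Proposal $kerb -GPOSession $gpo

# Transport mode: require IPsec for inbound connections, request it for
# outbound so trusted members can still reach untrusted hosts and printers.
New-NetIPsecRule -DisplayName 'Domain Isolation - Request Out, Require In' `
    -Mode Transport -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $auth.Name -GPOSession $gpo

# Exemption for the domain controllers: a member must reach a DC to obtain
# the Kerberos ticket before it can negotiate IPsec with anyone else.
New-NetIPsecRule -DisplayName 'Exempt domain controllers' -Mode Transport `
    -RemoteAddress 10.0.0.10, 10.0.0.11 `
    -InboundSecurity None -OutboundSecurity None -GPOSession $gpo

Save-NetGPO -GPOSession $gpo

# --- Server isolation: GPO scoped to the finance servers only ---
$srv = Open-NetGPO -PolicyStore 'corp.example\Finance Server Isolation'

# Resolve the group to its SID; the SDDL below grants the group only.
$sid = (New-Object System.Security.Principal.NTAccount('CORP', 'Finance-Server-Access')).
           Translate([System.Security.Principal.SecurityIdentifier]).Value

# Inbound SMB is allowed only over an authenticated IPsec connection whose
# peer computer is in the group; any other computer, even with valid user
# credentials, is refused at the network layer.
New-NetFirewallRule -DisplayName 'SMB from trusted finance clients only' `
    -Direction Inbound -Protocol TCP -LocalPort 445 -Action Allow `
    -Authentication Required -RemoteMachine "O:LSD:(A;;CC;;;$sid)" `
    -GPOSession $srv

Save-NetGPO -GPOSession $srv
```

After the GPOs apply, Get-NetIPsecRule -PolicyStore ActiveStore shows the effective rules on a member, and Get-NetIPsecMainModeSA and Get-NetIPsecQuickModeSA show which peers actually negotiated security associations.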

The Business Benefits

The benefits of introducing a logical isolation defense layer include the following:

  • Additional security. A logical isolation defense layer provides additional security for all managed computers on the network.
  • Tighter control of who can access specific information. By using this solution, computers will not automatically gain access to all network resources simply by connecting to the network.
  • Lower cost. This solution is typically far less expensive to implement than a physical isolation solution.
  • Increase in the number of managed computers. If an organization's information is only available to managed computers, all devices will have to become managed systems to provide access to their users.
  • Improved levels of protection against malware attacks. The isolation solution will significantly restrict the ability of an untrusted computer to access trusted resources. For this reason, a malware attack from an untrusted computer will fail because the connection will not be allowed, even if the attacker obtains a valid user name and password.
  • A mechanism to encrypt network data. Logical isolation makes it possible to require encryption of all network traffic between selected computers.
  • Rapid emergency isolation. This solution provides a mechanism to quickly and efficiently isolate specific resources inside your network in the event of an attack.
  • Improved auditing. This solution provides a way to log and audit network access by managed resources.

Who Should Read This Guide

This guide is designed to support a server and domain isolation solution through all stages of the IT lifecycle, starting at the initial evaluation and approval phase and continuing through to deployment, testing, and management of the completed implementation. For this reason, the various chapters that comprise this guide have been written to meet the needs of a variety of readers.

Chapter 1 is designed primarily for the business decision maker who is trying to determine whether their organization will benefit from a server and domain isolation project. Understanding the contents of this chapter requires no specific technical knowledge beyond the comprehension of an organization's business and security needs.

The planning chapters of this guide (Chapters 2, 3, and 4) are intended to be most helpful to the technical architects and IT professionals who will be responsible for designing a customized solution for an organization. A good level of technical understanding of both the technologies involved and the organization's current infrastructure is required to get the most benefit from these chapters.

Chapter 5 and the appendices are designed for the support staff that is responsible for creating the deployment plans for the organization's solution. Included in this guidance are a number of recommendations about the process of completing a successful solution deployment as well as practical implementation steps to create the test lab environment.

Chapter 6 of the guide is intended as a reference for the staff that is responsible for the day-to-day operations of the solution after it is implemented and fully operational. A number of operating processes and procedures highlighted in this chapter should be built into the organization's operations framework.

Chapter 7 provides information about troubleshooting a server and domain isolation deployment. Because IPsec fundamentally affects network communications, troubleshooting information and techniques can significantly help organizations that implement IPsec as part of this solution.

Read the rest of the article on the Microsoft TechNet site:
