Re: Is total domain Isolation possible?



Hello,

You can enforce IPsec to isolate your network, but for DCs, they must also accept unencrypted traffic so new computers can join the domain (else how to join the IPsec network without IPsec?).
The DHCP server can't enforce IPsec either.

Your print server will have to be able to connect to non-IPsec devices (printers); you may add an exclusion for the printers' IP range.

You may not encrypt the traffic, as that needs CPU resources.

As always, the key to success is to prepare the job:
1/ Test in the lab
2/ Test in the lab
3/ Deploy smoothly, IT computers first
4/ Add an IPsec debugging procedure to your knowledge base

Another easy way is to use the XP firewall. Do not forget that laptops may have to be able to communicate without IPsec (like a home user with their ADSL).

XP Firewall + Windows Defender is a good defense level too.


--
Best regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


<zakkuto@xxxxxxxxx> wrote in message news:1187790398.800138.293790@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hello

I am trying to enhance the security on our network by implementing a
"Domain Isolation" solution using IPsec and group policies.

The environment looks like this:
- Small network, only one site.
- Active Directory, 1 domain
- 15 x Windows Server 2003 SP2
- 300 x Windows XP SP2
- 3rd party network attached devices like HP JetDirect

We simply want to isolate the domain totally, as in, all clients and
servers ONLY communicate with IPsec traffic. By doing this, we should
be able to avoid the threat of malicious software introduced by 3rd
party notebooks or unmanaged computers being plugged into our
network.

Article Q254949 says: "Currently, we do not support the use of IPSec
to encrypt network traffic from a domain client or member server to a
domain controller when you apply the IPSec policies by using Group
Policy or when you use the Kerberos version 5 protocol authentication
method"

I guess that means I will have to use "Request IPsec" instead of
"Require IPsec" on my Domain Controllers, and that means I can't call
it isolated anymore in my opinion.

Is it possible to run a totally isolated domain with 2003/xp or is
this one of those things I will have to wait for Vista/Longhorn to do?
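The policy shape the reply above describes (require IPsec between members, "request" on the DCs and DHCP server so an unjoined machine can still reach them, and a permit exemption for the printer range), written out with the `netsh ipsec static` context of XP SP2 / Server 2003. This is an added example, not a script from the thread; the policy names, the 10.0.0.0/8 LAN and the 10.0.50.0/24 printer range are assumptions.

```batch
@echo off
rem Added example, not from the original thread. Addresses and names are assumptions.

rem 1. Filter list: everything from this host to the LAN (mirrored covers the reverse direction).
netsh ipsec static add filterlist name="Domain-All"
netsh ipsec static add filter filterlist="Domain-All" srcaddr=me dstaddr=10.0.0.0 dstmask=255.0.0.0 protocol=ANY mirrored=yes

rem 2. Filter list for the JetDirect printers, which cannot negotiate IPsec.
netsh ipsec static add filterlist name="Printers"
netsh ipsec static add filter filterlist="Printers" srcaddr=me dstaddr=10.0.50.0 dstmask=255.255.255.0 protocol=ANY mirrored=yes

rem 3. Filter actions.
rem    "Request": negotiate, but accept unsecured inbound (inpass=yes) and fall back
rem    to clear text (soft=yes). DCs and the DHCP server need this so a new computer
rem    can obtain an address and join the domain before it has any IPsec policy.
netsh ipsec static add filteraction name="Request-IPsec" action=negotiate inpass=yes soft=yes
rem    "Require": no clear-text fallback at all; ordinary members and servers.
netsh ipsec static add filteraction name="Require-IPsec" action=negotiate inpass=no soft=no
rem    Plain permit for the printer exemption.
netsh ipsec static add filteraction name="Permit" action=permit

rem 4. Member policy: require IPsec to the LAN, exempt printers. Kerberos authentication.
netsh ipsec static add policy name="Member-Isolation" description="Require IPsec to LAN, exempt printers"
netsh ipsec static add rule name="LAN" policy="Member-Isolation" filterlist="Domain-All" filteraction="Require-IPsec" kerberos=yes
netsh ipsec static add rule name="Printers" policy="Member-Isolation" filterlist="Printers" filteraction="Permit"

rem    DC / DHCP policy: request only, so the boundary stays reachable without IPsec.
netsh ipsec static add policy name="DC-DHCP-Boundary" description="Request IPsec; unjoined machines may still connect"
netsh ipsec static add rule name="LAN" policy="DC-DHCP-Boundary" filterlist="Domain-All" filteraction="Request-IPsec" kerberos=yes

rem 5. Assign locally for the lab test; in production assign the policies through a GPO.
netsh ipsec static set policy name="Member-Isolation" assign=y

rem Debugging (step 4 of the reply): confirm what is assigned and which main-mode SAs exist.
netsh ipsec static show policy name="Member-Isolation" level=verbose
netsh ipsec dynamic show mmsas
```

The "Request" action on the DC side is exactly the trade-off the question raises: the domain is not totally isolated, because any host that will not negotiate gets clear-text access to the DC and DHCP server.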


.


