The Value of Domain Isoaltion (Part 1)

  • Article

====================== DISCLAIMER ====================
This posting is provided "AS IS" with no warranties, and confers no rights.
====================================================

Perhaps you are a seasoned, battle-hardened IT veteran or perhaps you’re someone who was late to the meeting where they were assigning someone to be the “IT guy” and you, my friend, were the scapegoat lucky individual. Maybe your IT environment is a dozen or some servers and a handful of desktops or perhaps it is 10,000 servers and 100,000 desktops. Your staff might be you and your iPod or it might be over 30 people. It’s tough work - not for the timid. But you are part of the few, the proud, the elite, the nerd patrol. You are an “IT guy (or gal)” and proud of it - pocket-protector jokes aside.

You struggle constantly to maintain a fine and delicate balance between meeting SLAs, keeping expenses down, hiring and retaining the best people, reducing TCO, and not getting busted by diligently and happily conforming to HIPPA, SOX or some other regulation… oh, yea, and maintaining our sanity and hopefully getting to go home and see your family before your two-year old graduates from college.

So you have to weigh carefully each and every script, option, tool, product, process and change that comes down the pike (unless of course the powers-that-be have “reduced your decision-making overhead”). So amidst this storm of challenge and option, what is the value to you, your staff, your IT environment and the bottom line, of domain isolation?

Better Security
In these days, we are all looking for better ways to keep out the bad guys, whether at home while using IM or at work, guarding a multi-million dollar network. We put up firewalls, specially configure routers, tweak ACLs, create and enforce stringent policies, etc. “Defense in Depth” is the slogan of this new world and you are constantly looking for ways to batten down the hatches. There is good news in al of this - domain and server isolation can help… a lot.

A good deal of the threat out there is unknown computers connecting to and “leveraging” your IT computers. Domain isolation provides a rather simple and inexpensive way to mitigate this threat. Computers must authenticate themselves and be able to negotiate successfully before connecting to computers in your domain(s).

Lower TCO
Total Cost of Owning Stuff (the “S” is silent) reduction is all the rage in these days of shrinking IT budgets. “Do more with less” is the battle cry. How about “Do more with nothing”? To quote the “Introduction to Server and Domain Isolation with Microsoft Windows” paper again:

Everything that you need to create an isolated network is already available on computers running the Microsoft® Windows® XP, Microsoft® Windows Server™ 2003, and Microsoft® Windows® 2000 Server operating systems. All that you need to do is to ensure that computers are members of your domain and to configure the appropriate Group Policy settings to require authentication for incoming communication attempts, to secure data traffic, and optionally, to encrypt data traffic. After you have applied the appropriate Group Policy settings, you add a new computer to the isolated network by making it a member of the Active Directory domain. No new hardware is required.

So, the initial cost of domain isolation is.. well $0 (unless you have to upgrade some servers or desktops). Good so far, but TCO isn’t just about initial cost, the real metric is what between when you hit the Finish button and you retire the software in favor of something better - or you retire in favor of something better. How about maintaining, changing, adapting, and fixing domain isolation? Huh, what about that, huh?

The cool thing about domain isolation is that Active Directory does the heavy lifting (it even has one of those special belts). Need to change an IPsec policy or two? Let AD distribute them using GPO. Need to add the policies to new desktops, again send errand-boy AD.

Flexibility and Power
Domain isolation, as documented in the white papers mentioned the other day, is relatively simple to design, deploy and maintain. But what if my IT environment requires more complex policy than that? What if I have to allow communications between IPsec and non-IPsec computers? What if I have network hardware/software that doesn’t “like” IPsec (like NAT devices)?

There is more good news - domain isolation is simple and flexible. You can apadpt your IPsec policies and have AD manage them for you. In some situations, you can also create local policies. But IPsec can handle it.

Resources For More Complex Deployments (in order of ascending nerd-factor)
"Interoperability Considerations for IPsec Server and Domain Isolation"
This paper describes interoperability between IPsec-secured hosts running Windows Server 2003, Windows XP with Service Pack 2 (SP2), and Windows 2000 Server with Service Pack 4 (SP4) in a domain or server isolation scenario and hosts that cannot use IPsec, including computers running earlier versions of Windows or non-Microsoft operating systems. It is intended for IT professionals in organizations that are investigating using IPsec in Microsoft Windows to deploy server and domain isolation.
https://www.microsoft.com/downloads/details.aspx?FamilyId=10359569-EF11-499A-9E1F-85DA3FCA608C&displaylang=en

"Improving Security with Domain Isolation"
This is a rather detailed write-up of how Microsoft IT deployed domain and server isolation. There is a lot of good advice and best practices in here from the folks who not only know IT but also have some rather close connections with the folks who actually wrote the code in Windows (wink).
https://www.microsoft.com/technet/itsolutions/msit/security/ipsecdomisolwp.mspx

Using Microsoft Windows IPSec to Help Secure an Internal Corporate Network Server
This is a huge whitepaper from the folks at Foundstone (www.foundstone.com) and Microsoft that goes into glorious detail and scope all about IPsec including conceptual all the way to step-by-step.
Note - This is a serious, lift-with-your-legs white paper and not for the timid. IF you are relatively new to IPsec, I would strongly suggest you start with the domain isolation introduction paper I mentioned the other day.
https://www.microsoft.com/downloads/details.aspx?FamilyID=a774012a-ac25-4a1d-8851-b7a09e3f1dc9&displaylang=en

Server and Domain Isolation Using IPsec and Group Policy
This is a PDF document that uses the fictitious Woodgrove Bank as a platform to document server and domain isolation is the type of detail and scope that inspires shock and awe, or at least awe. The “The Business Benefits” section on page 12 is a good one to look at and I promise I didn’t steal anything from there (wink). The doc also comes with installable tools and templates. The readme.txt file has a list of the files.
Note - This is a serious, lift-with-your-legs white paper and not for the timid. IF you are relatively new to IPsec, I would strongly suggest you start with the domain isolation introduction paper I mentioned the other day.
Another Note - you have to register with Microsoft to get this whitepaper and you must have a Passport account to do so.
https://www.microsoft.com/downloads/details.aspx?FamilyId=404FB62F-7CF7-48B5-A820-B881F63BC005&displaylang=en