Server and Domain Isolation Using IPsection - Network


  1. Server and Domain Isolation Using IPsection

    Hi



    In our company we want to achieve that users who connect their home
    laptops (if they bring their home laptops to work) to our local network
    don't get any access to other computers, servers, the internet, etc.

    We're thinking of implementing 'Server and Domain Isolation Using IPsec', so
    that only computers that are part of our domain and are controlled through
    GPO settings for IPsec have access; other computers that are not part of our
    local domain have access only if we manually set IPsec parameters in their
    local GPO.

    I'm wondering if it is possible that users who don't have these settings
    set, if they connect their laptops to our network (some of them are so
    clever that they are able to set an IP address on their home computers, so
    they could get a connection to the internet), don't have any access based on
    this GPO (to other computers and servers) and also DON'T HAVE ACCESS TO THE
    INTERNET, so that they are completely isolated?

    Any ideas or suggestions will be appreciated.

    Thank you in advance

    Regards

    Miha





  2. Re: Server and Domain Isolation Using IPsection

    I see a couple of problems. First, in a domain you probably want to use
    Kerberos for computer authentication for IPsec. If that is the case for you,
    then you cannot configure the local IPsec policy on a non-domain computer to
    be able to access a domain computer. Otherwise, to provide access you would
    need to use pre-shared key or certificate authentication. I do not recommend
    pre-shared key because the PSK is not securely stored on domain computers
    and a user could find your PSK and compromise your IPsec security.
    Certificates could work but are more difficult to deploy and require the use
    of a Certificate Authority. You could also have different IPsec policies
    within the domain, some that use Kerberos and some that use certificates.
    Also keep in mind that domain controllers cannot use IPsec to protect the
    traffic between domain computers [non-DCs] and domain controllers that is
    used for authentication, which is a lot of ports/protocols that need to be
    allowed, and in general it is best to just not use IPsec on domain
    controllers for traffic between domain controllers and domain members.

    The other problem is denying users access to the internet. Usually all that
    is required to access the internet is a default gateway, and unless that
    default gateway is something like ISA 2004, no user or computer
    authentication is required. If you do use ISA 2000/2004 then you can
    configure it to require user authentication to access the internet, and I
    believe that you could have an IPsec require policy on the ISA server [not
    if a DC] that would not allow user authentication to work, because the
    non-domain computer could not use IPsec to communicate with the ISA server
    in order to authenticate the user.

    Beyond all that, if you use managed switches on your network that can filter
    port access by MAC address, you may want to implement that in order to try
    to keep unauthorized computers from accessing your network. Of course MAC
    addresses can be spoofed, but you should have a computer use policy in force
    that prohibits such and take harsh disciplinary action against violators.
    Such a policy should also ban non-authorized computers from being connected
    to your network. When the Blaster worm came out, many an admin found out how
    serious it was to allow an unauthorized computer to connect to the network.
    I heard stories where networks with thousands of computers were shut down in
    a matter of minutes. Unauthorized computers are also a hacker's favorite
    back door. --- Steve







  3. Re: Server and Domain Isolation Using IPsection

    Hi Steve. Thank you for the reply and the information!

    You said that if computers are non-domain computers there would be a problem
    accessing servers that require IPsec authentication, because of the
    Kerberos.

    Are there any other ways to give access to these computers? We have
    computers in the call center that are not domain computers, and they need to
    access resources on some servers that we're planning to secure with IPsec.
    Could we make extra rules on these servers, so that they disallow access to
    all non-domain computers except these ones, besides the existing rule to
    allow only IPsec authentication?

    Regarding the firewall, we don't have ISA, we use Netscreen, so as far as I
    see for now, there is no way to block access to the internet for non-IPsec
    computers? Or are there any other possibilities?

    You also mentioned that we could use an extra policy to ban non-authorized
    computers from being connected to our network. Can this be done based on
    IPsec policy with GPO?

    Thanks again for all the help.

    Regards

    Miha







  4. Re: Server and Domain Isolation Using IPsection

    Hi Miha.

    There may be a way, but you need to test it out thoroughly first. The least
    secure way is to create a rule with a permit filter action for the IP
    addresses of the non-domain authorized computers, but that poses the risk
    that if someone with a non-authorized computer configured their computer
    with an authorized IP address they could be allowed access. Also such
    traffic would not be encrypted.

    The other way is to try and configure two computer authentication methods in
    your IPsec policy on the server, with the top of the list being Kerberos and
    the second in the list being certificates. Your non-domain computer and the
    server would need IPsec certificates and to trust the issuing CA. It is
    possible to issue non-domain computer IPsec certificates by enabling the
    offline IPsec certificate template and having them use web enrollment to
    request and install the IPsec offline certificate. I believe this may work
    but am not 100 percent sure. You can use pre-shared keys in place of
    certificates as the second authentication method, but I recommend that you
    do that for testing purposes only, to see whether two computer
    authentication methods will work well or not.

    I can't think of a way other than using something like ISA to accomplish
    your goal of restricting internet access for non-domain computers, unless
    you would consider MAC filtering at the switch ports. The extra policy was a
    non-technical solution that the user would need to read and sign and keep a
    copy of for their records, similar to policies that state you cannot
    "borrow" company equipment or sleep on the job. --- Steve

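    The two server-side options Steve describes above, the permit rule for listed call-center addresses and the negotiate rule offering Kerberos first and a certificate second, written out as the netsh ipsec static commands you would run on a Windows Server 2003 member server. This is an added example, not from the thread; the policy, filter-list and action names, the 192.0.2.10 call-center address and the CA distinguished name are constructed placeholders.

```batch
@echo off
rem Added example (not from the thread): build the server-side IPsec policy
rem discussed above with netsh ipsec static on Windows Server 2003.
rem Names, the 192.0.2.10 address and the CA DN are constructed placeholders.

rem 1. A new, unassigned policy. Assign only after testing, as advised above.
netsh ipsec static add policy name="Server Isolation" ^
    description="Require authenticated IPsec for inbound traffic" ^
    activatedefaultrule=no assign=no

rem 2. Filter list: everything inbound to this host (mirrored covers replies).
netsh ipsec static add filterlist name="All inbound"
netsh ipsec static add filter filterlist="All inbound" ^
    srcaddr=any dstaddr=me protocol=ANY mirrored=yes

rem 3. Filter action: negotiate ESP, no clear-text fallback (soft=no),
rem    no unsecured inbound traffic accepted (inpass=no).
netsh ipsec static add filteraction name="Require ESP" ^
    action=negotiate inpass=no soft=no ^
    qmsecmethods="ESP[3DES,SHA1]:100000k/3600s"

rem 4. Rule offering two computer authentication methods: Kerberos for
rem    domain members, a certificate from the internal CA for the
rem    call-center hosts enrolled through the offline IPsec template.
rem    Confirm in the IP Security Policy MMC snap-in that Kerberos ends up
rem    first in the method list; reorder there if it does not.
netsh ipsec static add rule name="Domain or certificate" ^
    policy="Server Isolation" filterlist="All inbound" ^
    filteraction="Require ESP" kerberos=yes ^
    rootca="C=SI,O=Example Corp,CN=Example Corp Root CA" activate=yes

rem 5. The least-secure alternative from the thread: permit listed
rem    call-center addresses in the clear. Any host configured with that
rem    address is let in, and the traffic is not encrypted.
netsh ipsec static add filterlist name="Call center hosts"
netsh ipsec static add filter filterlist="Call center hosts" ^
    srcaddr=192.0.2.10 srcmask=255.255.255.255 dstaddr=me ^
    protocol=ANY mirrored=yes
netsh ipsec static add filteraction name="Permit clear" action=permit
rem    Left inactive so the certificate path (step 4) is tested on its own.
netsh ipsec static add rule name="Call center permit" ^
    policy="Server Isolation" filterlist="Call center hosts" ^
    filteraction="Permit clear" activate=no

rem 6. Review the result, then assign the policy once testing is done.
netsh ipsec static show policy name="Server Isolation" level=verbose
rem netsh ipsec static set policy name="Server Isolation" assign=yes
```

    Domain controllers are deliberately not covered by this policy, for the reason Steve gives in his first reply: member-to-DC authentication traffic has to stay outside IPsec.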




  5. Re: Server and Domain Isolation Using IPsection

    Thanks again for the information.
    We'll try, as you have said, to set up two computer authentication methods to
    see how it will work.
    Regards
    Miha





  6. Re: Server and Domain Isolation Using IPsection

    Sounds good, Miha. If it works as you want and you implement certificate
    authentication, be sure to tightly control which users, via read/enroll
    permissions, can request the IPsec offline security certificate, which you
    can do in the properties of the security template, and when installing it,
    train the user not to select the option to be able to export the private key
    for it, if that option is available. --- Steve



    "Miha" wrote in message
    news:%23q6JVKxJGHA.916@TK2MSFTNGP10.phx.gbl...
    > Thanks again for the informations.
    > We'll try as you have said to set up two computer authentication method to
    > see how it will work.
    > Regards
    > Miha
    >
    > "Steven L Umbach" wrote in message
    > news:OazYEFoJGHA.2708@tk2msftngp13.phx.gbl...
    >> Hi Miha.
    >>
    >> There may be a way but you need to test it out thoroughly first. The
    >> least secure way is to create a rule with a permit filter action for the
    >> IP addresses of the non domain authorized computers but that poses the
    >> risk that is someone with a non authorized computer configured their
    >> computer with an authorized IP address they could be allowed access. Also
    >> such traffic would not be encrypted.
    >>
    >> The other way is to try and configure two computer authentication methods
    >> in your ipsec policy on the server with the top of the list being
    >> Kerberos and then the second in the list being certificates. Your non
    >> domain computer and the server would need ipsec certificates and to trust
    >> the issuing CA. It is possible to issue non domain computer ipsec
    >> certificates by enabling the offline ipsec certificate template and
    >> having them use web enrollment to request and install the ipsec offline
    >> certificate. I believe this may work but am not 100 percent sure. You can
    >> use pre shared keys in place of certificates as the second authentication
    >> method but I recommend that you do that for testing purposes only to see
    >> if two computer authentication methods will work well or not.
    >>
    >> I can't think of a way other than using something like ISA to accomplish
    >> your goal of restricting internet access to non domain computers unless
    >> you would consider mac filtering at the switch ports. The extra policy
    >> was a non technical solution that the user would need to read and sign
    >> and keep a copy for their records similar to policies that state you can
    >> not "borrow" company equipment or sleep on the job. --- Steve
    >>
    >> "Miha" wrote in message
    >> news:%23BoVVomJGHA.1288@TK2MSFTNGP09.phx.gbl...
    >>> Hi Steve. Thank you for the reply and information's !
    >>>
    >>> You said that if computers are non domain computers there would be
    >>> problem accessing servers that require IPSec authentication, because of
    >>> the Kerberos.
    >>>
    >>> Are there any other ways to give access to these computers? We have
    >>> computers in call center that are not a domain computers, and they need
    >>> to access resources on some servers, that we're planning to secure them
    >>> with IPsec.Could we made extra rules to this servers, that they disallow
    >>> access to all non-domain computers except this ones, besides the
    >>> existing rule to allow only ipsec avtentications.
    >>>
    >>> Regarding firewall, we don't have ISA, we use Netscreen, so as far as I
    >>> see for now, there is no way to block access to the internet for
    >>> non-ipsec computers? Or are there any other possibilities?
    >>>
    >>> You also mentioned that we could use extra policy to ban non-authorized
    >>> computers from being connected to our network. Can this be done based on
    >>> IPSec policy with GPO?
    >>>
    >>> Thank's again for all the help.
    >>>
    >>> Regards
    >>>
    >>> Miha
    >>>
    >>>
    >>>
    >>> "Steven L Umbach" wrote in message
    >>> news:eMvZAshJGHA.516@TK2MSFTNGP15.phx.gbl...
    >>>>I see a couple problems. First in a domain you probably want to use
    >>>>Kerberos for computer authentication for ipsec. If that is the case for
    >>>>you then you can not configure the local ipsec policy on a non domain
    >>>>computer to be able to access a domain computer. Otherwise to provide
    >>>>access you would need to use pre shared key or certificate
    >>>>authentication. I do not recommend pre shared key because PSK is not
    >>>>securely stored on domain computers and a user could find your PSK and
    >>>>compromise your ipsec security. Certificates could work but are more
    >>>>difficult to deploy and require the use of a Certificate Authority. You
    >>>>could also have different ipsec policies within the domain some that use
    >>>>Kerberos and some that use certificates. Also keep in mind that domain
    >>>>controllers can not use ipsec to protect traffic between domain
    >>>>computers [non DCs] and domain controllers that is used for
    >>>>authentication which is a lot of ports/protocols that need to be allowed
    >>>>and in general it is best to just not use ipsec on domain controllers
    >>>>for traffic between domain controllers and domain members.
    >>>>
    >>>> The other problem is denying users access to the internet. Usually all
    >>>> that is required to access the internet is a default gateway and unless
    >>>> that default gateway is something like ISA 2004 no user or computer
    >>>> authentication is required. If you do use ISA 2000/2004 then you can
    >>>> configure it to require user authentication to access the internet and
    >>>> I believe that you could have an ipsec require policy on the ISA server
    >>>> [not if a DC] that would not allow user authentication to work because
    >>>> the non domain computer could not use ipsec to communicate with the ISA
    >>>> server in order to authenticate the user.
    >>>>
    >>>> Beyond all that if you use managed switches on your network that can
    >>>> filter port access by mac address you may want to implement such in
    >>>> order to try to keep unauthorized computers from accessing your
    >>>> network. Of course mac addresses can be spoofed but you should have a
    >>>> computer use policy in force that prohibits such and take harsh
    >>>> disciplinary action for violators. Such policy should also ban non
    >>>> authorized computers from being connected to your network. When blaster
    >>>> worm came out many an admin found how serious it was to allow an
    >>>> unauthorized computer to connect to the network. I heard stories where
    >>>> networks with thousands of computers were shut down in a matter of
    >>>> minutes. Unathorized computers are also a hackers favorite back
    >>>> door. --- Steve
    >>>>
    >>>>
    >>>>
    >>>> "Miha" wrote in message
    >>>> news:u6rmSfYJGHA.3100@tk2msftngp13.phx.gbl...
    >>>>> Hi
    >>>>>
    >>>>>
    >>>>>
    >>>>> In our company we want to achieve that users that are connecting with
    >>>>> their home laptops (if they bring their home laptops at work ) into
    >>>>> our local network don't get any access to other computers, server,
    >>>>> internet etc.
    >>>>>
    >>>>> We're thinking of implementing 'Server and Domain Isolation Using
    >>>>> IPsec', so that only computers that are part of our domain and are
    >>>>> controlled through GPO settings for IPsec have access; other computers
    >>>>> that are not part of our local domain have access only if we manually
    >>>>> set the IPsec parameters for them in their local GPO.
    >>>>>
    >>>>>
    >>>>>
    >>>>> I'm wondering if it is possible that users who don't have these
    >>>>> settings set, if they connect their laptops to our network (some of
    >>>>> them are so clever that they are able to set an IP address on their
    >>>>> home computers, so they could get a connection to the internet), don't
    >>>>> have any access based on this GPO (to other computers and servers) and
    >>>>> also DON'T HAVE ACCESS TO THE INTERNET, so that they are completely
    >>>>> isolated?
    >>>>>
    >>>>> Any ideas or suggestions will be appreciated.
    >>>>>
    >>>>> Thank you in advance
    >>>>>
    >>>>> Regards
    >>>>>
    >>>>> Miha
    >>>>>
    >>>>>
    >>>>>
    >>>>>
    >>>>
    >>>>
    >>>
    >>>

    >>
    >>

    >
    >




  7. Re: Server and Domain Isolation Using IPsection

    Yes, you're right. Thanks again for the help.
    Regards
    Miha

    "Steven L Umbach" wrote in message
    news:Oq5%23$D0JGHA.2248@TK2MSFTNGP15.phx.gbl...
    > Sounds good Miha. If it works as you want and you implement certificate
    > authentication be sure to tightly control which users, via read/enroll
    > permissions, can request ipsec offline security certificate which you can
    > do in the properties of the security template and when installing it to
    > train the user to not select the option to be able to export the private
    > key for it if that option is available. --- Steve
    >
    >
    >
    > "Miha" wrote in message
    > news:%23q6JVKxJGHA.916@TK2MSFTNGP10.phx.gbl...
    >> Thanks again for the information.
    >> We'll try, as you have said, to set up two computer authentication methods
    >> to see how it will work.
    >> Regards
    >> Miha
    >>
    >> "Steven L Umbach" wrote in message
    >> news:OazYEFoJGHA.2708@tk2msftngp13.phx.gbl...
    >>> Hi Miha.
    >>>
    >>> There may be a way but you need to test it out thoroughly first. The
    >>> least secure way is to create a rule with a permit filter action for the
    >>> IP addresses of the non domain authorized computers but that poses the
    >>> risk that if someone with a non authorized computer configured their
    >>> computer with an authorized IP address they could be allowed access.
    >>> Also such traffic would not be encrypted.
    >>>
    >>> The other way is to try and configure two computer authentication
    >>> methods in your ipsec policy on the server with the top of the list
    >>> being Kerberos and then the second in the list being certificates. Your
    >>> non domain computer and the server would need ipsec certificates and to
    >>> trust the issuing CA. It is possible to issue non domain computer ipsec
    >>> certificates by enabling the offline ipsec certificate template and
    >>> having them use web enrollment to request and install the ipsec offline
    >>> certificate. I believe this may work but am not 100 percent sure. You
    >>> can use pre shared keys in place of certificates as the second
    >>> authentication method but I recommend that you do that for testing
    >>> purposes only to see if two computer authentication methods will work
    >>> well or not.
    >>>
    >>> I can't think of a way other than using something like ISA to accomplish
    >>> your goal of restricting internet access to non domain computers unless
    >>> you would consider mac filtering at the switch ports. The extra policy
    >>> was a non technical solution that the user would need to read and sign
    >>> and keep a copy for their records similar to policies that state you can
    >>> not "borrow" company equipment or sleep on the job. --- Steve
    >>>
    >>> "Miha" wrote in message
    >>> news:%23BoVVomJGHA.1288@TK2MSFTNGP09.phx.gbl...
    >>>> Hi Steve. Thank you for the reply and information!
    >>>>
    >>>> You said that if computers are non-domain computers there would be a
    >>>> problem accessing servers that require IPsec authentication, because of
    >>>> the Kerberos.
    >>>>
    >>>> Are there any other ways to give access to these computers? We have
    >>>> computers in the call center that are not domain computers, and they need
    >>>> to access resources on some servers that we're planning to secure
    >>>> with IPsec. Could we make extra rules on these servers so that they
    >>>> disallow access to all non-domain computers except these ones, besides
    >>>> the existing rule to allow only IPsec authentication?
    >>>>
    >>>> Regarding the firewall, we don't have ISA; we use Netscreen, so as far as
    >>>> I can see for now, there is no way to block access to the internet for
    >>>> non-IPsec computers? Or are there any other possibilities?
    >>>>
    >>>> You also mentioned that we could use extra policy to ban non-authorized
    >>>> computers from being connected to our network. Can this be done based
    >>>> on IPSec policy with GPO?
    >>>>
    >>>> Thanks again for all the help.
    >>>>
    >>>> Regards
    >>>>
    >>>> Miha
    >>>>
    >>>>
    >>>>
    >>>> "Steven L Umbach" wrote in message
    >>>> news:eMvZAshJGHA.516@TK2MSFTNGP15.phx.gbl...
    >>>>>I see a couple problems. First in a domain you probably want to use
    >>>>>Kerberos for computer authentication for ipsec. If that is the case for
    >>>>>you then you can not configure the local ipsec policy on a non domain
    >>>>>computer to be able to access a domain computer. Otherwise to provide
    >>>>>access you would need to use pre shared key or certificate
    >>>>>authentication. I do not recommend pre shared key because PSK is not
    >>>>>securely stored on domain computers and a user could find your PSK and
    >>>>>compromise your ipsec security. Certificates could work but are more
    >>>>>difficult to deploy and require the use of a Certificate Authority. You
    >>>>>could also have different ipsec policies within the domain some that
    >>>>>use Kerberos and some that use certificates. Also keep in mind that
    >>>>>domain controllers can not use ipsec to protect traffic between domain
    >>>>>computers [non DCs] and domain controllers that is used for
    >>>>>authentication which is a lot of ports/protocols that need to be
    >>>>>allowed and in general it is best to just not use ipsec on domain
    >>>>>controllers for traffic between domain controllers and domain members.
    >>>>>
    >>>>> The other problem is denying users access to the internet. Usually all
    >>>>> that is required to access the internet is a default gateway and
    >>>>> unless that default gateway is something like ISA 2004 no user or
    >>>>> computer authentication is required. If you do use ISA 2000/2004 then
    >>>>> you can configure it to require user authentication to access the
    >>>>> internet and I believe that you could have an ipsec require policy on
    >>>>> the ISA server [not if a DC] that would not allow user authentication
    >>>>> to work because the non domain computer could not use ipsec to
    >>>>> communicate with the ISA server in order to authenticate the user.
    >>>>>
    >>>>> Beyond all that if you use managed switches on your network that can
    >>>>> filter port access by mac address you may want to implement such in
    >>>>> order to try to keep unauthorized computers from accessing your
    >>>>> network. Of course mac addresses can be spoofed but you should have a
    >>>>> computer use policy in force that prohibits such and take harsh
    >>>>> disciplinary action for violators. Such policy should also ban non
    >>>>> authorized computers from being connected to your network. When
    >>>>> blaster worm came out many an admin found how serious it was to allow
    >>>>> an unauthorized computer to connect to the network. I heard stories
    >>>>> where networks with thousands of computers were shut down in a matter
    >>>>> of minutes. Unauthorized computers are also a hacker's favorite back
    >>>>> door. --- Steve
    >>>>>
    >>>>>
    >>>>>
    >>>>> "Miha" wrote in message
    >>>>> news:u6rmSfYJGHA.3100@tk2msftngp13.phx.gbl...
    >>>>>> Hi
    >>>>>>
    >>>>>>
    >>>>>>
    >>>>>> In our company we want to achieve that users that are connecting with
    >>>>>> their home laptops (if they bring their home laptops at work ) into
    >>>>>> our local network don't get any access to other computers, server,
    >>>>>> internet etc.
    >>>>>>
    >>>>>> We're thinking of implementing 'Server and Domain Isolation Using
    >>>>>> IPsec', so that only computers that are part of our domain and are
    >>>>>> controlled through GPO settings for IPsec have access; other
    >>>>>> computers that are not part of our local domain have access only if
    >>>>>> we manually set the IPsec parameters for them in their local GPO.
    >>>>>>
    >>>>>>
    >>>>>>
    >>>>>> I'm wondering if it is possible that users who don't have these
    >>>>>> settings set, if they connect their laptops to our network (some of
    >>>>>> them are so clever that they are able to set an IP address on their
    >>>>>> home computers, so they could get a connection to the internet), don't
    >>>>>> have any access based on this GPO (to other computers and servers)
    >>>>>> and also DON'T HAVE ACCESS TO THE INTERNET, so that they are completely
    >>>>>> isolated?
    >>>>>>
    >>>>>> Any ideas or suggestions will be appreciated.
    >>>>>>
    >>>>>> Thank you in advance
    >>>>>>
    >>>>>> Regards
    >>>>>>
    >>>>>> Miha
    >>>>>>
    >>>>>>
    >>>>>>
    >>>>>>
    >>>>>
    >>>>>
    >>>>
    >>>>
    >>>
    >>>

    >>
    >>

    >
    >
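The policy Steve suggests in the quoted replies (two computer authentication methods on the server, Kerberos first and certificates second, with member-to-domain-controller traffic left out of IPsec) written out as a Windows Server 2003-era `netsh ipsec static` script. This is an added example, not something posted in the thread; the DC subnet and the issuing CA name are constructed placeholders.

```bat
@echo off
REM Added example (not from the thread): local IPsec policy built with
REM "netsh ipsec static" on Windows XP / Server 2003, following the thread's
REM suggestion of ordered computer authentication methods, Kerberos first and
REM certificates second, plus a permit exemption for domain controller traffic.
REM Placeholders (constructed, replace for your environment):
REM   DC_NET/DC_MASK - subnet holding the domain controllers
REM   CA_DN          - distinguished name of the CA issuing the IPsec certs
set DC_NET=192.0.2.0
set DC_MASK=255.255.255.0
set CA_DN=CN=Example Issuing CA,DC=example,DC=local

REM 1. The policy object. Main-mode method: 3DES encryption, SHA1, DH group 2.
netsh ipsec static add policy name="Server Isolation" ^
    description="Require IPsec from domain (Kerberos) or certificate peers" ^
    mmsecmethods="3DES-SHA1-2" activatedefaultrule=no

REM 2. Exempt traffic to the domain controllers. The thread warns that the
REM    member-to-DC authentication traffic should not be protected by IPsec.
REM    Windows applies the most specific matching filter, so this subnet
REM    filter wins over the catch-all filter added in step 3.
netsh ipsec static add filterlist name="To Domain Controllers"
netsh ipsec static add filter filterlist="To Domain Controllers" ^
    srcaddr=me dstaddr=%DC_NET% dstmask=%DC_MASK% protocol=ANY mirrored=yes
netsh ipsec static add filteraction name="Permit Clear" action=permit
netsh ipsec static add rule name="DC Exemption" policy="Server Isolation" ^
    filterlist="To Domain Controllers" filteraction="Permit Clear"

REM 3. Everything else must negotiate ESP. soft=no forbids falling back to
REM    clear text when the peer cannot do IPsec, and inpass=no refuses
REM    unsecured inbound traffic; together these are what keep an unmanaged
REM    laptop with a hand-set IP address from reaching the server.
netsh ipsec static add filterlist name="All Traffic"
netsh ipsec static add filter filterlist="All Traffic" ^
    srcaddr=me dstaddr=any protocol=ANY mirrored=yes
netsh ipsec static add filteraction name="Require ESP" action=negotiate ^
    inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]:100000k/3600s"

REM 4. Two authentication methods on one rule: Kerberos is listed first, so
REM    domain members need no certificate; the non-domain call-center PCs
REM    holding an IPsec certificate chained to CA_DN use the second method.
REM    No psk= is given: the thread advises PSK for testing only.
netsh ipsec static add rule name="Require IPsec" policy="Server Isolation" ^
    filterlist="All Traffic" filteraction="Require ESP" ^
    kerberos=yes rootca="%CA_DN% certmap:no excludecaname:no"

REM 5. Assign the policy; only one local IPsec policy can be active at a time.
netsh ipsec static set policy name="Server Isolation" assign=yes
```

In a domain the same objects would normally be created in the GPO's IP Security Policies node rather than with a local `netsh` script, and `netsh ipsec static show all` lists what was created for review.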



