Network Security with IPSEC - Network


  1. Network Security with IPSEC

    Hi all

    I hope somebody can help me with the following scenario:

    I run a small LAN of about 50 XP / 2000 Workstations, 2 Windows 2003
    Servers and 1 2000 Server. All these computers are part of a domain and have
    various group policies applied to them.

    These computers also sit on a private address range with a NAT gateway
    running FreeBSD which then routes into a DMZ running various other FreeBSD
    machines which front the internet. For example, POSTFIX mailserver operating
    as a relay collecting and sending mail on behalf of my exchange 2003 server.

    OK, here's my problem:

    I am concerned that various laptop users (which are not part of my domain)
    are connecting their devices directly into my Ethernet and using the
    internet facility. When they do this, the Windows DHCP gives them the
    appropriate IP and they're away using the net for whatever they want. This
    generally has not been a problem until recently when I found a user's laptop
    that was so infested with viruses and spyware that it brought my bandwidth to
    its knees.

    It is very important that users continue to have access to the internet from
    non-domain computers so I have been trying to find ways of controlling who
    has access.

    My solution is to use IPSEC across my entire network; this would have the
    added security levels which will soon be demanded by our head company as
    well as stopping non-domain computers accessing the LAN unless I personally
    issued them with a digital certificate.

    Unfortunately I don't know that much about Windows 2003 IPSEC and so far
    have been unsuccessful in finding data to help me configure IPSEC in the
    above manner. I would therefore be grateful if somebody would give me some
    pointers or direct me to some step by step documents on the net or even
    recommend a good reference book.

    Your help would be appreciated.



    Regards
    NM





  2. Re: Network Security with IPSEC

    Hi,

    This whitepaper should help you out...

    Server and Domain Isolation Using IPsec and Group Policy
    http://www.microsoft.com/technet/sec...c/default.mspx

    --
    Mike
    Microsoft MVP - Windows Security





  3. Re: Network Security with IPSEC

    http://microsoft.com/ipsec

    However, IPsec in and of itself alone is not the technology
    which satisfies all of your requirements (i.e. it would not block
    access to the gate out to the internet unless that is proxied by a
    server that requires IPsec binding).






  4. RE: Network Security with IPSEC

    Think about implementing port security on the switch. You should also think
    about setting up a separate LAN for the non-domain users in the DMZ; that way
    they are isolated from your network. Set up one of your BSD servers to assign
    IP addresses to that subnet.

    Pete

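The guest-segment idea from the last reply, sketched as a pf ruleset for the FreeBSD NAT gateway. This is an added example, not configuration posted by anyone in the thread; the use of pf, a dedicated guest interface on the gateway, the interface names and both subnets are assumptions.

```pf
# Constructed example: pf.conf fragment for the FreeBSD NAT gateway.
# Interface names and address ranges below are assumptions.
ext_if    = "em0"              # towards the DMZ / internet
lan_if    = "em1"              # domain LAN (Windows workstations and servers)
guest_if  = "em2"              # separate segment for non-domain laptops
lan_net   = "192.168.10.0/24"
guest_net = "192.168.50.0/24"

set skip on lo0

# Both segments are translated on the way out.
nat on $ext_if inet from { $lan_net, $guest_net } to any -> ($ext_if)

# Default deny, logged so dropped guest traffic shows up on pflog0.
block log all

# Drop packets whose source address belongs to another interface's network.
antispoof quick for { $lan_if, $guest_if }

# Guests must never reach the domain LAN, whatever later rules allow.
block in log quick on $guest_if from any to $lan_net

# Guests: DHCP from the gateway, DNS, and web browsing only.
pass in on $guest_if inet proto udp from any port 68 to any port 67
pass in on $guest_if inet proto { tcp, udp } from $guest_net to any port 53
pass in on $guest_if inet proto tcp from $guest_net to any port { 80, 443 }

# Domain LAN keeps its existing outbound access.
pass in on $lan_if inet from $lan_net to any

# Stateful egress for traffic admitted above.
pass out on $ext_if inet
```

The file can be syntax-checked with `pfctl -nf /etc/pf.conf` before loading, and `tcpdump -n -e -i pflog0` shows what the guest segment is being denied.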

