You’ve probably faced this situation at one time or another—users want unrestricted access to the network and the Internet while at the same time you need to maintain a high level of security. To meet these often conflicting demands, you can use domain isolation and IPsec to create isolated networks that are secure, without having to make expensive hardware or software changes.
To use domain isolation on Windows Server 2003, make sure you’re familiar with IPsec. For an introduction to IPsec, see “Use IPsec to Encrypt Data” (http://www.securityprovip.com/Articles/ArticleID/96508/96508.html). Before we talk about how to configure domain isolation, let’s look at the myths of domain isolation and some of its limitations. Then we’ll examine a simple scenario in which we use Group Policy to push out a simple IPsec policy to enable domain isolation.
What Is Domain Isolation?
Domain isolation is the ability to protect a group of computers—for instance, those that belong to a Windows Active Directory (AD) domain—from computers that aren’t domain members. Domain isolation is useful, for example, when a visitor to your office plugs a laptop into a network port to get Internet access. No matter how diligent you are about keeping patches and antivirus definitions up-to-date, your efforts might be in vain if an infected machine connects to your network. IPsec domain isolation creates a barrier that protects the domain at the network layer, so protected traffic transparently traverses routers, switches, and hubs. One advantage of IPsec over the Windows Firewall in Windows XP is that IPsec can provide outbound as well as inbound filtering. . . .
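As an added example (not from the article or its Group Policy walkthrough), the following netsh ipsec static script builds the kind of policy described above on a Windows Server 2003 or XP SP2 member computer: inbound connections must be IPsec-protected and authenticated with Kerberos, so a non-domain laptop plugged into the LAN cannot reach the machine, while traffic to the domain controller is exempted so Kerberos itself still works. The policy and filter-list names and the domain controller address 192.0.2.10 are assumptions; in a real deployment the same policy would be pushed through a GPO rather than typed on each host.

```batch
@echo off
rem Added example: local IPsec domain-isolation policy (Windows Server 2003 / XP SP2).
rem Assumed values: policy/list names and the domain controller address 192.0.2.10.

rem 1. Create the policy container (not assigned until the last step).
netsh ipsec static add policy name="Domain Isolation" description="Require IPsec from domain members"

rem 2. Exempt the domain controller. Kerberos, LDAP and DNS to the DC must flow in the
rem    clear, otherwise a client can never obtain the ticket that IPsec negotiation needs.
rem    A filter to a specific address is more specific than "any", so it wins regardless
rem    of rule order.
netsh ipsec static add filterlist name="DC Traffic"
netsh ipsec static add filter filterlist="DC Traffic" srcaddr=me dstaddr=192.0.2.10 protocol=ANY mirrored=yes
netsh ipsec static add filteraction name="Permit DC" action=permit
netsh ipsec static add rule name="Exempt DC" policy="Domain Isolation" filterlist="DC Traffic" filteraction="Permit DC"

rem 3. Everything else: negotiate IPsec with Kerberos (i.e. domain membership) as the
rem    only authentication method. inpass=no and soft=no mean a peer that cannot
rem    negotiate is dropped instead of being let through in the clear.
netsh ipsec static add filterlist name="All IP Traffic"
netsh ipsec static add filter filterlist="All IP Traffic" srcaddr=me dstaddr=any protocol=ANY mirrored=yes
netsh ipsec static add filteraction name="Require Kerberos IPsec" action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]"
netsh ipsec static add rule name="Require IPsec" policy="Domain Isolation" filterlist="All IP Traffic" filteraction="Require Kerberos IPsec" kerberos=yes

rem 4. Assign the policy and confirm what is active.
netsh ipsec static set policy name="Domain Isolation" assign=yes
netsh ipsec static show policy name="Domain Isolation"
```

Because the DC exemption is by address, a wrong or changed DC address locks every member out of the domain; a cautious rollout therefore starts with soft=yes (fall back to clear for peers that cannot negotiate), checks IP Security Monitor for established SAs, and only then switches to the strict action shown here.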

