IPSec: Internet Protocol Security (IPSec), ver 4


Resource: Microsoft > TechNet Home > TechNet Security > Topics

Winteacher.com > Part 2 > IPSEC > Chapter 2: Understanding Server and Domain Isolation

Understanding Server and Domain Isolation

Using a LAN in IT requires a high level of security, and that security must be built at the different layers of the network. It can be achieved with various technologies; at the Transport and Network layers (layers 3 and 4) these include IPv6, 802.1x, network switches, VLANs and finally IPsec. In this section we try to examine the differences between IPsec and the other technologies, how IPsec is applied to the network through GPO, and how the communication of one computer or host with another host, or with another network, can be isolated.


On This Page

1. Chapter Prerequisites
2. Who Should Read This Chapter
3. Business Requirements
4. Identifying Trusted Computers
5. How Does Server and Domain Isolation Fit into My Overall Network Security Strategy?
6. Terminology Refresher
7. How Can Server and Domain Isolation Be Achieved?
8. What Does Server and Domain Isolation Protect Us From?
9. How Can We Deploy Server and Domain Isolation?

Chapter Prerequisites

Before starting this section you must be fully familiar with the items described below; they are the prerequisites of this chapter.

Knowledge Prerequisites

Familiarity with Microsoft® Windows Server™ 2003 is required in the following areas:

Active Directory® directory service concepts (including Active Directory structure and tools; manipulating users, groups, and other Active Directory objects; and use of Group Policy).

Authentication concepts including use of the Kerberos version 5 protocol and public key infrastructure (PKI).

Microsoft Windows® system security; security concepts such as users, groups, auditing, and access control lists (ACL); the use of security templates; mutual authentication concepts; standard name resolution methods and concepts such as Domain Name System (DNS) and Windows Internet Naming Service (WINS); standard Windows diagnosis tools and troubleshooting concepts; and using Group Policy or command-line tools to apply security templates.

Knowledge of TCP/IP concepts, including subnet layout, network masking, and routing. Also, knowledge of low-level functionality, protocols, and terms such as Internet Control Message Protocol (ICMP), Address Resolution Protocol (ARP), and Maximum Transmission Unit (MTU).

Knowledge of security risk management principles.

Note: Chapter 6, "Deploying IPsec," of the Windows Server 2003 Deployment Kit discusses certain scenarios for IPsec transport mode that were not recommended at the time. However, the work that Microsoft has done for its own internal deployment of IPsec, along with the availability of additional guidance, means that the recommendation can now be changed.
While multicast and broadcast traffic still cannot use IPsec, all types of unicast IP traffic should be able to be secured with IPsec. Each customer must evaluate the benefits of deploying IPsec in domain or server isolation scenarios against the costs, impact, and other tradeoffs. However, Microsoft now recommends and supports the wider use of IPsec on customer networks in accordance with this guidance.

Organizational Prerequisites

Planning the security for an organization is unlikely to be the responsibility of a single individual. The information that is necessary to determine the exact requirements for an organization will often come from a number of sources within the organization. You should consult with other people in your organization who may need to be involved in the isolation planning, including those people who perform the following roles:

Business sponsors

User group representatives

Security and audit personnel

Risk management group

Active Directory engineering, administration, and operations personnel

DNS, Web server, and network engineering, administration and operations personnel

Note: Depending on the structure of your IT organization, these roles may be filled by several different people, or fewer people may span several roles.

The scope of a server and domain isolation project requires a comprehensive team to understand the business requirements, technical issues, user impact, and the overall project process. It is often beneficial to have a high-profile individual who can act as the primary point of contact for this project when wider input is required, such as with the support staff or the users who will be affected during the deployment. Two leading causes of failure in complex projects are poor planning and poor communications. The project team must understand these potential risks and ensure that steps are taken to mitigate them.

Who Should Read This Chapter

This section is intended for people who are able to design a network with IPsec, or who intend to do so.

Business Requirements

It is important to understand that the business requirements of your organization should drive the solution. Isolation is defined as a logical or physical separation of one or more computers from network communication with other computers. Security restrictions will always have an impact on the day-to-day operations of employees within an organization. The changes introduced as part of the solution will alter the way that computers in the domain communicate with one another and with untrusted computers. This solution will require time for a project team to plan and investigate feasibility and will also require training of IT support staff and the provision of, at least, a minimal employee awareness program. The additional security services being provided for network traffic may also require additional server memory or hardware acceleration network cards in some cases. Also, other solutions may be available to accomplish the same or similar isolation goals. Therefore, it is important to assess the monetary value that the solution is intended to deliver to the business.

Using this approach has benefits, but it must also be economically worthwhile for you; these points have to be kept in mind. You should calculate all the costs this approach entails for your company or unit, and only then begin designing the network infrastructure.

Ensuring Regulatory Compliance

Being confident in the security approach you have chosen is very important. Each country recognizes these approaches under its own laws and applies them. In the United States every business unit must comply with one of the laws listed below:

Federal Information Security Management Act (FISMA)
Sarbanes-Oxley Public Company Accounting Reform and Investor Protection Act
Gramm-Leach-Bliley Financial Services Modernization Act (GLBA)
The Health Insurance Portability and Accountability Act (HIPAA)

The IPsec service has been organized in accordance with the HIPAA law that you see below.

HIPAA has a security rule that specifies strict guidelines about how healthcare organizations must handle electronic personal healthcare information (ePHI). Although HIPAA does not mandate or recommend specific technology, it does specify what capabilities are required for compliance and how to mitigate risks to ePHI. You should evaluate the use of domain or server isolation with IPsec protection as a technical safeguard to help address requirements of the following HIPAA sections:

Access control 164.312(a)(1) by protecting inbound network access to trusted computers using Group Policy authorizations, and by using encryption to protect ePHI from disclosure in network traffic.

Audit controls 164.312(b) by auditing which computers communicate with one another.

Integrity 164.312(c)(1) by restricting inbound network access to computers that have ePHI to only a specific group of authorized and trusted computers and users. Also, by preventing alteration of ePHI during network transmission by providing integrity and authenticity for all network packets in application connections.

Person or entity authentication 164.312(d) by requiring authentication and authorization of trusted computers for inbound network access to other trusted computers.

Transmission security 164.312(e)(1) by providing authenticity, integrity, and encryption.

Frequently, you can meet these requirements by using Secure Sockets Layer (SSL) and Transport Layer Security (TLS). For example, applications can use Microsoft .NET technology with SSL/TLS to help meet HIPAA security regulations. See the white paper "Healthcare Without Boundaries: Integration Technology for the New Healthcare Economy" at www.microsoft.com/Resources/Healthcare/HealthcareEconomy.aspx for more information.

However, application communications must properly integrate SSL/TLS usage and algorithm controls. The main advantages of an IPsec isolation solution are that it protects all applications as well as the host computer operating system and can provide network traffic security for existing applications without changing them. For more details, see the "Comparison of SSL/TLS and IPsec" section later in this chapter.

Compliance of This Solution with US Government Regulations

On December 16, 2003, the U.S. Office of Management and Budget (OMB) released a memorandum on the subject of "E-Authentication Guidance for Federal Agencies," which is available from http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf. This memorandum specifies that the level of risk of an authentication compromise corresponds to the level at which electronic authentication (e-authentication) is required.

NIST Special Publication 800-63, "Electronic Authentication Guideline: Recommendations of the National Institute of Standards and Technology," identifies the technical requirements of authentication levels 1-4. In many cases, strong levels (3 and 4) of user authentication require applications to be rewritten or replaced. If the overall security risks can be reduced, you can use a less costly level of user authentication for access to highly sensitive information. On the Windows platform, server and domain isolation solutions add an initial layer of trusted computer authentication, access controls, network traffic authentication, and encryption prior to user authentication at the application layer. Thus, using a server and domain isolation solution might reduce or delay the requirement for application changes and help comply with risk management mandates.

To enable compliance with government regulations for information assurance products, Microsoft is committed to several certification processes. Windows 2000 has been certified to meet the Common Criteria for IT Security Evaluation (ISO Standard 15408) evaluation assurance level 4 (EAL4) augmented with ALC_FLR.3 Systematic Flaw Remediation. This certification applies to both the operating system and sensitive data protection categories.

Note: At the time of writing, both the Windows XP and Windows Server 2003 platforms were undergoing certification.

Also, Windows 2000, Windows XP, and Windows Server 2003 IPsec cryptographic components were certified to meet FIPS 140-1 cryptographic requirements. Thus, server and domain isolation solutions can be used in military, government, and related IT environments. For more information, see the following links:

NSTISSP No. 11 Fact Sheet: National Information Assurance Acquisition Policy, at http://niap.nist.gov/cc-scheme/

Validated Products List (by Technology Type), at http://niap.nist.gov/cc-scheme/vpl/vpl_type.html

Overview: Windows 2000 Common Criteria Certification, at www.microsoft.com/technet/security/prodtech/Windows2000/

FIPS 140 Evaluation, at www.microsoft.com/technet/archive/security/topics/

The information that this section provides is specific to organizations operating in the United States. However, related regulation is emerging all over the world, as demonstrated by statutes such as the European Union Data Protection Directive of 1998 and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), both of which impose strict guidelines regarding identity management and data privacy.

In summary, IPsec has received level 4, the highest level of security, on the 1-to-4 security rating scale from the U.S. government and IT authorities.

Identifying Trusted Computers

As you can see in Figure 2.1, regardless of how a remote computer or a server communicates within the logical isolation segment, that is over wireless, the LAN or the Internet, it must establish the connection using IPsec traffic. This service operates at layer 3 of the network, and for this reason you protect your servers at that layer so that, first, they communicate only with trusted systems and, second, they do so only through IPsec traffic, which is also encrypted.

Figure 2.1 Logical Isolation & Protection in Layer 3 (OSI: Network layer)

This creates a new, logical defensive layer, which is extremely useful. The security it provides lets servers and their clients communicate with one another end-to-end. Other existing technologies such as VPN, 802.1x, 802.11 and WEP cannot provide this added security layer. This defensive layer also prevents data being stolen in transit.

To be confident of the complete security of the clients and servers in your unit, you can use a WSUS server, which continuously downloads patches and hotfixes for Microsoft systems online from the site and installs them on the clients, so that you can be sure the systems on your network are up to date.

Untrusted computers are computers that cannot be assured of meeting these security requirements. In general, a computer is considered untrusted if it is either unmanaged or unsecured.

The purpose of the server and domain isolation solution is to mitigate the risk posed to trusted resources by implementing tools, technologies, and processes that will safeguard the organization's assets. The solution ensures that:

Only those computers that are considered trusted (those that meet specific security requirements) can access trusted resources.
Computers that are untrusted are denied access to trusted resources unless a specific business reason is identified to justify the risk.

You should allow trusted resources, by default, network-level access only from other trusted resources. In addition, control access at the network layer by using permit or deny permissions and ACLs for specific users and computers within the trusted environment.

By creating this trusted environment and restricting the permitted communications inside and outside of this environment, the business can reduce the overall risk to its data assets. Additional business benefits may include:

A high level of understanding of data flow across specific areas of the network.
Improved adoption of security programs that are used to obtain "trusted" status.
Creation of an up-to-date host and network device inventory.

Untrusted computers

Systems that cannot establish an encrypted connection with the servers are in fact the untrusted computers. Even if these systems use IPsec traffic to communicate with the servers, they cannot establish the connection, because during authentication the servers do not recognize them; only the systems specified through the GPO can establish this connection and are recognized.

Because you have created restrictions, that is defined permissions, for the resources at layer 3 of the network, the resource ACLs that apply at the application layer are no longer decisive here; instead, it is IPsec that establishes or blocks the connection for using the resources.

Unmanaged computers

All systems that are not under our control and cannot establish a secure connection through IPsec are called unmanaged computers; the untrusted computers are also part of this group.

UnSecured computers

This group of systems either does not support IPsec, or its traffic is not exchanged through the IPsec service. This group is divided into the four parts you see below.

Goals Directly Achievable Using Server and Domain Isolation

The main goal of server and domain isolation is to restrict, as far as possible, unauthorized access to trusted computers and their resources. This greatly reduces the risks that threaten a server or domain and brings their percentage down to zero.

During authentication, the IKE service within IPsec takes on the task of identification and authentication; this refers to the inbound direction. The strength of this protocol or service is that its negotiation is secure.

In this mode, user authentication is first performed by IPsec, that is at layer 3 of the network, so we conclude that IPsec also protects the layers above it. So remember that IPsec protects authentication at layer 3, and there is no need to worry about the application layer.

As a result you will achieve the following goals, which are very important:

Isolate trusted domain member computers from untrusted devices at the network level.
Ensure that inbound network access to a trusted domain member on the internal network requires the use of another trusted domain member.
Allow trusted domain members to restrict inbound network access to a specific group of domain member computers.
Focus network attack risks on a smaller number of hosts, which provides a boundary to the trusted domain, where maximum risk mitigation strategies (such as logging, monitoring, and intrusion detection) can be applied more effectively.
Focus and prioritize proactive monitoring and compliance efforts prior to an attack.
Focus and accelerate remediation and recovery efforts before, during, and after an attack.
Improve security by adding strong per-packet mutual authentication, integrity, anti-replay and encryption, without the need to change applications and upper layer protocols (such as server message block [SMB] or NetBT).

Server and domain isolation protects all network services against access and attack from untrusted computers and networks.

Server and domain isolation helps you reduce the vulnerability of the systems on the network, as well as the network's vulnerability caused by the weak security practices currently in place on your network, and so on.

Server and domain isolation operates on two fronts: first, at layer 3 it encrypts the traffic inside the switch; second, it has its own access control, which takes precedence over all ACLs because it is active at layer 3 (it acts on the inbound side). This gives it the end-to-end property; none of the existing technologies provide these two fronts of defense.

End-to-end means that only the specified user can use the inbound side of your PC, or only the specified trusted computer can use the inbound side of your system or host. However, some risks still threaten your network when you use this approach, as shown below.

The risk of trusted users stealing or disclosing sensitive data. Although the isolation solution can control where computers communicate within the internal network, administrative users can subvert these controls. It is not possible for this solution to eliminate the risk of trusted users inappropriately copying or disseminating sensitive data.
The risk of compromise of trusted user credentials. Although an administrator can choose to encrypt most traffic with IPsec to protect network logon information, IPsec protection of user logon traffic to domain controllers is not supported. Server and domain isolation can force an attacker to use a trusted host to attack other trusted hosts. An attacker may also attack trusted hosts by using compromised credentials from hosts that are exempted from using IPsec with trusted hosts (for example, domain controllers and DNS servers), or hosts that accept inbound connections from untrusted computers. Although an administrator can control whether trusted hosts communicate outbound to untrusted hosts, this solution cannot mitigate the risk of trusted users losing their credentials to an attacker who tricks them to reveal their passwords.
Rogue users. Legitimate users who abuse their access also fall into this category. For example, this solution cannot mitigate the risk of a disgruntled employee deciding to steal information using trusted hosts to which they have access because of their job role. Physical access to a trusted host computer can enable an attacker to gain unauthorized and administrative access to it. Because administrators can disable server and domain isolation protection, it is vital to limit the default scope of access and the number of administrators (including enterprise administrators, domain administrators, and local administrators on workstations or member servers).
The risk of untrusted computers accessing other untrusted computers. This solution cannot mitigate the risk of untrusted computers being used by an attacker to attack other untrusted computers.
The risk of untrusted computers attacking certain trusted computers. Server and domain isolation solutions are designed to protect trusted hosts. However, as a practical deployment matter, this solution identifies trusted domain members that for various reasons do not use IPsec to negotiate trusted access to other trusted hosts. These trusted, but non-IPsec enabled, computers are members of an exemption list (for example, domain controllers). Also, this solution identifies certain trusted hosts to be accessed by untrusted computers to provide boundary services for the isolation domain. An attacker who gains control of an exempted or boundary host can then attack all other trusted hosts inside the isolation domain.
Assuring security compliance of trusted hosts. This solution suggests how trusted hosts might be defined and in particular requires that they be members of a Windows 2000 or Windows Server 2003 domain. This solution depends only upon successful IPsec IKE domain-based (Kerberos) authentication to establish trust and thus IPsec-protected connectivity. Over time trusted hosts may for various reasons not meet the full criteria of being a trusted host yet still be able to authenticate successfully as a domain member. It is the responsibility of the organization's IT management systems and processes to ensure that domain members comply with the definition of trusted hosts.

To address these issues, the recommended security hardening configurations and templates were applied to all systems in the Woodgrove lab environment. For more information about Windows platform security technologies and management procedures, see the TechNet Security Resource Center Web site at www.microsoft.com/technet/security/.

How Does Server and Domain Isolation Fit into My Overall Network Security Strategy?

Server/domain isolation is used to create a defensive layer against access to the devices on your network; by devices we mean the network's computers.

Because security must be multi-layered, your defense must also be in several layers. This helps you have defense in depth against all kinds of attacks. Multi-layered defense makes your network much stronger in security terms: for example, when one of your defensive layers fails or breaks for some reason, which may happen because of an admin's misconfiguration or a hacker's attack, the next defensive layer must stop the attack from continuing.

Defense in Depth

Defense in depth is the best approach, and it must be present at the different layers of the network, that is, in several layers. To defend against an adversary you must know the methods they use to attack; until you know the different ways a TCP/IP-based network is attacked, you cannot defend it well.

A more detailed discussion of this subject can be found in the U.S. National Security Agency's "Defense in Depth" white paper at http://www.nsa.gov/snac/support/defenseindepth.pdf.

For information and practical design examples for this process, see the Enterprise Design chapter of the Windows Server System Reference Architecture guidance on TechNet at www.microsoft.com/technet/itsolutions/wssra/raguide/ArchitectureBlueprints/rbabsa_2.mspx.

In Figure 2.2 you can see, and better understand, the defense in depth created by logical isolation.

Figure 2.2 Defense in depth with logical isolation

One important point to understand from this figure is that the logical isolation layer of security is aimed directly at securing the host computer through controlling network communications. This role is most similar to that of a host-based firewall. However, instead of the host firewall providing permit and block services for ports, IPsec provides permit and block services and negotiates trusted network access services. After access is granted, IPsec can secure all packets between the two computers. As defined within the context of this solution, a "logical isolation" solution such as server and domain isolation:
Does not secure network devices, such as routers.
Does not provide physical network access control, such as specifying which computer is allowed to establish a remote access VPN connection, or provide protections supplied by network-based firewalls.
Does not secure network links, such as 802.1x for access control and 802.11 WEP encryption for wireless links. However, IPsec does provide protection end-to-end across all network links in the path between source and destination Internet Protocol (IP) address.
Does not provide security for all hosts on the network—only those participating in the isolation solution.
Does not secure application level paths, such as the end-to-end path through which e-mail and .NET messaging flows, and Hypertext Transmission Protocol (HTTP) requests that can be proxied several times between the client and the Web server destination.

You should consider security at each layer as part of IT security risk mitigation analysis. For example, if a certain computer is not allowed access to a server at the logical isolation layer, it does not matter which user logs on at that computer. Any users—even an administrator—will be denied access to the server.

There is an important point in Figure 2.2 that must be understood: logical isolation creates a security layer that directly covers and controls the computer's communications, that is, the systems' incoming connections. A firewall does this too, but a firewall secures the system by permitting or blocking the system's services and ports, whereas IPsec does this and in addition controls the systems' access and the establishment of connections. Finally, after a connection is established between two computers, it encrypts the packet traffic between them using the ESP and AH protocols.

Comparison of SSL/TLS and IPsec

The goal of IPsec is not to defend systems at the application layer, as the SSL/TLS protocols do; the benefit of IPsec is that it protects network traffic at layer 3. You can protect the traffic of two applications communicating between two computers with IPsec, and interestingly those two computers can use SSL/TLS at the same time.

Using IPsec in environments in which applications use SSL/TLS can provide the following benefits:
Help protect all applications and the operating system against network attacks by untrusted computers and other devices.
Establish a defense-in-depth approach against potential improper or non-compliant use of SSL/TLS (for example, if not all ePHI data is encrypted and authenticated).
Help prevent user credentials from being entered into untrusted computers — because users are not prompted to log on to an internal SSL/TLS Web site until IPsec establishes mutual trust between client and server.
Provide security when you cannot use Windows registry settings to select regulatory compliant SSL/TLS algorithms. Windows 2000, Windows XP, and Windows Server 2003 provide registry key controls for SSL/TLS algorithms, which Microsoft Knowledge Base article 245030, "How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll," describes, at http://support.microsoft.com/?kbid=245030.
Provide security where certificates are not available.

IPsec secures traffic between source and destination IP addresses. SSL/TLS can secure traffic through the entire application path (for example, from a Web browser through a Web proxy to a Web server).

The National Institute for Standards and Technology (NIST) is developing guidance on using TLS. Special Publication 800-52, "Guidelines on the Selection and Use of Transport Layer Security," is a guideline for implementing TLS in the federal government. For more information about this guidance, see the NIST Computer Security Division Web site at http://csrc.nist.gov/publications/index.html. Similar guidelines do not exist for the use of IPsec. However, the U.S. National Security Agency has released guides for using Windows 2000 IPsec. These guides are available from the NSA Web site at http://nsa2.www.conxion.com/win2k/download.htm. Organizations that need to meet NSA guidelines should evaluate the design of this solution in addition to the NSA guides.

IPsec with certificate authentication provides protection that is similar to SSL/TLS, but there are some differences. Windows IPsec supports a small subset of the cryptographic algorithms supported by TLS and recommended by NIST 800-52 (for example, 3DES, SHA-1, and 1024-bit ephemeral Diffie-Hellman). The solution presented in this guide uses Kerberos protocol signatures for IKE authentication between domain members instead of certificate-based signatures. Windows IPsec IKE negotiation establishes mutual trust between computers using the Kerberos protocol and certificate-based authentication. Because IKE is not integrated with applications, it cannot verify that the destination computer name is the one to which the application is expected to connect, thereby allowing a sophisticated man-in-the-middle attack from another trusted host. But because the application integrates with SSL/TLS, the destination name is not only authenticated (trusted), the name can also be verified against the name that was expected.

In this case, the two-way connection between source and destination must first be established by IPsec; only then do SSL/TLS begin to operate, because they work at a higher layer, namely the application layer.

Terminology Refresher

Here we review a series of technical terms related to this chapter and the following chapters; to continue, you must be fully familiar with these terms. Study each one carefully.

How Can Server and Domain Isolation Be Achieved?

Using isolation carries no risk. Firewall technology works by using access control (ACLs) and filtering on the router, and segmenting is only a weak layer for separating traffic and nothing more.

Here we learn how to make use of the existing network, with its existing facilities, in order to use IPsec and isolation. Having things like VLANs, network segmentation and IDS does not prevent you from using this technology, and using it adds another defensive layer to your network beyond the ones mentioned, without any change to the devices; however, for this approach you must use Windows 2000, Windows XP and Windows 2003, and that is the only change.

Server and Domain Isolation Components

To create an isolation, the following items must be considered.

Trusted Hosts

These systems are the only ones we are concerned with, both for protection and for using secure traffic.

Host Authentication

This is when IPsec determines whether the person or system that wants to establish a connection has valid, legitimate credentials or not. In this part, one of three methods can be used for identification: Kerberos V5, a certificate or a preshared key.

The Kerberos version 5 authentication protocol
X.509 digital certificate with corresponding public and private Rivest, Shamir, & Adleman (RSA) key pair
A preshared key (a passphrase, not exactly a password)

During authentication, the system hands this task over to IPsec. Here IPsec uses one of the three items above and, with the help of IKE, performs it with high security and secure traffic between the two systems.

Internet Key Exchange (IKE)

Windows IKE plays an important role in the relationship between systems and establishes the security of communications between Trusted systems.

The most important job of IKE is the use of AH and ESP to control and Secure the traffic between systems; in doing so the Packets are also protected.

With ESP (Encapsulating Security Payload), because the Packets are Encrypted, Routers, Firewalls and IDSs cannot inspect the contents of the Packets and therefore cannot tell which data belongs to which service. For this reason each service's Port must be specified individually in IPSEC, for example 80 for Web, 25 for Email, and so on.

With this method you can no longer Monitor network Packets, so using ESP creates a serious problem for HACKERs.

In this method even powerful Monitoring software cannot capture the TCP/UDP Packets and usually only displays the Encrypted ESP Packets.

In the figure below a connection has been established between a Win2000 Server and a Win XP; establishing the connection here is the responsibility of IKE.

During IKE's operation an SA (Security Association) is created, from which we can tell that IKE has started working.

Figure 2.3 Logical Isolation & SA - Background Process

Initiator : Windows XP    &    Responder : Windows 2000 Server


An SA has two Modes, Main Mode and Quick Mode. You can watch each of these two types start in the IPSEC Monitors shown below, which exist in Windows 2000 and XP. In Figure 2.3 the WINXP system is the Initiator and the WIN2K Server is the Responder.

  • Main mode SA. These SAs are the first to be established during the IKE negotiation between the initiator and responder computers.

  • Quick mode SA. These SAs are negotiated after the main mode SA is established for each session of communication between the hosts.


Figure 2.4 Main / Quick Modes - IPSEC Monitor MMC - OS: XP

IKE needs Mutual Authentication in order to set up an SA in Main Mode; this mode happens first, and after it Quick Mode begins. You can see this order in the MMC above immediately after the connection is established: first Main Mode, then Quick Mode.

Figure 2.5 Main / Quick Modes - IPSEC Monitor Tools (IPSECMON.EXE)

The IKE negotiation establishes a main mode SA (also called the ISAKMP SA) and a pair of quick mode SAs (called IPsec SAs—one for inbound traffic, the other for outbound traffic). IKE requires mutual authentication to establish the main mode SA.

Ensuring address integrity

Using the AH Protocol, IPSEC is able to deny unknown parties access to a Packet along its path, which lets you be sure that the network's Packets have not been tampered with; the kinds of Attacks that work this way are neutralized. With this, a Packet cannot be redirected along the path to anything other than the route specified in it. This is very useful, but it has a problem with NAT, because NAT's very job is to change the source and destination addresses of Packets. For this reason AH is incompatible with NAT Devices and the NAT service.

Encrypting network traffic

Although ESP does not protect the Integrity of each individual Packet the way AH does, by Encrypting them it ensures that the Packets cannot be read, Decoded or Monitored, so that along the path the Packet contents cannot be Decoded by anyone other than the Source and Destination.

If you use NAT in the network, the most sensible choice is to use the ESP Protocol, because it has no problem with NAT.
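As an added example (not code from the Microsoft guide), the following Python models why AH breaks behind NAT while ESP does not, covering both the AH and the ESP passages above: an AH-style ICV is computed over the immutable IP header fields, so a NAT that rewrites the source address invalidates it, whereas an ESP-style ICV covers only the ESP payload. The key, header layout and packets are constructed and deliberately simplified.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

# Constructed demo key; a real SA key comes out of the IKE negotiation.
KEY = b"constructed-demo-key"

@dataclass(frozen=True)
class IPv4Header:
    src: str
    dst: str
    ttl: int    # mutable in transit: every router decrements it
    proto: int  # 51 = AH, 50 = ESP

def ah_icv(key: bytes, hdr: IPv4Header, payload: bytes) -> bytes:
    """AH-style ICV: HMAC over the immutable header fields plus the payload.
    Mutable fields (here only TTL) are treated as zero, as AH does."""
    covered = f"{hdr.src}|{hdr.dst}|ttl=0|proto={hdr.proto}|".encode() + payload
    return hmac.new(key, covered, hashlib.sha1).digest()

def esp_icv(key: bytes, esp_blob: bytes) -> bytes:
    """ESP-style ICV: HMAC over the ESP header and (encrypted) payload only."""
    return hmac.new(key, esp_blob, hashlib.sha1).digest()

def ah_verify(key, hdr, payload, icv) -> bool:
    return hmac.compare_digest(ah_icv(key, hdr, payload), icv)

def esp_verify(key, _outer_hdr, esp_blob, icv) -> bool:
    # The outer IP header is accepted but never enters the ICV computation.
    return hmac.compare_digest(esp_icv(key, esp_blob), icv)

def router_hop(hdr: IPv4Header) -> IPv4Header:
    """A plain router only decrements TTL, a field AH does not cover."""
    return replace(hdr, ttl=hdr.ttl - 1)

def nat_hop(hdr: IPv4Header, public_src: str) -> IPv4Header:
    """A NAT device rewrites the source address, a field AH does cover."""
    return replace(hdr, src=public_src, ttl=hdr.ttl - 1)

def demo() -> dict:
    ah_hdr = IPv4Header("10.0.0.5", "192.0.2.10", 64, 51)
    payload = b"constructed SMB request"
    icv = ah_icv(KEY, ah_hdr, payload)
    esp_hdr = IPv4Header("10.0.0.5", "192.0.2.10", 64, 50)
    esp_blob = b"\x00\x00\x10\x01" + b"ciphertext-stand-in"  # SPI + stand-in ciphertext
    eicv = esp_icv(KEY, esp_blob)
    return {
        "ah_after_router": ah_verify(KEY, router_hop(ah_hdr), payload, icv),          # True
        "ah_after_nat": ah_verify(KEY, nat_hop(ah_hdr, "203.0.113.7"), payload, icv),  # False
        "esp_after_nat": esp_verify(KEY, nat_hop(esp_hdr, "203.0.113.7"), esp_blob, eicv),  # True
        "esp_tampered": esp_verify(KEY, esp_hdr, esp_blob + b"x", eicv),              # False
    }
```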

Transport Mode

We have understood the two Main/Quick Modes above, but there is a third mode, which occurs only in P2P and Tunneling cases, called Transport Mode.

This mode has a kind of Dynamic nature, because in the End-to-End case (for example on the Internet) addresses may change Dynamically.

When you select My IP Address in your IPSEC Wizard, you have created this mode.

Issues with using IPsec transport mode include:

  • An initial delay. There is a 1-2 second initial delay required for IKE to start and complete the full successful negotiation. While continuous communication is happening, IKE attempts to refresh cryptographic keys that protect traffic automatically.
  • Predefined priority order for filters. IPsec policy filters can overlap and so have a predefined priority order, most specific first. This requires both sides in a communication to have a compatible set of IPsec transport mode filters for IKE negotiation. For example, this solution uses a more general filter for "all traffic" that negotiates IPsec security, in combination with a more specific filter to permit only ICMP traffic instead of securing that traffic with IPsec.
  • Computational expense. IPsec ESP transport mode encryption can be computationally expensive. CPU utilization may peak at 80-100 percent during encrypted file copies. Windows 2000, Windows XP, and Windows Server 2003 have interfaces for network cards to be able to accelerate IPsec cryptographic operations in hardware.
  • IPsec tunnel mode. IPsec tunnel mode is typically used for gateway-to-gateway VPN tunnels between static IP addresses of VPN gateways. Thus, tunnel mode creates a new IP header with an IPsec header. The original packet with original IP header is encapsulated entirely to form a tunnel packet. For server and domain isolation scenarios, tunnel mode could be used to secure traffic from a static IP server to an IPsec-capable router. This might be necessary if the destination host does not support IPsec. Woodgrove did not have a scenario in which tunnel mode was required.
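An added Python model (not the guide's or Windows' code) of the filter-precedence rule described above: among all filters that match a packet, the most specific one decides the action. The list mirrors the solution's general "all traffic" negotiate filter plus the ICMP permit exemption; the third, host-specific exemption and the sample packets are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class IpsecFilter:
    name: str
    action: str                     # "permit", "block" or "negotiate" (the Windows IPsec filter actions)
    proto: Optional[str] = None     # None = any protocol
    dst_port: Optional[int] = None  # None = any port
    dst_addr: Optional[str] = None  # None = any address

    def matches(self, pkt: dict) -> bool:
        wanted = ((self.proto, pkt["proto"]),
                  (self.dst_port, pkt["dst_port"]),
                  (self.dst_addr, pkt["dst_addr"]))
        return all(w is None or w == got for w, got in wanted)

    def specificity(self) -> int:
        """Number of concrete fields; a higher score wins over a more general filter."""
        return sum(v is not None for v in (self.proto, self.dst_port, self.dst_addr))

# Constructed filter list modelled on the solution: secure everything, exempt ICMP.
# The third entry is an assumed extra exemption, not one the guide describes.
POLICY = [
    IpsecFilter("All traffic", "negotiate"),
    IpsecFilter("ICMP exemption", "permit", proto="icmp"),
    IpsecFilter("Assumed web exemption", "permit", proto="tcp", dst_port=80, dst_addr="10.0.0.80"),
]

def apply_policy(policy, pkt):
    """Return (action, filter name) of the most specific matching filter, or None if nothing matches."""
    matching = [f for f in policy if f.matches(pkt)]
    if not matching:
        return None  # no filter: IPsec is not involved and the packet passes in the clear
    best = max(matching, key=IpsecFilter.specificity)
    return best.action, best.name

def classify_samples() -> dict:
    # Constructed packets from a client towards hosts in the isolation domain.
    samples = {
        "ping":       {"proto": "icmp", "dst_port": None, "dst_addr": "10.0.0.9"},
        "smb":        {"proto": "tcp",  "dst_port": 445,  "dst_addr": "10.0.0.9"},
        "web_exempt": {"proto": "tcp",  "dst_port": 80,   "dst_addr": "10.0.0.80"},
        "web_other":  {"proto": "tcp",  "dst_port": 80,   "dst_addr": "10.0.0.9"},
    }
    return {name: apply_policy(POLICY, pkt)[0] for name, pkt in samples.items()}
```

Both peers must hold compatible lists: if only one side exempts ICMP, its pings leave in the clear while the other side expects to negotiate IPsec for them.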

For more information about the technical details of both transport mode and tunnel mode in IPsec, see the "Determining Your IPSec Needs" section of the Deploying IPsec chapter in the Deploying Network Services portion of the Windows Server 2003 Deployment Kit, at www.microsoft.com/resources/documentation/

Host Authorization

After a Host has decided to establish a connection with a valid system or User (the Source), it must check whether that person or Source is permitted to access the system's Resources or not; this is very important.

There are several things to pay attention to here. Microsoft has created various mechanisms for defining access to system Resources, which we examine: items such as the ACLs on File Sharing, Policies such as Deny access to this computer from the network and Access this computer from the network, and so on, and a higher layer, which is ADS, with the access permissions defined in Active Directory.

Figure 2.6 shows these steps clearly.

Figure 2.6 User and Host Authorization Process

Five steps are marked in the figure above; below you can examine the details of these steps:

(STEP 1) User attempts to access a share on a departmental server. A user that is logged on to the client computer attempts to access a share on a trusted host within the logical isolation solution. This action causes the client computer to attempt to connect to the trusted host using the file sharing protocol (Server Message Block protocol using TCP destination port 445, typically). The client has IPsec policy assigned as part of the solution. The outbound TCP connection request triggers an IKE negotiation to the server. The client IKE obtains a Kerberos ticket to authenticate to the server.
(STEP 2) IKE main mode negotiation. After the server receives the initial IKE communication request from the client computer, the server authenticates the Kerberos ticket. During the authentication process, IKE checks that the client computer has the required host access rights as assigned in the ALLOW or DENY users rights in the Group Policy. If the client computer has the required user right assignment, the IKE negotiation will complete, and an IPsec main mode SA will be established.
(STEP 3) IPsec security method negotiation. After the IKE main mode SA negotiation has completed, the security methods of the IPsec policy are checked to negotiate a connection by using security methods for IPsec SAs that are acceptable to both hosts.

The following flowchart illustrates the complete process from steps 2 and 3:

Figure 2.7 User and Host Authorization Process

(STEP 4) User host access permissions checked for user. After IPsec-protected communication is established, the SMB protocol authenticates using the client user account. On the server, the user account is checked to see if it has the required host access permissions as assigned in the ALLOW and DENY user rights in the Group Policy for the trusted host. The following flowchart illustrates this process:

Figure 2.8 User Host Access Permissions Checking Process

If the user account has the required user right assignment, the process completes, and the user logon token is created. After this process is complete, the logical isolation solution has finished conducting its security checks.

(STEP 5) Share and file access permissions checked. Finally, the standard Windows share and file access permissions are checked by the server to ensure that the user is a member of a group that has the required permissions to access the data that the user requested.
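The five-step chain above as an added Python model, not the guide's or Windows' own code: it walks the checks in order (host authenticated in IKE, host logon right, user logon right, share ACL) and reports the first one that fails. The server, accounts and groups are constructed, and the model assumes the Windows rule that a Deny logon right overrides an Allow.

```python
from dataclasses import dataclass, field

# Names of the two logon rights the guide refers to (Group Policy user rights assignment).
ALLOW = "Access this computer from the network"
DENY = "Deny access to this computer from the network"

@dataclass
class TrustedServer:
    ike_peers: set                                 # computer accounts that can complete Kerberos IKE with us
    rights: dict = field(default_factory=dict)     # {right name: {principals granted it}}
    share_acl: dict = field(default_factory=dict)  # {share name: {principals with access}}

def granted(server: TrustedServer, right: str, principals: set) -> bool:
    return bool(principals & server.rights.get(right, set()))

def network_logon_allowed(server: TrustedServer, principals: set) -> bool:
    """Assumed Windows user-rights evaluation: an explicit Deny overrides Allow."""
    if granted(server, DENY, principals):
        return False
    return granted(server, ALLOW, principals)

def authorize(server, host, host_groups, user, user_groups, share):
    """Return (granted, stage); stage names the first failing step, or 'step5' on success."""
    host_ids = {host} | set(host_groups)
    user_ids = {user} | set(user_groups)
    # Steps 1-2: client IKE presents a Kerberos ticket; the server authenticates the host.
    if host not in server.ike_peers:
        return False, "step2: IKE authentication failed (host not trusted)"
    # Step 2: host access right checked during IKE before the main mode SA is established.
    if not network_logon_allowed(server, host_ids):
        return False, "step2: host lacks network logon right"
    # Step 3: IPsec security-method negotiation; assumed compatible in this model.
    # Step 4: SMB authenticates the user; the user's network logon right is checked.
    if not network_logon_allowed(server, user_ids):
        return False, "step4: user lacks network logon right"
    # Step 5: standard Windows share and file permissions.
    if not user_ids & server.share_acl.get(share, set()):
        return False, "step5: share/file permission denied"
    return True, "step5"

# Constructed departmental file server used by the scenarios.
FILESRV = TrustedServer(
    ike_peers={"CLIENT1$", "CLIENT2$"},
    rights={ALLOW: {"Domain Computers", "Domain Users"},
            DENY: {"Contractor Hosts", "Blocked Users"}},
    share_acl={"Reports": {"Finance Users"}},
)
```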

What Does Server and Domain Isolation Protect Us From?

Why we use Server/Domain Isolation is a very serious and important question.

There are dangers in the Network, and being aware of them helps us defend against them well. IPSEC prevents most attacks; they are described briefly below, and in the next chapter we become fully familiar with them.

In recent years the number of attacks has risen sharply, and their variety and power have also grown; this shows that defense must be taken very seriously.

But before that, one must become familiar with their types. In short, STRIDE:

  • S: spoofing
  • T: tampering
  • R: repudiation
  • I: information disclosure
  • D: denial-of-service
  • E: elevation-of-privilege

For more information about Spoofing and DoS (Denial of Service), see PART4:

1. Secure Your Network - Language: FA

  • Threats and Countermeasures

For an explanation of particular threats and attacks that server and domain isolation can help mitigate, see Appendix D, "IT Threat Categories," of this guide. For detailed discussions about threat models, see Chapter 2, "Defining the Security Landscape," in the Microsoft Solution for Securing Windows 2000 Server solution which can be downloaded at www.microsoft.com/technet/security/prodtech/win2000/secwin2k/02defsls.mspx.

How Can We Deploy Server and Domain Isolation?

After becoming familiar with the types of threats briefly named above, you must learn how to defend against them, or become familiar with ways to reduce attacks.

Information Gathering

The first step, before starting, is to have complete knowledge of the whole organization and its network, as well as the number of Clients and Servers, the kinds of services that are going to run there, and their paths through the network.

Without this basic information you cannot implement Logical Isolation correctly, so gathering the initial information is our first step.

Chapter 3 describes the details of this fully.

IPsec Deployment Process Overview

After you have decided to carry out the work, the next step is to do the design in a way that is manageable and not hard to administer, and second, so that your design makes the least use of people. This part is very important; perhaps more than 50% of the whole work consists of this design and planning.

This very important part is described in Chapter 4.

However, the basic process can be summarized as follows:

1. Test the design and IPsec policies in a proof-of-concept lab. You should test the proposed IPsec policies in an isolated, non-production environment to ensure that the design works as expected and to test any issues that might arise in the policy settings or deployment mechanisms.
2. Pilot the tested and approved design. When the team is confident that the design will work as expected in the lab environment, the next step in the process is to identify a limited number of computers to include in a pilot deployment of the solution into a production environment. The identified computers and users should be given proactive support to ensure that any issues that emerge during testing have minimal effect on users' abilities to perform their job roles.
3. Implement a phased roll out of the solution. The final step in the process is to have a plan that can be used to deploy the design to the rest of the organization. This is not a trivial process! You should take a great deal of care in the planning of this step. It is possible to engineer a design that can (with a single setting change in an IPsec policy) disable many computers' abilities to access network resources. You should test and organize your deployment plan to enable the changes that the solution introduces to be implemented in a way that will allow for a rapid return to a known good state in the event that a configuration or design error somehow remains undetected during the testing phase.

Chapter 4, "Designing and Planning Isolation Groups," provides detailed information on the isolation domain design process and presents options for a phased roll out approach to the solution.  


This chapter discussed the goals and processes behind the solution presented in this guide. Although IT professionals have well understood the benefits of IPsec for many years, the complex nature of the technology has led many people to avoid implementations. With IPsec implementation, potential exists for serious consequences if the solution does not have in place a solid design, a well-planned deployment, and a reliable test methodology.

The guidance in this chapter should convey that logical isolation is an additional layer of security that uses server and domain isolation techniques with the capabilities of the Windows platform, IPsec, Group Policy, and Active Directory to provide a manageable and scalable enterprise solution that can minimize the risk to which data assets are exposed.

The information presented in the remaining chapters focuses on the stages that are required to plan and implement this solution. Chapter 6, "Managing a Server and domain Isolation Environment," provides procedures that you can implement for the day-to-day running of an operational environment that is using server and domain isolation. Chapter 7, "Troubleshooting IPsec," provides supportability and troubleshooting information.
