IPSec

I was presenting a TechNet session down in Cork & over in Galway this week - covering best practice use of AD, Group Policy, the Windows Firewall, IPSec and MOM.  There was a lot of interest in the IPSec session - most people present had the impression that implementing IPSec would be very hard and would introduce encryption to their network (and therefore have shied away from it).  As it turns out, IPSec is pretty easy to implement and doesn't have to use encryption - it can be used in an "authentication only" mode.  I demonstrated how easy it was to set up IPSec to isolate a domain (as in https://www.microsoft.com/technet/itsolutions/network/sdiso/default.mspx).  The benefits being that you allow only your machines to talk to each other (I can't plug my laptop into your network & introduce bad stuff or find your good stuff) and you also have the ability to restrict certain machines to have access to certain servers as an example.  My "cheat sheet" for my demo was 17 lines of poorly written notes on a single side of A5 - lots of people have asked for it (if I can implement domain isolation from one side of A5, it really can't be that difficult).  So here are my notes (typed for ease of use with comments added if necessary):

Filter Lists

  • DC1 - Permit - Any - 10.10.10.1 (IP address of the machine I want to permit)
  • Secure Subnet - Permit - Any - 10.10.10.0/24 (IP address of subnet)

Filter Actions

  • Isolate Domain - Integrity only (action to force machines to be authenticated)

New IPSec Policy

Domain Isolation

  • Secure Subnet -> Isolate Domain
  • DC1 -> Permit
  • ICMP -> Permit

New GPO

  • IPSec Domain Isolation
  • Assign "Domain Isolation" IPSec policy

Assign GPO to domain

Apply GPO to FS1 & XP1 (test machines)

  • gpupdate /force
  • net stop policyagent / net start policyagent
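The same cheat sheet expressed as netsh ipsec static commands, as an added example that is not part of the original post. It assumes the DC at 10.10.10.1, the 10.10.10.0/24 subnet and a domain called example.local (all placeholders), is run from an elevated prompt on a domain member, and the parameter names are those of the Windows XP / Server 2003 netsh ipsec context (check with "netsh ipsec static add ?" before relying on them).

```powershell
# Added example, not the post's own commands. Placeholders: DC 10.10.10.1,
# subnet 10.10.10.0/24, domain example.local.

# Write into the Active Directory policy store so the policy can be assigned by GPO.
netsh ipsec static set store location=domain domain=example.local

# Filter lists: which traffic each rule applies to (mirrored = both directions).
netsh ipsec static add filterlist name="DC1" description="Domain controller exemption"
netsh ipsec static add filter filterlist="DC1" srcaddr=any dstaddr=10.10.10.1 protocol=any mirrored=yes
netsh ipsec static add filterlist name="Secure Subnet" description="Isolated domain members"
netsh ipsec static add filter filterlist="Secure Subnet" srcaddr=any dstaddr=10.10.10.0 dstmask=255.255.255.0 protocol=any mirrored=yes
netsh ipsec static add filterlist name="ICMP"
netsh ipsec static add filter filterlist="ICMP" srcaddr=any dstaddr=any protocol=ICMP mirrored=yes

# Filter actions: "Isolate Domain" negotiates ESP with SHA1 integrity and no
# encryption (the "authentication only" mode). soft=no means a peer that cannot
# authenticate is simply not talked to, which is the isolation benefit.
netsh ipsec static add filteraction name="Isolate Domain" action=negotiate qmsecmethods="ESP[None,SHA1]" inpass=yes soft=no
netsh ipsec static add filteraction name="Permit Traffic" action=permit

# Policy and rules. The DC exemption is not optional: the Kerberos exchange that
# authenticates the IPsec negotiation itself must reach the DC in the clear,
# otherwise members lock themselves out as soon as the policy applies.
netsh ipsec static add policy name="Domain Isolation" description="Authenticate, do not encrypt" assign=no
netsh ipsec static add rule name="Secure Subnet" policy="Domain Isolation" filterlist="Secure Subnet" filteraction="Isolate Domain" kerberos=yes
netsh ipsec static add rule name="DC1" policy="Domain Isolation" filterlist="DC1" filteraction="Permit Traffic"
netsh ipsec static add rule name="ICMP" policy="Domain Isolation" filterlist="ICMP" filteraction="Permit Traffic"

# Assignment is done by the GPO as in the notes; on a test box refresh policy and
# confirm the rules that were written before trusting them.
gpupdate /force
netsh ipsec static show policy name="Domain Isolation"
```

Test on FS1 and XP1 first, as the notes say: a machine outside the policy should fail to reach the isolated subnet while the DC and ICMP still work.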


That's it (only 17 lines).  Oh, and apologies for being a bit light on the blogging front this month - I need to work out how to fit it into my busy schedule..

Dave.