Share via


Domain Isolation - IPSEC

Domain isolation is to

mitigate the threat posed by unauthorized access to a trusted computer by an untrusted computer. Domain isolation provides better security when it comes to unauthorized access. IPSEC (Internet Protocol Security) protocol is the best one to be used in this scenario, making your Domain and Domain member servers communicate to the computers you trust. Using IPSec we can filter the traffic to our domain controller and thus making it more secure. IPSEC uses the encryption algorithms like DES or 3DES and integrity algorithms like MD5 or SHA-1.

Traffic from servers like RADIUS server to domain server should be IPSEC in order to protect the communication between them. Since, RADIUS server is used to authenticate the DIAL-IN users against the Active Directory making it more prone to Sniffing attacks. IPSEC allows to encrypt the communication between RADIUS server and Domain making it hard for someone to easily understand the packets being traffered.

Few Things to consider:

1. Ensure that inbound network access to a trusted domain member on the internal network requires the use of another trusted domain member.
2. Allow trusted domain members to restrict inbound network access to a specific group of domain member computers.
3. Focus network attack risks on a smaller number of hosts, which provides a boundary to the trusted domain, where maximum risk mitigation strategies (such as logging, monitoring, and intrusion detection) can be applied more effectively.
4. Focus and prioritize proactive monitoring and compliance efforts prior to an attack.
5. Focus and accelerate remediation and recovery efforts before, during, and after an attack.
6. Improve security by adding strong per-packet mutual authentication, integrity, anti-replay and encryption.

IPSEC is one of best options when it comes to securing communication between two computers / servers.

Comments