Network Security with IPSEC

 
 
NM
10-04-2006, 01:06 PM
Hi all

I hope somebody can help me with the following scenario:

I run a small LAN of about 50 XP / 2000 Workstations, 2 Windows 2003
Servers and 1 2000 Server. All these computers are part of a domain and have
various group policies applied to them.

These computers also sit on a private address range with a NAT gateway
running FreeBSD which then routes into a DMZ running various other FreeBSD
machines which front the internet. For example, POSTFIX mailserver operating
as a relay collecting and sending mail on behalf of my exchange 2003 server.

OK, here's my problem:

I am concerned that various laptop users (which are not part of my domain)
are connecting their devices directly into my Ethernet and using the
internet facility. When they do this, the Windows DHCP gives them the
appropriate IP and they're away using the net for whatever they want. This
generally has not been a problem until recently when I found a user's laptop
that was so infested with viruses and spyware that it brought my bandwidth to
its knees.

It is very important that users continue to have access to the internet from
non-domain computers so I have been trying to find ways of controlling who
has access.

My solution is to use IPSEC across my entire network; this would have the
added security levels which will soon be demanded by our head company as
well as stopping non-domain computers accessing the LAN unless I personally
issued them with a digital certificate.

Unfortunately I don't know that much about Windows 2003 IPSEC and so far
have been unsuccessful in finding data to help me configure IPSEC in the
above manner. I would therefore be grateful if somebody would give me some
pointers or direct me to some step by step documents on the net or even
recommend a good reference book.

Your help would be appreciated.



Regards
NM
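One way to find the machines the post above describes, as an added example that is not part of the original thread: it reads a Windows DHCP server audit log and lists leases given to MAC addresses that are not in an inventory of domain machines. The log lines, the inventory and every name in them are constructed; the column layout assumed is the Windows Server 2003 audit log format (ID, Date, Time, Description, IP Address, Host Name, MAC Address).

```python
import csv
from io import StringIO

# Constructed sample log lines (not taken from the thread).
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,10/04/06,08:00:01,Started,,,,
10,10/04/06,08:15:42,Assign,192.168.1.51,WS-ACCTS01.example.local,000D60A1B2C3
11,10/04/06,09:02:10,Renew,192.168.1.51,WS-ACCTS01.example.local,000D60A1B2C3
10,10/04/06,09:30:05,Assign,192.168.1.87,HOME-LAPTOP,0013CE112233
10,10/04/06,10:11:37,Assign,192.168.1.90,WS-ACCTS01.example.local,0016D3445566
"""

# Constructed inventory of domain machines (MAC -> host name), e.g. an asset list.
DOMAIN_INVENTORY = {
    "00-0D-60-A1-B2-C3": "WS-ACCTS01",
    "00-0D-60-A1-B2-C4": "WS-ACCTS02",
}

LEASE_EVENTS = {"10", "11"}  # 10 = new lease, 11 = lease renewed


def normalize_mac(mac):
    """Strip separators so 00-0D-60-.. and 000d60.. compare equal."""
    return "".join(c for c in mac if c.isalnum()).upper()


def find_unmanaged_leases(log_text, inventory):
    """Return one finding per MAC that got a lease but is not in the inventory."""
    known = {normalize_mac(m): h.split(".")[0].upper() for m, h in inventory.items()}
    known_names = set(known.values())
    findings = {}
    for row in csv.reader(StringIO(log_text)):
        # Skip the preamble, the column header and non-lease events.
        if len(row) < 7 or row[0].strip() not in LEASE_EVENTS:
            continue
        ip, host, mac = row[4].strip(), row[5].strip(), normalize_mac(row[6])
        if mac in known:
            continue
        # A host name is client-supplied: flag unknown MACs that reuse a domain name.
        short = host.split(".")[0].upper()
        reason = "claims-domain-hostname" if short in known_names else "unknown-mac"
        findings[mac] = {"mac": mac, "ip": ip, "host": host,
                         "reason": reason, "seen": f"{row[1]} {row[2]}"}
    return list(findings.values())  # ordered by first sighting


if __name__ == "__main__":
    for f in find_unmanaged_leases(SAMPLE_LOG, DOMAIN_INVENTORY):
        print(f["seen"], f["ip"], f["mac"], f["host"], f["reason"])
```

MAC addresses and host names are both supplied by the client, so this locates unmanaged machines rather than keeping them off the network.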
 
 
 
 
Miha Pihler [MVP]
10-04-2006, 01:11 PM
Hi,

This whitepaper should help you out...

Server and Domain Isolation Using IPsec and Group Policy
http://www.microsoft.com/technet/sec...c/default.mspx

--
Mike
Microsoft MVP - Windows Security
 
Roger Abell [MVP]
10-04-2006, 03:10 PM
http://microsoft.com/ipsec

However, IPsec in and of itself alone is not the technology
which satisfies all of your requirements (i.e. would not block
access to gate out to internet unless that is proxied by server
that requires IPsec binding)
 
Pete
10-04-2006, 05:21 PM
Think about implementing port security on the switch. You should also think
about setting up a separate LAN for the non-domain users in the DMZ; that way
they are isolated from your network. Set up one of your BSD servers to assign
IP addresses to that subnet.

Pete