Four ways to isolate sensitive servers


Serdar Yegulalp
08.17.2006
When people talk about computer security, there's almost always a discussion of isolating a computer. A machine that has sensitive data or that should only be accessed by certain people might be behind closed doors and without network access, just for the sake of safety. As someone else once put it, the only truly secure computer is one that's in a locked room and not connected to a network (and probably not plugged in or turned on, either).

Isolating a server isn't an all-or-nothing proposition, however. There are degrees of isolation that can be applied to a system, from simple firewalling to total physical isolation. If you're nervous about the possible effects of having a system exposed to the outside world (or even to parts of your own organization), a partial lockdown may be every bit as effective as a total one; which degree is right depends on what you need to keep out, not on how locked-down the machine feels.

Firewalling

Firewalls are the simplest and most basic way to give a computer a degree of isolation, mostly as protection against direct attacks on the server. Windows XP SP2 and Windows Server 2003 SP1 and later ship with Windows Firewall, Microsoft's basic but reasonably useful host firewall, which can be used to block everything that doesn't need to be reachable. It filters inbound connections both by port and by program, so you have some flexibility in what you admit; these versions do not filter outbound traffic. However, a firewall doesn't do anything to protect the traffic it admits: if a client sends plaintext to the server and the server responds in plaintext, anyone who can capture those packets will know what's going on. Nor does a port rule tell you who is on the other end; at best it restricts by source address, and addresses can be spoofed.

Virtual network segmentation/subnetting

Network segmentation or subnetting is another way to isolate a given computer: give the computer in question and any clients that need to reach it their own network segment, either a separate subnet or a VLAN. This makes the computer a little harder to reach, but not impossible, because a subnet is a logical boundary rather than a physical one. If the hosts still share a physical segment, someone on that segment running a sniffer such as Snort may be able to capture the traffic (trivially on a hub; on a switch it takes a mirror port or ARP spoofing), and traffic from other subnets is still routed to the server unless something filters it. A VLAN is a stronger boundary than a bare subnet, but it is enforced by switch configuration, not by anything the server itself controls.

It's also possible to isolate the computer and any needed clients on their own wires, but this is often not very practical unless you already have space set aside for it. In one of my previous jobs, before wireless networking was feasible, we created a separate physical network for testing by running CAT5 cables up into the ceiling spaces and back and forth between offices. It worked, but it was inconvenient at best -- and once someone else found out what was up, we had to dismantle the whole thing.

IPsec

One very elegant way to secure Windows Server machines is IPsec, a network security mechanism integrated into the IP stack that works at the packet level. Packets are authenticated (and optionally encrypted) and exchanged only between the server and peers that satisfy the IPsec policy, which is assigned to both ends, locally or through Group Policy. IPsec's other big benefit, aside from encryption, is authentication and integrity: each packet carries a check proving that it came from the authenticated peer and was not altered in transit, which an address-based firewall rule cannot give you.

Another particularly handy thing about IPsec on Windows is that it can authenticate with Kerberos, Windows' own built-in authentication scheme, so domain members can use it without distributing keys or certificates. Because it is integrated into Windows' IP stack rather than bolted on in front of it (like a firewall), it protects the traffic a firewall merely admits. This allows you to exchange protected traffic with, for example, another domain controller in another subnet. For many people, IPsec may be one of the easiest ways to selectively isolate a server without actually removing it from the network entirely. One caveat: IPsec keeps out peers that cannot authenticate, and a compromised domain member still holds a valid Kerberos identity, so pair it with firewall rules that limit which authenticated peers, and from where, are allowed in.
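The firewalling and IPsec sections above describe the two controls separately; the script below, an added example that is not from the original article, applies them together to one Windows Server host so that the admin ports accept only traffic from Kerberos-authenticated domain machines on a management subnet. It assumes Windows Server 2012 or later with the NetSecurity PowerShell cmdlets (the 2003-era tooling the article had in mind was the IP Security Policy snap-in and netsh ipsec), an elevated prompt, and a domain-joined host; the rule names, the port list and the 10.0.5.0/24 management subnet are placeholders.

```powershell
# Added example, not from the original article. Isolates a domain-joined
# Windows Server host with the built-in firewall plus an IPsec rule that
# admits only Kerberos-authenticated domain machines. Assumes Windows
# Server 2012 or later (NetSecurity module), run from an elevated prompt.
# The rule names, port list and 10.0.5.0/24 management subnet are placeholders.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'
$adminPorts = 445, 3389, 5985          # SMB, RDP, WinRM (placeholders)
$mgmtSubnet = '10.0.5.0/24'            # management subnet (placeholder)

# 1. Default deny inbound on every profile. Outbound stays open here;
#    tighten it separately once you know what the server must reach.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow -LogBlocked True

# 2. IPsec: a peer must prove a domain machine identity with Kerberos before
#    packets to the admin ports are accepted. Inbound 'Require' drops
#    unauthenticated packets; outbound 'Request' lets the server still talk
#    to peers with no IPsec policy (DNS, WSUS) instead of going silent.
$kerb   = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName 'Isolation: machine Kerberos' `
    -Proposal $kerb
New-NetIPsecRule -DisplayName 'Isolation: authenticate admin ports' `
    -Protocol TCP -LocalPort $adminPorts `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $phase1.Name -Profile Any | Out-Null

# 3. Allow rules that match only IPsec-authenticated traffic from the
#    management subnet. Without -Authentication Required the rule would
#    admit any host that can reach the port, which is the plain-firewall
#    weakness the article describes.
foreach ($port in $adminPorts) {
    New-NetFirewallRule -DisplayName "Isolation: TCP $port from mgmt (IPsec)" `
        -Direction Inbound -Protocol TCP -LocalPort $port `
        -RemoteAddress $mgmtSubnet -Authentication Required `
        -Action Allow -Profile Any | Out-Null
}

# 4. Check: every enabled inbound allow rule that does not demand IPsec
#    authentication is a path around the policy. Review the list and
#    disable whatever was not added on purpose.
function Get-UnauthenticatedInboundAllow {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object {
            ($_ | Get-NetFirewallSecurityFilter).Authentication -eq 'NotRequired'
        } |
        Select-Object DisplayName, Profile, Group
}
Get-UnauthenticatedInboundAllow | Format-Table -AutoSize
```

The allow rules demand authentication only; add -Encryption Required to them if the traffic itself must be encrypted rather than just authenticated, and confirm with Get-NetIPsecQuickModeCryptoSet that the server offers an ESP encryption proposal, otherwise those rules will not match. The final check is the part to keep running: Windows and installed roles add their own inbound allow rules, and each one that lacks an authentication requirement reopens the server to anyone who can route to it.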

"Clean room" isolation

A "clean room" computer is a machine with no network connectivity at all: an isolated PC, most likely hidden behind locked doors as well. The types of circumstances that require this degree of isolation are vanishingly few, but they do exist. For instance, a certification authority for internal use (such as code signing, or an offline root CA) could be hosted on such a system; certificate requests and issued certificates would have to be carried in and out by hand on removable media, which then becomes the one channel you must control. Such a machine should have strict control over hardware and software: it should not allow software to be installed, nor any new hardware devices to be added, without administrative access, and even administrators should follow a written procedure. This will prevent someone from, for instance, installing a wireless USB networking device or plugging in a flash drive.
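The hardware and software controls the paragraph above calls for can be set on the machine itself rather than left to policy documents. The script below is an added example, not from the original article: it disables every network adapter, blocks installation of any device class not explicitly allowed, denies all access to removable storage, and reports the resulting state. It assumes Windows Server 2012 / Windows 8 or later run from an elevated prompt, and that the two registry paths are the ones Group Policy writes for "Prevent installation of devices not described by other policy settings" and "All Removable Storage classes: Deny all access"; application control (AppLocker or Software Restriction Policies) is a separate step not shown here.

```powershell
# Added example, not from the original article. Locks down an offline
# "clean room" host: no network adapters, no unapproved device installs,
# no removable storage. Assumes Windows Server 2012 / Windows 8 or later
# from an elevated prompt. The registry paths are the ones the named
# Group Policy settings write; treat them as assumptions to verify.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$restrict = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$rsd      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# 1. No network: disable every adapter. Unplugging or removing the NIC is
#    still the stronger control; this closes the software side.
Get-NetAdapter | Disable-NetAdapter -Confirm:$false

# 2. Block installation of any device class not explicitly allowed, which
#    stops a wireless USB adapter from ever getting a driver.
New-Item -Path $restrict -Force | Out-Null
Set-ItemProperty -Path $restrict -Name DenyUnspecified -Value 1 -Type DWord

# 3. Deny all removable storage access, so a flash drive that is already
#    recognised cannot be read or written.
New-Item -Path $rsd -Force | Out-Null
Set-ItemProperty -Path $rsd -Name Deny_All -Value 1 -Type DWord

# 4. Check: report anything that still undermines the isolation. Run this
#    again after any maintenance session, since that is when adapters get
#    re-enabled and policies get loosened.
function Test-CleanRoomState {
    $up      = @(Get-NetAdapter | Where-Object { $_.Status -eq 'Up' })
    $deny    = (Get-ItemProperty -Path $restrict -ErrorAction SilentlyContinue).DenyUnspecified
    $rsdDeny = (Get-ItemProperty -Path $rsd -ErrorAction SilentlyContinue).Deny_All
    [pscustomobject]@{
        AdaptersUp        = $up.Count
        AdapterNames      = ($up.Name -join ', ')
        DeviceInstallDeny = ($deny -eq 1)
        RemovableDeny     = ($rsdDeny -eq 1)
        Isolated          = ($up.Count -eq 0 -and $deny -eq 1 -and $rsdDeny -eq 1)
    }
}
Test-CleanRoomState
```

The device-install restriction takes effect for devices plugged in after it is set; anything already installed keeps its driver, so apply it on a freshly built machine or audit existing devices first. The check function returns an object rather than printing, so the same call can feed a scheduled task that records the machine's state alongside the hand-carried certificate requests.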

Even if your organization has no need for a totally isolated machine, you should at least set up policies and physical space so that you can isolate a machine if you have to. Having such a procedure and space available is useful if, for instance, you need to examine a PC that has been hit with a virus or some other calamity, or to check a PC for signs of one.

About the author:
Serdar Yegulalp is editor of the Windows Power Users Newsletter.

This tip originally appeared on SearchWindowsSecurity.com
