Four ways to isolate sensitive servers


Serdar Yegulalp
08.17.2006

When people talk about computer security, there's almost always a discussion of isolating a computer. A machine that has sensitive data or that should only be accessed by certain people might be behind closed doors and without network access, just for the sake of safety. As someone else once put it, the only truly secure computer is one that's in a locked room and not connected to a network (and probably not plugged in or turned on, either).

Isolating a server isn't an all-or-nothing proposition, however. There are degrees of isolation that can be performed on a system, from simple firewalling to total physical isolation. If you're nervous about the possible effects of having a system exposed to the outside world (or even to parts of your own organization), a partial lockdown may be every bit as effective as a total lockdown depending on your needs.

Firewalling

Firewalls are the simplest and most basic way to give a computer a degree of isolation, mostly as protection against direct attacks on the server. All versions of Windows ship with Microsoft's own basic but reasonably useful firewall product, which can be used to lock down everything that doesn't need to be reachable. It filters both by port and by application, for outgoing as well as incoming traffic, so it offers more flexibility than port filtering alone. However, it does nothing to protect the traffic itself: if a client sends plaintext to the server and the server answers in plaintext, anyone who can capture those packets can read them.
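As an added illustration (not part of the original tip), this is how the port-and-application filtering described above looks on a current Windows Server using the built-in firewall cmdlets: default-deny inbound, one service port opened only to one client subnet, and one program blocked from sending outbound. The port, subnet and program path are constructed placeholders.

```powershell
# Added example: lock down a Windows server with the built-in firewall so that
# only one service, reachable from one client subnet, is exposed.
# Run in an elevated PowerShell (NetSecurity module, Windows Server 2012 or later).
# The port, subnet and application path below are constructed placeholders.

$ServicePort  = 1433                          # e.g. a database listener
$ClientSubnet = '10.20.30.0/24'               # the only clients allowed in
$BlockedApp   = 'C:\Tools\legacy-agent.exe'   # a program that must not talk out

# 1. Keep the firewall on for every profile and drop inbound traffic by default.
#    Logging dropped packets gives a record of anything probing the server.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. Port-based rule: allow the service only from the client subnet.
New-NetFirewallRule -DisplayName "Allow TCP/$ServicePort from $ClientSubnet" `
    -Direction Inbound -Protocol TCP -LocalPort $ServicePort `
    -RemoteAddress $ClientSubnet -Action Allow

# 3. Application-based rule: stop a specific program from sending outbound.
New-NetFirewallRule -DisplayName 'Block legacy agent outbound' `
    -Direction Outbound -Program $BlockedApp -Action Block

# 4. Verify: list every enabled inbound Allow rule with the ports and source
#    addresses it accepts, so nothing wider than intended is left open.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        $port = ($_ | Get-NetFirewallPortFilter).LocalPort -join ','
        [pscustomobject]@{ Rule = $_.DisplayName; Port = $port; From = $addr }
    } | Format-Table -AutoSize
```

Windows ships with a number of default Allow rules (core networking, remote management), so step 4 is worth reading carefully rather than assuming only your own rule is listed.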

Virtual network segmentation/subnetting

Network segmentation or subnetting is another way to isolate a given computer: give the computer in question and any clients that need access to it their own network segment. This makes it somewhat harder to reach the computer, but far from impossible, since a virtual segment may still share the same physical wire with everyone else. Someone running Snort, for instance, on the same physical network may be able to sniff the traffic.

It's also possible to isolate the computer and any needed clients on their own wires, but this is often not very practical unless you already have space set aside for it. In one of my previous jobs, before wireless networking was feasible, we created a separate physical network for testing by running CAT5 cables up into the ceiling spaces and back and forth between offices. It worked, but it was inconvenient at best -- and once someone else found out what was up, we had to dismantle the whole thing.

IPsec

One very elegant way to secure Windows Server machines is with IPsec, a network security mechanism integrated into the operating system that works at the packet level. Packets are encrypted and exchanged only between the server and trusted clients, according to policies created on the server. IPsec's other big benefit, aside from encryption, is verification: do the packets really come from the server (or client) they claim to?

Another particularly handy thing about IPsec is that it can use Windows' own built-in authentication scheme, Kerberos, so there's less fuss when you use it than you might think. Also, since it's integrated into Windows' own IP stack and not an adjunct to it (like a firewall), you can have a good deal of confidence in it. This allows you to exchange protected traffic with, for example, another domain controller in another subnet. For many people, IPsec may be one of the easiest ways to selectively isolate a server without actually removing it from the network entirely.
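The Kerberos-authenticated, encrypted policy described above, as an added example (not from the original tip) written with the NetSecurity cmdlets on a current Windows Server: main-mode authentication uses the machine's Kerberos identity, quick mode is forced to ESP with AES-256, and both directions to the service port are required to be protected. The port and subnet are constructed placeholders; the client side needs a matching rule.

```powershell
# Added example: require Kerberos-authenticated, ESP-encrypted IPsec for all
# traffic to a sensitive service. Run in an elevated PowerShell on a
# domain-joined Windows Server 2012 or later; peers must be domain members.
# Port and subnet below are constructed placeholders.

$ServicePort  = 1433
$ClientSubnet = '10.20.30.0/24'

# Phase 1 (main mode) authentication: the computer's Kerberos identity.
# No pre-shared keys or certificates to manage; the domain does the work.
$kerbProp = New-NetIPsecAuthProposal -Machine -Kerberos
$p1Auth   = New-NetIPsecPhase1AuthSet -DisplayName 'Machine Kerberos' `
    -Proposal $kerbProp

# Phase 2 (quick mode) crypto: ESP with AES-256 and SHA-256, so the payload is
# encrypted rather than merely integrity-protected.
$qmProp = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP `
    -ESPHash SHA256 -Encryption AES256
$qmSet  = New-NetIPsecQuickModeCryptoSet -DisplayName 'ESP AES256 SHA256' `
    -Proposal $qmProp

# Connection security rule: "Require" in both directions means packets to the
# service port that are not authenticated and encrypted are dropped, not
# silently accepted in the clear.
New-NetIPsecRule -DisplayName "IPsec required for TCP/$ServicePort" `
    -Protocol TCP -LocalPort $ServicePort -RemoteAddress $ClientSubnet `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $p1Auth.Name -QuickModeCryptoSet $qmSet.Name

# Verify after a client connects: the main-mode SA shows which Kerberos
# identities authenticated, the quick-mode SA shows the negotiated ESP cipher.
Get-NetIPsecMainModeSA
Get-NetIPsecQuickModeSA
```

If no security association appears, the usual causes are a missing matching rule on the client or a Kerberos failure (clock skew, non-domain peer), both of which show up in the Windows Filtering Platform audit log when IPsec auditing is enabled.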

"Clean room" isolation

A "clean room" computer is a machine with no network connectivity at all -- it's an isolated PC, most likely hidden behind locked doors as well. The types of circumstances that require this degree of isolation are vanishingly few, but they do exist. For instance, a certification authority for internal use (such as code signing) could be hosted on such a system; certificate requests would have to be brought in and out by hand. Such a machine should have strict control over hardware and software -- it should not allow software to be installed, nor any new hardware devices, without administrative access. This will prevent someone from, for instance, installing a wireless USB networking device or plugging in a flash drive.

Even if you have no need in your organization for a totally isolated machine, you should at least set up policies and physical space so that you can physically isolate a machine if you have to. Having such methods and space available is always good if, for instance, you need to work with a PC that's been hit with a virus or some other calamity, or need to examine a PC you suspect has been compromised.

About the author:
Serdar Yegulalp is editor of the Windows Power Users Newsletter.

This tip originally appeared on SearchWindowsSecurity.com
