  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 337

Automate IPSEC Domain/Network Isolation implementation in a blended environment

Thank you for taking time to review this post.
We have been tasked to implement Domain Isolation using IPSEC to secure the departmental server resources. The environment is a large campus area network. Picture a large college campus, hospital, or other enterprise network with multiple departments on the same "network".
 
Number of servers: ~75
Number of users: ~1200
The environment has the following OS(s):
XP, WIN7, WIN8, W2K3, W2K8, W2K8R2, W2K12, W2K12R2, OSX (mac)

My colleague's question: Is there a way to incorporate Mac, XP, Win7, and the various server OS(s) all together for an automated deployment? Realizing that the Vista-and-later machines can be deployed by GPO, we are struggling with how to do so with the XP and Mac machines.

My colleague and I have spent quite some time researching this to no avail.

I appreciate any guidance.

Regards,
Bob
Asked by: Bob Avritt MCSE:Security
2 Solutions
 
Rich Rumble (Security Samurai) commented:
I don't know of a more central way beyond AD, and as for Macs I have no idea how well they play with IPSEC in Windows. The Windows IPSEC is built on standards, mostly, but it does have some proprietariness that may cause issues.
I do remember that there are some limitations in Vista and 2008, but not Win7/Win8, when it comes to NAT+IPSEC:
http://support.microsoft.com/kb/926179

I have configured Linux/Unix hosts to talk to Windows IPSEC hosts using certificates and preshared keys, but I don't think it worked when we tried to use Kerberos tickets.
http://msdn.microsoft.com/en-us/library/dd314176%28v=ws.10%29.aspx
-rich
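An added example for the Mac/Unix side of the thread (this is not code from the original post, and it is my own construction): a POSIX shell script that generates the ipsec-tools configuration an OS X 10.9 or Linux host needs to require ESP transport-mode IPsec, authenticated with an X.509 certificate, toward the isolated server subnets. It assumes, hypothetically, that the host's certificate and key are already installed as host.pem / host.key under /etc/racoon/certs, that ca.pem there is the CA which also issued the Windows servers' certificates, and that the Windows policy is left on its default proposals (AES-128 / SHA-1 / DH group 2 main mode, ESP AES-128 / SHA-1 quick mode). The subnet and host addresses are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: generate setkey SPD entries plus a
# racoon.conf so a Mac OS X 10.9 / Linux host requires certificate-authenticated
# ESP transport mode toward the departmental server subnets.
# Assumed (hypothetical) paths and values:
CERT_DIR="/etc/racoon/certs"          # holds host.pem, host.key, ca.pem
SETKEY_CONF="/etc/racoon/setkey.conf"
RACOON_CONF="/etc/racoon/racoon.conf"

# valid_cidr a.b.c.d/n -> returns 0 if well-formed, 1 otherwise.
# Everything that reaches setkey is checked here first, so a bad inventory
# entry cannot produce a policy that silently matches nothing (or everything).
valid_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  addr="${1%/*}"; plen="${1#*/}"
  case "$plen" in ''|*[!0-9]*) return 1 ;; esac
  [ "$plen" -le 32 ] || return 1
  rest=$addr; n=0
  while :; do
    n=$((n + 1))
    case "$rest" in
      *.*) octet=${rest%%.*}; rest=${rest#*.} ;;
      *)   octet=$rest; rest= ;;
    esac
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
    [ -z "$rest" ] && break
  done
  [ "$n" -eq 4 ] || return 1
  return 0
}

# gen_spd HOST_IP SUBNET... -> setkey commands requiring ESP in both directions
# for each server subnet. Traffic to anything else stays in the clear; that is
# the isolation boundary: only the departmental servers demand IPsec.
gen_spd() {
  host=$1; shift
  valid_cidr "$host/32" || { echo "gen_spd: bad host address '$host'" >&2; return 1; }
  for net in "$@"; do
    valid_cidr "$net" || { echo "gen_spd: bad subnet '$net'" >&2; return 1; }
  done
  echo "flush;"
  echo "spdflush;"
  for net in "$@"; do
    echo "spdadd $host/32 $net any -P out ipsec esp/transport//require;"
    echo "spdadd $net $host/32 any -P in ipsec esp/transport//require;"
  done
}

# gen_racoon_conf CERT_DIR -> racoon configuration: certificate (rsasig)
# authentication for any peer, proposals chosen to match the assumed Windows
# defaults, ASN.1 DN identities as Windows sends them with certificates.
gen_racoon_conf() {
  cat <<EOF
path certificate "$1";

remote anonymous {
    exchange_mode main;
    certificate_type x509 "host.pem" "host.key";
    ca_type x509 "ca.pem";
    verify_cert on;
    my_identifier asn1dn;
    peers_identifier asn1dn;
    proposal_check obey;
    generate_policy off;
    lifetime time 8 hour;
    proposal {
        encryption_algorithm aes 128;
        hash_algorithm sha1;
        authentication_method rsasig;
        dh_group 2;
    }
}

sainfo anonymous {
    lifetime time 1 hour;
    encryption_algorithm aes 128;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
EOF
}

# apply HOST_IP SUBNET... -> write both files, load the SPD, start racoon.
# Run as root. Kept behind an explicit argument so sourcing this file has no
# side effects.
apply() {
  host=$1; shift
  gen_spd "$host" "$@" > "$SETKEY_CONF" || return 1
  gen_racoon_conf "$CERT_DIR" > "$RACOON_CONF"
  setkey -f "$SETKEY_CONF"      # install the policy
  racoon -f "$RACOON_CONF"      # on Linux this is usually a service instead
  setkey -DP                    # print what was installed
}

case "${1:-}" in
  apply) shift; apply "$@" ;;
esac
```

Usage, with hypothetical names: `sudo sh isolate.sh apply 10.20.5.7 10.10.0.0/24 10.11.0.0/24`. Because the policy is `require`, a host whose certificate the servers do not trust loses all access to those subnets, which is the intended isolation, so stage it against a test subnet first. After traffic to a server has flowed, `setkey -D` on the Mac should show an ESP pair, and on a Windows 7 / 2008 R2 peer `netsh advfirewall monitor show qmsa` lists the same quick-mode SA; the Windows side must itself be set to certificate authentication against the same CA for main mode to succeed.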
 
Bob Avritt MCSE:Security (Author) commented:
Rich,
Thanks for the reply. I am unfortunately hindered by the fact that I am coming into this late in the game and am not the principal in this initiative. With that said...

I am pretty sure that OS X 10.9 can be managed directly by AD (from what I have read). Again, not being the principal in this, I have no way of testing to verify the solution.

There are 3rd party AD plugins which claim to integrate the Macs. Perhaps that will be the solution.

Again thanks for the reply.

Regards,

Bob
 
Rich Rumble (Security Samurai) commented:
I know you can use Centrify and other 3rd parties, but I don't have any experience in Mac+AD integration. I do use and deploy IPSEC, and if Linux can do it, I know a Mac could, but again I'm not sure what program is best for all OSes to manage the IPSEC portions. We use scripts for Linux and GPOs for AD (M$).
-rich
 
serialband commented:
Macs can already join AD, but they only get the benefit of having the ability to use the same password. Group Policy doesn't work without additional 3rd party software like Centrify or PowerBroker Enterprise. You could also join LDAP or Open Directory at the same time and manage other aspects of the Mac from there, but you'd have to manage both AD and LDAP or Open Directory.