Chapter 12. Server and Domain Isolation
Quite possibly the most powerful security measure in recent memory is something Microsoft calls Server and Domain Isolation (SDI). SDI has, in fact, become a marketing rallying cry for Microsoft, although it really started as a purely technical measure for restricting avenues of attack. Perhaps the first widely published use of the technique was Microsoft's winning entry in eWeek's OpenHack IV, in 2002, which predated the marketing term by several years. The principle of the defensive method used in OpenHack IV was simple: enumerate all necessary communications patterns in the network and allow those, and only those. This is effectively what Microsoft now calls Server Isolation. In this chapter, we describe the basics of SDI, and look at how the way you deploy it has changed in Windows Vista.
Server and Domain Isolation Overview
SDI is essentially about one thing: allowing only the traffic that needs to be allowed in your network. Fortunately, there is a way to put a security mechanism right between the network and the host layer. In essence, it is a network-layer security mechanism that is implemented on each host — to protect them from the network. There are several ways to think of SDI. One is in terms of deployment phases. Another is by looking at the different isolation mechanisms. The deployment phases are really just two:
Analyze your network.
Build IPsec rules to enforce the necessary and desired communications patterns.
The network analysis ...