What is Domain Isolation
Domain Isolation separates computers that are members of an Active Directory domain from computers that have no domain credentials. It is implemented with Active Directory Group Policy and IPsec: connection security rules are pushed to domain member computers and require that any computer initiating a connection to a member first authenticate itself, which a computer outside the domain cannot do. The isolated members remain on the same physical network segment as everything else; the isolation is logical rather than physical, which is why it works as an additional layer of security on top of the existing network rather than a replacement for it.
What is a VLAN
A VLAN, or Virtual Local Area Network, is essentially a simulated LAN. It lets a network be segmented logically while remaining a single physical switched network. The segmentation helps performance and avoids having to buy additional routers to split the network physically (traffic between VLANs still needs a router or a Layer 3 switch). On the performance side, it lets you split a large broadcast domain into smaller ones, so a broadcast frame is only flooded to the ports in the same VLAN instead of to every port on every switch. It is broadcast traffic, not collisions, that VLANs reduce; collisions belong to shared hub-based media, not to switched ports. One way to picture it: if an office is one big open room with everyone shouting to each other at once, it is a loud mess. If you move groups (departments) of people into smaller rooms, those who need to talk to each other can do so without the extra chatter.
Security Benefits of Domain Isolation
One of the main security benefits of Domain Isolation is in the name. Isolating the secured systems from anything outside the domain adds an extra layer between them and unsecured systems: without domain credentials, a computer cannot join in the protected communication. For the connections themselves, Domain Isolation uses the IPsec suite, which adds headers to the IP packet so that each packet is authenticated and, if configured, its payload encrypted; IPsec can also be configured for authentication and integrity only, with no encryption. The encryption algorithms offered include DES and 3DES, but both are weak by today's standards (DES is broken and 3DES is deprecated), so AES should be selected where encryption is used. The default authentication method is Kerberos V5, which Microsoft recommends for Domain Isolation. This authentication is what proves to other domain members that a request or reply really comes from another member of the domain.
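The two Domain Isolation sections above describe the mechanism in words; the following is an added example (not code from the original article) showing how the same policy is expressed as Group Policy IPsec connection security rules with the Windows NetSecurity PowerShell cmdlets. The domain name contoso.com and the GPO name "Domain Isolation" are assumptions; the GPO is assumed to exist already and to be linked to the OUs containing the member computers. Kerberos V5 computer authentication is used, as the article says, and AES-256 is chosen in place of the DES/3DES options it mentions.

```powershell
# Added example, not from the original article: Domain Isolation as Group Policy
# IPsec connection security rules, built with the Windows NetSecurity cmdlets.
# Assumptions: the domain is contoso.com and a GPO named "Domain Isolation" already
# exists and is linked to the OUs holding the member computers. Run from an
# elevated PowerShell session on a domain-joined management host with RSAT.

$gpo = Open-NetGPO -PolicyStore 'contoso.com\Domain Isolation'

# Phase 1 (main mode) authentication: the computer account's Kerberos V5 ticket.
# This is what proves a peer is a domain member; a non-joined host has no ticket,
# so the negotiation fails before any application traffic is accepted.
$kerb    = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet = New-NetIPsecPhase1AuthSet -DisplayName 'Domain Isolation - Kerberos' `
               -Proposal $kerb -GPOSession $gpo

# Quick mode crypto: ESP with AES-256 encryption and SHA-256 integrity. DES and
# 3DES are still selectable but are weak/deprecated, so AES is chosen here.
$qm      = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP `
               -Encryption AES256 -ESPHash SHA256
$qmSet   = New-NetIPsecQuickModeCryptoSet -DisplayName 'Domain Isolation - AES256' `
               -Proposal $qm -GPOSession $gpo

# The isolation rule itself. Inbound: require authentication, so hosts that cannot
# authenticate cannot initiate connections to members. Outbound: request only, so
# members can still reach non-domain servers (proxies, internet) in the clear.
New-NetIPsecRule -DisplayName 'Domain Isolation' -Profile Domain `
    -Mode Transport -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name -QuickModeCryptoSet $qmSet.Name `
    -GPOSession $gpo

Save-NetGPO -GPOSession $gpo

# On a member, after gpupdate, the established main mode security associations
# show each peer and the domain identity it authenticated as.
Get-NetIPsecMainModeSA | Format-List LocalEndpoint, RemoteEndpoint, RemoteFirstId
```

The choice of Require inbound and Request outbound is the standard Domain Isolation shape: members refuse unauthenticated inbound connections, but can still talk to hosts that do not support IPsec. If a server that is not domain-joined must accept connections from members, it needs a separate exemption rule rather than a relaxation of this one.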
Domain Isolation instead of a VLAN
Because the isolated domain members remain on the same network, they can still use shared resources on that network, such as a proxy server, provided the rules allow it (outbound connections from members are normally set to request rather than require authentication). The main benefit of Domain Isolation over a VLAN is that communication is authorized per peer. A VLAN configured for security does separate the protected systems on the network, but it trusts location rather than identity: anyone who finds a way onto that VLAN, for example by plugging into a switch port assigned to it, can communicate with the "secured" devices. With Domain Isolation, a peer that cannot present domain credentials is refused regardless of where on the network it sits.