active directory in a dmz

Discussion in 'Cisco' started by paul blitz, Jan 5, 2004.

  1. paul blitz

    paul blitz Guest

    The relevance here is that it's all done via a PIX.......

    Scenario: we want to have a set of public facing servers (ie they need to go
    into the DMZ) but those servers need access to the Active Directory Domain
    Controllers on the corporate network (eg Citrix MSAM login authentication)

    What is the "standard" way to do this?

    One thought is to place a (non-public) DC in the DMZ and create specific
    "holes" between it and the DC's on the corporate lan.

    Another is to not bother with that DC on the DMZ, but instead let each
    server on the DMZ have a "hole" to the DC's on the corporate lan.

    I'm sure there are other ways too.... but what is the "correct" / "safest" /
    etc way to do this?


    Paul Blitz
    paul blitz, Jan 5, 2004
    #1

  2. Walter Roberson

    In article <3ff99ec8$0$13343$>,
    paul blitz <> wrote:
    :The relevance here is that it's all done via a PIX.......

    :Scenario: we want to have a set of public facing servers (ie they need to go
    :into the DMZ) but those servers need access to the Active Directory Domain
    :Controllers on the corporate network (eg Citrix MSAM login authentication)

    :What is the "standard" way to do this?

    :One thought is to place a (non-public) DC in the DMZ and create specific
    :"holes" between it and the DC's on the corporate lan.

    :Another is to not bother with that DC on the DMZ, but instead let each
    :server on the DMZ have a "hole" to the DC's on the corporate lan.

    If you do the latter, then compromising any one of those DMZ servers
    would allow you to attack through the trusted channel to the corporate
    lan. If you use the first approach, then provided the DC is not available
    to the outside, to attack the inside would require first compromising
    a DMZ server, then using it to compromise the DC, and then using the
    DC to compromise the internal machines -- an additional layer of
    protection.
    --
    Are we *there* yet??
    Walter Roberson, Jan 6, 2004
    #2

  3. Ivan Ostres

    Ivan Ostres Guest

    In article <3ff99ec8$0$13343$>,
    says...
    > The relevance here is that it's all done via a PIX.......
    >
    > Scenario: we want to have a set of public facing servers (ie they need to go
    > into the DMZ) but those servers need access to the Active Directory Domain
    > Controllers on the corporate network (eg Citrix MSAM login authentication)
    >
    > What is the "standard" way to do this?
    >
    > One thought is to place a (non-public) DC in the DMZ and create specific
    > "holes" between it and the DC's on the corporate lan.
    >
    > Another is to not bother with that DC on the DMZ, but instead let each
    > server on the DMZ have a "hole" to the DC's on the corporate lan.
    >
    > I'm sure there are other ways too.... but what is the "correct" / "safest" /
    > etc way to do this?
    >


    There's no "correct"/"safest" way to do that. Spreading the Windows
    domain to a (semi)public network segment like a DMZ is not safe in any case.
    A safer solution would be to use LDAP, if possible. Safer, but not safe.

    --
    Ivan
    Ivan Ostres, Jan 7, 2004
    #3
  4. Erik Tamminga

    Then what is commonly done?

    For example, if a company has a DMZ in which they host an intranet site /
    mail server, and the site uses SSL and basic authentication (to the domain),
    should they use the internal Active Directory or have its own (and own
    accounts/passwords/etc)?

    What do people recommend?

    Erik


    "Ivan Ostres" <> wrote in message
    news:btggjj$66ds7$-berlin.de...
    > In article <3ff99ec8$0$13343$>,
    > says...
    > > The relevance here is that it's all done via a PIX.......
    > >
    > > Scenario: we want to have a set of public facing servers (ie they need to go
    > > into the DMZ) but those servers need access to the Active Directory Domain
    > > Controllers on the corporate network (eg Citrix MSAM login authentication)
    > >
    > > What is the "standard" way to do this?
    > >
    > > One thought is to place a (non-public) DC in the DMZ and create specific
    > > "holes" between it and the DC's on the corporate lan.
    > >
    > > Another is to not bother with that DC on the DMZ, but instead let each
    > > server on the DMZ have a "hole" to the DC's on the corporate lan.
    > >
    > > I'm sure there are other ways too.... but what is the "correct" / "safest" /
    > > etc way to do this?
    > >
    >
    > There's no "correct"/"safest" way to do that. Spreading the Windows
    > domain to a (semi)public network segment like a DMZ is not safe in any case.
    > A safer solution would be to use LDAP, if possible. Safer, but not safe.
    >
    > --
    > Ivan
    Erik Tamminga, Jan 10, 2004
    #4
  5. paul blitz

    paul blitz Guest

    We have decided to NOT use a DC in the DMZ, but to let each machine talk to
    the DC on the main lan.

    We have defined a range of addresses (within the DMZ) that are allowed to
    access the 2 DCs. Here are the conduits we used (yeah, I know that you
    shouldn't use conduits, but that's how the pix was set up ages ago, and you
    can't mix...) as defined by a couple of bits of Microsoft documentation:

    conduit permit udp host 10.44.200.1 eq netbios-ns 10.1.1.64 255.255.255.192
    conduit permit udp host 10.44.200.1 eq netbios-dgm 10.1.1.64 255.255.255.192
    conduit permit udp host 10.44.200.1 eq domain 10.1.1.64 255.255.255.192
    conduit permit tcp host 10.44.200.1 eq domain 10.1.1.64 255.255.255.192
    conduit permit udp host 10.44.200.1 eq 88 10.1.1.64 255.255.255.192
    conduit permit tcp host 10.44.200.1 eq 88 10.1.1.64 255.255.255.192
    conduit permit udp host 10.44.200.1 eq 123 10.1.1.64 255.255.255.192
    conduit permit tcp host 10.44.200.1 eq 135 10.1.1.64 255.255.255.192
    conduit permit udp host 10.44.200.1 eq 135 10.1.1.64 255.255.255.192
    conduit permit tcp host 10.44.200.1 eq 139 10.1.1.64 255.255.255.192
    conduit permit udp host 10.44.200.1 eq 389 10.1.1.64 255.255.255.192
    conduit permit udp host 10.44.200.1 eq 445 10.1.1.64 255.255.255.192
    conduit permit tcp host 10.44.200.1 eq 445 10.1.1.64 255.255.255.192
    conduit permit tcp host 10.44.200.1 eq 636 10.1.1.64 255.255.255.192
    conduit permit tcp host 10.44.200.1 eq 49152 10.1.1.64 255.255.255.192
    conduit permit tcp host 10.44.200.1 eq 3268 10.1.1.64 255.255.255.192
    conduit permit tcp host 10.44.200.1 eq 3269 10.1.1.64 255.255.255.192
    conduit permit tcp host 10.44.200.1 range 5000 5019 10.1.1.64 255.255.255.192

    (the RPC will normally use a DYNAMIC port <ouch> but you CAN lock it down...
    we're using port 49152 = 0x0000c000).

    We watched a domain login, and it used quite a few of those just for that.


    Paul


    "Erik Tamminga" <> wrote in message
    news:btold8$hko$1.nb.home.nl...
    > Then what is commonly done?
    >
    > For example, if a company has a DMZ in which they host an intranet site /
    > mail server, and the site uses SSL and basic authentication (to the domain),
    > should they use the internal Active Directory or have its own (and own
    > accounts/passwords/etc)?
    >
    > What do people recommend?
    >
    > Erik
    >
    >
    > "Ivan Ostres" <> wrote in message
    > news:btggjj$66ds7$-berlin.de...
    > > In article <3ff99ec8$0$13343$>,
    > > says...
    > > > The relevance here is that it's all done via a PIX.......
    > > >
    > > > Scenario: we want to have a set of public facing servers (ie they need to go
    > > > into the DMZ) but those servers need access to the Active Directory Domain
    > > > Controllers on the corporate network (eg Citrix MSAM login authentication)
    > > >
    > > > What is the "standard" way to do this?
    > > >
    > > > One thought is to place a (non-public) DC in the DMZ and create specific
    > > > "holes" between it and the DC's on the corporate lan.
    > > >
    > > > Another is to not bother with that DC on the DMZ, but instead let each
    > > > server on the DMZ have a "hole" to the DC's on the corporate lan.
    > > >
    > > > I'm sure there are other ways too.... but what is the "correct" / "safest" /
    > > > etc way to do this?
    > > >
    > >
    > > There's no "correct"/"safest" way to do that. Spreading the Windows
    > > domain to a (semi)public network segment like a DMZ is not safe in any case.
    > > A safer solution would be to use LDAP, if possible. Safer, but not safe.
    > >
    > > --
    > > Ivan
    >
    >
    paul blitz, Jan 13, 2004
    #5
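The conduit list above is easier to reason about once it is parsed into a normalized form: which destination ports the DMZ range can reach on the DC, per protocol, and what the same rules look like as PIX 6.x access-list statements (the poster notes that conduits are deprecated but could not be mixed with ACLs). The following is an added example, not code from the thread or from Cisco; it assumes PIX 6.x conduit/access-list syntax and a hand-written table of the PIX port names that appear in the post (note that the PIX name "kerberos" means port 750, so Kerberos must be given numerically, as the poster did). The sample input is the conduit set quoted from the post above.

```python
"""Parse Cisco PIX 'conduit' lines, summarize the ports they expose, and emit
equivalent access-list lines.  Added example (not the poster's tooling)."""
import re
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import Dict, List, Optional

# Assumption: PIX 6.x port names used in the thread's conduits.  "kerberos"
# is deliberately absent because PIX maps it to 750, not 88.
NAMED_PORTS = {"domain": 53, "ntp": 123, "netbios-ns": 137, "netbios-dgm": 138,
               "netbios-ssn": 139, "ldap": 389, "ldaps": 636}

# conduit permit|deny PROTO <global side> eq PORT | range LO HI <foreign side>
# Global side = the protected host (here the DC); foreign side = the
# lower-security network (the DMZ range) that is allowed to reach it.
CONDUIT_RE = re.compile(
    r"^conduit\s+(permit|deny)\s+(tcp|udp)\s+"
    r"(?:host\s+(\S+)|(\S+)\s+(\S+))\s+"
    r"(?:eq\s+(\S+)|range\s+(\d+)\s+(\d+))\s+"
    r"(?:host\s+(\S+)|(\S+)\s+(\S+))\s*$"
)


@dataclass(frozen=True)
class Conduit:
    action: str
    proto: str
    dst: IPv4Network   # protected host/network (the DC)
    port_lo: int
    port_hi: int
    src: IPv4Network   # foreign network allowed in (the DMZ range)


def _port(token: str) -> int:
    if token.isdigit():
        return int(token)
    if token in NAMED_PORTS:
        return NAMED_PORTS[token]
    raise ValueError(f"unknown PIX port name: {token}")


def _net(host: Optional[str], ip: Optional[str], mask: Optional[str]) -> IPv4Network:
    # 'host X' is a /32; otherwise PIX gives a dotted netmask, which ipaddress accepts.
    return IPv4Network(f"{host}/32") if host else IPv4Network(f"{ip}/{mask}")


def parse_conduits(text: str) -> List[Conduit]:
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CONDUIT_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse conduit: {line}")
        action, proto, gh, gip, gmask, eq, lo, hi, fh, fip, fmask = m.groups()
        port_lo, port_hi = (_port(eq), _port(eq)) if eq else (int(lo), int(hi))
        out.append(Conduit(action, proto, _net(gh, gip, gmask),
                           port_lo, port_hi, _net(fh, fip, fmask)))
    return out


def exposed_ports(conduits: List[Conduit]) -> Dict[str, List[int]]:
    """Distinct destination ports reachable per protocol, with ranges expanded."""
    ports = {"tcp": set(), "udp": set()}
    for c in conduits:
        if c.action == "permit":
            ports[c.proto].update(range(c.port_lo, c.port_hi + 1))
    return {p: sorted(s) for p, s in ports.items()}


def _addr(net: IPv4Network) -> str:
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def to_access_list(conduits: List[Conduit], name: str = "dmz_to_inside") -> List[str]:
    """Equivalent PIX 6.x access-list lines (source before destination)."""
    lines = []
    for c in conduits:
        spec = (f"eq {c.port_lo}" if c.port_lo == c.port_hi
                else f"range {c.port_lo} {c.port_hi}")
        lines.append(f"access-list {name} {c.action} {c.proto} "
                     f"{_addr(c.src)} {_addr(c.dst)} {spec}")
    return lines


# Sample input: the conduit set quoted from the post above (one DC shown).
SAMPLE = """
conduit permit udp host 10.44.200.1 eq netbios-ns 10.1.1.64 255.255.255.192
conduit permit udp host 10.44.200.1 eq netbios-dgm 10.1.1.64 255.255.255.192
conduit permit udp host 10.44.200.1 eq domain 10.1.1.64 255.255.255.192
conduit permit tcp host 10.44.200.1 eq domain 10.1.1.64 255.255.255.192
conduit permit udp host 10.44.200.1 eq 88 10.1.1.64 255.255.255.192
conduit permit tcp host 10.44.200.1 eq 88 10.1.1.64 255.255.255.192
conduit permit udp host 10.44.200.1 eq 123 10.1.1.64 255.255.255.192
conduit permit tcp host 10.44.200.1 eq 135 10.1.1.64 255.255.255.192
conduit permit udp host 10.44.200.1 eq 135 10.1.1.64 255.255.255.192
conduit permit tcp host 10.44.200.1 eq 139 10.1.1.64 255.255.255.192
conduit permit udp host 10.44.200.1 eq 389 10.1.1.64 255.255.255.192
conduit permit udp host 10.44.200.1 eq 445 10.1.1.64 255.255.255.192
conduit permit tcp host 10.44.200.1 eq 445 10.1.1.64 255.255.255.192
conduit permit tcp host 10.44.200.1 eq 636 10.1.1.64 255.255.255.192
conduit permit tcp host 10.44.200.1 eq 49152 10.1.1.64 255.255.255.192
conduit permit tcp host 10.44.200.1 eq 3268 10.1.1.64 255.255.255.192
conduit permit tcp host 10.44.200.1 eq 3269 10.1.1.64 255.255.255.192
conduit permit tcp host 10.44.200.1 range 5000 5019 10.1.1.64 255.255.255.192
"""

if __name__ == "__main__":
    rules = parse_conduits(SAMPLE)
    summary = exposed_ports(rules)
    for proto, ports in summary.items():
        print(f"{proto}: {len(ports)} destination ports reachable from the DMZ range")
    print("\n".join(to_access_list(rules)))
```

Run as-is, the summary reports 29 TCP and 8 UDP destination ports reachable on the DC from the DMZ range, which is the concrete number behind the "too many open ports" objection in the next reply; the access-list output is what the same policy would look like once the conduits were migrated.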
  6. Ivan Ostres

    Ivan Ostres Guest

    In article <4003ccf8$0$13345$>,
    says...
    > We have decided to NOT use a DC in the DMZ, but to let each machine talk to
    > the DC on the main lan.
    >
    > We have defined a range of addresses (within the DMZ) that are allowed to
    > access the 2 DCs. Here's the conduits we used (yeah, I know that you
    > shouldn't use conduits, but that's how the pix was set up ages ago, and you
    > can't mix...) as defined by a couple of bits of Microsoft documentation:
    >
    > conduit permit udp host 10.44.200.1 eq netbios-ns 10.1.1.64 255.255.255.192
    > conduit permit udp host 10.44.200.1 eq netbios-dgm 10.1.1.64 255.255.255.192
    > conduit permit udp host 10.44.200.1 eq domain 10.1.1.64 255.255.255.192
    > conduit permit tcp host 10.44.200.1 eq domain 10.1.1.64 255.255.255.192
    > conduit permit udp host 10.44.200.1 eq 88 10.1.1.64 255.255.255.192
    > conduit permit tcp host 10.44.200.1 eq 88 10.1.1.64 255.255.255.192
    > conduit permit udp host 10.44.200.1 eq 123 10.1.1.64 255.255.255.192
    > conduit permit tcp host 10.44.200.1 eq 135 10.1.1.64 255.255.255.192
    > conduit permit udp host 10.44.200.1 eq 135 10.1.1.64 255.255.255.192
    > conduit permit tcp host 10.44.200.1 eq 139 10.1.1.64 255.255.255.192
    > conduit permit udp host 10.44.200.1 eq 389 10.1.1.64 255.255.255.192
    > conduit permit udp host 10.44.200.1 eq 445 10.1.1.64 255.255.255.192
    > conduit permit tcp host 10.44.200.1 eq 445 10.1.1.64 255.255.255.192
    > conduit permit tcp host 10.44.200.1 eq 636 10.1.1.64 255.255.255.192
    > conduit permit tcp host 10.44.200.1 eq 49152 10.1.1.64 255.255.255.192
    > conduit permit tcp host 10.44.200.1 eq 3268 10.1.1.64 255.255.255.192
    > conduit permit tcp host 10.44.200.1 eq 3269 10.1.1.64 255.255.255.192
    > conduit permit tcp host 10.44.200.1 range 5000 5019 10.1.1.64 255.255.255.192
    >
    >
    >


    That's just a little bit too many open ports, isn't it?

    Do I hear the word "security"????

    --
    Ivan
    Ivan Ostres, Jan 13, 2004
    #6