active directory in a dmz

Discussion in 'Cisco' started by paul blitz, Jan 5, 2004.

  1. paul blitz

    paul blitz Guest

    The relevance here is that it's all done via a PIX.......

    Scenario: we want to have a set of public facing servers (ie they need to go
    into the DMZ) but those servers need access to the Active Directory Domain
    Controllers on the corporate network (eg Citrix MSAM login authentication)

    What is the "standard" way to do this?

    One thought is to place a (non-public) DC in the DMZ and create specific
    "holes" between it and the DC's on the corporate lan.

    Another is to not bother with that DC on the DMZ, but instead let each
    server on the DMZ have a "hole" to the DC's on the corporate lan.

    I'm sure there are other ways too.... but what is the "correct" / "safest" /
    etc way to do this?


    Paul Blitz
     
    paul blitz, Jan 5, 2004
    #1

  2. :Scenario: we want to have a set of public facing servers (ie they need to go
    :into the DMZ) but those servers need access to the Active Directory Domain
    :Controllers on the corporate network (eg Citrix MSAM login authentication)

    :What is the "standard" way to do this?

    :One thought is to place a (non-public) DC in the DMZ and create specific
    :"holes" between it and the DC's on the corporate lan.

    :Another is to not bother with that DC on the DMZ, but instead let each
    :server on the DMZ have a "hole" to the DC's on the corporate lan.

    If you do the latter, then compromising any one of those DMZ servers
    would allow you to attack through the trusted channel to the corporate
    lan. If you use the first approach, then provided the DC is not available
    to the outside, to attack the inside would require first compromising
    a DMZ server, then using it to compromise the DC, and then use the
    DC to compromise the internal machines -- an additional layer of
    protection.
     
    Walter Roberson, Jan 6, 2004
    #2

  3. Ivan Ostres

    Ivan Ostres Guest

    There's no "correct"/"safest" way to do that. Spreading the Windows
    domain to a (semi)public network segment like a DMZ is not safe in any case.
    A safer solution would be using LDAP if possible. Safer, but not safe.
     
    Ivan Ostres, Jan 7, 2004
    #3
  4. Then what is commonly done?

    For example, if a company has a DMZ in which they host an intranet site /
    mail server, and the site uses SSL and basic authentication (to the domain),
    should they use the internal Active Directory or have its own (and own
    accounts/passwords/etc)?

    What do people recommend?

    Erik
     
    Erik Tamminga, Jan 10, 2004
    #4
  5. paul blitz

    paul blitz Guest

    We have decided to NOT use a DC in the DMZ, but to let each machine talk to
    the DC on the main lan.

    We have defined a range of addresses (within the DMZ) that are allowed to
    access the 2 DCs. Here are the conduits we used (yeah, I know that you
    shouldn't use conduits, but that's how the PIX was set up ages ago, and you
    can't mix...) as defined by a couple of bits of Microsoft documentation:

    conduit permit udp host 10.44.200.1 eq netbios-ns 10.1.1.64 255.255.255.192
    conduit permit udp host 10.44.200.1 eq netbios-dgm 10.1.1.64 255.255.255.192
    conduit permit udp host 10.44.200.1 eq domain 10.1.1.64 255.255.255.192
    conduit permit tcp host 10.44.200.1 eq domain 10.1.1.64 255.255.255.192
    conduit permit udp host 10.44.200.1 eq 88 10.1.1.64 255.255.255.192
    conduit permit tcp host 10.44.200.1 eq 88 10.1.1.64 255.255.255.192
    conduit permit udp host 10.44.200.1 eq 123 10.1.1.64 255.255.255.192
    conduit permit tcp host 10.44.200.1 eq 135 10.1.1.64 255.255.255.192
    conduit permit udp host 10.44.200.1 eq 135 10.1.1.64 255.255.255.192
    conduit permit tcp host 10.44.200.1 eq 139 10.1.1.64 255.255.255.192
    conduit permit udp host 10.44.200.1 eq 389 10.1.1.64 255.255.255.192
    conduit permit udp host 10.44.200.1 eq 445 10.1.1.64 255.255.255.192
    conduit permit tcp host 10.44.200.1 eq 445 10.1.1.64 255.255.255.192
    conduit permit tcp host 10.44.200.1 eq 636 10.1.1.64 255.255.255.192
    conduit permit tcp host 10.44.200.1 eq 49152 10.1.1.64 255.255.255.192
    conduit permit tcp host 10.44.200.1 eq 3268 10.1.1.64 255.255.255.192
    conduit permit tcp host 10.44.200.1 eq 3269 10.1.1.64 255.255.255.192
    conduit permit tcp host 10.44.200.1 range 5000 5019 10.1.1.64 255.255.255.192

    (the RPC will normally use a DYNAMIC port <ouch> but you CAN lock it down...
    we're using port 49152 = 0x0000c000).

    We watched a domain login, and it used quite a few of those just for that.


    Paul
     
    paul blitz, Jan 13, 2004
    #5
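    As an added example (not code from this thread, from Paul, or from Cisco), here is a small Python script that parses the conduit list posted above, rewrites each rule in the PIX access-list form that Paul says he could not mix with conduits, and totals the distinct ports opened toward the DC so that the size of the opening can be reviewed as a number rather than a wall of lines. The conduit lines are copied from the post as constructed input; the access-list name "dmz_to_dc" is an assumption of this example; and the PIX port keywords are mapped to their standard numbers (domain=53, netbios-ns=137, netbios-dgm=138). The script assumes the usual conduit reading: the "host" after the protocol is the protected (global) side, the port operator applies to that host, and the trailing address/mask is the permitted source.

```python
"""Parse, translate and audit PIX conduit rules (added example, not from the thread)."""
import re

# PIX port keywords used in the post, mapped to their well-known numbers.
NAME_TO_PORT = {"domain": 53, "kerberos": 88, "netbios-ns": 137,
                "netbios-dgm": 138, "ldap": 389, "ldaps": 636}

# Constructed input: the conduit lines from the post above, one per line.
CONDUITS = """\
conduit permit udp host 10.44.200.1 eq netbios-ns 10.1.1.64 255.255.255.192
conduit permit udp host 10.44.200.1 eq netbios-dgm 10.1.1.64 255.255.255.192
conduit permit udp host 10.44.200.1 eq domain 10.1.1.64 255.255.255.192
conduit permit tcp host 10.44.200.1 eq domain 10.1.1.64 255.255.255.192
conduit permit udp host 10.44.200.1 eq 88 10.1.1.64 255.255.255.192
conduit permit tcp host 10.44.200.1 eq 88 10.1.1.64 255.255.255.192
conduit permit udp host 10.44.200.1 eq 123 10.1.1.64 255.255.255.192
conduit permit tcp host 10.44.200.1 eq 135 10.1.1.64 255.255.255.192
conduit permit udp host 10.44.200.1 eq 135 10.1.1.64 255.255.255.192
conduit permit tcp host 10.44.200.1 eq 139 10.1.1.64 255.255.255.192
conduit permit udp host 10.44.200.1 eq 389 10.1.1.64 255.255.255.192
conduit permit udp host 10.44.200.1 eq 445 10.1.1.64 255.255.255.192
conduit permit tcp host 10.44.200.1 eq 445 10.1.1.64 255.255.255.192
conduit permit tcp host 10.44.200.1 eq 636 10.1.1.64 255.255.255.192
conduit permit tcp host 10.44.200.1 eq 49152 10.1.1.64 255.255.255.192
conduit permit tcp host 10.44.200.1 eq 3268 10.1.1.64 255.255.255.192
conduit permit tcp host 10.44.200.1 eq 3269 10.1.1.64 255.255.255.192
conduit permit tcp host 10.44.200.1 range 5000 5019 10.1.1.64 255.255.255.192
"""

# Only the "host ... eq PORT" and "host ... range LO HI" forms used in the post are
# handled; lt/gt/neq operators are rejected rather than silently mis-counted.
CONDUIT_RE = re.compile(
    r"^conduit\s+(?P<action>permit|deny)\s+(?P<proto>tcp|udp)\s+"
    r"host\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\s+"            # protected (global) host
    r"(?:eq\s+(?P<port>\S+)|range\s+(?P<lo>\d+)\s+(?P<hi>\d+))\s+"
    r"(?:(?P<any>any)|(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+))\s*$"
)


def port_number(token):
    """Turn a PIX port keyword or a numeric string into an int."""
    return NAME_TO_PORT[token] if token in NAME_TO_PORT else int(token)


def parse_conduits(text):
    """Return one dict per conduit line; raise on anything the regex does not cover."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = CONDUIT_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised conduit line: {line!r}")
        d = m.groupdict()
        if d["lo"] is not None:
            ports = range(int(d["lo"]), int(d["hi"]) + 1)
            portspec = f"range {d['lo']} {d['hi']}"
        else:
            p = port_number(d["port"])
            ports = range(p, p + 1)
            portspec = f"eq {d['port']}"
        rules.append({
            "action": d["action"], "proto": d["proto"], "dst": d["dst"],
            "src": "any" if d["any"] else f"{d['src']} {d['mask']}",
            "ports": ports, "portspec": portspec,
        })
    return rules


def to_access_list(rules, name="dmz_to_dc"):
    """Rewrite each conduit as a PIX access-list line (source first, then destination)."""
    return [f"access-list {name} {r['action']} {r['proto']} {r['src']} "
            f"host {r['dst']} {r['portspec']}" for r in rules]


def exposure_summary(rules):
    """Distinct (proto, port) openings per destination host, with ranges expanded."""
    opened = {}
    for r in rules:
        if r["action"] != "permit":
            continue
        dest = opened.setdefault(r["dst"], {"tcp": set(), "udp": set()})
        dest[r["proto"]].update(r["ports"])
    return opened


def unrestricted_sources(rules):
    """Rules that let any address reach the host: source 'any' or an all-zero mask."""
    return [r for r in rules if r["src"] == "any" or r["src"].endswith(" 0.0.0.0")]


if __name__ == "__main__":
    rules = parse_conduits(CONDUITS)
    for line in to_access_list(rules):
        print(line)
    for dst, protos in exposure_summary(rules).items():
        print(f"{dst}: {len(protos['tcp'])} tcp ports, {len(protos['udp'])} udp ports open")
    print("rules with an unrestricted source:", len(unrestricted_sources(rules)))
```

    Run as-is it reports 29 TCP and 8 UDP ports opened toward 10.44.200.1 (the 5000-5019 RPC range alone accounts for 20 of the TCP ports), and confirms that every rule is limited to the 10.1.1.64/26 DMZ range rather than "any", which is the first thing to check before arguing about whether the port count itself is acceptable.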
  6. Ivan Ostres

    Ivan Ostres Guest

    That's just a few too many open ports, isn't it?

    Do I hear word "security"????
     
    Ivan Ostres, Jan 13, 2004
    #6
