Security Basics mailing list archives
RE: suggestions on a good firewall
From: "David Ellis" <David.Ellis () unicam com>
Date: Tue, 27 May 2003 15:30:00 -0400

Yes, I know that Active Directory is LDAP. But having a firewall product into your domain structure is just a bad idea. A firewall should just be a firewall and not implement into a domain structure, and if you want to use LDAP, use a different LDAP server than Active Directory. If you don't, then you are running a Microsoft product on top of a Microsoft product in a Microsoft domain.

Let me ask this: what is the name of the company who has not been able to secure their own software? Microsoft have pretty good OSes etc. But they are far from a security company. And also they have ports open by default on their firewall, like port 88 for Kerberos. Just throw netcat into the mix listening on port 88 and forwarding to port 139. Goodbye, network! That is why there are so many 3rd-party vendors who sell security products for Microsoft networks.

-----Original Message-----
From: David Moisan [mailto:dmoisan () davidmoisan org]
Sent: Monday, May 26, 2003 1:27 PM
To: security-basics () securityfocus com

At 08:23 PM 5/24/2003 -0400, David Ellis wrote:
> Let me ask a question here? Why would anyone want tight active directory integration on a firewall which by all means constitutes a security flaw?

The AD features in ISA are used to control outbound access, as in "Jane User can only surf non-company sites during lunch hour" sort of thing. AD--which is just LDAP & proprietary extensions--is not exposed to the outside on my ISA server.

Can you describe a scenario where AD is compromised? I don't like using the term "vulnerability" unless I can imagine roughly where such a thing might happen.

Take care,
Dave

David Moisan, N1KGH
ARES/SKYWARN
dmoisan () davidmoisan org
Invisible Disability: http://www.davidmoisan.org/invisible_disability.html
ATS-909 FAQ: http://www.davidmoisan.org/radio/sangean/ats909faq.html