Re: AD in the DMZ . . . OK?

["Peter Van Eeckhoutte" <peter.ve () telenet be>]

But you could create a second (non-public) DMZ as well; and host your DC in
that separate zone
Keep in mind that in certain cases, you will need to allow traffic from your
DMZ to 'internal' networks- (which could be another non-public DMZ) : Think
about mailservers : how in earth are you going to send and retrieve emails
if they are not allowed to access your internal mailserver ?
Think about webservers using back-end databases....   and so on

I think the right approach is to deny all; but sometimes you need to be a
bit pragmatic (and allow certain things; in a controlled environment)
The trick is to find the right balance between security and functionality...

Imho, I would seriously consider using a separate internal DMZ... it would
still work; and does not require you to allow access to your internal
network





----- Original Message ----- 
From: "Ansgar -59cobalt- Wiechers" <bugtraq () planetcobalt net>
To: <security-basics () securityfocus com>
Sent: Friday, July 30, 2004 8:53 PM
Subject: Re: AD in the DMZ . . . OK?


> On 2004-07-30 Dieter Sarrazyn wrote:
> > Wouldn't using LDAP be a solution here? Every AD system is in fact
> > also an ldap server.
> >
> > If the only thing needed is authentication with userid/password, then
> > this is fairly simple to do. A special group could be created
> > containing all users that are allowed to use this type of
> > authentication. Using a "ldap-read" user which has only read access to
> > this group is pretty secure I guess.
>
> If I'm reading you correctly that would still require access from the
> DMZ to the DC, thus still violating the DMZ. No host in the DMZ should
> ever be able to access any service inside the internal network.
>
> Regards
> Ansgar Wiechers
> -- 
> "Those who would give up liberty for a little temporary safety
> deserve neither liberty nor safety, and will lose both."
> --Benjamin Franklin
>
> --------------------------------------------------------------------------
-
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
> any course! All of our class sizes are guaranteed to be 10 students or
less
> to facilitate one-on-one interaction with one of our expert instructors.
> Attend a course taught by an expert instructor with years of in-the-field
> pen testing experience in our state of the art hacking lab. Master the
skills
> of an Ethical Hacker to better assess the security of your organization.
> Visit us at:
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> --------------------------------------------------------------------------
--
>



---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------