RE: Access from DMZ Was: AD in the DMZ . . . OK?

["Depp, Dennis M." <deppdm () ornl gov>]

This statement I can agree with.  We need to recognize there are
exceptions but in this case, there are better ways to achieve the goal.

Dennis 

-----Original Message-----
From: Ansgar -59cobalt- Wiechers [mailto:bugtraq () planetcobalt net] 
Sent: Monday, August 02, 2004 11:24 AM
To: security-basics () securityfocus com
Subject: Re: Access from DMZ Was: AD in the DMZ . . . OK?

On 2004-08-02 Depp, Dennis M. wrote:
> On 2004-07-30 Ansgar -59cobalt- Wiechers wrote:
> > If I'm reading you correctly that would still require access from the
> > DMZ to the DC, thus still violating the DMZ. No host in the DMZ
> > should ever be able to access any service inside the internal
> > network.
>
> I've often wondered if this is really possible.  In today's
> environment, we have to provide some access to our internal networks
> either from the DMZ or from the internet.  (VPN for example.)  Is it
> possible to continue to stay with this phillosophy and still not have
> direct Internet connections into you secure network (even VPN
> connections). 

I would say that VPNs can be considered a special case since hosts
connected through a VPN are actually part of the internal network.

There *may* be reasons to violate a DMZ, however, these reasons should
be very well evaluated and I fail to see that simplified user management
for a web application should be reason enough.

Regards
Ansgar Wiechers
-- 
"Those who would give up liberty for a little temporary safety
deserve neither liberty nor safety, and will lose both."
--Benjamin Franklin

------------------------------------------------------------------------
---
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545
off 
any course! All of our class sizes are guaranteed to be 10 students or
less 
to facilitate one-on-one interaction with one of our expert instructors.

Attend a course taught by an expert instructor with years of
in-the-field 
pen testing experience in our state of the art hacking lab. Master the
skills 
of an Ethical Hacker to better assess the security of your organization.

Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------
----


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------