Security Basics mailing list archives
Re: AD in the DMZ . . . OK?
From: Oleg K.Artemjev <olli () rbauto ru>
Date: Thu, 29 Jul 2004 09:31:07 +0400
On Wed, 28 Jul 2004 11:49:12 +0100 karl <opium () runningriver co uk> wrote:
> One of the developers I work with has come up with a wild and crazy notion to write a .NET app that sits on a DMZ Web server but gets user information from the Active Directory on the other side of the firewall.. I'm inexperienced with this, so did some research and found that this kind of thing is possible (plenty of articles on putting Exchange servers in the DMZ), but found myself wondering if this ever happens,
If AD can be accessed via TCP/IP (I guess it can), then the only question is the list of firewall rules that will allow such connections from the DMZ to the internal network's AD provider(s).
> i.e. do people actually have their networks set up this way? Do folk expose/replicate AD to the DMZ in practice? It's all very well that this stuff is possible, but if it's perceived as insecure and not implementable in the real world . . . . . . .
You should just ask them: is access to the AD data from the entire internet a security threat or not? If it is not a threat, and if you prefer to ignore the potential risk of someone getting control over a machine in the internal network via the AD interface from the internet, then you may implement it (while restricting access to the AD-related ports to only some machine(s)). I'd give this a chance only if publishing the full AD data on the net is not a threat and the access from the DMZ is guaranteed to be read-only (by guarantee I mean only hard conditions, like 'this protocol is not intended for write access and cannot be used so').

The main (IMO) purpose of a DMZ is to defend the internal network (LAN) from DMZ hosts that have to interact with the internet. The DMZ interacts with the internet directly (even when filtered: packets that are allowed, and thus not filtered, establish a direct connection). Thus, if a good hack arrives, the DMZ host(s) will be controlled from the internet. Since the DMZ interacts with the LAN, each interaction method available then will be used as a possible road into the LAN from the internet via the DMZ.

-- 
Bye.Olli.
http://olli.digger.org.ru
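One way to write the firewall rule list referred to above, as an added example that is not part of the original thread or of any poster's setup: a netfilter/iptables FORWARD policy that lets exactly one DMZ host (the web server running the .NET app) reach exactly one internal domain controller, on the LDAP ports only, and drops every other DMZ-to-LAN packet. The interface names, addresses and port list are assumptions chosen for illustration; the script prints the rules so they can be reviewed and checked before anything is applied.

```shell
#!/bin/sh
# Added example (not from the original thread): generate iptables FORWARD
# rules that pin DMZ -> LAN traffic to one web host, one DC, and the LDAP
# ports, with a default deny for everything else from the DMZ.
# All interface names, addresses and ports below are assumed values.

DMZ_IF="eth1"          # firewall interface facing the DMZ (assumed)
LAN_IF="eth2"          # firewall interface facing the internal LAN (assumed)
WEB_HOST="192.0.2.10"  # DMZ web server that runs the .NET app (assumed)
DC_HOST="10.0.0.5"     # internal domain controller the app queries (assumed)
LDAP_PORTS="389 636"   # LDAP and LDAPS; add 3268/3269 only if the app needs the Global Catalog

# Print the rule set rather than applying it, so it can be reviewed first.
dmz_to_lan_rules() {
    for port in $LDAP_PORTS; do
        echo "iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -p tcp -s $WEB_HOST -d $DC_HOST --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT"
    done
    # Replies from the DC flow back only on connections the web host opened.
    echo "iptables -A FORWARD -i $LAN_IF -o $DMZ_IF -p tcp -s $DC_HOST -d $WEB_HOST -m state --state ESTABLISHED -j ACCEPT"
    # Anything else leaving the DMZ for the LAN is logged, then dropped.
    echo "iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -j LOG --log-prefix \"DMZ->LAN denied: \""
    echo "iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -j DROP"
}

# Number of ACCEPT rules: each one is a road a compromised DMZ host could still use.
accept_rule_count() {
    dmz_to_lan_rules | grep -c -- '-j ACCEPT'
}

# Sanity check: every ACCEPT in the DMZ -> LAN direction must name both the
# web host as source and the DC as destination. Succeeds (exit 0) when no
# unpinned ACCEPT rule exists.
accept_rules_are_pinned() {
    ! dmz_to_lan_rules | grep -- "-i $DMZ_IF -o $LAN_IF" | grep -- '-j ACCEPT' \
        | grep -v -- "-s $WEB_HOST -d $DC_HOST" | grep -q .
}

# Apply only when explicitly asked (needs root and iptables): sh rules.sh apply
if [ "$1" = "apply" ]; then
    dmz_to_lan_rules | while IFS= read -r cmd; do eval "$cmd"; done
fi
```

Note that the port filter does not by itself make the access read-only: the LDAP protocol on 389/636 carries modify operations as well as searches, so the "read-only guarantee" discussed above has to come from the permissions of the account the application binds with, and the firewall only limits which host can present those credentials and to which DC.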
Current thread:
- AD in the DMZ . . . OK? karl (Jul 28)
- Re: AD in the DMZ . . . OK? Pierre A. Cadieux (Jul 29)
- Re: AD in the DMZ . . . OK? Oleg K . Artemjev (Jul 29)
- Re: AD in the DMZ . . . OK? Tomasz Onyszko (Jul 29)
- <Possible follow-ups>
- RE: AD in the DMZ . . . OK? Roger A. Grimes (Jul 29)
- Re: AD in the DMZ . . . OK? Ivan Coric (Jul 30)
- RE: AD in the DMZ . . . OK? Dieter Sarrazyn (Jul 30)
- Re: AD in the DMZ . . . OK? Ansgar -59cobalt- Wiechers (Jul 31)
- Re: AD in the DMZ . . . OK? Peter Van Eeckhoutte (Jul 31)
- RE: AD in the DMZ . . . OK? Handy, Mark (IT) (Jul 30)
- RE: AD in the DMZ . . . OK? Ferino Mardo (Jul 30)