RE: safety of unidirectional NT trusts

[Jeroen Veeren <j.veeren () pointnet nl>]

Hi,

> I have been tasked with permitting M$ networking access between an NT 
> server on the DMZ an other Windows machines behind the firewall.  
> My plan is to not let the DMZ machine initiate any connections to the
internal 
> machines, but they can initiate connections to the DMZ machine. 

Ok, if i read this correct your inside lan needs this access to the dmz
server only so if you're Firewall is statefull, you are making 1 rule that
allows just that.
internal ---> server dmz  service:137,138,139. 

> The DMZ 
> machine should be set up to trust the internal machine, but the internal 
> machine should not trust the DMZ machine; I know I can't control this on 
> the firewall.  

You lost me here. Are you talking about authentication for the networking
access you must provide?
Why should any machine trust another machine?

> I don't know much about M$ networking, I don't get to make 
> decisions, I just implement firewall rules whether I like them or not.

Then only implement the first mentioned rule.

> My main question is:  is this unidirectional connection initiation and 
> trust help much more secure than bidirectional?  Given that I have to allow

> this network traffic, can I do any better on the firewall rules?

Don't let the server in you're dmz talk to you're internal network,
certainly NOT to you're PDC.
If they persist on setting up authentication between the server and the
domain accounts use Radius or whatever in yet another isolated dmz to get it
done. My guess: for the few accounts that will need this kind of access, you
might as well use local accounts on the server in the dmz to authenticate
the M$ networking.

Jeroen.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards