Firewall Wizards mailing list archives
RE: safety of unidirectional NT trusts
From: Jeroen Veeren <j.veeren () pointnet nl>
Date: Thu, 17 Jan 2002 11:26:11 +0100
Hi,
> I have been tasked with permitting M$ networking access between an NT server on the DMZ and other Windows machines behind the firewall. My plan is to not let the DMZ machine initiate any connections to the internal machines, but they can initiate connections to the DMZ machine.

Ok, if I read this correctly, your inside LAN needs this access to the DMZ server only, so if your firewall is stateful, you are making 1 rule that allows just that: internal ---> server DMZ, service: 137, 138, 139.

> The DMZ machine should be set up to trust the internal machine, but the internal machine should not trust the DMZ machine; I know I can't control this on the firewall.

You lost me here. Are you talking about authentication for the networking access you must provide? Why should any machine trust another machine?

> I don't know much about M$ networking, I don't get to make decisions, I just implement firewall rules whether I like them or not.

Then only implement the first-mentioned rule.

> My main question is: does this unidirectional connection initiation and trust help make it much more secure than bidirectional? Given that I have to allow this network traffic, can I do any better on the firewall rules?

Don't let the server in your DMZ talk to your internal network, certainly NOT to your PDC. If they persist in setting up authentication between the server and the domain accounts, use Radius or whatever in yet another isolated DMZ to get it done. My guess: for the few accounts that will need this kind of access, you might as well use local accounts on the server in the DMZ to authenticate the M$ networking.

Jeroen.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
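The single stateful rule Jeroen describes (internal ---> DMZ server on 137/138/139, nothing initiated the other way), written out as an added nftables ruleset that is not part of the original message or the list; the addresses 192.0.2.10 (DMZ server) and 10.0.0.0/8 (internal LAN) are assumed placeholders.

```nft
# Constructed example: adjust the two addresses to the real DMZ host and LAN.
define dmz_srv  = 192.0.2.10
define internal = 10.0.0.0/8

table inet fw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # The "stateful" part: packets belonging to a flow the internal side
        # already opened are allowed back, so no DMZ -> internal rule is needed
        # for return traffic.
        ct state established,related accept
        ct state invalid drop

        # The one rule: internal clients may open NetBIOS sessions to the DMZ
        # server (139/tcp) and send name/datagram service traffic (137,138/udp).
        ip saddr $internal ip daddr $dmz_srv tcp dport 139 ct state new accept
        ip saddr $internal ip daddr $dmz_srv udp dport { 137, 138 } accept

        # The DMZ server never initiates towards the internal network (PDC
        # included). Policy drop already covers this; the explicit rule adds a
        # log line and counter so any such attempt is visible.
        ip saddr $dmz_srv ip daddr $internal log prefix "dmz-to-internal " counter drop
    }
}
```

Load with `nft -f` and watch the `dmz-to-internal` counter: a non-zero value means the DMZ host tried to reach inside, which is exactly the traffic the reply says must never be allowed.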
Current thread:
- RE: safety of unidirectional NT trusts Henry Sieff (Jan 16)
- <Possible follow-ups>
- RE: safety of unidirectional NT trusts Jeroen Veeren (Jan 17)
- Re: safety of unidirectional NT trusts Jeff Boles (Jan 17)
- Re: safety of unidirectional NT trusts Bill_Royds (Jan 18)