Security Basics mailing list archives

Re: Something new?


From: "James Lee Gromoll" <jgromoll () hotmail com>
Date: Tue, 22 Apr 2003 12:40:41 -0700


I am a little confused on this one. If the users are internal and already validating on an internal server, why do you want another level of authorization? If the stations and servers physically connect via the same wire/hub, how does them validating on another device help increase your security? What is the threat? If you want to isolate and bottleneck your traffic through a single device, then you could set up Win2K RRAS as a router and physically tie traffic from internal users to one side and the servers on the other. In theory you are supposed to be able to run that Win2K server as a DC in its own domain, and you could have a separate domain for the other servers. Unfortunately, running as RRAS and a DC on the same box doesn't work really well. I think the RRAS server can pass authentication on to another server, so you could stay with the same domain structure and use the current servers to authenticate.

You could just use a regular router, or you could use a firewall-type device. Sounds like you want to treat your internal users as a RED or restricted zone and your servers as your safe zone. That's sort of a backwards firewall. A firewall might be cheaper than a Win2K server package.

This is what I see:

Internet----Firewall----Servers----Firewall----Clients
Red Zone----------------Green Zone------------Red Zone

If the big concern is to protect the web servers and other Internet-exposed servers from the users, then you need to set up a DMZ.



From: Steve S <jbodisks () yahoo com>
To: security-basics () securityfocus com
Subject: Re: Something new?
Date: Tue, 22 Apr 2003 08:11:46 -0700 (PDT)

Thanks for the responses so far but I need to clarify
that this would be for users accessing NT/2000 servers
from inside the company not users connecting from over
the internet.  The user is physically inside the
company sitting at a workstation.  They would have one
point of entry only.

Typical setup - user authenticates to DC
Internet -- Firewall -- Servers -- Users

Proposed setup - gateway authenticates user to DC
??? = gateway/authentication server
Internet -- Firewall -- Servers -- ??? -- Users


--- Steve S <jbodisks () yahoo com> wrote:
> Trying to figure out if anyone has seen or heard of
> some type of gateway or method for setting up an OS
> to
> be a gateway to authenticate all users before they
> have access into a NT/2000 network.  The thinking
> behind this would be the end-user would only be able
> to connect to the internal network through this
> gateway (i.e. access to all servers and associated
> ports on the internal network would be blocked until
> authentication occurred and then you would be
> restricted by your personal access level).  Looking
> to
> expose only a single point internally instead of a
> myriad of servers.
>
> __________________________________________________
> Do you Yahoo!?
> The New Yahoo! Search - Faster. Easier. Bingo
> http://search.yahoo.com
>




---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
world's premier event for IT and network security experts.  The two-day
Training features 6 hand-on courses on May 12-13 taught by professionals.
The two-day Briefings on May 14-15 features 24 top speakers with no vendor
sales pitches.  Deadline for the best rates is April 25.  Register today to
ensure your place.  http://www.securityfocus.com/BlackHat-security-basics
----------------------------------------------------------------------------





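As an added illustration of the gateway Steve is asking about (everything in the server zone blocked for a workstation until it authenticates, then only the servers and ports that user is entitled to), here is a small Python model of the policy the gateway would enforce. It is not code from this thread or from any product mentioned in it; the user names, passwords, server names, ports, session lifetime and client addresses are constructed sample data. The point James raises still applies: this decision logic only protects anything if the gateway is the sole physical path from the client zone to the servers, so that a workstation on the same hub cannot simply talk to a server directly.

```python
"""Model of an authenticating gateway between a client zone and a server zone.

Default-deny from client to server zone; after a successful login the
client's IP gets a session, and each packet is checked against that user's
own allowed (server, port) list until the session expires.
Added example, not code from the mailing-list thread.  All users, servers,
ports and addresses below are constructed sample data."""
import hashlib
import hmac
import os
import time

SESSION_TTL = 600.0  # seconds a login stays valid (assumed value)


def _hash_pw(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 so the gateway never stores cleartext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, allowed) -> dict:
    """Build a directory record: salted hash plus that user's ACL."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_pw(password, salt),
            "allowed": frozenset(allowed)}


# Constructed sample directory: who may reach which (server, port).
USERS = {
    "alice": make_user("correct horse", {("fileserver", 445), ("mail", 25)}),
    "bob": make_user("battery staple", {("mail", 25)}),
}


class Gateway:
    def __init__(self, users: dict, now=time.monotonic):
        self.users = users
        self.now = now                 # injectable clock for testing expiry
        self.sessions = {}             # client_ip -> (username, expires_at)

    def authenticate(self, client_ip: str, username: str, password: str) -> bool:
        """Verify credentials; on success bind a session to the client's IP."""
        rec = self.users.get(username)
        if rec is None:
            # Hash anyway so an unknown user is not distinguishable by timing.
            _hash_pw(password, b"\x00" * 16)
            return False
        if not hmac.compare_digest(_hash_pw(password, rec["salt"]), rec["hash"]):
            return False
        self.sessions[client_ip] = (username, self.now() + SESSION_TTL)
        return True

    def logout(self, client_ip: str) -> None:
        self.sessions.pop(client_ip, None)

    def permit(self, client_ip: str, server: str, port: int) -> bool:
        """Per-packet decision: no session or expired session -> drop;
        otherwise consult the authenticated user's own ACL."""
        sess = self.sessions.get(client_ip)
        if sess is None:
            return False
        username, expires_at = sess
        if self.now() >= expires_at:
            del self.sessions[client_ip]   # forget stale sessions
            return False
        return (server, port) in self.users[username]["allowed"]


if __name__ == "__main__":
    gw = Gateway(USERS)
    print("before login :", gw.permit("10.0.0.5", "fileserver", 445))
    print("login        :", gw.authenticate("10.0.0.5", "alice", "correct horse"))
    print("fileserver   :", gw.permit("10.0.0.5", "fileserver", 445))
    print("web (no ACL) :", gw.permit("10.0.0.5", "web", 80))
```

The session is keyed on the client's source address, which is the only thing a network gateway can see per packet; that is exactly why the gateway must sit in-line on the only path, and why a stolen or spoofed address inherits the session until it expires.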

