Security Basics mailing list archives
Re: Something new?
From: "James Lee Gromoll" <jgromoll () hotmail com>
Date: Tue, 22 Apr 2003 12:40:41 -0700
I am a little confused on this one. If the users are internal and already validating on an internal server, why do you want another level of authorization? If the stations and servers physically connect via the same wire/hub, how does them validating on another device help increase your security? What is the threat? If you want to isolate and bottleneck your traffic through a single device, then you could set up win2K RRAS as a router and physically tie traffic from internal users to one side and the servers on the other. In theory you are supposed to be able to run that win2K server as a DC in its own domain and you could have a separate domain for the other servers. Unfortunately running as a RRAS and a DC in the same box doesn't work real well. I think the RRAS server can pass authentication on to another server so you could stay with the same domain structure and use the current servers to authenticate.
You could just use a regular router, or you could use a firewall type device. Sounds like you want to treat your internal users as a RED or Restricted zone and your servers as your safe zone. That's sort of a backwards firewall. A firewall might be cheaper than a win2k server package.
This is what I see:

Internet----Firewall----Servers----Firewall----Clients
Red Zone----------------Green Zone------------Red Zone

If the big concern is to protect the Web Servers and other internet exposed Servers from the users then you need to set up a DMZ.
From: Steve S <jbodisks () yahoo com>
To: security-basics () securityfocus com
Subject: Re: Something new?
Date: Tue, 22 Apr 2003 08:11:46 -0700 (PDT)

Thanks for the responses so far but I need to clarify that this would be for users accessing NT/2000 servers from inside the company, not users connecting from over the internet. The user is physically inside the company sitting at a workstation. They would have one point of entry only.

Typical setup - user authenticates to DC

Internet -- Firewall -- Servers -- Users

Proposed setup - gateway authenticates user to DC

??? = gateway/authentication server

Internet -- Firewall -- Servers -- ??? -- Users

--- Steve S <jbodisks () yahoo com> wrote:
> Trying to figure out if anyone has seen or heard of some type of gateway
> or method for setting up an OS to be a gateway to authenticate all users
> before they have access into a NT/2000 network. The thinking behind this
> would be the end-user would only be able to connect to the internal
> network through this gateway (i.e. access to all servers and associated
> ports on the internal network would be blocked until authentication
> occurred and then you would be restricted by your personal access level).
> Looking to expose only a single point internally instead of a myriad of
> servers.

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hand-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 features 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today to ensure your place. http://www.securityfocus.com/BlackHat-security-basics
----------------------------------------------------------------------------
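As an added example (not code from this thread, nor from RRAS or any product mentioned in it), here is a toy policy model of the "???" gateway Steve sketches: workstations in the user zone can reach only the gateway's authentication port until the gateway has validated them against the DC, after which each client gets just the server/port pairs its access level permits. The subnets, gateway address, port numbers, access levels and the in-memory stand-in for the DC are all constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed addressing for the model (assumptions, not from the thread).
USER_ZONE = ip_network("10.20.0.0/16")      # workstations ("red" zone)
GATEWAY_IP = ip_address("10.10.0.1")        # the "???" gateway/auth server
AUTH_PORT = 443                              # port users authenticate on

# Assumed access levels: which server:port pairs a level may reach after auth.
ACCESS_LEVELS = {
    "staff": {("10.10.0.20", 445)},                         # file server only
    "admin": {("10.10.0.20", 445), ("10.10.0.30", 3389)},   # plus RDP to a box
}

# Constructed stand-in for the DC lookup: user -> (password, access level).
# A real gateway would hand the credential to the DC rather than store it.
DIRECTORY = {
    "alice": ("correct horse", "staff"),
    "bob": ("battery staple", "admin"),
}


@dataclass
class Gateway:
    """Per-client sessions established after a successful DC check."""
    sessions: dict = field(default_factory=dict)   # client IP -> (user, level)

    def authenticate(self, client_ip, user, password):
        """Validate the user against the (simulated) DC and open a session."""
        entry = DIRECTORY.get(user)
        if entry is None or entry[0] != password:
            return False
        self.sessions[ip_address(client_ip)] = (user, entry[1])
        return True

    def logout(self, client_ip):
        """Drop the session so the client falls back to the pre-auth policy."""
        self.sessions.pop(ip_address(client_ip), None)

    def allowed(self, src, dst, dport):
        """Decide a user-zone -> server-zone flow. Returns (decision, reason)."""
        src, dst = ip_address(src), ip_address(dst)
        if src not in USER_ZONE:
            return (False, "source not in user zone")
        # Before authentication the only reachable thing is the gateway itself.
        if dst == GATEWAY_IP and dport == AUTH_PORT:
            return (True, "authentication port")
        session = self.sessions.get(src)
        if session is None:
            return (False, "unauthenticated")
        user, level = session
        if (str(dst), dport) in ACCESS_LEVELS[level]:
            return (True, f"{user}:{level}")
        return (False, f"not permitted for {user}:{level}")


def demo():
    """Walk one constructed workstation through the pre/post-auth policy."""
    gw = Gateway()
    ws = "10.20.3.7"
    trace = []
    trace.append(gw.allowed(ws, "10.10.0.20", 445))           # denied: no session
    trace.append(gw.allowed(ws, str(GATEWAY_IP), AUTH_PORT))  # allowed: auth port
    gw.authenticate(ws, "alice", "wrong password")            # fails, no session
    trace.append(gw.allowed(ws, "10.10.0.20", 445))           # still denied
    gw.authenticate(ws, "alice", "correct horse")             # session for alice
    trace.append(gw.allowed(ws, "10.10.0.20", 445))           # allowed: staff
    trace.append(gw.allowed(ws, "10.10.0.30", 3389))          # denied: not staff
    gw.logout(ws)
    trace.append(gw.allowed(ws, "10.10.0.20", 445))           # denied again
    return trace


if __name__ == "__main__":
    for decision, reason in demo():
        print("ALLOW" if decision else "DENY ", reason)
```

The model only decides flows that actually pass through the gateway, which is the caveat James raises above: if workstations and servers share the same wire/hub, nothing forces traffic through the "???" box, so the physical split (or a firewall in the path) is what gives the policy any teeth.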