Security Basics mailing list archives

Re: AD in the DMZ . . . OK?

From: Oleg K.Artemjev <olli () rbauto ru>
Date: Thu, 29 Jul 2004 09:31:07 +0400

On Wed, 28 Jul 2004 11:49:12 +0100
karl <opium () runningriver co uk> wrote:

One of the developers I work with has come up with a wild and crazy 
notion to write a .NET app that sits on a DMZ Web server but gets user 
information from the Active Directory on the other side of the firewall..
I'm inexperienced with this, so did some research and found that this 
kind of thing is possible (plenty of articles on putting Exchange 
servers in the DMZ), but found myself wondering if this ever happens,

If AD can be accessed via TCP/IP (guess it can), then the only question is
a list of firewall rules that 'll allow such connections from DMZ to internal
network AD provider(s).

i.e. do people actually have their networks set up this way?  Do folk 
expose/replicate AD to the DMZ in practice?
It's all very well that this stuff is possible, but if it's perceived as 
insecure and not implementable in the real world . . . . . . .

You should just ask them - is accessing to the AD data from entire internet
is a security treat or not? If it's not a treat and if you prefer to ignore
potential risk of getting control over mashine in internal network via AD
interface from the internet - then you may implement it (w/ restricting access for
AD-related ports to only a some mashine(s)). I'd give a chance for this only if
it's not a treat to publish just full AD data on the net and the access from the
DMZ is guaranted as a readonly (by guaranty I mean only hard conditions, like
'this protocol is not intended for write access and cannot be used so' ).

The main (IMO) purpose of DMZ is to defend internal network (LAN) from DMZ hosts that have
to interact w/ the internet. DMZ interact w/ internet directly (even being filtered - packets
that are allowed and thus not filtered establish direct connection). Thus, if a good hack
arrive - the DMZ host(s) 'll be controlled from the internet. Since DMZ interacts w/ LAN -
each interaction method avaliable then will be used as a possible road into LAN from the
internet via DMZ.

--
Bye.Olli. http://olli.digger.org.ru

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------

Current thread:

AD in the DMZ . . . OK? karl (Jul 28)
- Re: AD in the DMZ . . . OK? Pierre A. Cadieux (Jul 29)
- Re: AD in the DMZ . . . OK? Oleg K . Artemjev (Jul 29)
- Re: AD in the DMZ . . . OK? Tomasz Onyszko (Jul 29)
- <Possible follow-ups>
- RE: AD in the DMZ . . . OK? Roger A. Grimes (Jul 29)
- Re: AD in the DMZ . . . OK? Ivan Coric (Jul 30)
- RE: AD in the DMZ . . . OK? Dieter Sarrazyn (Jul 30)
  - Re: AD in the DMZ . . . OK? Ansgar -59cobalt- Wiechers (Jul 31)
  - Re: AD in the DMZ . . . OK? Peter Van Eeckhoutte (Jul 31)
- RE: AD in the DMZ . . . OK? Handy, Mark (IT) (Jul 30)
- RE: AD in the DMZ . . . OK? Ferino Mardo (Jul 30)