RE: Use of L2TP in isolated W2K3 AD

afreyman_at_dsw.net
Date: 06/08/04

    To: puchta@cslab.felk.cvut.cz, focus-ms@securityfocus.com
    Date: Tue, 8 Jun 2004 14:43:40 -0700 
    
    

    Are you saying that all your computers have public IP addresses and most of
    them are accessible from the internet?

    If so, this is bad, but assuming that you can do nothing about it, try to at
    least get a hardware firewall in front of your DCs. You can filter IP
    ranges, but that doesn't necessarily protect you from IP spoofing, or
    someone exploiting a vulnerable client.

    L2TP is an option, but firstly I'd suggest that you harden your servers as
    much as possible; also consider using Kerberos on the network, which may
    give you an additional layer of security. Try running some IDS/IDP software
    on the DCs, or at least something resembling a personal
    firewall... ZoneAlarm and BlackICE come to mind. Auditing is a must as
    well.

    Since you mentioned L2TP, that means you're probably going to run VPN on one
    of the Windows boxes. Maybe you can isolate that box in the DMZ and put
    everything else in a private LAN? Also, what services are the clients
    accessing on the servers? Just file and print?

    -----Original Message-----
    From: Milos Puchta [mailto:puchta@cslab.felk.cvut.cz]
    Sent: Monday, June 07, 2004 11:47 PM
    To: focus-ms@securityfocus.com
    Subject: Use of L2TP in isolated W2K3 AD

    1.
    Imagine a large network that is more or less open to the Internet.
    I mean that there is packet filtering for some ports, one subnet
    is blocked from access from the Internet, but due to the routing
    between subnets all subnets are open....

    2.
     I can do nothing as to the changes in the structure of LAN :-(((
     except asking for blocking direct access to the selected computers.
     (No private LAN for private range of ip, no blocking routing,... :-(( ...)

    3.
    There are various services and operating systems on the LAN,
    including Windows, FreeBSD, Novell, SUN, VMS etc.

    4.
    I "develop" and maintain Active Directory (Windows 2003 Server and Windows
    XP Professional) in this structure. Windows XP clients should reach
    data on various systems (data and licenses on license servers).

    Because of security problems I am considering isolating the domain controllers
    behind an internal ISA firewall; the Windows clients would then use the L2TP
    protocol, as if they were accessing the domain controllers and file servers
    from the Internet.
    Is this a solution in my case?

    Thanks for your opinion and qualified guess.

    Regards,
    Milos

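The reply above recommends fronting the DCs with a firewall, letting only the VPN path reach them, and auditing what gets through. The script below is an added example, not code from the list thread or from any of the posters: it generates (and optionally applies) a host-firewall rule set for a domain controller so that inbound AD service ports are reachable only from the L2TP/IPsec VPN server and its client address pool, with everything else inbound blocked and dropped connections logged. It assumes a current Windows Server with `netsh advfirewall` (Vista/2008 or later, so not the Windows 2003 boxes in the original question); the VPN server address and client pool are constructed placeholders, and the well-known AD port list is the usual set a domain member needs to reach a DC.

```powershell
# Added example: minimal inbound allow-list for a domain controller that sits behind
# an L2TP/IPsec VPN box. Not from the original post; addresses below are constructed.
# Assumes 'netsh advfirewall' (Windows Vista / Server 2008 or later).
param(
    [string]$VpnClientPool = '10.10.0.0/24',   # constructed: pool handed out to L2TP clients
    [string]$VpnServer     = '192.0.2.10',     # constructed: the VPN box in the DMZ
    [switch]$Apply                             # without -Apply, only print the commands
)

# Well-known ports a Windows domain member uses to talk to a DC.
# The DC itself never needs IKE/ESP/L2TP (UDP 500/4500, proto 50, UDP 1701):
# those terminate on the VPN server, so the DC only sees plain AD traffic.
$adPorts = @(
    @{ Name = 'DNS-UDP';      Protocol = 'UDP'; Port = '53' },
    @{ Name = 'DNS-TCP';      Protocol = 'TCP'; Port = '53' },
    @{ Name = 'Kerberos-UDP'; Protocol = 'UDP'; Port = '88' },
    @{ Name = 'Kerberos-TCP'; Protocol = 'TCP'; Port = '88' },
    @{ Name = 'NTP';          Protocol = 'UDP'; Port = '123' },
    @{ Name = 'RPC-EPM';      Protocol = 'TCP'; Port = '135' },
    @{ Name = 'LDAP-UDP';     Protocol = 'UDP'; Port = '389' },
    @{ Name = 'LDAP-TCP';     Protocol = 'TCP'; Port = '389' },
    @{ Name = 'SMB';          Protocol = 'TCP'; Port = '445' },
    @{ Name = 'LDAPS';        Protocol = 'TCP'; Port = '636' },
    @{ Name = 'GC';           Protocol = 'TCP'; Port = '3268' },
    @{ Name = 'RPC-Dynamic';  Protocol = 'TCP'; Port = '49152-65535' }
)

function Get-DcFirewallCommands {
    param([string]$Pool, [string]$Server)
    $cmds = @()
    # Default stance: block anything inbound that no rule explicitly allows.
    $cmds += 'netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound'
    # Auditing: log every dropped inbound connection so the firewall log shows
    # what else on the LAN is still trying to reach the DC directly.
    $cmds += 'netsh advfirewall set allprofiles logging droppedconnections enable'
    # remoteip= takes a comma-separated list: the VPN client pool plus the VPN box itself
    # (assumed here to be a domain member that also needs AD access).
    $allowedFrom = '{0},{1}' -f $Pool, $Server
    foreach ($p in $adPorts) {
        $cmds += ('netsh advfirewall firewall add rule name="DC-{0}-VPN" dir=in ' +
                  'action=allow protocol={1} localport={2} remoteip={3}') -f
                  $p.Name, $p.Protocol, $p.Port, $allowedFrom
    }
    return $cmds
}

$commands = Get-DcFirewallCommands -Pool $VpnClientPool -Server $VpnServer
if ($Apply) {
    foreach ($c in $commands) {
        Write-Host "Running: $c"
        Invoke-Expression $c
    }
} else {
    # Dry run: review the rule set before applying it on a production DC.
    $commands
}
```

Run it without `-Apply` first and read the generated commands; the dynamic RPC range (49152-65535) is the one most administrators prefer to narrow by pinning the DC's RPC port range, and any service the reply asks about ("just file and print?") that is not in the list above will show up in the dropped-connection log rather than silently working around the allow-list.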