Re: To domain or not to domain? :-)

From: Patrik Birgersson (patrik.birgersson@aiasec.com)
Date: 02/27/02


Date: Wed, 27 Feb 2002 00:47:09 +0100 (CET)
From: Patrik Birgersson <patrik.birgersson@aiasec.com>
To: "Gegerfelt, Michael" <ver4@ver4.com>

On Mon, 25 Feb 2002, Gegerfelt, Michael stated:

> Hi all
>
> I have a question regarding topology in a DMZ zone. How does you guys put
> up a network with the following design?
>
> (It is a customer to us and I want to implement the best solution)
>
> Today they have three domains (One for their internal site, one for their
> "external site" - the DMZ and one for their sister company.
> (Sorry for my limited vocabulary and my spelling)
>
> They have one NT domain for their internal (lets say that one is called
> internal), they also have an NT4 domain called (lets say external, great
> imagination huh.. ). Is it even recommended to have a separate domain for
> the DMZ? I have heard from some guys that they prefer to put their NT
> boxes as Stand Alone instead...
>
> Any pros and cons for different topologies?
>
>
> Yours sincerely
>
> -------------------------------
> Michael Gegerfelt
>
>

Well, I suppose that you are only using the term "domain" as in WinNT
domain and not Internet domain here..

The reason for using NT domains is to use the "single logon" feature,
whcich means that you will only have to authenticate once to access
resources in that domain (or trusted domains).

I case of the DMZ...

I suppose that this DMZ will _not_ have any servers posing as file, print
or logon servers - right? In that case, I don't see any reason why those
boxes should be in the same domain.

If I remember correctly (was a while ago I poked around with NT), the NT
domain authentication model relies upon NetBIOS, which there is not reason
to have accessible (or even running) on an Internet connected (and
reachable) machine.

Disable NetBIOS over TCP/IP, Microsoft Share and Printing (or whatever
it's called) and block ports 135-139 at your firewall (the firewall should
not let anything throughh except for traffic bound to ports offering
"public" services in your DMZ).

Do as your NT friends told you... run those servers as stand alone
machines (don't forget patching - if NT4 they'll certainly need it ;).

Patrik Birgersson



Relevant Pages

  • Re: Lets talk about firewalls - what do we as a group think a firewall should be/have?
    ... NAT, and the DMZ, since it's already secured, is a good place to tack ... If the "company" is not offering services to the Internet, ... and connections to the internal LAN should ... be by means of a second interface on the server. ...
    (comp.security.firewalls)
  • Re: Where to place the DMZ zone?
    ... hypothetically lets say you have no DMZ hosting an email bridgehead ... If a hacker were to compromise one of your email or web servers (they are ... That is, the Internet accessible servers ... that can be compromised are on your internal network, ...
    (microsoft.public.isa)
  • Re: Prividing Intranet Website Access To External Users
    ... I really wouldnt like to be having my company intranet on the ... I would probably integrate the ldap/dc as a security server on the ... >> The web server will be in the DMZ, and only port 443 will be ... >> intranets to the internet in a secure manner. ...
    (Security-Basics)
  • Re: Forest Trust between Production & DMZ
    ... >> more vulnerable, external, then we are speaking of the trust ... If your DMZ gets whacked, ... To avoid the Swiss-cheese affect on the firewall, ... > Network segregation was a good thing at times when Internet Protocol was ...
    (microsoft.public.windows.server.security)
  • Re: SBS2000 and a DMZ
    ... the mission critical network. ... The remote/mobile users can trapse all over the internet and collect all ... > appropriate registry entries on the clients, the ability for the DMZ ... >> The W2K3 server is a recent addition and wanted it for storage of the ...
    (microsoft.public.backoffice.smallbiz2000)