Re: To domain or not to domain? :-)

From: Patrik Birgersson (patrik.birgersson@aiasec.com)
Date: 02/27/02


Date: Wed, 27 Feb 2002 00:47:09 +0100 (CET)
From: Patrik Birgersson <patrik.birgersson@aiasec.com>
To: "Gegerfelt, Michael" <ver4@ver4.com>

On Mon, 25 Feb 2002, Gegerfelt, Michael stated:

> Hi all
>
> I have a question regarding topology in a DMZ zone. How do you guys set
> up a network with the following design?
>
> (It is a customer to us and I want to implement the best solution)
>
> Today they have three domains (one for their internal site, one for their
> "external site" - the DMZ - and one for their sister company).
> (Sorry for my limited vocabulary and my spelling)
>
> They have one NT domain for their internal (let's say that one is called
> internal), they also have an NT4 domain called (let's say external, great
> imagination huh.. ). Is it even recommended to have a separate domain for
> the DMZ? I have heard from some guys that they prefer to put their NT
> boxes as Stand Alone instead...
>
> Any pros and cons for different topologies?
>
>
> Yours sincerely
>
> -------------------------------
> Michael Gegerfelt
>
>

Well, I suppose that you are only using the term "domain" as in WinNT
domain and not Internet domain here..

The reason for using NT domains is to use the "single logon" feature,
which means that you will only have to authenticate once to access
resources in that domain (or trusted domains).

In case of the DMZ...

I suppose that this DMZ will _not_ have any servers posing as file, print
or logon servers - right? In that case, I don't see any reason why those
boxes should be in the same domain.

If I remember correctly (it was a while ago that I poked around with NT), the NT
domain authentication model relies upon NetBIOS, which there is no reason
to have accessible (or even running) on an Internet connected (and
reachable) machine.

Disable NetBIOS over TCP/IP, Microsoft Share and Printing (or whatever
it's called) and block ports 135-139 at your firewall (the firewall should
not let anything through except for traffic bound to ports offering
"public" services in your DMZ).

Do as your NT friends told you... run those servers as stand alone
machines (don't forget patching - if NT4 they'll certainly need it ;).

Patrik Birgersson
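An added example, not part of the thread above: a small first-match firewall policy checker that shows whether a DMZ rule set actually follows the advice in the reply (default deny, only the "public" service ports reachable, NetBIOS ports 135-139 never exposed). The Rule model, the constructed sample policies and the port range 1-1024 are assumptions made for the example, not any real firewall's syntax.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

NETBIOS_PORTS = range(135, 140)  # 135-139, the range the reply says to block

@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp" or "any"
    dst_port: Optional[int]  # None matches any destination port

def matches(rule: Rule, proto: str, port: int) -> bool:
    return rule.proto in ("any", proto) and rule.dst_port in (None, port)

def reachable_ports(rules: List[Rule], default_policy: str,
                    protos: Iterable[str] = ("tcp", "udp"),
                    max_port: int = 1024) -> Set[Tuple[str, int]]:
    """First-match evaluation: (proto, port) pairs the policy lets into the DMZ."""
    open_ports = set()
    for proto in protos:
        for port in range(1, max_port + 1):
            action = default_policy               # used when no rule matches
            for rule in rules:
                if matches(rule, proto, port):
                    action = rule.action          # first matching rule wins
                    break
            if action == "allow":
                open_ports.add((proto, port))
    return open_ports

def audit(rules: List[Rule], default_policy: str,
          public_ports: Set[Tuple[str, int]]) -> dict:
    """Report exposed NetBIOS ports and anything open beyond the public services."""
    open_ports = reachable_ports(rules, default_policy)
    return {
        "netbios_exposed": sorted(p for p in open_ports if p[1] in NETBIOS_PORTS),
        "unexpected": sorted(p for p in open_ports if p not in public_ports),
    }

PUBLIC = {("tcp", 80), ("tcp", 443)}  # constructed: the DMZ offers only a web server

# Constructed "weak" policy: the deny for 135 is fine, but the blanket UDP allow
# behind it still exposes NetBIOS name/datagram/session ports 136-139 over UDP.
WEAK_RULES = [Rule("allow", "tcp", 80), Rule("allow", "tcp", 443),
              Rule("deny", "any", 135), Rule("allow", "udp", None)]

# Constructed corrected policy: allow only the public services, deny everything else.
SAFE_RULES = [Rule("allow", "tcp", 80), Rule("allow", "tcp", 443)]

def audit_weak() -> dict:
    return audit(WEAK_RULES, "deny", PUBLIC)

def audit_safe() -> dict:
    return audit(SAFE_RULES, "deny", PUBLIC)
```
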