RE: DMZ and AD Authentication

From: Shawn Jackson (sjackson_at_horizonusa.com)
Date: 12/17/03

  • Next message: Ronish Mehta: "Wi-Fi Security - setup of AirSnarf"
    Date: Tue, 16 Dec 2003 16:37:01 -0800
    To: "Rademacher Sgt Roger P" <RademacherRP@manpower.usmc.mil>, <security-basics@securityfocus.com>
    
    

            The thing is IPSEC is a secure communications channel which is
    relevant only if you are worried about somebody sniffing/capturing your
    traffic between the r-proxy and the web server. Now, the exception to
    this is if the program itself is setting up and using the channel from
    within the application which means compromising the system doesn't give
    the hacker access to the subverted communication channel.

            What you want to avoid, at all costs IMHO, direct/indirect
    access from an external accessible host to any important/secure
    resource. That can include, LDAP, DNS, Email, etc. Roger, I would
    suggest you fortify your topology with Net and Host IDS and a secure
    syslog server. Constantly parse the logs and have it generate a report
    for you. Run your proxy services in a chroot jail or with no
    permissions. Because your web server is Internal if that's compromised
    then it's endgame. SSL protects the data in-lieu and is not an access
    device. All an attacker has to do is perform the handshake with the
    server to get access to the encrypted channel.

            In my case, if they penetrate my WWW server in the DMZ they
    can't get access to anything. Each of my other DMZ hosts are firewalled
    against access from other DMZ hosts and the firewall doesn't allow
    originating traffic from the DMZ. Now this is now always possible I've
    gone though great lengths to limit my DMZ->LAN communication, but for me
    security is never a afterthought.

    Shawn Jackson
    Systems Administrator
    Horizon USA
    1190 Trademark Dr #107
    Reno NV 89521
    www.horizonusa.com
     
    Email: sjackson@horizonusa.com
    Phone: (775) 858-2338
           (800) 325-1199 x338

    -----Original Message-----
    From: Rademacher Sgt Roger P [mailto:RademacherRP@manpower.usmc.mil]
    Sent: Tuesday, December 16, 2003 1:07 PM
    To: security-basics@securityfocus.com
    Subject: RE: DMZ and AD Authentication

    Hi,
    I have a similar config being setup in my environment.
    We have an Apache server in the DMZ that is reverse proxying two
    connection inside to an oracle WebCache server (www and login). The
    WebCache server splits the request based on url and forwards to the
    appropriate server.
    The firewall allows external access to the DMZ machine and from the dmz
    machine to the internal WebCache server all on https/443. If the
    reverse proxy is compromised they can see the internal WebCache server
    but not the LDAP being stored on the login server. Both the reverse
    proxy and the WebCache server would need to be compromised for the LDAP
    to be accessed directly.
    Is this a viable option or should I fight for another communication
    setup such as an IPSec connection from the DMZ machine inside to the
    WebCache server?
    Rog

    -----Original Message-----
    From: jamesworld@intelligencia.com [mailto:jamesworld@intelligencia.com]
    Sent: Monday, December 15, 2003 9:57 PM
    To: Geoff.Shatz@pchelps.com
    Cc: security-basics@securityfocus.com
    Subject: RE: DMZ and AD Authentication

    Geoff,

    I second what Shawn said. If you can avoid it...don't do it.

    If however, you are stuck with an order from up high.

    Connect to the AD box thru the firewall via IPSEC.

    If you use NIDS, however, this will blind it to any attack's that might
    come thru is the web server was compromised.

    I would recommend using the Cisco Security Agent (formerly Okena) on the

    web server.

    The other thing you could do is use a Cisco ACS server to front end the
    AD
    authentication and have the web server authenticate to the ACS via
    RADIUS
    or TACACS. You will need to code the RADIUS integration (unless you can

    find it somewhere :-)

    HTH,

    -James

    At 11:25 12/12/2003, Shawn Jackson wrote:

    > All you need LDAP access (TCP 389) to your Catalogue server.
    >Even if you lock down your connection to the AD box, if someone
    >compromises your IIS server they can gain a lot of information from
    your
    >server. When we used this method with C# .Net we needed to have LDAP
    and
    >Microsoft-DS (TCP 445) open to the server.
    >
    > Honestly, I would advise against placing a server in the DMZ
    >that will access any part of your AD infrastructure; it's just not
    >secure enough. If you absolutely had to authenticate with AD I'd
    suggest
    >creating a simple program (Webpage (ASP, CGI, and CF) or .Net
    >Service/Remote App that would take two parameters (Username and
    >Password) and return a value, then just parse that value to get your
    >logon result. Place that app on a 'non-critical' server and it will be
    >far more secure then accessing AD directly.
    >
    > I can give you the code I use to access AD in C# and suggested
    >implementation if you wish.
    >
    >Shawn Jackson
    >Systems Administrator
    >Horizon USA
    >1190 Trademark Dr #107
    >Reno NV 89521
    >www.horizonusa.com
    >
    >Email: sjackson@horizonusa.com
    >Phone: (775) 858-2338
    > (800) 325-1199 x338
    >
    >-----Original Message-----
    >From: Geoff.Shatz@pchelps.com [mailto:Geoff.Shatz@pchelps.com]
    >Sent: Friday, December 12, 2003 7:33 AM
    >To: security-basics@securityfocus.com
    >Subject: DMZ and AD Authentication
    >
    >We are in a situation where we are currently planning the move of our
    >web server from an externally hosted solution to hosting the web server
    >in house. As part of this move we will be implementing a new internal
    >application that will run on the web server that will require
    >authentication based on Active Directory account info. Obviously this
    >will require that the web server has the ability to communicate with
    the
    >AD domain controllers. That being the case will it still be possible to
    >place this web server on a DMZ or will the amount of open ports
    required
    >between the DMZ and LAN for the required authentication process
    severely
    >mitigate the benefits of placing the server in the DMZ in the first
    >place? Any and all suggestions and or strategies to accomplish this in
    >the most secure fashion are welcome and appreciated. Thanks!
    >
    >Geoff
    >
    >-----------------------------------------------------------------------
    -
    >---
    >-----------------------------------------------------------------------
    -
    >----
    >
    >
    >-----------------------------------------------------------------------

    ----
    >-----------------------------------------------------------------------
    -----
    ------------------------------------------------------------------------
    ---
    ------------------------------------------------------------------------
    ----
    ---------------------------------------------------------------------------
    ----------------------------------------------------------------------------
    

  • Next message: Ronish Mehta: "Wi-Fi Security - setup of AirSnarf"

    Relevant Pages

    • Re: DMZ and file sharing
      ... Never ever use DMZ, a) its an open unlocked door with a big sign saying your ... save/retreive files to/from a restricted area on the LAN. ... and only server. ... You need to consider the safety of the LAN when the web server gets ...
      (microsoft.public.windows.server.sbs)
    • Re: Thumbnail security problem?
      ... have written or maybe you don't understand the HTTP 1.0 Basic Authentication ... will receive a 401 response from the web server. ... Ok, now that you see the basics, the problem we are seeing is as follows: ...
      (microsoft.public.security)
    • IIS6 - Integrated Authentication Probs
      ... server to a UNC share on another server ... It seems that when I use "integrated authentication" that the credentials ... Hence - this is a general problem with the way the web server is using my ...
      (microsoft.public.inetserver.iis.security)
    • Configuring PIX 515 for OWA in DMZ
      ... Currently I have just a web server and a Linux mail ... I want to move the web server and mail server into the DMZ for more ... access-group 110 in interface outside ...
      (comp.security.firewalls)
    • Configuring PIX 515 for OWA in DMZ
      ... Currently I have just a web server and a Linux mail ... I want to move the web server and mail server into the DMZ for more ... access-group 110 in interface outside ...
      (comp.security.firewalls)