RE: DMZ and AD Authentication

jamesworld_at_intelligencia.com
Date: 12/17/03

  • Next message: Shawn Jackson: "RE: HTTPS vs encrypted frames in HTTP"
    Date: Wed, 17 Dec 2003 11:39:09 -0600
    To: Rademacher Sgt Roger P <RademacherRP@manpower.usmc.mil>
    
    

    Roger,

    Having dealt with a compromised web server in a DMZ that was allowing all
    things to happen as they were (nothing obviously wrong). It was found to
    have a sniffer that was grabbing transaction data. It was also grabbing
    the communication through the dmz to the internal hosts. IPSEC would have
    made that futile.
    I configured it to IPSEC VPN to the firewall and then dump the clear
    traffic out on the internal network where the NIDS could watch it for funny
    stuff.

    That in combination with the Cisco Security Agent (former Okena) protects
    and makes it pretty much bulletproof. Obviously the CSA must be tuned
    properly for that level of assurance though.

    -James

    At 15:06 12/16/2003, Rademacher Sgt Roger P wrote:
    >Hi,
    >I have a similar config being setup in my environment.
    >We have an Apache server in the DMZ that is reverse proxying two
    >connection inside to an oracle WebCache server (www and login). The
    >WebCache server splits the request based on url and forwards to the
    >appropriate server.
    >The firewall allows external access to the DMZ machine and from the dmz
    >machine to the internal WebCache server all on https/443. If the
    >reverse proxy is compromised they can see the internal WebCache server
    >but not the LDAP being stored on the login server. Both the reverse
    >proxy and the WebCache server would need to be compromised for the LDAP
    >to be accessed directly.
    >Is this a viable option or should I fight for another communication
    >setup such as an IPSec connection from the DMZ machine inside to the
    >WebCache server?
    >Rog
    >
    >-----Original Message-----
    >From: jamesworld@intelligencia.com [mailto:jamesworld@intelligencia.com]
    >Sent: Monday, December 15, 2003 9:57 PM
    >To: Geoff.Shatz@pchelps.com
    >Cc: security-basics@securityfocus.com
    >Subject: RE: DMZ and AD Authentication
    >
    >
    >Geoff,
    >
    >I second what Shawn said. If you can avoid it...don't do it.
    >
    >If however, you are stuck with an order from up high.
    >
    >Connect to the AD box thru the firewall via IPSEC.
    >
    >If you use NIDS, however, this will blind it to any attack's that might
    >come thru is the web server was compromised.
    >
    >I would recommend using the Cisco Security Agent (formerly Okena) on the
    >
    >web server.
    >
    >The other thing you could do is use a Cisco ACS server to front end the
    >AD
    >authentication and have the web server authenticate to the ACS via
    >RADIUS
    >or TACACS. You will need to code the RADIUS integration (unless you can
    >
    >find it somewhere :-)
    >
    >HTH,
    >
    >-James
    >
    >At 11:25 12/12/2003, Shawn Jackson wrote:
    >
    > > All you need LDAP access (TCP 389) to your Catalogue server.
    > >Even if you lock down your connection to the AD box, if someone
    > >compromises your IIS server they can gain a lot of information from
    >your
    > >server. When we used this method with C# .Net we needed to have LDAP
    >and
    > >Microsoft-DS (TCP 445) open to the server.
    > >
    > > Honestly, I would advise against placing a server in the DMZ
    > >that will access any part of your AD infrastructure; it's just not
    > >secure enough. If you absolutely had to authenticate with AD I'd
    >suggest
    > >creating a simple program (Webpage (ASP, CGI, and CF) or .Net
    > >Service/Remote App that would take two parameters (Username and
    > >Password) and return a value, then just parse that value to get your
    > >logon result. Place that app on a 'non-critical' server and it will be
    > >far more secure then accessing AD directly.
    > >
    > > I can give you the code I use to access AD in C# and suggested
    > >implementation if you wish.
    > >
    > >Shawn Jackson
    > >Systems Administrator
    > >Horizon USA
    > >1190 Trademark Dr #107
    > >Reno NV 89521
    > >www.horizonusa.com
    > >
    > >Email: sjackson@horizonusa.com
    > >Phone: (775) 858-2338
    > > (800) 325-1199 x338
    > >
    > >-----Original Message-----
    > >From: Geoff.Shatz@pchelps.com [mailto:Geoff.Shatz@pchelps.com]
    > >Sent: Friday, December 12, 2003 7:33 AM
    > >To: security-basics@securityfocus.com
    > >Subject: DMZ and AD Authentication
    > >
    > >We are in a situation where we are currently planning the move of our
    > >web server from an externally hosted solution to hosting the web server
    > >in house. As part of this move we will be implementing a new internal
    > >application that will run on the web server that will require
    > >authentication based on Active Directory account info. Obviously this
    > >will require that the web server has the ability to communicate with
    >the
    > >AD domain controllers. That being the case will it still be possible to
    > >place this web server on a DMZ or will the amount of open ports
    >required
    > >between the DMZ and LAN for the required authentication process
    >severely
    > >mitigate the benefits of placing the server in the DMZ in the first
    > >place? Any and all suggestions and or strategies to accomplish this in
    > >the most secure fashion are welcome and appreciated. Thanks!
    > >
    > >Geoff
    > >
    > >-----------------------------------------------------------------------
    >-
    > >---
    > >-----------------------------------------------------------------------
    >-
    > >----
    > >
    > >
    > >-----------------------------------------------------------------------
    >----
    > >-----------------------------------------------------------------------
    >-----
    >
    >
    >------------------------------------------------------------------------
    >---
    >------------------------------------------------------------------------
    >----

    ---------------------------------------------------------------------------
    ----------------------------------------------------------------------------


  • Next message: Shawn Jackson: "RE: HTTPS vs encrypted frames in HTTP"

    Relevant Pages

    • Re: DMZ and file sharing
      ... Never ever use DMZ, a) its an open unlocked door with a big sign saying your ... save/retreive files to/from a restricted area on the LAN. ... and only server. ... You need to consider the safety of the LAN when the web server gets ...
      (microsoft.public.windows.server.sbs)
    • Configuring PIX 515 for OWA in DMZ
      ... Currently I have just a web server and a Linux mail ... I want to move the web server and mail server into the DMZ for more ... access-group 110 in interface outside ...
      (comp.security.firewalls)
    • Configuring PIX 515 for OWA in DMZ
      ... Currently I have just a web server and a Linux mail ... I want to move the web server and mail server into the DMZ for more ... access-group 110 in interface outside ...
      (comp.security.firewalls)
    • Re: [opensuse] Web Server in DMZ accessing Database in Internal Network
      ... At the moment I have an Intranet web server with Apache2. ... configured for the WS in the DMZ that has the NFS 4 mount for the Data ... I meant two separate HW boxes each with SuSEfirewall2 ...
      (SuSE)
    • Re: [fw-wiz] Securing www server w/Oracle back end.
      ... setup in the DMZ - passing back the requests into the internal web ... server, which - also internally - would pass on requests to the database ... The Linux is setup with the latest and greatest patches ... ... internal users (who would still access the "real" web server). ...
      (Firewall-Wizards)