Re: AD in the DMZ . . . OK?

From: Oleg K.Artemjev (olli_at_rbauto.ru)
Date: 07/29/04

    Date: Thu, 29 Jul 2004 09:31:07 +0400
    To: karl <opium@runningriver.co.uk>
    
    

    On Wed, 28 Jul 2004 11:49:12 +0100
    karl <opium@runningriver.co.uk> wrote:

    > One of the developers I work with has come up with a wild and crazy
    > notion to write a .NET app that sits on a DMZ Web server but gets user
    > information from the Active Directory on the other side of the firewall.
    > I'm inexperienced with this, so did some research and found that this
    > kind of thing is possible (plenty of articles on putting Exchange
    > servers in the DMZ), but found myself wondering if this ever happens,
    If AD can be accessed via TCP/IP (guess it can), then the only question is
    a list of firewall rules that'll allow such connections from the DMZ to the internal
    network AD provider(s).

    > i.e. do people actually have their networks set up this way? Do folk
    > expose/replicate AD to the DMZ in practice?
    > It's all very well that this stuff is possible, but if it's perceived as
    > insecure and not implementable in the real world . . . . . . .
    You should just ask them - is accessing the AD data from the entire internet
    a security threat or not? If it's not a threat and if you prefer to ignore the
    potential risk of getting control over a machine in the internal network via the AD
    interface from the internet - then you may implement it (w/ restricting access for
    AD-related ports to only some machine(s)). I'd give a chance for this only if
    it's not a threat to publish just the full AD data on the net and the access from the
    DMZ is guaranteed as read-only (by guaranty I mean only hard conditions, like
    'this protocol is not intended for write access and cannot be used so').

    The main (IMO) purpose of a DMZ is to defend the internal network (LAN) from DMZ hosts that have
    to interact w/ the internet. DMZ hosts interact w/ the internet directly (even being filtered - packets
    that are allowed and thus not filtered establish a direct connection). Thus, if a good hack
    arrives - the DMZ host(s) will be controlled from the internet. Since the DMZ interacts w/ the LAN -
    each interaction method available then will be used as a possible road into the LAN from the
    internet via the DMZ.

    -- 
    Bye.Olli.			http://olli.digger.org.ru
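As an added illustration of the port restriction Olli describes (not part of the original thread), here is an nftables ruleset for the firewall between the DMZ and the LAN that lets a single DMZ web host reach a single domain controller over LDAPS only, and logs and drops every other DMZ-to-LAN connection attempt. Interface names (dmz0, lan0) and the addresses 192.0.2.10 (web host) and 10.0.0.5 (domain controller) are constructed placeholders.

```nft
# Constructed example: forward-path filter between the DMZ and the LAN.
# Default policy is drop, so only the rules below let traffic through.
table inet dmz_to_lan {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections that were already permitted.
        ct state established,related accept
        ct state invalid drop

        # The one permitted path: DMZ web host -> one DC, LDAP over TLS (636/tcp).
        # Plain LDAP (389), global catalog, Kerberos, SMB, RPC etc. stay closed,
        # so the DMZ host cannot reach anything else on the LAN side.
        iifname "dmz0" oifname "lan0" \
            ip saddr 192.0.2.10 ip daddr 10.0.0.5 \
            tcp dport 636 ct state new accept

        # Everything else from the DMZ towards the LAN: log for detection, then drop.
        # A compromised DMZ host probing the LAN shows up here first.
        iifname "dmz0" oifname "lan0" \
            log prefix "dmz-to-lan-drop: " limit rate 10/second drop
    }
}
```

LDAP itself is not a read-only protocol, so the "read-only" condition Olli asks for cannot come from the filter alone; it has to come from the account the DMZ app binds with, which should be a dedicated account with read permission on only the attributes the app needs.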
