Re: Access from DMZ Was: AD in the DMZ . . . OK?

From: Ansgar -59cobalt- Wiechers (bugtraq_at_planetcobalt.net)
Date: 08/02/04

    Date: Mon, 2 Aug 2004 17:23:46 +0200
    To: security-basics@securityfocus.com
    
    

    On 2004-08-02 Depp, Dennis M. wrote:
    > On 2004-07-30 Ansgar -59cobalt- Wiechers wrote:
    >> If I'm reading you correctly that would still require access from the
    >> DMZ to the DC, thus still violating the DMZ. No host in the DMZ
    >> should ever be able to access any service inside the internal
    >> network.
    >
    > I've often wondered if this is really possible. In today's
    > environment, we have to provide some access to our internal networks
    > either from the DMZ or from the internet. (VPN for example.) Is it
    > possible to continue to stay with this philosophy and still not have
    > direct Internet connections into your secure network (even VPN
    > connections)?

    I would say that VPNs can be considered a special case since hosts
    connected through a VPN are actually part of the internal network.

    There *may* be reasons to violate a DMZ, however, these reasons should
    be very well evaluated and I fail to see that simplified user management
    for a web application should be reason enough.

    Regards
    Ansgar Wiechers

    -- 
    "Those who would give up liberty for a little temporary safety
    deserve neither liberty nor safety, and will lose both."
    --Benjamin Franklin
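The rule the thread keeps returning to (no DMZ host may reach a service on the internal network, while VPN clients count as internal hosts) can be checked mechanically against a firewall policy. The following Python is an added example, not code from this thread; the zone addresses, the rule format and the sample rules are constructed assumptions.

```python
import ipaddress
from typing import Dict, List

# Constructed zone map; the addresses are assumptions, not from the thread.
# The VPN client pool is listed under "internal" because, as the post argues,
# hosts connected through a VPN are part of the internal network.
ZONES: Dict[str, List[ipaddress.IPv4Network]] = {
    "dmz": [ipaddress.ip_network("192.0.2.0/24")],
    "internal": [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/16")],  # VPN client pool
}

def touches(net: ipaddress.IPv4Network, zone: str) -> bool:
    """True if the address range overlaps any subnet of the zone."""
    return any(net.overlaps(z) for z in ZONES[zone])

def dmz_to_internal_violations(rules: List[dict]) -> List[dict]:
    """Return every allow rule that lets DMZ addresses reach internal ones.

    A source of 0.0.0.0/0 overlaps the DMZ, so a blanket
    'allow any -> internal' rule is reported as well.
    """
    bad = []
    for r in rules:
        if r["action"] != "allow":
            continue
        src = ipaddress.ip_network(r["src"])
        dst = ipaddress.ip_network(r["dst"])
        if touches(src, "dmz") and touches(dst, "internal"):
            bad.append(r)
    return bad

# Constructed sample policy (assumed format: one dict per rule).
SAMPLE_RULES = [
    {"action": "allow", "src": "0.0.0.0/0",     "dst": "192.0.2.10/32", "port": "tcp/443"},  # Internet -> DMZ web server: fine
    {"action": "allow", "src": "192.0.2.10/32", "dst": "10.1.1.5/32",   "port": "tcp/389"},  # DMZ web server -> internal DC: the access the post objects to
    {"action": "allow", "src": "172.16.0.0/16", "dst": "10.0.0.0/8",    "port": "any"},      # VPN clients -> internal: VPN treated as internal
    {"action": "allow", "src": "10.0.0.0/8",    "dst": "192.0.2.0/24",  "port": "tcp/22"},   # internal -> DMZ admin access: not the direction at issue
    {"action": "allow", "src": "0.0.0.0/0",     "dst": "10.5.5.5/32",   "port": "tcp/25"},   # 'any' source includes the DMZ: flagged
    {"action": "deny",  "src": "192.0.2.0/24",  "dst": "10.0.0.0/8",    "port": "any"},      # explicit deny: fine
]

if __name__ == "__main__":
    for r in dmz_to_internal_violations(SAMPLE_RULES):
        print("DMZ->internal allow:", r)
```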
