RE: AD across both DMZ & LAN

From: Locher Thomas (Thomas.Locher_at_swarovski.com)
Date: 03/02/05

    To: 'Leon North' <leon_nc@linuxmail.org>, security-basics@securityfocus.com
    Date: Wed, 2 Mar 2005 07:22:46 +0100 
    
    

    Hello Leon,

    wouldn't it be better to use a proxy server? We have a proxy server in our
    LAN which authenticates the users and another one in the DMZ which just
    forwards the requests to the Internet and scans the traffic for viruses.
    Or use the Bluecoat appliance; you can put this device in the DMZ and have
    to open just one port to the internal LAN for user authentication (NTLM with
    a special service installed on a member server).

    Best regards,
    Thomas

    -----Original Message-----
    From: Leon North [mailto:leon_nc@linuxmail.org]
    Sent: Tuesday, 1 March 2005 16:20
    To: security-basics@securityfocus.com
    Subject: AD across both DMZ & LAN

    Hi,

    We currently have an NT4 domain in the DMZ and an unrelated NT4 domain
    internally. The DMZ domain contains a server running Citrix, and is used for
    internet web browsing/email, so that we only have to allow the Citrix
    connection through the FW to the LAN & no internal users can directly access
    the internet from their PCs.

    As part of an upgrade to Active Directory (both domains Win2k3), we would
    like to get the DMZ to trust the internal domain, so that we only have one
    set of user accounts to manage. But I am not sure about a couple of things
    with this setup:

    1. Will this work like this, so that we only need 1 user account per user
    instead of a separate one externally to internally? (excuse the vagueness of
    the question)

    2. If so, is that (not ideal I know but) an acceptable approach
    security-wise, when the DMZ DC can access the accounts on the internal domain?

    3. Can we configure it somehow so that the user gets a different profile
    when logging in to the DMZ only? I ask that because one potential issue I
    see is getting a virus infection into a user profile while logged into the
    DMZ, then logging into an internal server.

    Thanks for any help.

    Leon

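Added example, not part of the thread or either poster's setup: a PowerShell check for the trust Leon asks about in question 2. It assumes the RSAT ActiveDirectory module is installed and uses the hypothetical domain names dmz.example and corp.internal; it flags a trust that is not outbound-only from the DMZ, that points at an unexpected partner, or that lacks selective authentication or SID filtering.

```powershell
# Added example (not from the thread). Audits the trusts held by a DMZ domain
# so that the internal domain is trusted in one direction only, with selective
# authentication and SID filtering on. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Test-DmzTrust {
    param(
        [string]$DmzDomain,       # the Citrix/browsing domain (trusting side)
        [string]$InternalDomain   # where the single set of user accounts lives
    )
    $findings = @()
    # Direction is reported relative to the domain queried ($DmzDomain):
    #   Outbound      = DMZ trusts the other domain (its users may log on to DMZ resources)
    #   Inbound       = the other domain trusts DMZ (DMZ accounts usable on the LAN)
    #   BiDirectional = both, which a DMZ domain should never have
    foreach ($trust in Get-ADTrust -Filter * -Server $DmzDomain) {
        $t = $trust.Target
        if ($t -ieq $InternalDomain) {
            if ($trust.Direction.ToString() -ne 'Outbound') {
                $findings += "$t : trust is $($trust.Direction); expected Outbound only from the DMZ."
            }
        } else {
            $findings += "$t : unexpected trust partner for a DMZ domain."
        }
        if (-not $trust.SelectiveAuthentication) {
            $findings += "$t : selective authentication is off, so any trusted user can authenticate to every DMZ host."
        }
        if (-not $trust.SIDFilteringQuarantined) {
            $findings += "$t : SID filtering (quarantine) is off; extra SIDs in tokens from the trusted side would be honoured."
        }
    }
    return $findings
}

# Hypothetical domain names standing in for the two domains in the thread.
$result = Test-DmzTrust -DmzDomain 'dmz.example' -InternalDomain 'corp.internal'
if (@($result).Count -eq 0) { 'No trust findings.' } else { $result }
```

With selective authentication on, only the internal users explicitly granted "Allowed to Authenticate" on the Citrix server can use it, which keeps the one-account-per-user goal without exposing every DMZ host to every LAN account.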
