Re: How to create a manageable DMZ architecture?



On Nov 20, 4:38 am, Leythos <v...@xxxxxxxxxxx> wrote:
In article <b742ef56-cc3a-4703-80e6-
579b081ce...@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>, clintpa...@xxxxxxxxx says...

My problem is that there are services on my internal LAN, such as
Kerberos, NTP, DNS queries & xfers, etc, that I need my servers on my
DMZs to access. I am thinking of building 2 DMZs; one for my web
servers and the other for my DB servers. After doing a little DMZ
design research I found two threads that make me wonder:

Is sounds like your web server is part of your windows active directory
or domain structure in the lan - BAD MOVE.

All of my servers and firewalls are running OpenBSD. There are no
Windows machines on the entire network, only some FreeBSD and Macs.
All use Kerberos for sign-on.

As for SQL - your application should be connecting over TCP 1433 using a
user/password connection, not a Windows Authentication connection.

I'm using Postgresql, which uses Kerberos as the authentication
mechanism. I guess I could use username/password.

NTP - no need to allow it to access the LAN, have it sync with the same
public NTP server as your main NTP server.

True.

DNS - again, you could open TCP 53 between the DMZ and LAN, but the web
server has no reason to know the name of any node in the lan, so you
don't need DNS.

You make a good point. I thought of that right after I hit send.

You appear to think that you can have a AD/Domain server in the DMZ and
still call it a DMZ - you can't.

I don't even know what this means. Are you saying that AD/Domain is
like Kerberos for Windows? If so, are you basically saying I should
not use Kerberos on my DMZ?

The server in the DMZ should be a stand alone server, not part of your
LAN network or AD.

Thanks Leythos, I'll make a note of that.
.



Relevant Pages

  • Re: NTP authentication using kerberos
    ... Is it possible to use kerberos in authentication with an ntp server? ... In the handbook regarding kerberos (and nearly every other ... And so far I have only found simple key authentication similar to dhcp ... if you have your own heirarchy of Stratum 1 and perhaps Stratum 2 servers and accurate timing really is critical for you. ...
    (freebsd-questions)
  • RE: NTP recommendations
    ... I then setup peer ntp on the chokepoint router to enable it to serve ntp to anyone requesting time. ... I only have the one hole in the firewall for the three destinations and DC active directory serves all clients, while the DMZ Router serves the rest. ... I am currently looking into configuring my company's time servers. ...
    (Security-Basics)
  • Re: kerberos and time zone
    ... issue lies in the fact that the servers are in different time-zone, ... machine (including the NTP service) is configured correctly. ... I neglected to mention this in my previous message, but the Kerberos ... national labs that have time standard setups have atomic clocks that ...
    (comp.protocols.kerberos)
  • RE: Help in NTP server
    ... I also have a question about NTP. ... > servers and is very Cisco ish. ... your S1 server should go inside the LAN. ... > In the DMZ, sync two DMZ ntp servers with each other and the S2 masters. ...
    (Security-Basics)
  • Re: Use ssh key to acquire TGT?
    ... process that takes a single password and gets multiple tickets from it. ... even if some of the servers don't use kerberos. ... keytab file to obtain AFS tickets automatically at sucessful login. ...
    (comp.protocols.kerberos)