Re: FTP for internal users and external customers.



Hi Svyatoslav,

thanks for your reply.

In the meantime I went through some readings of
Microsoft_Identity_and_Access_Management_Series_v1.4.

It looks like the basic level of security wants a separate AD forest for
external authentication, with a trust relationship to the corporate AD forest
to preserve the users' SSO experience.

Because of the ports that have to be opened on the firewall to allow a trust
relationship between the DMZ and the Intranet, another way to achieve
authentication is to shadow corporate identities into the external AD forest by
means of MIIS or, in some cases, if the applications are claims-aware, to deploy
ADFS to federate the identities of the 2 forests (ADFS proxy in the DMZ). This
second option does not require an AD trust relationship.

An external forest can even allow mapping of digital certificates to improve
authentication security (SSL/TLS) without requiring passwords to be replicated
to the shadowed accounts.

According to this vision, the DMZ should be layered:
- the reverse-proxy to be placed in the DMZ (let's call it "outer DMZ")
- the external AD forest and SFTP server to be placed in the "production
zone" (let's call it "inner DMZ")
- the internal AD forest obviously to be placed in the Internal Zone (aka
"Intranet")

Of course I am talking about an authentication framework that will be used
not only for FTP services, but ready to host additional application servers
to be shared with external users.

What's your opinion?

Thanks,
Gabriele


"S. Pidgorny <MVP>" wrote:

1) Internal network is better; and
2) No. It's overengineering, thus the answer to 1.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Gabriel/TFI" <GabrielTFI@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:0BE705A4-30C0-46E5-A191-25306C1D4DB2@xxxxxxxxxxxxxxxx
We need to implement an SFTP server that will be used by internal users and
external customers to exchange files.
As a corporate policy, any connection coming from the internet has to be
accepted and managed by a reverse proxy in the DMZ.

Questions:
1) is it better to place the SFTP server in the Trusted Internal Network or
in the DMZ?
2) the SFTP server supports Active Directory. Is it a good choice to create
a DMZ-Extranet Forest and create a one-way trust to the internal AD?

Ideas? Suggestions?

Regards,
Gabriele
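The trust option from question 2 and the firewall-port concern raised in the follow-up, as an added example that is not code from this thread or from the Microsoft series Gabriele cites: a PowerShell audit, run on a domain controller of the DMZ/extranet forest with the ActiveDirectory RSAT module, that (a) checks the trust to the corporate forest is one-way with SID filtering and selective authentication switched on, and (b) probes the TCP ports such a trust needs through the DMZ-to-intranet firewall next to the single HTTPS port an ADFS proxy needs toward the internal federation server. The forest and host names ($CorporateForest, $CorporateDC, $AdfsServer) are placeholders; the port list is the standard set Microsoft documents for domain and forest trusts.

```powershell
# Added example, not from the original thread. Run on a DC of the DMZ/extranet
# forest. Names below are placeholders for the reader's own environment.
Import-Module ActiveDirectory

$CorporateForest = 'corp.example'        # placeholder: the internal forest this DMZ forest trusts
$CorporateDC     = 'dc1.corp.example'    # placeholder: an internal DC the trust must reach
$AdfsServer      = 'sts.corp.example'    # placeholder: internal ADFS server behind the ADFS proxy

# --- 1. Trust hygiene: one-way, filtered, selective ------------------------
$trust = Get-ADTrust -Filter "Name -eq '$CorporateForest'"
if (-not $trust) { throw "No trust with $CorporateForest exists in this forest" }

$findings = @()
# Direction is seen from the forest you run this on: Outbound means this (DMZ)
# forest trusts $CorporateForest, which is the intended one-way trust.
switch ($trust.Direction) {
    'Outbound'      { }
    'Inbound'       { $findings += 'Trust direction is reversed: the corporate forest trusts the DMZ forest' }
    'Bidirectional' { $findings += 'Trust is two-way: DMZ forest accounts can authenticate into the corporate forest' }
}
# SID filtering (netdom trust ... /quarantine:yes) drops foreign SIDs carried in
# SIDHistory; selective authentication (netdom trust ... /SelectiveAUTH:yes)
# limits which corporate users may authenticate to DMZ resources at all.
if (-not $trust.SIDFilteringQuarantined) { $findings += 'SID filtering (quarantine) is off on this trust' }
if (-not $trust.SelectiveAuthentication) { $findings += 'Selective authentication is off: every corporate user can authenticate to DMZ resources' }

# --- 2. Firewall surface the trust needs versus what an ADFS proxy needs -----
# TCP ports an AD trust needs from the DMZ DCs to the corporate DCs. Dynamic RPC
# (49152-65535 on 2008+) and UDP 53/88/389 are also required but not probed here.
$trustPorts = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
}
# The ADFS proxy in the DMZ only needs HTTPS to the internal federation server.
$adfsPorts = @{ 443 = 'HTTPS (ADFS proxy to federation server)' }

function Test-Surface([string]$Target, [hashtable]$Ports) {
    foreach ($p in ($Ports.Keys | Sort-Object)) {
        $open = Test-NetConnection -ComputerName $Target -Port $p `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Target = $Target; Port = $p; Service = $Ports[$p]; Open = $open }
    }
}

$surface = @(Test-Surface $CorporateDC $trustPorts) + @(Test-Surface $AdfsServer $adfsPorts)

if ($findings) {
    'Trust findings:'
    $findings | ForEach-Object { " - $_" }
} else {
    'Trust settings: one-way, SID filtering on, selective authentication on'
}
$surface | Format-Table -AutoSize

$trustOpen = @($surface | Where-Object { $_.Target -eq $CorporateDC -and $_.Open }).Count
$adfsOpen  = @($surface | Where-Object { $_.Target -eq $AdfsServer -and $_.Open }).Count
"TCP ports reachable DMZ -> corporate for the trust: $trustOpen of $($trustPorts.Count); for the ADFS proxy: $adfsOpen of $($adfsPorts.Count)"
```

The point of the second half is the comparison: a working trust needs every line of the first table open from the DMZ forest's DCs to the internal DCs (plus the dynamic RPC range), while the ADFS proxy design needs one rule to one internal host. Run the script before and after the firewall change to confirm nothing beyond the intended set is reachable.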