Re: FTP for internal users and external customers.

Svyatoslav, thanks for your comments.

Secure network architecture and authentication, expecially when secure
external access is needed, is a big head-ache for me, due to my limited
knowledge of this matter and to many conflicting literature I find on the
Internet.
Very confusing.

I even gave a look at IBM's vision of Enterprise Security Architecture.
http://www.redbooks.ibm.com/redbooks/pdfs/sg246014.pdf
Although firewall zone is said to be obsolete by many sides, as you stated
too, IBM concept of network architecture still relies on firewall zones.

My will to have separate ADs for internal and external users come from my
concerns about:
1) the security boundary in AD is the forest
2) regulatory standards such as Sarbox or best-practice standards such as
CoBIT, do all of these allow external users to be profiled in the corporate
directory?

As you can understand I am confused and lost! :-(

Thanks for your support.

Regards,
Gabriele





"S. Pidgorny <MVP>" wrote:

That is a reasonable architecture by Microsoft. As more radical in my own
views, I'd prefer using single domain. There are enough means to segregate
different types of users within the domain. On the other hand, separate
domains give different account policies, admin authority and replication
boundry, which is more useful in big organisations.

Yet there's one thing that's not justified: putting the external user in DMZ
and using a firewall to separate it from internal space. You have provided
reasons for that - and there are some more. Thinking of different domains
and identity management is the right thing to do; thinking in terms of
firewall zones is now obsolete.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Gabriel/TFI" <GabrielTFI@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:9D114E85-5A4D-4C3B-9964-C7BE03A27E8B@xxxxxxxxxxxxxxxx
Hi Svyatoslav,

thanks for your reply.

In the meanwhile I came throguh some readings of
Microsoft_Identity_and_Access_Management_Series_v1.4

It looks like the basic level of security wants a separate AD forest for
external authentication with a trust relationship to the corporate AD
forest
to preserve users' SSO experience.

Because of ports to be opened on the firewall to allow trust relationship
between DMZ and Intranet, another way to achieve authentication is
shadowing
corporate identities to the external AD forest by the use of MIIS, or in
some
cases, if application are claims-aware, with the deployment of ADFS to
federate identities of the 2 forests (ADFS proxy in the DMZ). This second
option does not require an AD trust relationship.

An external forest can even allow mapping of digital certificates to
improve
authenticaion security (SSL/TLS) without requiring password to be
replicated
to shadowed accounts.

According to this vision, the DMZ should be layered:
- the reverse-proxy to be placed in the DMZ (let's call it "outer DMZ")
- the external AD forest and SFTP server to be placed in the "production
zone" (let's call it "inner DMZ)
- the internal AD forest obviously to be placed in the Internal Zone (aka
"Intranet")

Of course I am talking about an authentication framework that will be used
not only for FTP services, but ready to host additional application
servers
to be shared with external users.

What's your opinion?

Thanks,
Gabriele


"S. Pidgorny <MVP>" wrote:

1) Internal network is better; and
2) No. It's overengineering, thus the answer to 1.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Gabriel/TFI" <GabrielTFI@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:0BE705A4-30C0-46E5-A191-25306C1D4DB2@xxxxxxxxxxxxxxxx
We need to implement a SFTP server that will be used by internal users
and
external customers to exchange files.
As a coporate policy, any connections coming from the internet has to
be
accepted and managed by a reverse proxy in DMZ.

Questions:
1) is it better to place the SFTP server in the Trusted Internal
Network
or
in the DMZ?
2) the SFTP server supports Active Directory. Is it a good choice to
create
a DMZ-Extranet Forest and create a one-way trust to the internal AD?

Ideas? Suggestions?

Regards,
Gabriele






.

Relevant Pages