Re: Forest Trust between Production & DMZ
From: Steve Riley [MSFT] (steriley_at_microsoft.com)
Date: 06/06/04
- Next message: Laura A. Robinson [MVP]: "Re: disabled administrator account"
- Previous message: Steve Riley [MSFT]: "Re: Lockout administrator account"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 5 Jun 2004 21:14:20 -0700
Yup, the declaration is done. It'll be on the DVD. I'll have additional DMZ
funerals at TechEds in Europe, Australia, New Zealand, Hong Kong, Japan, and
Malaysia. :)
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:#cHSZznOEHA.2636@TK2MSFTNGP10.phx.gbl...
>> But what of the visibility that the trust enables ? Since the
>> internal does not want to trust the less-securable, or at least
>> more vulnerable, external, then we are speaking of the trust
>> being such that the external, if subverted, would potentially
>> be able to inquire about the internal accounts structure.
>> This combined with the swiss-cheese effect on the firewall
>> are more than compensated by the enhanced quality control,
>> unified management and monitoring, etc. . . .
>> Is that basically the position ?? I.e. that with sufficient
>> monitoring of the traffic on the allowed holes for the trust
>> to operate, there is a net gain in security, that the risks can
>> be effectively managed ?
Yes, Roger.
I can't think of any actual attacks that succeed or become easier because
you have a (putatively) lower security zone trusting a higher security zone.
If your DMZ gets whacked, it's all over anyway.
To avoid the Swiss-cheese effect on the firewall, you could carry the trust
traffic inside IPsec. Or you could just eliminate that internal firewall,
get a smarter external firewall that can inspect at the application layer,
implement other technologies to perform strong authentication, effective
configuration validation, thorough auditing, and encryption when necessary.
--
Steve
steriley@microsoft.com

"S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
news:eSiLX7%23OEHA.1340@TK2MSFTNGP12.phx.gbl...
> Network segregation was a good thing at times when Internet Protocol was
> new and highly unknown, and open systems only started to replace the
> mainframe, and systems management didn't exist. As a result of implementing
> all the systems using the great concept of DMZ, some organisations ended up
> with tens of DMZs - still with standalone systems in there. Number of
> interfaces on the firewall became a real problem. Some systems were not
> covered by the systems management, more or less forgotten - just sat there,
> using firewall as the sole protection, waiting to be compromised. When the
> organisations had to deal with incidents and support time increased beyond
> acceptable, turning to directory services was a logical step. Yes, you have
> to poke holes in the firewall, making it a swiss cheese - but the risk is
> like that: somebody compromises a system, she can logon to Windows. Or to
> NDS. That's the level of visibility. Not talking about imaginary
> organisations. Separation still exists, but that's multiple forests/trees,
> not multiple DMZs.
>
> Talking of technical details, trust relationship requires much less than a
> client logging on to AD or replication. I didn't conduct proper testing, but
> when you think about compatibility with UNIX Kerberos - my guess will be
> that you'll need ports 88 and perhaps another one for password change. So
> the intruder will have very narrow window of opportunity.
>
> Finally, that point: "less-securable, or at least more vulnerable,
> external". Being in academic environment, you know better than me that
> internal is more dangerous space. For e-commerce environments, an intruder
> doesn't need to hop to internal network if the perimeter server is
> compromised: one can collect sensitive information right at the point of
> entry to the network. Financial implications: usually worse than total DoS.
> I've seen internet operations stopped for weeks to drain the network, in a
> bank.
>
> At the TechEd, Steve Riley will declare the death of DMZ. Not knowing
> anything about the details, I feel the same: enough is enough. Security has
> changed, the concepts should be different. Enterprise firewalls will follow.
>
> Sorry, this is a bit spontaneous speech: I just had to do work on the
> environment that had problems caused partially by a set of router ACLs ;)
>
> --
> Svyatoslav Pidgorny, MVP, MCSE
> -= F1 is the key =-
>
>
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:#cHSZznOEHA.2636@TK2MSFTNGP10.phx.gbl...
>> So, playing devil's advocate here Slav, is it fair to say
>> your position is that, even in a highly sensitive environment,
>> like say the banking industry, allowing a trust to "breach"
>> or lessen the strength of the network separation (firewall)
>> between internal and DMZ _can_ be a net gain as it will
>> enable more effective management, monitoring, detection,
>> OS level quality control, etc..?
>> But what of the visibility that the trust enables ? Since the
>> internal does not want to trust the less-securable, or at least
>> more vulnerable, external, then we are speaking of the trust
>> being such that the external, if subverted, would potentially
>> be able to inquire about the internal accounts structure.
>> This combined with the swiss-cheese effect on the firewall
>> are more than compensated by the enhanced quality control,
>> unified management and monitoring, etc. . . .
>> Is that basically the position ?? I.e. that with sufficient
>> monitoring of the traffic on the allowed holes for the trust
>> to operate, there is a net gain in security, that the risks can
>> be effectively managed ?
>>
>> --
>> Roger Abell
>> Microsoft MVP (Windows Server System: Security)
>> MCSE (W2k3,W2k,Nt4) MCDBA
>> "S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
>> news:OaIrZQiOEHA.4044@TK2MSFTNGP10.phx.gbl...
>> > I probably have to. Integration into directory services gives
>> > foundation for better systems management; the better systems
>> > management is, the better security will be. For example, 500
>> > stand-alone systems are sysadmin's hell: they are 500 separate
>> > entities to manage logon credentials, patches, content, you name it.
>> > One AD per DMZ? The overhead is high. Single directory service?
>> > Ideal. Can change service accounts. Can use MBSA and alikes. Log
>> > consolidation makes sense, as we expect logons from domain accounts
>> > only. Etc. etc.
>> >
>> > --
>> > Svyatoslav Pidgorny, MVP, MCSE
>> > -= F1 is the key =-
>> >
>> > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
>> > news:#WY4DMbOEHA.3924@TK2MSFTNGP09.phx.gbl...
>> > > Hi Slav,
>> > >
>> > > You might need to expand on that comment
>> > > "Integration is good for security."
>> > > as most people would, supplying their own
>> > > context, not take that as being generally so.
>> > >
>> > > --
>> > > Roger Abell
>> > > Microsoft MVP (Windows Server System: Security)
>> > > MCSE (W2k3,W2k,Nt4) MCDBA
>> > > "S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
>> > > news:%23DBWjHZOEHA.620@TK2MSFTNGP10.phx.gbl...
>> > > > Yes. We pay special attention to the Microsoft security bulletin
>> > > > with the view of potential penetration through the firewall
>> > > > complex, and implement IDS between DMZ and corporate network for
>> > > > additional security control.
>> > > > Integration is good for security.
>> > > >
>> > > > --
>> > > > Svyatoslav Pidgorny, MVP, MCSE
>> > > > -= F1 is the key =-
>> > > >
>> > > >
>> > > > "Jim Mulvey" <jmulvey@ix.netcom.com> wrote in message
>> > > > news:d1e3cb86.0405131156.187108c8@posting.google.com...
>> > > > > Microsoft does a lot of talking about how a company could enable
>> > > > > internal users to authenticate to DMZ resources through the use
>> > > > > of a Forest Trust.... but is anyone actually doing this?
>> > > > >
>> > > > > This link:
>> > > > >
>> > > > > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/fedffin2.mspx#XSLTsection125121120120
>> > > > >
>> > > > > shows that Microsoft feels it safe to use as a link to the
>> > > > > perimeter network, but has anyone gone through a security
>> > > > > analysis of this methodology before?
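Roger's question above turns on "sufficient monitoring of the traffic on the allowed holes for the trust to operate", and Slav's guess is that a trust needs little more than Kerberos on port 88 plus a password-change port. The script below is an added example, not code from any poster in this thread: it audits constructed firewall log lines for flows that cross from the DMZ into the internal network and flags anything that uses the trust hole in a way the trust does not need (a port outside the allow-list, a non-DC source in the DMZ, or a non-DC destination inside). The log format, the zone subnets, the DC addresses and the allow-list are all assumptions made here; port 464 for Kerberos password change is also added by me and is not stated in the thread.

```python
"""Audit firewall log lines for DMZ -> internal flows on the trust 'holes'.

Added example for this thread. The log format, addresses and allow-list
below are constructed assumptions, not anything taken from the posts.
"""
import ipaddress
import re
from collections import Counter

# Constructed zone layout (assumption): DMZ on 192.0.2.0/24, internal on 10.0.0.0/8.
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Hosts that legitimately talk across the trust: the DMZ forest's DCs and the
# internal forest's DCs (constructed addresses).
DMZ_DCS = {ipaddress.ip_address("192.0.2.10"), ipaddress.ip_address("192.0.2.11")}
INTERNAL_DCS = {ipaddress.ip_address("10.0.0.10"), ipaddress.ip_address("10.0.0.11")}

# Ports the trust path is allowed to use: 88 is Kerberos (as the thread notes);
# 464 is the Kerberos password-change port (assumption added here, not in the thread).
TRUST_PORTS = {("tcp", 88), ("udp", 88), ("tcp", 464), ("udp", 464)}

# Constructed log format: "<ts> <ALLOW|DENY> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "action": m["action"],
        "proto": m["proto"],
        "src": ipaddress.ip_address(m["src"]),
        "sport": int(m["sport"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
    }


def classify(rec):
    """Return a finding label for an allowed DMZ->internal flow, or None if it is expected."""
    if not (rec["src"] in DMZ_NET and rec["dst"] in INTERNAL_NET):
        return None  # not crossing the boundary in the direction we audit
    if rec["action"] == "DENY":
        return None  # the firewall already blocked it; not a hole-usage finding
    if (rec["proto"], rec["dport"]) not in TRUST_PORTS:
        return "unexpected-port"  # the hole is wider than the trust needs
    if rec["src"] not in DMZ_DCS:
        return "non-dc-source"  # a DMZ member, not a DC, is using the trust hole
    if rec["dst"] not in INTERNAL_DCS:
        return "non-dc-destination"  # trust ports aimed at a non-DC internal host
    return None


def audit(lines):
    """Return (findings, counts); each finding is (ts, label, src, dst, proto, dport)."""
    findings = []
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            counts["unparsed"] += 1
            continue
        label = classify(rec)
        if label:
            findings.append((rec["ts"], label, str(rec["src"]), str(rec["dst"]),
                             rec["proto"], rec["dport"]))
            counts[label] += 1
        else:
            counts["ok"] += 1
    return findings, counts


# Constructed sample log; comments state what each line represents.
SAMPLE_LOG = [
    "2004-06-05T21:10:01 ALLOW tcp 192.0.2.10:49152 -> 10.0.0.10:88",   # DMZ DC -> internal DC Kerberos: expected
    "2004-06-05T21:10:02 ALLOW udp 192.0.2.11:49153 -> 10.0.0.11:464",  # password change between DCs: expected
    "2004-06-05T21:10:03 ALLOW tcp 192.0.2.50:49154 -> 10.0.0.10:88",   # a DMZ web server, not a DC, using the hole
    "2004-06-05T21:10:04 ALLOW tcp 192.0.2.10:49155 -> 10.0.0.10:445",  # SMB through the hole: wider than the trust needs
    "2004-06-05T21:10:05 ALLOW tcp 192.0.2.10:49156 -> 10.0.0.99:88",   # Kerberos to a non-DC internal host
    "2004-06-05T21:10:06 DENY  tcp 192.0.2.50:49157 -> 10.0.0.10:389",  # blocked by the firewall; not a finding
    "2004-06-05T21:10:07 ALLOW tcp 10.0.0.10:49158 -> 192.0.2.10:88",   # internal -> DMZ; not the audited direction
    "garbage line that does not parse",
]

if __name__ == "__main__":
    found, totals = audit(SAMPLE_LOG)
    for f in found:
        print(*f)
    print(dict(totals))
```

Run against the sample, the audit reports three findings (the non-DC source, the SMB flow, and the Kerberos flow to a non-DC host) and counts the rest as expected or unparsed. The point of keying on source and destination DCs rather than on ports alone is the one Roger raises: the hole may only be a few ports wide, but what matters is whether the hosts using it are the ones the trust actually requires.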