Re: AD in DMZ

  • From: "Deus, Attonbitus" <Thor@xxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 10 Jul 2003 14:03:25 -0700

At 01:37 PM 7/10/2003, you wrote:


> No no... I wanted the trust the other way... DMZ trusts internal... not the other way around.

Oh, I knew that is what you meant, but one of the issues is that when you manage a DMZ resource using trusted internal network accounts (depending on what you are doing), those credentials can be cached or sometimes stored in the protected storage of the DMZ asset. I own that box and get LSA secrets or use a protected storage viewer, and I've got a credential that can be used on your internal network.

> I guess a separate managed domain would be entirely more secure. I'm mostly concerned with the web servers that have to access the internal SQL systems.

I share your pain, and that is one of my issues as well. It almost dictates that you must use Mixed Mode authentication (ugh) or trust the user context on the external box if you maintain that connection.

Though more expensive, I have chosen to configure a separate DMZ SQL box which is indeed set for mixed mode. I have scheduled jobs that make one-way (internal to 1433) calls to run DTS packages to update the data; this DTS package uses the DMZ SQL box's creds. This does 2 things: it obviates the need for the trust to the internal box, and it also protects my infrastructure in case I do something stupid and introduce some sort of SQL injection in my dev cycle.

The DMZ box can't hit my internal net, no trusts are used, and if they own the box, my internal net is still isolated. Downside is expense and admin.

> More importantly, how could you set up rule-based access through ISA Server without a trust? (Perhaps I'm missing something.)

If you want to use group-based restrictions, then the internal-facing ISA box in the DMZ is gonna have to be a member. If the ISA box gets owned, you're toast. But even if it were standalone and you used IP-based restrictions and it got owned, you're toast anyway.

My DMZ designs make the primary assumption that the firewall does NOT get owned.

t
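As an added illustration of the one-way push design described above (this is not code from the original post or from the poster's environment; server, database, table, login and column names are assumed, and a linked server stands in for the DTS package), the T-SQL below gives the DMZ SQL box a SQL-authenticated login confined to one staging table, and has the internal box initiate every connection with that DMZ-local login, so nothing stored on the DMZ side is valid on the internal network:

```sql
-- Part 1: run on the DMZ SQL box (mixed mode).  Names are assumed for illustration.
-- A SQL-auth login with no domain identity, scoped to the Staging database only.
EXEC sp_addlogin @loginame = 'dmz_push',
                 @passwd   = 'REPLACE-WITH-LONG-RANDOM-SECRET',
                 @defdb    = 'Staging';
USE Staging;
EXEC sp_grantdbaccess @loginame = 'dmz_push', @name_in_db = 'dmz_push';
-- Only the staging table is reachable; the web app reads it via its own separate account.
-- No server role membership, no xp_cmdshell, no linked server pointing back inside.
GRANT SELECT, INSERT, UPDATE, DELETE ON dbo.ProductStaging TO dmz_push;

-- Part 2: run on the INTERNAL SQL box.
-- The internal box opens the connection (internal -> DMZ:1433) and presents only the
-- DMZ-local login.  Its password lives on the internal box, never on the DMZ asset,
-- so owning the DMZ box yields no credential that works on the internal network.
EXEC sp_addlinkedserver @server     = 'DMZSQL',
                        @srvproduct = '',
                        @provider   = 'SQLOLEDB',
                        @datasrc    = 'dmzsql.example.test,1433';   -- assumed host
EXEC sp_addlinkedsrvlogin @rmtsrvname  = 'DMZSQL',
                          @useself     = 'false',
                          @locallogin  = NULL,
                          @rmtuser     = 'dmz_push',
                          @rmtpassword = 'REPLACE-WITH-LONG-RANDOM-SECRET';

-- Part 3: the scheduled job step.  Internal data is pushed out to DMZ staging;
-- the DMZ box never queries inward, and only rows already marked public leave.
DELETE FROM DMZSQL.Staging.dbo.ProductStaging;
INSERT INTO DMZSQL.Staging.dbo.ProductStaging (ProductId, Name, Price)
SELECT ProductId, Name, Price
FROM   dbo.Products
WHERE  IsPublic = 1;
```

The same isolation property the post relies on applies: the DMZ box holds only `dmz_push`, which is meaningless anywhere but on itself, while the internal box holds the outbound secret and is the only side that ever initiates a connection.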