Re: AD in DMZ
- From: "Deus, Attonbitus" <Thor@xxxxxxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Thu, 10 Jul 2003 14:03:25 -0700
At 01:37 PM 7/10/2003, you wrote:
http://www.ISAserver.org
> Nono...I wanted the trust the other way....DMZ trusts internal...not the
> other way around.
Oh, I knew that is what you meant, but one of the issues is that when you
manage a DMZ resource using trusted internal network accounts (depending on
what you are doing), those credentials can be cached or sometimes stored in
the protected storage of the DMZ asset. I own that box and get LSA secrets or
use a protected storage viewer, and I've got a credential that can be used on
your internal network.
> I guess a separate managed domain would be entirely more secure. I'm
> mostly concerned with the web servers that have to access the internal SQL
> systems.
I share your pain, and that is one of my issues as well. It almost dictates
that you must use Mixed Mode authentication (ugh) or trust the user context on
the external box if you maintain that connection.
Though more expensive, I have chosen to configure a separate DMZ SQL box
which is indeed set for mixed mode. I have scheduled jobs that make one-way
(internal to 1433) calls to run DTS packages to update the data; this DTS
package uses the DMZ SQL box's creds. This does two things: it obviates the
need for the trust to the internal box, and it also protects my
infrastructure in case I do something stupid and introduce some sort of SQL
injection in my dev cycle.
The DMZ box can't hit my internal net, no trusts are used, and if they own
the box, my internal net is still isolated. Downside is expense and admin.
> More importantly, how could you set up rule-based access through ISA Server
> without a trust? (Perhaps I'm missing something.)
If you want to use group-based restrictions, then the internal-facing ISA
box in the DMZ is gonna have to be a member. If the ISA box gets owned,
you're toast. But even if it were stand-alone and you used IP-based
restrictions and it got owned, you're toast anyway.
My DMZ designs make the primary assumption that the firewall does NOT get
owned.
t
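The one-way push design described in the reply above, as an added example that is not part of the original post: the author uses DTS packages, whereas this T-SQL stand-in uses a linked server, but the direction and the credential boundary are the same. It runs on the internal SQL Server, which is the only side that ever opens a connection (internal to DMZ port 1433). The server name DMZSQL, the address 10.0.100.10, the SQL login dmz_push, and the database, table and column names are all assumptions.

```sql
-- Added example, not from the original post. Run on the INTERNAL SQL Server
-- (SQL Server 2000-era T-SQL). All names and addresses below are assumptions.

-- 1. Register the DMZ SQL box as a linked server. Only the internal server
--    initiates connections (internal -> DMZ:1433); the DMZ box has no linked
--    server, no trust and no login pointing back inward.
EXEC sp_addlinkedserver
    @server     = 'DMZSQL',            -- assumed linked-server name
    @srvproduct = '',
    @provider   = 'SQLOLEDB',
    @datasrc    = '10.0.100.10,1433';  -- assumed DMZ address and port

-- 2. Map every internal login to ONE mixed-mode SQL login that exists only on
--    the DMZ server. @useself = 'false' means no Windows/domain credential is
--    forwarded, so whoever owns the DMZ box recovers at most 'dmz_push',
--    a login that is meaningless on the internal network.
--    On the DMZ box, grant dmz_push DELETE/INSERT on WebDB.dbo.Catalog only.
EXEC sp_addlinkedsrvlogin
    @rmtsrvname  = 'DMZSQL',
    @useself     = 'false',
    @locallogin  = NULL,               -- NULL = applies to all local logins
    @rmtuser     = 'dmz_push',         -- assumed SQL login created on the DMZ box
    @rmtpassword = '<set on the DMZ box>';

-- 3. Job step body (schedule it with SQL Server Agent). Push only the columns
--    the web tier needs into the DMZ copy; the web servers query DMZSQL and
--    never see an internal server name, login or table.
DELETE FROM DMZSQL.WebDB.dbo.Catalog;
INSERT INTO DMZSQL.WebDB.dbo.Catalog (Sku, Name, Price)
SELECT Sku, Name, Price
FROM   Sales.dbo.Products
WHERE  Published = 1;
```

The job step is left as two plain statements on purpose: wrapping linked-server DML in an explicit transaction promotes it to a distributed transaction and drags MSDTC into the DMZ firewall rules, which is exactly the kind of extra inward dependency the design is trying to avoid.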