Re: AD in DMZ

  • From: "Rogers, Brian" <RogersB@xxxxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 10 Jul 2003 17:03:25 -0400

Well... the ISA box is currently in its own domain (and is a 3-homed setup, so
it's a virtual DMZ :) )

I'd like to keep that setup... and accept the risks associated with it.

We just can't justify the additional expense of placing additional SQL
systems there.


-----Original Message-----
From: Deus, Attonbitus [mailto:Thor@xxxxxxxxxxxxxxx] 
Sent: Thursday, July 10, 2003 5:03 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: AD in DMZ


At 01:37 PM 7/10/2003, you wrote:
>No no... I wanted the trust the other way... DMZ trusts internal, not the 
>other way around.

Oh, I knew that is what you meant, but one of the issues is that when you 
manage a DMZ resource using trusted internal network accounts 
(depending what you are doing) those credentials can be cached or sometimes 
stored in the protected storage of the DMZ asset.  I own that box and get 
LSA secrets or use a protected storage viewer, and I've got a credential 
that can be used on your internal network.


>I guess a separate managed domain would be entirely more secure.  I'm 
>mostly concerned with the web servers that have to access the internal SQL 
>systems.

I share your pain, and that is one of my issues as well.  It almost 
dictates that you must use Mixed Mode authentication (ug) or trust the user 
context on the external box if you maintain that connection.

Though more expensive, I have chosen to configure a separate DMZ SQL box 
which is indeed set for mixed mode.  I have scheduled jobs that make one-
way (internal to 1433) calls to run DTS packages to update the data; this 
DTS package uses the DMZ SQL box's creds.  This does two things: it obviates the 
need for the trust to the internal box, and it also protects my 
infrastructure in case I do something stupid and introduce some sort of SQL 
injection in my dev cycle.

The DMZ box can't hit my internal net, no trusts are used, and if they own 
the box, my internal net is still isolated.  Downside is expense and admin.


>More importantly, how could you set up rule-based access through ISA server 
>without a trust?  (perhaps I'm missing something)

If you want to use group-based restrictions, then the internal-facing ISA 
box in the DMZ is gonna have to be a member.  If the ISA box gets owned, 
you're toast.  But, even if it were stand-alone and you use IP-based 
restrictions and he gets owned, you're toast anyway.

My DMZ designs make the primary assumption that the firewall does NOT get 
owned.

t
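The one-way design Thor describes above (internal SQL pushes to the DMZ SQL box on 1433, and nothing in the DMZ may initiate a connection inward) can be written down as an ordered, default-deny policy and checked against sample flows. This is an added example, not code from the thread or from ISA Server; the address ranges and the small `Rule`/`evaluate` model are assumptions constructed for illustration.

```python
# Added example (not from the thread): a first-match policy evaluator that
# encodes the one-way internal -> DMZ SQL design and checks sample flows.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed, hypothetical address plan for a three-homed ISA layout.
INTERNAL = ip_network("10.0.0.0/8")
DMZ = ip_network("192.168.100.0/24")
DMZ_SQL = "192.168.100.10"      # the separate DMZ SQL box
INTERNAL_SQL = "10.0.0.5"       # internal box that runs the scheduled job

@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # None matches any destination port

# Order matters: first match wins, and the last rule is an explicit default deny.
POLICY = [
    # Scheduled job on the internal SQL box pushes data to the DMZ SQL box.
    Rule("allow", INTERNAL, ip_network(DMZ_SQL + "/32"), "tcp", 1433),
    # Nothing in the DMZ may initiate any connection to the internal network.
    Rule("deny", DMZ, INTERNAL, "any", None),
    Rule("deny", ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0"), "any", None),
]

def evaluate(src: str, dst: str, proto: str, dport: int) -> str:
    """Return the action of the first rule matching a new connection."""
    s, d = ip_address(src), ip_address(dst)
    for r in POLICY:
        if (s in r.src and d in r.dst
                and r.proto in ("any", proto)
                and r.dport in (None, dport)):
            return r.action
    return "deny"   # unreachable with the policy above, kept as belt and braces

def dmz_is_isolated(dmz_host: str = DMZ_SQL) -> bool:
    """True if the DMZ SQL host cannot open common inbound ports to the internal
    net, i.e. owning that box yields no network path back inside."""
    probes = [("tcp", 1433), ("tcp", 445), ("tcp", 389), ("udp", 53), ("tcp", 80)]
    return all(evaluate(dmz_host, INTERNAL_SQL, p, port) == "deny" for p, port in probes)

if __name__ == "__main__":
    print(evaluate(INTERNAL_SQL, DMZ_SQL, "tcp", 1433))  # allow: the one-way push
    print(evaluate(DMZ_SQL, INTERNAL_SQL, "tcp", 1433))  # deny: no path back inward
    print(dmz_is_isolated())
```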




------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
------------------------------------------------------
