Re: AD in DMZ

  • From: "Mark Hippenstiel" <M.Hippenstiel@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 10 Jul 2003 23:49:07 +0200

Only one comment: never buy a Dell, seriously! :)

        -----Original Message-----
        From: Edward Sullivan [mailto:esullivan@xxxxxxx] 
        Sent: Thursday, July 10, 2003 11:16 PM
        To: [ISAserver.org Discussion List]
        Subject: [isalist] Re: AD in DMZ
        
        
        http://www.ISAserver.org
        
        
        Any additional expense? Dell's refurb servers carry the same warranty as new, and are very cheap:

        http://outlet.us.dell.com/Dispatcher?target=InventoryPage&action=filter&;lob=POWER&unique=1057871438843&sessionID=1NWM3j6P!-2069891079!-701670513!1057871372498&tgtSeg=B

        Hope this helps, although no budget means no budget, no matter how good the price. I know that one well....

        Ed ("No, I don't work for Dell") Sullivan
        Director of Information Technology
        esullivan@xxxxxxx
        KMA Direct Communications
        Confidential and Proprietary

                -----Original Message-----
                From: Rogers, Brian [mailto:RogersB@xxxxxxxxxxxxxx]
                Sent: Thursday, July 10, 2003 4:03 PM
                To: [ISAserver.org Discussion List]
                Subject: [isalist] Re: AD in DMZ
                
                
                http://www.ISAserver.org
                
                

                Well..the ISA box is currently in its own domain (and is a 3-homed setup..so it's a virtual DMZ :) )

                I'd like to keep that setup....and accept the risks associated with it.

                We just can't justify the additional expense of placing additional SQL systems there.


                -----Original Message----- 
                From: Deus, Attonbitus [mailto:Thor@xxxxxxxxxxxxxxx] 
                Sent: Thursday, July 10, 2003 5:03 PM 
                To: [ISAserver.org Discussion List] 
                Subject: [isalist] Re: AD in DMZ 

                http://www.ISAserver.org 


                At 01:37 PM 7/10/2003, you wrote:
                >http://www.ISAserver.org
                >
                >Nono...I wanted the trust the other way....DMZ trusts internal...not the
                >other way around.

                Oh, I knew that is what you meant, but one of the issues is that when you manage a DMZ resource using trusted internal network accounts (depending what you are doing) those credentials can be cached or sometimes stored in the protected storage of the DMZ asset. I own that box and get LSA secrets or use a protected storage viewer, and I've got a credential that can be used on your internal network.

                >I guess a separate managed domain would be entirely more secure. I'm
                >mostly concerned with the web servers that have to access the internal SQL
                >systems.

                I share your pain, and that is one of my issues as well. It almost dictates that you must use Mixed Mode authentication (ug) or trust the user context on the external box if you maintain that connection.

                Though more expensive, I have chosen to configure a separate DMZ SQL box which is indeed set for mixed mode. I have scheduled jobs that make one-way (internal to 1433) calls to run DTS packages to update the data; this DTS package uses the DMZ SQL box's creds. This does 2 things: obviates the need for the trust to the internal box, and it also protects my infrastructure in case I do something stupid and introduce some sort of SQL injection in my dev cycle.

                The DMZ box can't hit my internal net, no trusts are used, and if they own the box, my internal net is still isolated. Downside is expense and admin.

                >More importantly how could you setup rule based access through ISA server
                >without a trust? (perhaps I'm missing something)

                If you want to use group based restrictions, then the internal facing ISA box in the DMZ is gonna have to be a member. If the ISA box gets owned, you're toast. But, even if it were stand alone and you use IP based restrictions and he gets owned, you're toast anyway.

                My DMZ designs make the primary assumption that the firewall does NOT get owned.

                t




                ------------------------------------------------------ 
                List Archives:
http://www.webelists.com/cgi/lyris.pl?enter=isalist 
                ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp 
                ISA Server FAQ:
http://www.isaserver.org/pages/larticle.asp?type=FAQ 
                ------------------------------------------------------ 
                Other Internet Software Marketing Sites: 
                Leading Network Software Directory:
http://www.serverfiles.com 
                No.1 Exchange Server Resource Site:
http://www.msexchange.org 
                Windows Security Resource Site:
http://www.windowsecurity.com/ 
                Network Security Library: http://www.secinf.net/ 
                Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com 
                ------------------------------------------------------ 
                You are currently subscribed to this ISAserver.org
Discussion List as: rogersb@xxxxxxxxxxxxxx 
                To unsubscribe send a blank email to
$subst('Email.Unsub') 


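The DMZ SQL design Thor describes above (a separate mixed-mode SQL box in the DMZ, fed by a scheduled job that connects one way from the internal network to port 1433 and runs a DTS package under the DMZ box's own SQL credentials) rests on that SQL login holding nothing an attacker could reuse inside. The script below is an added example and not code from anyone in this thread; it shows how such a login would be provisioned with least privilege on the DMZ server in SQL Server 2000 era T-SQL. The database name WebContent, the table dbo.Products and the login name dts_push are assumed names chosen for the illustration.

```sql
-- Added example, not from the thread. Assumed names: DMZ database WebContent,
-- table dbo.Products, SQL login dts_push. SQL Server 2000 syntax
-- (sp_addlogin / sp_grantdbaccess) to match the DTS-era setup discussed.

-- 1. On the DMZ SQL Server (mixed mode): a dedicated SQL login used only by
--    the internal push job. Its password is set here and never reused for any
--    internal or domain account, so even if it is recovered from the DMZ box
--    it opens nothing on the internal network.
USE master;
EXEC sp_addlogin @loginame = 'dts_push',
                 @passwd   = '<set-a-long-unique-password>',  -- placeholder
                 @defdb    = 'WebContent';

-- 2. Map the login to a database user and grant only what the DTS package
--    needs to refresh the published data. No db_owner, no server roles.
USE WebContent;
EXEC sp_grantdbaccess @loginame = 'dts_push', @name_in_db = 'dts_push';
GRANT INSERT, UPDATE, DELETE ON dbo.Products TO dts_push;
-- The web application connects with its own read-only user and is never
-- handed dts_push, so a SQL injection bug in the site cannot alter the feed.

-- 3. Verification queries: confirm the login holds no fixed server role and
--    that its only permissions are the grants above.
SELECT name, sysadmin, securityadmin, serveradmin, dbcreator
FROM   master.dbo.syslogins
WHERE  name = 'dts_push';

EXEC sp_helprotect @username = 'dts_push';
```

The direction of the connection is what isolates the internal network: the internal scheduler opens the session outbound to the DMZ box on 1433, the firewall allows only that flow, and nothing on the DMZ box (including a compromised dts_push login) can initiate a connection back inside. The expected result of step 3 is every role column reading 0 and sp_helprotect listing only INSERT, UPDATE and DELETE on dbo.Products.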
