Re: How I spent my Christmas vacation - Email found in subject

Hi Danny,

We'll have to agree to disagree. As long as you allow LDAP traffic from
an anonymous access DMZ to your DC, you're asking for bad things to
happen and people like me with ready and willing fingers to point at

My design is much more secure, hands-on. The NDR issue is a problem with
my relay's platform. RFC or not ( and you haven't mentioned which RFC
you're referring to) I'm using security best practices by isolating my
low security zone hosts from my highest security zone hosts.


Thomas W Shinder, M.D.
MVP -- ISA Firewalls
**Who is John Galt?**


> -----Original Message-----
> From: Danny [mailto:nocmonkey@xxxxxxxxx] 
> Sent: Tuesday, January 03, 2006 4:44 PM
> To: [ Discussion List]
> Subject: [isalist] Re: How I spent my Christmas vacation - 
> Email found in subject
> On 1/3/06, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:
> > Hi Danny,
> >
> > So, you allow LDAP queries from hosts on an anonymous access DMZ.
> No - my SMTP server has an up-to-date (on demand or scheduled every X
> minutes) list of valid recipients.  There are no anonymously initiated
> LDAP connections.
> > How do you mitigate the security issues involved with that.
> Firewall is default deny, but allows 1) SMTP traffic from the MX
> gateway to the Exchange server 2) Allows LDAP traffic during schedule
> intervals or on demand.
> > Yes, I know the convention wisdom in some circles say don't 
> accept mail to non-
> > existing accounts, but then you have to allow LDAP from a 
> very low security
> > zone.
> If you mean RFC's when you refer to "some circles say", then I guess
> can translate your lingo, however, there are no anonymous LDAP queries
> occurring.
> > A very poor compromise.
> No compromises; only the essentials.
> ...D
> ------------------------------------------------------
> List Archives:
> ISA Server Newsletter:
> ISA Server FAQ:
> ------------------------------------------------------
> Visit for more information about our other sites:
> ------------------------------------------------------
> You are currently subscribed to this Discussion 
> List as: tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit 
> Report abuse to listadmin@xxxxxxxxxxxxx

Other related posts: