Pardon the delay in response-- I had to hike down to my mailbox on the
perimeter to place an envelope for postal pickup in the morning. Took a
while to make it back.
Responses inline:
GMT: Two or three or five factor auth would make it a better sell, agreed. But it is true that even the hosts on the auth'ed DMZ are Internet facing, >which makes them de facto, de jure, and Deus Attontibus part of a less trusted/secure/wholesome security zone that the "internal" hosts. So, you >could make an argument that you still need to filter between the auth'd DMZ and the "internal" Network. I've accounted for that in my schema, so I'm >good there.
I also agree that the traffic sourcing from the anonymous DMZ is not trusted at all, and some kind of inspection should be done between it and the >"internal" Network. That's why we have the Server Publishing Rule. I also agree that the traffic from the anonymous SMTP server is unauthenticated, >since its actually the "internal" mail server that's auth'ing -- but the auth'ing is just what we do to trigger the delivery "over an established" channel, >and that's where the security wankers get their jollies from, since a new connection is never established from the anonymous SMTP server to the >"internal" SMTP server. But you like pointed out, and like I pointed out in my Web boards posting, the actual, accrued benefits would be nominal, but >then you could fantasized situations where this would be advantageous, just as one would fantasize that the box would be completely own, and >hence not very advertageous. So we agree there again.
What would be Panglossian Solution would be to ATRN *and* have app inspection for that connection.
GMT: Flashbang to distract you.
Didn't work ;)
GMT: You sure about that? In my early testing "internal" DNS server is an Exchange 2003 server and the anonymous SMTP server is an IIS 6 SMTP >server. I've configured a user account on the IIS server for the Exchange Server to use, and I've enabled *only* Integrated authentication. So it >looks like this:
<capture snipped>
So, I don't think its in clear text, since it looks like GSSAPI is using NTLM and it doesn't look very clear texty to me :) So I win this one unless you can >show me where I'm wrong.
GMT: Well, I think it's a tie, depending on the "clear text" assessment of the authentication used in my ATRN configuration.
Tie my ass! You're pegged. Gimme my damn shirt!!!
t