Home page logo
/

basics logo Security Basics mailing list archives

RE: DMZ and AD Authentication
From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Tue, 16 Dec 2003 16:37:01 -0800


        The thing is IPSEC is a secure communications channel which is
relevant only if you are worried about somebody sniffing/capturing your
traffic between the r-proxy and the web server. Now, the exception to
this is if the program itself is setting up and using the channel from
within the application which means compromising the system doesn't give
the hacker access to the subverted communication channel.

        What you want to avoid, at all costs IMHO, direct/indirect
access from an external accessible host to any important/secure
resource. That can include, LDAP, DNS, Email, etc. Roger, I would
suggest you fortify your topology with Net and Host IDS and a secure
syslog server. Constantly parse the logs and have it generate a report
for you. Run your proxy services in a chroot jail or with no
permissions. Because your web server is Internal if that's compromised
then it's endgame. SSL protects the data in-lieu and is not an access
device. All an attacker has to do is perform the handshake with the
server to get access to the encrypted channel.

        In my case, if they penetrate my WWW server in the DMZ they
can't get access to anything. Each of my other DMZ hosts are firewalled
against access from other DMZ hosts and the firewall doesn't allow
originating traffic from the DMZ. Now this is now always possible I've
gone though great lengths to limit my DMZ->LAN communication, but for me
security is never a afterthought. 


Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
 
Email: sjackson () horizonusa com
Phone: (775) 858-2338
       (800) 325-1199 x338

-----Original Message-----
From: Rademacher Sgt Roger P [mailto:RademacherRP () manpower usmc mil] 
Sent: Tuesday, December 16, 2003 1:07 PM
To: security-basics () securityfocus com
Subject: RE: DMZ and AD Authentication

Hi,
I have a similar config being setup in my environment.
We have an Apache server in the DMZ that is reverse proxying two
connection inside to an oracle WebCache server (www and login).  The
WebCache server splits the request based on url and forwards to the
appropriate server.
The firewall allows external access to the DMZ machine and from the dmz
machine to the internal WebCache server all on https/443.  If the
reverse proxy is compromised they can see the internal WebCache server
but not the LDAP being stored on the login server.  Both the reverse
proxy and the WebCache server would need to be compromised for the LDAP
to be accessed directly.
Is this a viable option or should I fight for another communication
setup such as an IPSec connection from the DMZ machine inside to the
WebCache server?
Rog

-----Original Message-----
From: jamesworld () intelligencia com [mailto:jamesworld () intelligencia com]
Sent: Monday, December 15, 2003 9:57 PM
To: Geoff.Shatz () pchelps com
Cc: security-basics () securityfocus com
Subject: RE: DMZ and AD Authentication


Geoff,

I second what Shawn said.  If you can avoid it...don't do it.

If however, you are stuck with an order from up high.

Connect to the AD box thru the firewall via IPSEC.

If you use NIDS, however, this will blind it to any attack's that might 
come thru is the web server was compromised.

I would recommend using the Cisco Security Agent (formerly Okena) on the

web server.

The other thing you could do is use a Cisco ACS server to front end the
AD 
authentication and have the web server authenticate to the ACS via
RADIUS 
or TACACS.  You will need to code the RADIUS integration (unless you can

find it somewhere :-)

HTH,

-James

At 11:25 12/12/2003, Shawn Jackson wrote:

        All you need LDAP access (TCP 389) to your Catalogue server.
Even if you lock down your connection to the AD box, if someone
compromises your IIS server they can gain a lot of information from
your
server. When we used this method with C# .Net we needed to have LDAP
and
Microsoft-DS (TCP 445) open to the server.

        Honestly, I would advise against placing a server in the DMZ
that will access any part of your AD infrastructure; it's just not
secure enough. If you absolutely had to authenticate with AD I'd
suggest
creating a simple program (Webpage (ASP, CGI, and CF) or .Net
Service/Remote App that would take two parameters (Username and
Password) and return a value, then just parse that value to get your
logon result. Place that app on a 'non-critical' server and it will be
far more secure then accessing AD directly.

        I can give you the code I use to access AD in C# and suggested
implementation if you wish.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com

Email: sjackson () horizonusa com
Phone: (775) 858-2338
       (800) 325-1199 x338

-----Original Message-----
From: Geoff.Shatz () pchelps com [mailto:Geoff.Shatz () pchelps com]
Sent: Friday, December 12, 2003 7:33 AM
To: security-basics () securityfocus com
Subject: DMZ and AD Authentication

We are in a situation where we are currently planning the move of our
web server from an externally hosted solution to hosting the web server
in house. As part of this move we will be implementing a new internal
application that will run on the web server that will require
authentication based on Active Directory account info. Obviously this
will require that the web server has the ability to communicate with
the
AD domain controllers. That being the case will it still be possible to
place this web server on a DMZ or will the amount of open ports
required
between the DMZ and LAN for the required authentication process
severely
mitigate the benefits of placing the server in the DMZ in the first
place? Any and all suggestions and or strategies to accomplish this in
the most secure fashion are welcome and appreciated. Thanks!

Geoff

-----------------------------------------------------------------------
-
---
-----------------------------------------------------------------------
-
----


-----------------------------------------------------------------------
----
-----------------------------------------------------------------------
-----


------------------------------------------------------------------------
---
------------------------------------------------------------------------
----

---------------------------------------------------------------------------
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]