Home page logo
/

basics logo Security Basics mailing list archives

RE: suggestions on a good firewall
From: "David Ellis" <David.Ellis () unicam com>
Date: Tue, 27 May 2003 15:30:00 -0400

Yes, I Know that active directory is ldap. But having a firewall product
into your domain structure is just a bad idea. A firewall should just be
a firewall and not implement into a domain structure and if you want to
use ldap, use a different ldap server than active directory. If you
don't Then you are running a Microsoft product ontop of a Microsoft
product in a Microsoft domain.
Let me ask this, what is the name of the company who has not been able
to secure their own software?
Microsoft have pretty good OS's etc. But they are far from a security
company.
And also they have ports open by default on their firewall like port 88
for Kerberos. Just throw netcat into the mix listening on port 88 and
forwarding to port 139. Good bye network!
That is why there are so many 3rd party wendors who sell security
products for Microsoft networks

-----Original Message-----
From: David Moisan [mailto:dmoisan () davidmoisan org] 
Sent: Monday, May 26, 2003 1:27 PM
To: security-basics () securityfocus com

At 08:23 PM 5/24/2003 -0400, David Ellis wrote:
Let me ask a question here? Why would anyone want tight active
directory
integration on a firewall which by all means constitutes a security
flaw?

The AD features in ISA are used to control outbound access, as in "Jane 
User can only surf non-company sites during lunch hour" sort of thing.

AD --which is just LDAP & proprietary extensions--is not exposed to the 
outside on my ISA server.   Can you describe a scenario where AD is 
compromised?  I don't like using the term "vulnerability" unless I can 
imagine roughly where such a thing might happen.

Take care,

Dave

David Moisan, N1KGH   ARES/SKYWARN             dmoisan () davidmoisan org
Invisible Disability:
http://www.davidmoisan.org/invisible_disability.html
ATS-909 FAQ:  http://www.davidmoisan.org/radio/sangean/ats909faq.html


------------------------------------------------------------------------
---
------------------------------------------------------------------------
----




**************************************************************************************************
** eSafe-portsmouth scanned this email for viruses, vandals and malicious content **
**************************************************************************************************


---------------------------------------------------------------------------
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault