Deploying domain controllers in a DMZ

By dave
Elias Khnaser wrote a whitepaper, which I found on here back in July 2004. It's called "Deploying a domain controller in a DMZ", and I have a question for him, or anyone else who can answer it.

In his paper he talks about setting up an IPsec connection from the internal network to the DMZ, yet his explanation uses two private IP addresses, rather than a public and a private (NATed) IP.

I want to know what changes need to be made to those in order for both sides to set up the tunnel and talk with each other.

Currently I have it set up, and when I ping the other server from the first I get "Negotiating Security Policy", even several hours or days later.

Anyone with any ideas?

Thanks

by BFilmFan In reply to Deploying domain controll ...

Microsoft has a technical article on placing Active Directory domain controllers in a DMZ.

I highly suggest that you DO NOT expose your organization's AD to a DMZ. I've yet to hear a good reason for it, but perhaps you will surprise me.

Microsoft's advice on the subject is here:
http://www.microsoft.com/technet/archive/community/columns/security/askus/auas0301.mspx

Step-by-step guide to IPsec:
http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp

by razz2 In reply to Deploying domain controll ...

I agree with BFilmFan on this one. Regardless of a secure communication between DMZ and LAN, the network is exposed if AD is in the DMZ. Even if it is a well done DMZ setup, any compromise and AD is at risk. Why an AD controller instead of a member server?

razz

by dave In reply to Deploying domain controll ...

Thank you both for your help. Let me put this out here for your comments as well.

What about a member server? - Excellent question! What about it? If I have an internal AD, is it wise to open the ports on a firewall and "join" the DMZ servers to the inside AD? Not by my readings and research. But I am open to the idea if it can be made secure.

Why AD in the DMZ? Well, I hear a lot of people say forget it, but I have a client who does web-based software development, and they often ask their clients to connect to a server for testing and previewing. Several projects at once may make it hard to just "port forward" to an inside server. So my plan is to place an AD in the DMZ with tight rules, and a software firewall (configured to only allow DMZ servers to access it). Somehow connect it via a trust to the inside forest and domain, and allow the groups inside access with their account to the resources on the other servers. The problem they have right now is different logins for the inside and the outside servers, and no way to keep them in sync.

I am open to design ideas, security recommendations, and in general thoughts here, please challenge my views, and show me a better way or a flaw in my thinking.

Thanks

by razz2 In reply to Deploying domain controll ...

Hey Dave, great question yourself.

OK, here we go... I think we are discussing two different areas of 'port forwarding'. First, in my opinion there is no reason for AD in a DMZ. OK, there must be one, but I have yet to see, touch, or smell it.

A firewall with a DMZ is much like a triangle.

            Public / WAN
                /\
               /  \
              /    \
             /      \
            /        \
           /          \
          /            \
         ----------------
    Trusted/LAN        DMZ

In this design the required services can be allowed between Trusted and DMZ.

Example:

Outgoing from TRUSTED to WAN: from any host to any

Outgoing from TRUSTED to DMZ: from any host to specific host(s) on a specific service port

Outgoing from DMZ to WAN: from any host to any

Outgoing from DMZ to TRUSTED: from specific host(s) to specific host(s) on a specific service port

Incoming from WAN to TRUSTED: NONE

Incoming from DMZ to TRUSTED: from specific host(s) to specific host(s) on a specific service port

Incoming from WAN to DMZ: limited services such as HTTP, NAT redirected / port forwarded to specific hosts

Incoming from TRUSTED to DMZ: from any to specific host(s) on a specific service port

This way the DMZ can communicate with AD but does not host any AD info locally.

by razz2 In reply to

"If I have an internal AD, is it wise to open the ports on the firewall and 'join' the DMZ servers to the inside AD?"

The port forwarding or one-to-one NAT happens from PUBLIC/WAN to the DMZ. The number of projects does not make it harder this way. When they set up a web server (virtual or otherwise) they simply, at that time, set up an IP-to-IP NAT or a port forward to the new server. The DMZ is still behind a firewall to help with DoS attacks etc. too. The DMZ connecting to the trusted is tightly restricted to which hosts can communicate with which hosts. This is far better than putting it in a DMZ where basic services are wide open. You commented that an AD server in the DMZ would have a software firewall configured to only allow certain servers. That is the point of a trusted and DMZ interface. The difference in your plan is any hack will make it into the DMZ and to the AD server NIC before the firewall on that drive tries to stop/validate them. Why let them ever get that close to your data? If they make it into the DMZ, which they will by design at least on port 80 (HTTP), why not have another wall between them and the AD, but not software and not on the AD server.

Good Luck,

razz

Also, I noticed the triangle failed to appear correctly, so picture a triangle with WAN at one point, LAN at another, and DMZ at the third.
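As an added example (not razz2's code, nor anything from the thread), the three-zone rule list in the previous reply and the "tightly restricted DMZ-to-trusted" point in this one can be modelled as a first-match, default-deny rule table, with the WAN-to-DMZ port forward applied before filtering the way a NAT redirect on the firewall would be. The address plan, host addresses and port lists are constructed assumptions; the AD port list is illustrative (a real domain member also needs RPC, which is left out here).

```python
"""Three-zone (WAN / DMZ / TRUSTED) firewall policy model.

Added, illustrative example: the address plan, hosts and port lists below
are constructed assumptions, not taken from the thread."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple

# Constructed address plan (assumption).
ZONES = {
    "TRUSTED": ip_network("10.0.0.0/24"),
    "DMZ": ip_network("192.168.100.0/24"),
}
PUBLIC_IP = "203.0.113.10"     # firewall's WAN address (documentation range)
DC = "10.0.0.5"                # internal domain controller (constructed)
WEB = "192.168.100.20"         # DMZ web server (constructed)

# Ports a domain member in the DMZ would need toward the DC: Kerberos, LDAP,
# DNS and SMB. Illustrative only; real domain membership also needs RPC
# (tcp/135 plus a dynamic range), which is omitted here.
AD_PORTS = frozenset({"tcp/88", "udp/88", "tcp/389", "udp/389",
                      "tcp/53", "udp/53", "tcp/445"})


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    src_hosts: Optional[FrozenSet[str]]   # None means "any host"
    dst_hosts: Optional[FrozenSet[str]]
    ports: Optional[FrozenSet[str]]       # None means "any port"
    action: str


# First match wins; anything not matched (including WAN -> TRUSTED) is denied.
POLICY = [
    Rule("TRUSTED", "WAN", None, None, None, "ALLOW"),
    Rule("TRUSTED", "DMZ", None, frozenset({WEB}), frozenset({"tcp/80", "tcp/3389"}), "ALLOW"),
    Rule("DMZ", "WAN", None, None, None, "ALLOW"),
    Rule("DMZ", "TRUSTED", frozenset({WEB}), frozenset({DC}), AD_PORTS, "ALLOW"),
    Rule("WAN", "DMZ", None, frozenset({WEB}), frozenset({"tcp/80", "tcp/443"}), "ALLOW"),
]

# Port forwards from the public address into the DMZ (applied before filtering,
# as a NAT redirect on the firewall would be).
DNAT = {
    (PUBLIC_IP, "tcp/80"): WEB,
    (PUBLIC_IP, "tcp/443"): WEB,
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the private subnets is WAN."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"


def evaluate(src: str, dst: str, port: str) -> Tuple[str, str]:
    """Return (action, effective destination) for a flow under POLICY."""
    dst = DNAT.get((dst, port), dst)  # translate first, then filter
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for rule in POLICY:
        if (rule.src_zone, rule.dst_zone) != (src_zone, dst_zone):
            continue
        if rule.src_hosts is not None and src not in rule.src_hosts:
            continue
        if rule.dst_hosts is not None and dst not in rule.dst_hosts:
            continue
        if rule.ports is not None and port not in rule.ports:
            continue
        return rule.action, dst
    return "DENY", dst


# Constructed sample flows: (source, destination, port).
SAMPLE_FLOWS = [
    ("198.51.100.7", PUBLIC_IP, "tcp/80"),     # Internet client to the published web server
    ("198.51.100.7", DC, "tcp/389"),           # Internet host straight at the DC
    (WEB, DC, "tcp/389"),                      # DMZ web server doing LDAP to the DC
    (WEB, DC, "tcp/3389"),                     # same hosts, a port not on the list
    ("192.168.100.30", DC, "tcp/389"),         # a different DMZ host, not allowed toward the DC
    ("10.0.0.50", WEB, "tcp/3389"),            # admin workstation managing the DMZ server
    ("10.0.0.50", "198.51.100.7", "tcp/443"),  # trusted user browsing out
]


def run_samples():
    """Evaluate every sample flow and return {(src, dst, port): (action, real_dst)}."""
    return {flow: evaluate(*flow) for flow in SAMPLE_FLOWS}


if __name__ == "__main__":
    for (src, dst, port), (action, real_dst) in run_samples().items():
        print(f"{src:>15} -> {dst:<15} {port:<8} {action:<5} (delivered to {real_dst})")
```

The point the table makes is razz2's: the only path from the DMZ into the trusted network is one named host to one named host on the ports it actually needs, and an Internet host gets nothing past the DMZ at all, because WAN -> TRUSTED has no rule and falls through to the default deny.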
