General discussion


how secure is this?

By Im IT 4 them ·
Here is what I plan to do, please tell me what you think as far as how secure it is.

2 domain network.
net1.local 172.17.1.X

net2.local 172.17.2.X

net1.local users need access to the net2.local domain resources (i.e printers, exchange server etc.).

NO one net2.local users can have access to net1.local resources. There is very confidential information being stored in domain net1.local.

how can i break the transitive trust and set up a one way trust?

how will the AD replicate??
Where wil i find the net1.local AD users in the net2.local AD?

Will The exchange 03 server have any problem with this set up??

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Comments

Collapse -

First things first

by dwdino In reply to how secure is this?

Your choice of IP information is inaccurate from what you propose.

First of change your subnet mask to 24 ( this will require data from 128.27.1.X to be routed to 128.27.2.X and vice versa.

Then install a firewall betweent the networks. Set routes and rules to allow only needed traffic from 128.27.1.X to 128.27.2.X and deny 128.27.2.X from reaching 128.27.1.X.

Now you can start construct the AD security.

Collapse -

Actually his/her addressing is fine as it is..

by TomSal In reply to First things first

Actually the address scheme the original poster listed is perfectly legit for privating address and will work fine.

The poster wrote:

2 domain network.
net1.local 172.17.1.X

net2.local 172.17.2.X is the valid subnet for a class b address. 172.17.x.x is class b. The poster only "filled in" the 3rd octlet (the "1" and the "2") to signify what they are trying to do.

But I agree the best/quickest way of controlling what data stream goes to what network --- depending on how fancy your routing equipment is versus how complex or large your network is --set up rules in your router to deny traffic coming from one subnet to another and vice versa as it fits your schemea.

On our cisco router this is relatively painless to do.

Of course you could also use a switch to do the same, you'd want a L3 switch though.

Collapse -

Ok Ok

by dwdino In reply to Actually his/her addressi ...

I was not stating that a 16 mask was not correct for class B. I was trying to show a simple solution by masking 24.

We have a couple of HP 2650s that we do this very thing with. I love these inexpensive gems.

Related Discussions

Related Forums