[clue-tech] Best practice network design?
David Anselmi
anselmi at anselmi.us
Wed Jan 5 21:30:23 MST 2005
Hani Duwaik wrote:
> It doesn't surprise me that Windows doesn't have a secure method of
> distributing authentication.
Well, that depends on what you mean by secure. Allowing machines to
talk to each other isn't secure if you don't trust them, but that's the
case for Apache and OpenSSH as well. The authentication data Windows
passes (using Kerberos) isn't terribly insecure. And you can use IPsec
for authentication connections easily enough.
> However, I came across this website/doc:
Yes! Finally, that's the one I was looking for.
> A quick look at the doc seems to indicate that there are a few
> categories for authentication (ie: User Login and Authentication,
> Computer Login and Authentication, Establishing an Explicit Trust
> Between Domains, etc.) with differing port requirements for each.
Looks like you could put a DC in the DMZ and make an inter-forest trust
between it and your internal DC. One-way shouldn't be too bad for
security. Or you could authenticate (users and computers) directly to
an internal DC (which wouldn't have to be the same forest as your
internal network and could also have a trust).
Authentication to an internal DC seems better as you don't have to open
port 135, the net logon service, or RPC. Of course there's still 445 to
worry about. I'd say those two are more vulnerable than LDAP, Kerberos,
and DNS, but I don't have any CVE data to back that up.
Dave