[clue-tech] Best practice network design?
Chris Schock
black at clapthreetimes.com
Thu Jan 6 07:48:50 MST 2005
> Looks like you could put a DC in the DMZ and make an inter-forest trust
> between it and your internal DC. One-way shouldn't be too bad for
> security. Or you could authenticate (users and computers) directly to
> an internal DC (which wouldn't have to be the same forest as your
> internal network and could also have a trust).
This option and the ISA server were the two we were looking at. I prefer
this to the ISA server, but the app side of the house likes the ISA
solution.
I still don't see how ISA really buys me much.
> Authentication to an internal DC seems better as you don't have to open
> port 135, the net logon service, or RPC. Of course there's still 445 to
> worry about. I'd say those two are more vulnerable than LDAP, Kerberos,
> and DNS, but I don't have any CVE data to back that up.
Point noted! However, if the DC is in the internal network and I have 10
servers needing to authenticate in the DMZ, then I have to open 10 sets of
identical holes to that internal DC.
By leaving the DC in the DMZ, I only have to open one set of holes to the
internal network. Even though we'd have to open a couple more ports up
front, it seems more scalable.