Solved

Security doubt when replicating Active Directory over a firewall

Posted on 2007-10-11
Last Modified: 2010-04-11
Hi,

I have an Exchange Server placed in my DMZ that is also a DC for my domain. Demoting it to member server is not supported by Microsoft (http://support.microsoft.com/kb/822179) so I have to deal with AD replication through my FW.

I have followed this Microsoft document :
http://technet.microsoft.com/en-us/library/Bb727063.aspx#EDAA
that although written for Windows 2000 is valid for Windows 2003.

I have followed the (theoretically) most secure approach of encapsulating traffic between DMZ and Internal DCs through IPSec.

My question is this :

What is the difference between doing this, the most secure solution, and just fully opening traffic between the DMZ DC and the Internal DCs (first option in the document)?

I realize that obviously there are far fewer ports that I have to open in my firewall between servers (just IP 50, 51 and UDP 500), but anyway what I am doing is to encapsulate ALL traffic between the DMZ DC and the rest of the internal DCs, so if someone hacks my Exchange Server, he/she will anyhow have open access to my internal DCs through the IPSec channel (with the other option he/she will just have direct access through the "hole" in my FW).

I think I am missing something here ...

Thanks,

Pere


Question by:perehospital

4 Comments
 
LVL 18

Expert Comment

by:PowerIT
ID: 20057380
The difference is important when you have more than one server in your DMZ.
If you have a web server in there and it gets hacked, it would not be possible to eavesdrop on all your important AD communication when using IPSEC.
Although I'm wondering why you have a DC in your DMZ. In general that's not a good idea. An Exchange server in the DMZ should only be a front-end server without any domain info on it.

J.
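To make the two points above concrete (the questioner's: a compromised DMZ DC keeps full access through the tunnel either way; the responder's: with IPsec a second compromised DMZ host can neither sniff nor join the AD traffic), here is an added toy model of the two firewall designs. It is not code from the thread or from Microsoft; host names are constructed, the AD service list is a representative subset, and the "whole-subnet rule" variants go beyond the thread to show why endpoint authentication, not port count, is what IPsec buys you.

```python
"""Toy model of the two firewall designs from the thread: open the AD ports
directly, or allow only ESP/AH/IKE and carry DMZ DC <-> internal DC traffic in IPsec."""
from typing import Any, Dict, FrozenSet, Tuple

Service = Tuple[str, int]
# Constructed host names (not from the thread).
DMZ_DC, DMZ_WEB, INT_DC = "dmz-exchange-dc", "dmz-web", "internal-dc1"
# Representative AD services; the full list is in the Microsoft article the question links to.
AD_SERVICES: FrozenSet[Service] = frozenset({("tcp", 88), ("tcp", 135), ("tcp", 389), ("tcp", 445)})
# What the IPsec design opens on the firewall: ESP (IP 50), AH (IP 51) and IKE (UDP 500).
IPSEC_ONLY: FrozenSet[Service] = frozenset({("ip", 50), ("ip", 51), ("udp", 500)})

# A design is the firewall allow-list per (src, dst) plus the hosts that hold IPsec
# credentials (machine certificate or pre-shared key) and can therefore bring a tunnel up.
Design = Dict[str, Any]
OPEN_PORTS: Design = {"rules": {(DMZ_DC, INT_DC): AD_SERVICES}, "peers": frozenset()}
IPSEC: Design = {"rules": {(DMZ_DC, INT_DC): IPSEC_ONLY}, "peers": frozenset({DMZ_DC, INT_DC})}
# Variants where the firewall rule was written for the whole DMZ instead of one host.
OPEN_SUBNET: Design = {"rules": {(DMZ_DC, INT_DC): AD_SERVICES, (DMZ_WEB, INT_DC): AD_SERVICES},
                       "peers": frozenset()}
IPSEC_SUBNET: Design = {"rules": {(DMZ_DC, INT_DC): IPSEC_ONLY, (DMZ_WEB, INT_DC): IPSEC_ONLY},
                        "peers": frozenset({DMZ_DC, INT_DC})}

def reachable_ad_services(design: Design, src: str, dst: str) -> FrozenSet[Service]:
    """AD services on dst that src can reach under the firewall rules and IPsec policy."""
    allowed = design["rules"].get((src, dst), frozenset())
    peers = design["peers"]
    # Inside an established tunnel everything is carried: this is the questioner's point
    # that a compromised DMZ DC keeps full access to the internal DCs either way.
    if src in peers and dst in peers and IPSEC_ONLY <= allowed:
        return AD_SERVICES
    # Without credentials a host gets only what the firewall passes in the clear; ESP/AH/IKE are not AD services.
    return frozenset(allowed & AD_SERVICES)

def cleartext_on_dmz(design: Design, src: str, dst: str) -> bool:
    """True when AD traffic between src and dst crosses the DMZ segment unencrypted,
    where another compromised DMZ host could sniff it (the responder's point)."""
    return bool(reachable_ad_services(design, src, dst)) and src not in design["peers"]

def compare(src: str, dst: str) -> Dict[str, Tuple[int, bool]]:
    """Per design: number of AD services src reaches on dst, and whether they go in the clear."""
    designs = {"open_ports": OPEN_PORTS, "ipsec": IPSEC,
               "open_subnet": OPEN_SUBNET, "ipsec_subnet": IPSEC_SUBNET}
    return {name: (len(reachable_ad_services(d, src, dst)), cleartext_on_dmz(d, src, dst))
            for name, d in designs.items()}

if __name__ == "__main__":
    for host in (DMZ_DC, DMZ_WEB):
        print(host, "->", INT_DC, compare(host, INT_DC))
```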
 
LVL 1

Author Comment

by:perehospital
ID: 20057677
Hi J, thanks,

I can see the point there. But this means that if the Exchange server gets hacked then I have a serious problem anyway.

And the Exchange Server is a DC because I "inherited" it like this. As I said, I thought about demoting it (because I have 2 DCs in my internal network), but then I found that this was not possible/advisable.

And I think that it is better to have an Exchange Server (even if it is a DC) in the DMZ (protecting AD traffic), than to place it in my internal network and DNAT SMTP internet connections to the Exchange Server in my internal network. Isn't it?

Thanks,

Pere
 
LVL 18

Accepted Solution

by:PowerIT (earned 2000 total points)
ID: 20057932
Not really; with everything you have to open between your DMZ and internal network, security-wise it does not matter.
If you want to make it secure then your best option is destroying your inheritance and starting from scratch.
If your firewall has a good IPS for SMTP and your environment is not a highly secure or highly regulated one, then you can leave it as it is.

J.
 
LVL 1

Author Comment

by:perehospital
ID: 20058245
Thanks a lot J, very useful thoughts.

Pere