DMZ and LAN SSL Trusts

Hi there,

We currently have a DMZ environment that was set up a long time ago, but we have been asked to make some changes to it so that it is more secure.  Here is what we have:

In the LAN:
- A Windows 2003 DC and Windows 2008 DC
- The domain is corporate.local

In the DMZ:
- A Windows 2008 DC
- The domain is dmz.local

Other notes:
- A Juniper firewall is configured between the LAN and DMZ

The current DMZ is not configured properly because some of the servers hosted in the DMZ are joined to the corporate.local domain.  We were asked to create a new DC and domain in the DMZ (dmz.local) so that servers in the DMZ would authenticate against the DMZ DC, not the LAN DC.  Creating the DMZ DC and joining servers to the DMZ Domain is not a problem, but allowing users to connect to the DMZ using their corporate.local account is the problem.  Originally, we were told that users could have a dmz.local domain account and that's what they would use to connect to servers in the DMZ, but it is not practical because we have a lot of applications that are configured to use the corporate.local domain to authenticate.  Changing this would be too hard.  So the other option we were given was to create a SSL trust between the dmz.local domain and the corporate.local domain, which would allow users/applications to continue using their corporate.local domain credentials and be able to access the DMZ servers.  We believe this includes creating a certificate authority on both the LAN DC and the DMZ DC, which would create a secure trust between the domains.  I am not very familiar with this so I'd like to get some help/tutorials on exactly how to do this.

Please ask any questions you may have to help me with this.

Thank you,
Christian Palacios, Senior IT Systems Administrator, asked:

You are demonstrating the worthlessness of DMZ.

By the time you do what you are attempting you are not better off (maybe arguably worse off) than what you are now to start with.

The only time the DMZ is worth anything is when the machines in the DMZ never have to interact in any way whatsoever with the AD on the LAN.   But as soon as that needs to happen you have thrown away any reason for the DMZ to exist.  

It is just a "religion" that you have to have a DMZ to be secure anyway.  I have been in the business for well over a decade and I never use a DMZ,...ever.   You can be just as secure without one.  

If I were going to break into your LAN I would use whatever you "allow",...not what you "don't" allow,...meaning the DMZ isn't even an obstacle.  It is just simple common sense.
Paul MacDonald, Director, Information Systems, commented:
I respectfully disagree with [pwindell].  A DMZ can dramatically reduce your attack profile, especially for those machines you would normally have open many firewall ports for.  Even machines in the DMZ that need access to the LAN can have specific ports opened that allow communication only from that machine to the LAN.  While it's true machines in the DMZ can be compromised, you're no worse off (and perhaps several times better off) than if you didn't have a DMZ at all.  

That said, and in the interest of full disclosure, I do not operate a DMZ on my network.  

Here's some information on what you're trying to accomplish:

Good luck!
Christian Palacios, Senior IT Systems Administrator (author), commented:
Thank you paulmacd.  I am not opposed to DMZ's because at the very least, they provide another level of security from a straight on attack.

The link you sent me doesn't mention anything about a certificate authority.  Do you know how to configure that on both domains?

Paul MacDonald, Director, Information Systems, commented:
You shouldn't need a CA to establish a trust (one-way or otherwise) between the two domains.
(alternately )
Christian Palacios, Senior IT Systems Administrator (author), commented:
Thank you, but we have been told by our security team that we have to set up a CA in order to allow users in the corporate.local domain to access specific servers (RDP, UNC) on the dmz.local domain.  Can a CA be set up to set up a proper SSL connection between the two domains?

Paul MacDonald, Director, Information Systems, commented:
I should think, but if you set up a trust between the two domains, and the specific servers are in the trusting domain, the users in the trusted domain should be able to access them without certificates.  Otherwise you may just as well use local accounts on each machine or some such.
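To make the trusting/trusted distinction above concrete, here is an added PowerShell example (not code from either poster): it creates a one-way external trust in which dmz.local (trusting) trusts corporate.local (trusted), keeps SID filtering on, turns on selective authentication so corporate.local users only reach DMZ servers they are explicitly allowed to, and then audits the resulting trust object. It assumes it is run on a dmz.local domain controller with netdom.exe and the ActiveDirectory module available, that DNS for corporate.local resolves from the DMZ DC (a conditional forwarder), and that the Juniper firewall permits the trust traffic (DNS, Kerberos 88, RPC 135 plus dynamic RPC, LDAP 389/636, SMB 445) only between the two DCs. The account names are placeholders.

```powershell
# Added example, not from the thread: one-way trust dmz.local -> corporate.local
# (dmz.local is the trusting domain, corporate.local is the trusted domain),
# followed by an audit of the trust's security-relevant settings.
# Assumptions: run on a dmz.local DC as a dmz.local admin; netdom.exe and the
# ActiveDirectory module are present; corporate.local resolves via DNS.
param(
    [string]$TrustingDomain = 'dmz.local',        # servers live here, accounts come from elsewhere
    [string]$TrustedDomain  = 'corporate.local',  # users/applications keep these credentials
    [string]$TrustedAdmin   = 'CORPORATE\trustadmin',  # placeholder account (assumption)
    [string]$TrustingAdmin  = 'DMZ\trustadmin'         # placeholder account (assumption)
)

Import-Module ActiveDirectory

# 1. Create the trust. Without /Twoway netdom creates a one-way trust in which the
#    first domain (trusting) trusts the /d: domain (trusted). /Quarantine:yes keeps
#    SID filtering on so only SIDs that belong to corporate.local are honoured.
#    PasswordD/PasswordO:* prompt for each password instead of putting it on the command line.
& netdom.exe trust $TrustingDomain /d:$TrustedDomain /add /Quarantine:yes `
    /UserD:$TrustedAdmin /PasswordD:* /UserO:$TrustingAdmin /PasswordO:*

# 2. Selective authentication: corporate.local users are NOT automatically
#    "Authenticated Users" on every DMZ server; each server (or group of servers)
#    must grant them the "Allowed to Authenticate" permission explicitly.
& netdom.exe trust $TrustingDomain /d:$TrustedDomain /SelectiveAUTH:yes

# 3. Audit the trust object the way a reviewer would, returning findings rather
#    than just printing them.
function Test-DmzTrust {
    param(
        [string]$Trusting,
        [string]$Trusted
    )
    $t = Get-ADTrust -Filter "Target -eq '$Trusted'" -Server $Trusting -ErrorAction Stop
    if (-not $t) { throw "No trust object for $Trusted exists in $Trusting" }

    $findings = @()
    # From the trusting domain's point of view a one-way trust is Outbound;
    # Inbound or BiDirectional would let DMZ accounts authenticate into the LAN.
    if ($t.Direction -ne 'Outbound') {
        $findings += "Direction is $($t.Direction); expected Outbound (one-way, $Trusting trusts $Trusted only)"
    }
    if (-not $t.SIDFilteringQuarantined) {
        $findings += 'SID filtering (quarantine) is disabled on this trust'
    }
    if (-not $t.SelectiveAuthentication) {
        $findings += 'Selective authentication is off; every trusted user is Authenticated Users on every DMZ server'
    }
    if ($t.ForestTransitive) {
        $findings += 'Trust is forest-transitive; an external (non-transitive) trust is sufficient here'
    }

    [pscustomobject]@{
        Trusting                = $Trusting
        Trusted                 = $t.Target
        Direction               = [string]$t.Direction
        SIDFilteringQuarantined = $t.SIDFilteringQuarantined
        SelectiveAuthentication = $t.SelectiveAuthentication
        ForestTransitive        = $t.ForestTransitive
        Findings                = $findings
        Pass                    = ($findings.Count -eq 0)
    }
}

$result = Test-DmzTrust -Trusting $TrustingDomain -Trusted $TrustedDomain
$result | Format-List
if (-not $result.Pass) { Write-Warning ("Trust review failed: " + ($result.Findings -join '; ')) }
```

Nothing here requires a certificate authority: the trust is secured by the trust secret that netdom sets up and by Kerberos between the two DCs, and the firewall rules that restrict that traffic to the DC-to-DC pair are what actually limit the DMZ's exposure. After the trust exists, grant the corporate.local groups access on the specific DMZ servers (RDP, shares) and, with selective authentication on, the "Allowed to Authenticate" permission on those computer objects.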
Christian Palacios, Senior IT Systems Administrator (author), commented:
That was my initial thought as well but then they asked us to set up a SSL connection.  Have you ever heard of a CA being used in this scenario?
If you're talking about an SSL Ethernet connection between the two your firewall is going to get in the way of that because of the NAT.   SSL requires NAT-Traversal to get past the NAT.

The Firewall between the LAN and the DMZ is going to be what controls/limits the traffic,...running SSL on top of that is pretty much pointless. The SSL just prevents sniffing for the most part and there isn't going to be any sniffing with the person being physically in the DMZ with a laptop physically plugged into a switch after they have logged into the switch (which how would they do that) and set up the Monitored and Monitoring ports on the switch.

So the SSL is pointless,...but if you want it, then NAT-Traversal needs to be available.
