Christian Palacios (Canada) asked:

DMZ and LAN SSL Trusts

Hi there,

We currently have a DMZ environment that was set up a long time ago, but we have been asked to make some changes to it so that it is more secure.  Here is what we have:

In the LAN:
- A Windows 2003 DC and Windows 2008 DC
- The domain is corporate.local

In the DMZ:
- A Windows 2008 DC
- The domain is dmz.local

Other notes:
- A Juniper firewall is configured between the LAN and DMZ

The current DMZ is not configured properly because some of the servers hosted in the DMZ are joined to the corporate.local domain. We were asked to create a new DC and domain in the DMZ (dmz.local) so that servers in the DMZ would authenticate against the DMZ DC, not the LAN DC. Creating the DMZ DC and joining servers to the DMZ domain is not a problem, but allowing users to connect to the DMZ using their corporate.local account is the problem. Originally, we were told that users could have a dmz.local domain account and that's what they would use to connect to servers in the DMZ, but it is not practical because we have a lot of applications that are configured to use the corporate.local domain to authenticate. Changing this would be too hard. So the other option we were given was to create an SSL trust between the dmz.local domain and the corporate.local domain, which would allow users/applications to continue using their corporate.local domain credentials and be able to access the DMZ servers. We believe this includes creating a certificate authority on both the LAN DC and the DMZ DC, which would create a secure trust between the domains. I am not very familiar with this, so I'd like to get some help/tutorials on exactly how to do this.

Please ask any questions you may have to help me with this.

Thank you,
Christian
pwindell (United States of America):

You are demonstrating the worthlessness of DMZ.

By the time you do what you are attempting, you are no better off (maybe arguably worse off) than what you are now to start with.

The only time the DMZ is worth anything is when the machines in the DMZ never have to interact in any way whatsoever with the AD on the LAN. But as soon as that needs to happen, you have thrown away any reason for the DMZ to exist.

It is just a "religion" that you have to have a DMZ to be secure anyway. I have been in the business for well over a decade, and I never use a DMZ... ever. You can be just as secure without one.

If I were going to break into your LAN, I would use whatever you "allow"... not what you "don't" allow... meaning the DMZ isn't even an obstacle. It is just simple common sense.
Paul MacDonald:
I respectfully disagree with [pwindell]. A DMZ can dramatically reduce your attack profile, especially for those machines you would normally have to open many firewall ports for. Even machines in the DMZ that need access to the LAN can have specific ports opened that allow communication only from that machine to the LAN. While it's true machines in the DMZ can be compromised, you're no worse off (and perhaps several times better off) than if you didn't have a DMZ at all.

That said, and in the interest of full disclosure, I do not operate a DMZ on my network.  

Here's some information on what you're trying to accomplish:
https://www.experts-exchange.com/questions/23924164/Clarification-on-group-membership-across-forest-trusts.html

Good luck!
Christian Palacios (asker):

Thank you paulmacd. I am not opposed to DMZs because, at the very least, they provide another level of security from a straight-on attack.

The link you sent me doesn't mention anything about a certificate authority.  Do you know how to configure that on both domains?

Thanks,
Christian
You shouldn't need a CA to establish a trust (one-way or otherwise) between the two domains.  
http://technet.microsoft.com/en-us/library/cc756735(WS.10).aspx
(alternately http://technet.microsoft.com/en-us/library/cc779045(WS.10).aspx )
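Added example (not from any poster in this thread): the checks and commands that go with the answer above (a trust needs no CA) and with the earlier point about opening only specific ports from the DMZ to the LAN. It assumes the LAN DC is dc1.corporate.local at 10.0.0.10, the DMZ DC is dmzdc1.dmz.local, and the script is run on the DMZ DC by a dmz.local domain admin; those names and addresses are not in the thread and must be adjusted.

```powershell
# Added example, not code from the thread. Assumed names/addresses:
#   LAN DC : dc1.corporate.local / 10.0.0.10
#   DMZ DC : dmzdc1.dmz.local (where this runs)
$LanDc   = 'dc1.corporate.local'
$LanDcIp = '10.0.0.10'

# TCP ports a domain/forest trust and the authentication it carries use
# between the DMZ DC and the LAN DC. DNS (53) and Kerberos (88) also use
# UDP, and the RPC endpoint mapper (135) hands off to a dynamic port
# (49152-65535 on Windows 2008) that the Juniper must also allow DC-to-DC.
$TrustPorts = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB'
    464  = 'Kerberos password change'
    3268 = 'LDAP Global Catalog'
}

# PowerShell 2.0-compatible TCP probe with a timeout (no Test-NetConnection
# on Windows 2008), so a firewall DROP shows up as BLOCKED instead of hanging.
function Test-TcpPort {
    param([string]$TargetHost, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($TargetHost, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

Write-Host "Checking trust ports from $env:COMPUTERNAME to $LanDc ($LanDcIp)"
foreach ($port in ($TrustPorts.Keys | Sort-Object)) {
    $state = if (Test-TcpPort -TargetHost $LanDcIp -Port $port) { 'open' } else { 'BLOCKED' }
    Write-Host ("  {0,5}/tcp {1,-26} {2}" -f $port, $TrustPorts[$port], $state)
}

# The DMZ DC must resolve corporate.local before a trust can be created:
# add a conditional forwarder for the LAN zone pointing at the LAN DC.
dnscmd dmzdc1.dmz.local /ZoneAdd corporate.local /Forwarder $LanDcIp

# One-way trust: dmz.local (trusting) trusts corporate.local (trusted).
# corporate.local users can then be granted access to DMZ servers, while
# dmz.local accounts get nothing on the LAN. No CA or certificate is
# involved; /UserD supplies credentials from the trusted (LAN) domain.
# /SelectiveAUTH:Yes means LAN users still get nothing in the DMZ until a
# server is explicitly marked "Allowed to authenticate" for them.
netdom trust dmz.local /Domain:corporate.local /Add /UserD:corporate\admin /PasswordD:* /SelectiveAUTH:Yes

# Verify the secure channel from the trusting side and list what it sees.
netdom trust dmz.local /Domain:corporate.local /Verify
nltest /domain_trusts
```

Usage note: run the port check first; any BLOCKED line is a Juniper policy to fix, scoped to the DMZ DC and LAN DC addresses only rather than a blanket DMZ-to-LAN rule. TLS certificates only come into play for the application protocols on the DMZ servers themselves (RDP, HTTPS), not for the AD trust, so a CA is a separate decision from the trust.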
Thank you, but we have been told by our security team that we have to set up a CA in order to allow users in the corporate.local domain to access specific servers (RDP, UNC) on the dmz.local domain.  Can a CA be set up to set up a proper SSL connection between the two domains?

Christian
I should think, but if you set up a trust between the two domains, and the specific servers are in the trusting domain, the users in the trusted domain should be able to access them without certificates.  Otherwise you may just as well use local accounts on each machine or some such.
That was my initial thought as well, but then they asked us to set up an SSL connection. Have you ever heard of a CA being used in this scenario?
ASKER CERTIFIED SOLUTION
pwindell (United States of America)