Security Basics mailing list archives

RE: AD across both DMZ & LAN


From: Locher Thomas <Thomas.Locher () swarovski com>
Date: Wed, 2 Mar 2005 07:22:46 +0100

Hello Leon,

wouldn't it be better to use a proxy server? We have a proxy server in our
LAN which authenticates the users and another one in the DMZ which just
forwards the requests to the Internet and scans the traffic for viruses.
Or use the Bluecoat appliance; you can put this device in the DMZ and have
to open just one port to the internal LAN for user authentication (NTLM with
a special service installed on a member server).

Best regards,
Thomas
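The two-proxy layout Thomas describes (an authenticating proxy on the LAN that hands every request to a forwarding, virus-scanning proxy in the DMZ) can be expressed as a pair of Squid configurations. This is an added example, not configuration from the thread or from any product mentioned in it; the hostnames, addresses, password file and ICAP scanner endpoint are hypothetical, and the directives assume a current Squid 3.x/4.x.

```squid
# --- /etc/squid/squid.conf on lan-proxy.example (hypothetical LAN-side proxy) ---

# Users must authenticate before anything is forwarded.
# basic_ncsa_auth with a htpasswd-style file is used here only to keep the
# example self-contained; Thomas's setup used NTLM against the domain.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm LAN web proxy
auth_param basic credentialsttl 2 hours
acl authenticated proxy_auth REQUIRED
acl lan_clients src 10.0.0.0/8          # constructed internal address range

# Every request goes to the DMZ proxy; this host never talks to the Internet
# directly, so the only firewall hole needed is lan-proxy -> dmz-proxy:3128.
cache_peer dmz-proxy.example parent 3128 0 no-query no-digest default
never_direct allow all

http_access deny !lan_clients
http_access deny !authenticated
http_access allow authenticated
http_access deny all

# --- /etc/squid/squid.conf on dmz-proxy.example (hypothetical DMZ-side proxy) ---

# Accept requests only from the LAN proxy, not from arbitrary hosts.
acl lan_proxy src 10.0.0.10             # constructed address of lan-proxy.example
http_access allow lan_proxy
http_access deny all

# Hand requests and responses to an ICAP-based virus scanner (hypothetical
# endpoint av-scanner.example:1344) before they reach the LAN proxy.
icap_enable on
icap_service av_req  reqmod_precache  bypass=0 icap://av-scanner.example:1344/reqmod
icap_service av_resp respmod_precache bypass=0 icap://av-scanner.example:1344/respmod
adaptation_access av_req  allow all
adaptation_access av_resp allow all
```

The point of `never_direct allow all` on the LAN side is that a misconfigured or compromised LAN proxy still cannot reach the Internet on its own; with `bypass=0` on the DMZ side, a scanner outage fails closed rather than letting unscanned content through. The inbound firewall rule from the DMZ to the LAN is then limited to whatever the authentication back end needs, which is the "one port" Thomas mentions for the Bluecoat case.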

-----Original Message-----
From: Leon North [mailto:leon_nc () linuxmail org]
Sent: Tuesday, 1 March 2005 16:20
To: security-basics () securityfocus com
Subject: AD across both DMZ & LAN


Hi,

We currently have an NT4 domain in the DMZ and an unrelated NT4 domain
internally. The DMZ domain contains a server running Citrix, and is used for
Internet web browsing/email, so that we only have to allow the Citrix
connection through the FW to the LAN and no internal users can directly access
the Internet from their PCs.

As part of an upgrade to Active Directory (both domains Win2k3), we would
like to get the DMZ to trust the internal domain, so that we only have one
set of user accounts to manage. But I am not sure about a couple of things
with this setup:

1. Will this work like this, so that we only need 1 user account per user
instead of a separate one externally to internally? (excuse the vagueness of
the question)

2. If so, is that (not ideal I know but) an acceptable approach security
wise, when the DMZ DC can access the accounts on the internal domain?

3. Can we configure it somehow so that the user gets a different profile
when logging in to the DMZ only? I ask that because one potential issue I
see is getting a virus infection into the user profile while logged into the
DMZ, then logging into an internal server.

Thanks for any help.

Leon