| |||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Hello and welcome to CertForums.co.uk, here we host free active certification forums with links to the best free resources for Microsoft's MCSA MCSE MCDBA Cisco's CCNA CCDA and CCNP, and CompTIA's A+ Network+ i-NET+ and Security+ certifications in the UK. If you wish to post or use other advanced features you will need to register first. Registration is absolutely free and takes only a few minutes to complete so sign up today! If you have any problems with the registration process or your account login, please contact support |
|
|||||||
| Home | Forums | Community | Register | Search | Today's Posts | Mark Forums Read |
|
|
|
Network Security Question |
  |
|
|
Thread Tools | Display Modes |
|
#1
10-Apr-2008, 12:09 PM
|
||||
|
||||
|
Network Security Question
Hi all,
I just wonder if anyone could help me here. (this is an internal network split in two between firewall a AD server each side no details given on forrest or domain setup just asked to comment) Basically you have two networks one either side and my idea was to create a secure tunnel between the two. I was told that was incorrect, but at the back of my mind I thought no not when you have two AD servers... one either side that would need to replicate to each other. The primary reason I thought would be that you would end up opening too many ports, ie all the ports need for AD rep plus a massive of amount of high end ports. So two end points would be better (I was told this would stop IDS's but the traffic would be encrypted only between the two points, so the inside traffic could still be sniffed), then only the IPSec ports would need to be open at each firewall. Quote from MS site: Getting replication to function properly in environments where a directory forest is distributed among internal, perimeter networks and external networks can be challenging. There are three possible approaches: Open the firewall wide to permit RPC's native dynamic behaviour. Limit RPC's use of TCP ports and open the firewall just a little bit. Encapsulate domain controller (DC-to-DC) traffic inside IP Security Protocol (IPSec) and open the firewall for that. So as stated above, the dynamic nature of AD is the problem (I suppose you could do a registry change to make AD replication choose the same port every time and not the wide dynamic native behaviour) If it was also two separate companies collaborating i.e. one either side and replication was not needed between the two then you would still look to a secure tunnel like IPSec and look towards reducing things down with a trust relationship. i.e. depending on the resources to be shared we could use a selective one-way trust and then secure it with the correct NTFS permissions also. IPSec provides a way to easily encapsulate and carry RPC traffic over a firewall. Besides simplifying the transport of RPC, IPSec also increases security between the DCs because of IPSec's mutual authentication feature: by using either Kerberos or machine certificates, the DCs will "know" whom they are communicating with before any actual information exchange occurs. 
|
|
|
|
#2
10-Apr-2008, 03:10 PM
|
|||||
|
|||||
|
Who told you that you shouldn't use a tunnel?
BosonMichael MCSE+I, MCSE: Security, MCDST, MCDBA, OCP, CCNP, CCDP, CNE, SCSA, Security+, Linux+, Server+, Network+, A+ Served proudly, US Army, 98C Intelligence Analyst, '89-'92
|
|
#3
10-Apr-2008, 03:30 PM
|
||||
|
||||
|
Oh I attended a job interview and was asked to comment on a network diagram. Had silly things like port 139 open to the outside world so said that should be closed. All ports out were open said those rules should be tighter or at very least using stateful. Had Ras server I said should be controlled with a AAA Radius type control. SMTP should have a rule only accepting port 25 from ISP SMTP feed etc
But I had the two networks that appeared to be the same company joined or they must have been collabrating connected over a IPSec tunnel.... On the diagram it had ports like 3389 RDP, 445 open, showing a file share which I guess could be a problem if not secured with correct NTFS or no sharing was needed. Anyway I saw the two AD servers and then thought no I keep the firewall ports tight between the two networks and secure thing correctly via NTFS or selective trusts, ie if someone only needed resources on one server then only give trust to that server..... Anyway I'm just keen to learn what I did wrong, as now I'm not so sure I am wrong?
|
|
#4
10-Apr-2008, 04:14 PM
|
|||||
|
|||||
|
If locking down ports and creating tunnels was the "wrong answer" to that company... perhaps you dodged a bullet by not being hired there!!!
 BosonMichael MCSE+I, MCSE: Security, MCDST, MCDBA, OCP, CCNP, CCDP, CNE, SCSA, Security+, Linux+, Server+, Network+, A+ Served proudly, US Army, 98C Intelligence Analyst, '89-'92
|
|
#5
10-Apr-2008, 07:16 PM
|
|||||
|
|||||
|
There are only two 'real' solutions to this problem - the first would be to purchase a leased line solution from a telco (IPVPN, MPLS or straight site to site) - which would be hideously expensive. The other is to do what your answer to the question was - implement a site to site VPN. Quite why the company you were interviewing for told you that you were 'wrong' is beyond me. I have worked for more than twenty different companies for varying lengths of time (from one week consults to two year full time jobs). Every single one of them has had site to site VPNs (except three that were large enough to use leased MPLS).
Simply - you're right, and they're wrong.
|
|
#6
11-Apr-2008, 07:55 AM
|
||||
|
||||
Mmmmm the only thing I can think is that because it's an internal LAN (not clear as had a lightning strike which usually indicates a wan link from memory) that by running a tunnel you're letting all traffic traverse the connection. (Think that's what he said) but again if you're going to open that many ports then your attack surface has grown anyway with the amount of ports you would have to open (TCP 135-139,RPC dynamic 1024-65535, 445, 389, 3268, 88, 53 & then 1512 plus 42 if using wins. Added to these the relevant udp ports also. Also I wouldn't fancy making a reg change like that on my AD servers (less than ideal) plus you would'nt get the added benefits of encryption and mutual authentication that you're talking to the correct party. As stated before even if two separate companies I'd use trust's and NTFS permissions. I mean if you're collaborating you have to have some connection and level of trust? So if the data is encrypted and locked down with permissions, access is denied and sniffing and even man in the middle/session Hijacking type threats are reduced when compared to just opening the right ports.
Any more comments greatly appreciated, otherwise thanks chaps
|
|
#7
16-Apr-2008, 01:27 PM
|
||||
|
||||
I've had another thought about why I'm partly wrong. The one side of the network had an e-commerce server. So I'd caused the other network to have a physical connection. (even though logically it would still be locked with the trust and NTFS controls or IPSec negotiations) So in this situation I was partly wrong, again I stand by the IPSec tunnel, but I should of sectioned the sensitive server away. A Even better solution would have been to isolated the server, physically and logically if possible from the normal production network. Perhaps using a separate workgroup or domain behind its own security measures?
|
Spread this thread:
|
|
|
|
||||||
«
Previous Thread
|
Next Thread
»
| Thread Tools | |
| Display Modes | |
Linear Mode
|
|
Similar Threads
|
||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| Security Power Tools | tripwire45 | Reviews | 1 | 03-Mar-2008 11:19 PM |
| Network Security Assessment, 2nd Edition | tripwire45 | Reviews | 2 | 21-Dec-2007 06:06 PM |
| Network Security Tools Assigment | zimbo | The Lounge - Off Topic | 4 | 26-Nov-2007 11:40 AM |
| Book Review: Network Management Fundamentals | tripwire45 | Reviews | 3 | 01-Dec-2006 01:55 AM |
All times are GMT. The time now is 10:00 PM.