
| Subject: | Re: RE: Front End/Back End communication |
|---|---|
| Date: | 16 May 2006 17:39:22 -0000 |
I guess what I'm trying to do is get the most secure option with what I have. I'm at the point now where I think no matter what I'm kinda screwed unless I get ISA or something like it implemented. I'm under the impression that IF someone does get past the external firewall they'll be able to sniff for credentials/messages or whatever because the FE/BE communicate via clear text. So if I secure the communication between FE/BE via IPSEC, then IF the front end server is compromised we're screwed once again. So what's the better of my options? Someone suggested using m0n0wall or another Linux/BSD alternative to ISA.

Miha Pihler <Miha.Pihler@snt.si> wrote:

> Hi,
>
> The problem that I see in this scenario is that the Front End needs to communicate with the Back End Exchange server and domain controllers in the LAN. Unfortunately this means that you have to open access from DMZ to LAN to (at least) all domain controllers in the same Active Directory Site that the Exchange Front End is in -- unless you want to statically specify which domain controllers the Front End Server can connect to (not recommended).
>
> If you are thinking about IPSec policies in Windows then you have to know that IPSec between a client (e.g. your Front End Server) and a domain controller is not supported -- especially if you plan to use IPSec with Kerberos authentication.
>
> Things you can do:
>
> - you can set up IPSec between Front End, Back End and domain controller (but you are not supportable any more)
> - you can fix the ports that Exchange and Active Directory server(s) will use and then open these ports from DMZ to LAN
>
> Still one question remains... What is the DMZ's role in all this? It is unfortunately not protecting the LAN :-). Now if someone hacks your server (for any reason) -- the attacker can simply use the IPSec connection to gain access to Back End and Active Directory (and if you have IDS it will not even see the attack).
>
> Depending on the attack options (did the attacker get domain admin permissions) he could simply run dcpromo on this server and promote it to a domain controller. Now you have a domain controller in the DMZ...
>
> Mike
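An added check, not from the thread or any of its participants, for the second option Mike lists: pin the ports the Back End and domain controllers use and open only those from DMZ to LAN. It audits a constructed DMZ-to-LAN rule list against that allow-list and flags anything broader (blanket LAN access, any-port rules, hosts that are neither Back End nor DC). Host names and the RPC port number are hypothetical placeholders; the well-known ports (80 HTTP, 88 Kerberos, 389 LDAP, 500 IKE) are standard assignments, not values from the thread.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    src: str             # source host ("DMZ" = whole segment)
    dst: str             # destination host ("LAN" = whole segment)
    proto: str           # "tcp" or "udp"
    port: Optional[int]  # None means any port

# Constructed topology: hypothetical names, not from the thread.
FRONT_END = "exch-fe.dmz.example"
BACK_END = {"exch-be.lan.example"}
DOMAIN_CONTROLLERS = {"dc1.lan.example", "dc2.lan.example"}

# The "fix ports" option as an explicit allow-list: (destinations, proto, port).
# 50000 stands in for a pinned RPC port; use the value you actually configure.
ALLOWED = [
    (BACK_END, "tcp", 80),                # FE proxies HTTP to the Back End
    (DOMAIN_CONTROLLERS, "tcp", 88),      # Kerberos
    (DOMAIN_CONTROLLERS, "tcp", 389),     # LDAP
    (DOMAIN_CONTROLLERS, "tcp", 50000),   # pinned RPC port (placeholder)
]

def audit(rules):
    """Return one finding string per rule that exceeds the allow-list."""
    findings = []
    for r in rules:
        if r.src not in (FRONT_END, "DMZ"):
            continue  # only DMZ-to-LAN traffic is in scope here
        if r.dst == "LAN":
            findings.append(f"blanket allow to LAN: {r}")
        elif r.port is None:
            findings.append(f"any-port rule to {r.dst}: {r}")
        elif not any(r.dst in dsts and r.proto == p and r.port == port
                     for dsts, p, port in ALLOWED):
            findings.append(f"outside allow-list: {r}")
    return findings

# Constructed sample policy: two correct rules and three that are too broad.
SAMPLE_RULES = [
    Rule(FRONT_END, "exch-be.lan.example", "tcp", 80),
    Rule(FRONT_END, "dc1.lan.example", "tcp", 88),
    Rule(FRONT_END, "dc1.lan.example", "tcp", None),      # any port to a DC
    Rule(FRONT_END, "LAN", "udp", 500),                   # IKE to the whole LAN
    Rule(FRONT_END, "fileserver.lan.example", "tcp", 445),  # not BE or DC
]

if __name__ == "__main__":
    for line in audit(SAMPLE_RULES):
        print(line)
```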