From: Brian W. Spolarich (bspolarich_at_nephrostherapeutics.com)
Date: Sat Jan 11 2003 - 16:09:52 CST

      Valerie, I have a very similar configuration: three sites, PAT/NAT at the perimeter, and AD controllers at each site.
     
      I was not comfortable having my AD controllers communicate over the public Internet untunneled/unencrypted because of the heavy use of RPC by some parts of the AD protocol suite. I would strongly recommend considering establishing a meshed VPN topology if possible w/ your router hardware. It was relatively straightforward to set this up with the Cisco 1700-series routers I use at my network edges, and Cisco has since improved the detail of their example configs on their web site.
     
      I would be happy to help w/ the Cisco configs if that's the flavor of routing hardware you're using.
     
      -bws

            -----Original Message-----
            From: Valentine M. Smith [mailto:vmsmithgrokking.org]
            Sent: Thu 1/9/2003 9:21 AM
            To: focus-mssecurityfocus.com
            Cc:
            Subject: AD replication over WAN
            Hi,
            
            I'm looking for some feedback from the community regarding the transfer of AD
            traffic over a public WAN.
            
            The basic plan is this:
            
            Single Win 2000 domain spread over two sites in different cities. Each site
            has perimeter NAT device and are obscuring internal subnets with IP addresses
            provided by a single ISP. No internetwork VPN planned. DNS is AD-integrated
            at both sites. Both DCs are patched to SP3.
            
            The MS documentation I've consulted indicates that AD replication, and by
            extension, DNS zone information that is AD-integrated is automatically
            encrypted.
            
            My question: if the data is already encrypted and is passing only across a
            single ISP's network, should one be bothering with a router-router VPN tunnel
            for this traffic? IOW, would setting up such a tunnel for this data be
            redundant/unnecessary or am I missing something important here? Would anyone
            care to comment on the relative safety of AD encryption out-of-the-box?
            
            Thanks in advance for any feedback,
            
            VS
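Whichever way one comes down on the question in this thread (trust the built-in protection of AD replication, or wrap it in a router-to-router tunnel as the reply recommends), a defender wants to verify what is actually crossing the site edge: a DC-to-DC flow to the RPC endpoint mapper, an LDAP port or a Windows 2000 dynamic RPC port that is not wrapped in ESP means the replication traffic is leaving the site in the clear. The script below is an added example for this thread, not code from either poster. It audits a firewall flow log for exactly that condition. The log line format, the site edge addresses (documentation ranges) and the sample lines are all constructed for illustration; the port assignments are the well-known ones for Windows 2000 domain controllers and IPsec.

```python
"""
Added example for the AD-replication-over-WAN thread (not either poster's code):
audit a site firewall's flow log for Active Directory replication traffic that
crosses the public WAN in the clear rather than inside an IPsec tunnel.  The log
format, the site edge addresses (203.0.113.0/24 and 198.51.100.0/24, which are
documentation ranges) and the sample lines are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Well-known ports Windows 2000 domain controllers use for replication,
# authentication and AD-integrated DNS.
AD_TCP = {53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper", 389: "LDAP",
          445: "SMB", 636: "LDAPS", 3268: "Global Catalog",
          3269: "Global Catalog (SSL)"}
AD_UDP = {53: "DNS", 88: "Kerberos", 389: "CLDAP"}
# Windows 2000 hands out RPC dynamic ports from this range by default, and the
# replication interface is reached through one of them, so a DC-to-DC TCP flow
# into this range is reported as probable RPC.
RPC_DYNAMIC = range(1024, 5001)
# What a router-to-router IPsec tunnel looks like on the wire: ESP plus the key
# exchange.  UDP 4500 is IPsec NAT traversal, relevant when both sites sit
# behind NAT/PAT as in the thread.
TUNNEL_UDP = {500: "ISAKMP", 4500: "IPsec NAT-T"}


@dataclass(frozen=True)
class Flow:
    proto: str          # "tcp", "udp" or "esp"
    src: str
    sport: int          # 0 for protocols without ports
    dst: str
    dport: int


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one constructed log line: '<proto> <src>[:<sport>] -> <dst>[:<dport>]'."""
    parts = line.strip().split()
    if len(parts) != 4 or parts[2] != "->":
        return None                          # malformed line, skip it
    proto, src_ep, _, dst_ep = parts

    def endpoint(ep: str):
        host, _, port = ep.rpartition(":")
        return (host, int(port)) if host else (ep, 0)

    src, sport = endpoint(src_ep)
    dst, dport = endpoint(dst_ep)
    return Flow(proto.lower(), src, sport, dst, dport)


def classify(flow: Flow, site_edges: Set[str]) -> str:
    """Return 'tunnel', 'exposed: <service>' or 'other' for one site-to-site flow."""
    if flow.src not in site_edges or flow.dst not in site_edges:
        return "other"                       # not traffic between the two sites
    if flow.proto == "esp":
        return "tunnel"
    if flow.proto == "udp" and flow.dport in TUNNEL_UDP:
        return "tunnel"
    table = AD_TCP if flow.proto == "tcp" else AD_UDP
    if flow.dport in table:
        return f"exposed: {table[flow.dport]}"
    if flow.proto == "tcp" and flow.dport in RPC_DYNAMIC:
        return "exposed: RPC dynamic port"
    return "other"


def audit(lines: List[str], site_edges: Set[str]) -> Dict[str, List[str]]:
    """Group log lines by verdict; the 'exposed: *' buckets are the findings."""
    report: Dict[str, List[str]] = {}
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        report.setdefault(classify(flow, site_edges), []).append(line.strip())
    return report


# Constructed sample: site A edge 203.0.113.10, site B edge 198.51.100.20.
SITE_EDGES = {"203.0.113.10", "198.51.100.20"}
SAMPLE_LOG = [
    "esp 203.0.113.10 -> 198.51.100.20",               # tunnel payload, expected
    "udp 203.0.113.10:500 -> 198.51.100.20:500",       # ISAKMP, expected
    "tcp 203.0.113.10:1035 -> 198.51.100.20:135",      # endpoint mapper in the clear
    "tcp 203.0.113.10:1036 -> 198.51.100.20:1044",     # dynamic RPC port in the clear
    "tcp 203.0.113.10:1037 -> 198.51.100.20:389",      # LDAP in the clear
    "tcp 203.0.113.10:1040 -> 192.0.2.5:80",           # unrelated web traffic
]

if __name__ == "__main__":
    for verdict, flows in sorted(audit(SAMPLE_LOG, SITE_EDGES).items()):
        print(verdict)
        for entry in flows:
            print("   ", entry)
```

Run it as-is to see the three exposed flows reported; point `audit()` at your own export by feeding it lines in the same constructed shape and replacing `SITE_EDGES` with the public addresses of your NAT devices. The dynamic-port rule deliberately flags any DC-to-DC TCP flow into 1024-5000, which will also catch unrelated ephemeral-port traffic between the two edges; treat those as leads to check against the DC's RPC port allocation rather than as confirmed findings. Once the tunnel is in place, the expected steady state is that only the `tunnel` bucket is populated for the site pair.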