From: Jim Harrison (SPG) (jmharr_at_microsoft.com)
Date: Sun Jan 12 2003 - 20:43:05 CST
Given that the replication path (port/protocol) is well-defined and generally understood, it also makes sense that it could provide a "door" to your AD controllers for those who wish to do you harm for no apparent reason.
With that in mind, it seems clear to me that a site-to-site VPN is not only preferable, it's mandatory.
* Jim Harrison <mailto:jmharr_at_microsoft.com>
MCP(NT4/2K), A+, Network+
Security Business Unit (ISA)
________________________________
From: Valentine M. Smith [mailto:vmsmith_at_grokking.org]
Sent: Thu 1/9/2003 06:21
To: focus-ms_at_securityfocus.com
Subject: AD replication over WAN
Hi,
I'm looking for some feedback from the community regarding the transfer of AD
traffic over a public WAN.
The basic plan is this:
Single Win 2000 domain spread over two sites in different cities. Each site
has a perimeter NAT device and is obscuring internal subnets with IP addresses
provided by a single ISP. No internetwork VPN planned. DNS is AD-integrated
at both sites. Both DCs are patched to SP3.
The MS documentation I've consulted indicates that AD replication, and by
extension, DNS zone information that is AD-integrated is automatically
encrypted.
My question: if the data is already encrypted and is passing only across a
single ISP's network, should one be bothering with a router-router VPN tunnel
for this traffic? IOW, would setting up such a tunnel for this data be
redundant/unnecessary or am I missing something important here? Would anyone
care to comment on the relative safety of AD encryption out-of-the-box?
Thanks in advance for any feedback,
VS
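Jim's point is that replication uses well-known ports, so any perimeter rule that passes those ports to a DC without a tunnel in front of them is an exposed door. The following audit script is an added example, not part of either post: it reads a constructed set of NAT/port-forward rules (format invented here) and flags every allow rule that lets AD replication traffic reach a DC in the clear, distinguishing rules open to the whole internet from rules limited to the peer site's address block. The AD port list is the standard Windows 2000 DC set, not something taken from the thread.

```python
import ipaddress

# Ports a Windows 2000 DC uses for replication and the services it depends on
# (standard set, assumed here): RPC endpoint mapper and dynamic RPC, LDAP/LDAPS,
# Kerberos, SMB, DNS, global catalog.
AD_PORTS = {
    "tcp": [(135, 135), (1024, 65535), (389, 389), (636, 636),
            (88, 88), (445, 445), (53, 53), (3268, 3269)],
    "udp": [(88, 88), (389, 389), (53, 53)],
}

# Constructed perimeter rules for site A: "action proto src port[-port] dst".
# Only the IKE rule (udp/500) belongs on a perimeter that fronts replication
# with a router-to-router IPsec tunnel; the two DC rules below it are the
# kind of exposure the reply warns about.
RULES = """
allow udp 198.51.100.0/24 500 dc1     # IKE from the peer site's router
allow tcp 198.51.100.0/24 389 dc1     # LDAP to the DC, in the clear
allow tcp 0.0.0.0/0 135 dc1           # RPC endpoint mapper open to everyone
allow tcp 0.0.0.0/0 443 www1
deny any 0.0.0.0/0 0 any
"""

def overlaps(lo, hi, proto):
    """True if the port range lo-hi touches any AD replication port."""
    return any(lo <= b and a <= hi for a, b in AD_PORTS.get(proto, []))

def audit(rules, peer_cidr):
    """Return (dst, proto, ports, scope) for allow rules exposing AD ports."""
    peer = ipaddress.ip_network(peer_cidr)
    findings = []
    for line in rules.strip().splitlines():
        fields = line.split("#")[0].split()   # drop trailing comments
        if not fields:
            continue
        action, proto, src, ports, dst = fields
        if action != "allow":
            continue
        lo, _, hi = ports.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not overlaps(lo, hi, proto):
            continue
        src_net = ipaddress.ip_network(src)
        scope = "peer site only" if src_net.subnet_of(peer) else "any source"
        findings.append((dst, proto, ports, scope))
    return findings

if __name__ == "__main__":
    for finding in audit(RULES, "198.51.100.0/24"):
        print("exposed AD port: %s %s/%s from %s" % finding)
```

Under the thread's recommendation the expected clean result is an empty findings list, with only IKE/ESP accepted from the peer router.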