OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Keith Smith (ksmith_at_firesnacks.com)
Date: Mon Jan 13 2003 - 09:53:02 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    I have a similar question, though in application to Outlook 2002 clients
    accessing an exchange server across the Internet. Microsoft claims that with
    OL2002, clients don't need to employ a VPN across the internet, as the RPC
    is all encrypted.

    Would a VPN also be recommended in this instance given the observations
    below?

    Thanks
    Keith

    -----Original Message-----
    From: Jim Harrison (SPG) [mailto:jmharrmicrosoft.com]
    Sent: Sunday January 12, 2003 9:43 PM
    To: Valentine M. Smith; focus-mssecurityfocus.com
    Subject: RE: AD replication over WAN

    Given that the replication path (port/protocol) is well-defined and
    generally understood, it also makes sense that they could also provide a
    "door" to your AD controllers for those who wish to do you harm for no
    apparent reason.
     
    With that in mind, it seems clear to me that a site-to-site VPN is not only
    preferable, it's mandatory.
     
    * Jim Harrison <mailto:jmharrmicrosoft.com>
    MCP(NT4/2K), A+, Network+
    Security Business Unit (ISA)

    ________________________________

    From: Valentine M. Smith [mailto:vmsmithgrokking.org]
    Sent: Thu 1/9/2003 06:21
    To: focus-mssecurityfocus.com
    Subject: AD replication over WAN
             

    Hi,

    I'm looking for some feedback from the community regarding the transfer of
    AD
    traffic over a public WAN.

    The basic plan is this:

    Single Win 2000 domain spread over two sites in different cities. Each site
    has perimeter NAT device and are obscuring internal subnets with IP
    addresses
    provided by a single ISP. No internetwork VPN planned. DNS is AD-integrated
    at both sites. Both DCs are patched to SP3.

    The MS documentation I've consulted indicates that AD replication, and by
    extension, DNS zone information that is AD-integrated is automatically
    encrypted.

    My question: if the data is already encrypted and is passing only across a
    single ISP's network, should one be bothering with a router-router VPN
    tunnel
    for this traffic? IOW, would setting up such a tunnel for this data be
    redundant/unnecessary or am I missing something important here? Would anyone
    care to comment on the relative safety of AD encryption out-of-the-box?

    Thanks in advance for any feedback,

    VS