From: Jim Harrison (SPG) (jmharr_at_microsoft.com)
Date: Mon Jan 13 2003 - 15:41:15 CST


    That's a very similar scenario, IMHO.
    The point they're trying to make is that if data protection is your
    biggest concern, then RPC encryption offers the same protection level as
    a VPN tunnel.
    My earlier point was, RPC uses known interfaces (multiple), which are
    popular targets. Encrypting the data prevents some forms of snooping,
    but it doesn't protect the machine interfaces that provide this
    communication.
    If you block access to them (via tunneling, for instance) and
    RPC-encrypt them, you've just increased your jerk-resistance that much
    more.
    Of course, there may be times when you have to choose one over the
    other.
    In that case, I'd choose VPN.

    * Jim Harrison
    MCP(NT4/2K), A+, Network+
    Security Business Unit (ISAQFE)

    The burden of proof is not satisfied by a lack of evidence to the
    contrary.

    -----Original Message-----
    From: Keith Smith [mailto:ksmithfiresnacks.com]
    Sent: Monday, January 13, 2003 07:53
    To: focus-mssecurityfocus.com
    Subject: RE: AD replication over WAN

    I have a similar question, though in application to Outlook 2002 clients
    accessing an exchange server across the Internet. Microsoft claims that
    with OL2002, clients don't need to employ a VPN across the internet, as
    the RPC is all encrypted.

    Would a VPN also be recommended in this instance given the observations
    below?

    Thanks
    Keith

    -----Original Message-----
    From: Jim Harrison (SPG) [mailto:jmharrmicrosoft.com]
    Sent: Sunday January 12, 2003 9:43 PM
    To: Valentine M. Smith; focus-mssecurityfocus.com
    Subject: RE: AD replication over WAN

    Given that the replication path (port/protocol) is well-defined and
    generally understood, it also makes sense that it could provide a
    "door" to your AD controllers for those who wish to do you harm for no
    apparent reason.

    With that in mind, it seems clear to me that a site-to-site VPN is not
    only preferable, it's mandatory.

    * Jim Harrison <mailto:jmharrmicrosoft.com>
    MCP(NT4/2K), A+, Network+
    Security Business Unit (ISA)

    ________________________________

    From: Valentine M. Smith [mailto:vmsmithgrokking.org]
    Sent: Thu 1/9/2003 06:21
    To: focus-mssecurityfocus.com
    Subject: AD replication over WAN
    Hi,

    I'm looking for some feedback from the community regarding the transfer
    of AD traffic over a public WAN.

    The basic plan is this:

    Single Win 2000 domain spread over two sites in different cities. Each
    site has a perimeter NAT device and obscures its internal subnets with
    IP addresses provided by a single ISP. No internetwork VPN planned. DNS
    is AD-integrated at both sites. Both DCs are patched to SP3.

    The MS documentation I've consulted indicates that AD replication and,
    by extension, AD-integrated DNS zone information are automatically
    encrypted.

    My question: if the data is already encrypted and is passing only across
    a single ISP's network, should one be bothering with a router-router VPN
    tunnel for this traffic? IOW, would setting up such a tunnel for this
    data be redundant/unnecessary or am I missing something important here?
    Would anyone care to comment on the relative safety of AD encryption
    out-of-the-box?

    Thanks in advance for any feedback,

    VS
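The argument running through this thread is that RPC encryption protects the replication payload but does nothing about the listening RPC, LDAP, Kerberos and DNS endpoints on the DC, whereas a site-to-site tunnel takes those listeners off the ISP-facing perimeter entirely. The following Python checker is an added example, not code from the thread or from Microsoft: it takes a set of perimeter allow rules and reports which DC services are reachable from any source outside the trusted tunnel-side networks, then compares the "encrypted RPC straight across the ISP" policy with the "IPsec tunnel only" policy. The port numbers are well-known service assignments rather than values from the thread, the Windows 2000 dynamic RPC range of 1024-65535 is an assumption, and the networks 203.0.113.0/24, 203.0.113.5 and 10.2.0.0/16 are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

# Services a Windows 2000 DC listens on for replication and client logon.
# Port numbers are well-known assignments (not taken from the thread); the
# RPC dynamic range 1024-65535 is the Windows 2000 default and is assumed.
AD_SERVICES = {
    "rpc-endpoint-mapper": [("tcp", 135, 135)],
    "rpc-dynamic":         [("tcp", 1024, 65535)],   # DRS replication interface
    "ldap":                [("tcp", 389, 389), ("udp", 389, 389)],
    "kerberos":            [("tcp", 88, 88), ("udp", 88, 88)],
    "dns":                 [("tcp", 53, 53), ("udp", 53, 53)],
    "smb":                 [("tcp", 445, 445)],
}


@dataclass(frozen=True)
class Rule:
    """One inbound allow rule on the perimeter device in front of the DC."""
    src: str        # source network (CIDR) the rule accepts from
    proto: str      # "tcp", "udp" or "esp"
    port_lo: int    # destination port range (ignored for esp)
    port_hi: int

    def overlaps(self, proto, lo, hi):
        return self.proto == proto and self.port_lo <= hi and lo <= self.port_hi


def exposed_services(rules, trusted_nets):
    """Return {service: [sources]} for DC services reachable from any source
    that is not wholly inside a trusted (tunnel-side) network.  Payload
    encryption plays no part here: the question is whether the listener can
    be reached at all."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    exposed = {}
    for rule in rules:
        src = ipaddress.ip_network(rule.src)
        if any(src.subnet_of(t) for t in trusted):
            continue  # only reachable through the tunnel: not exposed
        for name, ranges in AD_SERVICES.items():
            if any(rule.overlaps(p, lo, hi) for p, lo, hi in ranges):
                exposed.setdefault(name, set()).add(rule.src)
    return {name: sorted(srcs) for name, srcs in sorted(exposed.items())}


# Constructed sample values: 203.0.113.0/24 stands in for the ISP block the
# two sites share, 203.0.113.5 for the remote site's NAT gateway, and
# 10.2.0.0/16 for the remote site's internal subnet as seen through a tunnel.
ISP_BLOCK = "203.0.113.0/24"
PEER_PUBLIC = "203.0.113.5/32"
PEER_INTERNAL = "10.2.0.0/16"


def _ad_rules(src):
    """Allow every service in AD_SERVICES except SMB from the given source."""
    return [Rule(src, p, lo, hi)
            for name, ranges in AD_SERVICES.items() if name != "smb"
            for p, lo, hi in ranges]


# Policy 1: no tunnel; DC services opened to the ISP block on the grounds
# that the replication traffic is encrypted anyway.
NO_VPN_RULES = _ad_rules(ISP_BLOCK)

# Policy 2: perimeter accepts only IPsec (ESP plus IKE on UDP 500) from the
# peer gateway; DC services are reachable only from the tunnel-side subnet.
VPN_RULES = [Rule(PEER_PUBLIC, "esp", 0, 0),
             Rule(PEER_PUBLIC, "udp", 500, 500)] + _ad_rules(PEER_INTERNAL)

TRUSTED = [PEER_INTERNAL]


def compare_policies():
    """Exposure of each policy, keyed by policy name."""
    return {"no_vpn": exposed_services(NO_VPN_RULES, TRUSTED),
            "vpn": exposed_services(VPN_RULES, TRUSTED)}


if __name__ == "__main__":
    for policy, result in compare_policies().items():
        print(policy, "->", result or "no DC services reachable from untrusted sources")
```

Running the block prints five reachable services (endpoint mapper, the dynamic RPC range, LDAP, Kerberos and DNS) for the no-VPN policy and none for the tunnel policy; the difference is purely in which sources can reach the listeners, which is the distinction Jim draws between encrypting the data and protecting the interfaces.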