OSEC

Re: Use of L2TP in isolated W2K3 AD

From: stefan avgoustakis (stefan.avgoustakis@atosorigin.com)
Date: Wed Jun 09 2004 - 02:25:11 CDT


In-Reply-To: <00cb01c44d24$684ee9a0$37532093nt.fel>

Hi Milos,

Although at first sight your solution seems OK, you might want to consider using certificates to authenticate your managed stations/servers, e.g. using the 802.1X authentication protocol.

Greetz,

Stefan

>From: "Milos Puchta" <puchta@cslab.felk.cvut.cz>
>To: <focus-ms@securityfocus.com>
>Subject: Use of L2TP in isolated W2K3 AD
>Date: Tue, 8 Jun 2004 08:47:03 +0200
>
>1.
>Imagine a large network that is more or less open to the Internet.
>I mean that there is packet filtering for some ports, and one subnet
>is blocked from access from the Internet, but due to the routing
>between subnets all subnets are open....
>
>2.
> I can do nothing as to changes in the structure of the LAN :-(((
> except asking for direct access to the selected computers to be blocked.
> (No private LAN with a private IP range, no blocking of routing,... :-(( ...)
>
>3.
>There are various services and operating systems on the LAN,
>including Windows, FreeBSD, Novell, SUN, VMS etc.
>
>4.
>I "develop" and maintain Active Directory (Windows 2003 Server and Windows
>XP Professional) in this structure. Windows XP clients should reach
>data on various systems (data and licenses on license servers).
>
>Because of security problems I am considering isolating the domain controllers
>behind an internal ISA firewall; Windows clients would use the L2TP protocol,
>as if they were accessing the domain controllers and file servers from the
>Internet.
>Is this a solution in my case?
>
>Thanks for your opinion and qualified guess.
>
>Regards,
>Milos
>
>
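As an added example, not part of the thread and not code from either poster: the host firewall policy that Milos's design implies (domain controllers reachable from the open LAN only through an L2TP/IPsec tunnel), followed by a check for the machine certificate that Stefan's suggestion depends on. It is written with the NetSecurity cmdlets of current Windows Server rather than ISA Server 2004, and assumes a domain controller that terminates the L2TP/IPsec tunnels itself (RRAS on the same host); the ISA publishing rules in the original design would enforce the same policy in front of the DCs. The VPN client pool 10.99.0.0/24 is hypothetical.

```powershell
# Added example, not from the thread. Assumes Windows Server 2012 or later with the
# NetSecurity module, a domain controller that is also the L2TP/IPsec endpoint,
# and a hypothetical VPN client address pool.
$VpnClientPool = "10.99.0.0/24"

# Default deny inbound on every profile: nothing on the open LAN reaches the
# DC directly, whatever the campus routing looks like.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# The only clear-text traffic the untrusted LAN may send is what IPsec itself
# needs: IKE (UDP/500), IPsec NAT-T (UDP/4500) and ESP (IP protocol 50).
New-NetFirewallRule -DisplayName "L2TP/IPsec: IKE"   -Direction Inbound -Protocol UDP -LocalPort 500  -Action Allow
New-NetFirewallRule -DisplayName "L2TP/IPsec: NAT-T" -Direction Inbound -Protocol UDP -LocalPort 4500 -Action Allow
New-NetFirewallRule -DisplayName "L2TP/IPsec: ESP"   -Direction Inbound -Protocol 50 -Action Allow

# L2TP (UDP/1701) is accepted only when it arrived inside an IPsec SA. A bare
# L2TP packet sent from the LAN never matches this rule and hits the default deny.
New-NetFirewallRule -DisplayName "L2TP inside IPsec" -Direction Inbound -Protocol UDP -LocalPort 1701 `
    -Action Allow -Authentication Required

# Domain services are exposed to tunnelled clients only: the remote address must
# be in the VPN pool, which a LAN host cannot use without first building a tunnel.
# The list is abbreviated; a real DC also needs DNS, the RPC endpoint mapper and
# its dynamic range, the global catalog port and more.
$DomainServices = @{
    "Kerberos" = 88
    "LDAP"     = 389
    "SMB"      = 445
}
foreach ($svc in $DomainServices.GetEnumerator()) {
    New-NetFirewallRule -DisplayName "AD $($svc.Key) from VPN clients only" -Direction Inbound `
        -Protocol TCP -LocalPort $svc.Value -RemoteAddress $VpnClientPool -Action Allow
}

# Stefan's point: authenticate machines with certificates, not shared secrets.
# Both IKE machine-certificate authentication for L2TP/IPsec and 802.1X EAP-TLS
# need a certificate in the computer store with a private key and the
# Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2). This returns the usable ones.
function Get-MachineAuthCertificate {
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq "1.3.6.1.5.5.7.3.2" })
        }
}

if (-not (Get-MachineAuthCertificate)) {
    Write-Warning "No usable machine certificate in LocalMachine\My: certificate-based IKE or 802.1X cannot work on this host."
}
```

The rule set shows where the security of the design actually sits: the default-deny plus the three IPsec rules mean the open LAN can only talk IKE to the DC, so the strength of the IKE authentication (a per-machine certificate rather than a pre-shared key every client knows) is what keeps an arbitrary LAN host from becoming a "VPN client". The `-Authentication Required` rule is the check that L2TP is never accepted outside an IPsec SA.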