RE: Use of L2TP in isolated W2K3 AD

afreyman@dsw.net
Date: Tue Jun 08 2004 - 16:43:40 CDT


Are you saying that all your computers have public IP addresses and most of
them are accessible from the internet?

If so, this is bad, but assuming that you can do nothing about it, try to at
least get a hardware firewall in front of your DCs. You can filter IP
ranges, but that doesn't necessarily protect you from IP spoofing, or
someone exploiting a vulnerable client.

L2TP is an option, but firstly I'd suggest that you harden your servers as
much as possible; also consider using Kerberos on the network, which may
give you an additional layer of security. Try running some IDS/IDP software
on the DCs, or at least something resembling a personal
firewall... ZoneAlarm and BlackICE come to mind. Auditing is a must as
well.

Since you mentioned L2TP, that means you're probably going to run VPN on one
of the Windows boxes. Maybe you can isolate that box in the DMZ and put
everything else in a private LAN? Also, what services are the clients
accessing on the servers? Just file and print?

-----Original Message-----
From: Milos Puchta [mailto:puchta@cslab.felk.cvut.cz]
Sent: Monday, June 07, 2004 11:47 PM
To: focus-ms@securityfocus.com
Subject: Use of L2TP in isolated W2K3 AD

1.
Imagine a large network that is more or less open to the Internet.
I mean that there is packet filtering for some ports, and one subnet
is blocked from access from the Internet, but due to the routing
between subnets all subnets are open....

2.
I can do nothing as to changes in the structure of the LAN :-(((
except asking for direct access to selected computers to be blocked.
(No private LAN for a private range of IPs, no blocking of routing,... :-(( ...)

3.
There are various services and operating systems on the LAN,
including Windows, FreeBSD, Novell, SUN, VMS etc.

4.
I "develop" and maintain Active Directory (Windows 2003 Server and Windows
XP Professional) in this structure. Windows XP clients should reach
data on various systems (data and licenses on license servers).

Because of security problems I am considering isolating the domain controllers
behind an internal ISA firewall, and the Windows clients would use the L2TP
protocol, as if they were accessing domain controllers and file servers from
the Internet.
Is this a solution in my case?

Thanks for your opinion and qualified guess.

Regards,
Milos
