Hello folks! I would like some advice. I am planning a small LAN infrastructure for an office I work for.

My structure needs a Firewall, Proxy and Active Directory. I will use one desktop server for Shorewall and Squid and a server for AD and fileserver.

I want to install the AD server on the DMZ. I did some research and a lot of people said that they don't recommend that configuration.

In this case, I will open the DMZ only for LAN connections. The WAN interface will only have open ports for the LAN adapter.

Is it dangerous, in this case, to have an Active Directory installed on the DMZ?

Best regards!

João K.

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july
João Kuchnier wrote:

> I am planning a small LAN infrastructure for an office I work for.
>
> My structure needs a Firewall, Proxy and Active Directory. I will use
> one desktop server for Shorewall and Squid and a server for AD and
> fileserver.
>
> I want to install the AD server on the DMZ. I did some research and a lot
> of people said that they don't recommend that configuration.
>
> In this case, I will open the DMZ only for LAN connections. The WAN
> interface will only have open ports for the LAN adapter.
>
> Is it dangerous, in this case, to have an Active Directory installed on the DMZ?

It's not dangerous, but it is tricky to set up. I did something not too dissimilar a while ago - a multi-zone firewall for a multi-tenant business centre.

The biggest problem is that by default, desktop-server communications for some stuff don't use defined ports - IIRC the server picks a random port and tells the client what it is. There is a registry setting to disable this and make it use fixed ports - and then you can configure the firewall accordingly. I don't recall any more detail than that; I wasn't involved in the Windows side of it, and I don't have access to the systems now.

I *think* the clients initially find the server by DNS. I used ISC DHCP server and BIND for the root of the clients' domain - and delegated all the "_<stuff>" subdomains to the Windows server.

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
I wrote:

> It's not dangerous, but it is tricky to set up. I
> did something not too dissimilar a while ago - a
> multi-zone firewall for a multi-tenant business
> centre. The biggest problem is that by default,
> desktop-server communications for some stuff
> don't use defined ports - IIRC the server picks
> a random port and tells the client what it is.
> There is a registry setting to disable this and
> make it use fixed ports - and then you can
> configure the firewall accordingly.

I should add that it's not a problem if you have a default policy to allow connections from the local LAN to the DMZ. In our case we had something akin to a DMZ but with a default policy of drop - all the switch management stuff etc. was in there, so it was more like a management LAN.

-- 
Simon Hobson
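For readers who want to see what João's design looks like in Shorewall terms with the default policy Simon describes (LAN to DMZ allowed, everything from the WAN dropped), here is an added configuration example. It is not code posted by anyone in this thread and not Shorewall's own sample; the interface names, the Squid port, the `DNS` and `SSH` macros used for the firewall host, and the assumption that the firewall runs a caching resolver for the DC to forward to are all choices made for the illustration.

```text
# /etc/shorewall/zones   (added example; zone names are conventional Shorewall ones)
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4

# /etc/shorewall/interfaces   (eth0/eth1/eth2 are assumptions)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs,routefilter,logmartians
loc     eth1        detect      tcpflags,nosmurfs
dmz     eth2        detect      tcpflags,nosmurfs

# /etc/shorewall/policy
#SOURCE   DEST   POLICY   LOG LEVEL
loc       dmz    ACCEPT              # LAN clients may open any connection to the DC/fileserver;
                                     # with this policy the DC's dynamic RPC ports need no per-port rules
loc       fw     ACCEPT              # LAN may talk to the firewall host (Squid, SSH)
loc       net    REJECT   info       # web access only through Squid, not directly
dmz       loc    DROP     info       # the DC cannot initiate connections into the LAN;
                                     # replies to LAN-initiated sessions are still passed by conntrack
dmz       net    DROP     info       # nothing from the DMZ reaches the Internet directly
dmz       fw     DROP     info       # except what the rules file opens explicitly
net       all    DROP     info       # WAN side: no inbound connections at all
fw        all    ACCEPT              # the firewall host itself (Squid fetching pages) may go anywhere
all       all    REJECT   info       # catch-all

# /etc/shorewall/rules
#ACTION        SOURCE   DEST   PROTO   DEST PORT(S)
ACCEPT         loc      fw     tcp     3128     # Squid listening port (assumed default)
SSH(ACCEPT)    loc      fw                      # administer the firewall from the LAN
DNS(ACCEPT)    dmz      fw                      # DC forwards DNS to a resolver on the firewall (assumption)
Ping(ACCEPT)   dmz      fw
```

With `net all DROP` and no `DNAT` entries, the DMZ zone is reachable only from `loc`, which is exactly Tom's observation later in the thread: the DC is no more exposed to the Internet than the LAN clients are. The `dmz loc DROP` policy is the caveat to keep in mind: domain logons, LDAP, Kerberos and SMB all originate from the clients and work unchanged, but anything the DC initiates toward a workstation (remote management or push-style tooling) would be logged and dropped and would need an explicit rule. Only if that policy were tightened further, for example to per-port rules from `loc` to `dmz`, would the fixed-RPC-port registry setting Simon mentions become necessary.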
In general you should never have a Windows machine in a DMZ. That's the biggest problem with this setup.

On Sep 4, 2009, at 11:31, Simon Hobson <linux@thehobsons.co.uk> wrote:

> I wrote:
>
>> It's not dangerous, but it is tricky to set up. I
>> did something not too dissimilar a while ago - a
>> multi-zone firewall for a multi-tenant business
>> centre. The biggest problem is that by default,
>> desktop-server communications for some stuff
>> don't use defined ports - IIRC the server picks
>> a random port and tells the client what it is.
>> There is a registry setting to disable this and
>> make it use fixed ports - and then you can
>> configure the firewall accordingly.
>
> I should add that it's not a problem if you have a default policy to
> allow connections from the local LAN to the DMZ. In our case we had something
> akin to a DMZ but with a default policy of drop - all the switch
> management stuff etc. was in there, so it was more like a management LAN.
> -- 
> Simon Hobson
Christ Schlacta wrote:

> In general you should never have a Windows machine in a DMZ. That's the
> biggest problem with this setup.

Well, if you are exposing it to the outside world then that's exactly where it should be. I agree that if it's not accessible from outside, it shouldn't be there. It wasn't clear from the original question whether this was a publicly visible machine.

In our case, it wasn't a DMZ but a management VLAN to which the customers didn't have access.

-- 
Simon Hobson
Thanks for your help, guys. I think there is no need to create a DMZ with only one server for now.

Best regards,

João K.

Simon Hobson wrote:

> Christ Schlacta wrote:
>
>> In general you should never have a Windows machine in a DMZ. That's the
>> biggest problem with this setup.
>
> Well, if you are exposing it to the outside world then that's exactly
> where it should be. I agree that if it's not accessible from outside,
> it shouldn't be there. It wasn't clear from the original question whether
> this was a publicly visible machine.
>
> In our case, it wasn't a DMZ but a management VLAN to which the
> customers didn't have access.
No, I'm saying exposing Windows to the Internet is always a bad idea. It should NEVER be in a DMZ, and should always be protected by the firewall with a reject or drop policy.

Simon Hobson wrote:

> Christ Schlacta wrote:
>
>> In general you should never have a Windows machine in a DMZ. That's the
>> biggest problem with this setup.
>
> Well, if you are exposing it to the outside world then that's exactly
> where it should be. I agree that if it's not accessible from outside,
> it shouldn't be there. It wasn't clear from the original question whether
> this was a publicly visible machine.
>
> In our case, it wasn't a DMZ but a management VLAN to which the
> customers didn't have access.
Christ Schlacta wrote:

> No, I'm saying exposing Windows to the Internet is always a bad idea.
> It should NEVER be in a DMZ, and should always be protected by the
> firewall with a reject or drop policy.

Christ -- perhaps you need to re-read the OP's post:

"In this case, I will open the DMZ only for LAN connections. The WAN interface will only have open ports for the LAN adapter."

It seems that in his case, the DMZ is more protected from the Internet than the LAN is.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
:oP. My bad.

On Sep 4, 2009, at 18:22, Tom Eastep <teastep@shorewall.net> wrote:

> Christ Schlacta wrote:
>
>> No, I'm saying exposing Windows to the Internet is always a bad idea.
>> It should NEVER be in a DMZ, and should always be protected by the
>> firewall with a reject or drop policy.
>
> Christ -- perhaps you need to re-read the OP's post:
>
> "In this case, I will open the DMZ only for LAN connections. The WAN
> interface will only have open ports for the LAN adapter."
>
> It seems that in his case, the DMZ is more protected from the Internet
> than the LAN is.
>
> -Tom
Christ Schlacta wrote:

> No, I'm saying exposing Windows to the Internet is always a bad idea.
> It should NEVER be in a DMZ, and should always be protected by the
> firewall with a reject or drop policy.

I'll politely disagree; I think you are being "a bit strong" there. I'm as 'sceptical' about Windows as most - I'm the lone Mac and Linux guy in a totally Windows setup at work. The bulk of our public servers are running Windows; they are as capable of being an Internet host as Linux, provided you manage them properly.

And of course, the whole point of having a DMZ is so that you have got separation from the outside via the firewall - plus separation from your LAN in case a public host does get compromised.

But that's getting a bit off topic for both this thread and the list.

-- 
Simon Hobson