opinion needed... w2k domain controller in dmz for authentication?

[fumper]

Hi,

I have been asked to place one of my domain controllers into our DMZ in order for our vpn users to be able to authenticate using their network logins. I have opened only the ports that are needed for the dc in the dmz to communicate with the dc on the inside interface.
I was able to get everything working, but I am not sure if this is the best way to go about it... any suggestions?

Thx

 

[yizhar]

HI.

> I have been asked to place one of my domain controllers into our DMZ in order for our vpn users to be able to authenticate using their network logins

Seems to me like a bad idea.
What kind of authentication - do you mean the XAUTH authentication for VPN connection (RADIUS), or authentication after the VPN is established and the user already have the yellow icon?
In any case I don't see the advantage of DC in the DMZ, unless I didn't get something here.

Try to add more description and details:
What OS in use on client computers?
What kind of services are accessed by VPN users?
What other servers are in the same DMZ?
And more details that are relevant...

Remember that one of the basic ideas of DMZ is that servers on the DMZ cannot access the internal network because they are at higher risk for attacks from the Internet.
If someone hacks a neighbor server (web server for example) in DMZ, it can then take control of the DC and from there it can control the whole entire network (for example simple change of logon script). This is not science fiction...

If VPN users have already access to the inside network, then there is no advantage for additional server in DMZ.

There are other issues like bandwidth. For example if your logon script or group policy is configured to automatic deploy software to workstations, it can cause bandwidth issues.

I normally prefer not to configure VPN clients to logon to the internal network. They logon locally before initiating VPN, and then use VPN to access specific services on the internal network (and/or for remote control/terminal services if they need to run things like database software).
Such services can run even on a XP Home machine that is not participating in the domain - do you get the idea?


Yizhar Hurwitz

http://teachers.sivan.co.il/yizhar

 

[fumper]

I understand what you are saying. I originally had the w2k server (stand alone)running IAS for Radius authentication in the dmz, (with local users added for vpn authentication), but was asked if the vpn users could logon with their network id's rather then have to remember an additional logon.
The idea was my boss wanted the vpn users to feel like they are actually in the office, for email, printing and file access. Most of the vpn clients are running xp, with a few w2k.
Currently the dc is the only server in the dmz, but we plan to roll out outlook web access in the near future along with the possibility of a web server in the dmz.
Any ideas about those?
thx

 

[yizhar]

HI.

> but was asked if the vpn users could logon with their network id's rather then have to remember an additional logon
I think that for that purpose - you can configure IAS on an internal DC (or member) server, no need to place a DC in DMZ for that.

Placing a DC in DMZ should be considered as the lowest priority solution because:
A. It makes network administration more complex, and adds un-needed problems that can be avoided.
B. It creates a security risk because it opens a broad pass for attacks from DMZ to INSIDE.



Yizhar Hurwitz

http://teachers.sivan.co.il/yizhar

 

[fumper]

how would I go about using a dc on the inside for IAS? I was able to get it to work in the dmz by adding the following, but haven't been able to get it to work with the inside dc...

access-list 100 permit ip 10.1.0.0 255.255.0.0 10.10.0.0 255.255.0.0
nat (dmz) 0 access-list 100

aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 10.1.0.10 255.255.255.255 password timeout 5

sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynmaic dynmap
crypto map client authentication partnetauth
crypto map mymap interface outside

isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

ip local pool vpnpool 10.0.10.1-10.0.10.254
vpngroup my-vpn-group address-pool vpnpool
vpngroup my-vpn-group DNS-SERVER 10.0.10.11
vpngroup my-vpn-group WINS-SERVER 10.0.10.11
vpngroup my-vpn-group IDLE-TIME 1800
vpngroup my-vpn-group default-domain my-domain.com
VPNGROUP MY-VPN-GROUP password xxxxxxxx

thanks again for the help.

 

[NorwellBob]

I think I'm in the same boat...

I've got a PIX 506e authenticating Cisco VPN clients against a Win2K IAS server... the IAS server is also a DC, and IAS uses AD for authentication.

My problem is, users can access "open" domain resources, but cannot access secured resources, such as their home directories, etc. How do I authenticate them against the domain?

Thanks,
Rob