A DMZ keeps an external network from directly reaching an internal network. It does this by isolating the machine that is being directly accessed from all other machines. Most of the time the external network is the Internet and what sits in the DMZ is the web server, but this is not the only possible configuration. A DMZ can also be used to isolate a particular machine within a network from other machines. This might be done for a branch office that needs its own Internet access but also needs access to the corporate network. In DMZ terminology, the internal network is generally thought of as holding more secret or valuable information than the external network. An easy way to tell which is the external and which is the internal network is to ask yourself which network you are protecting from the other. With a DMZ we are protecting our internal domain, which contains the valuable information, from the outside world.
It is not a good idea to place domain controllers in the DMZ or to extend the internal domain into it.
The primary advantage of a DMZ is that it provides neutral ground, typically for services that must be accessed by both internal and external users (for example, a web service).
Domain controllers, by their nature, are among the most highly valued assets within the organization. These are the servers that control access to the resources on a Windows network, including the Active Directory database. If an attacker is able to compromise a domain controller or the domain, he or she essentially owns the entire Windows infrastructure. Therefore, given the immense importance of keeping it protected, placing a domain controller in the DMZ is not a preferable solution.
The most common solution we see is to deploy DMZ servers as standalone (non-domain-joined) machines. If Active Directory authentication is required to give internal users privileged access to those servers, use LDAP authentication back to the domain controller on the internal network. If you do need a domain controller inside the DMZ to support specific services, prefer creating a separate Active Directory forest within the DMZ and then using a one-way trust that permits systems in the DMZ to trust user accounts within the internal forest.
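As an added example (not from the original article), a PowerShell audit that checks a DMZ host against the guidance above: either it is standalone, or it sits in a separate DMZ forest whose only trust to the internal forest is one-way. It assumes the RSAT ActiveDirectory module is installed on domain-joined hosts and uses the placeholder forest name corp.example; the selective-authentication check is an additional hardening not mentioned above.

```powershell
# Added audit script, not part of the original article. Assumes it runs on the
# DMZ host being checked, that the RSAT ActiveDirectory module is present when
# the host is domain-joined, and that 'corp.example' is a placeholder for the
# internal forest name.
param(
    [string]$InternalForest = 'corp.example'   # placeholder, replace with your forest
)

$findings = @()
$cs = Get-CimInstance -ClassName Win32_ComputerSystem

if (-not $cs.PartOfDomain) {
    # Standalone DMZ server: the recommended configuration.
    Write-Output "OK: $($cs.Name) is standalone (workgroup '$($cs.Workgroup)')."
    return
}

Import-Module ActiveDirectory -ErrorAction Stop
$forest = Get-ADForest

if ($forest.Name -ieq $InternalForest) {
    # The internal forest has been extended into the DMZ: the configuration
    # the article warns against.
    $findings += "Host is joined to the internal forest '$($forest.Name)'."
}
else {
    # Separate DMZ forest: the only trust should be one-way, with the DMZ forest
    # trusting internal accounts. Get-ADTrust reports Direction relative to the
    # forest the query runs in, so the trust toward the internal forest must be
    # Outbound; any other trust (or an Inbound/BiDirectional one) is a finding.
    foreach ($t in @(Get-ADTrust -Filter *)) {
        if ($t.Name -ine $InternalForest) {
            $findings += "Unexpected trust with '$($t.Name)' ($($t.Direction))."
            continue
        }
        if ($t.Direction -ne 'Outbound') {
            $findings += "Trust to '$($t.Name)' is $($t.Direction); a one-way Outbound trust is expected."
        }
        if (-not $t.SelectiveAuthentication) {
            # Added hardening: only explicitly permitted internal accounts
            # should be able to authenticate to DMZ systems.
            $findings += "Trust to '$($t.Name)' does not use selective authentication."
        }
    }
}

if ($findings.Count -eq 0) { Write-Output "OK: DMZ forest '$($forest.Name)' has only a one-way trust to '$InternalForest'." }
else { $findings | ForEach-Object { Write-Output "FINDING: $_" } }
```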
Now the argument is that by having a separate forest in the DMZ we are increasing management complexity. Nevertheless, can we accept a significant security risk for the sake of simplified management? I think we should be very careful about putting the domain in the DMZ, as otherwise the DMZ might be completely ineffective!
With Windows Server 2008 R2 Active Directory there is the possibility of extending the domain into the DMZ by placing a read-only domain controller (RODC) there. However, this solution also has several ifs and buts and may not serve the purpose of domain joining.