|
Posted by =?Utf-8?B?R2FicmllbC9URkk=?= on September 24, 2007, 8:58 am
If you were Registered and logged in, you could reply and use other advanced thread options
Secure network architecture and authentication, expecially when secure
external access is needed, is a big head-ache for me, due to my limited
knowledge of this matter and to many conflicting literature I find on the
Internet.
Very confusing.
I even gave a look at IBM's vision of Enterprise Security Architecture.
http://www.redbooks.ibm.com/redbooks/pdfs/sg246014.pdf
Although firewall zone is said to be obsolete by many sides, as you stated
too, IBM concept of network architecture still relies on firewall zones.
My will to have separate ADs for internal and external users come from my
concerns about:
1) the security boundary in AD is the forest
2) regulatory standards such as Sarbox or best-practice standards such as
CoBIT, do all of these allow external users to be profiled in the corporate
directory?
As you can understand I am confused and lost! :-(
Thanks for your support.
Regards,
Gabriele
"S. Pidgorny <MVP>" wrote:
> That is a reasonable architecture by Microsoft. As more radical in my own
> views, I'd prefer using single domain. There are enough means to segregate
> different types of users within the domain. On the other hand, separate
> domains give different account policies, admin authority and replication
> boundry, which is more useful in big organisations.
>
> Yet there's one thing that's not justified: putting the external user in DMZ
> and using a firewall to separate it from internal space. You have provided
> reasons for that - and there are some more. Thinking of different domains
> and identity management is the right thing to do; thinking in terms of
> firewall zones is now obsolete.
>
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
>
> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
>
> > Hi Svyatoslav,
> >
> > thanks for your reply.
> >
> > In the meanwhile I came throguh some readings of
> > Microsoft_Identity_and_Access_Management_Series_v1.4
> >
> > It looks like the basic level of security wants a separate AD forest for
> > external authentication with a trust relationship to the corporate AD
> > forest
> > to preserve users' SSO experience.
> >
> > Because of ports to be opened on the firewall to allow trust relationship
> > between DMZ and Intranet, another way to achieve authentication is
> > shadowing
> > corporate identities to the external AD forest by the use of MIIS, or in
> > some
> > cases, if application are claims-aware, with the deployment of ADFS to
> > federate identities of the 2 forests (ADFS proxy in the DMZ). This second
> > option does not require an AD trust relationship.
> >
> > An external forest can even allow mapping of digital certificates to
> > improve
> > authenticaion security (SSL/TLS) without requiring password to be
> > replicated
> > to shadowed accounts.
> >
> > According to this vision, the DMZ should be layered:
> > - the reverse-proxy to be placed in the DMZ (let's call it "outer DMZ")
> > - the external AD forest and SFTP server to be placed in the "production
> > zone" (let's call it "inner DMZ)
> > - the internal AD forest obviously to be placed in the Internal Zone (aka
> > "Intranet")
> >
> > Of course I am talking about an authentication framework that will be used
> > not only for FTP services, but ready to host additional application
> > servers
> > to be shared with external users.
> >
> > What's your opinion?
> >
> > Thanks,
> > Gabriele
> >
> >
> > "S. Pidgorny <MVP>" wrote:
> >
> >> 1) Internal network is better; and
> >> 2) No. It's overengineering, thus the answer to 1.
> >>
> >> --
> >> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> >> -= F1 is the key =-
> >>
> >> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
> >>
> >> > We need to implement a SFTP server that will be used by internal users
> >> > and
> >> > external customers to exchange files.
> >> > As a coporate policy, any connections coming from the internet has to
> >> > be
> >> > accepted and managed by a reverse proxy in DMZ.
> >> >
> >> > Questions:
> >> > 1) is it better to place the SFTP server in the Trusted Internal
> >> > Network
> >> > or
> >> > in the DMZ?
> >> > 2) the SFTP server supports Active Directory. Is it a good choice to
> >> > create
> >> > a DMZ-Extranet Forest and create a one-way trust to the internal AD?
> >> >
> >> > Ideas? Suggestions?
> >> >
> >> > Regards,
> >> > Gabriele
> >>
> >>
> >>
>
>
>
| 
XML site map