Re: LDAP, DMZ, private lan

To: undrgrid@westend.com, debian-security@lists.debian.org
Subject: Re: LDAP, DMZ, private lan
From: Christian Hammers <ch@westend.com>
Date: Sun, 20 May 2001 21:32:21 +0200
Message-id: <20010520213221.A809@westend.com>
Mail-followup-to: Christian Hammers <ch@westend.com>, undrgrid@westend.com, debian-security@lists.debian.org
In-reply-to: <20010520151501.A18735@UnderGrid.net>; from undrgrid@Toons.UnderGrid.net on Sun, May 20, 2001 at 03:15:01PM -0400
References: <20010520171038.A2425@mira.psychotron> <20010520151501.A18735@UnderGrid.net>

On Sun, May 20, 2001 at 03:15:01PM -0400, Jeremy T. Bouse wrote:
> 	Depending on what firewall system you are using (ipchains vs. iptables)
> you might be better putting the LDAP server on the LAN and just have LDAP
> connections from the DMZ interface NAT'd to the LAN interface. Deny all LDAP
> access attempts from the WAN -> LAN channel so your LDAP server is properly
> protected.

Wouldn't it be better to place the LDAP server into the DMZ? In case nothing
evel happens it doesn't make a difference but in case the LDAP server gets
cracked you could use the gained (normal) UID to exploit local root bugs
in the intranet. Ok, very hypotetical, but which drawbacks would have 
putting it into the DMZ?

bye,

    -christian-

-- 
              Save the forests, eat more beavers!

Reply to:

Follow-Ups:
- Re: LDAP, DMZ, private lan
  - From: Torstein Tauno Svendsen <torstei@linpro.no>

References:
- LDAP, DMZ, private lan
  - From: Florian Friesdorf <42ff@gmx.net>
- Re: LDAP, DMZ, private lan
  - From: "Jeremy T. Bouse" <undrgrid@Toons.UnderGrid.net>

Prev by Date: Re: LDAP, DMZ, private lan
Next by Date: Re: pam-mysql has open security bug since >180 days - want NMU!
Previous by thread: Re: LDAP, DMZ, private lan
Next by thread: Re: LDAP, DMZ, private lan
Index(es):
- Date
- Thread