Re: LDAP, DMZ, private lan

On Sun, May 20, 2001 at 03:15:01PM -0400, Jeremy T. Bouse wrote:
> 	Depending on what firewall system you are using (ipchains vs. iptables)
> you might be better putting the LDAP server on the LAN and just have LDAP
> connections from the DMZ interface NAT'd to the LAN interface. Deny all LDAP
> access attempts from the WAN -> LAN channel so your LDAP server is properly
> protected.

Wouldn't it be better to place the LDAP server into the DMZ? In case nothing
evil happens it doesn't make a difference, but in case the LDAP server gets
cracked you could use the gained (normal) UID to exploit local root bugs
in the intranet. Ok, very hypothetical, but which drawbacks would putting it
into the DMZ have?
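As an added illustration (not part of this thread, and not Jeremy's own ruleset), the iptables rules for the layout he describes: the LDAP server stays on the LAN, LDAP connections arriving on the DMZ interface are DNAT'd to it, and LDAP from WAN towards LAN is logged and dropped. Interface names and addresses are assumed placeholders; `IPT` defaults to a dry-run so the script can be inspected without root.

```shell
#!/bin/sh
# Added example for the "LDAP on the LAN, NAT from the DMZ" setup.
# Interfaces and addresses below are assumed, not taken from the thread.
# IPT defaults to "echo iptables" (dry run); set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

WAN_IF="eth0"
DMZ_IF="eth1"
LAN_IF="eth2"
FW_DMZ_ADDR="192.0.2.1"     # firewall's own address on the DMZ side (assumed)
LDAP_SERVER="192.168.1.10"  # LDAP server on the private LAN (assumed)
LDAP_PORT="389"

ldap_rules() {
    # 1. LDAP connections hitting the firewall's DMZ address are rewritten
    #    to the LAN LDAP server (conntrack un-NATs the replies).
    $IPT -t nat -A PREROUTING -i "$DMZ_IF" -d "$FW_DMZ_ADDR" \
        -p tcp --dport "$LDAP_PORT" -j DNAT --to-destination "$LDAP_SERVER:$LDAP_PORT"

    # 2. Forward only that DNAT'd LDAP traffic (and its replies) between
    #    DMZ and LAN; everything else DMZ->LAN is left to the default policy.
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -d "$LDAP_SERVER" \
        -p tcp --dport "$LDAP_PORT" -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s "$LDAP_SERVER" \
        -p tcp --sport "$LDAP_PORT" -m state --state ESTABLISHED -j ACCEPT

    # 3. Deny every LDAP attempt from the WAN towards the LAN, logging it
    #    first so that probes against the directory show up in the logs.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp --dport "$LDAP_PORT" \
        -j LOG --log-prefix "LDAP-WAN-DENY: "
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp --dport "$LDAP_PORT" -j DROP
}

ldap_rules
```

The FORWARD chain should already have a DROP default policy for this to mean anything; the rules above only open the one LDAP path and make the WAN denial explicit and logged.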
