
Re: LDAP, DMZ, private lan



Christian Hammers <ch@westend.com> writes:

> On Sun, May 20, 2001 at 03:15:01PM -0400, Jeremy T. Bouse wrote:
> > 	Depending on what firewall system you are using (ipchains vs. iptables)
> > you might be better putting the LDAP server on the LAN and just have LDAP
> > connections from the DMZ interface NAT'd to the LAN interface. Deny all LDAP
> > access attempts from the WAN -> LAN channel so your LDAP server is properly
> > protected.
> 
> Wouldn't it be better to place the LDAP server into the DMZ? In case nothing
> evil happens it doesn't make a difference, but in case the LDAP server gets
> cracked you could use the gained (normal) UID to exploit local root bugs
> in the intranet. Ok, very hypothetical, but which drawbacks would
> putting it into the DMZ have?

Well, if you place the LDAP server in the DMZ and use it for user
authentication on the internal network, you have a _huge_ problem if
the LDAP server machine gets compromised (i.e. evil cracker has
control over your accounts and passwords).

I've been thinking about the same problem, and at our site we are
planning to put separate LDAP servers in the DMZ, and use replication
to push changes to them from a master server on the internal network.
(Just have to find a way of preventing it from pushing attributes we
don't want published in the DMZ (i.e. the user passwords and such -
the ldap-servers in the DMZ will be used for mail-routing, so the
passwords are not needed).)

-- 
Torstein


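One way to build the setup Torstein describes (internal master, read-only replicas in the DMZ that never receive the password attributes) with current OpenLDAP syncrepl. This is an added example in slapd.conf syntax, not the configuration from the post or from any particular site; the suffix dc=example,dc=com, the replication identity cn=replicator, the host names, the attribute list and the CA path are all assumed values.

```conf
# ===== Provider: master slapd on the internal LAN (constructed example) =====
# The ACL is the real control. Replication runs as an ordinary search by the
# replication identity, so whatever that identity cannot read is simply never
# sent to the DMZ, regardless of what a replica asks for. userPassword is
# explicitly denied to cn=replicator before any broader rule can match.
access to attrs=userPassword
    by dn.exact="cn=replicator,dc=example,dc=com" none
    by self write
    by anonymous auth
    by * none

# Everything else the replicas need (names, mail routing data) is readable
# by the replication identity; adjust to taste for ordinary users.
access to *
    by dn.exact="cn=replicator,dc=example,dc=com" read
    by users read
    by * none

# syncprov turns this database into a syncrepl provider.
overlay syncprov
syncprov-checkpoint 100 10

# Verification (run from the master, as the replicator): the result must not
# contain a single userPassword line.
#   ldapsearch -H ldaps://ldap-master.internal.example.com \
#     -D "cn=replicator,dc=example,dc=com" -W -b dc=example,dc=com userPassword

# ===== Consumer: mail-routing replica in the DMZ (constructed example) =====
# attrs= whitelists what the replica stores at all; the provider ACL above
# would strip userPassword anyway, so the two controls back each other up.
syncrepl rid=001
    provider=ldaps://ldap-master.internal.example.com
    type=refreshAndPersist
    retry="60 +"
    searchbase="dc=example,dc=com"
    filter="(objectClass=inetOrgPerson)"
    scope=sub
    attrs="cn,uid,mail,mailRoutingAddress"
    bindmethod=simple
    binddn="cn=replicator,dc=example,dc=com"
    credentials="REPLACE-WITH-REPLICATOR-PASSWORD"
    tls_cacert=/etc/ssl/certs/internal-ca.pem
    tls_reqcert=demand

# The DMZ copy is read-only for everyone, including local root through the
# LDAP protocol; writes are redirected to the master and will be refused
# there unless the client is on the LAN and authorised.
updateref ldaps://ldap-master.internal.example.com
access to *
    by * read
```

Two points worth keeping in mind when applying this to the thread's question. First, syncrepl is consumer-initiated: the DMZ replica opens the connection to the master, so the firewall rule is "this one DMZ host may reach the master's LDAPS port" and nothing else from DMZ to LAN, which is narrower than the NAT arrangement proposed earlier in the thread. Second, the attribute list on the consumer is convenience, not security; only the provider-side ACL guarantees that a fully compromised replica (or anyone holding the replicator credentials) still cannot pull the password hashes, which is exactly the failure mode Torstein is worried about.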
