Feature

Protect Active Directory traffic with a VPN

This article can also be found in the Premium Editorial Download "Information Security magazine: Dollars and sense: Getting the security budget you need -- and spending it wisely."

Q: "Do you have any suggestions on a package for spam filtering?" -M.M.

A: With my e-mail showing up more than 4,000 times in Google alone, you can imagine how many spam messages I get every day. On average, I receive 55 personalized e-mails a day, 39 of which are spam.

There are dozens of antispam products out there, but I use a free service called SpamNet, from Cloudmark. Unfortunately, you didn't say what e-mail program you use, but SpamNet works on Outlook 2000 and Outlook XP. However, it won't work on Outlook Express.

I've been keeping detailed stats since June 2002, and SpamNet catches 52.82 percent of my spam, on average. It may be more successful for most readers because your e-mail addresses haven't made it into as many nooks and crannies as mine. The most important part of SpamNet is its incredibly low false positive rate, which for me has been less than 1 percent.

Q: "My question is regarding Active Directory replication over firewalls. One solution I've heard is to open all the high ports from 1024 to 65535/TCP for RPC dynamic assignment. But this turns my firewall into Swiss cheese. Also, I should note that I tested IPSec and can't use it for this." -M.A.

A: Active Directory is the "family jewels" of a Windows 2000 environment. Access to it is critical for every computer in your environment, and the information it contains is crucial to your business operation. Obviously, you need to ensure any access to it is from systems you trust.

Having your Active Directory information traverse the public Internet opens up a huge can of worms. There's the possibility that someone, between your office and the other end, may sniff the traffic and glean important information, like user ID/password combinations. It also gives attackers the ability to target the service itself, attempting to gain access to your AD servers.

One option is to set up a dedicated private network between sites, but that can get expensive. Many companies use VPNs to encrypt communications. This eliminates the risk of someone sniffing AD traffic. Further, VPNs authenticate the user to the AD server.

You mention you've tested and ruled out IPSec. IPSec can be set up as client-to-client or server-to-server. Cisco routers, for example, can set up IPSec tunnels between themselves (and others), so there are no client requirements. There are dozens of VPN solutions you can consider, like L2TP via Microsoft's Routing and Remote Access Services. Many of these (including Microsoft's) don't require certificates and can rely upon the credentials already known to the user, so you may find them easier to work with. If you have a firewall, it can likely establish a VPN between itself and clients or other firewalls of the same brand (in addition to IPSec).

The bottom line is that AD-oriented traffic is mission critical and highly sensitive, and must be protected by some sort of VPN.

As an aside, remember that VPNs represent another way for the Internet to get into your network. In some cases, January's SQL Slammer worm slipped into the network via unfiltered VPN connections, either from branch offices or remote users. So VPNs aren't foolproof; you still have to filter traffic coming into your network at the VPN connection point.

About the author:
Russ Cooper is surgeon general of TruSecure Corp. and editor of the NTBugtraq mailing list.

This was first published in March 2003
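
The two firewall points in the Active Directory answer, the open 1024-65535/TCP range from the question and the need to filter at the VPN connection point, shown as an added example that is not part of the original column: a first-match rule evaluator and a breadth audit run over constructed rule sets. The interface labels, rule names and the hosts `dc1` and `sql1` are assumptions made for illustration; UDP/1434 is the SQL Server port SQL Slammer spread over.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    iface: str   # ingress interface label: "internet" or "vpn" (assumed names)
    proto: str   # "tcp", "udp" or "any"
    lo: int      # first destination port
    hi: int      # last destination port
    dst: str     # destination host label, or "any"
    action: str  # "permit" or "deny"

    def matches(self, iface, proto, port, dst):
        return (self.iface == iface and self.proto in ("any", proto)
                and self.lo <= port <= self.hi and self.dst in ("any", dst))

def decide(rules, iface, proto, port, dst):
    """First matching rule wins; unmatched traffic is denied."""
    for r in rules:
        if r.matches(iface, proto, port, dst):
            return r.action
    return "deny"

def audit(rules, max_span=1024):
    """Return (rule name, reason) for permit rules that are too broad."""
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        if r.iface == "internet" and r.hi - r.lo + 1 > max_span:
            findings.append((r.name, "wide port range open to the Internet"))
        if r.iface == "vpn" and r.proto == "any" and r.dst == "any":
            findings.append((r.name, "VPN traffic enters unfiltered"))
    return findings

# Constructed rule sets; "dc1" and "sql1" are made-up internal hosts.
OPEN_HIGH_PORTS = [
    Rule("rpc-dynamic", "internet", "tcp", 1024, 65535, "dc1", "permit"),
    Rule("vpn-any", "vpn", "any", 0, 65535, "any", "permit"),
]
# RPC ports only, and only to the domain controller; not a full AD port list.
FILTERED_VPN = [
    Rule("vpn-rpc-mapper", "vpn", "tcp", 135, 135, "dc1", "permit"),
    Rule("vpn-rpc-dynamic", "vpn", "tcp", 1024, 65535, "dc1", "permit"),
]

if __name__ == "__main__":
    for rules in (OPEN_HIGH_PORTS, FILTERED_VPN):
        # UDP/1434 is the SQL Server port SQL Slammer spread over.
        print(audit(rules), decide(rules, "vpn", "udp", 1434, "sql1"))
```

With the filtered set, the dynamic RPC range still reaches the domain controller through the tunnel, but a UDP/1434 packet arriving over the VPN for another host falls through to the default deny.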
