
Protect Active Directory traffic with a VPN

Active Directory network traffic is mission critical and highly sensitive, and must be protected by a VPN.

Q: "Do you have any suggestions on a package for spam filtering?" -M.M.

A: With my e-mail showing up more than 4,000 times in Google alone, you can imagine how many spam messages I get every day. On average, I receive 55 personalized e-mails a day, 39 of which are spam.

There are dozens of antispam products out there, but I use a free service called SpamNet, from Cloudmark. Unfortunately, you didn't say what e-mail program you use, but SpamNet works on Outlook 2000 and Outlook XP. However, it won't work on Outlook Express.

I've been keeping detailed stats since June 2002, and SpamNet catches 52.82 percent of my spam, on average. It may be more successful for most readers because your e-mail addresses haven't made it into as many nooks and crannies as mine. The most important part of SpamNet is its incredibly low false positive rate, which for me has been less than 1 percent.

Q: "My question is regarding Active Directory replication over firewalls. One solution I've heard is to open all the high ports from 1024 to 65535/TCP for RPC dynamic assignment. But this turns my firewall into Swiss cheese. Also, I should note that I tested IPSec and can't use it for this." -M.A.

A: Active Directory is the "family jewels" of a Windows 2000 environment. Access to it is critical for every computer in your environment, and the information it contains is crucial to your business operation. Obviously, you need to ensure any access to it is from systems you trust.

Having your Active Directory information traverse the public Internet opens up a huge can of worms. There's the possibility that someone, between your office and the other end, may sniff the traffic and glean important information: account and group details, and any credentials that cross the wire in the clear (an LDAP simple bind, for example). It also gives attackers the ability to target the service itself, probing the replication and directory ports directly in an attempt to gain access to your AD servers.

One option is to set up a dedicated private network between sites, but that can get expensive. Many companies use VPNs to encrypt communications. This removes the risk of someone sniffing AD traffic on the Internet path. Further, a VPN authenticates the remote site or user to your VPN gateway before any AD traffic is accepted, so only peers you know about can reach the domain controllers at all.

You mention you've tested and ruled out IPSec. IPSec can be set up host-to-host (transport mode) or gateway-to-gateway (tunnel mode). Cisco routers, for example, can set up IPSec tunnels between themselves (and others), so there are no client requirements. There are dozens of VPN solutions you can consider, like PPTP or L2TP via Microsoft's Routing and Remote Access Services. Some of these (Microsoft's PPTP, for example) don't require certificates and can rely upon the domain credentials the user already has, so you may find them easier to work with; bear in mind that a password-authenticated tunnel is then only as strong as those passwords. If you have a firewall, it can likely establish a VPN between itself and clients or other firewalls of the same brand (in addition to IPSec).

The bottom line is that AD-oriented traffic is mission critical and highly sensitive, and must be protected by some sort of VPN.

As an aside, remember that VPNs represent another way for the Internet to get into your network. In some cases, January's SQL Slammer worm slipped into the network via unfiltered VPN connections, either from branch offices or remote users. So VPNs aren't foolproof; you still have to filter traffic coming into your network at the VPN termination point, allowing only the ports your domain controllers actually need and treating the tunnel like any other untrusted segment.
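The reader's "Swiss cheese" problem and the filtering advice just above meet in one practical step that the column does not spell out: pin the RPC ports that AD replication and FRS use, so the filter at the VPN termination point can allow a short fixed list instead of TCP 1024-65535. The following is an added example, not code from the original column or from Microsoft; the two registry values it sets are the Microsoft-documented ones for the NTDS and NTFRS services, while the port numbers 49152 and 49153 and the allow-list table are this example's own assumptions. On a Windows 2000 domain controller, where PowerShell is not available, the same two values can be created with regedit.

```powershell
# Added example (not from the original column). Pins the RPC ports used by AD
# replication (NTDS) and FRS so the VPN endpoint's filter can allow a handful of
# fixed ports instead of the whole dynamic range. Run as an administrator on
# each domain controller; the services read the values on restart/reboot.
# Registry paths and value names are Microsoft-documented; the port numbers
# are assumptions chosen for this example (any free port above 1024 works).

$ntdsPort = 49152   # assumed value: AD replication RPC listener
$frsPort  = 49153   # assumed value: FRS (SYSVOL) RPC listener

# Active Directory replication over RPC
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
    -Name 'TCP/IP Port' -PropertyType DWord -Value $ntdsPort -Force | Out-Null

# File Replication Service (SYSVOL replication on Windows 2000/2003 DCs)
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters' `
    -Name 'RPC TCP/IP Port Assignment' -PropertyType DWord -Value $frsPort -Force | Out-Null

# Inbound allow-list for the site-to-site tunnel (assumed set for this example);
# everything else arriving through the tunnel should be denied, which is what
# would have stopped an unfiltered worm such as SQL Slammer (UDP 1434).
$adPorts = @(
    @{ Proto = 'TCP'; Port = 135;       Use = 'RPC endpoint mapper' },
    @{ Proto = 'TCP'; Port = $ntdsPort; Use = 'AD replication (pinned above)' },
    @{ Proto = 'TCP'; Port = $frsPort;  Use = 'FRS SYSVOL replication (pinned above)' },
    @{ Proto = 'TCP'; Port = 389;       Use = 'LDAP' },
    @{ Proto = 'UDP'; Port = 389;       Use = 'LDAP ping / DC locator' },
    @{ Proto = 'TCP'; Port = 636;       Use = 'LDAP over SSL' },
    @{ Proto = 'TCP'; Port = 3268;      Use = 'Global Catalog' },
    @{ Proto = 'TCP'; Port = 88;        Use = 'Kerberos' },
    @{ Proto = 'UDP'; Port = 88;        Use = 'Kerberos' },
    @{ Proto = 'TCP'; Port = 53;        Use = 'DNS' },
    @{ Proto = 'UDP'; Port = 53;        Use = 'DNS' },
    @{ Proto = 'TCP'; Port = 445;       Use = 'SMB (SYSVOL and NETLOGON shares)' },
    @{ Proto = 'UDP'; Port = 123;       Use = 'NTP (keeps Kerberos clock skew in bounds)' }
)

# Print the list in a form that can be transcribed into the firewall/VPN filter.
$adPorts | ForEach-Object { [pscustomobject]$_ } | Format-Table Proto, Port, Use -AutoSize

# After the reboot, confirm the pinned listener is up before tightening the filter:
#   netstat -ano | findstr ":$ntdsPort"
```

Two caveats a practitioner would want: pinning covers the replication listeners only, and on Windows 2000 other RPC-based services on a domain controller (Netlogon in particular) still take dynamic ports, so test the site link and trust operations after the filter is tightened rather than assuming the list above is exhaustive; and the list is applied to the VPN's inbound filter, which does not remove the need for the tunnel itself, since without it ports such as 389 and 445 would be exposed to anyone on the Internet path.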

About the author:
Russ Cooper is surgeon general of TruSecure Corp. and editor of the NTBugtraq mailing list.

This was last published in March 2003
