Guido,
It's my understanding that in the NT realm, RAS and PPTP2 are your
friends: not as solid and stable as the solutions that some folks in the unix
realm like to rely upon, but NT-centric systems offer this as
perhaps the best they have. There are weaknesses though, so you are best
to search out that information; if I recall, L0pht <http://www.L0pht.com/>
has an extensive paper on PPTP2. Others will, I'm sure, correct and add to
my understanding here.
Thanks,
Ron DuFresne
On 5 May 2000, Guido A.J. Stevens wrote:
> Is it feasible to firewall a Windows NT Primary Domain Controller?
>
> In the course of evaluating the external firewall configuration for a
> windows-based WAN, I'm also taking a look at internal network security
> policies.
>
> Most disturbing is that each and every node puts its trust in one
> Primary Domain Controller, creating a single point of failure for the
> whole WAN. My client contact assures me this is The Way To Do It (tm)
> in the windoze (tm) business. Being a Linux guy with a "trust is your
> enemy" attitude, I find this hard to swallow.
>
> So what I want to try and do is to add some protection to the PDC by
> placing it behind an internal firewall. I've looked all over the net
> but I can't find any useful protocol specification I could base a nice
> ipchains rule set on, that would leave the PDC function intact whilst
> blocking other traffic to the PDC machine.
>
> Three questions:
> - does it make sense at all to try and internally firewall a PDC?
> - does anybody have any reference to an NT protocol/ports
> specification I can base my firewall rules on?
> - does anybody have any experience with this situation and some good
> advice or some example code to draw on?
>
> An additional question that's off-topic for this list, but maybe
> somebody has a useful opinion anyway:
> - is it really that hard to break up the trusts into multiple domains
> and just log into the appropriate domains from a central workstation?
>
> Thanx.
> --
> *** Guido A.J. Stevens *** mailto:[EMAIL PROTECTED] ***
> *** Net Facilities Group *** tel:+31.43.3618933 ***
> *** http://www.nfg.nl *** fax:+31.43.3560502 ***
>
> It is not true that the government has not moved to regulate the
> internet. The last few years has seen an extraordinary expansion
> of intellectual property rights [...] that is producing an
> extraordinary power to own and hence control ideas.
> [Lessig, http://cyber.law.harvard.edu/events/lessigkeynote.pdf ]
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.