Yes, I know that Active Directory is LDAP. But having a firewall product in your domain structure is just a bad idea. A firewall should just be a firewall and not implement into a domain structure, and if you want to use LDAP, use a different LDAP server than Active Directory. If you don't, then you are running a Microsoft product on top of a Microsoft product in a Microsoft domain. Let me ask this: what is the name of the company who has not been able to secure their own software? Microsoft have pretty good OS's etc. But they are far from a security company. And also they have ports open by default on their firewall, like port 88 for Kerberos. Just throw netcat into the mix listening on port 88 and forwarding to port 139. Goodbye network! That is why there are so many 3rd party vendors who sell security products for Microsoft networks.

-----Original Message-----
From: David Moisan [mailto:[EMAIL PROTECTED]
Sent: Monday, May 26, 2003 1:27 PM
To: [EMAIL PROTECTED]

At 08:23 PM 5/24/2003 -0400, David Ellis wrote:

>Let me ask a question here? Why would anyone want tight active directory
>integration on a firewall which by all means constitutes a security
>flaw?

The AD features in ISA are used to control outbound access, as in "Jane User can only surf non-company sites during lunch hour" sort of thing. AD --which is just LDAP & proprietary extensions--is not exposed to the outside on my ISA server.

Can you describe a scenario where AD is compromised? I don't like using the term "vulnerability" unless I can imagine roughly where such a thing might happen.

Take care,

Dave

David Moisan, N1KGH
ARES/SKYWARN
[EMAIL PROTECTED]
Invisible Disability: http://www.davidmoisan.org/invisible_disability.html
ATS-909 FAQ: http://www.davidmoisan.org/radio/sangean/ats909faq.html
