RE: AD replication over WAN

From: Jim Harrison (SPG) <jmharr(at)microsoft.com>
Date: Mon Jan 13 2003 - 16:41:15 EST


That's a very similar scenario, IMHO.
The point they're trying to make is that if data protection is your biggest concern, then RPC encryption offers the same protection level as a VPN tunnel.
My earlier point was, RPC uses known interfaces (multiple), which are popular targets. Encrypting the data prevents some forms of snooping, but it doesn't protect the machine interfaces that provide this communication.
If you block access to them (via tunneling, for instance) and RPC-encrypt them, you've just increased your jerk-resistance that much more.
Of course, there may be times when you have to choose one over the other.
In that case, I'd choose VPN.

Jim Harrison MCP(NT4/2K), A+, Network+
Security Business Unit (ISAQFE)

The burden of proof is not satisfied by a lack of evidence to the contrary.

-----Original Message-----
From: Keith Smith [mailto:ksmith@firesnacks.com]
Sent: Monday, January 13, 2003 07:53
To: focus-ms@securityfocus.com
Subject: RE: AD replication over WAN

I have a similar question, though in application to Outlook 2002 clients accessing an exchange server across the Internet. Microsoft claims that with OL2002, clients don't need to employ a VPN across the internet, as the RPC is all encrypted.

Would a VPN also be recommended in this instance given the observations below?

Thanks
Keith

-----Original Message-----
From: Jim Harrison (SPG) [mailto:jmharr@microsoft.com]
Sent: Sunday, January 12, 2003 9:43 PM
To: Valentine M. Smith; focus-ms@securityfocus.com
Subject: RE: AD replication over WAN

Given that the replication path (port/protocol) is well-defined and generally understood, it also makes sense that they could also provide a "door" to your AD controllers for those who wish to do you harm for no apparent reason.

With that in mind, it seems clear to me that a site-to-site VPN is not only preferable, it's mandatory.

Jim Harrison <mailto:jmharr@microsoft.com> MCP(NT4/2K), A+, Network+
Security Business Unit (ISA)

From: Valentine M. Smith [mailto:vmsmith@grokking.org]
Sent: Thu 1/9/2003 06:21
To: focus-ms@securityfocus.com
Subject: AD replication over WAN

Hi,

I'm looking for some feedback from the community regarding the transfer of AD traffic over a public WAN.

The basic plan is this:

Single Win 2000 domain spread over two sites in different cities. Each site has a perimeter NAT device and obscures its internal subnets behind IP addresses provided by a single ISP. No internetwork VPN planned. DNS is AD-integrated at both sites. Both DCs are patched to SP3.

The MS documentation I've consulted indicates that AD replication, and by extension, DNS zone information that is AD-integrated is automatically encrypted.

My question: if the data is already encrypted and is passing only across a single ISP's network, should one be bothering with a router-router VPN tunnel for this traffic? IOW, would setting up such a tunnel for this data be redundant/unnecessary or am I missing something important here? Would anyone care to comment on the relative safety of AD encryption out-of-the-box?

Thanks in advance for any feedback,

VS

Received on Tue Jan 14 21:23:48 2003
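The recurring point in the thread is that AD replication (and Outlook's MAPI/RPC) rides on well-known, attackable listeners: the RPC endpoint mapper on TCP 135, LDAP/Kerberos/SMB, and whatever dynamic RPC port the DC hands out. Encrypting the payload says nothing about whether those listeners are reachable from the Internet. The PowerShell below is an added example, not part of the original thread, showing the two things a practitioner would want to do about that: probe a DC from the untrusted side of the NAT to confirm none of those ports answer except through the tunnel, and pin the NTDS and Netlogon RPC endpoints to fixed ports (the documented `TCP/IP Port` and `DCTcpipPort` registry values) so a tunnel or firewall rule can be narrowed from the whole dynamic range to a handful of ports. The host name `dc1.example.com`, the probe port list and the static ports 50000/50001 are assumptions; the probe is meant to run on a current Windows host outside the perimeter, while the registry change applies to the DCs themselves (Windows 2000 included).

```powershell
# Added example, not code from the thread. Probe a DC's AD/RPC listeners
# from OUTSIDE the perimeter. Anything that comes back Reachable=True here
# is exposed regardless of whether the replication payload is encrypted.
function Test-DcExposure {
    param(
        [Parameter(Mandatory)] [string] $DcAddress,
        # Well-known AD ports plus a sample of the dynamic RPC range
        # (1024-5000 on Win2000/2003, 49152-65535 on 2008 and later). Assumed list.
        [int[]] $Ports = @(53, 88, 135, 139, 389, 445, 464, 636, 3268, 3269,
                           1025, 1026, 1027, 49152, 49153, 49154),
        [int] $TimeoutMs = 2000
    )
    foreach ($port in $Ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            # Asynchronous connect so a filtered (dropped) port times out
            # instead of hanging for the OS default; a closed port fails fast.
            $async = $client.BeginConnect($DcAddress, $port, $null, $null)
            $open  = $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false) -and $client.Connected
        } catch {
            $open = $false
        } finally {
            $client.Close()
        }
        [pscustomobject]@{ Host = $DcAddress; Port = $port; Reachable = $open }
    }
}

# Pin AD replication (NTDS) and Netlogon RPC to fixed ports. With these set,
# the site-to-site rule only needs TCP 135 plus the two chosen ports instead
# of the entire dynamic range. Run elevated on each DC; takes effect after
# the DC is restarted. Port numbers are assumptions, pick unused ones.
function Set-AdStaticRpcPorts {
    param(
        [int] $NtdsPort     = 50000,
        [int] $NetlogonPort = 50001
    )
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
        -Name 'TCP/IP Port' -PropertyType DWord -Value $NtdsPort -Force | Out-Null
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
        -Name 'DCTcpipPort' -PropertyType DWord -Value $NetlogonPort -Force | Out-Null
    [pscustomobject]@{ NtdsPort = $NtdsPort; NetlogonPort = $NetlogonPort; RestartRequired = $true }
}

# Usage (from a host outside the perimeter, name assumed):
Test-DcExposure -DcAddress 'dc1.example.com' |
    Where-Object { $_.Reachable } |
    Format-Table -AutoSize
```

Run the probe before and after the tunnel and firewall rules go in: the expected result from the public side is an empty table, with the same probe from inside the tunnel showing 135 and the two pinned ports. The static ports also make the dynamic-range sample in `$Ports` moot for replication traffic, which is the point of pinning them.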

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:25 EDT

