Somewhat OT: DirectAccess choices

> Firewall would be Layer 3 - you are running your storage over layer 3 aka iSCSI or something? Or you're using local storage, so the FW doesn't come into the picture?

We're running two hosts with direct-attached local storage in the DMZ
- and soon we'll be putting up a SAN (probably equalogic) in that
environment, so that we can achieve high(er) availability.

> FWIW we have strict separation between DMZ and internal zones, but no general compute
> DMZ (it's all appliances - proxies, hygiene appliances, VPN gateways etc.) The storage is
> generally all SAN or NAS, but physically separate SAN/NAS from internal zones. That way,
> even though we have FC etc. for storage, DMZ data storage runs over separate fabrics and
> networks to internal. If you're not doing that today, you already run risks - how are you
> managing those? Can they be reused to manage the risk of shared hosts?

We have strict separation also, but instead of appliances we have a
couple of web sites in the DMZ that are customer-facing, and a Lync
edge server there also. We even have a separate AD forest, for ease of
management.

> I assumed you were running ESX, but if you are running Hyper-V, then perhaps wait for Win 2016
> which has some SDN capabilities apparently. Not sure they're going to match NSX, but if they
> do, that might provide a bit more comfort that simple VLAN separation.

I haven't seen 2016 yet. I suppose I'll have to take a look at it soon.

Thanks,

Kurt

>
> -----Original Message-----
> From: ActiveDir-owner@xxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxx] On Behalf Of Kurt Buff
> Sent: Sunday, 6 March 2016 6:07 AM
> To: activedir
> Subject: Re: [ActiveDir] Somewhat OT: DirectAccess choices
>
> Yes, separate environment for the DMZ - separated from production by our firewall. We're actually running multiple HyperV hosts in the DMZ.
>
>
> On Fri, Mar 4, 2016 at 9:42 PM, Ken Schaefer wrote:
>> Do you have separate storage for your DMZ? If not, you're already running risks of having data or a VM presented to the wrong security zone. How are you handling that today?
>>
>> -----Original Message-----
>> From: ActiveDir-owner@xxxxxxxxxxxxxxxx
>> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxx] On Behalf Of Kurt Buff
>> Sent: Saturday, 5 March 2016 7:07 AM
>> To: activedir
>> Subject: Re: [ActiveDir] Somewhat OT: DirectAccess choices
>>
>> There are three of us on the infrastructure team - we handle all of VMware, AD, PKI, servers, routers, switches, firewalls, etc. - and it's not in my nature to trust anyone on the team (including myself).
>>
>> It's not that we aren't competent, but mistakes happen, and attacks never get harder, only easier.
>>
>> Kurt
>>
>> On Fri, Mar 4, 2016 at 10:56 AM, Gil Kirkpatrick (gilkirkpatrick.com) wrote:
>>> Not really my area of expertise, but a rough threat analysis would seem to come down to two questions: How much do you trust VMWare to provide isolation between virtual networks and virtual machines, and how much do you trust your VMWare administrators?
>>>
>>> There have been several hypervisor vulnerabilities over the years. Reaching into your squishy bits would require an attacker to exploit vulnerabilities in the guest OS as well as the hypervisor. Not impossible, but seems pretty unlikely.
>>>
>>> I'd be more concerned about your VMWare admins and their standards of practice.
>>>
>>> -gil
>>>
>>> -----Original Message-----
>>> From: ActiveDir-owner@xxxxxxxxxxxxxxxx
>>> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxx] On Behalf Of Kurt Buff
>>> Sent: Friday, March 4, 2016 11:29 AM
>>> To: activedir
>>> Subject: [ActiveDir] Somewhat OT: DirectAccess choices
>>>
>>> All,
>>>
>>> I'm not sure where to ask this question, but I have to believe that some of you here have some experience and opinions with DirectAccess, so will ask here first, while I'm doing my STFW work.
>>>
>>> Please feel free to direct me elsewhere if you know somewhere better.
>>>
>>> Does anyone have thoughts or concrete (referenceable?) recommendations on placement for a DA server?
>>>
>>> We currently are using UAG 2010 SP1 for DirectAccess (and only for DA, nothing else).
>>>
>>> We're looking to move to DirectAccess on 2012R2. One of the major design goals is to enable "manage out". I'll be doing a parallel install, and migrating current users to the new facility.
>>>
>>> We have a choice to make regarding placement of the new DA server - I know my preference, but I'm getting pushed to implement in a way I'm not comfortable with.
>>>
>>> The way we have it now: one NIC exterior, one NIC interior on its own VLAN - basically it straddles the perimeter, and bypasses our firewall. AFAICT, it was the best way to implement it at the time.
>>>
>>> With DA 2012R2, I can do that, or I can do a 2 NIC setup behind the firewall or I can do a single NIC behind the firewall. I'm not too concerned about that part of it.
>>>
>>> What I'm unhappy about is being pushed to put the DA server on the same VMware cluster as the rest of our production servers. It seems like a fairly major sin to mix security domains like that. I don't care that it would have its own VLAN, etc. - it just seems wrong to be mixing a security device that's supposed to be at the perimeter in with the soft gooey production servers.
>>>
>>>
>>> Kurt
>>> Forum info: http://www.activedir.org
>>> Problems unsubscribing? Email admin@xxxxxxxxxxxxxxxx
>> Forum info: http://www.activedir.org
>> Problems unsubscribing? Email admin@xxxxxxxxxxxxxxxx
> Forum info: http://www.activedir.org
> Problems unsubscribing? Email admin@xxxxxxxxxxxxxxxx
Forum info: http://www.activedir.org
Problems unsubscribing? Email admin@xxxxxxxxxxxxxxxx