
Re: LDAP and Firewalls



>Hi All,
> 
> I'm currently looking into LDAP enabling our product. The product's architecture
> has Java applets on the client, which can be used from outside a Firewall and
> C++ servers inside the Firewall. The LDAP server where I intend to store user
> preferences etc. will be inside the Firewall. Ideally, I'd like to use JNDI
> to talk to the LDAP server from the Java Applets, however, I'm unsure of the
> security restrictions imposed by Firewalls on LDAP.

That depends on the firewall. Firewalls can be set up as very simple renumbering
boxes, as filtering and scanning routers, as store and inspect proxies...
the range of firewall technology available means that there are equal ranges
of access, equal ranges of ways of working with them.

> I'm aware that there
> are LDAP proxies available in the market that make it possible for internet
> clients to talk to LDAP servers inside the firewall, but I'm not sure how
> widespread the use of these proxies is.

The point of a firewall is to stop access. That means that products which allow
access *through* the firewall are pretty dangerous things.... this is another
issue of a company's firewall policy. What if you allow port 389 straight
through, and somebody sets up telnet on a different internal machine at 389? What if
somebody outside the firewall gets admin access into your LDAP db?

> Also I'm not sure if it's common practice
> to access LDAP servers from outside the Firewall. I think companies might be
> a little reluctant to allow complete access to LDAP servers from the Internet,
> in which case the LDAP integration should be done inside the firewall.
> Any insights on this will be greatly appreciated.

The firewall is there to keep the outside separated from the inside. This
means that like your other systems, you will want to keep your LDAP access
separate. If you _are_ using a proxying firewall, and trying to run LDAP
through it, your latency will make life... interesting.

Here's best practice, do with it as you will:
One regular inside-the-firewall, trusted, server.
One outside server, bare minimum of records and data.
Firewall only allows traffic to the outside server from the inside server,
and vice versa.
Outside server is assumed dangerous, and the LDAP data on it is not to
be trusted by inside users. Replication should only be from trusted records
(inside) to untrusted records (outside).
Once every month or so, destroy all the data on the outside server and
reinstall from safe backups.

Now, take a look at that and see where you have to compromise between
security and usability. :-)

-Ron

--
Brought to you from iBop the iMac, a MacOS, Win95, Win98, LinuxPPC machine,
which is currently in MacOS land.  Your bopping may vary.
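Added example, not part of the original message: a toy first-match packet filter in Python that encodes the host-pair rule from Ron's best-practice list next to the "allow port 389 straight through" rule he warns about, so the difference can be checked on sample flows. All addresses and the rule syntax are constructed for the illustration.

```python
"""Toy first-match packet filter for the split-LDAP layout described above.

Constructed hosts (not from the original mail):
  10.0.0.10    inside, trusted LDAP server
  192.0.2.10   outside (untrusted) LDAP replica
  10.0.0.99    some other internal machine
  203.0.113.5  an Internet client
Only flows that cross the firewall are evaluated; Internet clients reach the
outside replica without crossing it.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

LDAP_PORT = 389
INSIDE_LDAP = "10.0.0.10"
OUTSIDE_LDAP = "192.0.2.10"
INTERNAL_NET = "10.0.0.0/8"


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # None matches any destination port

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


# "Firewall only allows traffic to the outside server from the inside server,
# and vice versa." Nothing else may cross on 389; everything else is denied.
SPLIT_POLICY = [
    Rule("allow", f"{INSIDE_LDAP}/32", f"{OUTSIDE_LDAP}/32", LDAP_PORT),
    Rule("allow", f"{OUTSIDE_LDAP}/32", f"{INSIDE_LDAP}/32", LDAP_PORT),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", None),
]

# The "port 389 straight through" policy the reply warns about: any source
# may reach any internal host on 389, whatever service is listening there.
PORT_ONLY_POLICY = [
    Rule("allow", "0.0.0.0/0", INTERNAL_NET, LDAP_PORT),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", None),
]


def decide(policy, src: str, dst: str, dport: int) -> str:
    """First matching rule wins; a policy with no match denies."""
    for rule in policy:
        if rule.matches(src, dst, dport):
            return rule.action
    return "deny"
```

With PORT_ONLY_POLICY an Internet host reaches 10.0.0.99 on 389 even if telnet, not LDAP, is listening there; SPLIT_POLICY confines 389 to the two directory servers.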