Using Windows authentication to access a Linux DMZ
The following is the ITKnowledge Exchange Tip of the Week for March 28, 2005.
"Stephang" writes: I am designing a new network with a demilitarized zone (
) containing Linux Web servers and a Windows BackOffice behind a firewall. I'd like to use Linux to run our company intranet on the DMZ side. However, I want to limit employee access from the Internet and from behind the firewall using Windows Server 2003 logon authentication. Can I do this, and if so, how do I configure the firewall? Are there any resources out there that someone can point me to?
Responses"astronomer" writes: There are good firewalls based on Unix/Linux, Windows and appliances. My personal prejudice for the most secure, configurable and inexpensive firewall for the majority of needs is OpenBSD running pf. The disadvantage here is Unix user hostility. If you are using Linux, a good book to start with is New Riders' book on iptables. There are also many prepackaged firewalls out there but most seem to be designed to protect your home network.
For external access by employees, I assume you are planning VPNs. They can be accommodated by a variety of platforms using Radius authentication from your Windows domain controllers. Some of your description is confusing. Normally the term intranet is used to describe the company network behind the internal firewall, not the DMZ.
I agree with using Unix and Linux systems on the DMZ. Historically, this has been safer, although the facts may be changing now. Regardless of the OS, all bastion hosts and firewalls need to be hardened. Systems like the Cisco PIX come that way, which is part of the reason many people have trouble configuring them. There are several books on Linux hardening. If you need a reference on hardening Windows, check the NSA site.
"mdiha1" writes: First you need to find what type of firewall you want to implement (for example packet filtering, at least dual-homed, screening subnet, etc. A good reference on this is the book Building Internet Firewalls. You will find very useful architectural concepts. For more specific information on configuration, defining ACLs, etc., it depends on the product you choose. Cisco PIX, CheckPoint FW1 are some examples of very popular firewalls. The user's guide for these products should help you configure your firewall if you decide to go this way.
As a previous response mentioned, always harden your systems, mainly those interfacing with the Internet. For resources on hardening take a look on Amazon and search for the Hardening series of books including Hardening Windows and Hardening Network Infrastructure. Also check out Practical Unix & Internet Security.
"zottmann" writes: You've got two excellent replies regarding the firewall architecture that you should use. Regarding the Windows 2003 authentication on the intranet Web site, assuming you are going to use Apache to do this, there are some authentication modules that could work very well, such as mod_ntlm and mod_auth_ldap. You could set up your intranet Web site inside your LAN and place an Apache Web Server on your DMZ, mapping your intranet site with reverse proxy technique (see the ProxyPass directive).
SearchEnterpriseLinux.com expert Mark Hinkle writes: This is a pretty common request these days, and the answer is not that difficult. What you want to do is configure a proxy server. I would suggest you look at Squid to proxy your traffic and then authenticate the traffic from your Windows 2003 logon authentication database using Samba. Click here for more information about proxy authentication with Squid.
Get additional recommendations here.
Start your own discussion
Do you have a Windows security dilemma that needs quick attention? Talk about it in ITKE.
About the ITKnowledge Exchange
ITKnowledge Exchange is a place where IT pros can share ideas, expertise and get answers to their technical and strategic questions. It provides direct access between groups or individuals who are grappling with similar IT issues in a safe and seamless environment. Click to start participating today
or go to the Tip of the Week archives