is it safe to put KDC into DMZ?

Jeffrey Altman jaltman2 at nyc.rr.com
Mon Sep 11 11:17:38 EDT 2006


Herbert Steininger wrote:
> Hi,
> 
> Just wanted to know if it is safe to put a KDC-Server into DMZ?
> 
> TIA
> Herbert

Kerberos is designed to be the authentication service that clients
will use to obtain access to the rest of the services within your
infrastructure.  As such it must be accessible to the clients in
order for it to perform its job.

Adding a proxy service in front of the KDC would not add any additional
security but does increase the amount of code that would need to be
audited to protect against attacks.

Whether you decide to place your KDC in the DMZ is a decision that
must be made based upon a risk assessment of your organization's
infrastructure.  However, it is the intent of the designers that making
access to the KDC publicly available should be safe.

Jeffrey Altman
Secure Endpoints Inc.


