[How-To] Secure your DMZ with a proxy

Back to Blog

[How-To] Secure your DMZ with a proxy

How to secure your DMZ with a proxy. Security is becoming ever more important. Securing the on-premise infrastructure is a top priority for many of our customers and we’re here to help. Today we’re going to tell you all about how to secure your DMZ with a proxy.

 

 

How-To use a proxy for LDAP, NTP and DNS

It is important that used ports are not opened across the board for all systems in order to seal off a DMZ. One common challenge is that when domain users want to log on to the DMZ, they cannot access the Active Directory servers.

The answer is to install a proxy server that forwards the queries coming from the DMZ. That applies to the NTP, DNS and LDAPS protocols.

To keep the DMZ isolated, ports 53 (DNS), 123 (NTP), 636 (LDAPS) and 3268-3269 (LDAP GC) are opened by the proxy to the Active Directory servers. All other systems in the DMZ are being served by the proxy server.

To set up the whole thing, you need a Linux system that serves as a proxy. The required services are installed and configured on it. Here we have used a current RedHat Enterprise Linux 8.

Because certain tools are no longer included in the base distribution, they have to be obtained from the opensource community.

OpenLDAP

OpenLDAP is used for proxying the LDAP queries. It can be obtained at https://ltb-project.org/ .
The configuration looks in our case as follows.

/usr/local/openldap/etc/openldap/slapd.conf

### Schema includes ###########################################################
include                 /usr/local/openldap/etc/openldap/schema/core.schema
include                 /usr/local/openldap/etc/openldap/schema/cosine.schema
include                 /usr/local/openldap/etc/openldap/schema/inetorgperson.schema
include                 /usr/local/openldap/etc/openldap/schema/misc.schema
include                 /usr/local/openldap/etc/openldap/schema/nis.schema
include                 /usr/local/openldap/etc/openldap/schema/microsoft.minimal.schema

## Module paths ##############################################################
modulepath              /usr/local/openldap/libexec/openldap
moduleload              back_ldap
moduleload              rwm

# Main settings ###############################################################
pidfile                 /usr/local/openldap/var/run/slapd.pid
argsfile                /usr/local/openldap/var/run/slapd.args

### Database definition (Proxy to AD) #########################################
database                ldap
suffix                  "DC=sample,DC=intra"
rootdn                  "cn=ldap,DC=sample,DC=intra"
rootpw                  "BIND-PW-PROXY"
readonly                yes
protocol-version        3
rebind-as-user          yes
uri                     "ldaps://ADC001,ldaps://ADC002"
idassert-bind bindmethod=simple
    binddn="CN=svc-ldap,OU=Service_Accounts,DC=sample,DC=intra"
    credentials="BIND-PW-AD"
    mode=none
    flags=non-prescriptive
    tls_reqcert=never
    tls_cacert=/usr/local/openldap/etc/openldap/CA.cer  # AD Certificate
overlay                 rwm
rwm-map                 attribute       uid     sAMAccountName

### Logging ###################################################################
loglevel                0

### Limits ####################################################################
sizelimit               unlimited

### LDAPS ####################################################################
TLSCACertificateFile /usr/local/openldap/etc/openldap/CA.cer # PKI CA Certificate
TLSCertificateFile /usr/local/openldap/etc/openldap/proxyldap001.cer # LDAP Proxy Certificate
TLSCertificateKeyFile /usr/local/openldap/etc/openldap/proxyldap001.key # LDAP Proxy Key

When the configuration has been created, the service can be started. A test can be made directly on the proxy.

[root@localhost]# ldapsearch -LLL -x -h localhost -b "DC=sample,DC=intra" -D "cn=ldap,DC=sample,DC=intra" -w "BIND-PW-PROXY" "(objectClass=USER)"

The output should now return all user objects of the AD.

NTP

To use Windows as source for the Linux Chrony service, the NTP service must be adapted on the Windows domain controllers. Else Chrony cannot trust the NTP servers.

Tasks on Windows

First, a CMD must be started as administrator. Then simply execute the following commands.

w32tm /config /manualpeerlist:"0.ch.pool.ntp.org,0x8 1.ch.pool.ntp.org,0x8 2.ch.pool.ntp.org,0x8 3.ch.pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
w32tm /resync /rediscover
w32tm /config /LocalClockDispersion:0 
w32tm /config /update
net stop w32time && net start w32time

Configuration on Linux

To use Linux as NTP proxy, you can simply use Chrony, which is included with RedHat. The configuration only has to be adjusted and the service has to be started afterwards.

/etc/chrony.conf
# These servers were defined in the installation: (Active Directory)
server 192.168.46.100 trust
server 192.168.46.101 trust
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).

# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift

# Allow the system clock to be stepped in the first three updates
# if its offset is larger than 1 second.
makestep 1.0 3

# Enable kernel synchronization of the real-time clock (RTC).
rtcsync

# Enable hardware timestamping on all interfaces that support it.
#hwtimestamp *

# Increase the minimum number of selectable sources required to adjust
# the system clock.
#minsources 2

# Allow NTP client access from local network. (DMZ)
allow 10.10.10.0/24

# Serve time even if not synchronized to a time source.
local stratum 5

# Specify file containing keys for NTP authentication.
keyfile /etc/chrony.keys

# Get TAI-UTC offset and leap seconds from the system tz database.
leapsectz right/UTC

# Specify directory for log files.
logdir /var/log/chrony

# Select which information is logged.
#log measurements statistics tracking

To test, you can query the sources.

[root@localhost]# chronyc sources
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 192.168.46.100                  2   6     1     9    +76us[  +76us] +/-   32ms
^  192.168.46.101                  4   6     1     9   +206us[ +206us] +/-   29ms

DNS

We use the ISC BIND service as DNS server. This is available for all current Linux distributions and can be configured easily.

Forwards can be easily configured for this purpose.

/etc/named.conf

options {
        listen-on port 53 { 127.0.0.1; 10.10.10.200; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; 10.10.10.0/24; };

        forwarders {
            192.168.46.100;
            192.168.46.101;
        };

        recursion yes;

        dnssec-enable no;
        dnssec-validation no;

        auth-nxdomain no;
        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

After starting the service, queries can be made via DNS.

[root@localhost]# nslookup ADC001
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   ADC001.sample.intra
Address: 192.168.46.100

Linux Firewall

To enable the systems in the DMZ to use the services, the Linux firewall must be opened accordingly.

firewall-cmd --add-service=dns --permanent 
firewall-cmd --add-service=ntp --permanent 
firewall-cmd --add-port=123/udp --permanent 
firewall-cmd --add-port=636/tcp --permanent 
firewall-cmd --reload

Summary

After configuring these three services, you have a working proxy that can answer NTP, DNS and LDAPS queries within the DMZ, and you don’t have to loop all systems through the firewall.

If you want to take your security to the next level, don’t hesitate to contact us and we’ll gladly help you make your IT infrastructure secure.

Share this post

Leave a Reply

Your email address will not be published.

Back to Blog