The Futility of Firewalls within Active Directory Boundaries

By Ken Travis, Wayland Engineering

Conventional wisdom suggests one should place firewalls between connected enterprise sites, even if those sites belong to the same Active Directory domain. IT staffs believe this will prevent every site from being compromised when one site suffers a security breach, but they don’t realize that the ports which must be open for AD (and many enterprise applications) to function are among the most dangerous, and allowing that traffic through those firewalls renders them practically useless. A much better strategy secures the domain boundary itself, so that an attacker never gets inside in the first place. Consider the corporation shown below. Corp corporation has three separate locations that need to be connected, in this case by VPNs. The VPNs themselves are secured from the Internet via encrypted tunnels.

Implementing a firewall at each end of a VPN tunnel while still allowing Active Directory to function would require these ports to be open between sites:

  • UDP Port 88 for Kerberos authentication
  • UDP and TCP Port 135 for domain controller-to-domain controller and client-to-domain controller operations
  • TCP Port 139 and UDP Port 138 for File Replication Service between domain controllers
  • UDP Port 389 for LDAP to handle normal queries from client computers to the domain controllers
  • TCP and UDP Port 445 for File Replication Service
  • TCP and UDP Port 464 for Kerberos password change
  • TCP Ports 3268 and 3269 for Global Catalog from client to domain controller
  • TCP and UDP Port 53 for DNS from client to domain controller and domain controller to domain controller
  • UDP Port 123 for time service

No doubt Corp corporation has other enterprise applications, including databases, email systems, shells, terminals, file transfers, and especially file sharing, all using ports that rank high on the list of services that would compromise security if an attacker had access to them.
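As an added illustration (not part of the article), the following Python script audits a constructed site-to-site firewall policy against the AD port list above: it separates the openings the domain mandates from discretionary ones such as database and remote-desktop ports, and flags any AD port the policy would block. The rule format and the sample policy are assumptions for the example, not taken from any real firewall product.

```python
# Added example (not from the article). The rule format and the policy below
# are constructed for illustration, not taken from any real firewall product.
AD_REQUIRED = {  # (protocol, port) pairs the article lists as required between sites
    ("udp", 88), ("tcp", 135), ("udp", 135), ("tcp", 139), ("udp", 138),
    ("udp", 389), ("tcp", 445), ("udp", 445), ("tcp", 464), ("udp", 464),
    ("tcp", 3268), ("tcp", 3269), ("tcp", 53), ("udp", 53), ("udp", 123),
}

def parse_rule(line):
    """Parse 'action proto portspec' (portspec like '53,3268-3269') into
    an (action, proto, ports) tuple."""
    action, proto, spec = line.split()
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return action.lower(), proto.lower(), frozenset(ports)

def is_allowed(rules, proto, port):
    """First matching rule wins; unmatched traffic is implicitly denied."""
    for action, rproto, ports in rules:
        if rproto == proto and port in ports:
            return action == "allow"
    return False

def audit(policy_lines):
    """Split what the policy lets through into AD-mandated and discretionary
    openings, and list AD ports it blocks (those break the domain across sites)."""
    rules = [parse_rule(ln) for ln in policy_lines if ln.strip()]
    allowed = {(p, n) for p in ("tcp", "udp") for n in range(1, 65536)
               if is_allowed(rules, p, n)}
    return {
        "ad_required_open": sorted(allowed & AD_REQUIRED),
        "ad_required_blocked": sorted(AD_REQUIRED - allowed),
        "discretionary": sorted(allowed - AD_REQUIRED),
    }

# Constructed policy for one end of Corp's VPN tunnel; first match wins.
SAMPLE_POLICY = [
    "allow udp 53,88,123,135,138,389,445,464",  # AD-required UDP ports
    "allow tcp 53,135,139,445,464,3268-3269",   # AD-required TCP ports
    "allow tcp 1433,3389",  # database and remote-desktop traffic for corporate apps
    "deny tcp 1-65535",
    "deny udp 1-65535",
]

if __name__ == "__main__":
    report = audit(SAMPLE_POLICY)
    print(len(report["ad_required_open"]), "openings AD mandates; discretionary:",
          report["discretionary"], "; AD ports blocked:", report["ad_required_blocked"])
```

Every rule in the first two lines of the sample is one the domain needs, so only the third line is something the firewall administrator is actually free to tighten.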

This all makes sense. Secure your castle walls, not your inner streets. Once they are within your gates, you’ve lost. You want your workers to have access and you want evildoers kept out, so don’t let them within your Active Directory boundaries.

Now the question comes up that some sites are more secure than others. The manufacturing site leaves its shop PCs logged in so workers can operate efficiently, the distribution center leaves its shipping dock doors open while awaiting a shipment with no one watching, and all of these departments need access to corporate systems to get their work done. How can I secure my corporation? I am not saying it’s the easiest way. I am saying it’s the only way. You have to establish a secure perimeter, or the enemy will get in.