BillB
Tera Contributor

vpn image2.jpg

Last week we discussed why you don't need to use a VPN when running a user data import, and can instead use the MID server. But what if you don't want to use a MID server to sync data?

You still don't need a VPN tunnel!

VPN tunnels leave a leg in both networks unencrypted. So, a better method would be to use LDAPS-over-the-Internet.

I know, I know…"But it's our Domain Controller," you say, "sensitive data. We can't have that open to the Internet!" Right?

Well, SSL encrypts the traffic over the Internet using the same encryption methods as IPSec tunnels. If the data is intercepted, then either method, SSL or VPN, would present the same challenges to an attacker. In fact, VPN tunnels use pre-shared keys, which are basically like passwords. Most of the ones I have seen are pretty weak and fairly short—the equivalent of one word.

Using LDAPS-over-the-Internet

By contrast, the SSL key is several lines long, always gibberish, extremely hard to guess, and can be changed at-will by you, our customer, according to whatever policy you decide to implement, and all without even needing to involve anyone at ServiceNow. Change the key once a year or once a month—it's completely up to you. Simply upload the new key over an encrypted channel to your instance and you have a new set of encryption parameters. Changing VPN pre-shared keys, on the other hand, require a tunnel outage. I have never seen anyone change a tunnel key except when completely changing out their peers. SSL certificates are updated on a more frequent basis in most cases.

When using LDAPS-over-the-Internet without a VPN tunnel, is the server exposed to the Internet? Microsoft introduced the concept of a Read Only Domain Controller (RODC) in Windows 2008, which can be configured to not store any passwords. Since ServiceNow never asks for a password and makes a read-only Bind query to validate a token instead, this technology is perfect for our use case. Simply install an RODC in a DMZ, lock down access to allow connections from only the specific source addresses from ServiceNow and the port number of your choosing (since you can configure this in the Instance), and an attacker would be hard-pressed to obtain that information. Top that off with the fact that an attacker would need the key that you export and upload to your Instance (again over an encrypted channel), along with the username, password, and starting directory that you configure, and you have a very secure connection point.

All this to say, LDAPS-over-the-Internet will give you the flexibility to make changes to your environment quickly and efficiently without the need to engage ServiceNow to modify a tunnel. Your LDAPS-over-the-Internet solution would look something like this:

  1. You have a domain controller in your network. You install an RODC in a DMZ with a public IP address.
  2. On your firewall, you allow connections to that public IP address from only the specific source addresses that ServiceNow will be using from the two (paired) data centers where your instances are located.
  3. You further lock down access to a port of your choosing and do a port translation (PAT) on your firewall to redirect the non-standard port to port 636 (LDAPS).
  4. You then configure the non-standard port in your instance and upload the SSL cert over an encrypted channel.
  5. If you want to get really creative, you could also implement stateful inspection to ensure that only LDAP traffic is passing through, thereby preventing other TCP connections to your RODC.

Of course, using the MID server is much easier. But the MID server can't be used for authentication. For that we need something that is on-demand when we log in.

Check out Part III for why you still don't need VPN and the benefits of using Single Sign-On (SSO).

10 Comments
Terry Carter Jr
Tera Contributor

Thank you, thank you, thank you Bill!   Very well put together and easy to understand.   I'm enjoying educating myself from your series.  


BillB
Tera Contributor

You're quite welcome Terry, and thanks for the feedback.  


ravi1_tandon
Mega Guru

Cannot agree more. I recently ran into a situation where customer security team was not willing to go over LDAPS and we had to invest lot of time to prove that it is the most easiest   and safest way.



I wished this article was available at community at time, but its never too late.



Thanks Bill


BillB
Tera Contributor

Thanks Ravi!   Hopefully this will help future endeavors.  


ravi1_tandon
Mega Guru

Hello Bill,



Do you have a network diagram that shows this? One of my customer is looking for that.



I am planning to create but thought if you have something ready with information that can be shared then I will not have to reinvent the wheel



Regards



Ravi Tandon


Azad2
Tera Contributor

Many thanks Bill,


Your article is much appreciated, however, I was wondering if the step 5 (DPI) would work, since the traffic is encrypted.



Cheers,


Azad


sbostedor
Kilo Explorer

I'm looking for the IP address ranges to lock this down to and i cannot find that documentation anywhere.   What are the SN datacenter IP ranges that we can lock this down to at the firewall?


Kumar Tella
Mega Expert

The IP information can be found on HI instance (ServiceNow Customer Service System ) or submit request thru HI, you may need primary and backup data centers IPs.


Kumar Tella
Mega Expert

The image from Hi looks like this.


myIpInfoDiagram.pngx


Inactive_Us2231
Giga Expert

Hi Bill,

Really informative and an excellent blog. Had few questions, probably all silly one's, but still would like to know

1) If i am configuring my AD with VPN how do i define my LDAP server in the list of servers??

2) you have mentioned about LDAPS-over-the-internet without tunnel. so is it possible to have LDAPS-over-the-internet with VPN tunnel also?

3) Lets say if there is a VPN configured between servicenow and a client network. How do you test that the request is received at the other or if there is something that goes wrong, how would you troubleshoot.

Will highly appreciate your response on this 🙂