IANASG[1] but shouldn't a box exposed to the internet be the most hardened regardless of its location on the physical network? In this example if the DMZ box was not sufficiently hardened and was exploited to the code red virus or its cousins via the internet would it not spread the same virus to the BE server which would then handle the task of infecting the rest of the network? As you say, there are a hellovalota unpatched webservers internal.
[1] I am not a security guy.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:bounce-
> [EMAIL PROTECTED] On Behalf Of Dean Cunningham
> Posted At: Wednesday, July 21, 2004 5:09 PM
> Posted To: swynk
> Conversation: DMZ ports for Front End Server
> Subject: RE: DMZ ports for Front End Server
>
> Hello Ed, you know you and I will never agree on this :-)
>
> You're assuming that any compromise is worried about attacking domain
> controllers. Code red and alike did not give a hoot about DCs; all it was
> concerned about was a buffer overrun in IIS. Betcha dollars to donuts
> there are a hellovalota unpatched webservers internal on people's LANs
> compared to DMZs.
>
> >>> [EMAIL PROTECTED] 22/07/2004 9:27:14 a.m. >>>
> Big deal. If it's compromised in the DMZ, they have access to domain
> controllers. If putting front-end servers in the DMZ makes you feel
> better, then so be it. That feeling doesn't mean that you're any safer.
>
> Ed Crowley MCSE+Internet MVP
> Freelance E-Mail Philosopher
> Protecting the world from PSTs and Bricked Backups!™
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Dean
> Cunningham
> Sent: Wednesday, July 21, 2004 2:00 PM
> To: Exchange Discussions
> Subject: RE: DMZ ports for Front End Server
>
> You'll never convince me to do that ;-) if the FE is compromised, so is
> your whole network.
> At least with it in the DMZ, you have some control over the ports and
> addresses it can connect internally to.
>
> What persuaded you to change?
>
> >>> [EMAIL PROTECTED] 22/07/2004 7:10:36 a.m. >>>
> It is not really THAT many ports, but we had these discussions here a
> bunch of times and came to a conclusion that front-end in DMZ would not
> be a good thing to do. I actually used to be for the DMZ idea in the
> past but got persuaded to change my mind.
>
> If you still want to explore it, there are MS whitepapers on
> front-end/back-end Exchange configuration and on Exchange hosting that
> show all the ports that you will need to open.
>
> **********************************************************************
> Have you clicked on yet?
> www.nrc.govt.nz
> **********************************************************************
> NORTHLAND REGIONAL COUNCIL
>
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they
> are addressed. If you have received this email in error please notify
> [EMAIL PROTECTED]
> **********************************************************************
>
> _________________________________________________________________
> List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
> To unsubscribe send a blank email to [EMAIL PROTECTED]
> dl.sparklist.com
> Exchange List admin: [EMAIL PROTECTED]
> To unsubscribe via postal mail, please contact us at:
> Jupitermedia Corp.
> Attn: Discussion List Management
> 475 Park Avenue South
> New York, NY 10016
>
> Please include the email address which you have been contacted with.
