Whoops, my bad, you're right for port 80 and it cannot be changed at the BE. You would still be protected from 443 exploits.
>>> [EMAIL PROTECTED] 22/07/2004 10:56:40 a.m. >>>
Explain what you mean by: "port 80/443 is not open between the BE and the FE for the FE/BE to work." For a front-end Exchange 200x server to provide OWA service to a back-end server, port 80 must be open between them.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Cunningham
Sent: Wednesday, July 21, 2004 3:50 PM
To: Exchange Discussions
Subject: RE: DMZ ports for Front End Server

Hi Chris,

Port 80/443 is not open between the BE and the FE for the FE/BE to work. Therefore, there would be no infection of the BE! If the ports required to access the FE from the internet == ports required for FE to access BE, then you're right, there is no need for a DMZ.

IASOASG[1], any front-facing box should be hardened. Let's assume any port 80/443 attempt to a FE running OWA is a potential hostile[2]. Newcodered compromises FE via 80 or 443. It then uses the FE to scan for other 80 or 443 open ports. Now of course your firewall is set up to block port 80 incoming from the DMZ to LAN but allow it out from DMZ to INTERNET. End result is other DMZ servers (inc FE) with port 80/443 open compromised and those servers scanning 80/443 out on the INTERNET to propagate, but the LAN protected.

Typically you use the DMZ as a "constrain and harden" area. It is a lot easier to check to see if the DMZ servers have already been compromised and apply the patch, and feel safe in the knowledge that the internal server cannot be accessed by the attack[3]. This enables you to go through a more structured change control on your production servers in regard to patches.

Sure a hacker could compromise the FE and play "attack the domain controller". But what is the more likely scenario, "Newcodered" or "attack the domain controller"?

cheers
Dean

[1] IASOASG: I am sort of a security guy.
;-)
[2] Any remote device, whether it be a script kiddie's PC or a corporate road warrior's laptop, should be assumed hostile. Don't give me "but I connect via VPN" or "but I have a firewall on my laptop"; they should all be considered hostile because they can all be compromised.
[3] Of course, if the infiltration is via attachments in email you're probably screwed internally anyhoo. But that's another story...

>>> [EMAIL PROTECTED] 22/07/2004 10:20:23 a.m. >>>
IANASG[1], but shouldn't a box exposed to the internet be the most hardened regardless of its location on the physical network? In this example, if the DMZ box was not sufficiently hardened and was exploited by the Code Red virus or its cousins via the internet, would it not spread the same virus to the BE server, which would then handle the task of infecting the rest of the network? As you say, there are a hellovalota unpatched webservers internal.

[1] I am not a security guy.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:bounce-[EMAIL PROTECTED] On Behalf Of Dean Cunningham
> Posted At: Wednesday, July 21, 2004 5:09 PM
> Posted To: swynk
> Conversation: DMZ ports for Front End Server
> Subject: RE: DMZ ports for Front End Server
>
> Hello Ed, you know you and I will never agree on this :-)
>
> You're assuming that any compromise is worried about attacking domain
> controllers. Code Red and alike did not give a hoot about DCs; all it was
> concerned about was a buffer overrun in IIS. Betcha dollars to donuts
> there are a hellovalota unpatched webservers internal on people's LANs
> compared to DMZs.
>
> >>> [EMAIL PROTECTED] 22/07/2004 9:27:14 a.m. >>>
> Big deal. If it's compromised in the DMZ, they have access to domain
> controllers. If putting front-end servers in the DMZ makes you feel
> better, then so be it. That feeling doesn't mean that you're any
> safer.
>
> Ed Crowley MCSE+Internet MVP
> Freelance E-Mail Philosopher
> Protecting the world from PSTs and Bricked Backups!™
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Cunningham
> Sent: Wednesday, July 21, 2004 2:00 PM
> To: Exchange Discussions
> Subject: RE: DMZ ports for Front End Server
>
> You'll never convince me to do that ;-) If the FE is compromised, so is your
> whole network.
> At least with it in the DMZ, you have some control over the ports and
> addresses it can connect internally to.
>
> What persuaded you to change?
>
> >>> [EMAIL PROTECTED] 22/07/2004 7:10:36 a.m. >>>
> It is not really THAT many ports, but we had these discussions here a
> bunch of times and came to a conclusion that front-end in DMZ would
> not be a good thing to do. I actually used to be for the DMZ idea in
> the past but got persuaded to change my mind.
>
> If you still want to explore it, there are MS whitepapers on
> front-end/back-end Exchange configuration and on Exchange hosting that
> show all the ports that you will need to open.
>
> **********************************************************************
> Have you clicked on yet?
> www.nrc.govt.nz
> **********************************************************************
> NORTHLAND REGIONAL COUNCIL
>
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they
> are addressed.
> If you have received this email in error please notify
> [EMAIL PROTECTED]
> **********************************************************************
>
> _________________________________________________________________
> List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
> To unsubscribe send a blank email to [EMAIL PROTECTED]
> Exchange List admin: [EMAIL PROTECTED]
> To unsubscribe via postal mail, please contact us at:
> Jupitermedia Corp.
> Attn: Discussion List Management
> 475 Park Avenue South
> New York, NY 10016
>
> Please include the email address which you have been contacted with.
> _________________________________________________________________
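Added example, not from anyone in the thread: a small Python model of the DMZ firewall policy Dean describes (Internet to FE on 80/443, FE to BE on 80 because FE/BE needs it, the rest of DMZ to LAN denied, DMZ to Internet 80/443 open) that reports which hosts a compromised front-end could reach, so the effect of closing DMZ egress can be checked before the real firewall is touched. Host names, zones and rules are constructed for the illustration.

```python
"""Constructed model of the firewall policy debated in the thread: given a
source host (e.g. an owned OWA front-end), which hosts can it reach on 80/443?
Hosts, zones and rules are made up for this example."""
from collections import namedtuple

Rule = namedtuple("Rule", "src dst port action")  # src/dst: host name or zone name

ZONES = {                   # constructed topology
    "internet-client": "INTERNET",
    "fe-owa": "DMZ",        # Exchange front-end running OWA
    "dmz-web": "DMZ",       # another web server on the DMZ segment
    "be-exchange": "LAN",   # Exchange back-end
    "dc1": "LAN",           # domain controller
}

def decide(rules, src, dst, port):
    """First matching rule wins; unmatched traffic is denied. Hosts on the same
    segment never cross the firewall, so intra-zone traffic is always allowed."""
    if ZONES[src] == ZONES[dst]:
        return "allow"
    for r in rules:
        if (r.src in (src, ZONES[src], "ANY") and
                r.dst in (dst, ZONES[dst], "ANY") and r.port == port):
            return r.action
    return "deny"

def reachable(rules, src, ports=(80, 443)):
    """(host, port) pairs src can open: the blast radius if src is compromised."""
    return {(h, p) for h in ZONES if h != src
            for p in ports if decide(rules, src, h, p) == "allow"}

# Policy as described in the thread: Internet -> FE on 80/443, FE -> BE on 80
# (needed for FE/BE), other DMZ -> LAN denied, DMZ -> Internet 80/443 left open.
POLICY_OPEN_EGRESS = [
    Rule("INTERNET", "fe-owa", 80, "allow"),
    Rule("INTERNET", "fe-owa", 443, "allow"),
    Rule("fe-owa", "be-exchange", 80, "allow"),
    Rule("DMZ", "LAN", 80, "deny"),
    Rule("DMZ", "LAN", 443, "deny"),
    Rule("DMZ", "INTERNET", 80, "allow"),
    Rule("DMZ", "INTERNET", 443, "allow"),
]
# Tighter variant: drop the outbound rules so a worm on the FE cannot scan
# the Internet; the implicit deny covers that traffic.
POLICY_NO_EGRESS = [r for r in POLICY_OPEN_EGRESS if r.dst != "INTERNET"]

if __name__ == "__main__":
    for name, pol in (("open egress", POLICY_OPEN_EGRESS), ("no egress", POLICY_NO_EGRESS)):
        print(f"{name}: compromised fe-owa reaches {sorted(reachable(pol, 'fe-owa'))}")
```

Under both policies the BE on port 80 and the other DMZ server stay reachable from a compromised FE, which is the residual risk Dean's "constrain and harden" argument accepts; only the egress rules decide whether the FE can also scan outward.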
