Whatever. There are many of us who deal with security on a daily basis as
part of our jobs.
Of course, I understand it's in your self-interest as a consultant to tell
us we don't know what we are doing and that the sky is falling...
-----Original Message-----
From: Frank Knobbe [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 17, 2001 8:47 PM
To: Exchange Discussions
Subject: RE: Firewall and Exchange Ports.


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> -----Original Message-----
> From: Ed Crowley [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, October 16, 2001 9:55 PM
> 
> Don't bother.  Use a proxy server and publish OWA.  Or require SSL and open
> port 443.  Or implement a VPN.  I still think putting an Exchange front-end
> server in a DMZ is kind of silly.  Not as silly with Exchange 2000 as with
> Exchange 5.5, but silly nonetheless.

Ed, 

I don't find this silly at all. Let me try to clarify:

Scenario A:

You have an Internet connection coming to a firewall. Behind the
firewall in your internal network you have an Exchange server. You
also have a web server (maybe on the same box, maybe different box).
You allow HTTPS traffic through the firewall to the web server in the
LAN.

Scenario B:

You have an Internet connection coming to a firewall. Behind the
firewall in your internal network you have an Exchange server. In a
DMZ segment (which can be a third network card in the firewall, or a
segment between two firewalls) you have a web server. HTTPS traffic
is allowed to the web server, and required ports (say, RPC, NetBIOS,
InfoStore, Directory) are allowed from the web server through the
firewall to the Exchange server.


Scenario A has the following disadvantages:
If your web server gets compromised, the hacker is in your internal
network. You have no means of further restricting access (besides
shutting the server down). Intrusion Detection is almost impossible
on the SSL session (unless you terminate SSL on a proxy and go clear
text from there). So a compromise can easily go undetected, and the
intruder can probe your network and advance access. The primary
intrusion containment is all of your internal network.

In Scenario B you have the following advantages:
If your web server gets compromised, the hacker can access everything
in the DMZ. He will have to discover the address of the Exchange
server (which can be made hard through proper host hardening). Once
he has that he can attack the Exchange server, but using Exchange as
another stepping stone to gain access to the rest of your network can
again be very hard. All those 'hard' items will buy you time. In
addition, Intrusion Detection in the DMZ can quickly alert you if it
sees 'strange' traffic coming from the web server (say FTP
connections, port scans, etc). The primary intrusion containment is
only the DMZ.

We can even go a step further. Using a host or network based IDS
system, you can potentially reconfigure the firewall in an automated
fashion to disallow any access from/to the web server in the DMZ. Now
that even the allowed ports are closed, the attacker has no way into
your network.


Scenario B buys you time and has far greater potential of protecting
your internal network.

Now, I'm primarily a security consultant, and less of an Exchange
consultant, so I may look at this differently than the average
Exchange Admin and mail list member. Reading comments like 'placing
OWA into the internal network can secure your DMZ' and 'OWA in the
DMZ opens you more up than OWA in your internal network' just makes me
scream, since from a security perspective they are completely wrong.

If anyone wants to seriously discuss this further in a professional
manner, please email me offline as I'm not going to enter a silly
discussion with armchair security 'experts' on the list.

Best regards,
Frank


-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8
Comment: PGP or S/MIME (X.509) encrypted email preferred.

iQA/AwUBO84mfpytSsEygtEFEQLS6gCgh9p15rpWGqhxhV91v1t55j3Fy3kAoJyp
HALyTWGaYQB8Ihjqgx1hWG71
=ooG7
-----END PGP SIGNATURE-----

_________________________________________________________________
List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
Archives:               http://www.swynk.com/sitesearch/search.asp
To unsubscribe:         mailto:[EMAIL PROTECTED]
Exchange List admin:    [EMAIL PROTECTED]

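The containment argument in Frank's message (Scenario A versus Scenario B, the DMZ sensor flagging 'strange' traffic from the web server, and the automated firewall reconfiguration that cuts the web server off) can be made concrete with a small reachability model. The following is an added example and is not code from the thread or from any of the participants; the host names, zone names, service labels and the sample flow records are constructed for illustration, and the model treats hosts on one segment as unfiltered while cross-segment traffic needs an explicit rule, which is the assumption the post makes.

```python
# Added example (not from the mailing-list thread): a reachability model of the
# two OWA placements described in the post, plus the "IDS alert -> firewall
# reconfiguration" step. Host, zone and service names are constructed.
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Host:
    name: str
    zone: str            # "internet", "dmz" or "lan"


@dataclass(frozen=True)
class Rule:
    src: str             # host allowed to initiate
    dst: str             # host that may be reached
    service: str         # constructed service label, e.g. "443/tcp"


@dataclass(frozen=True)
class Policy:
    hosts: Tuple[Host, ...]
    rules: Tuple[Rule, ...]

    def zone_of(self, name: str) -> str:
        return next(h.zone for h in self.hosts if h.name == name)

    def reachable_from(self, src: str) -> Set[Tuple[str, str]]:
        """Everything a foothold on `src` can talk to.

        Hosts on the same segment have no firewall between them, so every
        port is reachable ("*"); hosts on other segments are reachable only
        through an explicit rule.
        """
        zone = self.zone_of(src)
        reach = {(h.name, "*") for h in self.hosts
                 if h.name != src and h.zone == zone}
        reach |= {(r.dst, r.service) for r in self.rules
                  if r.src == src and self.zone_of(r.dst) != zone}
        return reach

    def allows(self, src: str, dst: str, service: str) -> bool:
        """Would the firewall pass this flow? Same-segment traffic always passes."""
        if self.zone_of(src) == self.zone_of(dst):
            return True
        return any(r.src == src and r.dst == dst and r.service == service
                   for r in self.rules)

    def quarantine(self, name: str) -> "Policy":
        """Drop every rule from/to `name`: the automated response in the post."""
        return Policy(self.hosts,
                      tuple(r for r in self.rules if name not in (r.src, r.dst)))


def unexpected_flows(policy: Policy, src: str,
                     flows: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Flows started by `src` that the policy does not allow.

    Stands in for the DMZ sensor in the post: anything the web server
    initiates beyond its permitted services counts as 'strange' traffic.
    """
    return [f for f in flows if f[0] == src and not policy.allows(*f)]


INTERNET = Host("internet", "internet")
EXCHANGE = Host("exchange", "lan")
FILESRV = Host("fileserver", "lan")

# Scenario A: the OWA web server sits on the LAN; only 443 is opened inbound.
SCENARIO_A = Policy(
    hosts=(INTERNET, Host("web", "lan"), EXCHANGE, FILESRV),
    rules=(Rule("internet", "web", "443/tcp"),),
)

# Scenario B: web server in a DMZ; 443 inbound, and only the Exchange
# services the post names are allowed from the web server into the LAN.
EXCHANGE_SERVICES = ("rpc", "netbios", "infostore", "directory")
SCENARIO_B = Policy(
    hosts=(INTERNET, Host("web", "dmz"), EXCHANGE, FILESRV),
    rules=(Rule("internet", "web", "443/tcp"),)
    + tuple(Rule("web", "exchange", s) for s in EXCHANGE_SERVICES),
)

# Constructed flow records as a sensor might see them: (src, dst, service).
SAMPLE_FLOWS = [
    ("web", "exchange", "rpc"),          # legitimate OWA back-end traffic
    ("web", "internet", "21/tcp"),       # outbound FTP from the web server
    ("web", "fileserver", "445/tcp"),    # probe toward another LAN host
]


def containment_report(policy: Policy) -> dict:
    """What a compromised web server reaches, what gets flagged, and what
    remains reachable once the flagged host is cut off."""
    alerts = unexpected_flows(policy, "web", SAMPLE_FLOWS)
    after = policy.quarantine("web") if alerts else policy
    return {
        "reachable": policy.reachable_from("web"),
        "alerts": alerts,
        "reachable_after_quarantine": after.reachable_from("web"),
    }


if __name__ == "__main__":
    for label, pol in (("A", SCENARIO_A), ("B", SCENARIO_B)):
        rep = containment_report(pol)
        print(f"Scenario {label}: foothold on web reaches {sorted(rep['reachable'])}")
        print(f"  flagged flows: {rep['alerts']}")
        print(f"  after quarantine: {sorted(rep['reachable_after_quarantine'])}")
```

Running it shows the asymmetry the post describes: in Scenario A the web server reaches every LAN host on every port, the probe toward the file server never crosses a firewall and so is never flagged, and pulling the inbound rule changes nothing about internal reach. In Scenario B the foothold reaches only the four named Exchange services, both the FTP connection and the LAN probe are flagged because neither matches a rule, and quarantining the web server leaves it with no path anywhere.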
