[snip for brevity]
Scenario A has the following disadvantages: If your web server gets compromised, the hacker is in your internal network. You have no means of further restricting access (besides shutting the server down). Intrusion detection is almost impossible on the SSL session (unless you terminate SSL on a proxy and go clear text from there), so a compromise can easily go undetected, and the intruder can probe your network and advance access. The primary intrusion containment is all of your internal network.

In Scenario B you have the following advantages: If your web server gets compromised, the hacker can access everything in the DMZ. He will have to discover the address of the Exchange server (which can be made hard through proper host hardening). Once he has that he can attack the Exchange server, but using Exchange as another stepping stone to gain access to the rest of your network can again be very hard. All those 'hard' items will buy you time. In addition, intrusion detection in the DMZ can quickly alert you if it sees 'strange' traffic coming from the web server (say FTP connections, port scans, etc.). The primary intrusion containment is only the DMZ.

We can even go a step further. Using a host- or network-based IDS system, you can potentially reconfigure the firewall in an automated fashion to disallow any access from/to the web server in the DMZ. Now even the allowed ports are closed, and the attacker has no way into your network. Scenario B buys you time and has far greater potential of protecting your internal network.

Now, I'm primarily a security consultant, and less of an Exchange consultant, so I may look at this differently than the average Exchange admin and mailing list member. Reading comments like 'placing OWA into the internal network can secure your DMZ' and 'OWA in the DMZ opens you up more than OWA in your internal network' just makes me scream, since from a security perspective they are completely wrong.
If anyone wants to seriously discuss this further in a professional manner, please email me offline, as I'm not going to enter a silly discussion with armchair security 'experts' on the list.

Best regards,
Frank

Well, I'm not an expert in security, Exchange, or beermaking, but if you told me this in a consultation, I would ask this question: Aren't you assuming that any hosts in the trusted LAN in Scenario A are completely defenseless and unmonitored, while all the hosts in the DMZ and the trusted LAN in Scenario B are completely hardened, monitored and have other defense systems like IDS running? Isn't this begging the question?

The next question that I would have for you (and it may be one based on my ignorance) is: why is it harder (all things being equal) for a hacker to exploit 3 or 4 different services that have holes in my firewall (NetBIOS, RPC, SMB, etc. for OWA through a DMZ) than 1 open service (HTTPS)?

To get my company's money, you would have to prove and document these recommendations with independent documentation. Saying "I'm an expert, and no one else is" wouldn't go too far. Not saying you're wrong, mind. I just think you have to show your work to get credit for this answer.

Jim Helfer

_________________________________________________________________
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]
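The containment argument in the two posts above, worked through as an added example (this is not code from either poster or from the list): a toy first-match firewall model that computes what a compromised OWA front end can still reach in Scenario A (front end on the trusted LAN, only HTTPS forwarded in) and in Scenario B (front end in a DMZ, a handful of back-end ports opened toward Exchange), and then what remains after the IDS-driven reconfiguration Frank describes. Host names, zones and the concrete port numbers for the "NetBIOS, RPC, SMB" back-end traffic are assumptions constructed for the example; the real list depends on the Exchange version and is not given in the thread.

```python
"""Toy first-match firewall policy model for the two OWA placements.

Constructed example: every host name, zone and port number below is an
assumption made for illustration, not taken from the original thread.
"""
from dataclasses import dataclass

# Hosts in the model (assumed names).
INTERNET = "internet"
WEB = "owa-front-end"
EXCH = "exchange"
FILESRV = "fileserver"
DC = "domain-controller"
HOSTS = [WEB, EXCH, FILESRV, DC]

# A small assumed set of candidate ports to probe; not a real port scan.
PORTS = [25, 80, 135, 139, 443, 445, 1433, 3389]

# Ports the DMZ front end is allowed to reach on Exchange in Scenario B.
# The thread names NetBIOS, RPC and SMB; these numbers are an assumption.
OWA_BACKEND_PORTS = {135, 139, 445}

ANY = "*"


@dataclass(frozen=True)
class Rule:
    src: str        # host name, zone name, or ANY
    dst: str        # host name, zone name, or ANY
    port: object    # int or ANY
    allow: bool


def matches(pattern, value, zones):
    """A pattern matches a host by exact name, by its zone, or as ANY."""
    return pattern == ANY or pattern == value or pattern == zones.get(value)


def evaluate(rules, zones, src, dst, port):
    """First matching rule wins. Traffic that never crosses a zone boundary
    is not filtered (no firewall sits between hosts on one segment);
    cross-zone traffic that matches no rule is dropped (default deny)."""
    for r in rules:
        if (matches(r.src, src, zones) and matches(r.dst, dst, zones)
                and r.port in (ANY, port)):
            return r.allow
    return zones[src] == zones[dst]


def reachable(rules, zones, src):
    """Set of (host, port) pairs that src can open a connection to."""
    return {(h, p) for h in HOSTS for p in PORTS
            if h != src and evaluate(rules, zones, src, h, p)}


def quarantine(rules, host):
    """What an IDS-triggered reconfiguration would do: prepend deny-all
    rules for the host so they match before any existing allow rule."""
    return [Rule(host, ANY, ANY, False), Rule(ANY, host, ANY, False)] + list(rules)


# Scenario A: front end on the trusted LAN, only HTTPS forwarded in.
ZONES_A = {INTERNET: "outside", WEB: "inside", EXCH: "inside",
           FILESRV: "inside", DC: "inside"}
RULES_A = [Rule(INTERNET, WEB, 443, True)]

# Scenario B: front end in the DMZ, HTTPS in, back-end ports to Exchange only.
ZONES_B = {INTERNET: "outside", WEB: "dmz", EXCH: "inside",
           FILESRV: "inside", DC: "inside"}
RULES_B = ([Rule(INTERNET, WEB, 443, True)]
           + [Rule(WEB, EXCH, p, True) for p in sorted(OWA_BACKEND_PORTS)])


def compromised_web_server_reach():
    """Reach of an attacker on the front end: Scenario A, Scenario B, and
    Scenario B after the front end has been quarantined."""
    a = reachable(RULES_A, ZONES_A, WEB)
    b = reachable(RULES_B, ZONES_B, WEB)
    b_quarantined = reachable(quarantine(RULES_B, WEB), ZONES_B, WEB)
    return a, b, b_quarantined


if __name__ == "__main__":
    a, b, bq = compromised_web_server_reach()
    print("Scenario A, compromised front end reaches:", len(a), "host/port pairs")
    print("Scenario B, compromised front end reaches:", sorted(b))
    print("Scenario B after quarantine:", sorted(bq))
    print("Exposure from the Internet is the same in both:",
          reachable(RULES_A, ZONES_A, INTERNET) == reachable(RULES_B, ZONES_B, INTERNET))
```

The model makes Jim's question concrete: from the Internet, the exposure is identical in both scenarios (one HTTPS port on the front end). The extra back-end ports in Scenario B are not holes toward the Internet; they are the only paths a compromised front end has left, and they lead to one host. In Scenario A the same compromise lands on the LAN segment, where nothing filters the attacker at all. Prepending the quarantine rules removes even the back-end paths, which is the step Frank describes as closing "even the allowed ports".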

