It seems to be working, though some applications have a hard time with IPsec.

Amit Zinman MCSE, Project Manager
Professional Services Group
Getronics (Israel)
Tel: +972-3-5127306
Mobile: +972-53-570139
Email: [EMAIL PROTECTED]

-----Original Message-----
From: Neil Hobson [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 18, 2001 4:32 PM
To: Exchange Discussions
Subject: RE: Firewall and Exchange Ports.

How do you rate using IPSec between FE and BE?

Neil

-----Original Message-----
From: Don Ely [mailto:[EMAIL PROTECTED]]
Posted At: 18 October 2001 15:30
Posted To: Exchange Mailing List
Conversation: Firewall and Exchange Ports.
Subject: RE: Firewall and Exchange Ports.

I will somewhat agree with you there as I have also experienced that as well. Although, I try very hard to not advocate that kind of usage. In certain circumstances yes, in the case of OWA, I don't think so. Then again, I'm rather uptight when it comes to things like that. ;o)

D

-----Original Message-----
From: Chris Scharff [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 18, 2001 7:23 AM
To: Exchange Discussions
Subject: RE: Firewall and Exchange Ports.

Hmm... I don't know. I think there are instances where a box in the DMZ communicating with the internal network makes sense. I think the number of scenarios where allowing that same box to also talk to an external network makes sense is very small.

> -----Original Message-----
> From: Don Ely [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, October 18, 2001 9:16 AM
> To: Exchange Discussions
> Subject: RE: Firewall and Exchange Ports.
>
> No security consultant I know is going to open holes in the network from the DMZ to the Internal network. Being proficient in both Exchange and Security, I feel sorry for your clients if you suggest the model you propose below to them.
>
> I think you ought to study up on security some more...
>
> If you open holes from the DMZ to the internal LAN, why in the hell do you have a DMZ? You've made the DMZ virtually pointless. Or did your teacher or the book you read say something different? If it were a book that told you to configure things this way, please send me the ISBN number, I really wanna read that book. Apparently, I've been taking the wrong approach for years now.
>
> I happen to know of a company who has the same model you describe. After I showed them the security issues, they were desiring a change for the better immediately.
>
> -----Original Message-----
> From: Frank Knobbe [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, October 17, 2001 5:47 PM
> To: Exchange Discussions
> Subject: RE: Firewall and Exchange Ports.
>
> > -----Original Message-----
> > From: Ed Crowley [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, October 16, 2001 9:55 PM
> >
> > Don't bother. Use a proxy server and publish OWA. Or require SSL and open port 443. Or implement a VPN. I still think putting an Exchange front-end server in a DMZ is kind of silly. Not as silly with Exchange 2000 as with Exchange 5.5, but silly nonetheless.
>
> Ed,
>
> I don't find this silly at all. Let me try to clarify:
>
> Scenario A:
>
> You have an Internet connection coming to a firewall. Behind the firewall in your internal network you have an Exchange server. You also have a web server (maybe on the same box, maybe a different box). You allow HTTPS traffic through the firewall to the web server in the LAN.
>
> Scenario B:
>
> You have an Internet connection coming to a firewall. Behind the firewall in your internal network you have an Exchange server. In a DMZ segment (which can be a third network card in the firewall, or a segment between two firewalls) you have a web server. HTTPS traffic is allowed to the web server, and required ports (say, RPC, NetBIOS, InfoStore, Directory) are allowed from the web server through the firewall to the Exchange server.
>
> Scenario A has the following disadvantages:
> If your web server gets compromised, the hacker is in your internal network. You have no means of further restricting access (besides shutting the server down). Intrusion Detection is almost impossible on the SSL session (unless you terminate SSL on a proxy and go clear text from there). So a compromise can easily go undetected, and the intruder can probe your network and advance access. The primary intrusion containment is all of your internal network.
>
> In Scenario B you have the following advantages:
> If your web server gets compromised, the hacker can access everything in the DMZ. He will have to discover the address of the Exchange server (which can be made hard through proper host hardening). Once he has that he can attack the Exchange server, but using Exchange as another stepping stone to gain access to the rest of your network can again be very hard. All those 'hard' items will buy you time. In addition, Intrusion Detection in the DMZ can quickly alert you if it sees 'strange' traffic coming from the web server (say FTP connections, port scans, etc). The primary intrusion containment is only the DMZ.
>
> We can even go a step further. Using a host or network based IDS system, you can potentially reconfigure the firewall in an automated fashion to disallow any access from/to the web server in the DMZ. Now even the allowed ports are closed, and the attacker has no way into your network.
>
> Scenario B buys you time and has far greater potential of protecting your internal network.
>
> Now, I'm primarily a security consultant, and less of an Exchange consultant, so I may look at this differently than the average Exchange Admin and mail list member. Reading comments like 'placing OWA into the internal network can secure your DMZ' and 'OWA in the DMZ opens you more up than OWA in your internal network' just makes me scream since, from a security perspective, they are completely wrong.
>
> If anyone wants to seriously discuss this further in a professional manner, please email me offline as I'm not going to enter a silly discussion with armchair security 'experts' on the list.
>
> Best regards,
> Frank
>
> _________________________________________________________________
> List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> Archives: http://www.swynk.com/sitesearch/search.asp
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin: [EMAIL PROTECTED]
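As an added example (not part of any message in this thread), the following Python sketch turns Frank's Scenario B into a checkable policy: only the listed flows are permitted, anything else leaving the DMZ web server is flagged as the 'strange' traffic he wants IDS to catch, and a scan-like burst of unexpected ports yields the 'isolate the web server' decision he describes. The addresses, port numbers, log format and threshold are all assumptions made up for the example.

```python
"""Scenario B policy check over constructed DMZ firewall log lines. Added
example, not from the thread; addresses, ports, log format and threshold
are assumptions (ports stand in for "RPC, NetBIOS, InfoStore, Directory")."""
from collections import defaultdict

WEB = "192.0.2.10"        # DMZ web server (assumed address)
EXCHANGE = "10.0.0.20"    # internal Exchange server (assumed address)
ALLOWED = {               # permitted (src, dst, dst_port); "any" = Internet
    ("any", WEB, 443),       # HTTPS in to the web server
    (WEB, EXCHANGE, 135),    # RPC endpoint mapper
    (WEB, EXCHANGE, 139),    # NetBIOS session service
    (WEB, EXCHANGE, 1200),   # InfoStore on a pinned RPC port (assumed)
    (WEB, EXCHANGE, 1201),   # Directory on a pinned RPC port (assumed)
}
SCAN_THRESHOLD = 5        # distinct unexpected ports to one host => scan-like

def parse(line):
    """Parse 'ts src dst dst_port proto' (constructed log format)."""
    ts, src, dst, port, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto}

def is_allowed(ev):
    """True if the flow is one of the Scenario B permitted flows."""
    return ((ev["src"], ev["dst"], ev["port"]) in ALLOWED
            or ("any", ev["dst"], ev["port"]) in ALLOWED)

def evaluate(lines):
    """Return (alerts, isolate): 'strange' flows leaving the web server, and
    whether a scan-like pattern warrants closing every port to/from it."""
    alerts, ports_seen = [], defaultdict(set)
    for ev in map(parse, lines):
        if ev["src"] != WEB or is_allowed(ev):
            continue          # inbound or permitted traffic is not of interest
        alerts.append(f"{ev['ts']} {ev['src']}->{ev['dst']}:{ev['port']}/{ev['proto']}")
        ports_seen[ev["dst"]].add(ev["port"])
    isolate = any(len(p) >= SCAN_THRESHOLD for p in ports_seen.values())
    return alerts, isolate

SAMPLE_LOG = [  # constructed sample lines
    "12:00:01 203.0.113.5 192.0.2.10 443 tcp",   # normal OWA client
    "12:00:02 192.0.2.10 10.0.0.20 135 tcp",     # permitted RPC to Exchange
    "12:00:03 192.0.2.10 10.0.0.20 21 tcp",      # FTP from web server: strange
    "12:00:04 192.0.2.10 10.0.0.21 22 tcp",      # five ports on one internal
    "12:00:04 192.0.2.10 10.0.0.21 23 tcp",      # host in one second: scan-like
    "12:00:04 192.0.2.10 10.0.0.21 25 tcp",
    "12:00:04 192.0.2.10 10.0.0.21 80 tcp",
    "12:00:04 192.0.2.10 10.0.0.21 445 tcp",
]
```

Running `evaluate(SAMPLE_LOG)` yields six alerts (the FTP attempt plus the five probes) and `isolate == True`; the first two sample lines alone produce no alerts.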

