Took him that long to read FAQ 3.24? And still confuse 64k with 64,000?
Well, at least he knew how much 1k is.

> -----Original Message-----
> From: Pfefferkorn, Pete (PFEFFEPE) [mailto:[EMAIL PROTECTED]]
> Posted At: Thursday, October 18, 2001 01:46 PM
> Posted To: MSExchange Mailing List
> Conversation: Firewall and Exchange Ports.
> Subject: RE: Firewall and Exchange Ports.
> 
> 
> Went through TechNet and couldn't find any reference to the actual range.
> Found the articles on how to make it static, but no range. Also posted that
> question on the list asking about the range and I don't recall anyone
> stating what it was. The MS tech I talked to had to place me on hold 3
> times to get the answer.
> -----Original Message-----
> From: Don Ely [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, October 18, 2001 12:56 PM
> To: Exchange Discussions
> Subject: RE: Firewall and Exchange Ports.
> 
> 
> You could have searched the MSKB and figured that out. There's plenty of
> documentation out there...
> 
> -----Original Message-----
> From: Pfefferkorn, Pete (PFEFFEPE) [mailto:[EMAIL PROTECTED]] 
> Sent: Thursday, October 18, 2001 10:00 AM
> To: Exchange Discussions
> Subject: RE: Firewall and Exchange Ports.
> 
> 
> Just a note to everyone. We called Microsoft and inquired what the range
> for the two random ports was that Exchange allocates to the client once it
> connects to a socket. According to Microsoft the range is from 1,024 to
> 64,000.
> 
> -----Original Message-----
> From: Don Ely [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, October 18, 2001 10:16 AM
> To: Exchange Discussions
> Subject: RE: Firewall and Exchange Ports.
> 
> 
> No security consultant I know is going to open holes in the network from the
> DMZ to the Internal network. Being proficient in both Exchange and
> Security, I feel sorry for your clients if you suggest the model you propose
> below to them.
> 
> I think you ought to study up on security some more...
> 
> If you open holes from the DMZ to the internal LAN, why in the hell do you
> have a DMZ? You've made the DMZ virtually pointless. Or did your teacher
> or the book you read say something different? If it were a book that told you
> to configure things this way, please send me the ISBN number; I really wanna
> read that book. Apparently, I've been taking the wrong approach for years
> now.
> 
> I happen to know of a company who has the same model you describe. After I
> showed them the security issues, they were desiring a change for the better
> immediately.
> 
> -----Original Message-----
> From: Frank Knobbe [mailto:[EMAIL PROTECTED]] 
> Sent: Wednesday, October 17, 2001 5:47 PM
> To: Exchange Discussions
> Subject: RE: Firewall and Exchange Ports.
> 
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> > -----Original Message-----
> > From: Ed Crowley [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, October 16, 2001 9:55 PM
> > 
> > Don't bother. Use a proxy server and publish OWA. Or require SSL and
> > open port 443. Or implement a VPN. I still think putting an Exchange
> > front-end server in a DMZ is kind of silly. Not as silly with Exchange
> > 2000 as with Exchange 5.5, but silly nonetheless.
> 
> Ed, 
> 
> I don't find this silly at all. Let me try to clarify:
> 
> Scenario A:
> 
> You have an Internet connection coming to a firewall. Behind the firewall in
> your internal network you have an Exchange server. You also have a web
> server (maybe on the same box, maybe different box). You allow HTTPS traffic
> through the firewall to the web server in the LAN.
> 
> Scenario B:
> 
> You have an Internet connection coming to a firewall. Behind the firewall in
> your internal network you have an Exchange server. In a DMZ segment (which
> can be a third network card in the firewall, or a segment between two
> firewalls) you have a web server. HTTPS traffic is allowed to the web
> server, and required ports (say, RPC, NetBIOS, InfoStore, Directory) are
> allowed from the web server through the firewall to the Exchange server.
> 
> 
> Scenario A has the following disadvantages:
> If your web server gets compromised, the hacker is in your internal network.
> You have no means of further restricting access (besides shutting the server
> down). Intrusion Detection is almost impossible on the SSL session (unless
> you terminate SSL on a proxy and go clear text from there). So a compromise
> can easily go undetected, and the intruder can probe your network and
> advance access. The primary intrusion containment is all of your internal
> network.
> 
> In Scenario B you have the following advantages:
> If your web server gets compromised, the hacker can access everything in the
> DMZ. He will have to discover the address of the Exchange server (which can
> be made hard through proper host hardening). Once he has that he can attack
> the Exchange server, but using Exchange as another stepping stone to gain
> access to the rest of your network can again be very hard. All those 'hard'
> items will buy you time. In addition, Intrusion Detection in the DMZ can
> quickly alert you if it sees 'strange' traffic coming from the web server
> (say FTP connections, port scans, etc). The primary intrusion containment is
> only the DMZ.
> 
> We can even go a step further. Using a host- or network-based IDS system, you
> can potentially reconfigure the firewall in an automated fashion to disallow
> any access from/to the web server in the DMZ. Now that even the allowed ports
> are closed, the attacker has no way into your network.
> 
> 
> Scenario B buys you time and has far greater potential of protecting your
> internal network.
> 
> Now, I'm primarily a security consultant, and less of an Exchange
> consultant, so I may look at this differently than the average Exchange
> Admin and mail list member. Reading comments like 'placing OWA into the
> internal network can secure your DMZ' and 'OWA in the DMZ opens you more up
> than OWA in your internal network' just make me scream since from a security
> perspective, they are completely wrong.
> 
> If anyone wants to seriously discuss this further in a professional manner,
> please email me offline as I'm not going to enter a silly discussion with
> armchair security 'experts' on the list.
> 
> Best regards,
> Frank
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Personal Privacy 6.5.8
> Comment: PGP or S/MIME (X.509) encrypted email preferred.
> 
> iQA/AwUBO84mfpytSsEygtEFEQLS6gCgh9p15rpWGqhxhV91v1t55j3Fy3kAoJyp
> HALyTWGaYQB8Ihjqgx1hWG71
> =ooG7
> -----END PGP SIGNATURE-----
> 
> _________________________________________________________________
> List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
> Archives:               http://www.swynk.com/sitesearch/search.asp
> To unsubscribe:         mailto:[EMAIL PROTECTED]
> Exchange List admin:    [EMAIL PROTECTED]
> 

_________________________________________________________________
List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
Archives:               http://www.swynk.com/sitesearch/search.asp
To unsubscribe:         mailto:[EMAIL PROTECTED]
Exchange List admin:    [EMAIL PROTECTED]
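Added example, not part of this thread or of any Microsoft documentation: a small egress monitor for the Scenario B design Frank describes. The argument for the DMZ is that the web server's reach into the internal network is limited to a known set of ports (RPC endpoint mapper, NetBIOS, and the dynamic RPC range the thread is arguing about, which tops out at 65535 rather than 64,000 unless the ports are made static) and that an IDS watches for anything else coming from that host, such as FTP connections or port scans. The script below applies an allow-list of that shape to a few constructed firewall log lines and reports both individual violations and bursts of distinct destination ports to one host. The hosts, ports, log format and thresholds are all assumptions made for the example.

```python
"""Egress-policy check for a DMZ web server (constructed example)."""
from collections import defaultdict
import re

DMZ_WEB = "192.0.2.10"   # constructed: OWA front end sitting in the DMZ
EXCHANGE = "10.0.0.5"    # constructed: Exchange server on the internal LAN

# What the DMZ web server is allowed to reach, as (host -> list of port ranges).
# 135 = RPC endpoint mapper, 137-139 = NetBIOS, 1024-65535 = the dynamic RPC
# range discussed in the thread (narrow it once the ports are pinned static).
ALLOWED = {
    EXCHANGE: [(135, 135), (137, 139), (1024, 65535)],
}

# Assumed log format: "<timestamp> ACCEPT|DROP proto=<p> src=<ip>:<port> dst=<ip>:<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_allowed(dst, dport):
    """True if the DMZ web server may talk to dst:dport under ALLOWED."""
    return any(lo <= dport <= hi for lo, hi in ALLOWED.get(dst, []))


def analyse(lines, scan_threshold=5):
    """Check connections originating at DMZ_WEB.

    Returns (violations, scans): violations is a list of
    (timestamp, dst, dport, action) tuples for connections outside the
    allow-list; scans maps a destination host to the sorted set of ports the
    web server touched on it when that count reaches scan_threshold.
    Dropped attempts are reported too: the point is that the web server
    trying to reach somewhere new is itself the signal of a compromise.
    """
    violations = []
    ports_per_host = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["src"] != DMZ_WEB:
            continue  # inbound HTTPS and other hosts are out of scope here
        ports_per_host[rec["dst"]].add(rec["dport"])
        if not is_allowed(rec["dst"], rec["dport"]):
            violations.append((rec["ts"], rec["dst"], rec["dport"], rec["action"]))
    scans = {h: sorted(p) for h, p in ports_per_host.items() if len(p) >= scan_threshold}
    return violations, scans


# Constructed sample: two legitimate RPC connections to Exchange, an inbound
# HTTPS session (ignored), one FTP attempt to a file server, a five-port
# probe of another internal host, and one unparseable line.
SAMPLE_LOG = [
    "2001-10-17T17:47:01 ACCEPT proto=tcp src=192.0.2.10:3200 dst=10.0.0.5:135",
    "2001-10-17T17:47:01 ACCEPT proto=tcp src=192.0.2.10:3201 dst=10.0.0.5:1457",
    "2001-10-17T17:47:02 ACCEPT proto=tcp src=198.51.100.7:51020 dst=192.0.2.10:443",
    "2001-10-17T17:48:10 DROP proto=tcp src=192.0.2.10:3202 dst=10.0.0.7:21",
    "2001-10-17T17:48:11 DROP proto=tcp src=192.0.2.10:3203 dst=10.0.0.9:21",
    "2001-10-17T17:48:11 DROP proto=tcp src=192.0.2.10:3204 dst=10.0.0.9:22",
    "2001-10-17T17:48:11 DROP proto=tcp src=192.0.2.10:3205 dst=10.0.0.9:23",
    "2001-10-17T17:48:12 DROP proto=tcp src=192.0.2.10:3206 dst=10.0.0.9:25",
    "2001-10-17T17:48:12 DROP proto=tcp src=192.0.2.10:3207 dst=10.0.0.9:80",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    bad, probes = analyse(SAMPLE_LOG)
    for ts, dst, dport, action in bad:
        print(f"{ts} policy violation: {DMZ_WEB} -> {dst}:{dport} ({action})")
    for host, ports in probes.items():
        print(f"probable port scan of {host}: ports {ports}")
```

On the sample input the script reports six violations (the FTP attempt plus the five probes) and one probable scan of 10.0.0.9. A real deployment would feed the firewall's own log format into parse_line and tighten the 1024-65535 range to whatever static RPC ports the Exchange server has been pinned to, which is the "make it static" step the thread refers to.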
