How would you expect to secure Exchange and put it in a DMZ? Let's say that you "secure" the box by putting it in the DMZ. This usually means that you've restricted port access to the server to the HTTPS port.
Okay, fine. Now why isn't this same box secure if you put it inside the network and restrict the same ports? Well, you say, if the box's security is breached, you're still protected. Common response, but very incorrect.

If your DMZ box gets breached, and a hacker is able to launch a script on the box, then let's see what they have access to. All other Exchange Servers and Domain Controllers at a minimum, and more than likely NetBIOS access to every machine on the network with 139 open. But let's say that you restricted it as much as possible. Then you only have access to Exchange Servers and Domain Controllers. Do you happen to see the problem here? Once you have access to the Domain Controllers, it really doesn't matter what else you have access to! So by putting an Exchange Server in the DMZ, you completely compromised the DMZ.

BTW, the concept of the DMZ is an area in which connections enter, but do not exit. The original types of DMZ boxes were FTP servers. People from the inside would FTP to the server and drop off files, people on the outside would FTP to the server and pick up the files. At the point that you allow a connection to exit the DMZ, you have compromised the security of the DMZ.

-----Original Message-----
From: Matt Plahtinsky [mailto:[EMAIL PROTECTED]]
Posted At: Monday, March 18, 2002 8:48 AM
Posted To: Microsoft Exchange
Conversation: Front-End/Back-End Topology - Ex2K
Subject: RE: Front-End/Back-End Topology - Ex2K

How do you guys secure Exchange with OWA and POP/IMAP if you don't put it in a DMZ?

Matt

