I agree with that. Money is often the determining factor. Ah...if only we had unlimited budgets.
Jason Cook
J.H. Ellwood and Associates
Network Administrator
[EMAIL PROTECTED]

-----Original Message-----
From: Jon Butler [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 06, 2002 1:30 PM
To: Exchange Discussions
Subject: RE: lesser of the evils - ssl or smtp

Perhaps I shouldn't have used the term "rule", but rather perhaps "a good security practice." It's better to let the kiddies play with a hardened DMZ bastion than your production Exchange Server ... but I also understand that's often not feasible for smaller companies. A good security paradigm can take some dough.

> -----Original Message-----
> From: Cook, Jason [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 06, 2002 2:18 PM
> To: Exchange Discussions
> Subject: RE: lesser of the evils - ssl or smtp
>
> Seems a little rash, Mr. Butler; a lot of small companies use
> the scenario presented by Rob Ellis originally. A firewall,
> a good hardware one anyway, is great protection if used
> effectively. OWA with SSL is a good and secure solution, so
> I'm curious as to why you believe that it's a "rule" to use a DMZ?
>
> Jason Cook
> J.H. Ellwood and Associates
> Network Administrator
> [EMAIL PROTECTED]
>
> -----Original Message-----
> From: Rob Ellis [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 06, 2002 1:06 PM
> To: Exchange Discussions
> Subject: RE: lesser of the evils - ssl or smtp
>
> No, not remote users, server SMTP traffic.
>
> We are proposing Citrix full desktop, OWA for some remote
> users, no POP/SMTP access for end users.
>
> The Webshield I mentioned is, as you say, part of TVD.
>
> Our design sounds very much like your setup.
>
> Regards,
>
> Rob Ellis
>
> -----Original Message-----
> From: Mellott, Bill [mailto:[EMAIL PROTECTED]]
> Sent: 06 June 2002 18:49
> To: Exchange Discussions
> Subject: RE: lesser of the evils - ssl or smtp
>
> I'll throw in .02
>
> Assuming you are referring to allowing remote users to get
> their e-mail.
>
> I'm doing the OWA thing for "remote/roaming" users.
> I do some Citrix for full desktops.
> I do NOT allow users to connect to the Exch box at this time
> via SMTP/POP.
>
> I do at this time use the Simple Webshield product bundled
> with the NIA/McAfee TVD suite. It does reside on its own machine.
> so Internet smtp > webshield > Exch.
> Yes, the Webshield sits before the Exch box.
> Yes, it provides me with an additional layer of pre-Exch virus
> protection...works OK. Yes, it also provides some prefiltering
> on attachments...sucks...does not go any deeper than the first
> level, i.e. FWD> FWD it will miss.
> Note: Their full-blown product, Webshield APP, is supposed to
> work well..no exp with it, I'll keep my opinions to myself..
>
> If I had to let user(s) directly get to either port 110/POP
> and port 25/SMTP to do their e-mail...
> 1.) I would not ..that's me..
> 2.) Forced to only via some secure connection like a VPN.
>
> bill
>
> PS for those interested, I run the AV product too at the file
> level and scan all files on the Exchange box with no exceptions.
> ;-)
>
> -----Original Message-----
> From: Bendall, Paul [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 06, 2002 1:38 PM
> To: Exchange Discussions
> Subject: RE: lesser of the evils - ssl or smtp
>
> Okay, I'll add another spanner to your works. I would advise
> an SMTP relay server on your DMZ, but I really wouldn't use
> McAfee Webshield. Why, I hear you cry? For one, it is pretty bad
> at blocking viruses, and two, we have had no end of problems
> with it crashing or not sending to certain domains when it
> gets a DAT update. Why not use the SMTP component of IIS as
> your SMTP relay server and then use ScanMail or Antigen on
> your Exchange server? Either that or use someone like
> MessageLabs to outsource your antivirus too.
>
> Regards,
>
> Paul
>
> -----Original Message-----
> From: Rob Ellis [mailto:[EMAIL PROTECTED]]
> Sent: 06 June 2002 18:26
> To: Exchange Discussions
> Subject: lesser of the evils - ssl or smtp
>
> Ok, I've got a couple of scenarios; which of them is the least risky?
>
> Exchange 2000 mailbox server on the LAN, accepting/making
> connections using SMTP through a firewall to the internet
>
> Exchange 2000 mailbox server on the LAN, accepting SSL
> secured OWA connections from the internet, again, protected
> by a firewall.
>
> Basically I am being told I may have to do both with the same
> box, but I'd rather have the SMTP traffic going through a DMZ
> based gateway running McAfee Webshield, and let the OWA
> clients come into the internal box over SSL (which I see as
> less of a risk than opening up port 25).
>
> If you had to choose one of the 2 above scenarios, which would it be?
>
> Regards,
>
> Rob Ellis
>
> _________________________________________________________________
> List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> Archives: http://www.swynk.com/sitesearch/search.asp
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin: [EMAIL PROTECTED]
>
> ----------------------------------------------------------------------
> If you have received this e-mail in error or wish to read our e-mail
> disclaimer statement and monitoring policy, please refer to
> http://www.drkw.com/disc/email/ or contact the sender.
> ----------------------------------------------------------------------

