Here's what's so sacred: your users' ability to generate revenue. It's all a matter of perspective -- to someone in a small office with a handful of users, intrustion detection and DMZs sound ridiculous, and in a lot of cases probably are. To someone in a large enterprise envrionment with uptime requirements of 4 or 5 nine's, it's absolutely necessary and non-negotiable, and in those situations the notion of having internet traffic talking directly to an internal server is about as likely as a CEO forgiving you when 3000 of your users can't work because you thought all that extra work was "tiresome."
> -----Original Message----- > From: Cook, Jason [mailto:[EMAIL PROTECTED]] > Sent: Friday, June 07, 2002 4:21 PM > To: Exchange Discussions > Subject: RE: lesser of the evils - ssl or smtp > > > What is it that's so sacred you're protecting. OWA with SSL > through a firewall is adequate for most places. The mail is > secure and that's it. Gotta have credentials to get in...so > that's it. DMZ is a waste of time to me. Constantly > monitoring and patching/fixing dmz boxes gets to be tiresome. > I mean, they're gonna get blasted for sure and if they get > taken out, so does whatever service you're running...unless > they're redundant. So what's the point? Besides, you've > opened up 80 to get to the backend Exchange box anyway. > > Jason Cook > J.H. Ellwood and Associates > Network Administrator > [EMAIL PROTECTED] > > > -----Original Message----- > From: Ragar, Russell [mailto:[EMAIL PROTECTED]] > Sent: Friday, June 07, 2002 3:02 PM > To: Exchange Discussions > Subject: RE: lesser of the evils - ssl or smtp > > Regarding Outlook Web Access deployments, particularly with > Exchange 2000, I can see a large benefit to deploying a front > end server in the DMZ which communicates to the Internet > client using SSL and the backend mailbox servers over HTTP. > Not only is there off-loading of the encryption processing, > but it provides you a location for containing external > attacks. Yes, in a sense, all servers in the DMZ are > sacrificial victims. The theory is that you keep your > sacrificial victims in a contained area so they can be > monitored carefully and you fall back and reformat them as > soon as they are compromised. Obviously you need both > intrusion detection and host-based firewalling with the DMZ > (to prevent compromise of the DMZ from host to host). If > there were no front-end server (direct OWA access on the > mailbox server) you couldn't possibly monitor it as well > since it is performing many more functions. Also, you > certainly couldn't scrub it easily if it were compromised. > If you were running a front-end server internally (no-DMZ), > if that box were compromised it could be used as a staging > area for an attack on all your internal systems. So, yes, > the assumption is that all machines in your DMZ will > eventually be compromised and they are suspect. > > Okay, given my recommended configuration, the essential > problem is that the front-end server has to have access to > some key internal services in order to function. The trick > would appear to be to lock down those internal services as > much as possible and to get a really good intrusion detection > system that will allow you to shutdown your front-end server > access to internal services as quickly as possible. > > Okay, there is a cost associated with providing this type of > set up. You can't run a front-end server on Exchange 2000 > Standard, you'll need Enterprise. You'll need a good > firewall. You'll need good virus protection, host-based > firewalls, and an intrusion detection system (network > defenses without intrusion detection is like a city wall with > no night watch). None of this is cheap, but that's the price > of using OWA on the Internet. If you don't have the money to > do it securely, don't provide the service. > > Russell Ragar, MCSE+I, CNE, CCNA > Senior Network Engineer > PowerTV, Inc. > > -----Original Message----- > From: Chris Scharff [mailto:[EMAIL PROTECTED]] > Sent: Thursday, June 06, 2002 3:05 PM > To: Exchange Discussions > Subject: RE: lesser of the evils - ssl or smtp > > > I guess our needs here are somehwat different, perhaps. We > don't use Exchange in the DMZ (that's ridiculous overkill) > but we do have relays out there ... and we lock 'em down to > specific ports internally as well. I disagree that it would > be "just as harmful as in the DMZ", though ... perform a DoS > on a box in the DMZ, you only kill communications through > that one box. DoS the Exchange Server, bam -- you just lost > ALL email services. > > [CS] What box are you using to relay OWA that wouldn't be > just as secure on the internal network as it would be in a > DMZ? I can have a dedicated OWA server in either location and > the net impact to my Exchange org seems equivalent. As to > SMTP, the same thing applies IMO. If you DoS my SMTP relay, > why would the impact be any greater on my internal network > than in my DMZ. > > Granted, we've got more systems to support, but that's the > price we pay for the security and redundancy that comes with it. > > [CS] Your network seems more complex with no demonstrable > additional value when compared to my configuration.... for > the scenario as asked. > > And Chris, you asked to "demonstrate an exploit" ... we > prefer to not wait for one to be demonstrated, but rather do > the best we can to preemptively protect ourselves before one > is found: use relays in the DMZ, and mix relay products so > what exploits one may not be expoitable on another. > > [CS] But that's not the scenario or question that was asked. > > Have > different flavors of antivirus protection at the relay, > Exchange, and at the client. > > [CS] I am not opposed to an SMTP relay, it's a sound idea. I > don't see much value in putting one in a DMZ really, but an > SMTP relay is much different than an Exchange relay which is > where this thread started. Apples and Oranges or Horses for Courses. > > Like I said before though, it ain't right for everybody ... > it takes some bank to make it happen. Our requirements here > are a little more anal than others'. > > [CS] It's not about money in this case. It's about the > scenario as presented. > > Jon > > > > -----Original Message----- > > From: Webb, Andy [mailto:[EMAIL PROTECTED]] > > Sent: Thursday, June 06, 2002 3:38 PM > > To: Exchange Discussions > > Subject: RE: lesser of the evils - ssl or smtp > > > > > > On specific ports? Sure, why not? > > > > I'd allow 443 to an inside box. It requires authentication > and it's > > encrypted. Any vulnerability in the application itself > would be just > > as harmful in the DMZ. > > > > I'd allow 25 to an inside box. The endpoint is a system > that accepts > > the mail and scans it for viruses and malicious content. Any > > vulnerability in the application would be almost as harmful in the > > DMZ. > > > > As it stands I have half the number of systems to secure in > my design > > as you do in yours. If we both block 98% of the vulnerabilities on > > those systems, you're less secure. I contend that I can do better > > than you given fewer systems to focus on. > > > > Now, I'm not saying that there aren't good uses for a DMZ. > There are. > > Exchange just isn't one of them. > > > > -----Original Message----- > > From: Jon Butler [mailto:[EMAIL PROTECTED]] > > Posted At: Thursday, June 06, 2002 1:53 PM > > Posted To: Microsoft Exchange > > Conversation: lesser of the evils - ssl or smtp > > Subject: RE: lesser of the evils - ssl or smtp > > > > > > So you'd allow "from any" to your inside boxes? That would keep me > > awake at night. :) > > > > > > > -----Original Message----- > > > From: Webb, Andy [mailto:[EMAIL PROTECTED]] > > > Sent: Thursday, June 06, 2002 2:47 PM > > > To: Exchange Discussions > > > Subject: RE: lesser of the evils - ssl or smtp > > > > > > > > > but you're not talking about a good use of the DMZ. the > > DMZ should be > > > an end point, not a hop. it doesn't really matter where > your SMTP > > > virus scanner sits - you should have one, I agree. but > on the DMZ > > > doesn't really make much difference based on your loose > > restrictions > > > between the DMZ and the LAN. > > > > > > OWA also doesn't make much difference. you have to open up rpc > > > traffic from the DMZ to the LAN. might as well keep the DMZ more > > > secure and put OWA inside. relative security of the LAN is > > about the > > > same. > > > > > > now, if you want to discuss multiple physical DMZ > segments, perhaps > > > it's more interesting, but not much. > > > > > > there's quite a lot of this discussion in the archives, by > > the way. > > > no new arguments so far. so, if you want to jump forward > > to the end > > > of the discussion, look back a couple years. > > > > > > ======================================================= > > > Andy Webb [EMAIL PROTECTED] www.swinc.com > > > Simpler-Webb, Inc. Austin, TX 512-322-0071 > > > -- Eating XXX Chili at Texas Chili Parlor since 1989 -- > > > ======================================================= > > > > > > > > > -----Original Message----- > > > From: Jon Butler [mailto:[EMAIL PROTECTED]] > > > Posted At: Thursday, June 06, 2002 1:30 PM > > > Posted To: Microsoft Exchange > > > Conversation: lesser of the evils - ssl or smtp > > > Subject: RE: lesser of the evils - ssl or smtp > > > > > > > > > Perhaps I shouldn't have used the term "rule", but rather > > perhaps "a > > > good security practice." It's better to let the kiddies > > play with a > > > hardened DMZ bastion then your production Exchange Server > ... but I > > > also understand that's often not feasible for smaller > companies. A > > > good security paradigm can take some dough. > > > > > > > > > > -----Original Message----- > > > > From: Cook, Jason [mailto:[EMAIL PROTECTED]] > > > > Sent: Thursday, June 06, 2002 2:18 PM > > > > To: Exchange Discussions > > > > Subject: RE: lesser of the evils - ssl or smtp > > > > > > > > > > > > Seems a little rash mr. butler, a lot of small companies use the > > > > scenario presented by Rob Ellis originally. A firewall, a good > > > > hardware one anyway is great protection if used > effectively. OWA > > > > with ssl is a good and secure solution, so I'm curious as > > to why you > > > > > > believe that it's a "rule" to use a dmz? > > > > > > > > > > > > Jason Cook > > > > J.H. Ellwood and Associates > > > > Network Administrator > > > > [EMAIL PROTECTED] > > > > > > > > > > > > -----Original Message----- > > > > From: Rob Ellis [mailto:[EMAIL PROTECTED]] > > > > Sent: Thursday, June 06, 2002 1:06 PM > > > > To: Exchange Discussions > > > > Subject: RE: lesser of the evils - ssl or smtp > > > > > > > > No, not remote users, server smtp traffic. > > > > > > > > We are proposing citrix full desktop, OWA for some remote > > users, no > > > > POP/smtp access for end users. > > > > > > > > The Webshield I mentioned is as you say, part of TVD. > > > > > > > > Our design sounds very much like your setup. > > > > > > > > > > > > Regards, > > > > > > > > > > > > Rob Ellis > > > > > > > > -----Original Message----- > > > > From: Mellott, Bill [mailto:[EMAIL PROTECTED]] > > > > Sent: 06 June 2002 18:49 > > > > To: Exchange Discussions > > > > Subject: RE: lesser of the evils - ssl or smtp > > > > > > > > Ill throw in .02 > > > > > > > > Assuming you are referring to allowing remote users to get their > > > > e-mail. > > > > > > > > I'm doing the OWA thing for "remote/roaming" users. > > > > I do some Citrix for full desktops. > > > > I do NOT allow users to connect to the exch box at this time via > > > > SMTP/POP. > > > > > > > > I do at this time use the Simple Webshield product > > bundled with the > > > > NIA/Mcafee TVD suite. It does reside on it's own machine. > > > > so Internet smtp > webshield > Exch. > > > > yes the webshield sit's before Exch box. > > > > Yes it provides me with an additional layer of pre exch virus > > > > protection...works ok yes it also provides some prefiltering on > > > > attachments...sucks...does not go any deeper the first > level i.e. > > > > FWD> FWD it will miss. > > > > Note: Their full blown product webshield APP is > supposed to work > > > > well..no exp with it, Ill keep my opinions to myself.. > > > > > > > > If I had to let user(s) directly get to either port 110/POP and > > > > port25/smtp to do their e-mail... > > > > 1.) I would not ..thats me.. > > > > 2.) Forced too only via some secure connection like a VPN. > > > > > > > > bill > > > > > > > > PS for those interested I run the AV product to at the > file level > > > > and scan all files on the exchange box with no exceptions. > > > > ;-) > > > > > > > > -----Original Message----- > > > > From: Bendall, Paul [mailto:[EMAIL PROTECTED]] > > > > Sent: Thursday, June 06, 2002 1:38 PM > > > > To: Exchange Discussions > > > > Subject: RE: lesser of the evils - ssl or smtp > > > > > > > > > > > > Okay I'll add another spanner to your works, I would > > advise an SMTP > > > > relay server on your DMZ but I really wouldn't use McAfee > > Webshield. > > > > > > Why I hear you cry for one it is pretty bad at blocking > > viruses and > > > > two we have had no end of problems with it crashing or > > not sending > > > > to certain domains when it gets a DAT update. Why not use > > the SMTP > > > > component of IIS as your SMTP relay server and then use > > ScanMail or > > > > Antigen on your Exchange server. Either that or use someone like > > > > MessageLabs to outsource your antivirus too. > > > > > > > > Regards, > > > > > > > > Paul > > > > > > > > -----Original Message----- > > > > From: Rob Ellis [mailto:[EMAIL PROTECTED]] > > > > Sent: 06 June 2002 18:26 > > > > To: Exchange Discussions > > > > Subject: lesser of the evils - ssl or smtp > > > > > > > > > > > > Ok, I've got a couple of scenarios, which of them is the > > > least risky? > > > > > > > > Exchange 2000 mailbox server on the LAN, accepting/making > > > > connections using SMTP through a firewall to the internet > > > > > > > > Exchange 2000 mailbox server on the LAN, accepting SSL > secured OWA > > > > > connections from the internet, again, protected by a firewall. > > > > > > > > > > > > Basically I am being told I may have to do both with > the same box, > > > > > but I'd rather have the smtp traffic going through a DMZ based > > > > gateway running McAfee Webshield, and let the OWA clients > > come into > > > > the internal box over SSL (which I see as less of a risk than > > > > opening up port 25. > > > > > > > > If you had to choose one of the 2 above scenarios, which > > > would it be? > > > > > > > > Regards, > > > > > > > > Rob Ellis > > > _________________________________________________________________ > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > Archives: http://www.swynk.com/sitesearch/search.asp > To unsubscribe: mailto:[EMAIL PROTECTED] > Exchange List admin: [EMAIL PROTECTED] > > _________________________________________________________________ > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > Archives: http://www.swynk.com/sitesearch/search.asp > To unsubscribe: mailto:[EMAIL PROTECTED] > Exchange List admin: [EMAIL PROTECTED] > > _________________________________________________________________ > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > Archives: http://www.swynk.com/sitesearch/search.asp > To unsubscribe: mailto:[EMAIL PROTECTED] > Exchange List admin: [EMAIL PROTECTED] > _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED]
