I was referring to DMZ's in general ... > -----Original Message----- > From: Cook, Jason [mailto:[EMAIL PROTECTED]] > Sent: Friday, June 07, 2002 4:52 PM > To: Exchange Discussions > Subject: RE: lesser of the evils - ssl or smtp > > > What? Can't work...so all people do all day is send emails? > In truth, that's all they do but it's not your job to make > sure Marge in Accounting gets her baby pictures to her Mom, > dig? So what do you mean by can't work...in the context of OWA? > > Jason Cook > J.H. Ellwood and Associates > Network Administrator > [EMAIL PROTECTED] > > > -----Original Message----- > From: Jon Butler [mailto:[EMAIL PROTECTED]] > Sent: Friday, June 07, 2002 3:34 PM > To: Exchange Discussions > Subject: RE: lesser of the evils - ssl or smtp > > Here's what's so sacred: your users' ability to generate > revenue. It's all a matter of perspective -- to someone in a > small office with a handful of users, intrustion detection > and DMZs sound ridiculous, and in a lot of cases probably > are. To someone in a large enterprise envrionment with > uptime requirements of 4 or 5 nine's, it's absolutely > necessary and non-negotiable, and in those situations the > notion of having internet traffic talking directly to an > internal server is about as likely as a CEO forgiving you > when 3000 of your users can't work because you thought all > that extra work was "tiresome." > > > > > -----Original Message----- > > From: Cook, Jason [mailto:[EMAIL PROTECTED]] > > Sent: Friday, June 07, 2002 4:21 PM > > To: Exchange Discussions > > Subject: RE: lesser of the evils - ssl or smtp > > > > > > What is it that's so sacred you're protecting. OWA with SSL > > through a firewall is adequate for most places. The mail is > > secure and that's it. Gotta have credentials to get in...so > > that's it. DMZ is a waste of time to me. Constantly > > monitoring and patching/fixing dmz boxes gets to be tiresome. > > I mean, they're gonna get blasted for sure and if they get > > taken out, so does whatever service you're running...unless > > they're redundant. So what's the point? Besides, you've > > opened up 80 to get to the backend Exchange box anyway. > > > > Jason Cook > > J.H. Ellwood and Associates > > Network Administrator > > [EMAIL PROTECTED] > > > > > > -----Original Message----- > > From: Ragar, Russell [mailto:[EMAIL PROTECTED]] > > Sent: Friday, June 07, 2002 3:02 PM > > To: Exchange Discussions > > Subject: RE: lesser of the evils - ssl or smtp > > > > Regarding Outlook Web Access deployments, particularly with > > Exchange 2000, I can see a large benefit to deploying a front > > end server in the DMZ which communicates to the Internet > > client using SSL and the backend mailbox servers over HTTP. > > Not only is there off-loading of the encryption processing, > > but it provides you a location for containing external > > attacks. Yes, in a sense, all servers in the DMZ are > > sacrificial victims. The theory is that you keep your > > sacrificial victims in a contained area so they can be > > monitored carefully and you fall back and reformat them as > > soon as they are compromised. Obviously you need both > > intrusion detection and host-based firewalling with the DMZ > > (to prevent compromise of the DMZ from host to host). If > > there were no front-end server (direct OWA access on the > > mailbox server) you couldn't possibly monitor it as well > > since it is performing many more functions. Also, you > > certainly couldn't scrub it easily if it were compromised. > > If you were running a front-end server internally (no-DMZ), > > if that box were compromised it could be used as a staging > > area for an attack on all your internal systems. So, yes, > > the assumption is that all machines in your DMZ will > > eventually be compromised and they are suspect. > > > > Okay, given my recommended configuration, the essential > > problem is that the front-end server has to have access to > > some key internal services in order to function. The trick > > would appear to be to lock down those internal services as > > much as possible and to get a really good intrusion detection > > system that will allow you to shutdown your front-end server > > access to internal services as quickly as possible. > > > > Okay, there is a cost associated with providing this type of > > set up. You can't run a front-end server on Exchange 2000 > > Standard, you'll need Enterprise. You'll need a good > > firewall. You'll need good virus protection, host-based > > firewalls, and an intrusion detection system (network > > defenses without intrusion detection is like a city wall with > > no night watch). None of this is cheap, but that's the price > > of using OWA on the Internet. If you don't have the money to > > do it securely, don't provide the service. > > > > Russell Ragar, MCSE+I, CNE, CCNA > > Senior Network Engineer > > PowerTV, Inc. > > > > -----Original Message----- > > From: Chris Scharff [mailto:[EMAIL PROTECTED]] > > Sent: Thursday, June 06, 2002 3:05 PM > > To: Exchange Discussions > > Subject: RE: lesser of the evils - ssl or smtp > > > > > > I guess our needs here are somehwat different, perhaps. We > > don't use Exchange in the DMZ (that's ridiculous overkill) > > but we do have relays out there ... and we lock 'em down to > > specific ports internally as well. I disagree that it would > > be "just as harmful as in the DMZ", though ... perform a DoS > > on a box in the DMZ, you only kill communications through > > that one box. DoS the Exchange Server, bam -- you just lost > > ALL email services. > > > > [CS] What box are you using to relay OWA that wouldn't be > > just as secure on the internal network as it would be in a > > DMZ? I can have a dedicated OWA server in either location and > > the net impact to my Exchange org seems equivalent. As to > > SMTP, the same thing applies IMO. If you DoS my SMTP relay, > > why would the impact be any greater on my internal network > > than in my DMZ. > > > > Granted, we've got more systems to support, but that's the > > price we pay for the security and redundancy that comes with it. > > > > [CS] Your network seems more complex with no demonstrable > > additional value when compared to my configuration.... for > > the scenario as asked. > > > > And Chris, you asked to "demonstrate an exploit" ... we > > prefer to not wait for one to be demonstrated, but rather do > > the best we can to preemptively protect ourselves before one > > is found: use relays in the DMZ, and mix relay products so > > what exploits one may not be expoitable on another. > > > > [CS] But that's not the scenario or question that was asked. > > > > Have > > different flavors of antivirus protection at the relay, > > Exchange, and at the client. > > > > [CS] I am not opposed to an SMTP relay, it's a sound idea. I > > don't see much value in putting one in a DMZ really, but an > > SMTP relay is much different than an Exchange relay which is > > where this thread started. Apples and Oranges or Horses for Courses. > > > > Like I said before though, it ain't right for everybody ... > > it takes some bank to make it happen. Our requirements here > > are a little more anal than others'. > > > > [CS] It's not about money in this case. It's about the > > scenario as presented. > > > > Jon > > > > > > > -----Original Message----- > > > From: Webb, Andy [mailto:[EMAIL PROTECTED]] > > > Sent: Thursday, June 06, 2002 3:38 PM > > > To: Exchange Discussions > > > Subject: RE: lesser of the evils - ssl or smtp > > > > > > > > > On specific ports? Sure, why not? > > > > > > I'd allow 443 to an inside box. It requires authentication > > and it's > > > encrypted. Any vulnerability in the application itself > > would be just > > > as harmful in the DMZ. > > > > > > I'd allow 25 to an inside box. The endpoint is a system > > that accepts > > > the mail and scans it for viruses and malicious content. Any > > > vulnerability in the application would be almost as > harmful in the > > > DMZ. > > > > > > As it stands I have half the number of systems to secure in > > my design > > > as you do in yours. If we both block 98% of the > vulnerabilities on > > > those systems, you're less secure. I contend that I can > do better > > > than you given fewer systems to focus on. > > > > > > Now, I'm not saying that there aren't good uses for a DMZ. > > There are. > > > Exchange just isn't one of them. > > > > > > -----Original Message----- > > > From: Jon Butler [mailto:[EMAIL PROTECTED]] > > > Posted At: Thursday, June 06, 2002 1:53 PM > > > Posted To: Microsoft Exchange > > > Conversation: lesser of the evils - ssl or smtp > > > Subject: RE: lesser of the evils - ssl or smtp > > > > > > > > > So you'd allow "from any" to your inside boxes? That > would keep me > > > awake at night. :) > > > > > > > > > > -----Original Message----- > > > > From: Webb, Andy [mailto:[EMAIL PROTECTED]] > > > > Sent: Thursday, June 06, 2002 2:47 PM > > > > To: Exchange Discussions > > > > Subject: RE: lesser of the evils - ssl or smtp > > > > > > > > > > > > but you're not talking about a good use of the DMZ. the > > > DMZ should be > > > > an end point, not a hop. it doesn't really matter where > > your SMTP > > > > virus scanner sits - you should have one, I agree. but > > on the DMZ > > > > doesn't really make much difference based on your loose > > > restrictions > > > > between the DMZ and the LAN. > > > > > > > > OWA also doesn't make much difference. you have to open up rpc > > > > traffic from the DMZ to the LAN. might as well keep > the DMZ more > > > > secure and put OWA inside. relative security of the LAN is > > > about the > > > > same. > > > > > > > > now, if you want to discuss multiple physical DMZ > > segments, perhaps > > > > it's more interesting, but not much. > > > > > > > > there's quite a lot of this discussion in the archives, by > > > the way. > > > > no new arguments so far. so, if you want to jump forward > > > to the end > > > > of the discussion, look back a couple years. > > > > > > > > ======================================================= > > > > Andy Webb [EMAIL PROTECTED] www.swinc.com > > > > Simpler-Webb, Inc. Austin, TX 512-322-0071 > > > > -- Eating XXX Chili at Texas Chili Parlor since 1989 -- > > > > ======================================================= > > > > > > > > > > > > -----Original Message----- > > > > From: Jon Butler [mailto:[EMAIL PROTECTED]] > > > > Posted At: Thursday, June 06, 2002 1:30 PM > > > > Posted To: Microsoft Exchange > > > > Conversation: lesser of the evils - ssl or smtp > > > > Subject: RE: lesser of the evils - ssl or smtp > > > > > > > > > > > > Perhaps I shouldn't have used the term "rule", but rather > > > perhaps "a > > > > good security practice." It's better to let the kiddies > > > play with a > > > > hardened DMZ bastion then your production Exchange Server > > ... but I > > > > also understand that's often not feasible for smaller > > companies. A > > > > good security paradigm can take some dough. > > > > > > > > > > > > > -----Original Message----- > > > > > From: Cook, Jason [mailto:[EMAIL PROTECTED]] > > > > > Sent: Thursday, June 06, 2002 2:18 PM > > > > > To: Exchange Discussions > > > > > Subject: RE: lesser of the evils - ssl or smtp > > > > > > > > > > > > > > > Seems a little rash mr. butler, a lot of small > companies use the > > > > > scenario presented by Rob Ellis originally. A > firewall, a good > > > > > hardware one anyway is great protection if used > > effectively. OWA > > > > > with ssl is a good and secure solution, so I'm curious as > > > to why you > > > > > > > > believe that it's a "rule" to use a dmz? > > > > > > > > > > > > > > > Jason Cook > > > > > J.H. Ellwood and Associates > > > > > Network Administrator > > > > > [EMAIL PROTECTED] > > > > > > > > > > > > > > > -----Original Message----- > > > > > From: Rob Ellis [mailto:[EMAIL PROTECTED]] > > > > > Sent: Thursday, June 06, 2002 1:06 PM > > > > > To: Exchange Discussions > > > > > Subject: RE: lesser of the evils - ssl or smtp > > > > > > > > > > No, not remote users, server smtp traffic. > > > > > > > > > > We are proposing citrix full desktop, OWA for some remote > > > users, no > > > > > POP/smtp access for end users. > > > > > > > > > > The Webshield I mentioned is as you say, part of TVD. > > > > > > > > > > Our design sounds very much like your setup. > > > > > > > > > > > > > > > Regards, > > > > > > > > > > > > > > > Rob Ellis > > > > > > > > > > -----Original Message----- > > > > > From: Mellott, Bill [mailto:[EMAIL PROTECTED]] > > > > > Sent: 06 June 2002 18:49 > > > > > To: Exchange Discussions > > > > > Subject: RE: lesser of the evils - ssl or smtp > > > > > > > > > > Ill throw in .02 > > > > > > > > > > Assuming you are referring to allowing remote users > to get their > > > > > e-mail. > > > > > > > > > > I'm doing the OWA thing for "remote/roaming" users. > > > > > I do some Citrix for full desktops. > > > > > I do NOT allow users to connect to the exch box at > this time via > > > > > SMTP/POP. > > > > > > > > > > I do at this time use the Simple Webshield product > > > bundled with the > > > > > NIA/Mcafee TVD suite. It does reside on it's own machine. > > > > > so Internet smtp > webshield > Exch. > > > > > yes the webshield sit's before Exch box. > > > > > Yes it provides me with an additional layer of pre exch virus > > > > > protection...works ok yes it also provides some > prefiltering on > > > > > attachments...sucks...does not go any deeper the first > > level i.e. > > > > > FWD> FWD it will miss. > > > > > Note: Their full blown product webshield APP is > > supposed to work > > > > > well..no exp with it, Ill keep my opinions to myself.. > > > > > > > > > > If I had to let user(s) directly get to either port > 110/POP and > > > > > port25/smtp to do their e-mail... > > > > > 1.) I would not ..thats me.. > > > > > 2.) Forced too only via some secure connection like a VPN. > > > > > > > > > > bill > > > > > > > > > > PS for those interested I run the AV product to at the > > file level > > > > > and scan all files on the exchange box with no exceptions. > > > > > ;-) > > > > > > > > > > -----Original Message----- > > > > > From: Bendall, Paul [mailto:[EMAIL PROTECTED]] > > > > > Sent: Thursday, June 06, 2002 1:38 PM > > > > > To: Exchange Discussions > > > > > Subject: RE: lesser of the evils - ssl or smtp > > > > > > > > > > > > > > > Okay I'll add another spanner to your works, I would > > > advise an SMTP > > > > > relay server on your DMZ but I really wouldn't use McAfee > > > Webshield. > > > > > > > > Why I hear you cry for one it is pretty bad at blocking > > > viruses and > > > > > two we have had no end of problems with it crashing or > > > not sending > > > > > to certain domains when it gets a DAT update. Why not use > > > the SMTP > > > > > component of IIS as your SMTP relay server and then use > > > ScanMail or > > > > > Antigen on your Exchange server. Either that or use > someone like > > > > > MessageLabs to outsource your antivirus too. > > > > > > > > > > Regards, > > > > > > > > > > Paul > > > > > > > > > > -----Original Message----- > > > > > From: Rob Ellis [mailto:[EMAIL PROTECTED]] > > > > > Sent: 06 June 2002 18:26 > > > > > To: Exchange Discussions > > > > > Subject: lesser of the evils - ssl or smtp > > > > > > > > > > > > > > > Ok, I've got a couple of scenarios, which of them is the > > > > least risky? > > > > > > > > > > Exchange 2000 mailbox server on the LAN, accepting/making > > > > > connections using SMTP through a firewall to the internet > > > > > > > > > > Exchange 2000 mailbox server on the LAN, accepting SSL > > secured OWA > > > > > > > connections from the internet, again, protected by a firewall. > > > > > > > > > > > > > > > Basically I am being told I may have to do both with > > the same box, > > > > > > > but I'd rather have the smtp traffic going through a > DMZ based > > > > > gateway running McAfee Webshield, and let the OWA clients > > > come into > > > > > the internal box over SSL (which I see as less of a risk than > > > > > opening up port 25. > > > > > > > > > > If you had to choose one of the 2 above scenarios, which > > > > would it be? > > > > > > > > > > Regards, > > > > > > > > > > Rob Ellis > > > > > > _________________________________________________________________ > > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > > Archives: http://www.swynk.com/sitesearch/search.asp > > To unsubscribe: mailto:[EMAIL PROTECTED] > > Exchange List admin: [EMAIL PROTECTED] > > > > _________________________________________________________________ > > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > > Archives: http://www.swynk.com/sitesearch/search.asp > > To unsubscribe: mailto:[EMAIL PROTECTED] > > Exchange List admin: [EMAIL PROTECTED] > > > > _________________________________________________________________ > > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > > Archives: http://www.swynk.com/sitesearch/search.asp > > To unsubscribe: mailto:[EMAIL PROTECTED] > > Exchange List admin: [EMAIL PROTECTED] > > > > _________________________________________________________________ > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > Archives: http://www.swynk.com/sitesearch/search.asp > To unsubscribe: mailto:[EMAIL PROTECTED] > Exchange List admin: [EMAIL PROTECTED] > > _________________________________________________________________ > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > Archives: http://www.swynk.com/sitesearch/search.asp > To unsubscribe: mailto:[EMAIL PROTECTED] > Exchange List admin: [EMAIL PROTECTED] >
_________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED]
