Okay, your specific point is that having a FE server in the internal network is as good as having one in the DMZ?
Well, if the FE server in the internal network is compromised it has open access to all of your internal network. So, there would be no difference if all of the hosts and workstations within your internal network were hardened to the security level provided by the firewall between the DMZ and your internal network. But, practically, I've never found that to be a possibility. I suppose if I personally created every internal system I could achieve this, but I'd be swamped trying to do this with more than a few dozen machines. Minimally, you'd need a software firewall on all your internal hosts and workstations (which admittedly is where technology seems to be heading). I suppose you could put a router access-control list between your FE server and the rest of your internal network, but really that would just be a way of recreating a DMZ. But this path will become more elaborate than deploying the DMZ.

What is your fear of implementing a DMZ? It's no more complicated than the initial firewall deployment and often can be done with the same hardware/software used for that firewall.

My assumption is that you have an internal network. I suppose if there wasn't one, then my arguments might be tenuous.

Regarding costs, you can't really design without attention to costs (hardware, software, technician time, user disruption/training). Yes, you can build rather than buy to some extent (open source firewalls, intrusion detection scripts you design yourself, etc.) but that would just push up the technician time and expertise requirements to save hardware and software costs. It might be entertaining to totally disregard costs in an engineering solution, but it has almost no practical value. Ultimately, resource allocation is the primary limiting factor in all engineering designs, so I can't ignore costs in proposing any solution.

Russell Ragar, MCSE+I, CNE, CCNA
Senior Network Engineer
PowerTV, Inc.
-----Original Message-----
From: Chris Scharff [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 07, 2002 2:37 PM
To: Exchange Discussions
Subject: RE: lesser of the evils - ssl or smtp

-----Original Message-----

Regarding Outlook Web Access deployments, particularly with Exchange 2000, I can see a large benefit to deploying a front end server in the DMZ which communicates to the Internet client using SSL and the backend mailbox servers over HTTP.

CS: Specifically over a FE server on the internal network?

Not only is there off-loading of the encryption processing,

CS: Apparently not over a FE server on the internal network. I too can compare apples and pears and claim an apple is a woefully inadequate pear.

but it provides you a location for containing external attacks.

CS: How specifically are they contained when between my FE server and my other E2K servers/AD/DNS servers there are a host of ports open, including quite possibly the ports which you used to run your original exploit?

Yes, in a sense, all servers in the DMZ are sacrificial victims. The theory is that you keep your sacrificial victims in a contained area so they can be monitored carefully and you fall back and reformat them as soon as they are compromised.

CS: What are we using to monitor this box specifically, and what exploit did we use to access the box in the first place (any Exchange version 443-based exploit) that our IDS is going to detect the behavior and alert us?

Obviously you need both intrusion detection and host-based firewalling with the DMZ (to prevent compromise of the DMZ from host to host). If there were no front-end server (direct OWA access on the mailbox server) you couldn't possibly monitor it as well since it is performing many more functions.

CS: This post began with the question of what is the advantage of a particular server in a DMZ. Changing the equation to say 'if we add this, that and the other, and implement a DMZ we'll be more secure than if we just publish our password on the internet' is silly.

Also, you certainly couldn't scrub it easily if it were compromised.

CS: IBID

If you were running a front-end server internally (no DMZ), if that box were compromised it could be used as a staging area for an attack on all your internal systems.

CS: And the FE server in my DMZ couldn't? Puhleese.

So, yes, the assumption is that all machines in your DMZ will eventually be compromised and they are suspect. Okay, given my recommended configuration, the essential problem is that the front-end server has to have access to some key internal services in order to function. The trick would appear to be to lock down those internal services as much as possible and to get a really good intrusion detection system that will allow you to shut down your front-end server's access to internal services as quickly as possible.

CS: And I couldn't harden my FE server on the internal network in the exact same way? What would be the net increased risk if I were to do so?

Okay, there is a cost associated with providing this type of setup.

CS: Ignore cost, it's a red herring thrown up to say... if I spend more money than you, I can design a more secure system than you. If I spend the same amount of $ and have the same basic config except my FE server is in my internal network, specifically and demonstrably how am I less secure?

You can't run a front-end server on Exchange 2000 Standard, you'll need Enterprise. You'll need a good firewall. You'll need good virus protection, host-based firewalls, and an intrusion detection system (network defenses without intrusion detection is like a city wall with no night watch). None of this is cheap, but that's the price of using OWA on the Internet. If you don't have the money to do it securely, don't provide the service.
CS: I'm using OWA on the internet and am quite content with my current configuration/risks. I don't see how simply placing my OWA server in the DMZ will make it more secure, and your post, while interesting in a 'it's redundant because it's been covered ad infinitum in the archives' kind of way, is purely theoretical and demonstrates no intrinsic value gained specifically from the placement of the Exchange server in a DMZ in my mind.

_________________________________________________________________
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]
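The two positions in the thread can be checked against each other with a small reachability model: given a set of hosts and an allow-list of firewall or router-ACL rules, compute which (host, port) pairs an attacker who controls the front-end server could connect to. This is an added example, not code from the thread or from any of its participants; the host names, zones, listening ports and the three allow rules (HTTP to the mailbox server, LDAP and DNS to a domain controller) are constructed assumptions that stand in for the "host of ports open" to E2K/AD/DNS that the discussion mentions. It also goes slightly beyond the thread by modelling a third topology, the FE server left on the internal LAN but behind a router ACL, to show that it yields exactly the DMZ's reachable set.

```python
"""Reachability model for the 'FE server in the DMZ vs. on the internal LAN'
debate.  Constructed example: hosts, zones, ports and rules are assumptions,
not a real Exchange 2000 deployment."""

from dataclasses import dataclass
from typing import Optional

# Well-known TCP ports for the services in the model.
HTTPS, HTTP, LDAP, DNS, SMB, RDP = 443, 80, 389, 53, 445, 3389


@dataclass(frozen=True)
class Host:
    name: str
    zone: str
    services: frozenset  # ports this host listens on


@dataclass(frozen=True)
class Rule:
    """Allow traffic from any host in src_zone to dst_host:port."""
    src_zone: str
    dst_host: str          # host name, or "*" for any host
    port: Optional[int]    # None means any port


def rule_permits(rule: Rule, src: Host, dst: Host, port: int) -> bool:
    return (rule.src_zone == src.zone
            and rule.dst_host in ("*", dst.name)
            and rule.port in (None, port))


def reachable_from(compromised: Host, hosts, rules) -> set:
    """(host name, port) pairs an attacker on `compromised` can connect to,
    i.e. listening services on other hosts that some rule allows."""
    out = set()
    for dst in hosts:
        if dst.name == compromised.name:
            continue
        for port in dst.services:
            if any(rule_permits(r, compromised, dst, port) for r in rules):
                out.add((dst.name, port))
    return out


def build_topology(fe_zone: str):
    """Constructed internal estate plus the FE server placed in `fe_zone`."""
    fe = Host("fe", fe_zone, frozenset({HTTPS}))
    hosts = [
        Host("mailbox", "internal", frozenset({HTTP, SMB, RDP})),
        Host("dc", "internal", frozenset({LDAP, DNS, SMB, RDP})),
        Host("workstation", "internal", frozenset({SMB, RDP})),
        fe,
    ]
    return fe, hosts


# A flat LAN: nothing filters host-to-host traffic inside the internal zone.
INTERNAL_ANY = Rule("internal", "*", None)


def fe_rules(fe_zone: str):
    """The minimum the FE server needs to function: HTTP to the mailbox
    server and directory/name resolution on the DC (assumed set)."""
    return [Rule(fe_zone, "mailbox", HTTP),
            Rule(fe_zone, "dc", LDAP),
            Rule(fe_zone, "dc", DNS)]


def exposure(fe_zone: str) -> set:
    """What a compromised FE server can reach under a given placement.
    'internal' = flat LAN; 'dmz' = firewall DMZ; 'fe-segment' = still on
    the internal LAN but behind a router ACL carrying the same rules."""
    fe, hosts = build_topology(fe_zone)
    rules = [INTERNAL_ANY]
    if fe_zone != "internal":
        rules += fe_rules(fe_zone)
    return reachable_from(fe, hosts, rules)


if __name__ == "__main__":
    for placement in ("internal", "dmz", "fe-segment"):
        pairs = sorted(exposure(placement))
        print(f"{placement:10s} {len(pairs)} reachable: {pairs}")
```

Running it shows the flat-LAN placement exposes every listening port on every internal host (nine pairs here, SMB and RDP on workstations included), while both the DMZ and the ACL-segmented placement expose only the three services the FE server needs. That supports both posters at once: the ACL really does recreate the DMZ, and in either filtered case the mailbox HTTP, LDAP and DNS listeners remain reachable, which is why the thread's call for intrusion detection on that remaining path is not optional.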

