But it's just so much more fun to rehash it every six months than it is to read the archives, silly!
----- Original Message -----
From: "Chris Scharff" <[EMAIL PROTECTED]>
To: "Exchange Discussions" <[EMAIL PROTECTED]>
Sent: Friday, June 07, 2002 11:39 PM
Subject: RE: lesser of the evils - ssl or smtp

This really is all in the archives at this point, isn't it?

-----Original Message-----

Okay, your specific point is that having a FE server in the internal network is as good as having one in the DMZ?

CS: That's one of my points, yes.

Well, if the FE server in the internal network is compromised it has open access to all of your internal network.

CS: Not my FE server, because I've sufficiently hardened it. Wasn't that one of the criteria we were using in our DMZ? I haven't thrown out best practices simply because I located the server on my internal network instead of the DMZ. Instead, I've implemented IPSec and I know exactly what servers my FE server is allowed to talk to.

So, there would be no difference if all of the hosts and workstations within your internal network were hardened to the security level provided by the firewall between the DMZ and your internal network.

CS: A logical fallacy IMO, because you have not hardened the internal servers that your FE server can speak to in your scenario, and if you do, you won't be hardening them any more because the servers communicate with your FE server in the DMZ than I'll harden them talking to my FE server on the internal network, will you?

But, practically, I've never found that to be a possibility. I suppose if I personally created every internal system I could achieve this, but I'd be swamped trying to do this with more than a few dozen machines.

CS: Sure. But your need to harden internal or intermediary systems seems to be no greater for a FE server in a DMZ than my FE server on the internal network, does it? IPSec is fairly inexpensive to implement and would be high on my list of good ideas if I had high security concerns....

Minimally, you'd need a software firewall on all your internal hosts and workstations (which admittedly is where technology seems to be heading).

CS: I disagree. IPSec is more than sufficient for this scenario to my way of thinking.

I suppose you could put a router access-control list between your FE server and the rest of your internal network, but really that would just be a way of recreating a DMZ. But this path will become more elaborate than deploying the DMZ.

CS: No, I've taken the time to understand who and what my OWA server talks to and made sure that it only talks to those machines it needs to talk to. It's not in a DMZ by any definition of a DMZ I'd care to use.

What is your fear of implementing a DMZ? It's no more complicated than the initial firewall deployment and often can be done with the same hardware/software used for that firewall.

CS: I have no fear of implementing a DMZ. In fact I have rather a sizeable IT budget I could draw from to implement such a scenario for Exchange if one could provide a demonstrable benefit. I still don't believe I've seen that.

My assumption is that you have an internal network. I suppose if there wasn't one, then my arguments might be tenuous.

CS: Sure do. In fact my security guy is an anal SOB who reads the rainbow books for pleasure and used to write encryption and compression algorithms for fun and profit. We argue about security stuff after a fashion on a regular basis.

Regarding costs, you can't really design without attention to costs (hardware, software, technician time, user disruption/training).

CS: Cost is irrelevant to the discussion at hand. We're talking about what is more secure. Your contention is that a FE server in a DMZ is more secure than one on the internal network. I have more than enough hardware and software about to implement this scenario if someone can demonstrate a real security benefit from it.

Yes, you can build rather than buy to some extent (open source firewalls, intrusion detection scripts you design yourself, etc) but that would just push up the technician time and expertise requirements to save hardware and software costs.

CS: Again, this was a discussion of the technical merits of a particular configuration. If someone came to me and said "I have unlimited budget, design me the most secure OWA solution you can" you can be damn sure my solution would bear only a passing resemblance to my current configuration or the one you proposed. Pie in the sky desires are not what we're talking about here... this thread was started on a very specific set of questions and a small subset of possible implementation scenarios.

An answer of what is ideal is not terribly useful if it's not an option. It might be entertaining to totally disregard costs in an engineering solution, but it has almost no practical value.

CS: Right, so assuming I have exactly the same hardware you do, why is my FE server on the internal network less secure than your FE server in the DMZ? IMO a very practical question.

Ultimately, resource allocation is the primary limiting factor in all engineering designs, so I can't ignore costs in proposing any solution.

CS: OK, but can you ignore technical merits? Assuming cost is not a deciding factor in whether I place my FE server in the DMZ or the internal network, what are the technical reasons I would choose one over the other? The reasons I've seen so far from anyone in this thread look more like straw men than compelling arguments.
_________________________________________________________________
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]
_________________________________________________________________
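The thread never shows what "I know exactly what servers my FE server is allowed to talk to" looks like in practice. The following is an added example, not Chris Scharff's configuration or anything posted to the list: a default-deny host firewall plus an IPsec requirement on an OWA front-end (FE) that sits on the internal network, written with the Windows NetSecurity cmdlets (Windows Server 2012 and later; a 2002-era Windows 2000 host would express the same policy in the IP Security Policy snap-in or with ipsecpol/netsh). The host names, addresses and the port list are assumptions for illustration; the real port set depends on the Exchange version (an Exchange 2000 FE also needs RPC to its domain controllers, for example) and has to be checked against the product documentation before the policy is assigned.

```powershell
# Added example (not from the thread): host-enforced allow-list for an
# Exchange/OWA front-end server on the internal network.
# ASSUMED values: one back-end (mailbox) server and two domain controllers
# that also serve DNS. Port numbers are illustrative, not a verified list.
$BackEnd = '10.1.2.10'
$DCs     = '10.1.2.5', '10.1.2.6'

# 1. Default-deny in both directions on every profile. Anything not listed
#    below is dropped, so a compromised FE cannot reach the rest of the LAN.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. The only service the FE exposes to clients: HTTPS for OWA.
New-NetFirewallRule -DisplayName 'OWA HTTPS in' -Direction Inbound `
    -Protocol TCP -LocalPort 443 -Action Allow

# 3. Outbound: FE may reach the back-end over HTTP (FE/BE proxying) and the
#    DCs for DNS, Kerberos and LDAP/Global Catalog. Nothing else.
New-NetFirewallRule -DisplayName 'FE to BE HTTP' -Direction Outbound `
    -Protocol TCP -RemoteAddress $BackEnd -RemotePort 80 -Action Allow
New-NetFirewallRule -DisplayName 'FE to DC TCP' -Direction Outbound `
    -Protocol TCP -RemoteAddress $DCs -RemotePort 53, 88, 389, 3268 -Action Allow
New-NetFirewallRule -DisplayName 'FE to DC UDP' -Direction Outbound `
    -Protocol UDP -RemoteAddress $DCs -RemotePort 53, 88 -Action Allow

# 4. Require IPsec (machine Kerberos authentication) on all traffic between
#    the FE and the internal hosts it is allowed to use. A peer that cannot
#    complete IKE as a domain member gets no connection at all, and the FE's
#    own outbound traffic is authenticated to the BE and the DCs.
$auth = New-NetIPsecPhase1AuthSet -DisplayName 'FE machine Kerberos' `
    -Proposal (New-NetIPsecAuthProposal -Machine -Kerberos)
New-NetIPsecRule -DisplayName 'FE internal traffic requires IPsec' `
    -RemoteAddress (@($BackEnd) + $DCs) -Phase1AuthSet $auth.InstanceID `
    -InboundSecurity Require -OutboundSecurity Require

# 5. Verify: what is this host actually permitted to send?
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, RemotePort
```

Step 5 is the check worth repeating after every change: the allow-list is only as tight as the enumerated rules, and a forgotten "allow any" rule silently reopens the LAN. One property of this design that both sides of the thread are really arguing about is where the policy is enforced: here it lives on the FE itself, whereas a DMZ puts the equivalent filter on a device the FE cannot reconfigure.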

