RE: lesser of the evils - ssl or smtp

Sat, 08 Jun 2002 13:54:13 -0700 

It isn't really important what I would consider since I'm not the one stating 
requirement.  But since you asked, I really don't have any problem with a front-end 
server, properly patched, sitting on an intranet and with HTTP-SSL (only) allowed 
through.  You'd know that if you'd read my earlier posts in this thread.  If you want 
to tighten it down more and require smart cards, well that's your decision.

Ed Crowley MCSE+Internet MVP kcCC+I
Tech Consultant
hp Services
Protecting the world from PSTs and Bricked Backups!


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
On Behalf Of Ragar, Russell
Sent: Friday, June 07, 2002 7:59 PM
To: Exchange Discussions
Subject: RE: lesser of the evils - ssl or smtp


Requiring a VPN and not providing an Internet OWA is certainly a valid stance.  Would 
you consider other designs?  How about two factor authentication provided by smart 
cards before you can open HTTP over SSL to the FE server?  
 
What other alternatives are available?  Perhaps a substitute for OWA in the DMZ that 
doesn't require so much internat data access and isn't based on IIS?
 
Russell Ragar, MCSE+I, CNE, CCNA
Senior Network Engineer
PowerTV, Inc.  

        -----Original Message----- 
        From: Ed Crowley [mailto:[EMAIL PROTECTED]] 
        Sent: Fri 6/7/2002 4:00 PM 
        To: Exchange Discussions 
        Cc: 
        Subject: RE: lesser of the evils - ssl or smtp
        
        

        The point is that a front-end server in a DMZ requires you to open up a
        whole slew of ports between it and your intranet, so it is almost as
        effective, if not completely as effective, a staging area for exploits
        as putting it inside the intranet.  One could argue that putting a
        front-end server in your intranet might even give you a false sense of
        security.
        
        If you want "real" security, don't expose a front-end server to the
        Internet at all.  Require a virtual private network.
        
        Ed Crowley MCSE+Internet MVP kcCC+I
        Tech Consultant
        hp Services
        Protecting the world from PSTs and Bricked Backups!
        
        
        -----Original Message-----
        From: [EMAIL PROTECTED]
        [mailto:[EMAIL PROTECTED]] On Behalf Of Ragar, Russell
        Sent: Friday, June 07, 2002 3:21 PM
        To: Exchange Discussions
        Subject: RE: lesser of the evils - ssl or smtp
        
        
        Okay, your specific point is that having a FE server in the internal
        network is as good as having one in the DMZ?
        
        Well, if the FE server in the internal network is compromised it has
        open access to all of your internal network.  So, there would be be no
        difference if all of the hosts and workstations within your internal
        network were hardened to the security level provided by the firewall
        between the DMZ and your internal network.  But, practically, I've never
        found that to be a possibility.  I suppose if I personally created every
        internal system I could achieve this, but I'd be swamped trying to do
        this with more than a few dozen machines.  Minimally, you'd need a
        software firewall on all your internal hosts and workstations (which
        admittedly is where technology seems to be heading).  I suppose you
        could put a router access-control list between your FE server and the
        rest of your internal network, but really that would just be a way of
        recreating a DMZ.  But this path will become more elaborate than
        deploying the DMZ. 
        
        What is your fear of implementing a DMZ?  It's no more complicated than
        the initial firewall deployment and often can be done with the same
        hardware/software used for that firewall. 
        
        My assumption is that you have an internal network.  I suppose if there
        wasn't one, then my arguments might be tenuous. 
        
        Regarding costs, you can't really design without attention to costs
        (hardware, software, technician time, user disruption/training). Yes,
        you can build rather than buy to some extent (open source firewalls,
        intrusion detection scripts you design yourself, etc) but that would
        just push up the technician time and expertise requirements to save
        hardware and software costs.  It might be entertaining to totally
        disregard costs in an engineering solution, but it has almost no
        practical value.  Ultimately, resource allocation is the primary
        limiting factor in all engineering designs, so I can't ignore costs in
        proposing any solution.     
        
        Russell Ragar, MCSE+I, CNE, CCNA
        Senior Network Engineer
        PowerTV, Inc.
        
        -----Original Message-----
        From: Chris Scharff [mailto:[EMAIL PROTECTED]]
        Sent: Friday, June 07, 2002 2:37 PM
        To: Exchange Discussions
        Subject: RE: lesser of the evils - ssl or smtp
        
        
        
        -----Original Message-----
        Regarding Outlook Web Access deployments, particularly with Exchange
        2000, I can see a large benefit to deploying a front end server in the
        DMZ which communicates to the Internet client using SSL and the backend
        mailbox servers over HTTP. 
        
        CS: Specifically over a FE server on the internal network?
        
        Not only is there off-loading of the
        encryption processing,
        
        CS: Apparently not over a FE server on the internal network. I too can
        compare apples and pears and claim an apple is a woefully inadequate
        pear.
        
         but it provides you a location for containing
        external attacks.
        
        CS: How specifically are they contained when between my FE server and my
        other E2K servers/AD/DNS servers there are a host of ports open,
        including quite possibly the ports which you used to run your original
        exploit.
        
         Yes, in a sense, all servers in the DMZ are
        sacrificial victims.  The theory is that you keep your sacrificial
        victims in a contained area so they can be monitored carefully and you
        fall back and reformat them as soon as they are compromised.
        
        CS: What are we using to monitor this box specifically and what exploit
        did we use to access the box in the first place (any Exchange version
        443 based
        exploit) that our IDS is going to detect the behavior and alert us?
        
          Obviously
        you need both intrusion detection and host-based firewalling with the
        DMZ (to prevent compromise of the DMZ from host to host).  If there were
        no front-end server (direct OWA access on the mailbox server) you
        couldn't possibly monitor it as well since it is performing many more
        functions. 
        
        CS: This post began with the question of what is the advantage of a
        particular server in a DMZ. Changing the equation to say 'if we add
        this, that and the other, and implement a DMZ we'll be more secure than
        if we just publish our password on the internet' is silly.
        
        Also, you certainly couldn't scrub it easily if it were compromised.
        
        CS: IBID
        
         If you were running a front-end server internally
        (no-DMZ), if that box were compromised it could be used as a staging
        area for an attack on all your internal systems. 
        
        CS: And the FE server in my DMZ couldn't? Puhleese.
        
        So, yes, the
        assumption is that all machines in your DMZ will eventually be
        compromised and they are suspect. 
        
        Okay, given my recommended configuration, the essential problem is that
        the front-end server has to have access to some key internal services in
        order to function. The trick would appear to be to lock down those
        internal services as much as possible and to get a really good intrusion
        detection system that will allow you to shutdown your front-end server
        access to internal services as quickly as possible. 
        
        CS: And I couldn't harden my FE server on the internal network in the
        exact same way? What would be the net increased risk if I were to do so?
        
        Okay, there is a cost associated with providing this type of set up.
        
        CS: Ignore cost, it's a red herring thrown up to say... if I spend more
        money than you, I can design a more secure system then you. If I spend
        the same amount of $ and have the same basic config except my FE server
        is in my internal network specifically and demonstrably how am I less
        secure?
        
        You can't run a front-end server on Exchange 2000 Standard, you'll need
        Enterprise.  You'll need a good firewall.  You'll need good virus
        protection, host-based firewalls, and an intrusion detection system
        (network defenses without intrusion detection is like a city wall with
        no night watch).  None of this is cheap, but that's the price of using
        OWA on the Internet.  If you don't have the money to do it securely,
        don't provide the service.
        
        CS: I'm using OWA on the internet and am quite content with my current
        configuration/ risks. I don't see how simply placing my OWA server in
        the DMZ will make it more secure and your post, while interesting in a
        'it's redundant because it's been covered ad infinitum in the archives'
        kind of way is purely theoretical and demonstrates no intrinsic value
        gained specifically from the placement of the Exchange server in a DMZ
        in my mind.
        
        _________________________________________________________________
        List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
        Archives:               http://www.swynk.com/sitesearch/search.asp
        To unsubscribe:         mailto:[EMAIL PROTECTED]
        Exchange List admin:    [EMAIL PROTECTED]
        
        _________________________________________________________________
        List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
        Archives:               http://www.swynk.com/sitesearch/search.asp
        To unsubscribe:         mailto:[EMAIL PROTECTED]
        Exchange List admin:    [EMAIL PROTECTED]
        
        
        _________________________________________________________________
        List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
        Archives:               http://www.swynk.com/sitesearch/search.asp
        To unsubscribe:         mailto:[EMAIL PROTECTED]
        Exchange List admin:    [EMAIL PROTECTED]
        

.+x )r뺷  ퟘ���   zǭȱr:楞˱m [y z[)rÉ Z Zvh˧+-i٢2̞G(


_________________________________________________________________
List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
Archives:               http://www.swynk.com/sitesearch/search.asp
To unsubscribe:         mailto:[EMAIL PROTECTED]
Exchange List admin:    [EMAIL PROTECTED]

Reply via email to