This forum has a higher turnover rate than McDonalds. -----Original Message----- From: Jon Butler [mailto:[EMAIL PROTECTED]] Sent: 08 June 2002 00:53 To: Exchange Discussions Subject: RE: lesser of the evils - ssl or smtp
Yeah, you're right. Even though I posted just my Exchange experience, I probably don't know a thing about other enterprise-level technologies. And I did miss your sarcasm -- sorry for mistaking you for someone that can post without slamming someone. Don't worry dude, they've got operations now that can fix your shortcomings. I'm off this list. I need to find one with less egos and more professionalism ... someplace where ideas are shared, not trampled and pissed on. Maybe I'm just naive. > -----Original Message----- > From: Slinger, Gary [mailto:[EMAIL PROTECTED]] > Sent: Friday, June 07, 2002 6:35 PM > To: Exchange Discussions > Subject: RE: lesser of the evils - ssl or smtp > > > Um, Jon? You posted your experience the other day. I don't > think you get to comment on "large enterprises" and "4 or 5 > nine's" with only "1 to 3" servers in a site... You missed > it, but I was being sarcastic when I asked for your > experience with storage management. Your response kinda > proved my point. > > You're wrong in your statements below - "absolutely necessary > and non-negotiable" FFS! There are SEVERAL people on this > list with REAL deployments that do that and that ARE "large > enterprises". Do you every check where people work or what > their experience is before you post? You might find it > enlightening... > > G. > > > > -----Original Message----- > From: Jon Butler [mailto:[EMAIL PROTECTED]] > Sent: Friday, June 07, 2002 21:34 > To: Exchange Discussions > Subject: RE: lesser of the evils - ssl or smtp > > > Here's what's so sacred: your users' ability to generate > revenue. It's all a matter of perspective -- to someone in a > small office with a handful of users, intrustion detection > and DMZs sound ridiculous, and in a lot of cases probably > are. To someone in a large enterprise envrionment with > uptime requirements of 4 or 5 nine's, it's absolutely > necessary and non-negotiable, and in those situations the > notion of having internet traffic talking directly to an > internal server is about as likely as a CEO forgiving you > when 3000 of your users can't work because you thought all > that extra work was "tiresome." > > > > > -----Original Message----- > > From: Cook, Jason [mailto:[EMAIL PROTECTED]] > > Sent: Friday, June 07, 2002 4:21 PM > > To: Exchange Discussions > > Subject: RE: lesser of the evils - ssl or smtp > > > > > > What is it that's so sacred you're protecting. OWA with > SSL through a > > firewall is adequate for most places. The mail is secure > and that's > > it. Gotta have credentials to get in...so that's it. DMZ > is a waste > > of time to me. Constantly monitoring and patching/fixing dmz boxes > > gets to be tiresome. I mean, they're gonna get blasted for > sure and > > if they get taken out, so does whatever service you're > > running...unless they're redundant. So what's the point? Besides, > > you've opened up 80 to get to the backend Exchange box anyway. > > > > Jason Cook > > J.H. Ellwood and Associates > > Network Administrator > > [EMAIL PROTECTED] > > > > > > -----Original Message----- > > From: Ragar, Russell [mailto:[EMAIL PROTECTED]] > > Sent: Friday, June 07, 2002 3:02 PM > > To: Exchange Discussions > > Subject: RE: lesser of the evils - ssl or smtp > > > > Regarding Outlook Web Access deployments, particularly with > Exchange > > 2000, I can see a large benefit to deploying a front end > server in the > > DMZ which communicates to the Internet client using SSL and the > > backend mailbox servers over HTTP. > > Not only is there off-loading of the encryption processing, > > but it provides you a location for containing external > > attacks. Yes, in a sense, all servers in the DMZ are > > sacrificial victims. The theory is that you keep your > > sacrificial victims in a contained area so they can be > > monitored carefully and you fall back and reformat them as > > soon as they are compromised. Obviously you need both > > intrusion detection and host-based firewalling with the DMZ > > (to prevent compromise of the DMZ from host to host). If > > there were no front-end server (direct OWA access on the > > mailbox server) you couldn't possibly monitor it as well > > since it is performing many more functions. Also, you > > certainly couldn't scrub it easily if it were compromised. > > If you were running a front-end server internally (no-DMZ), > > if that box were compromised it could be used as a staging > > area for an attack on all your internal systems. So, yes, > > the assumption is that all machines in your DMZ will > > eventually be compromised and they are suspect. > > > > Okay, given my recommended configuration, the essential problem is > > that the front-end server has to have access to some key internal > > services in order to function. The trick would appear to be to lock > > down those internal services as much as possible and to get > a really > > good intrusion detection system that will allow you to > shutdown your > > front-end server access to internal services as quickly as possible. > > > > Okay, there is a cost associated with providing this type > of set up. > > You can't run a front-end server on Exchange 2000 Standard, you'll > > need Enterprise. You'll need a good firewall. You'll need > good virus > > protection, host-based firewalls, and an intrusion detection system > > (network defenses without intrusion detection is like a > city wall with > > no night watch). None of this is cheap, but that's the price > > of using OWA on the Internet. If you don't have the money to > > do it securely, don't provide the service. > > > > Russell Ragar, MCSE+I, CNE, CCNA > > Senior Network Engineer > > PowerTV, Inc. > > > > -----Original Message----- > > From: Chris Scharff [mailto:[EMAIL PROTECTED]] > > Sent: Thursday, June 06, 2002 3:05 PM > > To: Exchange Discussions > > Subject: RE: lesser of the evils - ssl or smtp > > > > > > I guess our needs here are somehwat different, perhaps. We > don't use > > Exchange in the DMZ (that's ridiculous overkill) but we do > have relays > > out there ... and we lock 'em down to specific ports internally as > > well. I disagree that it would be "just as harmful as in the DMZ", > > though ... perform a DoS on a box in the DMZ, you only kill > > communications through that one box. DoS the Exchange > Server, bam -- > > you just lost ALL email services. > > > > [CS] What box are you using to relay OWA that wouldn't be just as > > secure on the internal network as it would be in a DMZ? I > can have a > > dedicated OWA server in either location and the net impact to my > > Exchange org seems equivalent. As to SMTP, the same thing > applies IMO. > > If you DoS my SMTP relay, why would the impact be any greater on my > > internal network than in my DMZ. > > > > Granted, we've got more systems to support, but that's the price we > > pay for the security and redundancy that comes with it. > > > > [CS] Your network seems more complex with no demonstrable > additional > > value when compared to my configuration.... for the > scenario as asked. > > > > And Chris, you asked to "demonstrate an exploit" ... we > prefer to not > > wait for one to be demonstrated, but rather do the best we can to > > preemptively protect ourselves before one is found: use > relays in the > > DMZ, and mix relay products so what exploits one may not be > expoitable > > on another. > > > > [CS] But that's not the scenario or question that was asked. > > > > Have > > different flavors of antivirus protection at the relay, > Exchange, and > > at the client. > > > > [CS] I am not opposed to an SMTP relay, it's a sound idea. > I don't see > > much value in putting one in a DMZ really, but an SMTP > relay is much > > different than an Exchange relay which is where this thread > started. > > Apples and Oranges or Horses for Courses. > > > > Like I said before though, it ain't right for everybody ... > it takes > > some bank to make it happen. Our requirements here are a > little more > > anal than others'. > > > > [CS] It's not about money in this case. It's about the scenario as > > presented. > > > > Jon > > > > > > > -----Original Message----- > > > From: Webb, Andy [mailto:[EMAIL PROTECTED]] > > > Sent: Thursday, June 06, 2002 3:38 PM > > > To: Exchange Discussions > > > Subject: RE: lesser of the evils - ssl or smtp > > > > > > > > > On specific ports? Sure, why not? > > > > > > I'd allow 443 to an inside box. It requires authentication > > and it's > > > encrypted. Any vulnerability in the application itself > > would be just > > > as harmful in the DMZ. > > > > > > I'd allow 25 to an inside box. The endpoint is a system > > that accepts > > > the mail and scans it for viruses and malicious content. Any > > > vulnerability in the application would be almost as > harmful in the > > > DMZ. > > > > > > As it stands I have half the number of systems to secure in > > my design > > > as you do in yours. If we both block 98% of the > vulnerabilities on > > > those systems, you're less secure. I contend that I can > do better > > > than you given fewer systems to focus on. > > > > > > Now, I'm not saying that there aren't good uses for a DMZ. > > There are. > > > Exchange just isn't one of them. > > > > > > -----Original Message----- > > > From: Jon Butler [mailto:[EMAIL PROTECTED]] > > > Posted At: Thursday, June 06, 2002 1:53 PM > > > Posted To: Microsoft Exchange > > > Conversation: lesser of the evils - ssl or smtp > > > Subject: RE: lesser of the evils - ssl or smtp > > > > > > > > > So you'd allow "from any" to your inside boxes? That > would keep me > > > awake at night. :) > > > > > > > > > > -----Original Message----- > > > > From: Webb, Andy [mailto:[EMAIL PROTECTED]] > > > > Sent: Thursday, June 06, 2002 2:47 PM > > > > To: Exchange Discussions > > > > Subject: RE: lesser of the evils - ssl or smtp > > > > > > > > > > > > but you're not talking about a good use of the DMZ. the > > > DMZ should be > > > > an end point, not a hop. it doesn't really matter where > > your SMTP > > > > virus scanner sits - you should have one, I agree. but > > on the DMZ > > > > doesn't really make much difference based on your loose > > > restrictions > > > > between the DMZ and the LAN. > > > > > > > > OWA also doesn't make much difference. you have to open up rpc > > > > traffic from the DMZ to the LAN. might as well keep > the DMZ more > > > > secure and put OWA inside. relative security of the LAN is > > > about the > > > > same. > > > > > > > > now, if you want to discuss multiple physical DMZ > > segments, perhaps > > > > it's more interesting, but not much. > > > > > > > > there's quite a lot of this discussion in the archives, by > > > the way. > > > > no new arguments so far. so, if you want to jump forward > > > to the end > > > > of the discussion, look back a couple years. > > > > > > > > ======================================================= > > > > Andy Webb [EMAIL PROTECTED] www.swinc.com > > > > Simpler-Webb, Inc. Austin, TX 512-322-0071 > > > > -- Eating XXX Chili at Texas Chili Parlor since 1989 -- > > > > ======================================================= > > > > > > > > > > > > -----Original Message----- > > > > From: Jon Butler [mailto:[EMAIL PROTECTED]] > > > > Posted At: Thursday, June 06, 2002 1:30 PM > > > > Posted To: Microsoft Exchange > > > > Conversation: lesser of the evils - ssl or smtp > > > > Subject: RE: lesser of the evils - ssl or smtp > > > > > > > > > > > > Perhaps I shouldn't have used the term "rule", but rather > > > perhaps "a > > > > good security practice." It's better to let the kiddies > > > play with a > > > > hardened DMZ bastion then your production Exchange Server > > ... but I > > > > also understand that's often not feasible for smaller > > companies. A > > > > good security paradigm can take some dough. > > > > > > > > > > > > > -----Original Message----- > > > > > From: Cook, Jason [mailto:[EMAIL PROTECTED]] > > > > > Sent: Thursday, June 06, 2002 2:18 PM > > > > > To: Exchange Discussions > > > > > Subject: RE: lesser of the evils - ssl or smtp > > > > > > > > > > > > > > > Seems a little rash mr. butler, a lot of small > companies use the > > > > > scenario presented by Rob Ellis originally. A > firewall, a good > > > > > hardware one anyway is great protection if used > > effectively. OWA > > > > > with ssl is a good and secure solution, so I'm curious as > > > to why you > > > > > > > > believe that it's a "rule" to use a dmz? > > > > > > > > > > > > > > > Jason Cook > > > > > J.H. Ellwood and Associates > > > > > Network Administrator > > > > > [EMAIL PROTECTED] > > > > > > > > > > > > > > > -----Original Message----- > > > > > From: Rob Ellis [mailto:[EMAIL PROTECTED]] > > > > > Sent: Thursday, June 06, 2002 1:06 PM > > > > > To: Exchange Discussions > > > > > Subject: RE: lesser of the evils - ssl or smtp > > > > > > > > > > No, not remote users, server smtp traffic. > > > > > > > > > > We are proposing citrix full desktop, OWA for some remote > > > users, no > > > > > POP/smtp access for end users. > > > > > > > > > > The Webshield I mentioned is as you say, part of TVD. > > > > > > > > > > Our design sounds very much like your setup. > > > > > > > > > > > > > > > Regards, > > > > > > > > > > > > > > > Rob Ellis > > > > > > > > > > -----Original Message----- > > > > > From: Mellott, Bill [mailto:[EMAIL PROTECTED]] > > > > > Sent: 06 June 2002 18:49 > > > > > To: Exchange Discussions > > > > > Subject: RE: lesser of the evils - ssl or smtp > > > > > > > > > > Ill throw in .02 > > > > > > > > > > Assuming you are referring to allowing remote users > to get their > > > > > e-mail. > > > > > > > > > > I'm doing the OWA thing for "remote/roaming" users. > > > > > I do some Citrix for full desktops. > > > > > I do NOT allow users to connect to the exch box at > this time via > > > > > SMTP/POP. > > > > > > > > > > I do at this time use the Simple Webshield product > > > bundled with the > > > > > NIA/Mcafee TVD suite. It does reside on it's own machine. > > > > > so Internet smtp > webshield > Exch. > > > > > yes the webshield sit's before Exch box. > > > > > Yes it provides me with an additional layer of pre exch virus > > > > > protection...works ok yes it also provides some > prefiltering on > > > > > attachments...sucks...does not go any deeper the first > > level i.e. > > > > > FWD> FWD it will miss. > > > > > Note: Their full blown product webshield APP is > > supposed to work > > > > > well..no exp with it, Ill keep my opinions to myself.. > > > > > > > > > > If I had to let user(s) directly get to either port > 110/POP and > > > > > port25/smtp to do their e-mail... > > > > > 1.) I would not ..thats me.. > > > > > 2.) Forced too only via some secure connection like a VPN. > > > > > > > > > > bill > > > > > > > > > > PS for those interested I run the AV product to at the > > file level > > > > > and scan all files on the exchange box with no exceptions. > > > > > ;-) > > > > > > > > > > -----Original Message----- > > > > > From: Bendall, Paul [mailto:[EMAIL PROTECTED]] > > > > > Sent: Thursday, June 06, 2002 1:38 PM > > > > > To: Exchange Discussions > > > > > Subject: RE: lesser of the evils - ssl or smtp > > > > > > > > > > > > > > > Okay I'll add another spanner to your works, I would > > > advise an SMTP > > > > > relay server on your DMZ but I really wouldn't use McAfee > > > Webshield. > > > > > > > > Why I hear you cry for one it is pretty bad at blocking > > > viruses and > > > > > two we have had no end of problems with it crashing or > > > not sending > > > > > to certain domains when it gets a DAT update. Why not use > > > the SMTP > > > > > component of IIS as your SMTP relay server and then use > > > ScanMail or > > > > > Antigen on your Exchange server. Either that or use > someone like > > > > > MessageLabs to outsource your antivirus too. > > > > > > > > > > Regards, > > > > > > > > > > Paul > > > > > > > > > > -----Original Message----- > > > > > From: Rob Ellis [mailto:[EMAIL PROTECTED]] > > > > > Sent: 06 June 2002 18:26 > > > > > To: Exchange Discussions > > > > > Subject: lesser of the evils - ssl or smtp > > > > > > > > > > > > > > > Ok, I've got a couple of scenarios, which of them is the > > > > least risky? > > > > > > > > > > Exchange 2000 mailbox server on the LAN, accepting/making > > > > > connections using SMTP through a firewall to the internet > > > > > > > > > > Exchange 2000 mailbox server on the LAN, accepting SSL > > secured OWA > > > > > > > connections from the internet, again, protected by a firewall. > > > > > > > > > > > > > > > Basically I am being told I may have to do both with > > the same box, > > > > > > > but I'd rather have the smtp traffic going through a DMZ based > > > > > gateway running McAfee Webshield, and let the OWA clients > > > come into > > > > > the internal box over SSL (which I see as less of a risk than > > > > > opening up port 25. > > > > > > > > > > If you had to choose one of the 2 above scenarios, which > > > > would it be? > > > > > > > > > > Regards, > > > > > > > > > > Rob Ellis > > > > > > _________________________________________________________________ > > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > > Archives: http://www.swynk.com/sitesearch/search.asp > > To unsubscribe: mailto:[EMAIL PROTECTED] > > Exchange List admin: [EMAIL PROTECTED] > > > > _________________________________________________________________ > > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > > Archives: http://www.swynk.com/sitesearch/search.asp > > To unsubscribe: mailto:[EMAIL PROTECTED] > > Exchange List admin: [EMAIL PROTECTED] > > > > _________________________________________________________________ > > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > > Archives: http://www.swynk.com/sitesearch/search.asp > > To unsubscribe: mailto:[EMAIL PROTECTED] > > Exchange List admin: [EMAIL PROTECTED] > > > > _________________________________________________________________ > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > Archives: http://www.swynk.com/sitesearch/search.asp > To unsubscribe: mailto:[EMAIL PROTECTED] > Exchange List admin: [EMAIL PROTECTED] > > _________________________________________________________________ > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > Archives: http://www.swynk.com/sitesearch/search.asp > To unsubscribe: mailto:[EMAIL PROTECTED] > Exchange List admin: [EMAIL PROTECTED] > _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED]
