Unless you're part of a large enterprise spread over different sites, you
have some simple, low cost options.

One thing you can do is put a mail relay, whether it's Qmail or Postfix,
on BSD or Linux, and stick that in your DMZ.  Then, only open the SMTP
port into and out of your DMZ (lock down the rest) for traffic to pass to
your internal mail server.  That opens up a much smaller hole for your
internal systems.

And your DMZ should be secured from both the outside world and your
internal network.  That way, you limit the damage it can do.

Just one solution among many you can try...

Sincerely,

Bryan S. Sampsel
LibertyActivist.org
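To make the DMZ relay idea above concrete, here is a minimal Postfix configuration for the relay host, added as an example (it is not from the thread or from Bryan); the hostname relay.example.com, the domain example.com and the internal mail server address 10.0.0.10 are assumptions. The relay accepts mail for the internal domain and hands it inside, lets only the internal server send out through it, and rejects everything else, so TCP/25 is the only port that has to cross the DMZ/LAN boundary.

```conf
# /etc/postfix/main.cf on the DMZ relay (example; names and addresses assumed)
#
# Matching firewall policy, in words:
#   Internet  -> relay:25        allow
#   relay     -> 10.0.0.10:25    allow   (inbound mail to the internal server)
#   10.0.0.10 -> relay:25        allow   (outbound mail from the internal server)
#   relay     -> Internet:25     allow
#   anything else DMZ <-> LAN    drop
myhostname = relay.example.com
mydomain = example.com
myorigin = $mydomain
inet_interfaces = all

# The relay holds no mailboxes: nothing is delivered locally.
mydestination =
local_recipient_maps =
local_transport = error:local delivery disabled on relay

# Only the internal mail server is trusted to send mail out through us.
mynetworks = 127.0.0.0/8, 10.0.0.10/32

# Inbound: accept mail only for our own domain and route it inside.
relay_domains = $mydomain
transport_maps = hash:/etc/postfix/transport
# Reject unknown recipients here instead of bouncing them later (no backscatter).
relay_recipient_maps = hash:/etc/postfix/relay_recipients

# Trusted internal server may relay anywhere; everyone else only to $mydomain.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination

smtpd_helo_required = yes
disable_vrfy_command = yes

# /etc/postfix/transport   (then run: postmap /etc/postfix/transport)
# example.com    smtp:[10.0.0.10]

# /etc/postfix/relay_recipients   (then run: postmap /etc/postfix/relay_recipients)
# alice@example.com    OK
# bob@example.com      OK
```

The `[10.0.0.10]` bracket form sends directly to the internal server without an MX lookup, so the relay never needs DNS answers from the LAN.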


[EMAIL PROTECTED] wrote:
>     I guess what I'm trying to do is get the most secure option with
> what I have.  I'm at the point now where I think no matter what I'm kinda
> screwed unless I get ISA or something like it implemented.  I'm under
> the impression that IF someone does get past the external firewall
> they'll be able to sniff for credentials/messages or whatever because the
> FE/BE communicate via clear text.  So if I secure the communication
> between FE/BE via IPSEC then IF the front end server is compromised then
> we're screwed once again.
>
>   So what's the better of my options?  Someone suggested using m0n0wall
> or another linux/bsd alternative for ISA.
>
> Miha Pihler <[EMAIL PROTECTED]> wrote:
>   Hi,
>
> The problem that I see in this scenario is that the Front End needs to
> communicate with the Back End Exchange server and domain controllers in
> the LAN. Unfortunately this means that you have to open access from DMZ
> to LAN to (at least) all domain controllers in the same Active Directory
> Site that the Exchange Front End is in -- unless you want to statically
> specify which domain controllers the Front End Server can connect to (not
> recommended).
>
> If you are thinking about IPSec policies in Windows then you have to
> know that IPSec between client (e.g. your Front End Server) and domain
> controller is not supported -- especially if you plan to use IPSec with
> Kerberos authentication.
>
> Things you can do:
> - you can set up IPSec between Front End, Back End and domain controller
>   (but you are not supportable any more)
> - you can fix the ports that Exchange and Active Directory server(s) will
>   use and then open these ports from DMZ to LAN
>
> Still one question remains... What is the DMZ's role in all this? It is
> unfortunately not protecting the LAN :-). Now if someone hacks your server
> (for any reason) -- the attacker can simply use the IPSec connection to
> gain access to the Back End and Active Directory (and if you have an IDS
> it will not even see the attack). Depending on the attack options (did
> the attacker get domain admin permissions) he could simply run dcpromo on
> this server and promote it to domain controller. Now you have a domain
> controller in the DMZ...
>
> Mike
>