I just answered that. But let me ask you a question. What is the logic of putting an Exchange server in a DMZ?
-----Original Message----- From: Morgan, Joshua [mailto:[EMAIL PROTECTED]] Sent: Monday, June 03, 2002 11:22 AM To: NT 2000 Discussions Subject: RE: Sort of OT: DMZ I only have 2 ports open between the DMZ and the "Real World" and only 3 ports open between DMZ and Inside... Why such a security risk? Joshua Morgan PH: (864) 250-1350 Ext 133 [EMAIL PROTECTED] http://www.profit-lab.com http://ncontrol.info -----Original Message----- From: Martin Blackstone [mailto:[EMAIL PROTECTED]] Sent: Monday, June 03, 2002 2:20 PM To: NT 2000 Discussions Subject: RE: Sort of OT: DMZ You couldn't be putting the server at too much more risk after putting Exchange out there already. The ports that have been opened between the DMZ and the LAN have pretty much negated the security of the DMZ by now. -----Original Message----- From: John Shi [mailto:[EMAIL PROTECTED]] Sent: Monday, June 03, 2002 11:14 AM To: NT 2000 Discussions Subject: RE: Sort of OT: DMZ Tony, I am more focus on the corporate network. When you talk about the security, there is no 100% security. More or less, you are exposing some risk to the outside. On your Linksys, do you open all traffic to your server? You might want to open the ports that is needed for your server to talk to outside. In your situation, your DNS does not even do any zone transfer. You basically use your internal DNS for name resolution. You actually use your secondary DNS for Internet domain name resolution. Suggestions: 1. If you need to do zone transfer, make sure you only open the needed UDP port for DNS zone transfer. 2. Make sure your server is not quite open for attack. Go the advanced property to open only necessarily port to whatever service you need. John Shi -----Original Message----- From: Woods, Tony MHR:EX [mailto:[EMAIL PROTECTED]] Sent: Monday, June 03, 2002 11:03 AM To: NT 2000 Discussions Subject: RE: Sort of OT: DMZ Question then, I have a small AD network at home and behind a Linksys firewall with one external IP. I have the one internal server hosting AD, DNS, DCHP... Etc. On the server, I have the Primary DNS pointing to itself and the secondary DNS pointing to the ISP. All internal machines receive DHCP with only the one DNS setting for the internal server. I can surf from any machine. Am I exposing anything at risk in this scenario? Cheers, Tony -----Original Message----- From: John Shi [mailto:[EMAIL PROTECTED]] Sent: Monday, June 03, 2002 10:52 AM To: NT 2000 Discussions Subject: RE: Sort of OT: DMZ I think it should be ok. Cisco suggests to put DNS on the DMZ. If you put the DNS in the inside network, then you would need to create a static accesss-list on your firewall/router to allow the DNS traffic to go out and come in. When you have a static access list for incoming traffic to come into your inside network, you are exposing your inside network to the outside. That is why it is good to put your DNS in the DMZ. By default, Cisco firewall does not allow DMZ traffic to come into the inside network unless you specifically state it. You can configure other firewalls to do so as well. You basic allow inside to go to DMZ, but not the other way around for security reason. John Shi -----Original Message----- From: Morgan, Joshua [mailto:[EMAIL PROTECTED]] Sent: Monday, June 03, 2002 6:18 AM To: NT 2000 Discussions Subject: Sort of OT: DMZ I have an Exchange Box in my DMZ running SMTP and OWA.... Is there any known problems with Hosting DNS on it ? Joshua Morgan PROFITLAB Senior Network Engineer PH: (864) 250-1350 Ext 133 Fax: (413) 581-4936 [EMAIL PROTECTED] http://www.profit-lab.com http://ncontrol.info The greatest glory is not in never failing, but in rising up every time we fall. -- Confucius ------ You are subscribed as [EMAIL PROTECTED] Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe send a blank email to %%email.unsub%% ------ You are subscribed as [EMAIL PROTECTED] Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe send a blank email to %%email.unsub%% ------ You are subscribed as [EMAIL PROTECTED] Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe send a blank email to %%email.unsub%% ------ You are subscribed as [EMAIL PROTECTED] Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe send a blank email to %%email.unsub%% ------ You are subscribed as [EMAIL PROTECTED] Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe send a blank email to %%email.unsub%% ------ You are subscribed as [EMAIL PROTECTED] Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe send a blank email to %%email.unsub%% ------ You are subscribed as [email protected] Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe send a blank email to [EMAIL PROTECTED]
