For an email gateway to protect your Exchange infrastructure (including antispam and antivirus), and which can be put in the DMZ, there's an open source project called Maia Mailguard. Commercial alternatives include Barracuda's offerings.

On Fri, Jan 27, 2012 at 07:32, [email protected] <[email protected]> wrote:
> I am figuring on putting some kind of smtp/owa forwarding device in the dmz.
> Leave Exchange 2003 or even 2010 out of the DMZ but off my core tellering
> (SQL server) LAN as well just to appease them.
>
> VPN is currently Cisco anyconnect. I am going to add some kind of multi
> factor and ACL to the firewall for those that do get access. As well the
> software or agent that verifies windows updates and virusscan patching prior
> to authentication.
>
> Looking at DLP now. Currently all I do is look at outgoing emails. So
> anything more will be better.
>
> -----Original Message-----
> From: Kurt Buff [mailto:[email protected]]
> Posted At: Friday, January 27, 2012 10:04 AM
> Posted To: [email protected]
> Conversation: DLP, SIEM, Network Access Control, VPN multi factor
> authentication, Moving Exchange into a DMZ
> Subject: Re: DLP, SIEM, Network Access Control, VPN multi factor
> authentication, Moving Exchange into a DMZ
>
> DLP is way more than just restricting access to removable devices.
> http://code.google.com/p/opendlp/
>
> VPN access restrictions such as you mentioned are a good thing. There are
> open source two factor auth solutions.
>
> Exchange doesn't go in a DMZ
>
> On Fri, Jan 27, 2012 at 06:46, [email protected] <[email protected]> wrote:
>> Ok, so we have had an NCUA IT audit and some of the recommendations are
>> as follows:
>>
>> Data Loss Prevention (DLP)
>>
>> The Credit Union should have the ability to use USB storage
>> devices, DVD, and CD drives turned off unless required. With some form
>> of alerting if a user is trying to use those devices without permission.
>>
>> Security Information and Event Management (SIEM) system
>>
>> The Credit Union should have a SIEM system in place to consolidate
>> logs from all devices and applications, encrypt those logs, have real
>> time alerting, and compliance reporting.
>>
>> VPN access
>>
>> The Credit Union should have Network Access Controls such as scanning
>> the connecting machine for correct configuration prior to allowing
>> access to the network, some kind of multi factor token or device, and
>> a more detailed access list on the VPN client area of the firewall.
>>
>> DMZ
>>
>> The Credit Union should move the Microsoft Exchange server into a DMZ
>> of the firewall or industry best practice for proxying email traffic
>> into and out of the DMZ to protect the Credit Union's internal network
>> if a breach occurs on the email system.
>>
>> With all of this being said, can you get me some vendor information
>> about each of these areas. It can be freeware, it can be
>> appliances, it can be anything that is easily manageable.
>>
>> And Management is looking for a quick turn around on this so
>> whitepapers and recommendations first.
>>
>> This is what I sent my software vendors. Did I ask the right questions?
>>
>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>>
>> ---
>> To manage subscriptions click here:
>> http://lyris.sunbelt-software.com/read/my_forums/
>> or send an email to [email protected]
>> with the body: unsubscribe ntsysadmin
