I will somewhat agree with you there, as I have also experienced that as well. Although I try very hard not to advocate that kind of usage.

In certain circumstances yes; in the case of OWA, I don't think so. Then again, I'm rather uptight when it comes to things like that. ;o)

D

-----Original Message-----
From: Chris Scharff [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 18, 2001 7:23 AM
To: Exchange Discussions
Subject: RE: Firewall and Exchange Ports.

Hmm... I don't know. I think there are instances where a box in the DMZ communicating with the internal network makes sense. I think the number of scenarios where allowing that same box to also talk to an external network makes sense is very small.

> -----Original Message-----
> From: Don Ely [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, October 18, 2001 9:16 AM
> To: Exchange Discussions
> Subject: RE: Firewall and Exchange Ports.
>
> No security consultant I know is going to open holes in the network from the DMZ to the internal network. Being proficient in both Exchange and Security, I feel sorry for your clients if you suggest the model you propose below to them.
>
> I think you ought to study up on security some more...
>
> If you open holes from the DMZ to the internal LAN, why in the hell do you have a DMZ? You've made the DMZ virtually pointless. Or did your teacher or the book you read say something different? If it were a book that told you to configure things this way, please send me the ISBN number; I really wanna read that book. Apparently, I've been taking the wrong approach for years now.
>
> I happen to know of a company who has the same model you describe. After I showed them the security issues, they were desiring a change for the better immediately.
>
> -----Original Message-----
> From: Frank Knobbe [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, October 17, 2001 5:47 PM
> To: Exchange Discussions
> Subject: RE: Firewall and Exchange Ports.
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> > -----Original Message-----
> > From: Ed Crowley [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, October 16, 2001 9:55 PM
> >
> > Don't bother. Use a proxy server and publish OWA. Or require SSL and open port 443. Or implement a VPN. I still think putting an Exchange front-end server in a DMZ is kind of silly. Not as silly with Exchange 2000 as with Exchange 5.5, but silly nonetheless.
>
> Ed,
>
> I don't find this silly at all. Let me try to clarify:
>
> Scenario A:
>
> You have an Internet connection coming to a firewall. Behind the firewall in your internal network you have an Exchange server. You also have a web server (maybe on the same box, maybe a different box). You allow HTTPS traffic through the firewall to the web server in the LAN.
>
> Scenario B:
>
> You have an Internet connection coming to a firewall. Behind the firewall in your internal network you have an Exchange server. In a DMZ segment (which can be a third network card in the firewall, or a segment between two firewalls) you have a web server. HTTPS traffic is allowed to the web server, and the required ports (say, RPC, NetBIOS, InfoStore, Directory) are allowed from the web server through the firewall to the Exchange server.
>
> Scenario A has the following disadvantages:
> If your web server gets compromised, the hacker is in your internal network. You have no means of further restricting access (besides shutting the server down). Intrusion Detection is almost impossible on the SSL session (unless you terminate SSL on a proxy and go clear text from there). So a compromise can easily go undetected, and the intruder can probe your network and advance access. The primary intrusion containment is all of your internal network.
>
> In Scenario B you have the following advantages:
> If your web server gets compromised, the hacker can access everything in the DMZ. He will have to discover the address of the Exchange server (which can be made hard through proper host hardening). Once he has that he can attack the Exchange server, but using Exchange as another stepping stone to gain access to the rest of your network can again be very hard. All those 'hard' items will buy you time. In addition, Intrusion Detection in the DMZ can quickly alert you if it sees 'strange' traffic coming from the web server (say FTP connections, port scans, etc). The primary intrusion containment is only the DMZ.
>
> We can even go a step further. Using a host or network based IDS system, you can potentially reconfigure the firewall in an automated fashion to disallow any access from/to the web server in the DMZ. Now even the allowed ports are closed; the attacker has no way into your network.
>
> Scenario B buys you time and has far greater potential of protecting your internal network.
>
> Now, I'm primarily a security consultant, and less of an Exchange consultant, so I may look at this differently than the average Exchange Admin and mail list member. Reading comments like 'placing OWA into the internal network can secure your DMZ' and 'OWA in the DMZ opens you up more than OWA in your internal network' just makes me scream, since from a security perspective they are completely wrong.
>
> If anyone wants to seriously discuss this further in a professional manner, please email me offline, as I'm not going to enter a silly discussion with armchair security 'experts' on the list.
>
> Best regards,
> Frank
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Personal Privacy 6.5.8
> Comment: PGP or S/MIME (X.509) encrypted email preferred.
>
> iQA/AwUBO84mfpytSsEygtEFEQLS6gCgh9p15rpWGqhxhV91v1t55j3Fy3kAoJyp
> HALyTWGaYQB8Ihjqgx1hWG71
> =ooG7
> -----END PGP SIGNATURE-----
>
> _________________________________________________________________
> List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> Archives: http://www.swynk.com/sitesearch/search.asp
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin: [EMAIL PROTECTED]
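An added example, written here to illustrate Frank's Scenario A versus Scenario B comparison and his automated-response step; it is not code from the thread or from any of its participants. The host names, the probe ports, the two stand-in Exchange ports (135 for RPC, 139 for NetBIOS) and the flow records are all constructed, and the firewall is a deliberately simple host/segment permit model: it treats hosts on the same segment as directly reachable, ignores state, and only models TCP ports. It computes what a compromised web server can reach in each layout, runs a small policy-based detector over flows a DMZ sensor would see, and shows the "close even the allowed ports" quarantine leaving the attacker nothing to cross.

```python
from collections import defaultdict
from dataclasses import dataclass

ANY = "*"


@dataclass(frozen=True)
class Rule:
    """One explicit permit: src/dst are host names or ANY, port is a TCP
    port with 0 meaning any port. Everything not permitted is denied."""
    src: str
    dst: str
    port: int


@dataclass
class Firewall:
    zone_of: dict   # host name -> segment ("internet", "dmz", "lan"); constructed
    rules: list     # explicit permits crossing segments

    def allows(self, src, dst, port):
        # Hosts on the same segment talk directly; the firewall is not in the path.
        if self.zone_of[src] == self.zone_of[dst]:
            return True
        return any(r.src in (ANY, src) and r.dst in (ANY, dst) and r.port in (0, port)
                   for r in self.rules)

    def without_host(self, host):
        """Automated response: a copy with every permit that mentions `host`
        removed, so even the 'allowed' ports are closed."""
        return Firewall(self.zone_of, [r for r in self.rules if host not in (r.src, r.dst)])


def exposure(fw, compromised, ports=(21, 135, 139, 443, 445)):
    """What a compromised host can reach over the probe ports given:
    {host: [reachable ports]}, omitting hosts it cannot reach at all."""
    result = {}
    for host in fw.zone_of:
        if host == compromised:
            continue
        reachable = [p for p in ports if fw.allows(compromised, host, p)]
        if reachable:
            result[host] = reachable
    return result


# Scenario A: the OWA web server sits on the internal LAN next to Exchange.
SCENARIO_A = Firewall(
    zone_of={"inet": "internet", "web": "lan", "exchange": "lan", "fileserver": "lan"},
    rules=[Rule("inet", "web", 443)],
)

# Scenario B: the web server is in a DMZ; only the Exchange ports it needs
# (135 and 139 stand in for the RPC/NetBIOS/InfoStore/Directory list) are
# permitted from it to the Exchange server and nothing else.
SCENARIO_B = Firewall(
    zone_of={"inet": "internet", "web": "dmz", "exchange": "lan", "fileserver": "lan"},
    rules=[Rule("inet", "web", 443), Rule("web", "exchange", 135), Rule("web", "exchange", 139)],
)

# Constructed flow records as a sensor on the DMZ segment would see them leaving
# the web server (attempts are visible there even when the firewall drops them).
FLOWS = [
    "src=web dst=exchange dport=135",
    "src=web dst=exchange dport=139",
    "src=web dst=fileserver dport=21",
    "src=web dst=fileserver dport=22",
    "src=web dst=fileserver dport=23",
    "src=web dst=fileserver dport=25",
    "src=web dst=fileserver dport=80",
]


def parse_flow(line):
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["src"], fields["dst"], int(fields["dport"])


def dmz_alerts(fw, flows, watched="web", scan_threshold=5):
    """Flag traffic from `watched` that the policy does not permit, plus any
    destination it probed on `scan_threshold` or more distinct ports."""
    alerts, probed = [], defaultdict(set)
    for line in flows:
        src, dst, port = parse_flow(line)
        if src != watched:
            continue
        probed[dst].add(port)
        if not fw.allows(src, dst, port):
            alerts.append(f"unexpected {src}->{dst}:{port}")
    for dst, ports in probed.items():
        if len(ports) >= scan_threshold:
            alerts.append(f"port scan {watched}->{dst} ({len(ports)} ports)")
    return alerts


def respond(fw, flows, watched="web"):
    """Run detection and, if anything fires, cut the watched host's permits."""
    alerts = dmz_alerts(fw, flows, watched)
    return alerts, (fw.without_host(watched) if alerts else fw)


if __name__ == "__main__":
    for name, fw in (("A", SCENARIO_A), ("B", SCENARIO_B)):
        print(f"Scenario {name}: compromised web server reaches {exposure(fw, 'web')}")
    alerts, locked = respond(SCENARIO_B, FLOWS)
    print(f"Scenario B alerts: {alerts}")
    print(f"Scenario B after quarantine: {exposure(locked, 'web')}")
```

Running it shows the point of the thread in numbers: in Scenario A the compromised web server reaches every internal host on every port and the policy-based detector has nothing to flag, because all of that traffic is legitimately "allowed"; in Scenario B it reaches only the Exchange ports, the probes toward the file server stand out immediately, and once the response step strips the web server's permits its reachable set is empty.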