You could have searched the MSKB and figured that out. There's plenty of documentation out there...
-----Original Message----- From: Pfefferkorn, Pete (PFEFFEPE) [mailto:[EMAIL PROTECTED]] Sent: Thursday, October 18, 2001 10:00 AM To: Exchange Discussions Subject: RE: Firewall and Exchange Ports. Just a note to everyone. We called Microsoft and inquired what the range for the two random ports were that Exchange allocates to the client once it connects to a socket. According to Microsoft the range is from 1,024 to 64,000. -----Original Message----- From: Don Ely [mailto:[EMAIL PROTECTED]] Sent: Thursday, October 18, 2001 10:16 AM To: Exchange Discussions Subject: RE: Firewall and Exchange Ports. No security consultant I know is going to open holes in the network from the DMZ to the Internal network. Being proficient in both Exchange and Security, I feel sorry for your clients if you suggest the model you propose below to them. I think you ought to study up on security some more... If you open holes from the DMZ to the internal LAN, why in the hell do you have a DMZ. You've made the DMZ virtually pointless. Or did your teacher or book you read say something different. If it were a book that told you to configure things this way, please send me the ISBN number, I really wanna read that book. Apparently, I've been taking the wrong approach for years now. I happen to know of a company who has the same model you describe. After I showed them the security issues, they were desiring a change for the better immediately. -----Original Message----- From: Frank Knobbe [mailto:[EMAIL PROTECTED]] Sent: Wednesday, October 17, 2001 5:47 PM To: Exchange Discussions Subject: RE: Firewall and Exchange Ports. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > -----Original Message----- > From: Ed Crowley [mailto:[EMAIL PROTECTED]] > Sent: Tuesday, October 16, 2001 9:55 PM > > Don't bother. Use a proxy server and publish OWA. Or require SSL and > open port 443. Or implement a VPN. I still think putting an > Exchange front-end > server in a DMZ is kind of silly. Not as silly with Exchange > 2000 as with > Exchange 5.5, but silly nonetheless. Ed, I don't find this silly at all. Let me try to clarify: Scenario A: You have an Internet connection coming to a firewall. Behind the firewall in your internal network you have an Exchange server. You also have a web server (maybe on the same box, maybe different box). You allow HTTPS traffic through the firewall to the web server in the LAN. Scenario B: You have an Internet connection coming to a firewall. Behind the firewall in your internal network you have an Exchange server. In a DMZ segment (which can be a third network card in the firewall, or a segment between two firewalls) you have a web server. HTTPS traffic is allowed to the web server, and required ports (say, RPC, NetBIOS, InfoStore, Directory) are allowed from the web server through the firewall to the Exchange server. Scenario A has following disadvantages: If your web server gets compromised, the hacker is in your internal network. You have no means of further restricting access (besides shutting the server down). Intrusion Detection is almost impossible on the SSL session (unless you terminate SSL on a proxy and go clear text from there). So a compromise can easily go undetected, and the intruder can probe your network and advance access. The primary intrusion containment is all of your internal network. In Scenario B you have following advantages: If your web server gets compromised, the hacker can access everything in the DMZ. He will have to discover the address of the Exchange server (which can be made hard through proper host hardening). Once he has that he can attack the Exchange server, but using Exchange as another stepping stone to gain access to the rest of your network can again be very hard. All those 'hard' items will buy you time. In addition, Intrusion Detection in the DMZ can quickly alert you if it sees 'strange' traffic coming from the web server (say FTP connections, port scans, etc). The primary intrusion containment is only the DMZ. We can even go a step further. Using a host or network based IDS system, you can potentially reconfigure the firewall in an automated fashion to disallow any access from/to the web server in the DMZ. Now even the allowed ports are closed, the attacker has no way into your network. Scenario B buys you time and has far greater potential of protecting your internal network. Now, I'm primarily a security consultant, and less of an Exchange consultant, so I may look at this differently than the average Exchange Admin and mail list member. Reading comments like 'placing OWA into the internal network can secure your DMZ' and 'OWA in the DMZ opens you more up than OWA in your internal network' just make me scream since from a security perspective, they are completely wrong. If anyone wants to seriously discuss this further in a professional manner, please email me offline as I'm not going to enter a silly discussion with armchair security 'experts' on the list. Best regards, Frank -----BEGIN PGP SIGNATURE----- Version: PGP Personal Privacy 6.5.8 Comment: PGP or S/MIME (X.509) encrypted email preferred. iQA/AwUBO84mfpytSsEygtEFEQLS6gCgh9p15rpWGqhxhV91v1t55j3Fy3kAoJyp HALyTWGaYQB8Ihjqgx1hWG71 =ooG7 -----END PGP SIGNATURE----- _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED]
