So you'd allow "from any" to your inside boxes? That would keep me awake at night. :)

> -----Original Message-----
> From: Webb, Andy [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 06, 2002 2:47 PM
> To: Exchange Discussions
> Subject: RE: lesser of the evils - ssl or smtp
>
> but you're not talking about a good use of the DMZ. the DMZ
> should be an end point, not a hop. it doesn't really matter
> where your SMTP virus scanner sits - you should have one, I
> agree. but on the DMZ doesn't really make much difference
> based on your loose restrictions between the DMZ and the LAN.
>
> OWA also doesn't make much difference. you have to open up
> rpc traffic from the DMZ to the LAN. might as well keep the
> DMZ more secure and put OWA inside. relative security of the
> LAN is about the same.
>
> now, if you want to discuss multiple physical DMZ segments,
> perhaps it's more interesting, but not much.
>
> there's quite a lot of this discussion in the archives, by
> the way. no new arguments so far. so, if you want to jump
> forward to the end of the discussion, look back a couple years.
>
> =======================================================
> Andy Webb [EMAIL PROTECTED] www.swinc.com
> Simpler-Webb, Inc. Austin, TX 512-322-0071
> -- Eating XXX Chili at Texas Chili Parlor since 1989 --
> =======================================================
>
> -----Original Message-----
> From: Jon Butler [mailto:[EMAIL PROTECTED]]
> Posted At: Thursday, June 06, 2002 1:30 PM
> Posted To: Microsoft Exchange
> Conversation: lesser of the evils - ssl or smtp
> Subject: RE: lesser of the evils - ssl or smtp
>
> Perhaps I shouldn't have used the term "rule", but rather
> perhaps "a good security practice." It's better to let the
> kiddies play with a hardened DMZ bastion than your production
> Exchange Server ... but I also understand that's often not
> feasible for smaller companies. A good security paradigm can
> take some dough.
>
> > -----Original Message-----
> > From: Cook, Jason [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, June 06, 2002 2:18 PM
> > To: Exchange Discussions
> > Subject: RE: lesser of the evils - ssl or smtp
> >
> > Seems a little rash Mr. Butler, a lot of small companies use
> > the scenario presented by Rob Ellis originally. A firewall,
> > a good hardware one anyway, is great protection if used
> > effectively. OWA with ssl is a good and secure solution, so
> > I'm curious as to why you believe that it's a "rule" to use a dmz?
> >
> > Jason Cook
> > J.H. Ellwood and Associates
> > Network Administrator
> > [EMAIL PROTECTED]
> >
> > -----Original Message-----
> > From: Rob Ellis [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, June 06, 2002 1:06 PM
> > To: Exchange Discussions
> > Subject: RE: lesser of the evils - ssl or smtp
> >
> > No, not remote users, server smtp traffic.
> >
> > We are proposing citrix full desktop, OWA for some remote
> > users, no POP/smtp access for end users.
> >
> > The Webshield I mentioned is as you say, part of TVD.
> >
> > Our design sounds very much like your setup.
> >
> > Regards,
> >
> > Rob Ellis
> >
> > -----Original Message-----
> > From: Mellott, Bill [mailto:[EMAIL PROTECTED]]
> > Sent: 06 June 2002 18:49
> > To: Exchange Discussions
> > Subject: RE: lesser of the evils - ssl or smtp
> >
> > I'll throw in .02
> >
> > Assuming you are referring to allowing remote users to get
> > their e-mail.
> >
> > I'm doing the OWA thing for "remote/roaming" users.
> > I do some Citrix for full desktops.
> > I do NOT allow users to connect to the exch box at this time
> > via SMTP/POP.
> >
> > I do at this time use the Simple Webshield product bundled
> > with the NIA/Mcafee TVD suite. It does reside on its own machine.
> > so Internet smtp > webshield > Exch.
> > yes the webshield sits before Exch box.
> > Yes it provides me with an additional layer of pre exch virus
> > protection...works ok yes it also provides some prefiltering
> > on attachments...sucks...does not go any deeper than the first
> > level i.e. FWD> FWD it will miss.
> > Note: Their full blown product webshield APP is supposed to
> > work well..no exp with it, I'll keep my opinions to myself..
> >
> > If I had to let user(s) directly get to either port 110/POP
> > and port25/smtp to do their e-mail...
> > 1.) I would not ..that's me..
> > 2.) Forced to only via some secure connection like a VPN.
> >
> > bill
> >
> > PS for those interested I run the AV product too at the file
> > level and scan all files on the exchange box with no exceptions.
> > ;-)
> >
> > -----Original Message-----
> > From: Bendall, Paul [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, June 06, 2002 1:38 PM
> > To: Exchange Discussions
> > Subject: RE: lesser of the evils - ssl or smtp
> >
> > Okay I'll add another spanner to your works, I would advise
> > an SMTP relay server on your DMZ but I really wouldn't use
> > McAfee Webshield. Why, I hear you cry? For one, it is pretty bad
> > at blocking viruses, and two, we have had no end of problems
> > with it crashing or not sending to certain domains when it
> > gets a DAT update. Why not use the SMTP component of IIS as
> > your SMTP relay server and then use ScanMail or Antigen on
> > your Exchange server. Either that or use someone like
> > MessageLabs to outsource your antivirus too.
> >
> > Regards,
> >
> > Paul
> >
> > -----Original Message-----
> > From: Rob Ellis [mailto:[EMAIL PROTECTED]]
> > Sent: 06 June 2002 18:26
> > To: Exchange Discussions
> > Subject: lesser of the evils - ssl or smtp
> >
> > Ok, I've got a couple of scenarios, which of them is the least risky?
> >
> > Exchange 2000 mailbox server on the LAN, accepting/making
> > connections using SMTP through a firewall to the internet
> >
> > Exchange 2000 mailbox server on the LAN, accepting SSL
> > secured OWA connections from the internet, again, protected
> > by a firewall.
> >
> > Basically I am being told I may have to do both with the same
> > box, but I'd rather have the smtp traffic going through a DMZ
> > based gateway running McAfee Webshield, and let the OWA
> > clients come into the internal box over SSL (which I see as
> > less of a risk than opening up port 25).
> >
> > If you had to choose one of the 2 above scenarios, which would it be?
> >
> > Regards,
> >
> > Rob Ellis
> >
> > _________________________________________________________________
> > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> > Archives: http://www.swynk.com/sitesearch/search.asp
> > To unsubscribe: mailto:[EMAIL PROTECTED]
> > Exchange List admin: [EMAIL PROTECTED]
> >
> > ----------------------------------------------------------------------
> > If you have received this e-mail in error or wish to read our e-mail
> > disclaimer statement and monitoring policy, please refer to
> > http://www.drkw.com/disc/email/ or contact the sender.