That's an unfortunate part of the job we have to accept, yes. Or, hire people under you to keep an eye on it all. :)
> -----Original Message-----
> From: Cook, Jason [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 07, 2002 5:07 PM
> To: Exchange Discussions
> Subject: RE: lesser of the evils - ssl or smtp
>
> I see. What's your take though? Are we babysitters or what?
>
> Jason Cook
> J.H. Ellwood and Associates
> Network Administrator
> [EMAIL PROTECTED]
>
> -----Original Message-----
> From: Jon Butler [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 07, 2002 4:01 PM
> To: Exchange Discussions
> Subject: RE: lesser of the evils - ssl or smtp
>
> I was referring to DMZs in general ...
>
> > -----Original Message-----
> > From: Cook, Jason [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, June 07, 2002 4:52 PM
> > To: Exchange Discussions
> > Subject: RE: lesser of the evils - ssl or smtp
> >
> > What? Can't work...so all people do all day is send emails? In truth, that's all they do but it's not your job to make sure Marge in Accounting gets her baby pictures to her Mom, dig? So what do you mean by can't work...in the context of OWA?
> >
> > Jason Cook
> > J.H. Ellwood and Associates
> > Network Administrator
> > [EMAIL PROTECTED]
> >
> > -----Original Message-----
> > From: Jon Butler [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, June 07, 2002 3:34 PM
> > To: Exchange Discussions
> > Subject: RE: lesser of the evils - ssl or smtp
> >
> > Here's what's so sacred: your users' ability to generate revenue. It's all a matter of perspective -- to someone in a small office with a handful of users, intrusion detection and DMZs sound ridiculous, and in a lot of cases probably are. To someone in a large enterprise environment with uptime requirements of 4 or 5 nines, it's absolutely necessary and non-negotiable, and in those situations the notion of having internet traffic talking directly to an internal server is about as likely as a CEO forgiving you when 3000 of your users can't work because you thought all that extra work was "tiresome."
> >
> > > -----Original Message-----
> > > From: Cook, Jason [mailto:[EMAIL PROTECTED]]
> > > Sent: Friday, June 07, 2002 4:21 PM
> > > To: Exchange Discussions
> > > Subject: RE: lesser of the evils - ssl or smtp
> > >
> > > What is it that's so sacred you're protecting? OWA with SSL through a firewall is adequate for most places. The mail is secure and that's it. Gotta have credentials to get in...so that's it. DMZ is a waste of time to me. Constantly monitoring and patching/fixing dmz boxes gets to be tiresome. I mean, they're gonna get blasted for sure and if they get taken out, so does whatever service you're running...unless they're redundant. So what's the point? Besides, you've opened up 80 to get to the backend Exchange box anyway.
> > >
> > > Jason Cook
> > > J.H. Ellwood and Associates
> > > Network Administrator
> > > [EMAIL PROTECTED]
> > >
> > > -----Original Message-----
> > > From: Ragar, Russell [mailto:[EMAIL PROTECTED]]
> > > Sent: Friday, June 07, 2002 3:02 PM
> > > To: Exchange Discussions
> > > Subject: RE: lesser of the evils - ssl or smtp
> > >
> > > Regarding Outlook Web Access deployments, particularly with Exchange 2000, I can see a large benefit to deploying a front end server in the DMZ which communicates to the Internet client using SSL and the backend mailbox servers over HTTP. Not only is there off-loading of the encryption processing, but it provides you a location for containing external attacks. Yes, in a sense, all servers in the DMZ are sacrificial victims. The theory is that you keep your sacrificial victims in a contained area so they can be monitored carefully and you fall back and reformat them as soon as they are compromised. Obviously you need both intrusion detection and host-based firewalling with the DMZ (to prevent compromise of the DMZ from host to host). If there were no front-end server (direct OWA access on the mailbox server) you couldn't possibly monitor it as well since it is performing many more functions. Also, you certainly couldn't scrub it easily if it were compromised. If you were running a front-end server internally (no-DMZ), if that box were compromised it could be used as a staging area for an attack on all your internal systems. So, yes, the assumption is that all machines in your DMZ will eventually be compromised and they are suspect.
> > >
> > > Okay, given my recommended configuration, the essential problem is that the front-end server has to have access to some key internal services in order to function. The trick would appear to be to lock down those internal services as much as possible and to get a really good intrusion detection system that will allow you to shutdown your front-end server access to internal services as quickly as possible.
> > >
> > > Okay, there is a cost associated with providing this type of set up. You can't run a front-end server on Exchange 2000 Standard, you'll need Enterprise. You'll need a good firewall. You'll need good virus protection, host-based firewalls, and an intrusion detection system (network defenses without intrusion detection is like a city wall with no night watch). None of this is cheap, but that's the price of using OWA on the Internet. If you don't have the money to do it securely, don't provide the service.
> > >
> > > Russell Ragar, MCSE+I, CNE, CCNA
> > > Senior Network Engineer
> > > PowerTV, Inc.
> > >
> > > -----Original Message-----
> > > From: Chris Scharff [mailto:[EMAIL PROTECTED]]
> > > Sent: Thursday, June 06, 2002 3:05 PM
> > > To: Exchange Discussions
> > > Subject: RE: lesser of the evils - ssl or smtp
> > >
> > > I guess our needs here are somewhat different, perhaps. We don't use Exchange in the DMZ (that's ridiculous overkill) but we do have relays out there ... and we lock 'em down to specific ports internally as well. I disagree that it would be "just as harmful as in the DMZ", though ... perform a DoS on a box in the DMZ, you only kill communications through that one box. DoS the Exchange Server, bam -- you just lost ALL email services.
> > >
> > > [CS] What box are you using to relay OWA that wouldn't be just as secure on the internal network as it would be in a DMZ? I can have a dedicated OWA server in either location and the net impact to my Exchange org seems equivalent. As to SMTP, the same thing applies IMO. If you DoS my SMTP relay, why would the impact be any greater on my internal network than in my DMZ?
> > >
> > > Granted, we've got more systems to support, but that's the price we pay for the security and redundancy that comes with it.
> > >
> > > [CS] Your network seems more complex with no demonstrable additional value when compared to my configuration.... for the scenario as asked.
> > >
> > > And Chris, you asked to "demonstrate an exploit" ... we prefer to not wait for one to be demonstrated, but rather do the best we can to preemptively protect ourselves before one is found: use relays in the DMZ, and mix relay products so what exploits one may not be exploitable on another.
> > >
> > > [CS] But that's not the scenario or question that was asked.
> > >
> > > Have different flavors of antivirus protection at the relay, Exchange, and at the client.
> > >
> > > [CS] I am not opposed to an SMTP relay, it's a sound idea. I don't see much value in putting one in a DMZ really, but an SMTP relay is much different than an Exchange relay which is where this thread started. Apples and Oranges or Horses for Courses.
> > >
> > > Like I said before though, it ain't right for everybody ... it takes some bank to make it happen. Our requirements here are a little more anal than others'.
> > >
> > > [CS] It's not about money in this case. It's about the scenario as presented.
> > >
> > > Jon
> > >
> > > > -----Original Message-----
> > > > From: Webb, Andy [mailto:[EMAIL PROTECTED]]
> > > > Sent: Thursday, June 06, 2002 3:38 PM
> > > > To: Exchange Discussions
> > > > Subject: RE: lesser of the evils - ssl or smtp
> > > >
> > > > On specific ports? Sure, why not?
> > > >
> > > > I'd allow 443 to an inside box. It requires authentication and it's encrypted. Any vulnerability in the application itself would be just as harmful in the DMZ.
> > > >
> > > > I'd allow 25 to an inside box. The endpoint is a system that accepts the mail and scans it for viruses and malicious content. Any vulnerability in the application would be almost as harmful in the DMZ.
> > > >
> > > > As it stands I have half the number of systems to secure in my design as you do in yours. If we both block 98% of the vulnerabilities on those systems, you're less secure. I contend that I can do better than you given fewer systems to focus on.
> > > >
> > > > Now, I'm not saying that there aren't good uses for a DMZ. There are. Exchange just isn't one of them.
> > > >
> > > > -----Original Message-----
> > > > From: Jon Butler [mailto:[EMAIL PROTECTED]]
> > > > Posted At: Thursday, June 06, 2002 1:53 PM
> > > > Posted To: Microsoft Exchange
> > > > Conversation: lesser of the evils - ssl or smtp
> > > > Subject: RE: lesser of the evils - ssl or smtp
> > > >
> > > > So you'd allow "from any" to your inside boxes? That would keep me awake at night. :)
> > > >
> > > > > -----Original Message-----
> > > > > From: Webb, Andy [mailto:[EMAIL PROTECTED]]
> > > > > Sent: Thursday, June 06, 2002 2:47 PM
> > > > > To: Exchange Discussions
> > > > > Subject: RE: lesser of the evils - ssl or smtp
> > > > >
> > > > > but you're not talking about a good use of the DMZ. the DMZ should be an end point, not a hop. it doesn't really matter where your SMTP virus scanner sits - you should have one, I agree. but on the DMZ doesn't really make much difference based on your loose restrictions between the DMZ and the LAN.
> > > > >
> > > > > OWA also doesn't make much difference. you have to open up rpc traffic from the DMZ to the LAN. might as well keep the DMZ more secure and put OWA inside. relative security of the LAN is about the same.
> > > > >
> > > > > now, if you want to discuss multiple physical DMZ segments, perhaps it's more interesting, but not much.
> > > > >
> > > > > there's quite a lot of this discussion in the archives, by the way. no new arguments so far. so, if you want to jump forward to the end of the discussion, look back a couple years.
> > > > >
> > > > > =======================================================
> > > > > Andy Webb [EMAIL PROTECTED] www.swinc.com
> > > > > Simpler-Webb, Inc. Austin, TX 512-322-0071
> > > > > -- Eating XXX Chili at Texas Chili Parlor since 1989 --
> > > > > =======================================================
> > > > >
> > > > > -----Original Message-----
> > > > > From: Jon Butler [mailto:[EMAIL PROTECTED]]
> > > > > Posted At: Thursday, June 06, 2002 1:30 PM
> > > > > Posted To: Microsoft Exchange
> > > > > Conversation: lesser of the evils - ssl or smtp
> > > > > Subject: RE: lesser of the evils - ssl or smtp
> > > > >
> > > > > Perhaps I shouldn't have used the term "rule", but rather perhaps "a good security practice." It's better to let the kiddies play with a hardened DMZ bastion than your production Exchange Server ... but I also understand that's often not feasible for smaller companies. A good security paradigm can take some dough.
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Cook, Jason [mailto:[EMAIL PROTECTED]]
> > > > > > Sent: Thursday, June 06, 2002 2:18 PM
> > > > > > To: Exchange Discussions
> > > > > > Subject: RE: lesser of the evils - ssl or smtp
> > > > > >
> > > > > > Seems a little rash, Mr. Butler, a lot of small companies use the scenario presented by Rob Ellis originally. A firewall, a good hardware one anyway, is great protection if used effectively. OWA with ssl is a good and secure solution, so I'm curious as to why you believe that it's a "rule" to use a dmz?
> > > > > >
> > > > > > Jason Cook
> > > > > > J.H. Ellwood and Associates
> > > > > > Network Administrator
> > > > > > [EMAIL PROTECTED]
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Rob Ellis [mailto:[EMAIL PROTECTED]]
> > > > > > Sent: Thursday, June 06, 2002 1:06 PM
> > > > > > To: Exchange Discussions
> > > > > > Subject: RE: lesser of the evils - ssl or smtp
> > > > > >
> > > > > > No, not remote users, server smtp traffic.
> > > > > >
> > > > > > We are proposing citrix full desktop, OWA for some remote users, no POP/smtp access for end users.
> > > > > >
> > > > > > The Webshield I mentioned is as you say, part of TVD.
> > > > > >
> > > > > > Our design sounds very much like your setup.
> > > > > >
> > > > > > Regards,
> > > > > >
> > > > > > Rob Ellis
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Mellott, Bill [mailto:[EMAIL PROTECTED]]
> > > > > > Sent: 06 June 2002 18:49
> > > > > > To: Exchange Discussions
> > > > > > Subject: RE: lesser of the evils - ssl or smtp
> > > > > >
> > > > > > I'll throw in .02
> > > > > >
> > > > > > Assuming you are referring to allowing remote users to get their e-mail.
> > > > > >
> > > > > > I'm doing the OWA thing for "remote/roaming" users.
> > > > > > I do some Citrix for full desktops.
> > > > > > I do NOT allow users to connect to the exch box at this time via SMTP/POP.
> > > > > >
> > > > > > I do at this time use the Simple Webshield product bundled with the NIA/Mcafee TVD suite. It does reside on its own machine.
> > > > > > so Internet smtp > webshield > Exch.
> > > > > > yes the webshield sits before Exch box.
> > > > > > Yes it provides me with an additional layer of pre exch virus protection...works ok yes it also provides some prefiltering on attachments...sucks...does not go any deeper than the first level i.e. FWD> FWD it will miss.
> > > > > > Note: Their full blown product webshield APP is supposed to work well..no exp with it, I'll keep my opinions to myself..
> > > > > >
> > > > > > If I had to let user(s) directly get to either port 110/POP and port25/smtp to do their e-mail...
> > > > > > 1.) I would not ..that's me..
> > > > > > 2.) Forced to only via some secure connection like a VPN.
> > > > > >
> > > > > > bill
> > > > > >
> > > > > > PS for those interested I run the AV product too at the file level and scan all files on the exchange box with no exceptions. ;-)
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Bendall, Paul [mailto:[EMAIL PROTECTED]]
> > > > > > Sent: Thursday, June 06, 2002 1:38 PM
> > > > > > To: Exchange Discussions
> > > > > > Subject: RE: lesser of the evils - ssl or smtp
> > > > > >
> > > > > > Okay I'll add another spanner to your works, I would advise an SMTP relay server on your DMZ but I really wouldn't use McAfee Webshield. Why, I hear you cry? For one it is pretty bad at blocking viruses and two we have had no end of problems with it crashing or not sending to certain domains when it gets a DAT update. Why not use the SMTP component of IIS as your SMTP relay server and then use ScanMail or Antigen on your Exchange server. Either that or use someone like MessageLabs to outsource your antivirus to.
> > > > > >
> > > > > > Regards,
> > > > > >
> > > > > > Paul
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Rob Ellis [mailto:[EMAIL PROTECTED]]
> > > > > > Sent: 06 June 2002 18:26
> > > > > > To: Exchange Discussions
> > > > > > Subject: lesser of the evils - ssl or smtp
> > > > > >
> > > > > > Ok, I've got a couple of scenarios, which of them is the least risky?
> > > > > >
> > > > > > Exchange 2000 mailbox server on the LAN, accepting/making connections using SMTP through a firewall to the internet
> > > > > >
> > > > > > Exchange 2000 mailbox server on the LAN, accepting SSL secured OWA connections from the internet, again, protected by a firewall.
> > > > > >
> > > > > > Basically I am being told I may have to do both with the same box, but I'd rather have the smtp traffic going through a DMZ based gateway running McAfee Webshield, and let the OWA clients come into the internal box over SSL (which I see as less of a risk than opening up port 25).
> > > > > >
> > > > > > If you had to choose one of the 2 above scenarios, which would it be?
> > > > > >
> > > > > > Regards,
> > > > > >
> > > > > > Rob Ellis
> > >
> > > _________________________________________________________________
> > > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> > > Archives: http://www.swynk.com/sitesearch/search.asp
> > > To unsubscribe: mailto:[EMAIL PROTECTED]
> > > Exchange List admin: [EMAIL PROTECTED]
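Russell Ragar's containment argument (DMZ front end as a monitored sacrificial victim, IDS cuts it off from the LAN) and Andy Webb's rebuttal (the front end has to open holes into the LAN anyway) can both be checked against a small allow-list policy model. This is an added example, not code from anyone in the thread; the host names, zones and the ports the front end is assumed to need (HTTP to the mailbox servers, LDAP to a domain controller) are constructed.

```python
"""Zone/firewall policy model for the OWA front-end debate in this thread.
Constructed example, not any poster's network: host names, zones and the
'key internal services' the front end needs are illustrative assumptions.
Anything not explicitly allowed is denied, as a firewall would do."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str   # source host or zone name
    dst: str   # destination host or zone name
    port: int  # TCP port; 0 means any port

class Network:
    def __init__(self, zone_of, rules):
        self.zone_of = dict(zone_of)  # host -> zone
        self.rules = list(rules)      # allow rules only

    def _matches(self, name, host):
        return name == host or name == self.zone_of[host]

    def allows(self, src, dst, port):
        """True if some allow rule permits src -> dst:port."""
        return any(self._matches(r.src, src) and self._matches(r.dst, dst)
                   and r.port in (0, port) for r in self.rules)

    def reachable_from(self, host, ports):
        """Other hosts `host` can connect to on any of `ports`: the blast
        radius once that box is the compromised 'sacrificial victim'."""
        return sorted(h for h in self.zone_of if h != host
                      and any(self.allows(host, h, p) for p in ports))

    def cut_off_from_lan(self, host):
        """Ragar's IDS response: revoke every rule letting `host` (or its
        zone) reach anything in the LAN, leaving other rules intact."""
        self.rules = [r for r in self.rules if not (
            self._matches(r.src, host)
            and (r.dst == "LAN" or self.zone_of.get(r.dst) == "LAN"))]

LAN_HOSTS = {"mbx1": "LAN", "mbx2": "LAN", "dc1": "LAN", "files": "LAN"}
PROBE_PORTS = [25, 80, 389, 445]  # ports a compromised box might try

def dmz_design():
    """Ragar: OWA front end and SMTP relay in a DMZ, narrow holes into the
    LAN, no DMZ host-to-host traffic (host-based firewalls)."""
    zones = {"internet": "Internet", "owa-fe": "DMZ", "relay": "DMZ", **LAN_HOSTS}
    rules = [Rule("Internet", "owa-fe", 443), Rule("Internet", "relay", 25),
             Rule("owa-fe", "mbx1", 80), Rule("owa-fe", "mbx2", 80),
             Rule("owa-fe", "dc1", 389), Rule("relay", "mbx1", 25),
             Rule("LAN", "LAN", 0)]
    return Network(zones, rules)

def inside_design():
    """Webb: 443 and 25 terminate on boxes inside the LAN; fewer systems to
    secure, but the exposed box sits among everything else."""
    zones = {"internet": "Internet", "owa": "LAN", **LAN_HOSTS}
    rules = [Rule("Internet", "owa", 443), Rule("Internet", "mbx1", 25),
             Rule("LAN", "LAN", 0)]
    return Network(zones, rules)
```

On the DMZ design, `reachable_from("owa-fe", PROBE_PORTS)` still lists both mailbox servers and the DC (Webb's point), while `cut_off_from_lan("owa-fe")` empties that list without touching the relay's path, which is what Ragar's IDS-triggered shutdown buys.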