True indeed.  I support about half and half in terms of mobile and static
users.  So, it's appropriate for us but internal email isn't that critical
to us.  Once internet email goes down that's where the rub is.  So to the
user here, it doesn't matter that internal email is working.  If internet
email goes down or they can't access it from the road, they don't know or
care whether it's the dmz box or the mail server.  That's why there's
backups.  Either way, you're rebuilding a server right?   

Jason Cook 
J.H. Ellwood and Associates 
Network Administrator 
[EMAIL PROTECTED] 


-----Original Message-----
From: Ragar, Russell [mailto:[EMAIL PROTECTED]] 
Sent: Friday, June 07, 2002 4:11 PM
To: Exchange Discussions
Subject: RE: lesser of the evils - ssl or smtp

Okay, I'll bite.  Your original point was there was no advantage over a
front-end server from a hacking perspective since if it were compromised
you'd have to take OWA down.  But without a front-end server, you'd have
to take the mailbox server down.  So I'd say that Jon Butler's response
is completely appropriate.  

But further, my users are highly mobile.  Many telecommute.  Others
travel a lot and are in client sites.  Internet OWA is production for
us.  Perhaps it's not really needed in your environment?  It depends on
your client base.  

Russell Ragar, MCSE+I, CNE, CCNA
Senior Network Engineer
PowerTV, Inc.  
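An added example, not code from any poster in this thread: a small reachability model of the two designs argued over here, Rob's "same box" scenario (OWA over SSL and SMTP straight to the LAN mailbox server) against Russell's DMZ front-end plus DMZ SMTP relay. Host names, zones and port numbers are assumptions; the model reports which services are exposed straight to the Internet and how many hosts must be held before each LAN server is reachable, which is the "DMZ as a hop" point Andy and Russell disagree on.

```python
"""Reachability model of the two OWA/SMTP designs debated in this thread.

Constructed for illustration; host names, zones and ports are assumptions,
not any poster's network. A rule is (source, destination, port); the source
is a host name or a zone name (then it applies to every host in that zone).
A host counts as "held" once any service on it is reached, and a held host
may originate every flow its rules allow.
"""
from collections import deque

ZONES = {
    "internet": "internet",
    "owa-fe": "dmz", "smtp-relay": "dmz",            # DMZ bastions (design B only)
    "exch-mbx": "lan", "dc": "lan", "file-srv": "lan",
}

# Design A: one LAN mailbox server takes both OWA/SSL and SMTP from the Internet.
DIRECT = [
    ("internet", "exch-mbx", 443), ("internet", "exch-mbx", 25),
    ("lan", "dc", 389), ("lan", "file-srv", 445), ("lan", "exch-mbx", 25),
]

# Design B: DMZ OWA front-end and DMZ SMTP relay. Each DMZ host may open only
# the LAN ports it needs, and host-based firewalls block DMZ-to-DMZ traffic.
FRONT_END = [
    ("internet", "owa-fe", 443), ("internet", "smtp-relay", 25),
    ("owa-fe", "exch-mbx", 80), ("owa-fe", "dc", 389),   # back-end HTTP + AD lookups
    ("smtp-relay", "exch-mbx", 25),
    ("lan", "dc", 389), ("lan", "file-srv", 445), ("lan", "exch-mbx", 25),
]

def compromise_depth(rules, start="internet"):
    """Map each reachable (host, port) to its depth: 1 = exposed straight to
    `start`, 2 = reachable only after one exposed host is held, and so on."""
    depth, held, queue = {}, {start: 0}, deque([start])
    while queue:                                   # BFS gives minimum depths
        src = queue.popleft()
        for rule_src, dst, port in rules:
            if rule_src not in (src, ZONES[src]) or dst == src:
                continue
            d = held[src] + 1
            depth[(dst, port)] = min(d, depth.get((dst, port), d))
            if dst not in held:
                held[dst] = d
                queue.append(dst)
    return depth

def summary(rules):
    """Internet-exposed services, and the depth at which each LAN host is first reached."""
    depth = compromise_depth(rules)
    exposed = sorted(f"{h}:{p}" for (h, p), d in depth.items() if d == 1)
    lan = {h: min(d for (hh, _), d in depth.items() if hh == h)
           for h in ZONES if ZONES[h] == "lan" and any(hh == h for hh, _ in depth)}
    return exposed, lan

if __name__ == "__main__":
    for name, rules in (("direct", DIRECT), ("front-end", FRONT_END)):
        exposed, lan = summary(rules)
        print(f"{name:10} exposed={exposed} lan_depth={lan}")
```

Under these assumed rules the mailbox server itself is Internet-facing in design A (depth 1), while in design B it is only reached after the front-end or relay is held (depth 2), and the front-end still needs its AD and back-end HTTP ports open, which is the "key internal services" Russell says must be locked down and watched.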

-----Original Message-----
From: Cook, Jason [mailto:[EMAIL PROTECTED]] 
Sent: Friday, June 07, 2002 1:52 PM
To: Exchange Discussions
Subject: RE: lesser of the evils - ssl or smtp


What?  Can't work...so all people do all day is send emails?  In truth,
that's all they do but it's not your job to make sure Marge in
Accounting gets her baby pictures to her Mom, dig?  So what do you mean
by can't work...in the context of OWA?

Jason Cook 
J.H. Ellwood and Associates 
Network Administrator 
[EMAIL PROTECTED] 


-----Original Message-----
From: Jon Butler [mailto:[EMAIL PROTECTED]] 
Sent: Friday, June 07, 2002 3:34 PM
To: Exchange Discussions
Subject: RE: lesser of the evils - ssl or smtp

Here's what's so sacred: your users' ability to generate revenue.  It's
all a matter of perspective -- to someone in a small office with a
handful of users, intrusion detection and DMZs sound ridiculous, and in
a lot of cases probably are.  To someone in a large enterprise
environment with uptime requirements of 4 or 5 nines, it's absolutely
necessary and non-negotiable, and in those situations the notion of
having internet traffic talking directly to an internal server is about
as likely as a CEO forgiving you when 3000 of your users can't work
because you thought all that extra work was "tiresome."



> -----Original Message-----
> From: Cook, Jason [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 07, 2002 4:21 PM
> To: Exchange Discussions
> Subject: RE: lesser of the evils - ssl or smtp
> 
> 
> What is it that's so sacred you're protecting.  OWA with SSL
> through a firewall is adequate for most places.  The mail is 
> secure and that's it. Gotta have credentials to get in...so 
> that's it.  DMZ is a waste of time to me.  Constantly 
> monitoring and patching/fixing dmz boxes gets to be tiresome. 
>  I mean, they're gonna get blasted for sure and if they get 
> taken out, so does whatever service you're running...unless 
> they're redundant.  So what's the point?  Besides, you've 
> opened up 80 to get to the backend Exchange box anyway.
> 
> Jason Cook
> J.H. Ellwood and Associates 
> Network Administrator 
> [EMAIL PROTECTED] 
> 
> 
> -----Original Message-----
> From: Ragar, Russell [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 07, 2002 3:02 PM
> To: Exchange Discussions
> Subject: RE: lesser of the evils - ssl or smtp
> 
> Regarding Outlook Web Access deployments, particularly with
> Exchange 2000, I can see a large benefit to deploying a front 
> end server in the DMZ which communicates to the Internet 
> client using SSL and the backend mailbox servers over HTTP.  
> Not only is there off-loading of the encryption processing, 
> but it provides you a location for containing external 
> attacks.  Yes, in a sense, all servers in the DMZ are 
> sacrificial victims.  The theory is that you keep your 
> sacrificial victims in a contained area so they can be 
> monitored carefully and you fall back and reformat them as 
> soon as they are compromised.  Obviously you need both 
> intrusion detection and host-based firewalling with the DMZ 
> (to prevent compromise of the DMZ from host to host).  If 
> there were no front-end server (direct OWA access on the 
> mailbox server) you couldn't possibly monitor it as well 
> since it is performing many more functions.  Also, you 
> certainly couldn't scrub it easily if it were compromised.  
> If you were running a front-end server internally (no-DMZ), 
> if that box were compromised it could be used as a staging 
> area for an attack on all your internal systems.  So, yes, 
> the assumption is that all machines in your DMZ will 
> eventually be compromised and they are suspect.  
> 
> Okay, given my recommended configuration, the essential
> problem is that the front-end server has to have access to 
> some key internal services in order to function. The trick 
> would appear to be to lock down those internal services as 
> much as possible and to get a really good intrusion detection 
> system that will allow you to shutdown your front-end server 
> access to internal services as quickly as possible.  
> 
> Okay, there is a cost associated with providing this type of
> set up. You can't run a front-end server on Exchange 2000 
> Standard, you'll need Enterprise.  You'll need a good 
> firewall.  You'll need good virus protection, host-based 
> firewalls, and an intrusion detection system (network 
> defenses without intrusion detection is like a city wall with 
> no night watch).  None of this is cheap, but that's the price 
> of using OWA on the Internet.  If you don't have the money to 
> do it securely, don't provide the service. 
> 
> Russell Ragar, MCSE+I, CNE, CCNA
> Senior Network Engineer
> PowerTV, Inc.
> 
> -----Original Message-----
> From: Chris Scharff [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 06, 2002 3:05 PM
> To: Exchange Discussions
> Subject: RE: lesser of the evils - ssl or smtp
> 
> 
> I guess our needs here are somewhat different, perhaps.  We
> don't use Exchange in the DMZ (that's ridiculous overkill) 
> but we do have relays out there ... and we lock 'em down to 
> specific ports internally as well. I disagree that it would 
> be "just as harmful as in the DMZ", though ... perform a DoS 
> on a box in the DMZ, you only kill communications through 
> that one box.  DoS the Exchange Server, bam -- you just lost 
> ALL email services.
> 
> [CS] What box are you using to relay OWA that wouldn't be
> just as secure on the internal network as it would be in a 
> DMZ? I can have a dedicated OWA server in either location and 
> the net impact to my Exchange org seems equivalent. As to 
> SMTP, the same thing applies IMO. If you DoS my SMTP relay, 
> why would the impact be any greater on my internal network 
> than in my DMZ.
> 
> Granted, we've got more systems to support, but that's the
> price we pay for the security and redundancy that comes with it.
> 
> [CS] Your network seems more complex with no demonstrable
> additional value when compared to my configuration.... for 
> the scenario as asked.
> 
> And Chris, you asked to "demonstrate an exploit" ... we
> prefer to not wait for one to be demonstrated, but rather do 
> the best we can to preemptively protect ourselves before one 
> is found: use relays in the DMZ, and mix relay products so 
> what exploits one may not be exploitable on another.  
> 
> [CS] But that's not the scenario or question that was asked.
> 
> Have
> different flavors of antivirus protection at the relay,
> Exchange, and at the client.
> 
> [CS] I am not opposed to an SMTP relay, it's a sound idea. I
> don't see much value in putting one in a DMZ really, but an 
> SMTP relay is much different than an Exchange relay which is 
> where this thread started. Apples and Oranges or Horses for Courses.
> 
> Like I said before though, it ain't right for everybody ...
> it takes some bank to make it happen.  Our requirements here 
> are a little more anal than others'.
> 
> [CS] It's not about money in this case. It's about the
> scenario as presented.
> 
> Jon
> 
> 
> > -----Original Message-----
> > From: Webb, Andy [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, June 06, 2002 3:38 PM
> > To: Exchange Discussions
> > Subject: RE: lesser of the evils - ssl or smtp
> > 
> > 
> > On specific ports? Sure, why not?
> > 
> > I'd allow 443 to an inside box.  It requires authentication and it's
> > encrypted.  Any vulnerability in the application itself would be just
> > as harmful in the DMZ.
> > 
> > I'd allow 25 to an inside box.  The endpoint is a system that accepts
> > the mail and scans it for viruses and malicious content.  Any
> > vulnerability in the application would be almost as harmful in the 
> > DMZ.
> > 
> > As it stands I have half the number of systems to secure in my design
> > as you do in yours.  If we both block 98% of the vulnerabilities on
> > those systems, you're less secure.  I contend that I can do better 
> > than you given fewer systems to focus on.
> > 
> > Now, I'm not saying that there aren't good uses for a DMZ.  There are.
> > Exchange just isn't one of them.
> > 
> > -----Original Message-----
> > From: Jon Butler [mailto:[EMAIL PROTECTED]]
> > Posted At: Thursday, June 06, 2002 1:53 PM
> > Posted To: Microsoft Exchange
> > Conversation: lesser of the evils - ssl or smtp
> > Subject: RE: lesser of the evils - ssl or smtp
> > 
> > 
> > So you'd allow "from any" to your inside boxes?  That would keep me
> > awake at night. :)
> > 
> > 
> > > -----Original Message-----
> > > From: Webb, Andy [mailto:[EMAIL PROTECTED]]
> > > Sent: Thursday, June 06, 2002 2:47 PM
> > > To: Exchange Discussions
> > > Subject: RE: lesser of the evils - ssl or smtp
> > > 
> > > 
> > > but you're not talking about a good use of the DMZ.  the DMZ should be
> > > an end point, not a hop.  it doesn't really matter where your SMTP
> > > virus scanner sits - you should have one, I agree.  but on the DMZ
> > > doesn't really make much difference based on your loose restrictions
> > > between the DMZ and the LAN.
> > > 
> > > OWA also doesn't make much difference.  you have to open up rpc
> > > traffic from the DMZ to the LAN.  might as well keep the DMZ more 
> > > secure and put OWA inside.  relative security of the LAN is about the
> > > same.
> > > 
> > > now, if you want to discuss multiple physical DMZ segments, perhaps
> > > it's more interesting, but not much.
> > > 
> > > there's quite a lot of this discussion in the archives, by the way.
> > > no new arguments so far.  so, if you want to jump forward to the end
> > > of the discussion, look back a couple years.
> > > 
> > > =======================================================
> > > Andy Webb            [EMAIL PROTECTED]      www.swinc.com
> > > Simpler-Webb, Inc.   Austin, TX            512-322-0071
> > > -- Eating XXX Chili at Texas Chili Parlor since 1989 --
> > > =======================================================
> > > 
> > > 
> > > -----Original Message-----
> > > From: Jon Butler [mailto:[EMAIL PROTECTED]]
> > > Posted At: Thursday, June 06, 2002 1:30 PM
> > > Posted To: Microsoft Exchange
> > > Conversation: lesser of the evils - ssl or smtp
> > > Subject: RE: lesser of the evils - ssl or smtp
> > > 
> > > 
> > > Perhaps I shouldn't have used the term "rule", but rather perhaps "a
> > > good security practice."  It's better to let the kiddies play with a
> > > hardened DMZ bastion than your production Exchange Server ... but I
> > > also understand that's often not feasible for smaller companies.  A
> > > good security paradigm can take some dough.
> > > 
> > > 
> > > > -----Original Message-----
> > > > From: Cook, Jason [mailto:[EMAIL PROTECTED]]
> > > > Sent: Thursday, June 06, 2002 2:18 PM
> > > > To: Exchange Discussions
> > > > Subject: RE: lesser of the evils - ssl or smtp
> > > > 
> > > > 
> > > > Seems a little rash Mr. Butler, a lot of small companies use the
> > > > scenario presented by Rob Ellis originally.  A firewall, a good 
> > > > hardware one anyway, is great protection if used effectively.  OWA
> > > > with ssl is a good and secure solution, so I'm curious as to why you
> > > > believe that it's a "rule" to use a dmz?
> > > > 
> > > > 
> > > > Jason Cook
> > > > J.H. Ellwood and Associates
> > > > Network Administrator
> > > > [EMAIL PROTECTED]
> > > > 
> > > > 
> > > > -----Original Message-----
> > > > From: Rob Ellis [mailto:[EMAIL PROTECTED]]
> > > > Sent: Thursday, June 06, 2002 1:06 PM
> > > > To: Exchange Discussions
> > > > Subject: RE: lesser of the evils - ssl or smtp
> > > > 
> > > > No, not remote users, server smtp traffic.
> > > > 
> > > > We are proposing citrix full desktop, OWA for some remote
> > users, no
> > > > POP/smtp access for end users.
> > > > 
> > > > The Webshield I mentioned is as you say, part of TVD.
> > > > 
> > > > Our design sounds very much like your setup.
> > > > 
> > > > 
> > > > Regards,
> > > > 
> > > > 
> > > > Rob Ellis
> > > > 
> > > > -----Original Message-----
> > > > From: Mellott, Bill [mailto:[EMAIL PROTECTED]]
> > > > Sent: 06 June 2002 18:49
> > > > To: Exchange Discussions
> > > > Subject: RE: lesser of the evils - ssl or smtp
> > > > 
> > > > I'll throw in .02
> > > > 
> > > > Assuming you are referring to allowing remote users to get their
> > > > e-mail.
> > > > 
> > > > I'm doing the OWA thing for "remote/roaming" users.
> > > > I do some Citrix for full desktops.
> > > > I do NOT allow users to connect to the exch box at this time via
> > > > SMTP/POP.
> > > > 
> > > > I do at this time use the Simple Webshield product bundled with the
> > > > NIA/Mcafee TVD suite. It does reside on its own machine.
> > > > so    Internet smtp > webshield > Exch.
> > > > yes the webshield sits before Exch box.
> > > > Yes it provides me with an additional layer of pre exch virus 
> > > > protection...works ok yes it also provides some prefiltering on 
> > > > attachments...sucks...does not go any deeper than the first level i.e.
> > > > FWD> FWD it will miss.
> > > > Note: Their full blown product webshield APP is supposed to work
> > > > well..no exp with it, I'll keep my opinions to myself..
> > > > 
> > > > If I had to let user(s) directly get to either port 110/POP and
> > > > port25/smtp to do their e-mail...
> > > > 1.) I would not ..that's me..
> > > > 2.) Forced to only via some secure connection like a VPN.
> > > > 
> > > > bill
> > > > 
> > > > PS for those interested I run the AV product too at the file level
> > > > and scan all files on the exchange box with no exceptions.
> > > > ;-)
> > > > 
> > > > -----Original Message-----
> > > > From: Bendall, Paul [mailto:[EMAIL PROTECTED]]
> > > > Sent: Thursday, June 06, 2002 1:38 PM
> > > > To: Exchange Discussions
> > > > Subject: RE: lesser of the evils - ssl or smtp
> > > > 
> > > > 
> > > > Okay I'll add another spanner to your works, I would advise an SMTP
> > > > relay server on your DMZ but I really wouldn't use McAfee Webshield.
> > > > Why, I hear you cry?  For one it is pretty bad at blocking viruses and
> > > > two we have had no end of problems with it crashing or not sending
> > > > to certain domains when it gets a DAT update. Why not use the SMTP
> > > > component of IIS as your SMTP relay server and then use ScanMail or
> > > > Antigen on your Exchange server. Either that or use someone like
> > > > MessageLabs to outsource your antivirus to.
> > > > 
> > > > Regards,
> > > > 
> > > > Paul
> > > > 
> > > > -----Original Message-----
> > > > From: Rob Ellis [mailto:[EMAIL PROTECTED]]
> > > > Sent: 06 June 2002 18:26
> > > > To: Exchange Discussions
> > > > Subject: lesser of the evils - ssl or smtp
> > > > 
> > > > 
> > > > Ok, I've got a couple of scenarios, which of them is the least risky?
> > > > 
> > > > Exchange 2000 mailbox server on the LAN, accepting/making 
> > > > connections using SMTP through a firewall to the internet
> > > > 
> > > > Exchange 2000 mailbox server on the LAN, accepting SSL secured OWA
> > > > connections from the internet, again, protected by a firewall.
> > > > 
> > > > 
> > > > Basically I am being told I may have to do both with the same box,
> > > > but I'd rather have the smtp traffic going through a DMZ based 
> > > > gateway running McAfee Webshield, and let the OWA clients come into
> > > > the internal box over SSL (which I see as less of a risk than
> > > > opening up port 25).
> > > > 
> > > > If you had to choose one of the 2 above scenarios, which would it be?
> > > > 
> > > > Regards,
> > > > 
> > > > Rob Ellis
> 
> 
> _________________________________________________________________
> List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
> Archives:               http://www.swynk.com/sitesearch/search.asp
> To unsubscribe:         mailto:[EMAIL PROTECTED]
> Exchange List admin:    [EMAIL PROTECTED]
> 
