At Tuesday, May 16, 2006 10:39 AM, [EMAIL PROTECTED] wrote:

> I guess what I'm trying to do is get the most secure option with
> what I have. I'm at the point now where I think no matter what I'm
> kinda screwed unless I get ISA or something like it implemented.

Remember that security isn't a discipline of perfection; it's about identifying and managing your risks.

> I'm under the impression that IF someone does get past the external
> firewall they'll be able to sniff for credentials/messages or whatever
> because the FE/BE communicate via clear text. So if I secure the
> communication between FE/BE via IPSEC then IF the front end server
> is compromised then we're screwed once again.

How likely is it that someone gets past your firewall? In order to accurately assess that option, you need to figure out what the most likely avenues of attack are. Most likely: services you have exposed or published through the firewall. These most likely live in your DMZ. Your FE server is one of them. Looks like you need to make sure those services are properly configured and the hosts are hardened.

Yes, the FE and BE communicate in the clear. What will it take for someone to listen to that communication channel? What hosts could they do it from? Easiest would be the FE server itself -- which is why the IP tunnel option, even if it's technically feasible, isn't going to protect you against the real risk. Any process on that server will make use of the tunnel.

I submit that if you have someone behind your firewall, you've probably got bigger problems than them sniffing your FE->BE communications. Maybe it's time to document that risk, note the chain of events that have to happen in order for it to be a risk, and document the cost involved in fixing that risk -- then bounce it up the chain of command for them to decide if they think it's enough of a risk to justify the cost of installing ISA.

> So what's the better of my options? Someone suggested using
> m0n0wall or another linux/bsd alternative for ISA.

Not an alternative in the application proxy sense, but as an alternative to your current NAT firewall.

The key to resolving your troubles here is telling your current NAT firewall/router to *NOT* perform NAT translation between your interior network and your DMZ network, but just to route the packets back and forth. If you can do that, then you can use strict IPsec communications between your FE and the rest of your Exchange servers.

-- 
Devin L. Ganger                      Email: [EMAIL PROTECTED]
3Sharp LLC                           Phone: 425.882.1032 x 109
15311 NE 90th Street                 Cell:  425.239.2575
Redmond, WA 98052                    Fax:   425.702.8455
(e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/
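The "strict IPsec between the FE and the rest of your Exchange servers" step, written out as an added example for the list archive; this is not from Devin's reply or the original poster, and the addresses (FE 10.1.1.10 in the DMZ, BE 10.2.2.20 on the interior network), the policy names and the choice of Kerberos authentication are all assumptions. It uses the Windows Server 2003 `netsh ipsec static` context, which is what an Exchange 2003 FE/BE pair of that era would run; check the exact parameter names against `netsh ipsec static add rule /?` on your build before relying on it. The filter action is set to negotiate with no fallback to clear text, so if the firewall is still doing NAT between the DMZ and the interior, the FE and BE simply stop talking rather than silently reverting to plaintext, which is the check you want: traffic either arrives as ESP or not at all.

```batch
@echo off
rem Added example: require ESP between an Exchange front-end and back-end.
rem Assumed (constructed) addresses:
rem   FE (DMZ)      10.1.1.10
rem   BE (interior) 10.2.2.20
rem Run the same script on BOTH hosts; the filter is mirrored, so one
rem policy covers traffic in each direction.

set FE=10.1.1.10
set BE=10.2.2.20
set POL=FE-BE-Require-ESP

rem 1. Policy container.
netsh ipsec static add policy name="%POL%" description="Require ESP between FE and BE"

rem 2. Filter list: all protocols between the two hosts, both directions.
netsh ipsec static add filterlist name="FE-BE-Traffic"
netsh ipsec static add filter filterlist="FE-BE-Traffic" srcaddr=%FE% dstaddr=%BE% protocol=ANY mirrored=yes

rem 3. Filter action: negotiate ESP only.
rem    inpass=no  -> do not accept unsecured inbound traffic while negotiating
rem    soft=no    -> never fall back to clear text if negotiation fails
netsh ipsec static add filteraction name="Require-ESP" action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no

rem 4. Rule tying filter list and action together; Kerberos is assumed
rem    because both servers are domain members.
netsh ipsec static add rule name="FE-BE-Rule" policy="%POL%" filterlist="FE-BE-Traffic" filteraction="Require-ESP" kerberos=yes

rem 5. Assign the policy so it takes effect on this host.
netsh ipsec static set policy name="%POL%" assign=y

rem Verification (run on either host, after generating FE->BE traffic):
rem   netsh ipsec dynamic show qmsas
rem should list a quick-mode SA between %FE% and %BE%. If none appears and
rem the hosts cannot reach each other, the usual cause is NAT still sitting
rem between the DMZ and interior segments, which is the firewall change the
rem message above describes.
```

Keep in mind the caveat from the reply itself: this protects the wire, not the FE. A process running on a compromised front-end uses the same SA and sees the same plaintext, so the policy belongs on the risk register alongside hardening the published services rather than in place of it.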