Get an e-mail security appliance, keep Exchange "all the way back". Also, having the appliance lets you down Exchange for maintenance w/out hiccups (assuming you're not running Exchange clustered).
Having an appliance gave unexpected benefits that I hadn't realized I would use. However, seeing as how 90%+ of all incoming mail is SPAM it's nice to not have the Exchange server have to waste any cycles on them. From: itli...@imcu.com [mailto:itli...@imcu.com] Sent: Friday, January 27, 2012 11:08 AM To: NT System Admin Issues Subject: RE: DLP, SIEM, Network Access Control, VPN multi factor authentication, Moving Exchange into a DMZ We have 4-5 vendors we work with and use against each other for bidding. But mostly we listen to all and make an informed decision from all the information we get. From: Andrew S. Baker [mailto:asbz...@gmail.com]<mailto:[mailto:asbz...@gmail.com]> Posted At: Friday, January 27, 2012 12:00 PM Posted To: itli...@imcu.com<mailto:itli...@imcu.com> Conversation: DLP, SIEM, Network Access Control, VPN multi factor authentication, Moving Exchange into a DMZ Subject: Re: DLP, SIEM, Network Access Control, VPN multi factor authentication, Moving Exchange into a DMZ I always recommend that Sys Admins and IT Managers have a good technology partner that they can bounce these types of things off of. A single source, if possible, since many of these elements will need to work together. Also, much of this will have hardware components. The Exchange issue is, as others have pointed out, going to involve some sort of email security appliance, of which there are hundreds, if not thousands. Do you have a VAR that you work with? Or do you just purchase everything directly? ASB http://XeeMe.com/AndrewBaker Harnessing the Advantages of Technology for the SMB market... On Fri, Jan 27, 2012 at 9:46 AM, itli...@imcu.com<mailto:itli...@imcu.com> <itli...@imcu.com<mailto:itli...@imcu.com>> wrote: Ok, so we have had a NCUA IT audit and some of the recommendations are as follows: Data Loss Prevention (DLP) The Credit Union should have the the ability to use USB storage devices, DVD, and CD drives turned off unless required. With some for of alerting if a user is trying to use those devices without permission. Security Information and Event Management (SIEM) system The Credit Union should have a SIEM system in place to consolidate logs from all devices and applications, encrypt those logs, have real time alerting, and compliance reporting. VPN access The Credit Union should have Network Access Controls such as scanning the connecting machine for correct configuration prior to allowing access to the network, some kind of multi factor token or device, and a more detailed access list on the VPN client area of the firewall. DMZ The Credit Union should move the Microsoft Exchange server into a DMZ of the firewall or industry best practice for proxing email traffic into and out of the DMZ to protect the Credit Union's internal network if a breach occurs on the email system. With all of this being said, can you get me some vendor information about about each of these areas. It can be freeware, it can be appliances, it can be anything that is easily managable. And Management is looking for a quick turn around on this so whitepapers and recommendations first. This is what I sent my software vendors. Did I ask the right questions? ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin