RE: Stupid Firewall Tricks
Good luck! Have fun. One the features I liked about Antigen was that it can use multiple AV scan engines. ( I know that Tred Micro probably does too ) so you can continue to use InoculateIT's engine and sig files along with Norman and McAfee. Joseph Ambrose System and Network Manager The Conference Board P: 001-212-339-0443 F: 001-212-836-3802 E: [EMAIL PROTECTED] Visit our Award Winning Web Site: www.conference-board.org -Original Message- From: Ken Leyba [mailto:[EMAIL PROTECTED]] Sent: Friday, March 22, 2002 2:29 PM To: MS-Exchange Admin Issues Subject: RE: Stupid Firewall Tricks I love this name: Kristi Chiffone She was real helpful and answered my questions. So I'll be evaluating both Trend and Sybari. - Ken Leyba Windows/Exchange System Administrator California State University Dominguez Hills > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] > Sent: Friday, March 22, 2002 12:07 PM > To: MS-Exchange Admin Issues > Subject: RE: Stupid Firewall Tricks > > > > Which sales person called? > > ~ > -K.Borndale > IT Manager > Sybari Software > 631.630.8569 -direct dial > 631.439.0689 -fax > http://www.sybari.com > "One man's ceiling is another man's floor" > > > |-+> > | | Ken Leyba| > | | <[EMAIL PROTECTED]| > | | >| > | || > | | 03/22/2002 11:53 | > | | AM | > | | Please respond to| > | | "MS-Exchange | > | | Admin Issues"| > | || > |-+> > > >- > -- > ---| > | > > | > | To: "MS-Exchange Admin Issues" > <[EMAIL PROTECTED]> > | > | cc: > > | > | Subject: RE: Stupid Firewall Tricks > > | > > >- > -- > ---| > > > > > Must be Karma, one of our other admins had Sybari call me. Unless of > course > he's a member of this list and saw my post (I know you're out there). > > - > Ken Leyba > Windows/Exchange System Administrator > California State University Dominguez Hills > > > > -Original Message- > > From: Ambrose, Joseph [mailto:[EMAIL PROTECTED]] > > Sent: Thursday, March 21, 2002 12:33 PM > > To: MS-Exchange Admin Issues > > Subject: RE: Stupid Firewall Tricks > > > > > > One word > > > > ANTIGEN > > > > www.sybari.com > > > > > > Joseph Ambrose > > System and Network Manager > > The Conference Board > > P: 001-212-339-0443 > > F: 001-212-836-3802 > > E: [EMAIL PROTECTED] > > Visit our Award Winning Web Site: www.conference-board.org > > > > -Original Message- > > From:Ken Leyba [mailto:[EMAIL PROTECTED]] > > Sent:Wednesday, March 20, 2002 6:56 PM > > To:MS-Exchange Admin Issues > > Subject: RE: Stupid Firewall Tricks > > > > No, we have A/V. I'm looking at alternatives to IncoulateIT. > > > > - > > Ken Leyba > > Windows/Exchange System Administrator > > California State University Dominguez Hills > > > > > > > -Original Message- > > > From: Bob Falkenberg [mailto:[EMAIL PROTECTED]] > > > Sent: Wednesday, March 20, 2002 3:54 PM > > > To: MS-Exchange Admin Issues > > > Subject: RE: Stupid Firewall Tricks > > > > > > > > > no anti-virus?? egads... > > > > > > -Original Message- > > > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > > > Sent: Wednesday, March 20, 2002 3:49 PM > > > To: MS-Exchange Admin Issues &
RE: Stupid Firewall Tricks
I love this name: Kristi Chiffone She was real helpful and answered my questions. So I'll be evaluating both Trend and Sybari. - Ken Leyba Windows/Exchange System Administrator California State University Dominguez Hills > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] > Sent: Friday, March 22, 2002 12:07 PM > To: MS-Exchange Admin Issues > Subject: RE: Stupid Firewall Tricks > > > > Which sales person called? > > ~ > -K.Borndale > IT Manager > Sybari Software > 631.630.8569 -direct dial > 631.439.0689 -fax > http://www.sybari.com > "One man's ceiling is another man's floor" > > > |-+> > | | Ken Leyba| > | | <[EMAIL PROTECTED]| > | | >| > | || > | | 03/22/2002 11:53 | > | | AM | > | | Please respond to| > | | "MS-Exchange | > | | Admin Issues"| > | || > |-+> > > >- > -- > ---| > | > > | > | To: "MS-Exchange Admin Issues" > <[EMAIL PROTECTED]> > | > | cc: > > | > | Subject: RE: Stupid Firewall Tricks > > | > > >- > -- > ---| > > > > > Must be Karma, one of our other admins had Sybari call me. Unless of > course > he's a member of this list and saw my post (I know you're out there). > > - > Ken Leyba > Windows/Exchange System Administrator > California State University Dominguez Hills > > > > -Original Message- > > From: Ambrose, Joseph [mailto:[EMAIL PROTECTED]] > > Sent: Thursday, March 21, 2002 12:33 PM > > To: MS-Exchange Admin Issues > > Subject: RE: Stupid Firewall Tricks > > > > > > One word > > > > ANTIGEN > > > > www.sybari.com > > > > > > Joseph Ambrose > > System and Network Manager > > The Conference Board > > P: 001-212-339-0443 > > F: 001-212-836-3802 > > E: [EMAIL PROTECTED] > > Visit our Award Winning Web Site: www.conference-board.org > > > > -Original Message- > > From:Ken Leyba [mailto:[EMAIL PROTECTED]] > > Sent:Wednesday, March 20, 2002 6:56 PM > > To:MS-Exchange Admin Issues > > Subject: RE: Stupid Firewall Tricks > > > > No, we have A/V. I'm looking at alternatives to IncoulateIT. > > > > - > > Ken Leyba > > Windows/Exchange System Administrator > > California State University Dominguez Hills > > > > > > > -Original Message- > > > From: Bob Falkenberg [mailto:[EMAIL PROTECTED]] > > > Sent: Wednesday, March 20, 2002 3:54 PM > > > To: MS-Exchange Admin Issues > > > Subject: RE: Stupid Firewall Tricks > > > > > > > > > no anti-virus?? egads... > > > > > > -Original Message- > > > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > > > Sent: Wednesday, March 20, 2002 3:49 PM > > > To: MS-Exchange Admin Issues > > > Subject: RE: Stupid Firewall Tricks > > > > > > > > > That's the rub. We have had no problems with on campus > > > users. All of our > > > Exchange problems have been viruses. I would have rather > > > spent the time and > > > money on a virus wall, content inspection or an alternative > > > A/V solution. > > > > > > - > > > Ken Leyba > > > Windows/Exchange System Administrator > > > California State University Dominguez Hills > > > > > > > > > >
RE: Stupid Firewall Tricks
Which sales person called? ~ -K.Borndale IT Manager Sybari Software 631.630.8569 -direct dial 631.439.0689 -fax http://www.sybari.com "One man's ceiling is another man's floor" |-+> | | Ken Leyba| | | <[EMAIL PROTECTED]| | | >| | || | | 03/22/2002 11:53 | | | AM | | | Please respond to| | | "MS-Exchange | | | Admin Issues"| | || |-+> >--| | | | To: "MS-Exchange Admin Issues" <[EMAIL PROTECTED]> | | cc: | | Subject: RE: Stupid Firewall Tricks | >--| Must be Karma, one of our other admins had Sybari call me. Unless of course he's a member of this list and saw my post (I know you're out there). - Ken Leyba Windows/Exchange System Administrator California State University Dominguez Hills > -Original Message- > From: Ambrose, Joseph [mailto:[EMAIL PROTECTED]] > Sent: Thursday, March 21, 2002 12:33 PM > To: MS-Exchange Admin Issues > Subject: RE: Stupid Firewall Tricks > > > One word > > ANTIGEN > > www.sybari.com > > > Joseph Ambrose > System and Network Manager > The Conference Board > P: 001-212-339-0443 > F: 001-212-836-3802 > E: [EMAIL PROTECTED] > Visit our Award Winning Web Site: www.conference-board.org > > -Original Message- > From:Ken Leyba [mailto:[EMAIL PROTECTED]] > Sent:Wednesday, March 20, 2002 6:56 PM > To:MS-Exchange Admin Issues > Subject: RE: Stupid Firewall Tricks > > No, we have A/V. I'm looking at alternatives to IncoulateIT. > > - > Ken Leyba > Windows/Exchange System Administrator > California State University Dominguez Hills > > > > -----Original Message- > > From: Bob Falkenberg [mailto:[EMAIL PROTECTED]] > > Sent: Wednesday, March 20, 2002 3:54 PM > > To: MS-Exchange Admin Issues > > Subject: RE: Stupid Firewall Tricks > > > > > > no anti-virus?? egads... > > > > -Original Message- > > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > > Sent: Wednesday, March 20, 2002 3:49 PM > > To: MS-Exchange Admin Issues > > Subject: RE: Stupid Firewall Tricks > > > > > > That's the rub. We have had no problems with on campus > > users. All of our > > Exchange problems have been viruses. I would have rather > > spent the time and > > money on a virus wall, content inspection or an alternative > > A/V solution. > > > > - > > Ken Leyba > > Windows/Exchange System Administrator > > California State University Dominguez Hills > > > > > > > -Original Message- > > > From: William Lefkovics [mailto:[EMAIL PROTECTED]] > > > Sent: Wednesday, March 20, 2002 3:40 PM > > > To: MS-Exchange Admin Issues > > > Subject: RE: Stupid Firewall Tricks > > > > > > > > > I have never worked for an .edu [1], but from my experience > > > with people who > > > have, they often have users that like to test the boundaries > > > of security and > > > go as far as their IT department allow. I hope your students > > > are not as > > > ambitious. > > > > > > It's great you'll be able to block, say, ftp to Exchange, but > > > the other > > > holes open up too many opportunities for fun. Move the > > firewall from > > > between the users and Exchange to between the internet and > > the users. > > > > > > [1] Hi Jamie > > > > > > > > > -Original Message- > > > From: Ken Leyba [mailt
RE: Stupid Firewall Tricks
Must be Karma, one of our other admins had Sybari call me. Unless of course he's a member of this list and saw my post (I know you're out there). - Ken Leyba Windows/Exchange System Administrator California State University Dominguez Hills > -Original Message- > From: Ambrose, Joseph [mailto:[EMAIL PROTECTED]] > Sent: Thursday, March 21, 2002 12:33 PM > To: MS-Exchange Admin Issues > Subject: RE: Stupid Firewall Tricks > > > One word > > ANTIGEN > > www.sybari.com > > > Joseph Ambrose > System and Network Manager > The Conference Board > P: 001-212-339-0443 > F: 001-212-836-3802 > E: [EMAIL PROTECTED] > Visit our Award Winning Web Site: www.conference-board.org > > -Original Message- > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, March 20, 2002 6:56 PM > To: MS-Exchange Admin Issues > Subject: RE: Stupid Firewall Tricks > > No, we have A/V. I'm looking at alternatives to IncoulateIT. > > - > Ken Leyba > Windows/Exchange System Administrator > California State University Dominguez Hills > > > > -Original Message- > > From: Bob Falkenberg [mailto:[EMAIL PROTECTED]] > > Sent: Wednesday, March 20, 2002 3:54 PM > > To: MS-Exchange Admin Issues > > Subject: RE: Stupid Firewall Tricks > > > > > > no anti-virus?? egads... > > > > -Original Message- > > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > > Sent: Wednesday, March 20, 2002 3:49 PM > > To: MS-Exchange Admin Issues > > Subject: RE: Stupid Firewall Tricks > > > > > > That's the rub. We have had no problems with on campus > > users. All of our > > Exchange problems have been viruses. I would have rather > > spent the time and > > money on a virus wall, content inspection or an alternative > > A/V solution. > > > > - > > Ken Leyba > > Windows/Exchange System Administrator > > California State University Dominguez Hills > > > > > > > -Original Message- > > > From: William Lefkovics [mailto:[EMAIL PROTECTED]] > > > Sent: Wednesday, March 20, 2002 3:40 PM > > > To: MS-Exchange Admin Issues > > > Subject: RE: Stupid Firewall Tricks > > > > > > > > > I have never worked for an .edu [1], but from my experience > > > with people who > > > have, they often have users that like to test the boundaries > > > of security and > > > go as far as their IT department allow. I hope your students > > > are not as > > > ambitious. > > > > > > It's great you'll be able to block, say, ftp to Exchange, but > > > the other > > > holes open up too many opportunities for fun. Move the > > firewall from > > > between the users and Exchange to between the internet and > > the users. > > > > > > [1] Hi Jamie > > > > > > > > > -Original Message- > > > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > > > Sent: Wednesday, March 20, 2002 3:35 PM > > > To: MS-Exchange Admin Issues > > > Subject: RE: Stupid Firewall Tricks > > > > > > > > > IT. > > > > > > - > > > Ken Leyba > > > Windows/Exchange System Administrator > > > California State University Dominguez Hills > > > > > > > > > > -Original Message- > > > > From: William Lefkovics [mailto:[EMAIL PROTECTED]] > > > > Sent: Wednesday, March 20, 2002 3:34 PM > > > > To: MS-Exchange Admin Issues > > > > Subject: RE: Stupid Firewall Tricks > > > > > > > > > > > > The more important firewall is between the internet and your > > > > organisation. > > > > > > > > What is this guy a director of? > > > > > > > > > > > > -Original Message- > > > > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > > > > Sent: Wednesday, March 20, 2002 3:32 PM > > > > To: MS-Exchange Admin Issues > > > > Subject: RE: Stupid Firewall Tricks > > > > > > > > > > > > Yes, the clients will use POP/SMTP, IMAP and MAPI. That > > > was my point > > > > exactly, we'll have two Swiss Cheese firewalls. Unless the > > > > Cisco PIX can do > > > > some kind of magic firewall tricks that I don't know about. > > > > >
RE: Stupid Firewall Tricks
Surely they'd be lost in the honeypot, where they can hack away at the pseudo-configured Sendmail server while you laugh at them after your intrusion detection software alerted you. -Original Message- From: Campbell, Rob [mailto:[EMAIL PROTECTED]] Sent: Thursday, March 21, 2002 6:19 AM To: MS-Exchange Admin Issues Subject: RE: Stupid Firewall Tricks IMHO, you'd be better protected using a bastion host outside the firewall. Internet/bastion host <-> Firewall <-> Users/Exchange Now you don't have to open up RPC's thru the firewall, and if you get attacked or hacked, the worst they can do is take down the bastion host and your Exchange servers are still good. > -Original Message- > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, March 20, 2002 5:15 PM > To: MS-Exchange Admin Issues > Subject: Stupid Firewall Tricks > > > Our director wants us to implement a firewall in front of our Windows > 2000/Exchange 5.5 servers. Here is what the scenario is: > > Internet <--> Users <--> Firewall <--> Exchange > > On the Exchange side we have the DC's, Exchange, IMC, OWA, > etc. servers. On > the public side we have the Windows 98/2000 clients, WINS > server (which is a > whole different issue) and Internet. There is a firewall before the > Internet connection but it is basically useless since nothing > is configured. > On the private side we are to use NAT, since all the servers > except the > backup server will need to be accessed from the outside I > really don't see > what this is buying us. Basically we are putting a firewall > in front of > Exchange. We are currently testing the configuration but I > think this may > end up being a nightmare once we begin to change the Windows > 2000 servers > (i.e. Active Directory) IP addresses and DNS settings to the private > addresses. > > I began by making registry hacks to force the RPC's through > specific ports > but our backbone admin figured out how to configure the PIX > firewall without > me having to make the changes. Now I'm reinstalling the test > server to see > that it's actually working. > > Can anyone give me any ammo as to why this is not the way to > do things. I > have tried to explain but I'm getting nowhere. I don't know maybe I'm > wrong. However it seems it would be safer to implement the > firewall at the > internet connection, we seem to be trying to protect > ourselves from our > users. There would be a lot of politics involved with the > Internet firewall > but it does seem like the way to go. > > Thx, > Ken > > - > Ken Leyba > Windows/Exchange System Administrator > California State University Dominguez Hills > > List Charter and FAQ at: > http://www.sunbelt-software.com/exchange_list_charter.htm > List Charter and FAQ at: http://www.sunbelt-software.com/exchange_list_charter.htm List Charter and FAQ at: http://www.sunbelt-software.com/exchange_list_charter.htm
RE: Stupid Firewall Tricks
So you don't *really* have AV then, do you? :) -Original Message- From: Ken Leyba [mailto:[EMAIL PROTECTED]] Sent: Wednesday, March 20, 2002 6:56 PM To: MS-Exchange Admin Issues Subject: RE: Stupid Firewall Tricks No, we have A/V. I'm looking at alternatives to IncoulateIT. - Ken Leyba Windows/Exchange System Administrator California State University Dominguez Hills > -Original Message- > From: Bob Falkenberg [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, March 20, 2002 3:54 PM > To: MS-Exchange Admin Issues > Subject: RE: Stupid Firewall Tricks > > > no anti-virus?? egads... > > -Original Message- > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, March 20, 2002 3:49 PM > To: MS-Exchange Admin Issues > Subject: RE: Stupid Firewall Tricks > > > That's the rub. We have had no problems with on campus > users. All of our > Exchange problems have been viruses. I would have rather > spent the time and > money on a virus wall, content inspection or an alternative > A/V solution. > > - > Ken Leyba > Windows/Exchange System Administrator > California State University Dominguez Hills > > > > -Original Message- > > From: William Lefkovics [mailto:[EMAIL PROTECTED]] > > Sent: Wednesday, March 20, 2002 3:40 PM > > To: MS-Exchange Admin Issues > > Subject: RE: Stupid Firewall Tricks > > > > > > I have never worked for an .edu [1], but from my experience > > with people who > > have, they often have users that like to test the boundaries > > of security and > > go as far as their IT department allow. I hope your students > > are not as > > ambitious. > > > > It's great you'll be able to block, say, ftp to Exchange, but > > the other > > holes open up too many opportunities for fun. Move the > firewall from > > between the users and Exchange to between the internet and > the users. > > > > [1] Hi Jamie > > > > > > -Original Message- > > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > > Sent: Wednesday, March 20, 2002 3:35 PM > > To: MS-Exchange Admin Issues > > Subject: RE: Stupid Firewall Tricks > > > > > > IT. > > > > - > > Ken Leyba > > Windows/Exchange System Administrator > > California State University Dominguez Hills > > > > > > > -Original Message- > > > From: William Lefkovics [mailto:[EMAIL PROTECTED]] > > > Sent: Wednesday, March 20, 2002 3:34 PM > > > To: MS-Exchange Admin Issues > > > Subject: RE: Stupid Firewall Tricks > > > > > > > > > The more important firewall is between the internet and your > > > organisation. > > > > > > What is this guy a director of? > > > > > > > > > -Original Message- > > > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > > > Sent: Wednesday, March 20, 2002 3:32 PM > > > To: MS-Exchange Admin Issues > > > Subject: RE: Stupid Firewall Tricks > > > > > > > > > Yes, the clients will use POP/SMTP, IMAP and MAPI. That > > was my point > > > exactly, we'll have two Swiss Cheese firewalls. Unless the > > > Cisco PIX can do > > > some kind of magic firewall tricks that I don't know about. > > > > > > Ken > > > > > > - > > > Ken Leyba > > > Windows/Exchange System Administrator > > > California State University Dominguez Hills > > > > > > > > > > -Original Message- > > > > From: William Lefkovics [mailto:[EMAIL PROTECTED]] > > > > Sent: Wednesday, March 20, 2002 3:22 PM > > > > To: MS-Exchange Admin Issues > > > > Subject: RE: Stupid Firewall Tricks > > > > > > > > > > > > How are you intending these users access the exchange server? > > > > MAPI client > > > > like Outlook? > > > > > > > > The holes necessary for your users to communicate with > > > > Exchange are such > > > > that your firewall between the users and Exchange has been > > > > rendered useless. > > > > > > > > > > > > -Original Message- > > > > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > > > > Sent: Wednesday, March 20, 2002 3:15 PM > > > > To: MS-Exchange Admin Issues > > > > Subject: Stupid Firewall Tricks > > > > &
RE: Stupid Firewall Tricks
Now add one more thing. The front-end talks to the back end without encryption. Deploy IPSec between front end and back end Exchange Servers.[1] William [1] See Martin Tuip's article in Exchange Administrator -Original Message- From: Clayton [mailto:[EMAIL PROTECTED]] Sent: Thursday, March 21, 2002 12:49 PM To: MS-Exchange Admin Issues Subject: RE: Stupid Firewall Tricks On top of that, you may want to propose this sort of scenario for maximum protection Internet <> Firewall <> Exchange Front End Server <> Firewall <> Desktops and Exchange Back End Servers in this way you protect you Exchange system with Antigen and a firewall from the outside world, and cut off access from the exchange box between the two firewalls to your actual mailboxes and pubic folders. It means opening specific ports on the external firewall, while being able to close those, and open others on the internal one. Q280132 should give you a good overview of ports etc in this scenario, and will give you something to give to your IT director as well. This will probably allow you to make the best use of two firewalls HTH -Original Message- From: Ambrose, Joseph [mailto:[EMAIL PROTECTED]] Sent: March 21, 2002 4:33 PM To: MS-Exchange Admin Issues Subject: RE: Stupid Firewall Tricks One word ANTIGEN www.sybari.com Joseph Ambrose System and Network Manager The Conference Board P: 001-212-339-0443 F: 001-212-836-3802 E: [EMAIL PROTECTED] Visit our Award Winning Web Site: www.conference-board.org -Original Message- From: Ken Leyba [mailto:[EMAIL PROTECTED]] Sent: Wednesday, March 20, 2002 6:56 PM To: MS-Exchange Admin Issues Subject: RE: Stupid Firewall Tricks No, we have A/V. I'm looking at alternatives to IncoulateIT. - Ken Leyba Windows/Exchange System Administrator California State University Dominguez Hills > -Original Message- > From: Bob Falkenberg [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, March 20, 2002 3:54 PM > To: MS-Exchange Admin Issues > Subject: RE: Stupid Firewall Tricks > > > no anti-virus?? egads... > > -Original Message- > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, March 20, 2002 3:49 PM > To: MS-Exchange Admin Issues > Subject: RE: Stupid Firewall Tricks > > > That's the rub. We have had no problems with on campus > users. All of our > Exchange problems have been viruses. I would have rather > spent the time and > money on a virus wall, content inspection or an alternative > A/V solution. > > - > Ken Leyba > Windows/Exchange System Administrator > California State University Dominguez Hills > > > > -Original Message- > > From: William Lefkovics [mailto:[EMAIL PROTECTED]] > > Sent: Wednesday, March 20, 2002 3:40 PM > > To: MS-Exchange Admin Issues > > Subject: RE: Stupid Firewall Tricks > > > > > > I have never worked for an .edu [1], but from my experience > > with people who > > have, they often have users that like to test the boundaries > > of security and > > go as far as their IT department allow. I hope your students > > are not as > > ambitious. > > > > It's great you'll be able to block, say, ftp to Exchange, but > > the other > > holes open up too many opportunities for fun. Move the > firewall from > > between the users and Exchange to between the internet and > the users. > > > > [1] Hi Jamie > > > > > > -Original Message- > > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > > Sent: Wednesday, March 20, 2002 3:35 PM > > To: MS-Exchange Admin Issues > > Subject: RE: Stupid Firewall Tricks > > > > > > IT. > > > > - > > Ken Leyba > > Windows/Exchange System Administrator > > California State University Dominguez Hills > > > > > > > -Original Message- > > > From: William Lefkovics [mailto:[EMAIL PROTECTED]] > > > Sent: Wednesday, March 20, 2002 3:34 PM > > > To: MS-Exchange Admin Issues > > > Subject: RE: Stupid Firewall Tricks > > > > > > > > > The more important firewall is between the internet and your > > > organisation. > > > > > > What is this guy a director of? > > > > > > > > > -Original Message- > > > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > > > Sent: Wednesday, March 20, 2002 3:32 PM > > > To: MS-Exchange Admin Issues > > > Subject: RE: Stupid Firewall Tricks > > > > > > > > > Yes, the clients will use POP/SMTP, IMAP and MAPI. That > > was my point > &g
RE: Stupid Firewall Tricks
On top of that, you may want to propose this sort of scenario for maximum protection Internet <> Firewall <> Exchange Front End Server <> Firewall <> Desktops and Exchange Back End Servers in this way you protect you Exchange system with Antigen and a firewall from the outside world, and cut off access from the exchange box between the two firewalls to your actual mailboxes and pubic folders. It means opening specific ports on the external firewall, while being able to close those, and open others on the internal one. Q280132 should give you a good overview of ports etc in this scenario, and will give you something to give to your IT director as well. This will probably allow you to make the best use of two firewalls HTH -Original Message- From: Ambrose, Joseph [mailto:[EMAIL PROTECTED]] Sent: March 21, 2002 4:33 PM To: MS-Exchange Admin Issues Subject: RE: Stupid Firewall Tricks One word ANTIGEN www.sybari.com Joseph Ambrose System and Network Manager The Conference Board P: 001-212-339-0443 F: 001-212-836-3802 E: [EMAIL PROTECTED] Visit our Award Winning Web Site: www.conference-board.org -Original Message- From: Ken Leyba [mailto:[EMAIL PROTECTED]] Sent: Wednesday, March 20, 2002 6:56 PM To: MS-Exchange Admin Issues Subject: RE: Stupid Firewall Tricks No, we have A/V. I'm looking at alternatives to IncoulateIT. - Ken Leyba Windows/Exchange System Administrator California State University Dominguez Hills > -Original Message- > From: Bob Falkenberg [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, March 20, 2002 3:54 PM > To: MS-Exchange Admin Issues > Subject: RE: Stupid Firewall Tricks > > > no anti-virus?? egads... > > -Original Message- > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, March 20, 2002 3:49 PM > To: MS-Exchange Admin Issues > Subject: RE: Stupid Firewall Tricks > > > That's the rub. We have had no problems with on campus > users. All of our > Exchange problems have been viruses. I would have rather > spent the time and > money on a virus wall, content inspection or an alternative > A/V solution. > > - > Ken Leyba > Windows/Exchange System Administrator > California State University Dominguez Hills > > > > -Original Message- > > From: William Lefkovics [mailto:[EMAIL PROTECTED]] > > Sent: Wednesday, March 20, 2002 3:40 PM > > To: MS-Exchange Admin Issues > > Subject: RE: Stupid Firewall Tricks > > > > > > I have never worked for an .edu [1], but from my experience > > with people who > > have, they often have users that like to test the boundaries > > of security and > > go as far as their IT department allow. I hope your students > > are not as > > ambitious. > > > > It's great you'll be able to block, say, ftp to Exchange, but > > the other > > holes open up too many opportunities for fun. Move the > firewall from > > between the users and Exchange to between the internet and > the users. > > > > [1] Hi Jamie > > > > > > -Original Message- > > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > > Sent: Wednesday, March 20, 2002 3:35 PM > > To: MS-Exchange Admin Issues > > Subject: RE: Stupid Firewall Tricks > > > > > > IT. > > > > - > > Ken Leyba > > Windows/Exchange System Administrator > > California State University Dominguez Hills > > > > > > > -Original Message- > > > From: William Lefkovics [mailto:[EMAIL PROTECTED]] > > > Sent: Wednesday, March 20, 2002 3:34 PM > > > To: MS-Exchange Admin Issues > > > Subject: RE: Stupid Firewall Tricks > > > > > > > > > The more important firewall is between the internet and your > > > organisation. > > > > > > What is this guy a director of? > > > > > > > > > -Original Message- > > > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > > > Sent: Wednesday, March 20, 2002 3:32 PM > > > To: MS-Exchange Admin Issues > > > Subject: RE: Stupid Firewall Tricks > > > > > > > > > Yes, the clients will use POP/SMTP, IMAP and MAPI. That > > was my point > > > exactly, we'll have two Swiss Cheese firewalls. Unless the > > > Cisco PIX can do > > > some kind of magic firewall tricks that I don't know about. > > > > > > Ken > > > > > > - > > > Ken Leyba > > > Windows/Exchange System Administrator > > > California State University Dominguez
RE: Stupid Firewall Tricks
That's a mighty good word IMHO. -Original Message- From: Ambrose, Joseph [mailto:[EMAIL PROTECTED]] Sent: Thursday, March 21, 2002 2:33 PM To: MS-Exchange Admin Issues Subject: RE: Stupid Firewall Tricks One word ANTIGEN www.sybari.com Joseph Ambrose System and Network Manager The Conference Board P: 001-212-339-0443 F: 001-212-836-3802 E: [EMAIL PROTECTED] Visit our Award Winning Web Site: www.conference-board.org -Original Message- From: Ken Leyba [mailto:[EMAIL PROTECTED]] Sent: Wednesday, March 20, 2002 6:56 PM To: MS-Exchange Admin Issues Subject: RE: Stupid Firewall Tricks No, we have A/V. I'm looking at alternatives to IncoulateIT. - Ken Leyba Windows/Exchange System Administrator California State University Dominguez Hills > -Original Message- > From: Bob Falkenberg [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, March 20, 2002 3:54 PM > To: MS-Exchange Admin Issues > Subject: RE: Stupid Firewall Tricks > > > no anti-virus?? egads... > > -Original Message- > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, March 20, 2002 3:49 PM > To: MS-Exchange Admin Issues > Subject: RE: Stupid Firewall Tricks > > > That's the rub. We have had no problems with on campus > users. All of our > Exchange problems have been viruses. I would have rather > spent the time and > money on a virus wall, content inspection or an alternative > A/V solution. > > - > Ken Leyba > Windows/Exchange System Administrator > California State University Dominguez Hills > > > > -Original Message- > > From: William Lefkovics [mailto:[EMAIL PROTECTED]] > > Sent: Wednesday, March 20, 2002 3:40 PM > > To: MS-Exchange Admin Issues > > Subject: RE: Stupid Firewall Tricks > > > > > > I have never worked for an .edu [1], but from my experience > > with people who > > have, they often have users that like to test the boundaries > > of security and > > go as far as their IT department allow. I hope your students > > are not as > > ambitious. > > > > It's great you'll be able to block, say, ftp to Exchange, but > > the other > > holes open up too many opportunities for fun. Move the > firewall from > > between the users and Exchange to between the internet and > the users. > > > > [1] Hi Jamie > > > > > > -Original Message- > > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > > Sent: Wednesday, March 20, 2002 3:35 PM > > To: MS-Exchange Admin Issues > > Subject: RE: Stupid Firewall Tricks > > > > > > IT. > > > > - > > Ken Leyba > > Windows/Exchange System Administrator > > California State University Dominguez Hills > > > > > > > -Original Message- > > > From: William Lefkovics [mailto:[EMAIL PROTECTED]] > > > Sent: Wednesday, March 20, 2002 3:34 PM > > > To: MS-Exchange Admin Issues > > > Subject: RE: Stupid Firewall Tricks > > > > > > > > > The more important firewall is between the internet and your > > > organisation. > > > > > > What is this guy a director of? > > > > > > > > > -Original Message- > > > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > > > Sent: Wednesday, March 20, 2002 3:32 PM > > > To: MS-Exchange Admin Issues > > > Subject: RE: Stupid Firewall Tricks > > > > > > > > > Yes, the clients will use POP/SMTP, IMAP and MAPI. That > > was my point > > > exactly, we'll have two Swiss Cheese firewalls. Unless the > > > Cisco PIX can do > > > some kind of magic firewall tricks that I don't know about. > > > > > > Ken > > > > > > - > > > Ken Leyba > > > Windows/Exchange System Administrator > > > California State University Dominguez Hills > > > > > > > > > > -Original Message- > > > > From: William Lefkovics [mailto:[EMAIL PROTECTED]] > > > > Sent: Wednesday, March 20, 2002 3:22 PM > > > > To: MS-Exchange Admin Issues > > > > Subject: RE: Stupid Firewall Tricks > > > > > > > > > > > > How are you intending these users access the exchange server? > > > > MAPI client > > > > like Outlook? > > > > > > > > The holes necessary for your users to communicate with > > > > Exchange are such > > > > that your firewall between the users and Exchang
RE: Stupid Firewall Tricks
One word ANTIGEN www.sybari.com Joseph Ambrose System and Network Manager The Conference Board P: 001-212-339-0443 F: 001-212-836-3802 E: [EMAIL PROTECTED] Visit our Award Winning Web Site: www.conference-board.org -Original Message- From: Ken Leyba [mailto:[EMAIL PROTECTED]] Sent: Wednesday, March 20, 2002 6:56 PM To: MS-Exchange Admin Issues Subject:RE: Stupid Firewall Tricks No, we have A/V. I'm looking at alternatives to IncoulateIT. - Ken Leyba Windows/Exchange System Administrator California State University Dominguez Hills > -Original Message- > From: Bob Falkenberg [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, March 20, 2002 3:54 PM > To: MS-Exchange Admin Issues > Subject: RE: Stupid Firewall Tricks > > > no anti-virus?? egads... > > -Original Message- > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, March 20, 2002 3:49 PM > To: MS-Exchange Admin Issues > Subject: RE: Stupid Firewall Tricks > > > That's the rub. We have had no problems with on campus > users. All of our > Exchange problems have been viruses. I would have rather > spent the time and > money on a virus wall, content inspection or an alternative > A/V solution. > > - > Ken Leyba > Windows/Exchange System Administrator > California State University Dominguez Hills > > > > -Original Message- > > From: William Lefkovics [mailto:[EMAIL PROTECTED]] > > Sent: Wednesday, March 20, 2002 3:40 PM > > To: MS-Exchange Admin Issues > > Subject: RE: Stupid Firewall Tricks > > > > > > I have never worked for an .edu [1], but from my experience > > with people who > > have, they often have users that like to test the boundaries > > of security and > > go as far as their IT department allow. I hope your students > > are not as > > ambitious. > > > > It's great you'll be able to block, say, ftp to Exchange, but > > the other > > holes open up too many opportunities for fun. Move the > firewall from > > between the users and Exchange to between the internet and > the users. > > > > [1] Hi Jamie > > > > > > -Original Message- > > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > > Sent: Wednesday, March 20, 2002 3:35 PM > > To: MS-Exchange Admin Issues > > Subject: RE: Stupid Firewall Tricks > > > > > > IT. > > > > - > > Ken Leyba > > Windows/Exchange System Administrator > > California State University Dominguez Hills > > > > > > > -Original Message- > > > From: William Lefkovics [mailto:[EMAIL PROTECTED]] > > > Sent: Wednesday, March 20, 2002 3:34 PM > > > To: MS-Exchange Admin Issues > > > Subject: RE: Stupid Firewall Tricks > > > > > > > > > The more important firewall is between the internet and your > > > organisation. > > > > > > What is this guy a director of? > > > > > > > > > -Original Message- > > > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > > > Sent: Wednesday, March 20, 2002 3:32 PM > > > To: MS-Exchange Admin Issues > > > Subject: RE: Stupid Firewall Tricks > > > > > > > > > Yes, the clients will use POP/SMTP, IMAP and MAPI. That > > was my point > > > exactly, we'll have two Swiss Cheese firewalls. Unless the > > > Cisco PIX can do > > > some kind of magic firewall tricks that I don't know about. > > > > > > Ken > > > > > > - > > > Ken Leyba > > > Windows/Exchange System Administrator > > > California State University Dominguez Hills > > > > > > > > > > -Original Message- > > > > From: William Lefkovics [mailto:[EMAIL PROTECTED]] > > > > Sent: Wednesday, March 20, 2002 3:22 PM > > > > To: MS-Exchange Admin Issues > > > > Subject: RE: Stupid Firewall Tricks > > > > > > > > > > > > How are you intending these users access the exchange server? > > > > MAPI client > > > > like Outlook? > > > > > > > > The holes necessary for your users to communicate with > > > > Exchange are such > > > > that your firewall between the users and Exchange has been > > > > rendered useless. > > > > > > > > > > > > -Original Message- > > > > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > > > >
RE: Stupid Firewall Tricks
IMHO, you'd be better protected using a bastion host outside the firewall. Internet/bastion host <-> Firewall <-> Users/Exchange Now you don't have to open up RPC's thru the firewall, and if you get attacked or hacked, the worst they can do is take down the bastion host and your Exchange servers are still good. > -Original Message- > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, March 20, 2002 5:15 PM > To: MS-Exchange Admin Issues > Subject: Stupid Firewall Tricks > > > Our director wants us to implement a firewall in front of our Windows > 2000/Exchange 5.5 servers. Here is what the scenario is: > > Internet <--> Users <--> Firewall <--> Exchange > > On the Exchange side we have the DC's, Exchange, IMC, OWA, > etc. servers. On > the public side we have the Windows 98/2000 clients, WINS > server (which is a > whole different issue) and Internet. There is a firewall before the > Internet connection but it is basically useless since nothing > is configured. > On the private side we are to use NAT, since all the servers > except the > backup server will need to be accessed from the outside I > really don't see > what this is buying us. Basically we are putting a firewall > in front of > Exchange. We are currently testing the configuration but I > think this may > end up being a nightmare once we begin to change the Windows > 2000 servers > (i.e. Active Directory) IP addresses and DNS settings to the private > addresses. > > I began by making registry hacks to force the RPC's through > specific ports > but our backbone admin figured out how to configure the PIX > firewall without > me having to make the changes. Now I'm reinstalling the test > server to see > that it's actually working. > > Can anyone give me any ammo as to why this is not the way to > do things. I > have tried to explain but I'm getting nowhere. I don't know maybe I'm > wrong. However it seems it would be safer to implement the > firewall at the > internet connection, we seem to be trying to protect > ourselves from our > users. There would be a lot of politics involved with the > Internet firewall > but it does seem like the way to go. > > Thx, > Ken > > - > Ken Leyba > Windows/Exchange System Administrator > California State University Dominguez Hills > > List Charter and FAQ at: > http://www.sunbelt-software.com/exchange_list_charter.htm > List Charter and FAQ at: http://www.sunbelt-software.com/exchange_list_charter.htm
RE: Stupid Firewall Tricks
The clients are faculty and staff. The idea is to protect from the Internet and the rest of the campus. Most clients are part of the domain, so yes, we have the domain logins as well as the Exchange. Others are just POP/SMTP clients, faculty mostly. We have some other kludges in place that require more ports open on the firewall (e.g. DNS zone transfers). I just wanted to do a brain check and make sure that I'm not making a big deal out of this and resisting too much. Ken - Ken Leyba Windows/Exchange System Administrator California State University Dominguez Hills > -Original Message- > From: Keith Nelson [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, March 20, 2002 3:41 PM > To: MS-Exchange Admin Issues > Subject: RE: Stupid Firewall Tricks > > > Just out of curiosity are your clients staff or students? > If he is trying to protect the servers from students on > campus I can sort of (just a little but still wouldn't do it) > see his point for the firewall. But still the firewall > between the machines that need access to the server is just > going to require you to open up a bunch of ports and render > the firewall useless. > > Also are the machines supposed to join the Domain that's > going to be on the other side of the firewall. > > The setup seems kind of silly to me. > > I live in San Pedro so if you need some consultant work that > has experience in educational institutions give me call. I > also do tours of my site. > > Keith Nelson > Network Administrator > Orange County High School of the Arts > [EMAIL PROTECTED] > (714) 560-0900 ex5910 > List Charter and FAQ at: http://www.sunbelt-software.com/exchange_list_charter.htm
RE: Stupid Firewall Tricks
I agree Trend Micro's Scan Mail is just awesome. We got hit by the homepage.vbs virus about a year ago. After that we bought Scan Mail and haven't had a single thing get through. A firewall will not stop E-Mail based viruses. I have 2 PIX firewalls and I use them for firewalls not virus scanners. Scan Mail or Antigen are your best bet. Keith Nelson Network Administrator Orange County High School of the Arts [EMAIL PROTECTED] (714) 560-0900 ex5910 -Original Message- From: Bob Falkenberg [mailto:[EMAIL PROTECTED]] Sent: Wednesday, March 20, 2002 3:58 PM To: MS-Exchange Admin Issues Subject: RE: Stupid Firewall Tricks Trend Micro's scan mail has been a truly wonderful thing here. The AVAPI mode works pretty well. Bob F. -Original Message- From: Ken Leyba [mailto:[EMAIL PROTECTED]] Sent: Wednesday, March 20, 2002 3:56 PM To: MS-Exchange Admin Issues Subject: RE: Stupid Firewall Tricks No, we have A/V. I'm looking at alternatives to IncoulateIT. - Ken Leyba Windows/Exchange System Administrator California State University Dominguez Hills > -Original Message- > From: Bob Falkenberg [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, March 20, 2002 3:54 PM > To: MS-Exchange Admin Issues > Subject: RE: Stupid Firewall Tricks > > > no anti-virus?? egads... > > -Original Message- > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, March 20, 2002 3:49 PM > To: MS-Exchange Admin Issues > Subject: RE: Stupid Firewall Tricks > > > That's the rub. We have had no problems with on campus > users. All of our > Exchange problems have been viruses. I would have rather > spent the time and > money on a virus wall, content inspection or an alternative > A/V solution. > > - > Ken Leyba > Windows/Exchange System Administrator > California State University Dominguez Hills > > > > -Original Message- > > From: William Lefkovics [mailto:[EMAIL PROTECTED]] > > Sent: Wednesday, March 20, 2002 3:40 PM > > To: MS-Exchange Admin Issues > > Subject: RE: Stupid Firewall Tricks > > > > > > I have never worked for an .edu [1], but from my experience > > with people who > > have, they often have users that like to test the boundaries > > of security and > > go as far as their IT department allow. I hope your students > > are not as > > ambitious. > > > > It's great you'll be able to block, say, ftp to Exchange, but > > the other > > holes open up too many opportunities for fun. Move the > firewall from > > between the users and Exchange to between the internet and > the users. > > > > [1] Hi Jamie > > > > > > -Original Message- > > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > > Sent: Wednesday, March 20, 2002 3:35 PM > > To: MS-Exchange Admin Issues > > Subject: RE: Stupid Firewall Tricks > > > > > > IT. > > > > - > > Ken Leyba > > Windows/Exchange System Administrator > > California State University Dominguez Hills > > > > > > > -Original Message- > > > From: William Lefkovics [mailto:[EMAIL PROTECTED]] > > > Sent: Wednesday, March 20, 2002 3:34 PM > > > To: MS-Exchange Admin Issues > > > Subject: RE: Stupid Firewall Tricks > > > > > > > > > The more important firewall is between the internet and your > > > organisation. > > > > > > What is this guy a director of? > > > > > > > > > -Original Message- > > > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > > > Sent: Wednesday, March 20, 2002 3:32 PM > > > To: MS-Exchange Admin Issues > > > Subject: RE: Stupid Firewall Tricks > > > > > > > > > Yes, the clients will use POP/SMTP, IMAP and MAPI. That > > was my point > > > exactly, we'll have two Swiss Cheese firewalls. Unless the > > > Cisco PIX can do > > > some kind of magic firewall tricks that I don't know about. > > > > > > Ken > > > > > > - > > > Ken Leyba > > > Windows/Exchange System Administrator > > > California State University Dominguez Hills > > > > > > > > > > -Original Message- > > > > From: William Lefkovics [mailto:[EMAIL PROTECTED]] > > > > Sent: Wednesday, March 20, 2002 3:22 PM > > > > To: MS-Exchange Admin Issues > > > > Subject: RE: Stupid Firewall Tricks > > > > > > > > > > > > How are you intending these us
RE: Stupid Firewall Tricks
Trend Micro's scan mail has been a truly wonderful thing here. The AVAPI mode works pretty well. Bob F. -Original Message- From: Ken Leyba [mailto:[EMAIL PROTECTED]] Sent: Wednesday, March 20, 2002 3:56 PM To: MS-Exchange Admin Issues Subject: RE: Stupid Firewall Tricks No, we have A/V. I'm looking at alternatives to IncoulateIT. - Ken Leyba Windows/Exchange System Administrator California State University Dominguez Hills > -Original Message- > From: Bob Falkenberg [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, March 20, 2002 3:54 PM > To: MS-Exchange Admin Issues > Subject: RE: Stupid Firewall Tricks > > > no anti-virus?? egads... > > -Original Message- > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, March 20, 2002 3:49 PM > To: MS-Exchange Admin Issues > Subject: RE: Stupid Firewall Tricks > > > That's the rub. We have had no problems with on campus > users. All of our > Exchange problems have been viruses. I would have rather > spent the time and > money on a virus wall, content inspection or an alternative > A/V solution. > > - > Ken Leyba > Windows/Exchange System Administrator > California State University Dominguez Hills > > > > -Original Message- > > From: William Lefkovics [mailto:[EMAIL PROTECTED]] > > Sent: Wednesday, March 20, 2002 3:40 PM > > To: MS-Exchange Admin Issues > > Subject: RE: Stupid Firewall Tricks > > > > > > I have never worked for an .edu [1], but from my experience > > with people who > > have, they often have users that like to test the boundaries > > of security and > > go as far as their IT department allow. I hope your students > > are not as > > ambitious. > > > > It's great you'll be able to block, say, ftp to Exchange, but > > the other > > holes open up too many opportunities for fun. Move the > firewall from > > between the users and Exchange to between the internet and > the users. > > > > [1] Hi Jamie > > > > > > -Original Message- > > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > > Sent: Wednesday, March 20, 2002 3:35 PM > > To: MS-Exchange Admin Issues > > Subject: RE: Stupid Firewall Tricks > > > > > > IT. > > > > - > > Ken Leyba > > Windows/Exchange System Administrator > > California State University Dominguez Hills > > > > > > > -Original Message- > > > From: William Lefkovics [mailto:[EMAIL PROTECTED]] > > > Sent: Wednesday, March 20, 2002 3:34 PM > > > To: MS-Exchange Admin Issues > > > Subject: RE: Stupid Firewall Tricks > > > > > > > > > The more important firewall is between the internet and your > > > organisation. > > > > > > What is this guy a director of? > > > > > > > > > -Original Message- > > > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > > > Sent: Wednesday, March 20, 2002 3:32 PM > > > To: MS-Exchange Admin Issues > > > Subject: RE: Stupid Firewall Tricks > > > > > > > > > Yes, the clients will use POP/SMTP, IMAP and MAPI. That > > was my point > > > exactly, we'll have two Swiss Cheese firewalls. Unless the > > > Cisco PIX can do > > > some kind of magic firewall tricks that I don't know about. > > > > > > Ken > > > > > > - > > > Ken Leyba > > > Windows/Exchange System Administrator > > > California State University Dominguez Hills > > > > > > > > > > -Original Message- > > > > From: William Lefkovics [mailto:[EMAIL PROTECTED]] > > > > Sent: Wednesday, March 20, 2002 3:22 PM > > > > To: MS-Exchange Admin Issues > > > > Subject: RE: Stupid Firewall Tricks > > > > > > > > > > > > How are you intending these users access the exchange server? > > > > MAPI client > > > > like Outlook? > > > > > > > > The holes necessary for your users to communicate with > > > > Exchange are such > > > > that your firewall between the users and Exchange has been > > > > rendered useless. > > > > > > > > > > > > -Original Message- > > > > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > > > > Sent: Wednesday, March 20, 2002 3:15 PM > > > > To: MS-Exchange Admin Issues > > > > Subject: Stu
RE: Stupid Firewall Tricks
No, we have A/V. I'm looking at alternatives to IncoulateIT. - Ken Leyba Windows/Exchange System Administrator California State University Dominguez Hills > -Original Message- > From: Bob Falkenberg [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, March 20, 2002 3:54 PM > To: MS-Exchange Admin Issues > Subject: RE: Stupid Firewall Tricks > > > no anti-virus?? egads... > > -Original Message- > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, March 20, 2002 3:49 PM > To: MS-Exchange Admin Issues > Subject: RE: Stupid Firewall Tricks > > > That's the rub. We have had no problems with on campus > users. All of our > Exchange problems have been viruses. I would have rather > spent the time and > money on a virus wall, content inspection or an alternative > A/V solution. > > - > Ken Leyba > Windows/Exchange System Administrator > California State University Dominguez Hills > > > > -Original Message- > > From: William Lefkovics [mailto:[EMAIL PROTECTED]] > > Sent: Wednesday, March 20, 2002 3:40 PM > > To: MS-Exchange Admin Issues > > Subject: RE: Stupid Firewall Tricks > > > > > > I have never worked for an .edu [1], but from my experience > > with people who > > have, they often have users that like to test the boundaries > > of security and > > go as far as their IT department allow. I hope your students > > are not as > > ambitious. > > > > It's great you'll be able to block, say, ftp to Exchange, but > > the other > > holes open up too many opportunities for fun. Move the > firewall from > > between the users and Exchange to between the internet and > the users. > > > > [1] Hi Jamie > > > > > > -Original Message- > > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > > Sent: Wednesday, March 20, 2002 3:35 PM > > To: MS-Exchange Admin Issues > > Subject: RE: Stupid Firewall Tricks > > > > > > IT. > > > > - > > Ken Leyba > > Windows/Exchange System Administrator > > California State University Dominguez Hills > > > > > > > -Original Message- > > > From: William Lefkovics [mailto:[EMAIL PROTECTED]] > > > Sent: Wednesday, March 20, 2002 3:34 PM > > > To: MS-Exchange Admin Issues > > > Subject: RE: Stupid Firewall Tricks > > > > > > > > > The more important firewall is between the internet and your > > > organisation. > > > > > > What is this guy a director of? > > > > > > > > > -Original Message- > > > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > > > Sent: Wednesday, March 20, 2002 3:32 PM > > > To: MS-Exchange Admin Issues > > > Subject: RE: Stupid Firewall Tricks > > > > > > > > > Yes, the clients will use POP/SMTP, IMAP and MAPI. That > > was my point > > > exactly, we'll have two Swiss Cheese firewalls. Unless the > > > Cisco PIX can do > > > some kind of magic firewall tricks that I don't know about. > > > > > > Ken > > > > > > - > > > Ken Leyba > > > Windows/Exchange System Administrator > > > California State University Dominguez Hills > > > > > > > > > > -Original Message- > > > > From: William Lefkovics [mailto:[EMAIL PROTECTED]] > > > > Sent: Wednesday, March 20, 2002 3:22 PM > > > > To: MS-Exchange Admin Issues > > > > Subject: RE: Stupid Firewall Tricks > > > > > > > > > > > > How are you intending these users access the exchange server? > > > > MAPI client > > > > like Outlook? > > > > > > > > The holes necessary for your users to communicate with > > > > Exchange are such > > > > that your firewall between the users and Exchange has been > > > > rendered useless. > > > > > > > > > > > > -Original Message- > > > > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > > > > Sent: Wednesday, March 20, 2002 3:15 PM > > > > To: MS-Exchange Admin Issues > > > > Subject: Stupid Firewall Tricks > > > > > > > > > > > > Our director wants us to implement a firewall in front of > > > our Windows > > > > 2000/Exchange 5.5 servers. Here is what the scenario is: > > > > > > > > Inte
RE: Stupid Firewall Tricks
no anti-virus?? egads... -Original Message- From: Ken Leyba [mailto:[EMAIL PROTECTED]] Sent: Wednesday, March 20, 2002 3:49 PM To: MS-Exchange Admin Issues Subject: RE: Stupid Firewall Tricks That's the rub. We have had no problems with on campus users. All of our Exchange problems have been viruses. I would have rather spent the time and money on a virus wall, content inspection or an alternative A/V solution. - Ken Leyba Windows/Exchange System Administrator California State University Dominguez Hills > -Original Message- > From: William Lefkovics [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, March 20, 2002 3:40 PM > To: MS-Exchange Admin Issues > Subject: RE: Stupid Firewall Tricks > > > I have never worked for an .edu [1], but from my experience > with people who > have, they often have users that like to test the boundaries > of security and > go as far as their IT department allow. I hope your students > are not as > ambitious. > > It's great you'll be able to block, say, ftp to Exchange, but > the other > holes open up too many opportunities for fun. Move the firewall from > between the users and Exchange to between the internet and the users. > > [1] Hi Jamie > > > -Original Message- > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, March 20, 2002 3:35 PM > To: MS-Exchange Admin Issues > Subject: RE: Stupid Firewall Tricks > > > IT. > > - > Ken Leyba > Windows/Exchange System Administrator > California State University Dominguez Hills > > > > -Original Message- > > From: William Lefkovics [mailto:[EMAIL PROTECTED]] > > Sent: Wednesday, March 20, 2002 3:34 PM > > To: MS-Exchange Admin Issues > > Subject: RE: Stupid Firewall Tricks > > > > > > The more important firewall is between the internet and your > > organisation. > > > > What is this guy a director of? > > > > > > -Original Message- > > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > > Sent: Wednesday, March 20, 2002 3:32 PM > > To: MS-Exchange Admin Issues > > Subject: RE: Stupid Firewall Tricks > > > > > > Yes, the clients will use POP/SMTP, IMAP and MAPI. That > was my point > > exactly, we'll have two Swiss Cheese firewalls. Unless the > > Cisco PIX can do > > some kind of magic firewall tricks that I don't know about. > > > > Ken > > > > - > > Ken Leyba > > Windows/Exchange System Administrator > > California State University Dominguez Hills > > > > > > > -Original Message- > > > From: William Lefkovics [mailto:[EMAIL PROTECTED]] > > > Sent: Wednesday, March 20, 2002 3:22 PM > > > To: MS-Exchange Admin Issues > > > Subject: RE: Stupid Firewall Tricks > > > > > > > > > How are you intending these users access the exchange server? > > > MAPI client > > > like Outlook? > > > > > > The holes necessary for your users to communicate with > > > Exchange are such > > > that your firewall between the users and Exchange has been > > > rendered useless. > > > > > > > > > -Original Message- > > > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > > > Sent: Wednesday, March 20, 2002 3:15 PM > > > To: MS-Exchange Admin Issues > > > Subject: Stupid Firewall Tricks > > > > > > > > > Our director wants us to implement a firewall in front of > > our Windows > > > 2000/Exchange 5.5 servers. Here is what the scenario is: > > > > > > Internet <--> Users <--> Firewall <--> Exchange > > > > > > On the Exchange side we have the DC's, Exchange, IMC, OWA, > > > etc. servers. On > > > the public side we have the Windows 98/2000 clients, WINS > > > server (which is a > > > whole different issue) and Internet. There is a firewall > before the > > > Internet connection but it is basically useless since nothing > > > is configured. > > > On the private side we are to use NAT, since all the servers > > > except the > > > backup server will need to be accessed from the outside I > > > really don't see > > > what this is buying us. Basically we are putting a firewall > > > in front of > > > Exchange. We are currently testing the configuration but I > > > think this may > > > end up being a nightmare once we begin to change the Windows > > > 2000 s
RE: Stupid Firewall Tricks
That's the rub. We have had no problems with on campus users. All of our Exchange problems have been viruses. I would have rather spent the time and money on a virus wall, content inspection or an alternative A/V solution. - Ken Leyba Windows/Exchange System Administrator California State University Dominguez Hills > -Original Message- > From: William Lefkovics [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, March 20, 2002 3:40 PM > To: MS-Exchange Admin Issues > Subject: RE: Stupid Firewall Tricks > > > I have never worked for an .edu [1], but from my experience > with people who > have, they often have users that like to test the boundaries > of security and > go as far as their IT department allow. I hope your students > are not as > ambitious. > > It's great you'll be able to block, say, ftp to Exchange, but > the other > holes open up too many opportunities for fun. Move the firewall from > between the users and Exchange to between the internet and the users. > > [1] Hi Jamie > > > -Original Message- > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, March 20, 2002 3:35 PM > To: MS-Exchange Admin Issues > Subject: RE: Stupid Firewall Tricks > > > IT. > > - > Ken Leyba > Windows/Exchange System Administrator > California State University Dominguez Hills > > > > -Original Message- > > From: William Lefkovics [mailto:[EMAIL PROTECTED]] > > Sent: Wednesday, March 20, 2002 3:34 PM > > To: MS-Exchange Admin Issues > > Subject: RE: Stupid Firewall Tricks > > > > > > The more important firewall is between the internet and your > > organisation. > > > > What is this guy a director of? > > > > > > -Original Message- > > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > > Sent: Wednesday, March 20, 2002 3:32 PM > > To: MS-Exchange Admin Issues > > Subject: RE: Stupid Firewall Tricks > > > > > > Yes, the clients will use POP/SMTP, IMAP and MAPI. That > was my point > > exactly, we'll have two Swiss Cheese firewalls. Unless the > > Cisco PIX can do > > some kind of magic firewall tricks that I don't know about. > > > > Ken > > > > - > > Ken Leyba > > Windows/Exchange System Administrator > > California State University Dominguez Hills > > > > > > > -Original Message- > > > From: William Lefkovics [mailto:[EMAIL PROTECTED]] > > > Sent: Wednesday, March 20, 2002 3:22 PM > > > To: MS-Exchange Admin Issues > > > Subject: RE: Stupid Firewall Tricks > > > > > > > > > How are you intending these users access the exchange server? > > > MAPI client > > > like Outlook? > > > > > > The holes necessary for your users to communicate with > > > Exchange are such > > > that your firewall between the users and Exchange has been > > > rendered useless. > > > > > > > > > -Original Message- > > > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > > > Sent: Wednesday, March 20, 2002 3:15 PM > > > To: MS-Exchange Admin Issues > > > Subject: Stupid Firewall Tricks > > > > > > > > > Our director wants us to implement a firewall in front of > > our Windows > > > 2000/Exchange 5.5 servers. Here is what the scenario is: > > > > > > Internet <--> Users <--> Firewall <--> Exchange > > > > > > On the Exchange side we have the DC's, Exchange, IMC, OWA, > > > etc. servers. On > > > the public side we have the Windows 98/2000 clients, WINS > > > server (which is a > > > whole different issue) and Internet. There is a firewall > before the > > > Internet connection but it is basically useless since nothing > > > is configured. > > > On the private side we are to use NAT, since all the servers > > > except the > > > backup server will need to be accessed from the outside I > > > really don't see > > > what this is buying us. Basically we are putting a firewall > > > in front of > > > Exchange. We are currently testing the configuration but I > > > think this may > > > end up being a nightmare once we begin to change the Windows > > > 2000 servers > > > (i.e. Active Directory) IP addresses and DNS settings to > the private > > > addresses. > > > > > > I began by making registry hacks to force
RE: Stupid Firewall Tricks
I have never worked for an .edu [1], but from my experience with people who have, they often have users that like to test the boundaries of security and go as far as their IT department allow. I hope your students are not as ambitious. It's great you'll be able to block, say, ftp to Exchange, but the other holes open up too many opportunities for fun. Move the firewall from between the users and Exchange to between the internet and the users. [1] Hi Jamie -Original Message- From: Ken Leyba [mailto:[EMAIL PROTECTED]] Sent: Wednesday, March 20, 2002 3:35 PM To: MS-Exchange Admin Issues Subject: RE: Stupid Firewall Tricks IT. - Ken Leyba Windows/Exchange System Administrator California State University Dominguez Hills > -Original Message- > From: William Lefkovics [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, March 20, 2002 3:34 PM > To: MS-Exchange Admin Issues > Subject: RE: Stupid Firewall Tricks > > > The more important firewall is between the internet and your > organisation. > > What is this guy a director of? > > > -Original Message- > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, March 20, 2002 3:32 PM > To: MS-Exchange Admin Issues > Subject: RE: Stupid Firewall Tricks > > > Yes, the clients will use POP/SMTP, IMAP and MAPI. That was my point > exactly, we'll have two Swiss Cheese firewalls. Unless the > Cisco PIX can do > some kind of magic firewall tricks that I don't know about. > > Ken > > - > Ken Leyba > Windows/Exchange System Administrator > California State University Dominguez Hills > > > > -Original Message- > > From: William Lefkovics [mailto:[EMAIL PROTECTED]] > > Sent: Wednesday, March 20, 2002 3:22 PM > > To: MS-Exchange Admin Issues > > Subject: RE: Stupid Firewall Tricks > > > > > > How are you intending these users access the exchange server? > > MAPI client > > like Outlook? > > > > The holes necessary for your users to communicate with > > Exchange are such > > that your firewall between the users and Exchange has been > > rendered useless. > > > > > > -Original Message- > > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > > Sent: Wednesday, March 20, 2002 3:15 PM > > To: MS-Exchange Admin Issues > > Subject: Stupid Firewall Tricks > > > > > > Our director wants us to implement a firewall in front of > our Windows > > 2000/Exchange 5.5 servers. Here is what the scenario is: > > > > Internet <--> Users <--> Firewall <--> Exchange > > > > On the Exchange side we have the DC's, Exchange, IMC, OWA, > > etc. servers. On > > the public side we have the Windows 98/2000 clients, WINS > > server (which is a > > whole different issue) and Internet. There is a firewall before the > > Internet connection but it is basically useless since nothing > > is configured. > > On the private side we are to use NAT, since all the servers > > except the > > backup server will need to be accessed from the outside I > > really don't see > > what this is buying us. Basically we are putting a firewall > > in front of > > Exchange. We are currently testing the configuration but I > > think this may > > end up being a nightmare once we begin to change the Windows > > 2000 servers > > (i.e. Active Directory) IP addresses and DNS settings to the private > > addresses. > > > > I began by making registry hacks to force the RPC's through > > specific ports > > but our backbone admin figured out how to configure the PIX > > firewall without > > me having to make the changes. Now I'm reinstalling the test > > server to see > > that it's actually working. > > > > Can anyone give me any ammo as to why this is not the way to > > do things. I > > have tried to explain but I'm getting nowhere. I don't > know maybe I'm > > wrong. However it seems it would be safer to implement the > > firewall at the > > internet connection, we seem to be trying to protect > > ourselves from our > > users. There would be a lot of politics involved with the > > Internet firewall > > but it does seem like the way to go. > > > > Thx, > > Ken > > > > - > > Ken Leyba > > Windows/Exchange System Administrator > > California State University Dominguez Hills > > > > List Charter and FAQ at: > > http://www.sunbelt-software.com/exchange_list_charter.htm > > > > List Charter and FAQ at: > > http://www.sunbelt-software.com/exchange_list_charter.htm > > > > List Charter and FAQ at: > http://www.sunbelt-software.com/exchange_list_charter.htm > > List Charter and FAQ at: > http://www.sunbelt-software.com/exchange_list_charter.htm > List Charter and FAQ at: http://www.sunbelt-software.com/exchange_list_charter.htm List Charter and FAQ at: http://www.sunbelt-software.com/exchange_list_charter.htm
RE: Stupid Firewall Tricks
Just out of curiosity are your clients staff or students? If he is trying to protect the servers from students on campus I can sort of (just a little but still wouldn't do it) see his point for the firewall. But still the firewall between the machines that need access to the server is just going to require you to open up a bunch of ports and render the firewall useless. Also are the machines supposed to join the Domain that's going to be on the other side of the firewall. The setup seems kind of silly to me. I live in San Pedro so if you need some consultant work that has experience in educational institutions give me call. I also do tours of my site. Keith Nelson Network Administrator Orange County High School of the Arts [EMAIL PROTECTED] (714) 560-0900 ex5910 -Original Message- From: Ken Leyba [mailto:[EMAIL PROTECTED]] Sent: Wednesday, March 20, 2002 3:32 PM To: MS-Exchange Admin Issues Subject: RE: Stupid Firewall Tricks Yes, the clients will use POP/SMTP, IMAP and MAPI. That was my point exactly, we'll have two Swiss Cheese firewalls. Unless the Cisco PIX can do some kind of magic firewall tricks that I don't know about. Ken - Ken Leyba Windows/Exchange System Administrator California State University Dominguez Hills > -Original Message- > From: William Lefkovics [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, March 20, 2002 3:22 PM > To: MS-Exchange Admin Issues > Subject: RE: Stupid Firewall Tricks > > > How are you intending these users access the exchange server? > MAPI client > like Outlook? > > The holes necessary for your users to communicate with > Exchange are such > that your firewall between the users and Exchange has been > rendered useless. > > > -Original Message- > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, March 20, 2002 3:15 PM > To: MS-Exchange Admin Issues > Subject: Stupid Firewall Tricks > > > Our director wants us to implement a firewall in front of our Windows > 2000/Exchange 5.5 servers. Here is what the scenario is: > > Internet <--> Users <--> Firewall <--> Exchange > > On the Exchange side we have the DC's, Exchange, IMC, OWA, > etc. servers. On > the public side we have the Windows 98/2000 clients, WINS > server (which is a > whole different issue) and Internet. There is a firewall before the > Internet connection but it is basically useless since nothing > is configured. > On the private side we are to use NAT, since all the servers > except the > backup server will need to be accessed from the outside I > really don't see > what this is buying us. Basically we are putting a firewall > in front of > Exchange. We are currently testing the configuration but I > think this may > end up being a nightmare once we begin to change the Windows > 2000 servers > (i.e. Active Directory) IP addresses and DNS settings to the private > addresses. > > I began by making registry hacks to force the RPC's through > specific ports > but our backbone admin figured out how to configure the PIX > firewall without > me having to make the changes. Now I'm reinstalling the test > server to see > that it's actually working. > > Can anyone give me any ammo as to why this is not the way to > do things. I > have tried to explain but I'm getting nowhere. I don't know maybe I'm > wrong. However it seems it would be safer to implement the > firewall at the > internet connection, we seem to be trying to protect > ourselves from our > users. There would be a lot of politics involved with the > Internet firewall > but it does seem like the way to go. > > Thx, > Ken > > - > Ken Leyba > Windows/Exchange System Administrator > California State University Dominguez Hills > > List Charter and FAQ at: > http://www.sunbelt-software.com/exchange_list_charter.htm > > List Charter and FAQ at: > http://www.sunbelt-software.com/exchange_list_charter.htm > List Charter and FAQ at: http://www.sunbelt-software.com/exchange_list_charter.htm List Charter and FAQ at: http://www.sunbelt-software.com/exchange_list_charter.htm
RE: Stupid Firewall Tricks
Normal setup Internet - Firewall - clients and servers Firewall blocks all inbound traffic... Open Port 25 and 80 as necessary, but nothing else if looking for a DMZ setup, hardened, function specific machines What this guy's asking for is pointless, and prolly gonna cause huge headaches when you get to tweaking DNS. -Original Message- From: Ken Leyba [mailto:[EMAIL PROTECTED]] Sent: Wednesday, March 20, 2002 15:32 To: MS-Exchange Admin Issues Subject: RE: Stupid Firewall Tricks Yes, the clients will use POP/SMTP, IMAP and MAPI. That was my point exactly, we'll have two Swiss Cheese firewalls. Unless the Cisco PIX can do some kind of magic firewall tricks that I don't know about. Ken - Ken Leyba Windows/Exchange System Administrator California State University Dominguez Hills > -Original Message- > From: William Lefkovics [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, March 20, 2002 3:22 PM > To: MS-Exchange Admin Issues > Subject: RE: Stupid Firewall Tricks > > > How are you intending these users access the exchange server? > MAPI client > like Outlook? > > The holes necessary for your users to communicate with > Exchange are such > that your firewall between the users and Exchange has been > rendered useless. > > > -Original Message- > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, March 20, 2002 3:15 PM > To: MS-Exchange Admin Issues > Subject: Stupid Firewall Tricks > > > Our director wants us to implement a firewall in front of our Windows > 2000/Exchange 5.5 servers. Here is what the scenario is: > > Internet <--> Users <--> Firewall <--> Exchange > > On the Exchange side we have the DC's, Exchange, IMC, OWA, > etc. servers. On > the public side we have the Windows 98/2000 clients, WINS > server (which is a > whole different issue) and Internet. There is a firewall before the > Internet connection but it is basically useless since nothing > is configured. > On the private side we are to use NAT, since all the servers > except the > backup server will need to be accessed from the outside I > really don't see > what this is buying us. Basically we are putting a firewall > in front of > Exchange. We are currently testing the configuration but I > think this may > end up being a nightmare once we begin to change the Windows > 2000 servers > (i.e. Active Directory) IP addresses and DNS settings to the private > addresses. > > I began by making registry hacks to force the RPC's through > specific ports > but our backbone admin figured out how to configure the PIX > firewall without > me having to make the changes. Now I'm reinstalling the test > server to see > that it's actually working. > > Can anyone give me any ammo as to why this is not the way to > do things. I > have tried to explain but I'm getting nowhere. I don't know maybe I'm > wrong. However it seems it would be safer to implement the > firewall at the > internet connection, we seem to be trying to protect > ourselves from our > users. There would be a lot of politics involved with the > Internet firewall > but it does seem like the way to go. > > Thx, > Ken > > - > Ken Leyba > Windows/Exchange System Administrator > California State University Dominguez Hills > > List Charter and FAQ at: > http://www.sunbelt-software.com/exchange_list_charter.htm > > List Charter and FAQ at: > http://www.sunbelt-software.com/exchange_list_charter.htm > List Charter and FAQ at: http://www.sunbelt-software.com/exchange_list_charter.htm List Charter and FAQ at: http://www.sunbelt-software.com/exchange_list_charter.htm
RE: Stupid Firewall Tricks
Director, of Seagull Mgmt. -Original Message- From: William Lefkovics [mailto:[EMAIL PROTECTED]] Sent: Wednesday, March 20, 2002 18:34 To: MS-Exchange Admin Issues Subject: RE: Stupid Firewall Tricks The more important firewall is between the internet and your organisation. What is this guy a director of? -Original Message- From: Ken Leyba [mailto:[EMAIL PROTECTED]] Sent: Wednesday, March 20, 2002 3:32 PM To: MS-Exchange Admin Issues Subject: RE: Stupid Firewall Tricks Yes, the clients will use POP/SMTP, IMAP and MAPI. That was my point exactly, we'll have two Swiss Cheese firewalls. Unless the Cisco PIX can do some kind of magic firewall tricks that I don't know about. Ken - Ken Leyba Windows/Exchange System Administrator California State University Dominguez Hills > -Original Message- > From: William Lefkovics [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, March 20, 2002 3:22 PM > To: MS-Exchange Admin Issues > Subject: RE: Stupid Firewall Tricks > > > How are you intending these users access the exchange server? > MAPI client > like Outlook? > > The holes necessary for your users to communicate with > Exchange are such > that your firewall between the users and Exchange has been > rendered useless. > > > -Original Message- > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, March 20, 2002 3:15 PM > To: MS-Exchange Admin Issues > Subject: Stupid Firewall Tricks > > > Our director wants us to implement a firewall in front of our Windows > 2000/Exchange 5.5 servers. Here is what the scenario is: > > Internet <--> Users <--> Firewall <--> Exchange > > On the Exchange side we have the DC's, Exchange, IMC, OWA, > etc. servers. On > the public side we have the Windows 98/2000 clients, WINS > server (which is a > whole different issue) and Internet. There is a firewall before the > Internet connection but it is basically useless since nothing > is configured. > On the private side we are to use NAT, since all the servers > except the > backup server will need to be accessed from the outside I > really don't see > what this is buying us. Basically we are putting a firewall > in front of > Exchange. We are currently testing the configuration but I > think this may > end up being a nightmare once we begin to change the Windows > 2000 servers > (i.e. Active Directory) IP addresses and DNS settings to the private > addresses. > > I began by making registry hacks to force the RPC's through > specific ports > but our backbone admin figured out how to configure the PIX > firewall without > me having to make the changes. Now I'm reinstalling the test > server to see > that it's actually working. > > Can anyone give me any ammo as to why this is not the way to > do things. I > have tried to explain but I'm getting nowhere. I don't know maybe I'm > wrong. However it seems it would be safer to implement the > firewall at the > internet connection, we seem to be trying to protect > ourselves from our > users. There would be a lot of politics involved with the > Internet firewall > but it does seem like the way to go. > > Thx, > Ken > > - > Ken Leyba > Windows/Exchange System Administrator > California State University Dominguez Hills > > List Charter and FAQ at: > http://www.sunbelt-software.com/exchange_list_charter.htm > > List Charter and FAQ at: > http://www.sunbelt-software.com/exchange_list_charter.htm > List Charter and FAQ at: http://www.sunbelt-software.com/exchange_list_charter.htm List Charter and FAQ at: http://www.sunbelt-software.com/exchange_list_charter.htm _ Do You Yahoo!? Get your free @yahoo.com address at http://mail.yahoo.com List Charter and FAQ at: http://www.sunbelt-software.com/exchange_list_charter.htm
RE: Stupid Firewall Tricks
IT. - Ken Leyba Windows/Exchange System Administrator California State University Dominguez Hills > -Original Message- > From: William Lefkovics [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, March 20, 2002 3:34 PM > To: MS-Exchange Admin Issues > Subject: RE: Stupid Firewall Tricks > > > The more important firewall is between the internet and your > organisation. > > What is this guy a director of? > > > -Original Message- > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, March 20, 2002 3:32 PM > To: MS-Exchange Admin Issues > Subject: RE: Stupid Firewall Tricks > > > Yes, the clients will use POP/SMTP, IMAP and MAPI. That was my point > exactly, we'll have two Swiss Cheese firewalls. Unless the > Cisco PIX can do > some kind of magic firewall tricks that I don't know about. > > Ken > > - > Ken Leyba > Windows/Exchange System Administrator > California State University Dominguez Hills > > > > -Original Message- > > From: William Lefkovics [mailto:[EMAIL PROTECTED]] > > Sent: Wednesday, March 20, 2002 3:22 PM > > To: MS-Exchange Admin Issues > > Subject: RE: Stupid Firewall Tricks > > > > > > How are you intending these users access the exchange server? > > MAPI client > > like Outlook? > > > > The holes necessary for your users to communicate with > > Exchange are such > > that your firewall between the users and Exchange has been > > rendered useless. > > > > > > -Original Message- > > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > > Sent: Wednesday, March 20, 2002 3:15 PM > > To: MS-Exchange Admin Issues > > Subject: Stupid Firewall Tricks > > > > > > Our director wants us to implement a firewall in front of > our Windows > > 2000/Exchange 5.5 servers. Here is what the scenario is: > > > > Internet <--> Users <--> Firewall <--> Exchange > > > > On the Exchange side we have the DC's, Exchange, IMC, OWA, > > etc. servers. On > > the public side we have the Windows 98/2000 clients, WINS > > server (which is a > > whole different issue) and Internet. There is a firewall before the > > Internet connection but it is basically useless since nothing > > is configured. > > On the private side we are to use NAT, since all the servers > > except the > > backup server will need to be accessed from the outside I > > really don't see > > what this is buying us. Basically we are putting a firewall > > in front of > > Exchange. We are currently testing the configuration but I > > think this may > > end up being a nightmare once we begin to change the Windows > > 2000 servers > > (i.e. Active Directory) IP addresses and DNS settings to the private > > addresses. > > > > I began by making registry hacks to force the RPC's through > > specific ports > > but our backbone admin figured out how to configure the PIX > > firewall without > > me having to make the changes. Now I'm reinstalling the test > > server to see > > that it's actually working. > > > > Can anyone give me any ammo as to why this is not the way to > > do things. I > > have tried to explain but I'm getting nowhere. I don't > know maybe I'm > > wrong. However it seems it would be safer to implement the > > firewall at the > > internet connection, we seem to be trying to protect > > ourselves from our > > users. There would be a lot of politics involved with the > > Internet firewall > > but it does seem like the way to go. > > > > Thx, > > Ken > > > > - > > Ken Leyba > > Windows/Exchange System Administrator > > California State University Dominguez Hills > > > > List Charter and FAQ at: > > http://www.sunbelt-software.com/exchange_list_charter.htm > > > > List Charter and FAQ at: > > http://www.sunbelt-software.com/exchange_list_charter.htm > > > > List Charter and FAQ at: > http://www.sunbelt-software.com/exchange_list_charter.htm > > List Charter and FAQ at: > http://www.sunbelt-software.com/exchange_list_charter.htm > List Charter and FAQ at: http://www.sunbelt-software.com/exchange_list_charter.htm
RE: Stupid Firewall Tricks
The more important firewall is between the internet and your organisation. What is this guy a director of? -Original Message- From: Ken Leyba [mailto:[EMAIL PROTECTED]] Sent: Wednesday, March 20, 2002 3:32 PM To: MS-Exchange Admin Issues Subject: RE: Stupid Firewall Tricks Yes, the clients will use POP/SMTP, IMAP and MAPI. That was my point exactly, we'll have two Swiss Cheese firewalls. Unless the Cisco PIX can do some kind of magic firewall tricks that I don't know about. Ken - Ken Leyba Windows/Exchange System Administrator California State University Dominguez Hills > -Original Message- > From: William Lefkovics [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, March 20, 2002 3:22 PM > To: MS-Exchange Admin Issues > Subject: RE: Stupid Firewall Tricks > > > How are you intending these users access the exchange server? > MAPI client > like Outlook? > > The holes necessary for your users to communicate with > Exchange are such > that your firewall between the users and Exchange has been > rendered useless. > > > -Original Message- > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, March 20, 2002 3:15 PM > To: MS-Exchange Admin Issues > Subject: Stupid Firewall Tricks > > > Our director wants us to implement a firewall in front of our Windows > 2000/Exchange 5.5 servers. Here is what the scenario is: > > Internet <--> Users <--> Firewall <--> Exchange > > On the Exchange side we have the DC's, Exchange, IMC, OWA, > etc. servers. On > the public side we have the Windows 98/2000 clients, WINS > server (which is a > whole different issue) and Internet. There is a firewall before the > Internet connection but it is basically useless since nothing > is configured. > On the private side we are to use NAT, since all the servers > except the > backup server will need to be accessed from the outside I > really don't see > what this is buying us. Basically we are putting a firewall > in front of > Exchange. We are currently testing the configuration but I > think this may > end up being a nightmare once we begin to change the Windows > 2000 servers > (i.e. Active Directory) IP addresses and DNS settings to the private > addresses. > > I began by making registry hacks to force the RPC's through > specific ports > but our backbone admin figured out how to configure the PIX > firewall without > me having to make the changes. Now I'm reinstalling the test > server to see > that it's actually working. > > Can anyone give me any ammo as to why this is not the way to > do things. I > have tried to explain but I'm getting nowhere. I don't know maybe I'm > wrong. However it seems it would be safer to implement the > firewall at the > internet connection, we seem to be trying to protect > ourselves from our > users. There would be a lot of politics involved with the > Internet firewall > but it does seem like the way to go. > > Thx, > Ken > > - > Ken Leyba > Windows/Exchange System Administrator > California State University Dominguez Hills > > List Charter and FAQ at: > http://www.sunbelt-software.com/exchange_list_charter.htm > > List Charter and FAQ at: > http://www.sunbelt-software.com/exchange_list_charter.htm > List Charter and FAQ at: http://www.sunbelt-software.com/exchange_list_charter.htm List Charter and FAQ at: http://www.sunbelt-software.com/exchange_list_charter.htm
RE: Stupid Firewall Tricks
Yes, the clients will use POP/SMTP, IMAP and MAPI. That was my point exactly, we'll have two Swiss Cheese firewalls. Unless the Cisco PIX can do some kind of magic firewall tricks that I don't know about. Ken - Ken Leyba Windows/Exchange System Administrator California State University Dominguez Hills > -Original Message- > From: William Lefkovics [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, March 20, 2002 3:22 PM > To: MS-Exchange Admin Issues > Subject: RE: Stupid Firewall Tricks > > > How are you intending these users access the exchange server? > MAPI client > like Outlook? > > The holes necessary for your users to communicate with > Exchange are such > that your firewall between the users and Exchange has been > rendered useless. > > > -Original Message- > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, March 20, 2002 3:15 PM > To: MS-Exchange Admin Issues > Subject: Stupid Firewall Tricks > > > Our director wants us to implement a firewall in front of our Windows > 2000/Exchange 5.5 servers. Here is what the scenario is: > > Internet <--> Users <--> Firewall <--> Exchange > > On the Exchange side we have the DC's, Exchange, IMC, OWA, > etc. servers. On > the public side we have the Windows 98/2000 clients, WINS > server (which is a > whole different issue) and Internet. There is a firewall before the > Internet connection but it is basically useless since nothing > is configured. > On the private side we are to use NAT, since all the servers > except the > backup server will need to be accessed from the outside I > really don't see > what this is buying us. Basically we are putting a firewall > in front of > Exchange. We are currently testing the configuration but I > think this may > end up being a nightmare once we begin to change the Windows > 2000 servers > (i.e. Active Directory) IP addresses and DNS settings to the private > addresses. > > I began by making registry hacks to force the RPC's through > specific ports > but our backbone admin figured out how to configure the PIX > firewall without > me having to make the changes. Now I'm reinstalling the test > server to see > that it's actually working. > > Can anyone give me any ammo as to why this is not the way to > do things. I > have tried to explain but I'm getting nowhere. I don't know maybe I'm > wrong. However it seems it would be safer to implement the > firewall at the > internet connection, we seem to be trying to protect > ourselves from our > users. There would be a lot of politics involved with the > Internet firewall > but it does seem like the way to go. > > Thx, > Ken > > - > Ken Leyba > Windows/Exchange System Administrator > California State University Dominguez Hills > > List Charter and FAQ at: > http://www.sunbelt-software.com/exchange_list_charter.htm > > List Charter and FAQ at: > http://www.sunbelt-software.com/exchange_list_charter.htm > List Charter and FAQ at: http://www.sunbelt-software.com/exchange_list_charter.htm
RE: Stupid Firewall Tricks
How are you intending these users access the exchange server? MAPI client like Outlook? The holes necessary for your users to communicate with Exchange are such that your firewall between the users and Exchange has been rendered useless. -Original Message- From: Ken Leyba [mailto:[EMAIL PROTECTED]] Sent: Wednesday, March 20, 2002 3:15 PM To: MS-Exchange Admin Issues Subject: Stupid Firewall Tricks Our director wants us to implement a firewall in front of our Windows 2000/Exchange 5.5 servers. Here is what the scenario is: Internet <--> Users <--> Firewall <--> Exchange On the Exchange side we have the DC's, Exchange, IMC, OWA, etc. servers. On the public side we have the Windows 98/2000 clients, WINS server (which is a whole different issue) and Internet. There is a firewall before the Internet connection but it is basically useless since nothing is configured. On the private side we are to use NAT, since all the servers except the backup server will need to be accessed from the outside I really don't see what this is buying us. Basically we are putting a firewall in front of Exchange. We are currently testing the configuration but I think this may end up being a nightmare once we begin to change the Windows 2000 servers (i.e. Active Directory) IP addresses and DNS settings to the private addresses. I began by making registry hacks to force the RPC's through specific ports but our backbone admin figured out how to configure the PIX firewall without me having to make the changes. Now I'm reinstalling the test server to see that it's actually working. Can anyone give me any ammo as to why this is not the way to do things. I have tried to explain but I'm getting nowhere. I don't know maybe I'm wrong. However it seems it would be safer to implement the firewall at the internet connection, we seem to be trying to protect ourselves from our users. There would be a lot of politics involved with the Internet firewall but it does seem like the way to go. Thx, Ken - Ken Leyba Windows/Exchange System Administrator California State University Dominguez Hills List Charter and FAQ at: http://www.sunbelt-software.com/exchange_list_charter.htm List Charter and FAQ at: http://www.sunbelt-software.com/exchange_list_charter.htm
Stupid Firewall Tricks
Our director wants us to implement a firewall in front of our Windows 2000/Exchange 5.5 servers. Here is what the scenario is: Internet <--> Users <--> Firewall <--> Exchange On the Exchange side we have the DC's, Exchange, IMC, OWA, etc. servers. On the public side we have the Windows 98/2000 clients, WINS server (which is a whole different issue) and Internet. There is a firewall before the Internet connection but it is basically useless since nothing is configured. On the private side we are to use NAT, since all the servers except the backup server will need to be accessed from the outside I really don't see what this is buying us. Basically we are putting a firewall in front of Exchange. We are currently testing the configuration but I think this may end up being a nightmare once we begin to change the Windows 2000 servers (i.e. Active Directory) IP addresses and DNS settings to the private addresses. I began by making registry hacks to force the RPC's through specific ports but our backbone admin figured out how to configure the PIX firewall without me having to make the changes. Now I'm reinstalling the test server to see that it's actually working. Can anyone give me any ammo as to why this is not the way to do things. I have tried to explain but I'm getting nowhere. I don't know maybe I'm wrong. However it seems it would be safer to implement the firewall at the internet connection, we seem to be trying to protect ourselves from our users. There would be a lot of politics involved with the Internet firewall but it does seem like the way to go. Thx, Ken - Ken Leyba Windows/Exchange System Administrator California State University Dominguez Hills List Charter and FAQ at: http://www.sunbelt-software.com/exchange_list_charter.htm