RE: [fw-wiz] NTLM authentication from DMZ
From: Ben Nagy (ben@iagu.net)
Date: 09/19/02
- Next message: Frank Knobbe: "RE: [fw-wiz] NTLM authentication from DMZ"
- Previous message: Ben Nagy: "RE: [fw-wiz] NTLM authentication from DMZ"
- In reply to: Jan van Rensburg: "Re: [fw-wiz] NTLM authentication from DMZ"
- Next in thread: Frank Knobbe: "RE: [fw-wiz] NTLM authentication from DMZ"
- Reply: Frank Knobbe: "RE: [fw-wiz] NTLM authentication from DMZ"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Ben Nagy" <ben@iagu.net> To: "'Jan van Rensburg'" <jan.van.rensburg@epiuse.com>, <firewall-wizards@honor.icsalabs.com> Date: Thu Sep 19 07:44:16 2002
Short answer - don't do it.
Longer answer - Um...this is contra-indicated from a security
perspective.
Long answer - If at gunpoint, I would run the IIS box which does the
actual Exchange Webmail function on a separate box, in a separate
domain, with one-way trusts, and stick _that_ box in the DMZ with the
appropriate holes for the required traffic. From memory, you need the
works for this, including MS-RPC.
The key threat is that someone will hack your IIS box and then sit on it
gathering valid password pairs for the LAN domain, and then just access
C$ on whatever box they like as soon as anyone in the Domain Admins
group checks their mail. We could argue about countermeasures to that,
but believe me when I say that once someone has control over the DMZ box
then you're in some pretty major schtuck unless you have an extremely
smart IDS or Tingling Spider Senses.
Note that I always recommend that Exchange boxen not talk SMTP to the
outside world - setting up a secure mail relay in the DMZ is cheap, easy
and can provide some good first-pass filtering / screening capabilities.
Cheers,
--
Ben Nagy
Network Security Specialist
Mb: +41792504687
PGP Key ID: 0x1A86E304

> -----Original Message-----
> From: firewall-wizards-admin@honor.icsalabs.com
> [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Jan van Rensburg
> Sent: Wednesday, September 18, 2002 10:27 AM
> To: firewall-wizards@honor.icsalabs.com
> Subject: Re: [fw-wiz] NTLM authentication from DMZ
>
> A related question I've sometimes wondered about is where is the best
> place to put a company's Exchange server. Let us assume that the
> Exchange server is part of the normal company domain, so that you only
> have one authentication database to deal with. The second assumption is
> that people will access their Exchange mail remotely from the Internet.
> Now the obvious answer to this is a VPN, but let's assume that this is
> not possible.
>
> The two options left are:
> 1. Place the Exchange server in the DMZ, but that would require a whole
> lot of ports open between the LAN and DMZ for the authentication to
> work.
> 2. Place it on the LAN, but that would require opening ports from the
> Internet to your LAN.
>
> Which of the two is worse? Any other (non-VPN) alternatives?
>
> Jan van Rensburg
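As an illustration of the "secure mail relay in the DMZ" that Ben recommends instead of letting Exchange speak SMTP to the Internet, here is an added example of a minimal Postfix main.cf for such a relay. It is not from the original post or from any of the posters; the domain example.com, the internal Exchange address 10.0.0.25, the lookup-table file names and the size limit are constructed placeholders. The relay accepts mail from the Internet only for the internal domain, hands it to Exchange on port 25, and does no local delivery, so the internal server is never directly reachable from outside.

```conf
# /etc/postfix/main.cf on the DMZ relay (added example; values are placeholders)
myhostname = relay.example.com
inet_interfaces = all

# No local delivery at all: this host is a relay, not a mailbox server.
mydestination =
local_recipient_maps =
local_transport = error:local mail delivery is disabled on this relay

# Only accept mail for the internal domain ...
relay_domains = example.com
# ... and only for recipients listed in a valid-recipient table, so the
# relay does not accept-then-bounce mail for non-existent users.
relay_recipient_maps = hash:/etc/postfix/relay_recipients

# Route the internal domain to the Exchange server on the LAN
# (transport file contains:  example.com  smtp:[10.0.0.25]  )
transport_maps = hash:/etc/postfix/transport

# Nothing outside this box is trusted as an origin for relaying.
mynetworks = 127.0.0.0/8
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unknown_recipient_domain

# First-pass screening: require HELO, disable VRFY, cap message size,
# and apply header/body pattern checks before anything reaches the LAN.
smtpd_helo_required = yes
disable_vrfy_command = yes
message_size_limit = 20480000
header_checks = regexp:/etc/postfix/header_checks
body_checks = regexp:/etc/postfix/body_checks
```

The firewall policy that goes with this lets the Internet reach the relay on TCP 25 only, and lets the relay reach the Exchange server on TCP 25 only; outbound mail from Exchange goes back through the same relay. With that split, a compromise of the DMZ relay yields an SMTP hop, not domain credentials, which is the exposure the rest of the thread is trying to avoid.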