Re: [fw-wiz] (no subject)

From: Paul D. Robertson (proberts@patriot.net)
Date: 11/24/02


From: "Paul D. Robertson" <proberts@patriot.net>
To: Dean Pullen <deanpullen@yahoo.com>
Date: Sun Nov 24 18:12:01 2002

On Fri, 22 Nov 2002, Dean Pullen wrote:

> Hi guys,
>
> I've basically been told that we require an Exchange
> system operated within our DMZ setup. After much

Well, you're going to get flack for that here- so let's ask the question
more carefully- have you been told you require SMTP services in your DMZ,
or explicitly an Exchange server? If explicitly, what's the rationale?

Most of us on this list would be extremely wary of even exposing just the
IMC component of Exchange to the raw Internet. I can only think of two
large well-staffed companies that might do that off the top of my head,
and one of those would be Microsoft.

> reading I've decided to go for a front-end, back-end
> Exchange system, with the Exchange front-end in the DMZ
> and the back-end in the LAN. However, even though I've
> opened up all the ports specified in MS' white papers
> between the DMZ and LAN, I cannot connect to the
> domain/active directory from the Front-End server. How

Exposing your domain controller or active directory server to a machine in
the DMZ is probably less than optimal from a security perspective. Once
again, you're best off outlining the basic requirements and finding tools
that fit the job, rather than trying to fit specific tools to a particular
job.

> do I go about this? I mean all I am trying at the
> moment is to connect to our internal Domain by
> accessing the network ID in the My Computer properties
> and trying typing in the Domain. Do I have to do
> anything else?! Sorry for my amateurishness(!) but
> we're a small firm and cannot afford a fully-fledged
> exchange specialist, thus I'm doing it!

IMO, all the more reason to go back to the initial requirements and look
into architectural solutions that provide separation between the public
facing side of your equipment and your core internal infrastructure.

We place machines on the DMZ because their increased exposure makes
them more likely to be compromised. If we then connect them to core
infrastructure like authentication servers, we're increasing the exposure
to that infrastructure. That's something that should only be done with
extreme care and a full understanding of the risks.

You're getting a lot of "Why Exchange?" questions because people are
concerned that you're going to expose a lot more than you absolutely
*need* to expose by going down that path. If you don't have strong
Exchange expertise, it makes us all a lot more nervous- it's like you're
standing there with a knife asking "What's the best way to cut off my
finger?" We all want to be *really* sure you've got no other alternative
to cutting off your finger. It'll impair your typing and all that...

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@patriot.net which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
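The thread's core point is that every DMZ-to-LAN rule added to make the front-end server "see" the domain also gives a compromised DMZ host a path to the domain controller. The script below is an added example, not code from Paul or from this list: it reads a firewall ruleset in a constructed, simplified text format (`action src_zone dst_zone dst_host port/proto`, with `any` or `lo-hi` port ranges) and reports each DMZ-to-LAN allow rule that reaches a directory or authentication service. The port-to-service table (Kerberos, LDAP, SMB, RPC endpoint mapper, global catalog, DNS) is the script's own assumption about standard Active Directory ports, not a list taken from the message or from Microsoft's white papers, and the sample ruleset is constructed.

```python
"""Audit DMZ -> LAN firewall rules for paths into core directory/authentication services.

Added example for this thread; the rule format and the sample ruleset are constructed.
"""
from dataclasses import dataclass

# (port, proto) -> service. Standard Active Directory / domain-member ports;
# this mapping is an assumption of the example, not something the thread states.
CORE_SERVICES = {
    (53, "tcp"): "DNS",
    (53, "udp"): "DNS",
    (88, "tcp"): "Kerberos",
    (88, "udp"): "Kerberos",
    (135, "tcp"): "RPC endpoint mapper",
    (389, "tcp"): "LDAP",
    (389, "udp"): "LDAP",
    (445, "tcp"): "SMB",
    (636, "tcp"): "LDAPS",
    (3268, "tcp"): "Global Catalog",
    (3269, "tcp"): "Global Catalog (SSL)",
}


@dataclass(frozen=True)
class Rule:
    action: str
    src_zone: str
    dst_zone: str
    dst_host: str
    proto: str
    lo: int  # first destination port covered by the rule
    hi: int  # last destination port covered by the rule


def parse_rule(line: str) -> Rule:
    """Parse one line of the constructed format: 'allow dmz lan 10.1.0.5 25/tcp'.

    The port field may be a single port, a range 'lo-hi', or 'any'.
    """
    action, src, dst, host, spec = line.split()
    port_part, proto = spec.split("/")
    if port_part == "any":
        lo, hi = 0, 65535
    elif "-" in port_part:
        lo, hi = (int(p) for p in port_part.split("-"))
    else:
        lo = hi = int(port_part)
    return Rule(action, src, dst, host, proto, lo, hi)


def exposed_services(rule: Rule) -> list:
    """Core services whose port/proto falls inside the rule's destination range."""
    return sorted({
        name
        for (port, proto), name in CORE_SERVICES.items()
        if proto == rule.proto and rule.lo <= port <= rule.hi
    })


def audit(lines) -> list:
    """Return (rule_line, [services]) for every DMZ->LAN allow rule that reaches a core service.

    Rules in other directions, deny rules, and rules that only reach
    non-directory services (e.g. SMTP to an internal mail host) are not reported.
    """
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        if rule.action != "allow" or rule.src_zone != "dmz" or rule.dst_zone != "lan":
            continue
        hits = exposed_services(rule)
        if hits:
            findings.append((line, hits))
    return findings


# Constructed sample ruleset: one minimal relay rule, then the kind of rule set
# that results from opening "all the ports" for a domain-joined DMZ host.
SAMPLE_RULESET = """\
# DMZ mail relay -> internal mail server, SMTP only
allow dmz lan 10.1.0.5 25/tcp
# DMZ front-end -> internal domain controller
allow dmz lan 10.1.0.10 88/tcp
allow dmz lan 10.1.0.10 389/tcp
allow dmz lan 10.1.0.10 445/tcp
allow dmz lan 10.1.0.10 1024-65535/tcp
# inbound from LAN to DMZ is a different risk and is not reported here
allow lan dmz 10.2.0.5 443/tcp
"""

if __name__ == "__main__":
    for line, services in audit(SAMPLE_RULESET.splitlines()):
        print(f"{line:45s} -> reaches {', '.join(services)}")
```

Run against the sample, the SMTP-only relay rule produces no finding, while each of the domain-controller rules is reported with the service it reaches; the wide high-port range is flagged because it covers the global catalog ports, which is the kind of rule that a "fix RPC to dynamic ports" recommendation quietly turns into unrestricted access.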