RE: Exchange2K/DMZ

From: Robert Schwartz (robert@mrsquirrel.com)
Date: 07/14/02


From: "Robert Schwartz" <robert@mrsquirrel.com>
To: <focus-ms@securityfocus.com>
Date: Sun, 14 Jul 2002 10:26:29 -0700

Many have recommended using a UNIX server with an SMTP server on it in
your DMZ to protect Exchange. This doesn't mean Exchange SMTP is
vulnerable to anything, but it is Defense in Depth and multiple layers
of security based on different vendor products. These are all Good
Things(tm).

Many of these same people then show how you need to open tons of holes
on your DMZ firewall. Most security policies call for "one well known
port coming in and one well known port going out". Why not use a UNIX
server with some Web Mail variant on it to "protect" Exchange here too?

OWA is way more dangerous than SMTP. I'd say the risk you accept by
putting a full-bore Front-End server with OWA on your DMZ is at least 10
times the risk for a Microsoft SMTP server on the DMZ with one
well-known port coming in and one well known port going out.

If you used something like http://www.squirrelmail.org/ then you get web
mail from a different vendor than your email servers and you get Defense
in Depth as there are multiple hosts and systems with extra defense on
the perimeter. There is one well known port (HTTPS) coming in, and one
well known port (IMAP) going out. The only functionality you lose is
that the proprietary MS calendaring can't be displayed this way.

> -----Original Message-----
> From: Nicole Tutt [mailto:Nicolet@meddata.com]
> Sent: Wednesday, July 10, 2002 3:46 PM
> To: focus-ms@securityfocus.com
> Subject: Exchange2K/DMZ
>
>
> The LAN Administrator set up an Exchange server and placed it
> inside the firewall - opening ports for SSL and SMTP to the
> Exchange box from the outside world. I want to move the
> Exchange services to the DMZ. I'm not that familiar with
> Exchange 2k specifically but am used to being able to split
> out services from mail servers (IE. put WebAccess and SMTP
> gateways) and place vulnerable items in the DMZ or if not
> place the whole Exchange server in the DMZ. The LAN admin is
> concerned because the Exchange server has to see the domain
> controller on the inside net. How have others handled this setup?
>
> Thanks in advance
> Nicole
>
>
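The "one well-known port in, one well-known port out" layout the reply describes, written out as a DMZ firewall policy. This is an added example and is not part of the original thread; the addresses, the `dmz_allows` and `emit_iptables` function names, and the use of iptables are all assumptions made here for illustration. The policy table has exactly four flows: HTTPS from anywhere to the webmail host, IMAP from the webmail host to the internal Exchange server, SMTP from anywhere to the DMZ relay, and SMTP from the relay to Exchange. Anything else (for example the DMZ webmail host trying to reach the internal domain controller) is denied by the default DROP policy.

```shell
#!/bin/sh
# Constructed example of the DMZ policy from the post. All addresses are
# placeholders (assumed), not values from the thread.
WEBMAIL_DMZ="192.0.2.10"     # SquirrelMail host in the DMZ (assumed address)
SMTP_RELAY_DMZ="192.0.2.25"  # UNIX SMTP relay in the DMZ (assumed address)
EXCHANGE_INT="10.0.0.5"      # Exchange server on the internal LAN (assumed address)

# Policy table, one flow per line: "src dst dport proto".
# "any" matches every source. Every flow not listed here is denied.
POLICY="
any $WEBMAIL_DMZ 443 tcp
$WEBMAIL_DMZ $EXCHANGE_INT 143 tcp
any $SMTP_RELAY_DMZ 25 tcp
$SMTP_RELAY_DMZ $EXCHANGE_INT 25 tcp
"

# dmz_allows SRC DST DPORT PROTO
# Returns 0 when the policy permits the flow, 1 otherwise (first match wins).
dmz_allows() {
    src=$1; dst=$2; dport=$3; proto=$4
    echo "$POLICY" | while read psrc pdst pport pproto; do
        # skip the blank line produced by the leading newline in POLICY
        if [ -z "$psrc" ]; then continue; fi
        if { [ "$psrc" = any ] || [ "$psrc" = "$src" ]; } \
           && [ "$pdst" = "$dst" ] \
           && [ "$pport" = "$dport" ] \
           && [ "$pproto" = "$proto" ]; then
            echo allow
            break
        fi
    done | grep -q allow
}

# emit_iptables
# Prints the iptables commands that implement the policy on the DMZ firewall
# (printed, not executed, so the script can be reviewed before use).
emit_iptables() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "$POLICY" | while read psrc pdst pport pproto; do
        if [ -z "$psrc" ]; then continue; fi
        srcopt=""
        if [ "$psrc" != any ]; then srcopt="-s $psrc "; fi
        echo "iptables -A FORWARD ${srcopt}-d $pdst -p $pproto --dport $pport -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# Usage: print the ruleset, then probe a couple of flows.
emit_iptables
if dmz_allows 203.0.113.7 "$WEBMAIL_DMZ" 443 tcp; then echo "inbound HTTPS to webmail: allowed"; fi
if ! dmz_allows "$WEBMAIL_DMZ" 10.0.0.2 389 tcp; then echo "webmail to internal LDAP: denied"; fi
```

The point of keeping the policy as a table rather than a hand-written chain is that the "one port in, one port out" rule is visible at a glance: adding a fifth line is a policy change that has to be justified, not a rule buried in a long script. Run the script with `sh` to review the generated commands; it never calls iptables itself.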