Re: E-Mail gateway on IIS.

From: Jitendra Kalyankar (jitendra.kalyankar_at_gmail.com)
Date: 06/14/05

    Date: Tue, 14 Jun 2005 02:07:30 -0400
    To: "Beauford, Jason" <jbeauford@eightinonepet.com>, BStrauss3@comcast.net, drolling@infovue.net, meni@kdm.co.il
    
    

    Thanks much guys! I will go with two separate boxes! Preferably with
    *nix as mentioned in one of the mails below...

    Sincerely,
    Jitendra Kalyankar

    On 6/13/05, Beauford, Jason <jbeauford@eightinonepet.com> wrote:
    > An issue I can think of is this:
    >
    > Say that Email gateway has a local quarantine, as does Brightmail, and
    > is using LDAP authentications for AD users to log on to their local
    > quarantine boxes. If the IIS server is compromised (very common
    > nowadays) then it would be trivial to capture those unencrypted LDAP
    > authentications and essentially the hacker would have valid AD usernames
    > and passwords.
    >
    > Also: Since it is an email gateway, (is this an Exchange backend?) then
    > it probably has relay permissions on your backend mail server. If IIS
    > is comp'd then it would be trivial for a hacker to use your Backend mail
    > server to relay mail.
    >
    > I can imagine a situation where your IIS is hijacked or modded to host
    > Phishing scams and your backend mail server is used to send out the
    > initial phishing emails. This of course would set off too many red
    > flags for it to be viable, but it is still possible.
    >
    > I'd put them on separate boxes with both boxes in the DMZ and a pinhole
    > for port 25. I'm sure you know not to make either a part of your Domain
    > (if you're in an AD environment).
    >
    > With regards to budgets: Figure out the cost of mitigating the risk
    > versus the cost of an intrusion where confidential corporate data is
    > stolen (a recent popular trend - Motorola, Citibank etc.). I'm sure the
    > cost of a separate server plus the cost of maintenance < the cost of the
    > intrusion.
    >
    > Just my $.02.
    >
    > JMB
    >
    > -----Original Message-----
    > From: Meni Milstein [mailto:meni@kdm.co.il]
    > Sent: Monday, June 13, 2005 1:04 PM
    > Cc: focus-ms@securityfocus.com
    > Subject: RE: E-Mail gateway on IIS.
    >
    >
    >
    >
    > You are looking at it from two perspectives. (or at least - you should
    > be).
    >
    > One machine is one point of attack - meaning if the machine is
    > successfully attacked then both services are down... as Burton implies.
    >
    > Two different machines are more costly to maintain and if you say that
    > you run both services on the same machine I assume that they have the
    > same OS... which means that securing them would just about be the same
    > Job (aside from securing the actual protocols themselves...)
    >
    > I would go with two separate machines if I had the budget... always
    > cooler to have at least 50% of services running in case of a real
    > attack. But I see no real issue that can arise from running the services
    > on one machine. Of course - this machine should be strong enough to
    > support both services. If your mail GW scans outgoing mails for viruses,
    > then I guess, depending on the size of your org, the server may need to
    > handle loads... in which case you should consider separating the
    > services.
    >
    > In terms of security - I see no problem.
    >
    > Good luck.
    >
    > Meni Milstein
    > http://www.lcs-guides.com
    >
    >
    >
    > -----Original Message-----
    > From: Burton Strauss [mailto:BStrauss3@comcast.net]
    > Sent: Monday, June 13, 2005 6:38 PM
    > To: 'Jitendra Kalyankar'; focus-ms@securityfocus.com
    > Subject: RE: E-Mail gateway on IIS.
    >
    > Two separate boxes are two separate points of attack. One box is a
    > single point, slightly more attractive to the bad guy.
    >
    > Two boxes mean both require the same OS patches and basic OS security
    > (hardening).
    >
    > Either way, each service needs to be secured individually.
    >
    > It might be less disruptive to be able to reboot separately, or it may
    > be easier to only need one reboot.
    >
    > Probably can go both ways depending on your personal preference.
    >
    >
    > -----Burton
    >
    >
    >
    > -----Original Message-----
    > From: Jitendra Kalyankar [mailto:jitendra.kalyankar@gmail.com]
    > Sent: Monday, June 13, 2005 6:27 AM
    > To: focus-ms@securityfocus.com
    > Subject: E-Mail gateway on IIS.
    >
    > MS Gurus -
    >
    > I have one question about the e-mail gateway. I am working with this
    > company where company has webserver as well as E-Mail gateway on the
    > same server. Let me know if this will create any security risks. In
    > other words is it recommended that you need to have separate webserver
    > and e-mail gateway servers.
    >
    > Any inputs on this are highly appreciated.
    >
    > --
    > Thanks,
    > Jitendra Kalyankar
    >

    -- 
    Thanks,
    Jitendra Kalyankar