Re: RE: Front End/Back End communication



Unless you're part of a large enterprise spread over different sites, you
have some simple, low cost options.

One thing you can do is put a mail relay, whether it's Qmail or Postfix,
on BSD or Linux, and stick that in your DMZ. Then, only open the SMTP
port into and out of your DMZ (lock down the rest) for traffic to pass to
your internal mail server. That opens up a much smaller hole for your
internal systems.

And your DMZ should be secured from both the outside world and your
internal network. That way, you limit the damage it can do.

Just one solution among many you can try...

Sincerely,

Bryan S. Sampsel
LibertyActivist.org


timpacalypse@xxxxxxxxx wrote:
I guess what I'm trying to do is get the most secure option with
what I have. I'm at the point now where I think no matter what I'm kinda
screwed unless I get ISA or something like it implemented. I'm under
the impression that IF someone does get past the external firewall
they'll be able to sniff for credentials/messages or whatever because the
FE/BE communicate via clear text. So if I secure the communication
between FE/BE via IPSEC then IF the front end server is compromised then
we're screwed once again.

So what's the better of my options? Someone suggested using m0n0wall
or another linux/bsd alternative for ISA.

Miha Pihler <Miha.Pihler@xxxxxx> wrote:
Hi,

The problem that I see in this scenario is that Front End needs to
communicate with Back End Exchange server and domain controllers in
LAN. Unfortunately this means that you have to open access from DMZ to
LAN to (at least) all domain controllers in the same Active Directory
Site that Exchange Front End is in -- unless you want to statically
specify which domain controllers Front End Server can connect to (not
recommended).

If you are thinking about IPSec policies in Windows then you have to
know that IPSec between client (e.g. your Front End Server) and domain
controller is not supported -- especially if you plan to use IPSec with
Kerberos authentication.

Things you can do:
- you can set up IPSec between Front End, Back End and domain
controller (but you are not supportable any more)
- you can fix ports that Exchange and Active Directory server(s) will
use and then open these ports from DMZ to LAN

Still one question remains... What is the DMZ's role in all this? It is
unfortunately not protecting LAN :-). Now if someone hacks your server
(for any reason) -- the attacker can simply use the IPSec connection to
gain access to Back End and Active Directory (and if you have IDS it
will not even see the attack). Depending on the attack options (did the
attacker get the domain admin permissions) he could simply run dcpromo
on this server and promote it to domain controller. Now you have a
domain controller in DMZ...

Mike
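The two designs discussed above (Bryan's SMTP relay in the DMZ with only port 25 opened in each direction, and Mike's point that an Exchange Front End in the DMZ needs far more than one port opened into the LAN) come down to what the DMZ firewall's rule set actually permits. The following is an added example, not code from anyone in this thread: a small first-match policy evaluator that encodes the relay design and then probes which LAN ports a DMZ host can reach. The addresses (RFC 5737/RFC 1918 ranges), the relay and mail-server hosts, and the port list are constructed for illustration.

```python
"""Model the segmented mail path from the thread: an SMTP relay in the DMZ,
port 25 opened between Internet, DMZ relay and internal mail server, and
every other DMZ-to-LAN flow (LDAP, Kerberos, RPC, SMB...) denied.
Added example; all addressing below is constructed, not from the thread."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample networks and hosts (hypothetical, for illustration only).
INTERNET = ipaddress.ip_network("0.0.0.0/0")
DMZ = ipaddress.ip_network("192.0.2.0/24")         # RFC 5737 documentation range
LAN = ipaddress.ip_network("10.0.0.0/8")
RELAY = ipaddress.ip_network("192.0.2.25/32")      # hypothetical Postfix/qmail relay
MAILSERVER = ipaddress.ip_network("10.0.0.25/32")  # hypothetical internal mail server


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"
    comment: str = ""

    def matches(self, src_ip, dst_ip, proto, dport):
        return (src_ip in self.src and dst_ip in self.dst
                and self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))


# First-match policy. Order matters: the explicit DMZ->LAN deny sits before the
# relay's outbound-to-Internet allow, because 0.0.0.0/0 also contains the LAN.
POLICY = [
    Rule(INTERNET, RELAY, "tcp", 25, "allow", "inbound SMTP terminates on the relay"),
    Rule(RELAY, MAILSERVER, "tcp", 25, "allow", "relay hands mail to the internal server"),
    Rule(MAILSERVER, RELAY, "tcp", 25, "allow", "internal server sends outbound mail via relay"),
    Rule(DMZ, LAN, "any", None, "deny", "DMZ initiates nothing else into the LAN"),
    Rule(RELAY, INTERNET, "tcp", 25, "allow", "relay delivers outbound mail"),
]


def evaluate(src, dst, proto, dport, policy=POLICY):
    """Return (action, comment) of the first matching rule, or the default deny."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for rule in policy:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action, rule.comment
    return "deny", "default deny"


def reachable_from_dmz(dmz_host, lan_host,
                       ports=(25, 88, 135, 389, 445, 3268), policy=POLICY):
    """Sorted list of TCP ports dmz_host may open to lan_host under the policy.
    The port list is a constructed sample of SMTP plus the AD-related ports a
    Front End would need; under the relay design only 25 should survive."""
    return sorted(p for p in ports
                  if evaluate(dmz_host, lan_host, "tcp", p, policy)[0] == "allow")


if __name__ == "__main__":
    flows = [
        ("203.0.113.7", "192.0.2.25", "tcp", 25),   # Internet -> relay SMTP
        ("203.0.113.7", "10.0.0.25", "tcp", 25),    # Internet -> LAN directly
        ("192.0.2.25", "10.0.0.25", "tcp", 25),     # relay -> internal mail server
        ("192.0.2.25", "10.0.0.10", "tcp", 389),    # compromised DMZ host -> LDAP
        ("192.0.2.25", "10.0.0.99", "tcp", 25),     # relay -> some other LAN host
    ]
    for f in flows:
        print(f, "->", evaluate(*f))
    print("LAN ports reachable from relay:", reachable_from_dmz("192.0.2.25", "10.0.0.25"))
```

Running the evaluator against a flow list is a cheap way to check a proposed rule set before touching the firewall: the one matching Mike's scenario (a DMZ host opening 389 or 88 into the LAN) is denied under the relay design, whereas a Front End design would need those ports explicitly allowed.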
