Re: Near and far dmz (is this model secure)

Date: 10/04/02

From: "Leonid Rosenboim" <MY_FIRST_NAME@CONSULTANT.COM>
Date: Fri, 4 Oct 2002 17:08:00 +0200

I think that your boss is right, the Exchange servers should be on the
Internal network.

I do not see however, how the creation of two DMZs will change things.
It might be a good idea if you had more services, say you were an
company, then I would advise putting some front-end servers on hosting
(that is your far-DMZ), that are allowed to talk to some back-end servers
in a (near) DMZ via VPN tunnel.

If this is mainly for mail however, you need to allow incoming SMTP
connections from the DMZ to the internal network, but you can
mitigate some of the risks involved if you also use an SMTP-aware
firewall between the DMZ and internal network, so even somebody
who has access to the DMZ won't be able to exploit any Exchange bug
to hack the internal server.

Once you have multiple services in your DMZ, it might be a good
idea to create a DMZ per service, and tightly control how those
different services are talking to each other. Look at the RN20
switch from, it might make
the idea of multiple DMZs more palatable (and affordable)

 - Leonid

"Christiaan Ehlers" <> wrote in message
> We have to secure our network, where we have a mail gateway (accepting
> connections from the outside) which forwards it to exchange servers. Now
> believe in a strict DMZ policy where there is NO connections from the
> outside or DMZ into the internal network.
> My manager disagrees because he says that he wants the exchange in the
> internal network and does not trust it on the DMZ (i can see his side of
> since the whole company's mail is on the exchange server)
> He proposed a scheme using a near and far DMZ. Basically the far-dmz
> traffic from the internet, near-dmz and internal network. The near-dmz
> allows connections from only the far-dmz and internal network. The
> network would ultimately only allow limited connections from the near-dmz.
> The last point I don't agree with I believe that the internal network
> not allow ANY incoming connections... Am I being too paranoid? Is this
> model a trusted way of doing things? Is there a way that the top described
> exchange setup can be made secure?
> They are also planning extra servers like rass server that might need
> to the internal network, I guess it is better having stuff like this sit
> a near dmz than on the internal network
> any comments suggestions will help
> regards
> christiaan ehlers
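As an added illustration (not part of the original thread, and not anyone's production ruleset), the following Python encodes the near/far DMZ scheme described above as a zone policy and lets you audit it: which connections may be initiated, and exactly which rules expose the internal network. The address ranges, host addresses and rule table are constructed assumptions modelled on the post (a mail gateway in the far DMZ, a relay in the near DMZ, Exchange inside). The `smtp_command_ok` check stands in for the "SMTP-aware firewall" idea: the one flow allowed into the internal network is further restricted to well-formed SMTP command lines, so a compromised DMZ host cannot push arbitrary bytes at Exchange.

```python
"""Zone-policy model for a near/far DMZ layout (added example, not from the thread).

Allowed flows, modelled on the scheme in the post (default deny otherwise):
  internet -> far-dmz    SMTP to the mail gateway only
  far-dmz  -> near-dmz   SMTP from the gateway to the relay only
  near-dmz -> internal   SMTP from the relay only  (the single inbound hole)
  internal -> near-dmz, far-dmz, internet  (management, outbound mail)
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

SMTP = 25

# Constructed address plan using documentation ranges; not the poster's real network.
ZONES = {
    "far-dmz": ip_network("192.0.2.0/24"),
    "near-dmz": ip_network("198.51.100.0/24"),
    "internal": ip_network("10.0.0.0/8"),
}
MAIL_GATEWAY = ip_address("192.0.2.25")   # far-DMZ host that accepts mail from the Internet
MAIL_RELAY = ip_address("198.51.100.25")  # near-DMZ hop that hands mail to Exchange


def zone_of(addr: IPv4Address) -> str:
    """Map an address to its zone; anything outside the three inside ranges is the Internet."""
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dport: Optional[int] = None             # None = any TCP port
    src_host: Optional[IPv4Address] = None  # None = any host in src_zone
    dst_host: Optional[IPv4Address] = None  # None = any host in dst_zone

    def matches(self, src: IPv4Address, dst: IPv4Address, dport: int) -> bool:
        return (zone_of(src) == self.src_zone and zone_of(dst) == self.dst_zone
                and self.dport in (None, dport)
                and self.src_host in (None, src)
                and self.dst_host in (None, dst))


# First-match, stateful policy: only connection *initiation* is listed; replies are implied.
POLICY = [
    Rule("internet", "far-dmz", SMTP, dst_host=MAIL_GATEWAY),
    Rule("far-dmz", "near-dmz", SMTP, src_host=MAIL_GATEWAY, dst_host=MAIL_RELAY),
    Rule("near-dmz", "internal", SMTP, src_host=MAIL_RELAY),
    Rule("internal", "near-dmz"),
    Rule("internal", "far-dmz"),
    Rule("internal", "internet"),
]


def is_allowed(src: str, dst: str, dport: int, policy=POLICY) -> bool:
    """Would a new TCP connection src -> dst:dport be permitted? Anything unmatched is denied."""
    s, d = ip_address(src), ip_address(dst)
    return any(r.matches(s, d, dport) for r in policy)


def internal_exposure(policy=POLICY) -> list:
    """Audit helper: every rule that lets a connection be initiated into the internal zone.

    This is the list to argue over: an empty list is the strict model from the
    question; the near/far scheme yields exactly one entry, pinned to one host and port.
    """
    return [r for r in policy if r.dst_zone == "internal"]


# Application-layer check standing in for an SMTP-aware firewall on the
# near-dmz -> internal hop. It only covers the command phase (not the DATA body):
# the line must end in CRLF, stay within the RFC 2821 limit, and start with a known verb.
SMTP_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
MAX_LINE = 512  # RFC 2821 command-line limit, CRLF included


def smtp_command_ok(line: bytes) -> bool:
    if len(line) > MAX_LINE or not line.endswith(b"\r\n"):
        return False
    verb = line[:-2].split(b" ", 1)[0]
    return verb.decode("ascii", "replace").upper() in SMTP_VERBS


if __name__ == "__main__":
    for r in internal_exposure():
        print("inbound to internal:", r)
    print(is_allowed("203.0.113.7", "192.0.2.25", SMTP))   # Internet -> gateway: allowed
    print(is_allowed("192.0.2.25", "10.0.0.5", SMTP))      # far-dmz -> internal: denied
    print(smtp_command_ok(b"EHLO mail.example.com\r\n"))  # well-formed command: accepted
```

The point of `internal_exposure` is that the disagreement in the thread reduces to the length of that list: the strict model wants it empty, the manager's model accepts one entry, and the SMTP-level check is what makes that single entry tolerable.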