Re: Exchange server in DMZ, not FE server. Is this ever ok?



"S. Pidgorny <MVP>" <slavickp@xxxxxxxxx> wrote in message
news:evtKebBrHHA.4180@xxxxxxxxxxxxxxxxxxxxxxx
Do some threat modeling: what will happen if the firewall passes all
traffic? It will turn out that it doesn't add value in terms of security
at all.


If I hear you as saying that having a firewall present is without value,
then I would have to suggest that is really not so.
Under the assumptions of a completely well-configured W2k3,
and of no unpatched exploitable flaws, that is so. Those are,
however, large assumptions, especially considering "average"
admin skill level and time to configure and patch.
On the other hand, I will admit that Windows 2k3 can be
configured to be pretty darn resistant to exposure to the internet
(but this poster has a DC/Exchange server - different story).

Roger

"Shads79" <wayne.meehan@xxxxxxxxxxxxxxx> wrote in message
news:1181533757.227318.121760@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I've just started with a new company and their setup isn't like
anything I've dealt with before, and goes against what I consider best
practice. Here's how the network is laid out:

1 Exchange 2003/AD server, with Mail Marshall on the same box. Two
NICs - one for the internal network, and the other for the DMZ. The
NICs are on two different IP subnets, one for the internal network and
the other for the DMZ. There is a firewall that provides VPN access
and splits the network into the internal and DMZ segments.

Having the Exchange/AD server in the DMZ seems like madness to me; the
fact that it's on a different subnet seems almost meaningless in terms
of security. The reason it's been done like that, I think, is to
provide access to OWA.

Before I make any suggestions around what to do, I wanted to gather
some feedback on whether this is an acceptable solution. Your
thoughts and comments are welcome...

Thanks
Wayne
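As an added illustration (not from any poster in this thread) of the threat-modeling question raised above, the toy Python model below compares the dual-homed Exchange/AD layout Wayne describes with a hypothetical single-homed OWA front end, and asks what changes when the firewall passes all traffic. Host names, subnets and rules are constructed sample data.

```python
# Toy reachability model of the layouts discussed in this thread.
# Hosts map to the subnets their NICs sit on; firewall rules are the
# (src_subnet, dst_subnet) pairs the firewall forwards. All sample data
# here is constructed for illustration.
SUBNETS = {"internet", "dmz", "internal"}

# Wayne's layout: one Exchange 2003/AD box with a NIC in the DMZ and a
# NIC on the internal subnet, plus an ordinary internal workstation.
DUAL_HOMED = {
    "exchange-ad": {"dmz", "internal"},
    "workstation": {"internal"},
}

# Comparison layout (hypothetical): a single-homed OWA front end in the
# DMZ, with the mailbox/DC box only on the internal subnet.
FRONT_END = {
    "owa-frontend": {"dmz"},
    "exchange-ad": {"internal"},
    "workstation": {"internal"},
}

STRICT = {("internet", "dmz")}  # firewall forwards Internet -> DMZ only
# Pidgorny's thought experiment: the firewall passes everything.
ALLOW_ALL = {(s, d) for s in SUBNETS for d in SUBNETS if s != d}


def reachable_subnets(hosts, compromised, rules):
    """Subnets an attacker holding `compromised` hosts can put packets on.
    A compromised host reaches its own subnets with no firewall in the
    path; other subnets are reached only through a permitted rule."""
    reached = {"internet"} | {s for h in compromised for s in hosts[h]}
    while True:
        step = {d for s, d in rules if s in reached and d not in reached}
        if not step:
            return reached
        reached |= step


def exposed_hosts(hosts, compromised, rules):
    """Hosts with at least one NIC on a subnet the attacker can reach."""
    subnets = reachable_subnets(hosts, compromised, rules)
    return {h for h, nics in hosts.items() if nics & subnets}


def firewall_matters(hosts, compromised):
    """True if tightening the firewall from allow-all to STRICT shrinks
    the exposure; False means the firewall adds nothing in this layout."""
    return (exposed_hosts(hosts, compromised, STRICT)
            != exposed_hosts(hosts, compromised, ALLOW_ALL))
```

With the dual-homed box as the foothold, `firewall_matters(DUAL_HOMED, {"exchange-ad"})` is False because the internal subnet is reached over the second NIC with no firewall in the path, whereas for the front-end layout the same check is True.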
