Re: need advice on security scenarios
From: Joey Paisan (jpaisan@hotmail.com)
Date: 04/17/03
- Next message: Joey Paisan: "Re: need advice on security scenarios"
- Previous message: John Lambert[MSFT]: "Access Denied (My Documents)"
- In reply to: Not Much: "need advice on security scenarios"
- Next in thread: Joey Paisan: "Re: need advice on security scenarios"
- Reply: Joey Paisan: "Re: need advice on security scenarios"
- Reply: Joey Paisan: "Re: need advice on security scenarios"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Joey Paisan" <jpaisan@hotmail.com>
Date: Wed, 16 Apr 2003 21:56:04 -0700
Using Microsoft for your security mechanisms is like driving without
insurance - you can do it, but why would you want to?
You can get a Watchguard or Sonicwall firewall with a dedicated DMZ
interface for about $1500. You can also get a PIX (515e) or Netscreen that
will give you a dedicated DMZ interface for about $2,700. If you're already
comfortable with the PIX commands, it might be worth it to spend the extra
dineros and go for a PIX, if for no other reason than a negligible learning
curve. There are pros and cons to each vendor's offering, but all four are
decent and debating the merits of firewalls is for those with way too much
time on their hands.
The best security scenario for placing the concentrator in relation to the
PIX? That is a hotly debated topic and in my humble opinion, it depends on
your requirements. For example, if you were only doing site-to-site
tunnels, I'd say you'd want to hang the public i/f of the concentrator off
the DMZ of your firewall and the private i/f directly on your corporate net.
That way your ACL on your outside i/f could restrict access to just your
peer sites. However, given the scenario you've presented in which you need
to do both site-to-site and remote access for users, you'd probably want to
have the public i/f of the concentrator on the dirty side of the firewall
and bring the private i/f of the concentrator into the DMZ i/f of the
firewall.
Hope that helps. Best of luck.
JP
"Not Much" <imanidiot111@hotmail.com> wrote in message
news:16b0ecc6.0304140907.56a95915@posting.google.com...
> I'm currently migrating an exchange 5.5 on nt 4 box to exchange
> 2000(on win 2000) in our windows 2000 domain. a pix 501 blocks all
> traffic except SMTP, POP3, and HTTP(for OWA) to the exchange 5.5 box.
> However, I am looking at a better security model for when I move to
> exchange 2000. we have about 200 users.
>
> Here's what I've considered doing.
>
> 1) Purchasing a newer firewall with a DMZ interface. The 501 was great
> for when my company was a lot smaller, and functionally it still works
> pretty well, but it has only an inside and outside interface.
>
> 2) purchasing ISA server for the DMZ. I also have need of a proxy to
> track internet usage, so this would help there as well. I don't need
> VPN though because I already have a Cisco 3000 series concentrator.
>
> I know I don't trust any microsoft product as my ONLY firewall. But
> ISA seems to be geared to help with securing OWA and also i need a
> proxy anyways.
>
> Is this a good way to go to secure exchange 2000/OWA? With the
> exception of the VPN concentrator, we don't run any other servers(web
> or otherwise) internally ,that require access from the outside, so
> this is just about the only traffic that comes in right now(SMTP,
> HTTP, and POP3). Should OWA be deployed in the DMZ? should SMTP/POP3
> be relayed from FE in the DMZ to the BE?
>
> Also, on a separate but related note, what's the best security
> scenario for the VPN concentrator. The concentrator services a
> handful of clients, and also has one LAN to LAN connection for a
> small branch office.
>
> Right now, the concentrator is internal, and I have the IPSEC ports
> forwarded by the PIX to the concentrator. Authentication is done on
> the VPN concentrator. If I go with the above scenario, I'm assuming I
> should move the concentrator to the DMZ - this seems to be common
> sense considering even though only a few people use VPN I am concerned
> with their home pc's being compromised and having carte blanche access
> to the network. This way I can filter what the VPN clients have access
> to, but I am concerned with how they can access resources in the
> domain. Also, what are some recommended ways to authenticate? Should
> authentication be tied into the 2000 domain?
>
> Also, in a final issue, the company purchased a software product that
> uses MS SQL server 2000. With the product came a web based component
> that can be added to our company web site, so that customers can
> access some items on the SQL server. Because we don't host our web
> site here(it's with an external web hosting company), this component
> would require me to open and forward the SQL port to our internal SQL
> server(i could, of course, block it so that only the external web
> server IP has access to that port, but there's still the chance of
> spoofing). I'm not too comfortable with doing this. Any ideas on a
> way to secure this scenario? I've considered moving the web site to be
> hosted here instead of the web hosting company. That might help
> security-wise.
>
> My strengths are with TCP/IP filtering (ACLs), but I'm a little green
> when it comes to web serving/DMZ security. I know most TCP ports like
> the back of my hand (I'm a CCNP and I'm best with routing/switching),
> but I am quite confused when it comes to all this FE/BE DMZ stuff.
>
> Any advice or books you can recommend would be appreciated.
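As an added illustration of the site-to-site placement JP describes above (concentrator public i/f hanging off the firewall's DMZ, outside ACL restricted to just the peer sites), here is a PIX 6.x-style configuration sketch. It is not from this thread or from Cisco's documentation; the interface names, the addresses (RFC 5737 documentation ranges) and the single peer-site address are constructed placeholders, and it covers only the site-to-site case, not the mixed remote-access layout JP recommends for the original poster.

```cisco
! Added example, not from the thread. All addresses are constructed
! RFC 5737 placeholders. Interfaces: outside (dirty side), dmz (where the
! concentrator's public i/f lives), inside (corporate net, where the
! concentrator's private i/f plugs in directly, bypassing the firewall).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 198.51.100.2 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
!
! Publish the concentrator's public i/f (172.16.1.5 on the DMZ) one-to-one
! on the outside as 198.51.100.5, so peer sites have a fixed address to hit.
static (dmz,outside) 198.51.100.5 172.16.1.5 netmask 255.255.255.255
!
! Outside ACL: only the known peer site (203.0.113.10, placeholder) may
! reach the concentrator, and only with IKE (UDP/500) and ESP (protocol 50).
! Anything else inbound is dropped and logged, so an IKE probe from an
! unknown source shows up in the PIX syslog instead of at the concentrator.
access-list outside_in permit udp host 203.0.113.10 host 198.51.100.5 eq isakmp
access-list outside_in permit esp host 203.0.113.10 host 198.51.100.5
access-list outside_in deny ip any any log
access-group outside_in in interface outside
!
! DMZ ACL: the concentrator's public side has no business initiating
! traffic into the corporate net through the firewall (its private i/f
! is already on the inside), so a compromised DMZ host cannot pivot
! that way. Log the attempt, allow only outbound toward the Internet.
access-list dmz_in deny ip 172.16.1.0 255.255.255.0 10.0.0.0 255.255.255.0 log
access-list dmz_in permit ip 172.16.1.0 255.255.255.0 any
access-group dmz_in in interface dmz
```

Adding a second peer site is one more `permit udp ... eq isakmp` and one more `permit esp` line per peer; the trailing `deny ip any any log` is what turns the outside ACL into the detection point JP is getting at, since every non-peer hit on the concentrator's public address is logged rather than silently answered.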