Webserver on a DMZ still needed?

["Davie Elliott - Eluse" <delliott () eluse co uk>]

Hi all,

I have been working as a systems admin for a charity for about 3 years, I
have no schooling in network I have learnt everything myself. During my
research I read that servers with public services should be put on a
separate subnet which is used as a DMZ (such as POP3, SMTP, webserver ect).

Recently I have left that charity and a network company is taking over the
administration, and they want to put the Exchange (email) server on the
trusted network subnet (the network has a smoothwall firewall, so there are
literally 2 separate networks). My question is this: does the Exchange
server definatly, need to be put in the DMZ? Or should Microsoft have
patched all the vulnerabilities by now? There isn't any other software on
the server, such as forums which I see have vulnerabilities found just about
ever day.

Secondly, if the Exchange server is on the DMZ subnet, how do you get it to
interact securely with the Domain Controller on the secure subnet? When I
built the network, I made the Exchange server its own Domain Controller.

Thanks for your advice,

Davie Elliott



---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------