Security Basics mailing list archives
RE: Webserver on a DMZ still needed?
From: "Robert D. Holtz - Lists" <robert.d.holtz () gmail com>
Date: Tue, 5 Sep 2006 15:17:30 -0500
Your suggestion of placing the server behind the firewall and opening up SSH and SMTP is ideal. We used static NAT mappings to make the OWA visible to the outside world. I did this exact setup for a charity and it worked fine.

As for the front end recommendation this does add some complexity but if the charity is a 501(c) they can get MS licenses for pennies on the dollar. Another Windows and an Exchange server license were < $50.00 from what I recall. I would still place the front end box behind a firewall too.

-----Original Message-----
From: Peter Marshall [mailto:Peter.Marshall () gtsi com]
Sent: Tuesday, September 05, 2006 11:32 AM
To: Davie Elliott - Eluse; security-basics () securityfocus com
Subject: RE: Webserver on a DMZ still needed?

It is still recommended to have your exchange box (and any other outward accessible services) hosted in a DMZ to prevent access to the internal segment if they are compromised. If you do put the exchange box in the DMZ, however, you need to open up a bunch of ports to allow the exchange box to query the global catalog, perform authentication, etc. which, to a certain degree, removes the safety added by having it in the DMZ in the first place.

MS recommends using front end/back end exchange servers coupled with an ISA server to do it by the book but this is expensive and complicated for a small/mid sized organization. Many small/mids simply place the exchange server on the inside and only open up tcp 25 (SMTP) and TCP 443 (HTTPS for OWA) to that box.

In your instance, since the exchange box is also a DC, I would not recommend putting it into the DMZ. Technically, you should split those roles for performance and security but again, budget is sometimes more important than doing everything by the book.

Cheers,

-----Original Message-----
From: Davie Elliott - Eluse [mailto:delliott () eluse co uk]
Sent: Sunday, September 03, 2006 7:43 AM
To: security-basics () securityfocus com
Subject: Webserver on a DMZ still needed?
Hi all,

I have been working as a systems admin for a charity for about 3 years. I have no schooling in networking; I have learnt everything myself. During my research I read that servers with public services should be put on a separate subnet which is used as a DMZ (such as POP3, SMTP, webserver etc.).

Recently I have left that charity and a network company is taking over the administration, and they want to put the Exchange (email) server on the trusted network subnet (the network has a Smoothwall firewall, so there are literally 2 separate networks).

My question is this: does the Exchange server definitely need to be put in the DMZ? Or should Microsoft have patched all the vulnerabilities by now? There isn't any other software on the server, such as forums which I see have vulnerabilities found just about every day.

Secondly, if the Exchange server is on the DMZ subnet, how do you get it to interact securely with the Domain Controller on the secure subnet? When I built the network, I made the Exchange server its own Domain Controller.

Thanks for your advice,
Davie Elliott

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
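Added example, not part of the original posts: a small model of the trade-off Peter Marshall describes, comparing what a compromised Exchange host can reach on the internal segment when it sits in the DMZ versus on the inside. The host names, the separate domain controller, and the port list (an illustrative subset of what Active Directory needs, protocol omitted) are assumptions made for the sketch.

```python
# Constructed topology for illustration; not taken from any poster's network.
ANY = "any"  # same segment: the perimeter firewall never sees this traffic

# Illustrative subset of ports a DMZ Exchange host needs to reach a DC/GC:
# DNS, Kerberos, RPC endpoint mapper, LDAP, SMB, global catalog.
AD_PORTS = {53, 88, 135, 389, 445, 3268}


def design(exchange_zone):
    """Return (hosts, rules) for one placement of the Exchange box."""
    hosts = {"exchange": exchange_zone, "dc": "lan",
             "fileserver": "lan", "workstation": "lan"}
    # Inbound from the internet: only SMTP and HTTPS (OWA) to Exchange.
    rules = [("internet", "exchange", port) for port in (25, 443)]
    if exchange_zone == "dmz":
        # Pinholes from the DMZ host back to the domain controller.
        rules += [("exchange", "dc", port) for port in sorted(AD_PORTS)]
    return hosts, rules


def internet_facing(rules):
    """(host, port) pairs exposed to the outside world."""
    return sorted((dst, port) for src, dst, port in rules if src == "internet")


def exposure(compromised, hosts, rules):
    """Map each LAN host to what `compromised` can reach on it."""
    reach = {}
    for host, zone in hosts.items():
        if host == compromised or zone != "lan":
            continue
        if hosts[compromised] == zone:
            reach[host] = ANY  # no firewall between hosts on one segment
        else:
            ports = {p for s, d, p in rules if s == compromised and d == host}
            if ports:
                reach[host] = ports
    return reach


if __name__ == "__main__":
    for zone in ("dmz", "lan"):
        hosts, rules = design(zone)
        print(zone, internet_facing(rules), exposure("exchange", hosts, rules))
```

Both placements expose the same two ports to the internet; the difference is what sits behind the mail server once it is compromised: a set of directory ports on one host in the DMZ case, every host on the segment in the inside case.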
Current thread:
- Webserver on a DMZ still needed? Davie Elliott - Eluse (Sep 05)
- RE: Webserver on a DMZ still needed? Peter Marshall (Sep 05)
- RE: Webserver on a DMZ still needed? Robert D. Holtz - Lists (Sep 05)
- RE: Webserver on a DMZ still needed? Murda Mcloud (Sep 06)
- RE: Webserver on a DMZ still needed? Steve Armstrong (Sep 06)
- Re: Webserver on a DMZ still needed? Micheal Espinola Jr (Sep 07)
- Re: Webserver on a DMZ still needed? MandommGmail (Sep 05)
- Re: Webserver on a DMZ still needed? irado furioso com tudo (Sep 05)
- Re: Webserver on a DMZ still needed? MaddHatter (Sep 06)
- <Possible follow-ups>
- RE: Webserver on a DMZ still needed? Verma, Neeraj K (Sep 05)
- Re: Webserver on a DMZ still needed? lexnlondon (Sep 05)
- Re: RE: Webserver on a DMZ still needed? vikas . leekha (Sep 06)
- RE: Webserver on a DMZ still needed? Peter Marshall (Sep 05)