Security Basics mailing list archives

RE: Webserver on a DMZ still needed?


From: "Steve Armstrong" <stevearmstrong () logicallysecure com>
Date: Wed, 6 Sep 2006 20:54:49 +0100

The problem with books is they do not understand (nor care) about your
infrastructure.

The cost aspect of an 'ideal' solution must be considered against the
gain and the numbers of users.  Your email suggests the network is not
supporting many clients, so I doubt the value of having split DMZ and
internal services.  The licences and support costs to create this
infrastructure are probably too much (exchange x 2, ISA x 1 and server x
3!).

Certainly your suggestion to have an email server in a DMZ but still have
it as a DC is confusing and scary.  Servers are placed in DMZs so they
are isolated from the internal LAN; to have it functioning as the
internal LAN DC undermines the purpose and renders your DMZ useless.
Small configurations like the one your new provider suggests (certainly
by suggesting a free firewall - smoothwall) would probably benefit from
having the exchange server on the internal LAN with only the smtp ports
open (with smtp banners removed).

I would recommend having the exchange server in its own domain or not as
a DC.  I would ensure the smoothwall has the snort engine updated and
suggest that the Guardian IPS is added to the smoothy and that AV
software is integrated into the smoothy too.

With good port configuration on the smoothy - via the "full firewall
control" mod you can limit external access and dmz access to key servers
without impacting performance or security.

I have used all of the mentioned mods with the exception of the AV mod
(I like to examine viruses!).  The ones I used are listed here
http://www.logicallysecure.com/forum/viewtopic.php?t=42 and the AV and
content monitoring mod is here
http://community.smoothwall.org/forum/viewtopic.php?t=8488.

Steve A
-------------------------------------------------
Check out our new UK IT Security forum www.logicallysecure.com/forum 


-----Original Message-----
From: Murda Mcloud [mailto:murdamcloud () bigpond com] 
Sent: 06 September 2006 00:17
To: security-basics () securityfocus com
Subject: RE: Webserver on a DMZ still needed?


Talking of the financial cost of setup by the book vs the security cost
of not having it setup by the book, does anyone have links or ideas on
how to actually quantify this particular setup?

I understand the basic equation of risk = threat x vulnerability x cost,
but are there any concrete examples that have figures for how vulnerable
an exchange server in a DMZ (or on the LAN, for that matter) is in the
real world? Magic numbers I know, but in our SME that kind of thing
makes a big impact when seeking approval for acquisitions/planning etc.
I don't really want to make up numbers here.

Also, if anyone could point me to a costing whitepaper for exchange for
50-100 seats, i.e. initial setup + maintenance costs (which usually
outweigh the former by far), that would be great.

-----Original Message-----
From: Peter Marshall [mailto:Peter.Marshall () gtsi com]
Sent: Wednesday, September 06, 2006 2:32 AM
To: Davie Elliott - Eluse; security-basics () securityfocus com
Subject: RE: Webserver on a DMZ still needed?

It is still recommended to have your exchange box (and any other outward
accessible services) hosted in a DMZ to prevent access to the internal
segment if they are compromised.  If you do put the exchange box in the
DMZ, however, you need to open up a bunch of ports to allow the exchange
box to query the global catalog, perform authentication, etc., which, to
a certain degree, removes the safety added by having it in the DMZ in
the first place.  MS recommends using front end/back end exchange
servers coupled with an ISA server to do it by the book, but this is
expensive and complicated for a small/mid-sized organization.  Many
small/mids simply place the exchange server on the inside and only open
up TCP 25 (SMTP) and TCP 443 (HTTPS for OWA) to that box.

In your instance, since the exchange box is also a DC, I would not
recommend putting it into the DMZ.  Technically, you should split those
roles for performance and security but again, budget is sometimes more
important than doing everything by the book.


Cheers, 
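The layout both Steve and Peter end up recommending (Exchange on the trusted LAN, with the firewall forwarding only TCP 25 and TCP 443 from the Internet to that one host) expressed as a rule set. This is an added example, not something posted in the thread and not Smoothwall's own configuration: it uses plain iptables, the addresses and interface names are constructed placeholders, and the helper names (`inbound_rules`, `wan_allows`, `wan_accept_count`) are invented for the example. By default it prints the commands rather than applying them; set `IPT=iptables` and run as root to apply.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal iptables FORWARD policy for
# the "Exchange on the inside, only TCP 25 and 443 open" layout.
# All addresses and interface names below are constructed placeholders.

MAIL_SERVER="192.0.2.10"   # constructed: internal Exchange/OWA host
WAN_IF="eth0"              # constructed: Internet-facing interface
LAN_IF="eth1"              # constructed: trusted LAN interface

# IPT defaults to printing the commands; run with IPT=iptables as root to apply.
IPT="${IPT:-echo iptables}"

# Emit the rules: default-deny forwarding, allow return traffic for
# established sessions, then permit only NEW SMTP and HTTPS connections
# from the WAN to the mail server; log and drop everything else from the WAN.
inbound_rules() {
  $IPT -P FORWARD DROP
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$MAIL_SERVER" \
       -p tcp --dport 25 -m state --state NEW -j ACCEPT
  $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$MAIL_SERVER" \
       -p tcp --dport 443 -m state --state NEW -j ACCEPT
  $IPT -A FORWARD -i "$WAN_IF" -j LOG --log-prefix "WAN-drop: "
  $IPT -A FORWARD -i "$WAN_IF" -j DROP
}

# Policy check: should a NEW TCP connection from the WAN to <dst_ip> <port>
# be accepted under this rule set?  Returns 0 (yes) or 1 (no).
wan_allows() {
  [ "$1" = "$MAIL_SERVER" ] || return 1
  case "$2" in
    25|443) return 0 ;;
    *)      return 1 ;;
  esac
}

# Count the ACCEPT rules exposed to the WAN.  Two here; the DMZ-hosted
# variant the thread discusses needs many more (GC, authentication, etc.),
# which is the trade-off Peter describes.
wan_accept_count() {
  inbound_rules | grep -c -- "-i $WAN_IF.*-j ACCEPT"
}

inbound_rules
```

The LOG rule before the final DROP is what gives the Smoothwall/Snort side something to work with: every rejected WAN connection attempt shows up in the kernel log with the `WAN-drop:` prefix, so probing against anything other than 25/443 on the mail server is visible without needing the full IDS.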

-----Original Message-----
From: Davie Elliott - Eluse [mailto:delliott () eluse co uk]
Sent: Sunday, September 03, 2006 7:43 AM
To: security-basics () securityfocus com
Subject: Webserver on a DMZ still needed?

Hi all,

I have been working as a systems admin for a charity for about 3 years.
I have no schooling in networking; I have learnt everything myself. During
my research I read that servers with public services should be put on a
separate subnet which is used as a DMZ (such as POP3, SMTP, webserver
etc.).

Recently I have left that charity and a network company is taking over
the administration, and they want to put the Exchange (email) server on
the trusted network subnet (the network has a smoothwall firewall, so
there are literally 2 separate networks). My question is this: does the
Exchange server definitely need to be put in the DMZ? Or should
Microsoft have patched all the vulnerabilities by now? There isn't any
other software on the server, such as forums, which I see have
vulnerabilities found just about every day.

Secondly, if the Exchange server is on the DMZ subnet, how do you get it
to interact securely with the Domain Controller on the secure subnet?
When I built the network, I made the Exchange server its own Domain
Controller.

Thanks for your advice,

Davie Elliott



---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has
designated Norwich University a center of Academic Excellence in
Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting
experience. 
Using interactive e-Learning technology, you can earn this esteemed
degree, without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------