Firewall Wizards mailing list archives

Re: (no subject)


From: "Paul D. Robertson" <proberts () patriot net>
Date: Sun, 24 Nov 2002 18:27:42 -0500 (EST)

On Fri, 22 Nov 2002, Dean Pullen wrote:

> Hi guys,
> 
> I've basically been told that we require an Exchange
> system operated within our DMZ setup. After much

Well, you're going to get flack for that here- so let's ask the question 
more carefully- have you been told you require SMTP services in your DMZ, 
or explicitly an Exchange server?  If explicitly, what's the rationale?

Most of us on this list would be extremely wary of even exposing just the 
IMC component of Exchange to the raw Internet.  I can only think of two 
large well-staffed companies that might do that off the top of my head, 
and one of those would be Microsoft.

> reading I've decided to go for a front-end, back-end
> Exchange system, with the Exchange front-end in the DMZ
> and the back-end in the LAN. However, even though I've
> opened up all the ports specified in MS' white papers
> between the DMZ and LAN, I cannot connect to the
> domain/active directory from the Front-End server. How

Exposing your domain controller or active directory server to a machine in 
the DMZ is probably less than optimal from a security perspective.  Once 
again, you're best off outlining the basic requirements and finding tools 
that fit the job, rather than trying to fit specific tools to a particular 
job.

> do I go about this? I mean all I am trying at the
> moment is to connect to our internal Domain by
> accessing the network ID in the My Computer properties
> and trying typing in the Domain. Do I have to do
> anything else?! Sorry for my amateurishness(!) but
> we're a small firm and cannot afford a fully-fledged
> exchange specialist, thus I'm doing it!

IMO, all the more reason to go back to the initial requirements and look 
into architectural solutions that provide separation between the public 
facing side of your equipment and your core internal infrastructure.

We place machines on the DMZ because their increased exposure makes 
them more likely to be compromised.  If we then connect them to core 
infrastructure like authentication servers, we're increasing the exposure 
to that infrastructure.  That's something that should only be done with 
extreme care and a full understanding of the risks.  

You're getting a lot of "Why Exchange?" questions because people are 
concerned that you're going to expose a lot more than you absolutely 
*need* to expose by going down that path.  If you don't have strong 
Exchange expertise, it makes us all a lot more nervous- it's like you're 
standing there with a knife asking "What's the best way to cut off my 
finger?"  We all want to be *really* sure you've got no other alternative 
to cutting off your finger.  It'll impair your typing and all that...  

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
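The exposure argument above (a DMZ host that is joined to the internal domain drags the directory infrastructure into the DMZ's risk) can be made concrete with a small policy audit. The following is an added example and is not part of the original message or from any product named in it: it parses a constructed zone-based rule list under first-match semantics and reports which directory services a DMZ host can reach in the LAN. The rule text format, the zone names "DMZ" and "LAN", the two sample policies and the helper names (`parse_rules`, `exposed_services`, `exposure_report`) are all assumptions made for this example; the port table is the set of well-known Active Directory service ports a domain member uses.

```python
"""Audit a zone-based firewall policy for core directory services reachable from the DMZ.

Added example, not from the thread. The rule text format, the zone names "DMZ" and
"LAN", and both sample policies are constructed for illustration; the port table
is the set of well-known Active Directory service ports a domain-joined host uses.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Well-known ports a domain member needs to reach a domain controller.
DIRECTORY_SERVICE_PORTS = {
    ("tcp", 88): "Kerberos",
    ("udp", 88): "Kerberos",
    ("tcp", 135): "RPC endpoint mapper",
    ("tcp", 389): "LDAP",
    ("udp", 389): "CLDAP",
    ("tcp", 445): "SMB",
    ("tcp", 464): "Kerberos password change",
    ("tcp", 636): "LDAPS",
    ("tcp", 3268): "Global Catalog",
    ("tcp", 3269): "Global Catalog (TLS)",
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # None means any port
    action: str           # "allow" or "deny"

    def matches(self, src: str, dst: str, proto: str, port: int) -> bool:
        return (self.src_zone == src and self.dst_zone == dst
                and self.proto in ("any", proto)
                and self.port in (None, port))


def parse_rules(text: str) -> List[Rule]:
    """Parse 'src dst proto port action' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, proto, port, action = line.split()
        rules.append(Rule(src, dst, proto.lower(),
                          None if port == "any" else int(port), action.lower()))
    return rules


def exposed_services(rules: List[Rule], src="DMZ", dst="LAN") -> List[Tuple[str, int, str]]:
    """Directory services an allow rule lets src reach in dst, under first-match semantics.

    A (proto, port) is exposed when the first rule matching it is an allow; with no
    matching rule at all the policy is treated as default-deny.
    """
    exposed = []
    for (proto, port), name in sorted(DIRECTORY_SERVICE_PORTS.items()):
        decision = next((r.action for r in rules if r.matches(src, dst, proto, port)), "deny")
        if decision == "allow":
            exposed.append((proto, port, name))
    return exposed


# Constructed policy for a front-end server in the DMZ that is a domain member:
# it needs Kerberos, LDAP and SMB into the LAN, so those holes get opened.
DOMAIN_JOINED_POLICY = """
# src  dst  proto port  action
DMZ    LAN  tcp   25    allow   # SMTP to the back-end
DMZ    LAN  tcp   88    allow   # Kerberos
DMZ    LAN  udp   88    allow
DMZ    LAN  tcp   389   allow   # LDAP to a domain controller
DMZ    LAN  tcp   445   allow   # SMB (SYSVOL, RPC over named pipes)
DMZ    LAN  any   any   deny
LAN    DMZ  any   any   allow
"""

# Constructed policy for a plain SMTP relay in the DMZ with no domain membership:
# the only hole from the DMZ into the LAN is mail delivery to the internal server.
RELAY_ONLY_POLICY = """
DMZ    LAN  tcp   25    allow   # SMTP to the internal mail server
DMZ    LAN  any   any   deny
LAN    DMZ  any   any   allow
"""


def exposure_report(policy_text: str) -> List[Tuple[str, int, str]]:
    """Convenience wrapper: parse a policy and list the exposed directory services."""
    return exposed_services(parse_rules(policy_text))


if __name__ == "__main__":
    for label, policy in (("domain-joined front-end", DOMAIN_JOINED_POLICY),
                          ("SMTP relay only", RELAY_ONLY_POLICY)):
        hits = exposure_report(policy)
        print(f"{label}: {len(hits)} directory service(s) reachable from the DMZ")
        for proto, port, name in hits:
            print(f"  {proto}/{port:<5} {name}")
```

Running it shows the trade-off the thread is arguing about: the domain-joined policy leaves four directory services (Kerberos over TCP and UDP, LDAP, SMB) reachable from the DMZ, while the relay-only policy leaves none, because a relay that only speaks SMTP to the inside never needs to authenticate against the domain. The audit is deliberately policy-level rather than host-level, which is where the "what do we absolutely need to expose" question belongs.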

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

