Firewall Wizards mailing list archives
Re: (no subject)
From: "Paul D. Robertson" <proberts () patriot net>
Date: Sun, 24 Nov 2002 18:27:42 -0500 (EST)
On Fri, 22 Nov 2002, Dean Pullen wrote:
> Hi guys, I've basically been told that we require an Exchange system operated within our DMZ setup. After much
Well, you're going to get flack for that here- so let's ask the question more carefully- have you been told you require SMTP services in your DMZ, or explicitly an Exchange server? If explicitly, what's the rationale? Most of us on this list would be extremely wary of even exposing just the IMC component of Exchange to the raw Internet. I can only think of two large well-staffed companies that might do that off the top of my head, and one of those would be Microsoft.
> reading I've decided to go for a front-end, back-end Exchange system, with the Exchange front-end in the DMZ and the back-end in the LAN. However, even though I've opened up all the ports specified in MS' white papers between the DMZ and LAN, I cannot connect to the domain/active directory from the Front-End server. How
Exposing your domain controller or active directory server to a machine in the DMZ is probably less than optimal from a security perspective. Once again, you're best off outlining the basic requirements and finding tools that fit the job, rather than trying to fit specific tools to a particular job.
> do I go about this? I mean all I am trying at the moment is to connect to our internal Domain by accessing the network ID in the My Computer properties and trying to type in the Domain. Do I have to do anything else?! Sorry for my amateurishness(!) but we're a small firm and cannot afford a fully-fledged Exchange specialist, thus I'm doing it!
IMO, all the more reason to go back to the initial requirements and look into architectural solutions that provide separation between the public facing side of your equipment and your core internal infrastructure. We place machines on the DMZ because their increased exposure makes them more likely to be compromised. If we then connect them to core infrastructure like authentication servers, we're increasing the exposure to that infrastructure. That's something that should only be done with extreme care and a full understanding of the risks.

You're getting a lot of "Why Exchange?" questions because people are concerned that you're going to expose a lot more than you absolutely *need* to expose by going down that path. If you don't have strong Exchange expertise, it makes us all a lot more nervous- it's like you're standing there with a knife asking "What's the best way to cut off my finger?" We all want to be *really* sure you've got no other alternative to cutting off your finger. It'll impair your typing and all that...

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com    Director of Risk Assessment, TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
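Added example, not part of Paul's message or anything else in this thread: a small rule-review script that makes his point concrete by listing what a compromised DMZ host could reach under the two designs being argued about, an Exchange front-end joined to the internal domain versus a plain SMTP relay that only forwards mail inward. The host names, zone labels and both rule sets are constructed for illustration; the domain-controller port list is general Active Directory knowledge (DNS, Kerberos, RPC endpoint mapper, LDAP, SMB, Global Catalog), not the port list from the white paper the original poster followed.

```python
"""
Rule-review helper (added example): which core services can a DMZ host reach?
Host names, zone labels and the rule sets below are constructed, not taken
from the original thread.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Well-known service ports a Windows domain member contacts on a domain
# controller. General AD facts; the exact list the original poster opened
# from the MS white papers is not on this page.
DC_SERVICES = {
    ("udp", 53): "DNS",
    ("tcp", 53): "DNS",
    ("tcp", 88): "Kerberos",
    ("udp", 88): "Kerberos",
    ("tcp", 135): "RPC endpoint mapper",
    ("tcp", 389): "LDAP",
    ("udp", 389): "LDAP",
    ("tcp", 445): "SMB",
    ("tcp", 3268): "Global Catalog",
}

# Constructed inventory: internal hosts that count as core infrastructure.
CORE_HOSTS = {"dc1.corp.example": "domain controller"}


@dataclass(frozen=True)
class Rule:
    src: str                 # originating zone/host; DMZ hosts are prefixed "dmz:"
    dst: str                 # destination host
    proto: str               # "tcp" or "udp"
    ports: Tuple[int, int]   # inclusive port range

    def covers(self, proto: str, port: int) -> bool:
        return self.proto == proto and self.ports[0] <= port <= self.ports[1]


def dmz_rules(rules: Iterable[Rule]) -> List[Rule]:
    """Only the rules a DMZ host could use once it is compromised."""
    return [r for r in rules if r.src.startswith("dmz:")]


def exposed_core_services(rules: Iterable[Rule]) -> List[Tuple[str, str, str]]:
    """(dmz_host, core_host, service) for every DC service a DMZ host may reach."""
    hits = []
    for r in dmz_rules(rules):
        if r.dst not in CORE_HOSTS:
            continue
        for (proto, port), name in sorted(DC_SERVICES.items()):
            if r.covers(proto, port):
                hits.append((r.src, r.dst, name))
    return hits


def wide_ranges(rules: Iterable[Rule], max_width: int = 16) -> List[Rule]:
    """DMZ-originated rules opening more than max_width ports, e.g. a dynamic
    RPC range; these turn a short port list into a large attack surface."""
    return [r for r in dmz_rules(rules) if r.ports[1] - r.ports[0] + 1 > max_width]


# Design 1 (constructed): Exchange front-end in the DMZ, joined to the domain.
FRONTEND_DESIGN = [
    Rule("internet", "dmz:exch-fe", "tcp", (25, 25)),
    Rule("internet", "dmz:exch-fe", "tcp", (443, 443)),
    Rule("dmz:exch-fe", "dc1.corp.example", "udp", (53, 53)),
    Rule("dmz:exch-fe", "dc1.corp.example", "tcp", (88, 88)),
    Rule("dmz:exch-fe", "dc1.corp.example", "udp", (88, 88)),
    Rule("dmz:exch-fe", "dc1.corp.example", "tcp", (135, 135)),
    Rule("dmz:exch-fe", "dc1.corp.example", "tcp", (389, 389)),
    Rule("dmz:exch-fe", "dc1.corp.example", "tcp", (445, 445)),
    Rule("dmz:exch-fe", "dc1.corp.example", "tcp", (3268, 3268)),
    Rule("dmz:exch-fe", "dc1.corp.example", "tcp", (1024, 65535)),  # dynamic RPC
    Rule("dmz:exch-fe", "exch-be.corp.example", "tcp", (25, 25)),
]

# Design 2 (constructed): a plain SMTP relay in the DMZ forwarding mail inward.
RELAY_DESIGN = [
    Rule("internet", "dmz:smtp-relay", "tcp", (25, 25)),
    Rule("dmz:smtp-relay", "exch-be.corp.example", "tcp", (25, 25)),
]


def report(name: str, rules: List[Rule]) -> None:
    hits = exposed_core_services(rules)
    print(f"{name}: {len(hits)} core-service path(s) from the DMZ, "
          f"{len(wide_ranges(rules))} wide port range(s)")
    for src, dst, svc in sorted(set(hits)):
        print(f"  {src} -> {dst} ({CORE_HOSTS[dst]}): {svc}")


if __name__ == "__main__":
    report("Exchange front-end in DMZ", FRONTEND_DESIGN)
    report("SMTP relay in DMZ", RELAY_DESIGN)
```

Run as-is it prints eight DMZ-to-domain-controller paths for the front-end design (DNS, Kerberos, RPC endpoint mapper, LDAP, SMB and Global Catalog, the last one reachable twice because the dynamic RPC range also covers it) and none for the relay design. The wide-range check is the caveat worth keeping in mind when a white paper says "open these ports": a dynamic RPC range is one line in the firewall policy but thousands of ports of exposure.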
Current thread:
- (no subject) LazloCarreidas (Nov 06)
- <Possible follow-ups>
- Re: (no subject) broyds (Nov 06)
- (no subject) Dean Pullen (Nov 22)
- Re: (no subject) Skip Frizzell (Nov 22)
- Message not available
- Re: (no subject) Skip Frizzell (Nov 24)
- Re: (no subject) Skip Frizzell (Nov 22)
- Re: (no subject) Paul D. Robertson (Nov 24)
- RE: (no subject) Noonan, Wesley (Nov 22)
- RE: (no subject) Don Goldstein (Nov 25)
- RE: (no subject) Paul Robertson (Nov 25)
- RE: (no subject) Nieveler, Juergen (Nov 26)
- RE: (no subject) Paul D. Robertson (Nov 26)