Firewall Wizards mailing list archives
RE: NTLM authentication from DMZ
From: "Ben Nagy" <ben () iagu net>
Date: Thu, 19 Sep 2002 09:13:14 +0200
Short answer - don't do it.

Longer answer - Um...this is contra-indicated from a security perspective.

Long answer - If at gunpoint, I would run the IIS box which does the actual Exchange Webmail function on a separate box, in a separate domain, with one-way trusts, and stick _that_ box in the DMZ with the appropriate holes for the required traffic. From memory, you need the works for this, including MS-RPC.

The key threat is that someone will hack your IIS box and then sit on it gathering valid password pairs for the LAN domain, and then just access C$ on whatever box they like as soon as anyone in the Domain Admins group checks their mail. We could argue about countermeasures to that, but believe me when I say that once someone has control over the DMZ box then you're in some pretty major schtuck unless you have an extremely smart IDS or Tingling Spider Senses.

Note that I always recommend that Exchange boxen not talk SMTP to the outside world - setting up a secure mail relay in the DMZ is cheap, easy and can provide some good first-pass filtering / screening capabilities.

Cheers,

--
Ben Nagy
Network Security Specialist
Mb: +41792504687
PGP Key ID: 0x1A86E304
-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Jan van Rensburg
Sent: Wednesday, September 18, 2002 10:27 AM
To: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] NTLM authentication from DMZ

A related question I've sometimes wondered about is where the best place is to put a company's Exchange server. Let us assume that the Exchange server is part of the normal company domain, so that you only have one authentication database to deal with. The second assumption is that people will access their Exchange mail remotely from the Internet.

Now the obvious answer to this is a VPN, but let's assume that this is not possible. The two options left are:

1. Place the Exchange server in the DMZ, but that would require a whole lot of ports open between the LAN and DMZ for the authentication to work.
2. Place it on the LAN, but that would require opening ports from the Internet to your LAN.

Which of the two is worse? Any other (non VPN) alternatives?

Jan van Rensburg
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
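The key threat in Ben's reply is a compromised DMZ webmail front end harvesting LAN-domain credentials, and the worst case is a Domain Admin checking mail through it. The following detection script is an added example, not code from the thread or from any of its authors: it scans constructed logon records (the log format, host name and account names are assumptions) and flags every privileged LAN-domain account that authenticated via the DMZ host, so those password pairs can be treated as exposed and the accounts can be excluded from webmail.

```python
import re
from dataclasses import dataclass

# Constructed sample records (not real logs), one logon per line:
# "<timestamp> <DOMAIN\user> <source host> <logon type>"
SAMPLE_LOG = """\
2002-09-19T08:01:12 CORP\\jvr owa-dmz01 3
2002-09-19T08:02:44 CORP\\admin.bob owa-dmz01 3
2002-09-19T08:03:01 CORP\\admin.bob lan-ws17 2
2002-09-19T08:05:30 CORP\\svc-backup owa-dmz01 3
2002-09-19T08:06:10 DMZ\\owa-svc owa-dmz01 3
"""

# Assumptions: owa-dmz01 is the webmail front end in the DMZ, and these
# LAN-domain accounts are the ones whose credentials must never pass through it.
DMZ_WEBMAIL_HOSTS = {"owa-dmz01"}
PRIVILEGED_ACCOUNTS = {r"CORP\admin.bob", r"CORP\svc-backup"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<host>\S+) (?P<ltype>\d+)$")


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    host: str


def parse_logons(text):
    """Yield parsed records; malformed lines are skipped rather than raising."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_privileged_dmz_logons(text, privileged=PRIVILEGED_ACCOUNTS,
                               dmz_hosts=DMZ_WEBMAIL_HOSTS):
    """Return one Alert per privileged LAN account that authenticated through
    a DMZ webmail host. A compromised front end sees exactly these credentials,
    so each hit is a password pair to rotate and an account to keep off webmail."""
    return [Alert(r["ts"], r["user"], r["host"])
            for r in parse_logons(text)
            if r["user"] in privileged and r["host"] in dmz_hosts]


if __name__ == "__main__":
    for a in find_privileged_dmz_logons(SAMPLE_LOG):
        print(f"{a.ts} privileged account {a.user} authenticated via DMZ host {a.host}")
```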