Firewall Wizards mailing list archives

RE: NTLM authentication from DMZ


From: "Ben Nagy" <ben () iagu net>
Date: Thu, 19 Sep 2002 09:13:14 +0200

Short answer - don't do it.

Longer answer - Um...this is contra-indicated from a security
perspective.

Long answer - If at gunpoint, I would run the IIS box which does the
actual Exchange Webmail function on a separate box, in a separate
domain, with one-way trusts, and stick _that_ box in the DMZ with the
appropriate holes for the required traffic. From memory, you need the
works for this, including MS-RPC. 

The key threat is that someone will hack your IIS box and then sit on it
gathering valid password pairs for the LAN domain, and then just access
C$ on whatever box they like as soon as anyone in the Domain Admins
group checks their mail. We could argue about countermeasures to that,
but believe me when I say that once someone has control over the DMZ box
then you're in some pretty major schtuck unless you have an extremely
smart IDS or Tingling Spider Senses.

Note that I always recommend that Exchange boxen not talk SMTP to the
outside world - setting up a secure mail relay in the DMZ is cheap, easy
and can provide some good first-pass filtering / screening capabilities.

Cheers,

--
Ben Nagy
Network Security Specialist
Mb: +41792504687  PGP Key ID: 0x1A86E304 
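A detection check for the exposure Ben describes above (a privileged account authenticating through the DMZ webmail host, which is exactly what a compromised box would harvest), as an added example that is not part of this thread. The log line format, the hostnames and the group membership table are constructed assumptions.

```python
# Added example, not from the thread: flag logons by privileged accounts that
# are relayed through a DMZ webmail host. Everything below is constructed.
from dataclasses import dataclass
from typing import Iterable, List, Tuple

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}   # constructed
DMZ_WEBMAIL_HOSTS = {"webmail-dmz"}                           # assumed hostname

# Constructed user -> group membership (in practice, pulled from the directory).
GROUP_MEMBERSHIP = {
    "alice": {"Domain Admins", "Domain Users"},
    "bob": {"Domain Users"},
}

# Constructed sample log: "<timestamp> logon user=<u> src=<host> result=<ok|fail>"
SAMPLE_LOG = [
    "2002-09-19T09:00:01 logon user=alice src=webmail-dmz result=ok",
    "2002-09-19T09:00:05 logon user=bob src=webmail-dmz result=ok",
    "2002-09-19T09:00:09 logon user=alice src=lan-ws01 result=ok",
    "2002-09-19T09:01:00 logon user=bob src=webmail-dmz result=fail",
]


@dataclass
class LogonEvent:
    user: str
    source_host: str   # host that forwarded the authentication to the DC
    success: bool


def parse_line(line: str) -> LogonEvent:
    """Parse one line of the constructed log format into a LogonEvent."""
    fields = dict(tok.split("=", 1) for tok in line.split()[2:])
    return LogonEvent(fields["user"], fields["src"], fields["result"] == "ok")


def privileged_logons_via_dmz(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (user, source_host) for every successful logon of a privileged
    account that came through a DMZ webmail host. Such a logon means the DMZ
    box has just handled Domain Admin credentials, the risk Ben points at."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if not ev.success or ev.source_host not in DMZ_WEBMAIL_HOSTS:
            continue
        if GROUP_MEMBERSHIP.get(ev.user, set()) & PRIVILEGED_GROUPS:
            alerts.append((ev.user, ev.source_host))
    return alerts


if __name__ == "__main__":
    for user, host in privileged_logons_via_dmz(SAMPLE_LOG):
        print(f"ALERT: privileged account {user} authenticated via DMZ host {host}")
```

The same check, keyed on the source host of the authentication, is what lets you spot the problem from the domain controller's side rather than from the DMZ box that may already be compromised.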


-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com 
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf 
Of Jan van Rensburg
Sent: Wednesday, September 18, 2002 10:27 AM
To: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] NTLM authentication from DMZ


A related question I've sometimes wondered about is where the best place is to put a company's Exchange server. Let us assume that the Exchange server is part of the normal company domain, so that you only have one authentication database to deal with. The second assumption is that people will access their Exchange mail remotely from the Internet. Now the obvious answer to this is a VPN, but let's assume that this is not possible.

The two options left are:
1. Place the Exchange server in the DMZ, but that would require a whole lot of ports open between the LAN and DMZ for the authentication to work.
2. Place it on the LAN, but that would require opening ports from the Internet to your LAN.

Which of the two is worse? Any other (non VPN) alternatives?

Jan van Rensburg

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

