Firewall Wizards mailing list archives
Re: NTLM authentication from DMZ
From: Mikael Olsson <mikael.olsson () clavister com>
Date: Fri, 20 Sep 2002 16:31:43 +0200
Jan van Rensburg wrote:
> A related question I've sometimes wondered about, is where is the best place to put a company's Exchange server. Let us assume that the Exchange server is part of the normal company domain, so that you only have one authentication database to deal with. The second assumption is that people will access their Exchange mail remotely from the Internet. Now the obvious answer to this is a VPN, but let's assume that this is not possible.
I've been over this I don't know HOW many times on different mailing lists, and I've never managed to come up with an easy answer. The basic problem is that you need to allow _A LOT_ of traffic between the OWA box and the Exchange server and DC. So much in fact that there's almost no point in putting it in a separate segment. The only point remaining for putting it in a separate segment is that you can restrict access to only the above-mentioned machines, and spend LOTS of time hardening them. (Including such non-obvious things as fixing the broken default permissions in the registry and so on.)

My first recommendation would probably be: stick something in front of the OWA box that does SSL and authentication. If someone gets to the OWA box, it's more or less game over; if nothing else because of all the sensitive stuff that is usually available in people's inboxes, public folders, etc. etc.

The "something" in front of the OWA box can/should probably use a different means of authentication. SecurID comes to mind; it's not _that_ expensive to implement and maintain, and still enables people on the road to check their mail from internet cafés. (Whether or not they should be allowed to _do_ that is another question altogether. Probably, the answer is "no", but that's never stopped a user from doing dumb things.)

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00
Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50
WWW: http://www.clavister.com
"Senex semper diu dormit"

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards