Security Basics mailing list archives
Re: Exchange Server and External Access
From: chort <chort () amaunetsgothique com>
Date: 22 Aug 2003 15:20:21 -0700
On Fri, 2003-08-22 at 10:25, Cherian M. Palayoor wrote:
> Hi,
>
> We presently use the Std edition of Exchange 2000 as a mail server for our internal users, behind the Firewall. However, we would like to grant mailbox access to external users outside the Firewall. What would be the most secure and efficient method of accomplishing this?
>
> One stream of thought that I have been entertaining is having a separate Exchange/Mail Server on the DMZ. Now this solution would result in having to maintain 2 separate mailboxes for internal and external users. This creates problems for users who would access their emails from both inside and outside the office. How can I work around this problem?
>
> Thanks in advance for any suggestions.
>
> Regards
> CP

The most straightforward and least complex solution would be for remote users to VPN in and connect to Exchange natively (MAPI) across the VPN (to the internal IP).

Another solution would be to set up OWA and let remote users only access OWA. Unfortunately, OWA is fairly riddled with security weaknesses, and it's dependent on IIS. I would not implement it without a reverse-proxy in front doing, at the very least, buffer length checking, IDS signature detection, limiting directory recursion, real secure log-off (try logging out of OWA, then click stop, back, and presto you're in), etc., and preferably SSL/TLS encryption too. The company I work for, CipherTrust, has such a solution in the IronWebMail product. In the interest of fairness I will also mention that Whale have a similar product, and I believe Borderware also has this functionality. I'm sure there are several other vendors capable of reverse proxying HTTP(S).

Last, you could also use POP3 or IMAP4 with Exchange. This won't allow access to the calendar, etc., but you can get mail. Again, this shouldn't go straight into Exchange from the outside. You should have a reverse-proxy for those services in the DMZ. It should enforce password strength checking, check for brute force password guessing, denial of service attacks, etc. CipherTrust provide a product (IronMail) that does this. At the risk of sounding shamelessly self-promoting, I'm not aware of any other products which reverse-proxy POP3 or IMAP4. I'm sure this is not unique, so there must be some vendor out there who does it. Check with your firewall vendor to see if it's already supported in your current firewall.

In any case, take some time and continue doing research (as you are now). Make sure whatever solution you come up with will fill both your functional and security requirements. Evaluate at least two products or solutions so you have some basis of comparison.

-- Brian Keefer
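
Added example, not part of the original post and not any vendor's code: a sketch of two of the checks the reply asks of a POP3 reverse proxy in the DMZ, limiting command length and detecting brute-force password guessing, applied to each client line before it is forwarded to Exchange. The class name `Pop3Gate`, the thresholds and the command allow-list are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque

MAX_LINE = 255          # assumed cap on one client command line, in bytes
MAX_FAILURES = 5        # assumed failed logins tolerated per window
WINDOW_SECONDS = 300    # assumed sliding window for counting failures
ALLOWED = {b"USER", b"PASS", b"STAT", b"LIST", b"RETR", b"DELE", b"NOOP",
           b"RSET", b"QUIT", b"TOP", b"UIDL", b"CAPA"}

class Pop3Gate:
    """Hypothetical policy layer a POP3 reverse proxy applies per client line."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(deque)   # client IP -> failure timestamps

    def _recent_failures(self, ip):
        q = self.failures.get(ip)
        if not q:
            return 0
        cutoff = self.clock() - WINDOW_SECONDS
        while q and q[0] < cutoff:           # drop failures outside the window
            q.popleft()
        return len(q)

    def check_command(self, ip, line):
        """Return (forward, reason) for one raw client line (bytes)."""
        if self._recent_failures(ip) >= MAX_FAILURES:
            return False, "locked-out"       # brute-force guard
        if len(line) > MAX_LINE:
            return False, "line-too-long"    # length check before the backend sees it
        if not line.endswith(b"\r\n"):
            return False, "unterminated"
        verb = line.split(None, 1)[0].upper() if line.strip() else b""
        if verb not in ALLOWED:
            return False, "unknown-command"
        return True, "ok"

    def record_auth_result(self, ip, success):
        """Call with the backend's answer to PASS (+OK is success, -ERR is failure)."""
        if success:
            self.failures.pop(ip, None)
        else:
            self.failures[ip].append(self.clock())
```
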