RE: Exchange Server and External Access (VPN)

["Gregory M. Brown" <gbrown () alvalearning com>]

With all due respect to the man from Disney, VPN's are an incredible
mail solution.  In my world of doing US Gov't contracts, we are severely
audited.  We can not run Win 2k Terminal Services ANYWHERE.  That is how
intensely insecure TS for Win 2k is.  Also, it is well known that TS
only has 7 bit encryption.  Citrix is way expensive and administratively
heinous.  VPN's are considered secure, robust and cost effective because
you're leveraging an asset you already have!

Firstly, ports that are opened are negligible.  For MS, ports 1723, 500
and 47 are all that is needed.

Secondly, as far as packet overhead and number of hops goes, it really
isn't that big of a deal.  My biggest choke point is the T1.  All
traffic destined for the VPN peer network is encapsulated and secured.
NetBIOS calls will run through the tunnel.  
My network has not one WINS or legacy desktop OS.  Native AD.  DNS is
the key.  That would be port 53 tcp/udp.  You don't need to create a
rule on your FW for that...  If it is destined for the peer network, the
packets will simply pass through the tunnel.  Last I heard, VPN tunnels
were a helluva hard crack.

Thirdly, when configuring a MS VPN, simply apply packet filtering to
accept only VPN traffic.  All other services that are not critical
should be shut off.  This way, ANY other request for services will be
rejected.  Period.

Lastly, users connect via a connectoid I made from the Connections
Manager within the IIS Admin kit.  After a few try's, I got it right...
Users simply click on it and voila.  Keepin' It Simple Sir!
That's my story and I'm stickin' to it...
gb

-----Original Message-----
From: Nero, Nick [mailto:Nick.Nero () disney com] 
Sent: Monday, August 25, 2003 1:22 PM
To: Nick Duda; jsansi () ritzfoodservice com; Cherian M. Palayoor;
security-basics () securityfocus com
Subject: RE: Exchange Server and External Access

VPNS are bad to use for mail.  As people are finding out this week, it
exposes way too many ports (TCP 135 particulary) just so you can make
native calls to the mail server.  Web mail is a much better solution
(OWA for 2000 is very good and OWA for Exchange 2003 is almost exactly
as full featured as the Outlook 2003 client) for security reasons.  Add
the benefit that no company information actually leaves the box and the
solution really shines.

A workstation/laptop that is used for VPN has to be as secure as an
internal machine.  So after apply your Windows 2000 GPO's, A-V updates,
service patches and hotfixes, the TCO of the solution gets out of
control.  Unless someone just HAD to have native port access to an app
server, I would stay away from VPN.  Go for Term.Services/Citrix before
you go there.

Nick Nero
CISSP
The Walt Disney Company

-----Original Message-----
From: Nick Duda [mailto:nduda () VistaPrint com] 
Sent: Monday, August 25, 2003 12:23 PM
To: jsansi () ritzfoodservice com; Cherian M. Palayoor;
security-basics () securityfocus com
Subject: RE: Exchange Server and External Access

The reason why we didn't do that in my location was ease of
connectivity. Principals and executives like to just pop open a browser
and get email. Adding them to the corporate vpn would require vpn
software installs..etc. Not to mention all the different hotels during
traveling tend to block a lot of vpn traffic.

- Nick

-----Original Message-----
From: Jimmy Sansi [mailto:jsansi () ritzfoodservice com]
Sent: Friday, August 22, 2003 5:09 PM
To: 'Cherian M. Palayoor'; security-basics () securityfocus com
Subject: RE: Exchange Server and External Access



Why not configure a VPN into the network. Easier then setting up another
server in the DMZ, plus users can have access to other network resources
as well.

-Jimmy

-----Original Message-----
From: Cherian M. Palayoor [mailto:cpalayoor () cwalkergroup com]
Sent: Friday, August 22, 2003 12:11 PM
To: security-basics () securityfocus com
Subject: Exchange Server and External Access


Hi,

We presently use the Std edition of Exchange 2000 as a mail server for
our internal users, behind the Firewall.

However we would like to grant mailbox access to external users outside
the Firewall.

What would be the most secure and efficient method of accomplishing
this. 

One stream of thought that I have been entertaining is having a separate
Exchange/Mail  Server on the DMZ.

Now this solution would result in having to maintain 2 separate
mailboxes for internal and external users. This creates problems for
users who would access their emails from both inside and outside the
office.

How can I workaround this problem.

Thanks in advance for any suggestions.

Regards

CP


 Scanned by Webshield E250



------------------------------------------------------------------------
---
------------------------------------------------------------------------
----



------------------------------------------------------------------------
---
Attend Black Hat Briefings & Training Federal, September 29-30
(Training), October 1-2 (Briefings) in Tysons Corner, VA; the world's
premier technical IT security event.  Modeled after the famous Black Hat
event in Las Vegas! 6 tracks, 12 training sessions, top speakers and
sponsors.  
Symantec is the Diamond sponsor.  Early-bird registration ends September
6.Visit us: www.blackhat.com
------------------------------------------------------------------------
----



------------------------------------------------------------------------
---
Attend Black Hat Briefings & Training Federal, September 29-30
(Training), 
October 1-2 (Briefings) in Tysons Corner, VA; the world's premier 
technical IT security event.  Modeled after the famous Black Hat event
in 
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.  
Symantec is the Diamond sponsor.  Early-bird registration ends September
6.Visit us: www.blackhat.com
------------------------------------------------------------------------
----


---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training),
October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
technical IT security event.  Modeled after the famous Black Hat event in
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
Symantec is the Diamond sponsor.  Early-bird registration ends September 6.Visit us: www.blackhat.com
----------------------------------------------------------------------------