Firewall Wizards mailing list archives

RE: DMZ design - Exchange, SQL, & DCOM


From: "Omar T. Fahnbulleh" <otariq () bellatlantic net>
Date: Sat, 5 Feb 2000 02:39:47 -0500

Mike,
In networks that I've configured I've put an SMTP relay server in the DMZ that
will pass all incoming e-mail to the Exchange server, and the Exchange server
will forward all e-mail destined for the internet to the SMTP server to send
out.  I will suggest 3 NIC cards; you should also use SPLIT DNS.  Your web
server that will be accessed from the internet should be placed in the DMZ
with valid IP address. If you are using NAT you will need to configure an
ARP file that will map the mac address of the external interface to the
valid addresses that will be placed in your DMZ, you will also need to
create routes since the OS will be doing the routing.  If using NAT you will
need to use Static NAT to map the private address to the legal address.
In the ARP file you will have:
MAC address of ext. interface     Valid IP addresses
00-A0-C9-A8-B6-28                 address of web server
00-A0-C9-A8-B6-28                 address of SMTP relay server
00-A0-C9-A8-B6-28                 address of DNS server
***One issue with ARP files is that they do not work consistently if you create
10 or more entries. The ARP file should be placed in the FW\state folder, e.g.
local.arp

You can get an SMTP relay server (Mimesweeper) that will also scan all
incoming and outgoing e-mails for viruses.  I like using this functionality
because it's your first line of defense against trojan horses, viruses and
other bad stuff out there on the internet.  You will always have to keep the
virus software updated with the most recent patch.

I have so much more information to help you.  I don't have the time to spell
it all out for you here tonight.  Send me an e-mail if you would like my
help and I'll forward you my number.
Check out www.checkpoint.com\~joe


Omar
  -----Original Message-----
  From: owner-firewall-wizards () lists nfr net
[mailto:owner-firewall-wizards () lists nfr net]On Behalf Of Michael Borkin
  Sent: Friday, February 04, 2000 5:53 AM
  To: firewall-wizards () nfr net
  Subject: DMZ design - Exchange, SQL, & DCOM


  I have been called upon to re-design an existing network to allow the
hosting of a web and e-mail server.  It is a pure Microsoft network (95/98,
NT, and W2K) that will incorporate a checkpoint FW-1 firewall (actually
VPN-1) as part of the design.  My main questions at this point have to do
with the DMZ, what belongs there, and how to connect it to the firewall and
the internet.  The connection to the internet will come in over an SDSL
router (brand unknown at this time), but from there I have gotten
conflicting advice.

  Should all traffic be passed back to the firewall which will have 3-nic
cards (1- Internet, 2- DMZ, 3- Internal network), or should the router
itself have two ethernet ports (1- Firewall, 2- DMZ) and the firewall only
have two nic cards (1- Internet, 2- Internal Network) as well?  The argument
for the 3-card configuration is that logging is better that way.  Meanwhile,
the 2+2 argument is to keep as little traffic from being able to flow into
and through the firewall machine as possible for both overhead and security
reasons.  I am leaning towards the 3-card configuration based on the fact
that it is the recommendation from Checkpoint (or at least their vendors),
but I would like to know if anyone has any opinions before I decide.  As for
the machines in the DMZ, other than the web server itself (IIS 4.0) I am not
sure which ones need to reside there and which need to be placed on the
internal network for the best security configuration.  Below is described
the main services that I am concerned with at the moment.

  E-mail is currently handled by an Exchange Server, but is also used for
services besides just internet e-mail such as public folders and internal
company mail.  One person therefore recommended setting up an SMTP box in
the DMZ and having it dedicated to relaying internet based e-mail from the
outside back through the firewall (and vice-versa) to protect the other
information on the Exchange server.  That sounded good to me, but later when
I was discussing this with another person I got a totally different opinion.
He said it was a bad idea to let another box handle the e-mail and that to
have the Exchange box on the internal network would cause me to have to
punch huge holes in the firewall to let certain services through.
Therefore, the Exchange box needed to reside in the DMZ rather than behind
it.  What he said really didn't make sense to me, because I would think that
it would be having the Exchange server in the DMZ that would cause me to
have to punch holes rather than the other way around.  But, just because I
don't understand his reasoning doesn't mean he is incorrect especially since
he knows a lot more about firewalling than I do, so I ask which is the
better way to go?

  Next, the web server uses dynamic html for much of the website
content.  This leverages both a SQL server and DCOM programming built
through Visual InterDev to deliver the content to the web server.  This is
where it really goes over my head at the moment, if it was just SQL server
then I know to place it on the inside and let the calls from the web server
come back through the firewall.  However from what I have been told by a
developer, DCOM uses dynamic port allocation when establishing a stateful
connection (although from what I have read it uses udp, so I don't know why
there should be a stateful connection).  I honestly don't understand enough
to know where the DCOM part of the process sits (although I am guessing it
is on the web rather than the database server), and whether this means that
I have to open up a port range for DCOM to work properly or to move the SQL
server out to the DMZ (neither of which sounds like a good idea to me).
Also, I am not sure about what ports or rules would need to be incorporated
to get this to function as securely as possible if everything other than the
web server resides behind the firewall.

  If anyone could either point me towards reference material and/or give me
advice about how the DMZ portion of the network should be setup based on the
factors explained above it will be greatly appreciated.  If you need any
further information before making a suggestion or recommendation, please
feel free to contact me either on or off list and I will be more than glad
to do what I can to fill in the gaps.

  Thanks,

  Mike


RE: DMZ design - Exchange, SQL, & DCOM


From: Henry Sieff <hsieff () orthodon com>
To: "'Michael Borkin'" <borkin () netquest com>, firewall-wizards () nfr net
Date: Fri, 4 Feb 2000 12:18:20 -0600

[grr. . .html email]

-----Original Message-----
From: Michael Borkin [mailto:borkin () netquest com]
Sent: Friday, February 04, 2000 4:53 AM
To: firewall-wizards () nfr net
Subject: DMZ design - Exchange, SQL, & DCOM


[SNIP]

E-mail is currently handled by an Exchange Server, but is also used for
services besides just internet e-mail such as public folders and internal
company mail.  One person therefore recommended setting up an SMTP box in
the DMZ and having it dedicated to relaying internet based e-mail from the
outside back through the firewall (and vice-versa) to protect the other
information on the Exchange server.  That sounded good to me, but later when
I was discussing this with another person I got a totally different opinion.
He said it was a bad idea to let another box handle the e-mail and that to
have the Exchange box on the internal network would cause me to have to
punch huge holes in the firewall to let certain services through.
Therefore, the Exchange box needed to reside in the DMZ rather than behind
it.  What he said really didn't make sense to me, because I would think that
it would be having the Exchange server in the DMZ that would cause me to
have to punch holes rather than the other way around.  But, just because I
don't understand his reasoning doesn't mean he is incorrect especially since
he knows a lot more about firewalling than I do, so I ask which is the
better way to go?


Response:
That depends on the balance between security and services you're looking to
achieve.  If the only thing you want outsiders (i.e. people from the internet)
to be able to do is read mail, and you just want to send and receive good
old smtp/pop3 mail you should put a nice hardened smtpd/popd linux box in
your DMZ; the only hole you need between your DMZ and your internal would
then be smtp and pop. Your MSEXCH server in the internal should only accept
connections from internal and that one mail relayer.

However, if you want users to be able to access the whole slew of exchange
services from the internet, you've got issues. If you put it in the DMZ, you
have to open up lotsa ports between your internal and DMZ, and between your
external and DMZ. If you put it in your internal, you have to open up holes
all the way.  You can use SSL and just access the exchange server via https,
but that's flaky and slow and not much better.

We use citrix with secure ICA to provide exchange access to the outside
world (which is not without its problems, but at least it limits exposure).

For the basic specs on running exchange through a firewall, check out the MS
knowledge base (query on exchange and firewalls). Particular attention must
be paid to the RPC endpoint mapping service, and the fact that an exchange
server MUST be a member of a domain, which causes many of the hassles.

BTW, you can set up another exchange server in the dmz as a member of its
own domain with a one way trust (i.e. it trusts the internal exchange server
but not vice versa) and use that as a relay, but then you still have to open
up several additional ports between the DMZ and external if you want to
access exchange services from outside.

HTH.

Henry Sieff
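The following is an added worked example, not code from either poster or from Check Point. It models the design both replies converge on (web server, SMTP relay and DNS in the DMZ behind static NAT, Exchange kept on the internal network, three firewall interfaces) as a small first-match rule base, so a reader can check which flows the policy opens. The addresses, rule names and zone layout are constructed assumptions; the only value taken from the thread is the external-interface MAC from Omar's ARP table. The `local_arp_lines` helper assumes a one-"IP MAC"-pair-per-line layout for the FW-1 local.arp file, which must be verified against the product documentation, and applying NAT before rule matching is a simplification of the model, not a statement about FW-1's real evaluation order.

```python
"""Toy policy model of the three-NIC FW-1 DMZ design from the thread.

Constructed example: addresses, rule names and the local.arp layout are
assumptions, not Check Point configuration syntax.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed address plan: one zone per firewall interface.
# Anything outside these two networks is treated as "internet".
ZONES = {
    "internal": ip_network("10.0.0.0/8"),
    "dmz": ip_network("192.168.10.0/24"),
}

# Private DMZ hosts (constructed) and the Exchange server kept inside.
WEB = "192.168.10.10"
RELAY = "192.168.10.25"
DNS = "192.168.10.53"
EXCHANGE = "10.0.0.5"

# Static NAT, public address -> DMZ host (constructed public addresses).
STATIC_NAT = {
    "203.0.113.10": WEB,
    "203.0.113.25": RELAY,
    "203.0.113.53": DNS,
}

# MAC of the firewall's external interface, as given in Omar's ARP table.
EXT_MAC = "00-A0-C9-A8-B6-28"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str             # "any", "internet", a zone name, or a host address
    dst: str
    proto: str           # "any", "tcp" or "udp"
    port: Optional[int]  # None = any port
    action: str          # "accept" or "drop"


# Rule base for "SMTP relay in the DMZ, Exchange inside": first match wins,
# and the cleanup rule drops everything not explicitly allowed.
RULES = [
    Rule("inbound http to web", "internet", WEB, "tcp", 80, "accept"),
    Rule("inbound smtp to relay", "internet", RELAY, "tcp", 25, "accept"),
    Rule("inbound dns", "internet", DNS, "udp", 53, "accept"),
    Rule("relay to exchange", RELAY, EXCHANGE, "tcp", 25, "accept"),
    Rule("exchange to relay", EXCHANGE, RELAY, "tcp", 25, "accept"),
    Rule("relay outbound smtp", RELAY, "internet", "tcp", 25, "accept"),
    Rule("internal users to exchange", "internal", EXCHANGE, "any", None, "accept"),
    Rule("cleanup", "any", "any", "any", None, "drop"),
]


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def _match(selector: str, ip: str) -> bool:
    if selector == "any":
        return True
    if selector in ZONES or selector == "internet":
        return zone_of(ip) == selector
    return ip == selector


def translate(dst: str) -> str:
    """Static NAT: map a public address to the DMZ host behind it."""
    return STATIC_NAT.get(dst, dst)


def decide(src: str, dst: str, proto: str, port: int) -> tuple:
    """Return (action, rule name) for a flow; NAT is applied before matching
    (a simplification of this model, not FW-1's real ordering)."""
    real_dst = translate(dst)
    for r in RULES:
        if (_match(r.src, src) and _match(r.dst, real_dst)
                and r.proto in ("any", proto)
                and r.port in (None, port)):
            return r.action, r.name
    return "drop", "implicit"


def internet_reachable_ports(host: str) -> set:
    """Ports the rule base opens from the internet to a host: the exposure
    check behind Henry's advice (Exchange should come back empty)."""
    return {r.port for r in RULES
            if r.action == "accept" and r.src == "internet" and r.dst == host}


def local_arp_lines() -> list:
    """Proxy-ARP entries so the external interface answers for the public
    addresses. Assumed layout: one 'IP MAC' pair per line; confirm the real
    local.arp syntax in the FW-1 documentation before use."""
    return [f"{public} {EXT_MAC}" for public in STATIC_NAT]


if __name__ == "__main__":
    for flow in [("198.51.100.7", "203.0.113.25", "tcp", 25),
                 ("198.51.100.7", EXCHANGE, "tcp", 25),
                 (WEB, EXCHANGE, "tcp", 25),
                 (RELAY, EXCHANGE, "tcp", 25)]:
        print(flow, "->", decide(*flow))
    print("exchange open from internet:", internet_reachable_ports(EXCHANGE))
    print("\n".join(local_arp_lines()))
```

Running the script shows the property both replies care about: the only path from the internet to Exchange is through the relay on port 25, and a compromised web server in the DMZ is dropped by the cleanup rule when it tries to reach the internal network.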
