RE: DMZ design - Exchange, SQL, & DCOM

[Henry Sieff <hsieff () orthodon com>]

> -----Original Message-----
> From: Mikael Olsson [mailto:mikael.olsson () enternet se]
> Sent: Sunday, February 06, 2000 11:22 AM
> To: Michael Borkin
> Cc: firewall-wizards () nfr net
> Subject: Re: DMZ design - Exchange, SQL, & DCOM
>
>
>
>
> Michael Borkin wrote:
> > Mikael Olsson wrote:
> > > I'd recommend placing a mail forwarder with content screening
> > > capabilities in a SEPARATE DMZ, and the Exchange server on
> > > the internal network.
> >
> > Why do you recommend a seperate DMZ just for mail forwarding?  
>
> I recommed separate segments for just about everything :-)

You really need to weigh the risks, imo. 

> The reason for the separate DMZ is that you don't want to expose
> your mail forwarder to your web server. The risk that someone
> will hack your web server through the firewall is much greater
> than the risk of someone hacking your mail forwarder through the
> firewall. However, with the two placed on the same LAN, hacking
> the mail forwarder most likely becomes a simple task.

No; if you have properly hardened both boxen, it shouldn't really be an
issue. Your mailforwarder can be set to refuse connections from other
machines in the DMZ (it realy should only talk to your internal mail server
and to the DMZ NIC anyways.) I mean, if you REALLY want to, you can set up
separate DMZ's for all components, but IMO your adding administrative
overhead and cost without gaining much by way of security.
 
> Also, by placing the mail forwarder in a separate DMZ, you 
> can be reasonably sure that the SMTP traffic going into
> your exchange server is actually coming from the mail forwarder,
> and not from the web server doing some serious IP and/or
> MAC spoofing.

If someone gains that degree of access to your web server (to the point
where they could start spoofing ip and mac addresses), you're pretty screwed
already; SMTP relay hijacking will be the least of your worries.

Henry