Firewall Wizards mailing list archives
RE: DMZ design - Exchange, SQL, & DCOM
From: Henry Sieff <hsieff () orthodon com>
Date: Mon, 7 Feb 2000 15:45:24 -0600
-----Original Message-----
From: Mikael Olsson [mailto:mikael.olsson () enternet se]
Sent: Sunday, February 06, 2000 11:22 AM
To: Michael Borkin
Cc: firewall-wizards () nfr net
Subject: Re: DMZ design - Exchange, SQL, & DCOM

> Michael Borkin wrote:
> > Mikael Olsson wrote:
> > > I'd recommend placing a mail forwarder with content screening
> > > capabilities in a SEPARATE DMZ, and the Exchange server on the
> > > internal network.
> >
> > Why do you recommend a separate DMZ just for mail forwarding?
>
> I recommend separate segments for just about everything :-)
You really need to weigh the risks, imo.
> The reason for the separate DMZ is that you don't want to expose your mail forwarder to your web server. The risk that someone will hack your web server through the firewall is much greater than the risk of someone hacking your mail forwarder through the firewall. However, with the two placed on the same LAN, hacking the mail forwarder most likely becomes a simple task.
No; if you have properly hardened both boxen, it shouldn't really be an issue. Your mail forwarder can be set to refuse connections from other machines in the DMZ (it really should only talk to your internal mail server and to the DMZ NIC anyways.) I mean, if you REALLY want to, you can set up separate DMZs for all components, but IMO you're adding administrative overhead and cost without gaining much by way of security.
> Also, by placing the mail forwarder in a separate DMZ, you can be reasonably sure that the SMTP traffic going into your Exchange server is actually coming from the mail forwarder, and not from the web server doing some serious IP and/or MAC spoofing.
If someone gains that degree of access to your web server (to the point where they could start spoofing IP and MAC addresses), you're pretty screwed already; SMTP relay hijacking will be the least of your worries.

Henry
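Henry's point that the forwarder can simply refuse connections from other machines in its DMZ, modelled as an added example (not code from the thread or from any list member): a first-match host filter with default deny, checked against the flows the thread argues about. It assumes the firewall proxies SMTP so inbound Internet mail arrives from the firewall's DMZ interface; all addresses are constructed placeholders.

```python
"""Host-based filter for a DMZ mail forwarder: first-match rule evaluation.
Constructed example; addresses are RFC 5737 / RFC 1918 placeholders."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addresses for the single shared DMZ discussed in the thread.
DMZ_NET = ip_network("192.0.2.0/24")   # the shared DMZ segment
FW_DMZ_NIC = ip_address("192.0.2.1")   # firewall's DMZ interface (assumed to proxy SMTP)
MAIL_FWD = ip_address("192.0.2.25")    # the mail forwarder itself
WEB_SRV = ip_address("192.0.2.80")     # web server sharing the DMZ
INT_MAIL = ip_address("10.0.0.25")     # internal Exchange server
SMTP = 25

@dataclass(frozen=True)
class Rule:
    direction: str               # "in" (to the forwarder) or "out" (from it)
    action: str                  # "accept" or "drop"
    peer: object                 # ip_network the remote address must fall in
    dport: Optional[int] = None  # None matches any destination port

def host(addr):
    return ip_network(f"{addr}/32")

# First match wins; anything not explicitly allowed hits the default-deny
# rules, so the web server cannot reach the forwarder despite sharing a LAN.
POLICY = [
    Rule("in",  "accept", host(FW_DMZ_NIC), SMTP),   # Internet mail via the firewall
    Rule("in",  "accept", host(INT_MAIL),   SMTP),   # internal server relaying outbound
    Rule("out", "accept", host(INT_MAIL),   SMTP),   # deliver inbound mail to Exchange
    Rule("out", "accept", host(FW_DMZ_NIC), SMTP),   # hand outbound mail to the firewall
    Rule("in",  "drop",   ip_network("0.0.0.0/0")),  # default deny, inbound
    Rule("out", "drop",   ip_network("0.0.0.0/0")),  # default deny, outbound
]

def evaluate(direction: str, peer: str, dport: int, policy=POLICY) -> str:
    """Return the action for one connection attempt as seen by the forwarder."""
    addr = ip_address(peer)
    for rule in policy:
        if rule.direction != direction:
            continue
        if addr in rule.peer and (rule.dport is None or rule.dport == dport):
            return rule.action
    return "drop"  # fail closed if a policy ever lacks a final catch-all

def dmz_neighbours_blocked(policy=POLICY) -> bool:
    """True if no DMZ host other than the firewall can open anything inbound."""
    for addr in DMZ_NET.hosts():
        if addr in (FW_DMZ_NIC, MAIL_FWD):
            continue
        for port in (SMTP, 22, 80, 443):
            if evaluate("in", str(addr), port, policy) == "accept":
                return False
    return True
```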