Firewall Wizards mailing list archives

Re: NTLM authentication from DMZ


From: Mikael Olsson <mikael.olsson () clavister com>
Date: Fri, 20 Sep 2002 16:31:43 +0200



Jan van Rensburg wrote:

> A related question I've sometimes wondered about, is where is the best
> place to put a company's Exchange server. Let us assume that the
> Exchange server is part of the normal company domain, so that you only
> have one authentication database to deal with. The second assumption is
> that people will access their Exchange mail remotely from the Internet.
> Now the obvious answer to this is a VPN, but let's assume that this is
> not possible.

I've been over this I don't know HOW many times on different mailing
lists, and I've never managed to come up with an easy answer. 

The basic problem is that you need to allow _A LOT_ of traffic between
the OWA box and the Exchange server and DC. So much in fact that there's
almost no point in putting it in a separate segment.

The only point remaining for putting it in a separate segment is that
you can restrict access to only the above mentioned machines, and 
spend LOTS of time hardening them. (Including such non-obvious things
as fixing the broken default permissions in the registry and so on).


My first recommendation would probably be: stick something in front 
of the OWA box that does SSL and authentication. If someone gets to
the OWA box, it's more or less game over; if nothing else because
of all the sensitive stuff that is usually available in people's
inboxes, public folders, etc etc.

The "something" in front of the OWA box can/should probably use a 
different means of authentication. SecurID comes to mind; it's not
_that_ expensive to implement and maintain, and still enables 
people on the road to check their mail from internet cafés.
(Whether or not they should be allowed to _do_ that is another
question altogether. Probably, the answer is "no", but that's never
stopped a user from doing dumb things.)


-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com

"Senex semper diu dormit"
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
