Dangers of Exchange inside LAN (non-DMZ)

MulLa

Golden Member
Jun 20, 2000
1,755
0
0
Hi all,

Just a quick question.

What are the dangers of having Exchange inside my LAN and having router port redirection for SMTP, IMAP4, LDAP, HTTP going to my Exchange server.


Thanks in advance.
 

cmetz

Platinum Member
Nov 13, 2001
2,296
0
0
When, er, if there was a security problem that could be exploited to gain access to the Exchange server, they'd be able to hop around inside your firewall unrestricted. Putting it on a DMZ port normally means there are access controls between the internal net and the DMZ as well as between the DMZ and the outside.
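To make cmetz's point concrete, here is an added example (not code from the thread or from anyone's real network) that models the two placements as zones plus a first-match rule table and asks what a mail server that has already been compromised could reach on the inside. Every address, zone and rule is constructed, using RFC 5737 documentation ranges; the choice of port 389 to an internal DC as the one permitted DMZ-to-LAN flow is an assumption made for illustration.

```python
"""Added example: compare Exchange behind port redirection on the LAN with
Exchange on a third-NIC DMZ that has explicit rules in both directions.
All addresses, zones and rules below are constructed, not a real network."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed zones. Anything outside these networks is treated as "internet".
ZONES = {
    "lan": ipaddress.ip_network("10.0.0.0/24"),
    "dmz": ipaddress.ip_network("192.0.2.0/28"),
}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src: str               # zone name or "any"
    dst: str               # zone name or "any"
    dport: Optional[int]   # TCP destination port, None = any port
    action: str            # "allow" or "deny"


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dport: int) -> str:
    """First-match evaluation with an implicit default deny.

    Traffic between two hosts in the same zone never crosses the firewall,
    so it is allowed unconditionally; that is exactly why a compromised host
    on the LAN can hop around freely."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return "allow"
    for rule in rules:
        if (rule.src in ("any", src_zone) and rule.dst in ("any", dst_zone)
                and rule.dport in (None, dport)):
            return rule.action
    return "deny"


# Placement A: Exchange on the LAN, the router redirects the question's four
# services (SMTP, IMAP4, LDAP, HTTP) into the internal subnet. The model treats
# each forward as "internet -> lan on that port", which is what it permits.
EXCHANGE_ON_LAN = "10.0.0.5"
LAN_PORT_FORWARD: List[Rule] = [
    Rule("internet", "lan", 25, "allow"),
    Rule("internet", "lan", 143, "allow"),
    Rule("internet", "lan", 389, "allow"),
    Rule("internet", "lan", 80, "allow"),
    Rule("lan", "internet", None, "allow"),
]

# Placement B: Exchange on a separate DMZ interface. Inbound is limited to
# SMTP and HTTPS, and the DMZ may only reach the LAN for directory lookups
# (constructed choice: port 389 to an internal DC); everything else is denied.
EXCHANGE_ON_DMZ = "192.0.2.5"
THIRD_NIC_DMZ: List[Rule] = [
    Rule("internet", "dmz", 25, "allow"),
    Rule("internet", "dmz", 443, "allow"),
    Rule("dmz", "lan", 389, "allow"),
    Rule("dmz", "internet", 25, "allow"),
    Rule("lan", "dmz", None, "allow"),
]

# Constructed internal hosts: the DC's LDAP port, a file server's SMB port,
# and RDP on that same file server.
INTERNAL_TARGETS: List[Tuple[str, int]] = [
    ("10.0.0.2", 389),
    ("10.0.0.10", 445),
    ("10.0.0.10", 3389),
]


def reachable_from(rules: List[Rule], src_ip: str,
                   targets: List[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Which (host, port) pairs a host at src_ip could open under these rules."""
    return [(ip, port) for ip, port in targets
            if evaluate(rules, src_ip, ip, port) == "allow"]


if __name__ == "__main__":
    for label, rules, exch in (("LAN + port forwarding", LAN_PORT_FORWARD, EXCHANGE_ON_LAN),
                               ("third-NIC DMZ", THIRD_NIC_DMZ, EXCHANGE_ON_DMZ)):
        print(f"{label}: a compromised Exchange at {exch} could reach "
              f"{reachable_from(rules, exch, INTERNAL_TARGETS)}")
```

Under placement A the model reports all three internal targets reachable, because the mail server and the file server sit in the same zone and no firewall sits between them; under placement B only the single permitted LDAP flow remains. The same table-driven check is what you would run against a real ruleset when deciding which DMZ-to-inside flows are truly needed.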
 

MulLa

Golden Member
Jun 20, 2000
1,755
0
0
Just wondering for a 35 user office. If it makes sense to create a DMZ for Exchange.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Just wondering for a 35 user office.

The number of users isn't terribly important, it's more the amount and sensitivity of data that is important. And of course how much of a problem you would consider it if you were to get broken into. And allowing things like IMAP, LDAP and HTTP access to the box is just asking for trouble, you know IMAP passwords are passed in plain-text, right?

If it makes sense to create a DMZ for Exchange.

If that's your only point of contact for SMTP it should be isolated. We have a few Exchange boxes and they're all internal, but they relay through an SMTP proxy so no real access is available to them from the Internet which is how it should be, IMO.
 

MulLa

Golden Member
Jun 20, 2000
1,755
0
0
Nothinman: Well first of all thank you for your info.

Yes I do know that IMAP passwords are exchanged in plain text. Am I wrong to say that "I'm comfortable in plain text password exchange as we have a passworded FTP server and it has been alright for the past year?" The FTP was setup by someone before I came here.

If I eliminate IMAP and implement ROH would that improve the password situation? I suppose LDAP and HTTP are still necessary for OWA and address lookups.

Alright, I'll go and do some reading on DMZ implementation for Exchange.

Thanks once again for everyone's help.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: MulLa
Nothinman: Well first of all thank you for your info.

Yes I do know that IMAP passwords are exchanged in plain text. Am I wrong to say that "I'm comfortable in plain text password exchange as we have a passworded FTP server and it has been alright for the past year?" The FTP was setup by someone before I came here.

If I eliminate IMAP and implement ROH would that improve the password situation? I suppose LDAP and HTTP are still necessary for OWA and address lookups.

Alright, I'll go and do some reading on DMZ implementation for Exchange.

Thanks once again for everyone's help.

Past performance is not indicative of future performance. I haven't been mauled by a tiger, but I'm not going to the zoo with t-bone underpants.

For the webserver, you should be able to do all of those transactions over an SSL encrypted link. I imagine you should be able to do IMAP and other such protocols over encrypted links too.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Am I wrong to say that "I'm comfortable in plain text password exchange as we have a passworded FTP server and it has been alright for the past year?" The FTP was setup by someone before I came here.

You have to decide if it's a risk you're willing to take. Personally I wouldn't use any real accounts for those FTP servers and I wouldn't allow IMAP access via the Internet without some form of encryption wrapping it. Even for my personal mail server I only use IMAP over SSH or webmail via HTTPS to access my mail remotely, I would never even consider a plain-text service for my work network unless forced to.

If I eliminate IMAP and implement ROH would that improve the password situation? I suppose LDAP and HTTP are still necessary for OWA and address lookups.

I'm not sure how OWA works but I know I wouldn't have the web server on the same box as the Exchange server unless it's unavoidable. We use Citrix for all of our remote access so that eliminates the need for something like OWA and I trust Citrix a little more than OWA, IIS and Exchange.
 

mboy

Diamond Member
Jul 29, 2001
3,309
0
0
Make sure when you opt for DMZ (and you will, um, should) that it is a REAL DMZ with an interface that is physically separate (think 3rd NIC) from the LAN and WAN interfaces, NOT the DMZ as Linksys, D-Link, etc. think it is.
 

MulLa

Golden Member
Jun 20, 2000
1,755
0
0
n0cmonkey: Thanks for giving me a kick in the butt. I know laziness is no excuse for lack of security. I've successfully tested IMAP over SSL last night in a test lab environment. I'll go and try out HTTPS and secure LDAP over this week. But I must say... "Where do I pick up a pair of those t-bone underpants"?? :evil:

Nothinman: If I may ask what sort of mail server do you run at home? Just interested in having one of my own to play around with. Unfortunately, being the small company that we are, I don't think they'll allow for another server. Heck they are even saying the whole Exchange package for USD$13300 with 35 licenses is a tad expensive! Will investigate more into HTTPS and locking down IIS. I suppose IIS6 is more secure than IIS5.

mboy: I was thinking to get an additional router to do this DMZ thing. Thank you for the tip here, I was checking our router last night to see if it had a DMZ feature but forgotten about the "3rd NIC" thingy.

Alright thank you once again everybody. It's back to more testing and experimenting in my lab :light:
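Nothinman's objection to plain-text IMAP and MulLa's IMAP-over-SSL test both come down to one question: can a password cross the wire before TLS is up? The following is an added example (not code from the thread) with two defender-side checks: one reads the server's CAPABILITY advertisement (RFC 3501 and RFC 2595 define STARTTLS and LOGINDISABLED) to classify a port-143 listener, the other walks a client/server transcript and reports any LOGIN or AUTHENTICATE issued before STARTTLS succeeded. The transcripts, tags and usernames are constructed; the "C:"/"S:" line format is an assumption of this example, not a real capture format.

```python
"""Added example: two checks for the IMAP cleartext-password concern.
All transcripts and names below are constructed for illustration."""
import re
from typing import List, Set, Tuple


def parse_capabilities(server_line: str) -> Set[str]:
    """Extract capability tokens from '* CAPABILITY ...' or '* OK [CAPABILITY ...]'."""
    match = re.search(r"CAPABILITY\s+([^\]\r\n]*)", server_line)
    return set(match.group(1).split()) if match else set()


def assess_plaintext_exposure(caps: Set[str], implicit_tls: bool = False) -> str:
    """Classify a listener from what it advertises before any TLS.

    implicit_tls=True describes an imaps (port 993) listener, where the TLS
    handshake happens before any IMAP command, so nothing crosses in the clear."""
    if implicit_tls:
        return "ok: implicit TLS, credentials never cross the wire in the clear"
    if "STARTTLS" in caps and "LOGINDISABLED" in caps:
        return "ok: plaintext LOGIN refused until STARTTLS completes"
    if "STARTTLS" in caps:
        return "weak: STARTTLS offered but plaintext LOGIN still accepted"
    return "bad: no TLS at all, every LOGIN sends the password in the clear"


def find_cleartext_credentials(transcript: List[str]) -> List[Tuple[str, str, str]]:
    """Report LOGIN/AUTHENTICATE commands issued before a successful STARTTLS.

    Lines look like 'C: <tag> <command> ...' or 'S: <tag-or-*> <response> ...'
    (constructed format). Returns (tag, command, third token): the username
    for LOGIN, the SASL mechanism for AUTHENTICATE. Passwords are never kept."""
    findings = []
    tls_active = False
    pending_starttls_tag = None
    for line in transcript:
        who, _, payload = line.partition(" ")
        tokens = payload.split()
        if len(tokens) < 2:
            continue
        tag, word = tokens[0], tokens[1].upper()
        if who == "C:":
            if word == "STARTTLS":
                pending_starttls_tag = tag
            elif word in ("LOGIN", "AUTHENTICATE") and not tls_active:
                findings.append((tag, word, tokens[2] if len(tokens) > 2 else "?"))
        elif who == "S:" and tag == pending_starttls_tag and word == "OK":
            tls_active = True          # everything after this line is inside TLS
            pending_starttls_tag = None
    return findings


# Constructed transcripts. In the second one the lines after the STARTTLS OK
# would be encrypted on the wire; they are shown decrypted for illustration.
PLAINTEXT_SESSION = [
    "S: * OK [CAPABILITY IMAP4rev1 STARTTLS] server ready",
    "C: a001 LOGIN alice hunter2",
    "S: a001 OK LOGIN completed",
]
TLS_FIRST_SESSION = [
    "S: * OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] server ready",
    "C: a001 STARTTLS",
    "S: a001 OK Begin TLS negotiation now",
    "C: a002 LOGIN bob s3cret",
    "S: a002 OK LOGIN completed",
]

if __name__ == "__main__":
    for name, session in (("plaintext", PLAINTEXT_SESSION), ("tls-first", TLS_FIRST_SESSION)):
        caps = parse_capabilities(session[0])
        print(name, "->", assess_plaintext_exposure(caps),
              "| cleartext credentials:", find_cleartext_credentials(session))
```

The first session is the case Nothinman warns about: the server offers STARTTLS but still accepts a plain LOGIN, so a client that skips the upgrade leaks the password. The second session is what a correctly configured port-143 listener looks like, and MulLa's "IMAP over SSL" (imaps on 993) corresponds to the implicit_tls branch, where the question never arises.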
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
If I may ask what sort of mail server do you run at home?

I run postfix and Cyrus-IMAPd on Debian and I use Apache and Horde/IMP for the web interface. It's all 100% free software but can be a little confusing to set up at first, especially Cyrus because of the SASL stuff, but once you get that figured out it's pretty simple.
 

MysticLlama

Golden Member
Sep 19, 2000
1,003
0
0
I have my Exchange server on the Internal network, with two ports opened and allowed in.

I let in SMTP (so it will work) and https (OWA over https, no http at all)

I looked into doing the DMZ thing with the PIX, and once you've let all the LDAP ports and such that you need through, you are making a lot of attacks that use those ports available to someone who manages to compromise the box, and with that level of access, it becomes almost as bad as just having the box on the internal network.

I wouldn't recommend allowing http traffic to your Exchange server though, there aren't any recent holes that I know of, but there has been a fair share in the past, and they didn't affect https.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: MysticLlama
I have my Exchange server on the Internal network, with two ports opened and allowed in.

I let in SMTP (so it will work) and https (OWA over https, no http at all)

I looked into doing the DMZ thing with the PIX, and once you've let all the LDAP ports and such that you need through, you are making a lot of attacks that use those ports available to someone who manages to compromise the box, and with that level of access, it becomes almost as bad as just having the box on the internal network.

I wouldn't recommend allowing http traffic to your Exchange server though, there aren't any recent holes that I know of, but there has been a fair share in the past, and they didn't affect https.

http attacks will generally work over https, just encrypted so you can't see what's going on. :evil:
 

MysticLlama

Golden Member
Sep 19, 2000
1,003
0
0
Right, that's true, but there are no inherent problems with OWA, like there are with http, that's what I was getting at.

Nothing like that lovely one a few weeks back that affected http and https on Win2k and 2k3, at least they got it on Windows Update quick.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Right, that's true, but there are no inherent problems with OWA, like there are with http, that's what I was getting at.

Doesn't OWA just sit on top of IIS?
 

wlee

Senior member
Oct 10, 1999
585
0
71
If ya really wanna do this the "poor man's" way, then just multi-home the mail server. Have one NIC on your internal LAN subnet and the other plugged into your WAN side. ( You could even stick a Linksys SOHO junkbox router between the "outside" NIC and the WAN IP. )
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
If ya really wanna do this the "poor man's" way, then just multi-home the mail server. Have one NIC on your internal LAN subnet and the other plugged into your WAN side. ( You could even stick a Linksys SOHO junkbox router between the "outside" NIC and the WAN IP. )

Which negates pretty much all of the security you'd gain from using a DMZ.
 

wlee

Senior member
Oct 10, 1999
585
0
71
Originally posted by: Nothinman
If ya really wanna do this the "poor man's" way, then just multi-home the mail server. Have one NIC on your internal LAN subnet and the other plugged into your WAN side. ( You could even stick a Linksys SOHO junkbox router between the "outside" NIC and the WAN IP. )

Which negates pretty much all of the security you'd gain from using a DMZ.

Well, this *ASS*umes that a software firewall would be used as well. This technique allows the LAN side to still have full network speed, be it 100Mbit or even Gigabit. No "cheap" Firewall box that I know of has that kind of I/O on its DMZ. One of the reasons for running your own mail server is to make it "feel" blazing fast to the users, even if it can only connect via dial-up to the outside world. I had to run a 25 client mail server that way for 4 years because we couldn't get broadband and as the powers that be put it, "we're not in the computer business. We don't need frame relay or T1. Why do we even need a mail server at all ? We can use HotMail ! " Most "small business" owners have such mentality. They think that home user infrastructure and pricing applies to their business as well. I guess you've never had to keep everyone spoon-fed, fat, dumb, and happy on a poor man's ( home user ) budget.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Well, this *ASS*umes that a software firewall would be used as well.

If this is a corporate network I wouldn't trust a multi-homed Windows box, no matter how much software it's running.

This technique allows the lan side to still have full network speed, be it 100Mbit or even Gigabit. No "cheap" Firewall box that I know of has that kind of I/O on its DMZ

And I can't imagine why you would need gigabit to a mail server unless you have a huge number of clients, but if you can't afford a real firewall or router to separate the networks put together a Linux box and you can use whatever speed NICs you want. I believe all of our Exchange servers where I work are 100Mb and the speed is fine with ~200-300 people per box.

I guess you've never had to keep everyone spoon-fed, fat, dumb, and happy on a poor man's ( home user ) budget.

I've spoon-fed a lot of dumb, fat people, but the company I work for does have a budget that includes things like firewalls and Exchange servers.
 

wlee

Senior member
Oct 10, 1999
585
0
71
Originally posted by: Nothinman
Well, this *ASS*umes that a software firewall would be used as well.

If this is a corporate network I wouldn't trust a multi-homed Windows box, no matter how much software it's running.

Works fine if you stay on top of patches, etc.

This technique allows the lan side to still have full network speed, be it 100Mbit or even Gigabit. No "cheap" Firewall box that I know of has that kind of I/O on its DMZ

And I can't imagine why you would need gigabit to a mail server unless you have a huge number of clients, but if you can't afford a real firewall or router to separate the networks put together a Linux box and you can use whatever speed NICs you want. I believe all of our Exchange servers where I work are 100Mb and the speed is fine with ~200-300 people per box.

I have just "acquired" an old 500MHz Celeron box to do just that. ( SmoothWall or ASTARO ) And no, my budget didn't allow for MS Exchange. We use "Mdaemon" ( I like it better anyway ) , which at the time was $189 for 25 User License.

It doesn't matter if you have 10 or 10,000 users. When they send a letter with a 20MB attachment, they want to see it fly out of their machine like lightning. As is, they sometimes b*tch that the status bar didn't zip past them fast enough. Try that if you didn't have a 100Mbit connected mail server to "buffer" the data.

I guess you've never had to keep everyone spoon-fed, fat, dumb, and happy on a poor man's ( home user ) budget.

I've spoon-fed a lot of dumb, fat people, but the company I work for does have a budget that includes things like firewalls and Exchange servers.

Yea, well, if you've got so much budget, send it my way. :)
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Why not forget the firewall altogether? Maybe put your DC, Exchange, and use ICS all from the same box! :p
 

mboy

Diamond Member
Jul 29, 2001
3,309
0
0
Why would you allow users to send 20MB emails?
I berate my users for sending ones larger than 2MB :)
 

AFB

Lifer
Jan 10, 2004
10,718
3
0
Originally posted by: mboy
Why would you allow users to send 20MB emails?
I berate my users for sending ones larger than 2MB :)

Yes, do you know how long that would take and what it would do ?
 

MulLa

Golden Member
Jun 20, 2000
1,755
0
0
Wow, I thought this thread was dead, but still decided to check it one more time. I was really surprised by the amount of discussion going on here. Certainly very educational on my part.

I was doing a lot of experimenting these days. I think I've decided on allowing remote access via VPN instead of all this IMAP4 and OWA business.

Just get another router with VPN function and stick it outside the current firewall and create a DMZ.

I totally understand the difficulty to explain to the boss why we need to spend more money on yet another router.
 

Boscoh

Senior member
Jan 23, 2002
501
0
0
Are you talking about IPSec VPN?

If so, you need to understand the can of worms you are opening. IPSec VPN can be thought of as an extension of your LAN. Without proper access-control lists, the remote PC acts as if it was sitting on your network and has unrestricted access to it. This means if the remote PC is infected with 40 million worms, which most home user PCs are, then you have 40 million worms running across your network.

Personally, I'd stick Exchange in the DMZ, restrict the hell out of it's access back to the inside, or better yet stick it on the inside with a relay device in the DMZ such as TrendMicro's MailScan which filters for viruses. If you want people to have OWA, force them to do it over HTTPS, or better yet deploy an SSL secure proxy which they have to tunnel through to get access to OWA. I'd do any of those things before I deployed IPSec to allow access to Exchange.