
Exchange server 2k w/ OWA...behind or in front of firewall?



<< have it over 2 years now, no problem. I have no paranoia. like any other port >>



A few things....
Nimda and Code Red did not exist two years ago. Luck??
I DO have paranoia (well, I'm paid to be that way).
We don't allow *any* ports directly from the internet into our private network. Period. All inbound traffic must stop at some point outside the private network. (Yes, even SMTP mail)

BTW, in case you weren't aware...I'm referring to a business implementation, and not a small one. (We're in the >10,000 employee category).

--Woodie

 
Yes, those viruses do exist. I also get paid for my work. But is there any way to surf or receive mail without opening a port?
Sure it's critical for enterprises, and so for small businesses. Sure MS products are more vulnerable because they are more targeted.

Any suggestion for it? I don't see any completely secure design there.
 
The only secure design? (Well, acceptable level of risk) Don't use Exchange for web-based mail.

We're working on an architecture, but the "folks" who wrote Exchange, and the IIS front-end obviously paid next to no attention to security. The logoff bug is enough to prove that. The architecture of the rest of the application makes it very difficult, at best, to try and set it up in a secure fashion.



<< is there any way to surf or receive mail without opening a port? >>


Yes.
1. Surfing is done on port 80, OUTBOUND only. You can use proxy servers and firewall logins/ACLs if you want to restrict/control browsing.
2. Put an email server in a DMZ. Open port 25 (SMTP) inbound to the mail server. Configure the mail server to: Drop all executable/script attachments. Virus-scan all other attachments (including opening up compressed attachments). Have some sort of spam-filtering enabled. Forward whatever mail is left to an internal mail server, for distribution to IMAP or POP3 servers on the private network. Could be port 25, but preferably a different one. Note: Write the internal firewall such that: the Email server is the only sending IP addy, the internal email server is the only recipient, and it's limited to a single port.
3. You could also set it up such that the inbound and outbound mail servers are different, on different networks, behind different firewalls. Depends on how paranoid you are.

--Woodie
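As an added illustration of the DMZ relay policy Woodie describes above (drop executable/script attachments, look inside compressed attachments, forward the rest), here is a minimal Python version; this is not code from the thread, and the extension blocklist and the sample message are assumptions constructed for the example.

```python
import io, zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Extensions treated as executable/script content (assumed list, not from the thread).
BLOCKED_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta")

def zip_contains_blocked(data):
    # Check member names of an in-memory zip, recursing into nested zips; fail closed.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                nested = info.filename.lower().endswith(".zip") and zip_contains_blocked(zf.read(info))
                if info.filename.lower().endswith(BLOCKED_EXT) or nested:
                    return True
    except zipfile.BadZipFile:
        return True  # unreadable archive: do not relay what we cannot inspect
    return False
def strip_attachments(msg, dropped=None):
    # Recursively drop blocked attachment parts; returns the list of dropped filenames.
    dropped = [] if dropped is None else dropped
    if msg.is_multipart():
        kept = []
        for part in msg.get_payload():
            name = (part.get_filename() or "").lower()
            bad = name.endswith(BLOCKED_EXT) or (name.endswith(".zip")
                  and zip_contains_blocked(part.get_payload(decode=True) or b""))
            if part.get_content_disposition() == "attachment" and bad:
                dropped.append(part.get_filename())
            else:
                strip_attachments(part, dropped)
                kept.append(part)
        msg.set_payload(kept)
    return dropped
def filter_message(raw):
    # Relay entry point: parse raw RFC 822 bytes, return (cleaned message, dropped names).
    msg = message_from_bytes(raw, policy=default)
    return msg, strip_attachments(msg)
def build_sample():
    # Constructed test input: a text attachment, a bare .exe and a zip hiding a .scr.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf.scr", b"MZ not really")
    msg = EmailMessage()
    msg.set_content("see attached")
    msg.add_attachment(b"hello", maintype="text", subtype="plain", filename="notes.txt")
    msg.add_attachment(b"MZ", maintype="application", subtype="octet-stream", filename="setup.exe")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="docs.zip")
    return msg.as_bytes()
```

The cleaned message keeps its body and the benign text attachment; the bare .exe and the zip that hides a .scr are dropped, and a zip the relay cannot open is dropped rather than forwarded.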
 
Woodie: So you open port 80 from your internal network, outbound only. Your set up sounds nice and secure. You should know, however, that an open port, whether it be inbound or outbound, is an open port. A hack that knows enough and wants in is capable of making your firewall think that his inbound HTTP has been solicited by a client surfing out on your internal network. That's just a fact. You sound like you know your stuff, so I am sure you know there is no such thing as 100% security. It's all a matter of how badly a skilled hack wants in.
I only put forth my solution because it actually involves opening fewer ports on the firewall than any DMZ solution.
Even with your set up, you still have to allow for all the ports (in and out) I listed above. An Exchange server in a DMZ needs to talk with the DCs on the private network, no exceptions, and especially if OWA is a desire. I can think of ten compromises of LDAP alone, let alone DNS.
I guess this is why you are saying that Exchange is not a great option for email, and I take that point.
What I suggest to you is, it isn't so bad outside of a DMZ. Not any worse than any other set-up.
 
Then there's that nice upper management user who has to check his Hotmail account and open the daily virus attachment to keep you on your toes, arrg.

I do agree that there are ways to implement super safety, but it all is dependent on budget, time, staff, etc. Good thread! Keep it going.
 
Saltin
I agree with your points about locating the Exch FE in the private network, rather than a DMZ, because of the multitude of ports necessary for it to talk to a DC in the private network.

It's ugly, no matter how you do it. That's why our decision was not to do it at all. That's the right decision for us, based on *our* level of risk tolerance. In our conf calls w/ MS, their operations folks indicated that they were not too happy with their implementation of Exchange, from a security perspective. They have a different tolerance for risk, and as operations, they don't have too much choice--they have to use the company product.

--Woodie

edit: Typo
 
I understand where you are coming from, Woodie. The problem with Exchange 2000 is its complete and utter dependence on Active Directory. It makes things really easy in day to day administration (creating mailboxes, authenticating users, etc.) but that ease comes with a price (diminished security). That's a price not everyone is willing to pay.
 
<----smiles because of notes 🙂

Good thread though. As always, network security decisions will be based on risk vs. ease of use/business requirements. Woodie has brought up some very good points, especially the no web access to e-mail.
 
Ok, one more way to secure your Exchange box from .exe's and other attacks. Set up NBAR to strip them on your router. Go to Cisco's website and read about it. This has limitations though, with some drawbacks like router overhead.
 
SR brings up a good point, about using a filtering router to help contain worms.

I asked our network folks about this during the NIMDA attack, and their response was that they wouldn't implement this, because it was more likely to bring the router to its knees, because of the volume of traffic, vs the speed of the hardware. Obviously, YMMV.

I think it's a particularly elegant solution, myself.

--Woodie
 