JoesCat

asked on
Exchange server 5.5 on DMZ or trusted interface?

First, I'm a new user here; 80 pts is all I have so far.

I will be purchasing a firewall, probably either a Cisco PIX 515E, or Netscreen 25.

I am on an internet T1 line. I have an Exchange Server 5.5 on an NT4 member server. This server is providing SMTP, IIS Web for Outlook Web Access only, and I am doing light traffic with IIS's FTP server (logging only into local logon accounts on the member server for FTP). Eventually the FTP services may move to another software package yet to be evaluated.
The OWA website is using CHAP (you are asked for your logon credentials first, before accessing the website).
Outlook 2000/XP is the client on the LAN.

I read in another question that it is tricky to place the Exchange Server in the DMZ zone, due to the need for domain logon authentication for LAN users, etc.

This firewall will also serve as the users' general internet access, and I anticipate using NAT.

At this time, there is only the one server in question.

That opens the debate.  Is it "too risky" placing the server on the trusted interface, and only directing the needed ports from the untrusted side to the exchange server?  If so, is it possible to get things working properly with the Exchange Server in the DMZ zone?

My personal context is that I'm an MCSE, so I'm good with NT servers and such. I do not have much experience with firewalls (I've owned and managed two Netscreen lower-end devices; I'm completely new to Cisco's offerings). I understand the basics of routing, but it's not my cup of tea. I will be purchasing tech support for the chosen firewall, so I will have some technical help there when the time comes.
Les Moore

We've done it both ways. Personal opinion: the Exchange server is more secure on the internal network, with access controlled through very explicit ports, than it would be moved into a DMZ with all the domain dependency traffic still going through the firewall. If you were not using OWA, I would say leave it on the inside network and put a simple SMTP relay host in the DMZ that only has to forward SMTP mail into the inside network.

Since you are using OWA (over SSL, I hope), putting the Exchange server into the DMZ may help protect your internal LAN if the server were compromised by an exploit of POP3/OWA (it still depends on the swiss-cheese IIS) or SMTP.

Just don't let putting the server into a DMZ lull you into a false sense of security. You still must maintain vigilance to keep all the security patches up to date and keep the server "locked down". I would suggest a host-based intrusion detection system, well established firewall rules, and locking down the external router to make a secure first line of defense.

If your Exchange server becomes the lifeblood of communications and collaboration within your organization, then it is a business-critical system that should have NO direct outside connectivity. Set up a 2nd server in the DMZ that can serve the remote clients and serve as a relay host.
JoesCat (ASKER)

Thanks for your response. It's a bit to think about (especially since I'm not real good at the firewall configuration aspect yet).

I'm ending up with more questions that I'll need to pose separately.

Did I not assign enough points (80)?  

Based on my thoughts and this one response, it seems I'd be a little better off placing the server in the DMZ zone. I thought I remembered reading that it is a grueling configuration to set up. Going that route, I'm certain I'd start a new question thread.
ASKER CERTIFIED SOLUTION
Les Moore
alewisa

lrmoore's comment regarding position is correct. A system configured according to UK GSI recommendations has three distinct networks: the inner clean network, a DMZ (the 'dirty' network), and the untrusted external network (e.g. the rest of the world). A full-blown implementation has 'clean' mail, web cache, news (etc.) servers on the inner clean network. The DMZ hosts public-facing servers (e.g. internet web site, mail and news servers). Routers and bastion hosts ['firewalls'] are used to segregate networks and route traffic. One or more servers may be used to host the services in the DMZ.

In this example, incoming mail is sent to the 'dirty' mail server. This is used as a relay to the inner mail server. Outgoing mail goes from the clean mail server to the dirty mail server, and the bastion host [e.g. a PIX, Firewall-1, whatever firewall] policy will only allow mail traffic to flow between these systems, and check that data packets match the IP packet type.

The entire system, from outer screening router to inner screening router, is a firewall, hence it is a misnomer to say the "firewall" routes and controls mail flow. However, as the term firewall is accepted to mean a single box as opposed to a DMZ system, I feel an explanation is needed.

How could you replicate this? Without the ability to post a picture, it's difficult to describe the physical architecture, but the easiest method would be to build a small Linux box, remove ALL unnecessary services (i.e. harden the box), and run only sendmail, receiving external mail and forwarding it to your Exchange server, and receiving mail from Exchange and sending it onwards. ACLs on the internet-facing router 'protect' this box (but it's dirty and hence untrusted anyway, and considered 'expendable'). Make a good backup once the system is up and seal it away!

The firewall (in this case a box) separates this box from the inner clean network, and routes traffic between Linux and Exchange, checking that the traffic is SMTP (perhaps some X.400 as well, if needed) and only goes from box to box.

If you are in the UK, you can request the UK Government security architecture manuals, which detail the architecture. The US Govt has similar guidelines. Although low-level classified, they are nothing secret, merely info commercially available re-written in government lingo ;)

Brgds
Alan
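
The mail-flow policy described above, modelled as a first-match rule set so the isolation property can be checked mechanically. This is an added example, not part of the thread; the relay and Exchange addresses and the zone address ranges are constructed.

```python
"""Three-zone mail-flow policy model (added example, not from the thread).

Zones: 'external' (rest of world), 'dmz' (the 'dirty' sendmail relay) and
'internal' (the clean network holding Exchange). All addresses are constructed
from RFC 5737 / RFC 1918 ranges and stand in for the poster's topology.
"""
from dataclasses import dataclass

RELAY = "192.0.2.25"      # constructed: hardened sendmail relay in the DMZ
EXCHANGE = "10.0.0.10"    # constructed: Exchange 5.5 on the inner clean network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def zone_of(ip: str) -> str:
    """Constructed zone mapping: 10/8 is internal, 192.0.2/24 is the DMZ."""
    if ip.startswith("10."):
        return "internal"
    if ip.startswith("192.0.2."):
        return "dmz"
    return "external"


# First-match rules: (src, dst, proto, dport, action). Each side is a host
# address, a zone name or 'any'. Only the four SMTP legs the post allows are
# permitted; the trailing catch-all denies everything else.
RULES = [
    ("external", RELAY, "tcp", 25, "permit"),     # inbound mail to the dirty relay
    (RELAY, EXCHANGE, "tcp", 25, "permit"),       # relay forwards into Exchange
    (EXCHANGE, RELAY, "tcp", 25, "permit"),       # Exchange hands outbound mail to relay
    (RELAY, "external", "tcp", 25, "permit"),     # relay delivers onwards
    ("any", "any", "any", 0, "deny"),
]


def _side_matches(pattern: str, ip: str) -> bool:
    return pattern in ("any", ip, zone_of(ip))


def evaluate(flow: Flow) -> str:
    """Return the action of the first matching rule ('deny' if none matches)."""
    for src, dst, proto, dport, action in RULES:
        if (_side_matches(src, flow.src) and _side_matches(dst, flow.dst)
                and proto in ("any", flow.proto) and dport in (0, flow.dport)):
            return action
    return "deny"


def dmz_isolation_holds() -> bool:
    """The property the post argues for: nothing from the DMZ reaches the inner
    network except SMTP from the relay to Exchange. Probes Windows domain/RPC
    ports from the relay, a second DMZ host, and a second internal host."""
    probes = [Flow(RELAY, EXCHANGE, p) for p in (135, 139, 389, 445, 3389)]
    probes += [Flow("192.0.2.99", EXCHANGE, 25), Flow(RELAY, "10.0.0.20", 25)]
    return all(evaluate(f) == "deny" for f in probes)
```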

JoesCat (ASKER)

lrmoore, yes, it would be easier if the box was only an Exchange Server. But as you said earlier, we also use that darn Outlook Web Access, hence the need to use IIS as well. That's what is leaning me towards placing it in the DMZ.

It is great information about using an SMTP relay. I did a cursory search, but didn't find a good one for Windows that looked appealing. I know nothing about Linux, but it would be a good excuse to start. But time to implementation and workload will not permit that solution out of the gate.

Any other comments to support or refute where we are so far?
Even with OWA, as long as you are using SSL, you only have to open one additional port through the firewall.

Check out eSafe as an SMTP gateway:

http://www.esafe.com/esafe/appliance.asp?cf=tl

Linux install is easy. Just say NO to every service except sendmail. Check out the various FAQs and readmes for configuration.
JoesCat (ASKER)

Thank you very much, lrmoore and alewisa, for your added comments. I'm evaluating either trying my first Linux box and sendmail for a cheap SMTP gateway, and I'm beginning to look into eSafe. Thanks again!
JoesCat (ASKER)

There is no one right answer to the question, I realize. Thanks to all for their input; it WILL be used!