John_Mc

asked on

Advice required regarding connecting an exchange server behind a firewall and forwarding ports

Hi all,

In my quest for greater stupidity and knowledge, I am putting a proposal to my boss for new services and hardware.

What we run now:

Inet ---- cable modem --- Router ---- LAN --- PC's and w2k Server with exchange and SQL


What I want to do is bring our website in house, and bring our mail in as well using a DSL service and a second router.

ie
Inet ---- cable modem --- Router 1 ---- LAN --- PC's and w2k Server with exchange and SQL

Inet ---- DSL modem ---- Router2 ---- LAN (forward ports on Router2 to the w2k server for mail in and out, maybe a webserver on Router 2 as well)

Some useful notes:

1. We have been running our current setup for approx 3-4 years. We have had no virii or other attacks on our w2k server.

2. The routers are only able to handle one ISP connection at a time. (I don't have a problem running two routers)

My questions are related to other people's experience similar to my proposed network:

Has anyone had any direct hacker or virus attacks on a Windows server by having the mail port(s) forwarded per the diagram above? (I do not include Virii that are mail attachments to users on the network in this)

Or can anyone foresee potential harm? If need be, I will install a mail server on Router2 as well and have our exchange server collect mail via pop3 (current operation but pop3 server is not on our site)



Cheers,
ASKER CERTIFIED SOLUTION
Robing66066

John_Mc

ASKER

Many thanks for the speedy answer.

Robin? - can you please have a look at my comments below and make some additional comments...

The Server we use is a w2k small business server with all updates and patches installed.

The boxes are a linux firewall/router (freesco) and will be the latest version. I have been running one at the office for three years or so, and there have been no attacks to date, and one at home for nearly a year, likewise. They did stop the Sasser virus getting into our office quite nicely too...

At the moment, our current internet connection is cable, which we will retain for general web browsing as it is a 4Mb connection, and I am proposing to get a 512/512 DSL for PPTP VPN access (VPN server on the Firewall / router with 30 character usernames and passwords - risk assessment deems this to be secure enough, besides, my w2k server won't vpn natively via the firewall - a good thing really) and migrating our domain to the new router/firewall DSL service (currently hosted elsewhere) for our website and to get mail to come in directly.

The router/firewall can also stealth ports as well. I propose to only have port 80 open for the web server, a port for a SSH server on the router (I have this now), a port for the VPN server and incoming port 25 for mail to come in on - only port 25 will be a port forward, everything else will terminate or be rejected at the firewall. Obviously the ssh and vpn ports are not standard port numbers.

Basically, the only port I will be forwarding inside the firewall will be for mail. Everything else will stop at the new firewall/router.

As far as the 'real hackers' goes, yes, they can exploit anything, I just try to minimise the risk. As far as Freesco goes, it seems to be good, and the team that look after it respond very quickly to any security issues. I haven't really tried other firewalls as they have been a pain to install, and have operated on the same principles anyway.

With all of this in mind, and the concept that I will not have a Windows server on the edge of my network (as a gateway) then I don't see too much of a problem, even with 0 day attacks. I figure that the Windows box is the most vulnerable due to the number of hackers attacking Windows boxes and that the linux box is inherently more secure because there are fewer hackers and fewer vulnerabilities.

Cheers and thanks



SOLUTION
John_Mc

ASKER

Thanks very much for the reply again... The PPTP server will use MSChap V2, hence the really long usernames and passwords with random characters. Once again, I am trying to keep the kiddies out, and make it as hard as possible for the serious hackers.

If we maintain a low profile on the internet, we should be ok as the freesco boxes will be stealthed and there are no holes that I know of. (which is why I will host the web server on the firewall itself and tighten the security to the point of ridiculousness.)

The SSH uses 3DES and AES, so that is not a problem (I only use SSH2)

The only issue I have is that when I allow VPN access (I am trialling it myself at the moment) the username and password used when the person logs onto their machine and the machine name is passed by the VPN server to the W2k domain, regardless of the U/P used to log onto the VPN server. If the machine is in the Active Directory but the logon name and password fail, the machine is automatically assigned to the security group 'everyone' in the AD, and they can map the c$ and several other folders that are not specifically restricted by removing the 'everyone' security group from the folder. I am trying to fix this at the moment, but it appears that Microsoft rely on the 'everyone' access for access to the exchange server data stores and many other things (I haven't had a lot of time to look into this yet).

Once again, many thanks for the reply.