
Advice required regarding connecting an exchange server behind a firewall and forwarding ports

Hi all,

In my quest for greater stupidity and knowledge, I am putting a proposal to my boss for new services and hardware.

What we run now:

Inet ---- cable modem --- Router ---- LAN --- PC's and w2k Server with exchange and SQL

What I want to do is bring our website in house, and bring our mail in as well using a DSL service and a second router.

Inet ---- cable modem --- Router 1 ---- LAN --- PC's and w2k Server with exchange and SQL

Inet ---- DSL modem ---- Router2 ---- LAN (forward ports on Router2 to the w2k server for mail in and out, maybe a webserver on Router 2 as well)

Some useful notes:

1. We have been running our current setup for approx 3-4 years. We have had no virii or other attacks on our w2k server.

2. The routers are only able to handle one ISP connection at a time. (I don't have a problem running two routers)

My questions are related to other people's experience similar to my proposed network:

Has anyone had any direct hacker or virus attacks on a windows server by having the mail port(s) forwarded per the diagram above? (I do not include Virii that are mail attachments to users on the network in this)

Or can anyone foresee potential harm? If need be, I will install a mail server on Router2 as well and have our exchange server collect mail via pop3 (current operation but pop3 server is not on our site)

2 Solutions
If you are just running a router that allows all traffic to your inside devices, you will probably get hit with your first attack within 30 minutes of connecting.  

The traditional approach here calls for a proper firewall in between the Inet and a DMZ, then a second firewall between the DMZ and your Internal network.  

That said, you can get by with a single firewall, so long as you are only pointing back to the specific servers you want to make available and allowing only the port traffic you want to make available.  (In this case port 25 and 80).

We've been running that sort of a setup for about 6 years and have yet to see a successful attack (or at least detect such an attack).  What it really comes down to is the equipment that you are using for your mail/web server.  If you keep it up to date (patchwise) and monitor it regularly, you stand a pretty fair chance of fending off whatever blind attacks may come at you.  

Remembering that most attacks on the net are those of opportunity, not malice, your goal is to make it hard for a casual attack (script kiddie) to succeed.  Convince them to go somewhere else because it's easier to get in there than here.  It's kinda like having a beware of dog sign up.  Maybe your dog doesn't bite.  Maybe you don't even have a dog.  But the burglar thinks to himself, "All that could be true, but I *know* the guy across the street doesn't even have a sign, so I'll rob him instead."

Now, that said, if someone really wants to get in -- with the setup you propose, he will have an easier time of it than if you did the double firewall routine.  He'll find some exploit for whatever you're running on your server and use it to get in.  From there he can go anywhere on your network, because he's on the inside.  If you are a company that people are likely to target, then this is probably not the solution for you.

The only other thing to watch out for in this scenario is a zero-day attack.  Really nasty zero-day attacks are a little more rare than in the past, but basically they are attacks where there is no patch currently available because no one except the attacker knew about the vulnerability.  There's not a lot you can do about those, but the nice thing is that no one can do much about them, so everyone is in the same boat.  Out of the thousands of infected and/or compromised machines, you can hope that you simply won't draw personal attention and be attacked.  (Assuming you survived the initial assault from the worm/virus/whatever.)

Bottom line.  This isn't the best way you can go, but if you're on a limited budget and are OK with being reasonably safe, you can do it.

Good luck.
John_Mc (Author) commented:
Many thanks for the speedy answer.

Robin? - can you please have a look at my comments below and make some additional comments...

The Server we use is a w2k small business server with all updates and patches installed.

The boxes are a linux firewall/router (freesco) and will be the latest version. I have been running one at the office for three years or so, and there have been no attacks to date, and one at home for nearly a year, likewise. They did stop the Sasser virus getting into our office quite nicely too...

At the moment, our current internet connection is cable, which we will retain for general web browsing as it is a 4Mb connection, and I am proposing to get a 512/512 DSL for PPTP VPN access (VPN server on the Firewall / router with 30 character usernames and passwords - risk assessment deems this to be secure enough, besides, my w2k server won't vpn natively via the firewall - a good thing really) and migrating our domain to the new router/firewall DSL service (currently hosted elsewhere) for our website and to get mail to come in directly.

The router/firewall can also stealth ports as well. I propose to only have port 80 open for the web server, a port for a SSH server on the router (I have this now), a port for the VPN server and incoming port 25 for mail to come in on - only port 25 will be a port forward, everything else will terminate or be rejected at the firewall. Obviously the ssh and vpn ports are not standard port numbers.

Basically, the only port I will be forwarding inside the firewall will be for mail. Everything else will stop at the new firewall/router.

As far as the 'real hackers' goes, yes, they can exploit anything, I just try to minimise the risk. As far as Freesco goes, it seems to be good, and the team that look after it respond very quickly to any security issues. I haven't really tried other firewalls as they have been a pain to install, and have operated on the same principles anyway.

With all of this in mind, and the concept that I will not have a Windows server on the edge of my network (as a gateway) then I don't see too much of a problem, even with 0 day attacks. I figure that the Windows box is the most vulnerable due to the amount of hackers attacking windows boxes and that the linux box is inherently more secure because there are less hackers and less vulnerabilities.

Cheers and thanks
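The single-firewall design in the first answer (expose only the ports you mean to, pointed at specific servers) and the port plan in the comment above (port 80 and the SSH and VPN ports terminating on the router, port 25 as the only forward to the Exchange box, everything else silently dropped) can be written down as one default-deny policy. The following is an added example, not code from the thread or from Freesco: it expresses that policy as a rule table, renders it as iptables commands for a generic Linux router, and evaluates a few constructed inbound connections against it so you can see exactly what reaches the inside. The interface names, the 192.168.1.10 address for the mail server and the 2222 SSH port are assumptions, not the poster's real values.

```python
# Added example (not from the thread): default-deny edge policy for the
# "one firewall, one forwarded port" design discussed above.
from typing import List, Optional

WAN_IF = "ppp0"               # assumed DSL-facing interface on Router2
LAN_IF = "eth0"               # assumed LAN-facing interface
MAIL_SERVER = "192.168.1.10"  # constructed address for the w2k Exchange server
SSH_PORT = 2222               # assumed non-standard SSH port on the router
PPTP_PORT = 1723              # PPTP control channel; its data channel is GRE (IP proto 47)


class Rule:
    """One explicit allow. action is ACCEPT (terminates on the router)
    or DNAT (forwarded to an inside host given by target)."""

    def __init__(self, proto: str, dport: Optional[int], action: str,
                 target: Optional[str] = None) -> None:
        self.proto, self.dport, self.action, self.target = proto, dport, action, target


# Everything not listed here is dropped, which is what "stealthed ports" means.
POLICY: List[Rule] = [
    Rule("tcp", 25, "DNAT", MAIL_SERVER),  # the only forward into the LAN: SMTP
    Rule("tcp", 80, "ACCEPT"),             # web server runs on the router itself
    Rule("tcp", SSH_PORT, "ACCEPT"),       # router admin over SSH2
    Rule("tcp", PPTP_PORT, "ACCEPT"),      # PPTP VPN server on the router
    Rule("gre", None, "ACCEPT"),           # PPTP tunnelled traffic
]


def render_iptables(policy: List[Rule]) -> List[str]:
    """Render the policy as iptables commands (dry run: returns the lines)."""
    lines = [
        "iptables -P INPUT DROP",
        "iptables -P FORWARD DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        f"iptables -A INPUT -i {LAN_IF} -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A FORWARD -i {LAN_IF} -o {WAN_IF} -j ACCEPT",  # LAN may go out
    ]
    for r in policy:
        match = f"-i {WAN_IF} -p {r.proto}"
        if r.dport is not None:
            match += f" --dport {r.dport}"
        if r.action == "DNAT":
            lines.append(f"iptables -t nat -A PREROUTING {match} "
                         f"-j DNAT --to-destination {r.target}")
            lines.append(f"iptables -A FORWARD {match} -d {r.target} -j ACCEPT")
        else:
            lines.append(f"iptables -A INPUT {match} -j ACCEPT")
    return lines


def evaluate(policy: List[Rule], in_if: str, proto: str, dport: Optional[int]) -> str:
    """Where does a NEW connection arriving on in_if end up under the policy?"""
    if in_if == LAN_IF:
        return "ACCEPT"  # inside hosts may reach the router and the Internet
    for r in policy:
        if r.proto == proto and (r.dport is None or r.dport == dport):
            return f"FORWARD->{r.target}" if r.action == "DNAT" else "ACCEPT"
    return "DROP"  # default deny: no reply, so the port looks closed/stealthed


if __name__ == "__main__":
    print("\n".join(render_iptables(POLICY)))
    # Constructed inbound probes: SMTP, HTTP, SMB, RDP, standard SSH.
    for proto, port in [("tcp", 25), ("tcp", 80), ("tcp", 445), ("tcp", 3389), ("tcp", 22)]:
        print(f"{proto}/{port} from {WAN_IF}: {evaluate(POLICY, WAN_IF, proto, port)}")
```

Running the script prints the rule set and then the verdict for each probe: only 25/tcp crosses into the LAN (and only to the mail server), 80/tcp and the VPN ports stop on the router, and SMB, RDP and standard-port SSH from the outside are dropped without a response. The point of keeping the policy as data is that the forwarded-port list stays auditable: one entry in `POLICY` with `action="DNAT"` is the complete inventory of what an attacker who compromises the edge service can reach directly.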

What you propose looks good.  Although I'm not a huge fan of freeware in the security world, Freesco has a good track record and should do the job well.

The only thing you haven't mentioned is what type of encryption you plan to use for your VPN.  Make sure you're up to latest with 3DES, AES or any of the strong encryption modes (assuming you live in a country where those are available.).

Other than that, I'd say you are good to go.  (An IDS may or may not be desirable, I'm not a huge fan of them though some others would say one is essential...  Your mileage may vary.)

Good luck!

John_Mc (Author) commented:
Thanks very much for the reply again... The PPTP server will use MSChap V2, hence the really long usernames and passwords with random characters. Once again, I am trying to keep the kiddies out, and make it as hard as possible for the serious hackers.

If we maintain a low profile on the internet, we should be ok as the freesco boxes will be stealthed and there are no holes that I know of. (which is why I will host the web server on the firewall itself and tighten the security to the point of ridiculousness.)

The SSH uses 3DES and AES, so that is not a problem (I only use SSH2)

The only issue I have is that when I allow VPN access (I am trialling it myself at the moment) the username and password used when the person logs onto their machine and the machine name is passed by the VPN server to the W2k domain, regardless of the U/P used to log onto the VPN server. If the Machine is in the Active Directory but the logon name and password fail, the machine is automatically assigned to the security group 'everyone' in the AD, and they can map the c$ and several other folders that are not specifically restricted by removing the 'everyone' security group from the folder. I am trying to fix this at the moment, but it appears that Microsoft rely on the 'everyone' access for access to the exchange server data stores and many other things (I haven't had a lot of time to look into this yet)

Once again, many thanks for the reply.
