• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 274
  • Last Modified:

thoughts and justification of implementing a front-end Exchange server into a DMZ network

I need some input on justifying moving an Exchange front-end server into a DMZ network.  

When implementing a front-end Exchange server in a DMZ network you only have to open ports 25 and 443 from the internet to the DMZ network.  You then have to open a series of ports from the DMZ network to the DC.  When running without a DMZ network the front-end server has full access to the LAN network and DC, not just specified ports.  How is running an Exchange front-end server in a DMZ network less secure than running it with the other severs in the LAN network?  It seems to be more secure for it can only attack the DC and nothing else on the LAN network.  The same amount of ports are open from the internet to the front-end server regarless of it being in a DMZ network, or, being in the LAN network.  Now, given the ports open from the DMZ network to the DC allows an attack from the front-end server to the DC regardless of it being in a DMZ network.  It almost seems pointless, but I wouldn’t say less secure.  If the front-end server is compromised it can only attack the DC, not the whole LAN network.  So, basically, it seems the benefits of the front-end server being in a DMZ network is that it can only attack the DC.  However, the front-end server NOT being in the DMZ network will allow an attack on ANYTHING on the LAN network, this includes the DC.  It seems to be a little more secure, but not a whole lot.

What are everyone’s thoughts?  It almost doesn’t seem worth it, or, of much value placing the front-end server in a DMZ network for it only protects attacks on your LAN network and not the DC.
0
gopher_49
Asked:
gopher_49
  • 4
  • 4
1 Solution
 
SembeeCommented:
I would suggest that you go and look at my blog.
http://www.sembee.co.uk/archive/2006/02/23/3.aspx

You need a few more ports than you have indicated in your posting.

A DMZ is NOT the place for a member of your production domain. A frontend server needs to be a member of the production domain.

Simon.
0
 
gopher_49Author Commented:
Simon,

These ports are only open from the DMZ network to the LAN network, their not open from the internet to the DMZ.  If someone was to compromise the front-end exchange server when there was no DMZ they would have access to the whole LAN, not just the DC.  It seems that if the front-end server is compromised it will have access to the DC regardless of a DMZ, or no DMZ.  I really don't like changing the dynamic port configuration to static, however, if the front-end server was compromised wouldn't it be able to attack or take control of the DC regardless of it using dynamic or static ports?  
0
 
SembeeCommented:
The point is - a DMZ is supposed to be less secure than the production network. The compromise is could come in from something else in the DMZ - a web server, SQL server etc.

The policy that I operate is the least number of ports open to production from a less secure network. Whether that less secure network is the DMZ or the Internet.
What I am looking to to is reduce the attack vector. It is far easier to monitor two ports coming in to a production than the myriad of ports that would be coming in from a DMZ.

I have deployed Exchange in to a number of financial institutions, where there are often more security people than IT. In every one of those sites, when I show them the ports required, I am immediately told that it isn't going to happen.

With the amount of holes required to go between the DMZ and production, you may as well not bother have a firewall, as it will not be blocking very much.

The reason you have to change the ports from dynamic to static is to go through the firewall.

The bottom line is that by putting a frontend server in to the DMZ you are exposing too much - particularly the domain information. Microsoft have addressed this with E12, where there is a special installation of Exchange that doesn't require domain membership designed to sit in a DMZ (or perimeter network in Microsoft speak).

Simon.
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

 
gopher_49Author Commented:
Simon,

Is E12 the upcoming version of Exchange?  Also, currently I have a Cisco PIX firewall sitting in front of my LAN.  My LAN contains my DC, Exchange server, email gateway, and all of my workstations.  The same amount of ports are open from the internet to my LAN on my Cisco PIX would be the same same amount of ports being open when using a DMZ.  These being port 25 and 443.  Now, the only server that would be in the DMZ is the email gateway.  How is my current configration more secure than placing the email gateway in the DMZ?  Currently if the email gateway is compromised it has access to ANYTHING on the LAN, if it's in a DMZ it can only attack the DC for I'll have static access-list to only allow those ports to communicate to a specified host.  This specified host being the DC.  It seems to be a little more secure for if it's compromised it can only attack the DC, not the whole network.  

Now,

I think I read a post of yours stating that putting a mail relay in the DMZ to relay SMTP to the front end server is a good idea. This is really good idea for I could place a linux box in the DMZ and relay mail to the front-end server.  It's harder to compromise and I could void opening the various ports from the DMZ to the LAN.  The only port open from the DMZ to the LAN would be port 25.  I could also use ISA server in the DMZ too, however, my comments in the above paragraphs makes me still questions if putting the email gateway in the DMZ is more secure, or less secure.    
0
 
SembeeCommented:
E12 is the next version of Exchange, Exchange 2007 I think it is called now.

Answer this though... how is putting an Exchange server in the DMZ MORE secure?

It isn't.

All it has done though is make it easier for an attacker, because all they have to do is follow the traffic.

I appreciate that some people have a problem with Exchange directly facing the Interent. That is understandable. What I have a problem with is a domain member being in the DMZ - in fact any domain member being separated by a firewall.
Therefore a server in the DMZ that is in a workgroup acting as proxy - so either a Linux machine or ISA if you want OWA as well, makes a good compromise. Once configured, take an image and then you are ready to drop the machine in the event that it is attacked.

Simon.
0
 
gopher_49Author Commented:
If an attacker compromises the domain member server within the DMZ it will know which ports are  being used to communicate to the DC.  This is bad, however, if an attacker is already in the DMZ network they can easily sniff the traffic regardless of the server using dynamic or static ports.  That information will be pretty easy to acquire.  Now, if the attacker compromises the domain member server within the DMZ it will be able to communicate with the DC regardless of dynamic or static ports.  

I would think that a mail gateway server being in a DMZ network is more secure for it can only attack the DC.  It cannot attack any other host within the LAN network.  When it's NOT in the DMZ it can attack any host within the LAN network.  This would then allow the attacker to launch a DoS attack to the whole LAN network.  It also would allow the attacker to have more hosts to compromise.  You then have to worry about the security of every single computer within the LAN, not just the DC.  It's easier to manage the security of one server verses many servers and workstations.  There's no doubt that it's a security risk, however, a domain member being in a DMZ can only attack the DC, not the whole network.  Exposing your DC to a possible attack is bad, however, exposing your whole network is even worse.  If I was to setup static port mapping only the specified host would be in danger, verses, every host on the network.  Currently my mail gateway server is in the LAN so if it's compromised it can attack anything within the LAN.  If I move it to a DMZ, it can then only attack the host that I have the static port mapping enabled to.

I'm stuck in the middle here and I really appreciate your extremely valuable information.  I think I need to look into placing ISA server in the DMZ, or placing a SMTP relay server in the DMZ.  If I place a SMTP relay server in the DMZ I'll make sure it's not a Microsoft server.

Let me know your thoughts and we'll close this topic for I think we've discussed both sides of the thought process.  

And again, thanks for your valuable input.  

0
 
SembeeCommented:
Once I have your DC, thats game over. Who cares about the rest of the network. The DC is the crown jewel. With a compromised DC I can do what I like - change the domain administrator password for example. That lets me get in to everything else.

There is this perception that everything internet facing should be in the DMZ. Or that the DMZ is the right place for certain things - like mail servers. When challenged why, no one has yet to give me a valid reason. I just get er and um.
You have come pretty close, and given me a very good run for my money on justifying the stance, but I stand my ground.

DMZs have their place in network security, I don't deny that, and have deployed them in the past. However they are not the only defence mechanism for a network, which some people think they are. If anything they aren't a weapon, because a DMZ in the strict meaning is a demilitarised zone - no weapons.

As with everything in network and security design, you use the right tool or technique for the job. Sometimes that is a DMZ, sometimes it is not.

Simon.
0
 
gopher_49Author Commented:
What you say makes sense, however, I look at it like this.  Why give an attacker more hosts to compromise when you can give them only one.  Currently if my email gateway server is compromised ANY host on my network is vunerable, however, with a DMZ only one host is vunerable.  Given taking control of the DC is as bad as it gets, however, when not using a DMZ they have many more options in regards to compromising a network.  It only increases their odds of success.  Currently ALL hosts on my LAN are vunerable, verses, with a DMZ only one is.

Thanks for your input and I value your knowledge.  I think I'll look into implementing ISA server, or, placing a linux mail relay in the DMZ.

thanks.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

  • 4
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now