  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 274

Hmm... what makes my exchange2k3 server any more secure than my web port 80 server?

I hope this is not a dumb question but here goes.  There are no internal users on our network.  Everyone works in the field in different locations around the country.  

GIVEN that, the web server is behind a firewall in a DMZ and allows port 80 through to itself. The exchange server is behind a second firewall and allows 443 through to itself and SMTP 25 both ways. Both are ports (just open holes in a firewall), both are accessible. So why does it make the back office network any more secure by putting a web server in a DMZ and not making it part of the internal network?
0
Asked by: Sp0cky

2 Solutions
 
hangelesCommented:
Hey Sp0cky,

Imagine a wall between your "protected" (internal) network and your "less protected" (DMZ) network. Now let's say your web server is compromised in your DMZ. The theory is that the "wall" will make it more difficult for the rest of your network to also be compromised.

It should seem pretty obvious why the webserver and the mail exchanger are seen as more of a danger than a normal workstation, and need to be "walled" off. These are set up for outside access which, nowadays, seems to beg for some poking and prodding by the curious and the malicious.

Your title asks what makes your exchange server more secure than your web server in this situation. Not much. But the rest of your lan is better off by having these walled off.  
0
 
Sp0ckyAuthor Commented:
Thanks hangeles.  Anyone else?
0
 
jhanceCommented:
The term in favor these days is "attack surface". Think of that as the total "surface" of all available services on your server that might be attacked. Some have known vulnerabilities that can and should be patched. Others have unknown vulnerabilities that will come to light at some point in the future. You're most worried about the UNKNOWN vulnerabilities since there is no fix for them.

By blocking everything but what you need, in this case, 25, 80, 443, you greatly reduce your exposure to any other vulnerability that might show up.  Yes, these ports and their services are still vulnerable but that's it.

By using a firewall that is configured to "block everything but the few services you permit" you reduce your "attack surface" and reduce your vulnerability to successful attack.

BTW, in addition to the hardware firewall, I think it's also prudent to employ the excellent software firewall on Windows 2003 Server.  Set it up to only permit the services in that you want as well.  Then you have two lines of defense.
0
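The two answers above make one argument from two directions: hangeles says the inner "wall" limits what a compromised web server can reach, and jhance says a default-deny firewall (plus a host firewall as a second line) shrinks the attack surface. The script below, added here as an illustration and not code from either commenter, models the topology from the question as a default-deny reachability check and counts exposure from the Internet and from an attacker who has already taken the web server, in both the DMZ design and a flat design where the web server sits on the internal LAN. The internal hosts other than Exchange, every listening port, the SMTP-from-DMZ rule and the host-firewall policy are assumptions chosen to make the comparison concrete.

```python
"""
Reachability model for the two designs discussed in this thread:

  segmented: internet --[outer fw]--> dmz{web} --[inner fw]--> internal{exchange, files, dc}
  flat:      internet --[fw]--> internal{web, exchange, files, dc}

Added example, not code from the original thread. Every host other than the web
and Exchange servers, every listening port, and every rule other than 80, 443
and 25 inbound is an assumption chosen to make the comparison concrete.
"""


def exposed(zones, hosts, firewalls, src_zone, exclude=(), host_fw=None):
    """Sorted list of (host, port) that a source in src_zone can connect to.

    zones:     tuple ordered outside -> inside, e.g. ("internet", "dmz", "internal")
    hosts:     {name: (zone, {listening ports})}
    firewalls: {(outer_zone, inner_zone): {(src_zone, dst_host, port), ...}}
               Default deny: a flow crossing a zone boundary is dropped unless that
               boundary's set contains the exact (src_zone, dst_host, port) tuple.
    exclude:   hosts to leave out, e.g. the box the attacker already owns.
    host_fw:   optional {host: {ports accepted inbound}}; a host-based firewall that
               drops anything not listed, regardless of the network firewalls.
    """
    s = zones.index(src_zone)
    reachable = set()
    for host, (zone, ports) in hosts.items():
        d = zones.index(zone)
        if host in exclude or d < s:
            continue  # only flows toward the same zone or further inside are modelled
        # every boundary between source zone and destination zone must permit the flow;
        # a destination in the same zone crosses no boundary and no firewall at all
        boundaries = [(zones[i], zones[i + 1]) for i in range(s, d)]
        for port in ports:
            if any((src_zone, host, port) not in firewalls.get(b, set()) for b in boundaries):
                continue
            if host_fw is not None and port not in host_fw.get(host, set()):
                continue
            reachable.add((host, port))
    return sorted(reachable)


# --- constructed topology (assumption) ----------------------------------------
INTERNAL_HOSTS = {
    "exchange": ("internal", {25, 80, 135, 443, 445, 3389}),
    "files": ("internal", {445, 3389}),
    "dc": ("internal", {53, 88, 389, 445, 3389}),
}
WEB_PORTS = {80, 135, 445, 3389}

SEG_ZONES = ("internet", "dmz", "internal")
SEG_HOSTS = {"web": ("dmz", WEB_PORTS), **INTERNAL_HOSTS}
SEG_FW = {
    # outer firewall: the three holes described in the question
    ("internet", "dmz"): {
        ("internet", "web", 80),
        ("internet", "exchange", 443),
        ("internet", "exchange", 25),
    },
    # inner firewall: 443/25 pass through; the web app may also submit mail (assumption)
    ("dmz", "internal"): {
        ("internet", "exchange", 443),
        ("internet", "exchange", 25),
        ("dmz", "exchange", 25),
    },
}

FLAT_ZONES = ("internet", "internal")
FLAT_HOSTS = {"web": ("internal", WEB_PORTS), **INTERNAL_HOSTS}
FLAT_FW = {
    ("internet", "internal"): {
        ("internet", "web", 80),
        ("internet", "exchange", 443),
        ("internet", "exchange", 25),
    },
}

# host-based firewall on the Exchange box: only the services it is meant to serve (assumption)
EXCHANGE_HOST_FW = {"exchange": {25, 443}}


def compare():
    """Exposure seen from the Internet, and then from an attacker on the web server."""
    return {
        "segmented/internet": exposed(SEG_ZONES, SEG_HOSTS, SEG_FW, "internet"),
        "flat/internet": exposed(FLAT_ZONES, FLAT_HOSTS, FLAT_FW, "internet"),
        "segmented/pivot": exposed(SEG_ZONES, SEG_HOSTS, SEG_FW, "dmz", exclude=("web",)),
        "flat/pivot": exposed(FLAT_ZONES, FLAT_HOSTS, FLAT_FW, "internal", exclude=("web",)),
    }


def misconfigured_inner_fw():
    """Inner firewall accidentally also allows SMB from the DMZ; the host firewall still stops it."""
    fw = {k: set(v) for k, v in SEG_FW.items()}
    fw[("dmz", "internal")].add(("dmz", "exchange", 445))
    without = exposed(SEG_ZONES, SEG_HOSTS, fw, "dmz", exclude=("web",))
    with_host_fw = exposed(SEG_ZONES, SEG_HOSTS, fw, "dmz", exclude=("web",), host_fw=EXCHANGE_HOST_FW)
    return without, with_host_fw


if __name__ == "__main__":
    for name, services in compare().items():
        print(f"{name:20s} attack surface = {len(services):2d}  {services}")
    leaked, stopped = misconfigured_inner_fw()
    print("inner fw leaks 445:", leaked, "-> with host firewall:", stopped)
```

From the Internet both designs expose exactly the same three services, which is the questioner's point: the Exchange server is no safer than the web server. The difference appears after the pivot. In the DMZ design the owned web server can reach only the one SMTP rule the inner firewall permits; in the flat design it can reach every listening port on every internal host because no firewall sits between them. The last function is jhance's "two lines of defense": when the inner firewall rule set is loosened by mistake, the per-host filter on Exchange still drops the unwanted port.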
