Solved

Opening HTTPS to send HTTPS traffic direct to Exchange server (with public static IP) - Is this a bad security threat?

Posted on 2006-10-21
Last Modified: 2011-10-03
Hi there,

****Summary of question****
Is it bad to open the HTTPS port so that HTTPS traffic is sent directly to the Exchange server (for OWA access)? (We recently had a UDP flood on the local network.)

****Full details****

Please help as this could be an urgent issue.

I have recently turned on Outlook Web Access for a company. This means that in the firewall for the company I opened the HTTPS port so that all HTTPS traffic is sent directly to the server running exchange (which has a public static IP address).

The server has always had a static public IP address and receives its mail via SMTP.


However, about a week ago the company had a new telephone system installed which, I believe, allows features such as VoIP, and I think the phones get an IP address from the server.

After about 4 days the telephone system went down and the telephone system people were called in. Their engineer said the reason was that the network had been flooded with UDP packets.

My concern is: could that have anything to do with me opening the HTTPS port to allow OWA to work? Is this a bad thing, and is one meant to do something else rather than just open up this port?

This is very serious for me, as if it turns out that it is my fault the phone system went down, I will resign my position as someone who has recently taken responsibility for handling these matters.

Thanks in advance.
Question by:afflik1923
15 Comments
 
LVL 39

Assisted Solution

by:redseatechnologies
redseatechnologies earned 500 total points
ID: 17779212
Hi afflik1923,

UDP has absolutely nothing to do with HTTPS.

HTTPS is TCP port 443 - different protocol altogether.

If it happened at about the same time, make sure that there is nothing else that was changed on the firewall/router.

Generally, there is nothing you can do about these kinds of DoS attacks.

Hope that helps,

-red
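Following red's two points above (a TCP/443 rule cannot admit UDP, and check that nothing else was opened on the firewall), here is an added example that is not from any poster in this thread and not any vendor's rule syntax. It audits an exported allow-list for what the Internet can reach on the Exchange host beyond TCP 25 and 443. The rule format, the host address 203.0.113.10 and the rule set are constructed for illustration.

```python
"""Audit a firewall rule list for unintended Internet exposure of an Exchange host.

Added example for the thread above. The one-line rule syntax is an assumed,
simplified format (not any vendor's); the addresses are RFC 5737 documentation
ranges chosen for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Only these should be reachable from the Internet on an OWA/SMTP host.
EXPECTED_EXPOSURE = {("tcp", 443), ("tcp", 25)}

RULE_RE = re.compile(
    r"^(?P<action>allow|deny)\s+(?P<proto>tcp|udp|any)\s+"
    r"(?P<src>\S+)\s*->\s*(?P<dst>[^:\s]+):(?P<port>\d+|any)\s*$"
)


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str                      # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network      # 0.0.0.0/0 for "any"
    dst: ipaddress.IPv4Address
    port: Optional[int]             # None means any port


def parse_rule(line: str) -> Rule:
    """Parse one rule line; trailing '# comments' are ignored."""
    m = RULE_RE.match(line.split("#", 1)[0].strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    src = m["src"]
    src_net = ipaddress.ip_network("0.0.0.0/0" if src == "any" else src, strict=False)
    port = None if m["port"] == "any" else int(m["port"])
    return Rule(m["action"], m["proto"], src_net, ipaddress.ip_address(m["dst"]), port)


def rule_matches(rule: Rule, proto: str, port: int) -> bool:
    """True if the rule applies to a packet of this protocol and port.
    A tcp/443 rule never matches udp: an HTTPS rule cannot let a UDP flood in."""
    proto_ok = rule.proto in ("any", proto)
    port_ok = rule.port is None or rule.port == port
    return proto_ok and port_ok


def internet_exposed(rule: Rule) -> bool:
    """An allow rule whose source is 0.0.0.0/0 exposes the destination to everyone."""
    return rule.action == "allow" and rule.src.prefixlen == 0


def audit(lines, host: str):
    """Return (unexpected, missing): allow-from-anywhere rules to `host` outside
    EXPECTED_EXPOSURE, and expected services that no allow rule covers at all."""
    host_ip = ipaddress.ip_address(host)
    rules = [parse_rule(l) for l in lines if l.strip() and not l.strip().startswith("#")]
    to_host = [r for r in rules if r.dst == host_ip]
    unexpected = []
    for r in to_host:
        if not internet_exposed(r):
            continue
        # "any" port or "any" protocol is wider than a single expected service.
        if r.port is None or r.proto == "any" or (r.proto, r.port) not in EXPECTED_EXPOSURE:
            unexpected.append(r)
    missing = sorted(
        svc for svc in EXPECTED_EXPOSURE
        if not any(r.action == "allow" and rule_matches(r, *svc) for r in to_host)
    )
    return unexpected, missing


# Constructed rule set for illustration (not a real export).
SAMPLE_RULES = """
# allow <proto> <src> -> <dst>:<port>
allow tcp any -> 203.0.113.10:443                 # OWA
allow tcp any -> 203.0.113.10:25                  # inbound SMTP
allow udp any -> 203.0.113.10:any                 # leftover from the phone-system install
allow tcp 198.51.100.0/24 -> 203.0.113.10:3389    # RDP from the support office only
deny any any -> 203.0.113.10:any
""".splitlines()


if __name__ == "__main__":
    bad, missing = audit(SAMPLE_RULES, "203.0.113.10")
    for r in bad:
        print(f"UNEXPECTED Internet exposure: {r.proto} port {r.port or 'any'} from {r.src}")
    for proto, port in missing:
        print(f"expected service {proto}/{port} has no allow rule")
    https = parse_rule("allow tcp any -> 203.0.113.10:443")
    print("tcp/443 rule matches udp/443:", rule_matches(https, "udp", 443))
```

Run against a real export you would replace SAMPLE_RULES with the actual rules and the Exchange server's public address; any rule the audit prints as unexpected is a candidate for the "something else changed at the same time" that red asks about.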
 
LVL 39

Assisted Solution

by:redseatechnologies
redseatechnologies earned 500 total points
ID: 17779215
afflik1923,

Oh, and there is nothing wrong with having 443 open to your Exchange server. I have this and 25 open to all my Exchange servers, as do the other Exchange admins I know.

-red
 

Author Comment

by:afflik1923
ID: 17779243
Ok that is comforting to know. I'm going in there today leaving in a moment.

One engineer said to me it is very bad to just leave the Exchange server (which has a local LAN IP address (e.g. 10.0.0.1) and a public static IP address (which is used for OWA).


If anyone can think of anything else that could have brought down the telephone network. The finger of blame is very much being pointed, and the telephone company are saying that it is something wrong with the IT.


 
LVL 39

Assisted Solution

by:redseatechnologies
redseatechnologies earned 500 total points
ID: 17779265
It is very bad to leave exchange server wide open to the internet - but with 443 and 25 ONLY being accessible, it is far from wide open.


If the telephone company is trying to point the finger, the onus should be on them to provide proof.  Are there any logs?  How do you know it was a UDP flood?

-red
 
LVL 11

Expert Comment

by:prueconsulting
ID: 17780516
The only issue I would see with leaving 443 and 25 directly open from the internet is ensuring that your patches stay up to date, all IIS sample configuration is removed and the IIS instance is hardened. Other than that it does not pose a direct threat.

More than likely it was some of the phone equipment which caused a UDP storm and took down the network.
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17780697
The point regarding ports open/ports closed is a separate topic and we could discuss the pros and cons to death. Red Sea is spot on in respect to the question asked; UDP has no part in the traffic regarding the changes you have indicated.

The bigger question is 'could you have accidentally opened other ports at the same time?' Secondly, are you sure that the extra UDP traffic is originating from outside of your network?

Something like Ethereal (a free sniffer) may assist in tracking down the source.

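Keith's two questions (is the UDP traffic coming from outside, and who is sending it) are what you would answer from a sniffer capture. The following is an added example, not code from anyone in the thread: it takes a capture summary in a simple "time src dst proto dport length" form (the kind of columns Ethereal or tcpdump can be made to export) and reports per-source UDP packet rates, whether each source is on the LAN, and which destination port it hammers. The capture is constructed inline, the LAN prefixes are assumed from the 10.0.0.x address mentioned above, and the 100 packets/second threshold is an arbitrary illustration value.

```python
"""Attribute a UDP flood to its source from a packet-capture summary.

Added example for the thread above. The capture text is constructed (not a
real capture) and the LAN address space is an assumption based on the
10.0.0.x address mentioned in the thread.
"""
import ipaddress
from collections import Counter, defaultdict

# Assumed internal address space; RFC 1918 ranges, 10/8 being the site LAN.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr: str) -> bool:
    """True if the address is inside one of our own LAN ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_capture(text: str):
    """Yield (time, src, dst, proto, dport, length) from 'time src dst proto dport length' lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        t, src, dst, proto, dport, length = line.split()
        yield float(t), src, dst, proto.lower(), int(dport), int(length)


def udp_talkers(records, window: float = 1.0) -> dict:
    """Per-source UDP statistics: packet and byte counts, peak packets/second
    measured over `window`-second buckets, most-hit destination port, LAN or not."""
    pkts, byts = Counter(), Counter()
    buckets = defaultdict(Counter)      # src -> {time bucket: packets}
    dports = defaultdict(Counter)       # src -> {dport: packets}
    for t, src, dst, proto, dport, length in records:
        if proto != "udp":              # TCP (e.g. HTTPS/443) is irrelevant to a UDP flood
            continue
        pkts[src] += 1
        byts[src] += length
        buckets[src][int(t // window)] += 1
        dports[src][dport] += 1
    return {
        src: {
            "packets": pkts[src],
            "bytes": byts[src],
            "peak_pps": max(buckets[src].values()) / window,
            "top_port": dports[src].most_common(1)[0][0],
            "internal": is_internal(src),
        }
        for src in pkts
    }


def flood_sources(stats: dict, pps_threshold: float = 100.0) -> list:
    """Sources whose peak rate reaches the threshold, busiest first."""
    hot = [s for s, v in stats.items() if v["peak_pps"] >= pps_threshold]
    return sorted(hot, key=lambda s: stats[s]["peak_pps"], reverse=True)


def build_sample_capture() -> str:
    """Constructed capture: a phone at 10.0.0.42 spraying UDP/5060 at the LAN
    broadcast address, three external UDP probes at the public address, and
    ordinary HTTPS traffic to OWA, which must not show up as a UDP talker."""
    lines = ["# time src dst proto dport length"]
    for i in range(600):                # 600 packets inside one second = 600 pps
        lines.append(f"{100.0 + i * 0.001:.3f} 10.0.0.42 10.0.0.255 udp 5060 1024")
    for i in range(3):
        lines.append(f"{100.2 + i * 0.1:.3f} 203.0.113.77 203.0.113.10 udp 443 60")
    for i in range(20):
        lines.append(f"{100.0 + i * 0.03:.3f} 198.51.100.9 203.0.113.10 tcp 443 512")
    return "\n".join(lines)


if __name__ == "__main__":
    stats = udp_talkers(parse_capture(build_sample_capture()))
    for src in flood_sources(stats):
        v = stats[src]
        where = "LAN" if v["internal"] else "EXTERNAL"
        print(f"{src} ({where}): {v['packets']} pkts, peak {v['peak_pps']:.0f} pps, "
              f"mostly udp/{v['top_port']}")
```

In the constructed data the flood is a LAN host talking to port 5060 (SIP), which is the pattern prueconsulting describes for phone equipment; an external source would show up with a non-LAN address, and the HTTPS sessions never appear because they are TCP.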
 
LVL 4

Expert Comment

by:LBACIS
ID: 17807474
I would definitely try to add an SMTP relay proxy (Exchange proxy) in a DMZ zone. This will give your users OWA access and increase your security by segmenting your unscanned, non-fully-trusted traffic.
 
LVL 39

Expert Comment

by:redseatechnologies
ID: 17807828
You aren't suggesting an Exchange server in the DMZ are you?

Because that is the worst idea floating around at the moment, and will reduce security - not increase it.

You will need to open a bucket load of holes between that server and the backend servers, as opposed to TWO for the OWA server. You will also have a domain member in the DMZ, which is never a good idea.

http://www.experts-exchange.com/Networking/Email_Groupware/Exchange_Server/Q_21256625.html

The above link is Sembee's stance on doing this. If you want an SMTP relay, use Windows 2003, NOT Exchange.

-red
 
LVL 3

Expert Comment

by:mahe2000
ID: 17817735
It's not a good idea to open ports directly to your internal network. I recommend you put a relay server on a DMZ to receive mail (SMTP) and forward it to the Exchange server, and use a reverse proxy on a DMZ to publish OWA.
 

Author Comment

by:afflik1923
ID: 17825798
What is the risk of opening up the port directly?

Would it be complicated for one to learn about what you have suggested mahe2000?

does it also mean I need to buy another box to act as the relay server?

Bearing that in mind, is it really necessary? In closer to layman's terms, what typical advantages does it give me, and what threats am I open to by not having it?

Thanks
 
LVL 39

Accepted Solution

by:redseatechnologies
redseatechnologies earned 500 total points
ID: 17827105
The risk with opening ports (all you really need is 25 and 443) is that if there is a vulnerability that is discovered, the machine could be compromised.  Staying on top of your patches is a good start, but if someone had the motivation and the skill, and most importantly, the reason to target you, then you could have a problem on your hands.

Running a relay in the DMZ will require another box, and it is basically the silent link between the outside nasties and the inside network. If it gets compromised and destroyed, so be it: reformat and reconfigure it, while fixing whatever mistakes got it compromised.

Reverse proxy is similar (and could be on the same box) it is the middleman, outside people will talk to it, and it will talk to your inside network.

In layman's terms, doing it this way is like having a fuse: if something dangerous comes along, the fuse blows before it has a chance to damage something more important.

While this would be a great way to set things up, it does make your entire configuration very complicated. Depending on your skill level, or resources available, this can actually work against you: it will be more difficult to find problems (as there are more links in the chain) and it may cause some things to simply not work (how RPC/HTTPS would deal with a reverse proxy, I really don't know).

-red
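To make the "middleman" in red's accepted answer concrete, here is an added example (not the thread's, Microsoft's or any product's code) of the core of a DMZ reverse proxy that publishes only the OWA paths of an internal Exchange server and answers 404 to everything else on that box. It assumes a hypothetical internal address 10.0.0.1, that the internal server speaks HTTPS, and that OWA lives under /exchange, /exchweb, /public and /owa (the usual virtual directories for Exchange 2003 and 2007; adjust for your version). TLS on the outside listener is left to a front end such as stunnel or the server's own certificate configuration, which this example does not set up.

```python
"""Path-allowlisting reverse proxy for OWA (added example; not product code).

Assumptions: the internal Exchange server is EXCHANGE_HOST (hypothetical
address), it serves OWA over HTTPS, and OWA lives under ALLOWED_PREFIXES.
The listener below is plain HTTP on 8443 for brevity; in a DMZ you would
terminate TLS in front of it (or wrap the server socket with ssl).
"""
import http.client
import ssl
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import unquote, urlsplit

EXCHANGE_HOST = "10.0.0.1"          # hypothetical internal Exchange address
EXCHANGE_PORT = 443
ALLOWED_PREFIXES = ("/exchange/", "/exchweb/", "/public/", "/owa/")
HOP_BY_HOP = {"connection", "keep-alive", "transfer-encoding", "upgrade",
              "proxy-connection", "te", "trailer", "content-length"}


def is_allowed_path(raw_path: str) -> bool:
    """Admit only the OWA virtual directories. Decode first so that encoded
    traversal (%2e%2e, %2f) is caught; reject '..', '//' and backslashes so
    nothing can be steered at /scripts, sample apps or admin directories."""
    path = unquote(urlsplit(raw_path).path)
    if "//" in path or "\\" in path or ".." in path.split("/"):
        return False
    low = path.lower()
    return any(low == p.rstrip("/") or low.startswith(p) for p in ALLOWED_PREFIXES)


class OwaProxy(BaseHTTPRequestHandler):
    """Forward allowed requests to the internal server; 404 for all others."""

    def _forward(self):
        if not is_allowed_path(self.path):
            self.send_error(404)        # do not reveal that anything else exists
            return
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        headers = {k: v for k, v in self.headers.items() if k.lower() not in HOP_BY_HOP}
        if body is not None:
            headers["Content-Length"] = str(len(body))
        headers["X-Forwarded-For"] = self.client_address[0]
        ctx = ssl.create_default_context()  # verifies the internal cert; pin your CA here
        conn = http.client.HTTPSConnection(EXCHANGE_HOST, EXCHANGE_PORT, context=ctx, timeout=30)
        try:
            conn.request(self.command, self.path, body=body, headers=headers)
            resp = conn.getresponse()
            data = resp.read()          # dechunks if the backend used chunked encoding
            self.send_response(resp.status, resp.reason)
            for k, v in resp.getheaders():
                if k.lower() not in HOP_BY_HOP:
                    self.send_header(k, v)
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)
        finally:
            conn.close()

    # OWA on Exchange 2003 also uses WebDAV verbs; add the ones your version needs.
    do_GET = do_POST = do_HEAD = do_PUT = do_OPTIONS = do_PROPFIND = _forward


if __name__ == "__main__":
    ThreadingHTTPServer(("0.0.0.0", 8443), OwaProxy).serve_forever()
```

The security value is in is_allowed_path: the DMZ box, not the Exchange server, is what the Internet talks to, and only the four OWA paths are ever relayed inward, so an IIS sample application or an admin virtual directory left on the Exchange box is unreachable from outside even if it is unpatched. This is also the part that red warns can break things: RPC over HTTPS uses a different path (/rpc) and is deliberately not on the list, so it would stop working behind this proxy unless you add it.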
 

Author Comment

by:afflik1923
ID: 17827195
OK thanks,

Good comments and well explained. Considering my level of expertise, I think the reverse proxy is not a great idea for us. This is assuming there are many people out there who are also running OWA by opening the relevant port (in our case only the HTTPS port, I believe).

At least if there are lots of other people doing what we are doing, that will make me feel better, and I assume the way we are doing it is the way the majority are doing it. OK, no defence against a malicious attack, but a level of comfort.

Thanks again
 
LVL 39

Assisted Solution

by:redseatechnologies
redseatechnologies earned 500 total points
ID: 17827237
I have port 25 and 443 open to all my clients exchange servers, as does Sembee (the top expert on this site).

You have to look at computer security the same as you look at physical security (of say, your home).

Locks are not meant to stop anyone - they are only meant to slow people down enough to be a deterrent. Alarms are not meant to stop people - they are only meant to draw attention to them and scare them off.

The point I am trying to make is that the only way to be safe on the internet is to do what ASIO do (the Australian intelligence network). They simply do not receive external email, or have external internet access. That level of security is akin to not having doors or windows to keep burglars out of your house - it is the only thing that would work for sure, but look at the cost :)

I should just add though that I am very security conscious - security is inversely proportional to ease of use. Our job as network professionals is to enforce as much security onto the users as possible, before they will attempt to subvert the system (or complain about it).

-red
 
LVL 39

Expert Comment

by:redseatechnologies
ID: 17827240
I was going to spell check that - now my secret is out! :))
 

Author Comment

by:afflik1923
ID: 17877339
Thanks for all the input on this matter. I gave the point to Red on this for his detailed and regular comments on the subject.