Solved

Opening HTTPS to send HTTPS traffic direct to Exchange server (with public static IP) - Is this a bad security threat?

Posted on 2006-10-21
15
194 Views
Last Modified: 2011-10-03
Hi there,

****Summary of question****
Is it bad to open the HTTPS port so that HTTPS traffic is sent directly to the Exchange server (for OWA access)? (We recently had a UDP flood on the local network.)

****Full details****

Please help as this could be an urgent issue.

I have recently turned on Outlook Web Access for a company. This means that in the firewall for the company I opened the HTTPS port so that all HTTPS traffic is sent directly to the server running exchange (which has a public static IP address).

The server has always had a static public IP address and received its mail via SMTP.


However, about a week ago the company had a new telephone system installed which, I believe, allowed features such as VoIP, and I think the phones have an IP address from the server.

After about 4 days the telephone system went down and the telephone system people were called in. He said the reason was that the network had been flooded with UDP packets.

My concern is: could that have anything to do with me opening the HTTPS port to allow OWA to work? Is this a bad thing, and is one meant to do something else rather than just open up this port?

This is very serious for me, as if it turns out that it is my fault the phone system went down I will resign my position as someone who has recently taken responsibility to handle these matters.

Thanks in advance.
0
Question by:afflik1923
15 Comments
 
LVL 39

Assisted Solution

by:redseatechnologies
redseatechnologies earned 500 total points
Hi afflik1923,

UDP has absolutely nothing to do with HTTPS.

HTTPS is TCP port 443 - a different protocol altogether.

If it happened at about the same time, make sure that there is nothing else that was changed on the firewall/router.

Generally, there is nothing you can do about these kinds of DoS attacks.

Hope that helps,

-red
0
 
LVL 39

Assisted Solution

by:redseatechnologies
redseatechnologies earned 500 total points
afflik1923,

Oh, and there is nothing wrong with having 443 open to your Exchange server - I have this and 25 open to all my Exchange servers, as do the other Exchange admins I know.

-red
0
 

Author Comment

by:afflik1923
OK, that is comforting to know. I'm going in there today, leaving in a moment.

One engineer said to me it is very bad to just leave the Exchange server (which has a local LAN IP address (e.g. 10.0.0.1) and a public static IP address (which is used for OWA)).


If anyone can think of anything else that could have brought down the telephone network, please say. The finger of blame is very much trying to be pointed, and the telephone company are saying that it is something wrong with the IT.


0
 
LVL 39

Assisted Solution

by:redseatechnologies
redseatechnologies earned 500 total points
It is very bad to leave an Exchange server wide open to the internet - but with 443 and 25 ONLY being accessible, it is far from wide open.


If the telephone company is trying to point the finger, the onus should be on them to provide proof.  Are there any logs?  How do you know it was a UDP flood?

-red
0
 
LVL 11

Expert Comment

by:prueconsulting
The only issue I would see with leaving 443 and 25 directly open from the internet is ensuring that your patches stay up to date, all IIS sample configuration is removed and the IIS instance is hardened. Other than that it does not pose a direct threat.

More than likely it was some of the phone equipment which caused a UDP storm and took down the network.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
The point regarding ports open/ports closed is a separate topic and we could discuss the pros & cons to death. Red Sea is spot on in respect to the question asked; UDP has no part in the traffic regarding the changes you have indicated.

The bigger question is 'could you have accidentally opened other ports at the same time?' Secondly, are you sure that the extra UDP traffic is originating from outside of your network?

Something like Ethereal (a free sniffer) may assist in tracking down the source.

0
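Following Keith's suggestion above (sniff the flood and check whether it really comes from outside), here is an added example that is not from anyone in the thread: it triages a sniffer's one-line-per-packet summary and tags each UDP talker as internal or external. The capture lines are constructed, and the internal range 10.0.0.0/24 is assumed from the 10.0.0.1 LAN address mentioned earlier.

```python
# Added example (not from the thread): rank UDP senders in a capture summary
# such as Ethereal/tshark can export and say whether each is inside the LAN.
from collections import Counter
import ipaddress

# Constructed sample in the form "time src dst proto length".
SAMPLE_CAPTURE = """\
0.000 10.0.0.57 10.0.0.255 UDP 1400
0.001 10.0.0.57 10.0.0.255 UDP 1400
0.002 203.0.113.9 10.0.0.1 TCP 60
0.003 10.0.0.57 10.0.0.255 UDP 1400
0.004 10.0.0.20 10.0.0.1 UDP 78
0.006 10.0.0.57 10.0.0.255 UDP 1400
0.007 198.51.100.4 10.0.0.1 UDP 500
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/24")]  # assumed LAN range


def parse_capture(text):
    """Yield (src, dst, proto, length) from summary lines, skipping junk."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        _time, src, dst, proto, length = parts
        yield src, dst, proto.upper(), int(length)


def is_internal(addr):
    """True if addr falls inside one of the assumed internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def udp_flood_report(text, top_n=3):
    """Rank UDP senders by bytes, tag each internal/external; TCP is ignored."""
    udp_bytes, udp_pkts = Counter(), Counter()
    for src, _dst, proto, length in parse_capture(text):
        if proto == "UDP":
            udp_bytes[src] += length
            udp_pkts[src] += 1
    return [{"src": s, "packets": udp_pkts[s], "bytes": b,
             "origin": "internal" if is_internal(s) else "external"}
            for s, b in udp_bytes.most_common(top_n)]


def origin_share(text):
    """Total UDP bytes from inside vs. outside the assumed LAN."""
    share = {"internal": 0, "external": 0}
    for row in udp_flood_report(text, top_n=None):
        share[row["origin"]] += row["bytes"]
    return share
```

On the constructed sample the flood is dominated by an internal host (10.0.0.57 broadcasting), which is the kind of evidence that separates an equipment fault from anything reachable through the TCP/443 rule.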
 
LVL 4

Expert Comment

by:LBACIS
I would definitely try to add an SMTP relay proxy (Exchange proxy) in a DMZ zone. This will give your users OWA access and increase your security by segmenting your unscanned, non-fully-trusted traffic.
0

 
LVL 39

Expert Comment

by:redseatechnologies
You aren't suggesting an Exchange server in the DMZ are you?

Because that is the worst idea floating around at the moment, and will reduce security - not increase it.

You will need to open a bucket load of holes between that server and the backend servers, as opposed to TWO for the OWA server - you will also have a domain member in the DMZ, which is never a good idea.

http://www.experts-exchange.com/Networking/Email_Groupware/Exchange_Server/Q_21256625.html

The above link is Sembee's stance on doing this. If you want an SMTP relay, use Windows 2003, NOT Exchange.

-red
0
 
LVL 3

Expert Comment

by:mahe2000
It's not a good idea to open ports directly to your internal network. I recommend you put a relay server on a DMZ to receive mail (SMTP) and forward it to the Exchange server, and use a reverse proxy on a DMZ to publish OWA.
0
 

Author Comment

by:afflik1923
What is the risk of opening up the port directly?

Would it be complicated for one to learn about what you have suggested mahe2000?

Does it also mean I need to buy another box to act as the relay server?

Bearing that in mind, is it really necessary? In closer to layman's terms, what typical advantages does it give me and what threats am I open to by not having it?

Thanks
0
 
LVL 39

Accepted Solution

by:
redseatechnologies earned 500 total points
The risk with opening ports (all you really need is 25 and 443) is that if there is a vulnerability that is discovered, the machine could be compromised.  Staying on top of your patches is a good start, but if someone had the motivation and the skill, and most importantly, the reason to target you, then you could have a problem on your hands.

Running a relay in the DMZ will require another box, and it is basically the silent link between the outside nasties and the inside network.  If it gets compromised and destroyed - so be it, reformat and reconfigure it - while fixing whatever mistakes got it compromised.

A reverse proxy is similar (and could be on the same box): it is the middleman, outside people will talk to it, and it will talk to your inside network.

In layman's terms, doing it this way is like having a fuse - if something dangerous comes along, the fuse blows before it has a chance to damage something more important.

While this would be a great way to set things up, it does make your entire configuration very complicated.  Depending on your skill level, or resources available, this can actually work against you - it will be more difficult to find problems (as there are more links in the chain) and it may cause some things to simply not work (how RPC/HTTPS would deal with a reverse proxy, I really don't know).

-red
0
 

Author Comment

by:afflik1923
OK thanks,

Good comments and well explained. Considering my level of expertise I think the reverse proxy is not a great idea for us. This is assuming there are many people out there who are also running OWA by opening the relevant port (in our case only the HTTPS port, I believe).

At least if there are lots of other people doing what we are doing, that will make me feel better, and I assume the way we are doing it is the way the majority are doing it. OK, no defence against a malicious attack, but a level of comfort.

Thanks again
0
 
LVL 39

Assisted Solution

by:redseatechnologies
redseatechnologies earned 500 total points
I have ports 25 and 443 open to all my clients' Exchange servers, as does Sembee (the top expert on this site).

You have to look at computer security the same as you look at physical security (of say, your home).

Locks are not meant to stop anyone - they are only meant to slow people down enough to be a deterrent.  Alarms are not meant to stop people - they are only meant to draw attention to them and scare them off.

The point I am trying to make is that the only way to be safe on the internet is to do what ASIO do (the Australian intelligence agency).  They simply do not receive external email, or have external internet access.  That level of security is akin to not having doors or windows to keep burglars out of your house - it is the only thing that would work for sure, but look at the cost :)

I should just add, though, that I am very security conscious - security is inversely proportional to ease of use - our job as network professionals is to enforce as much security onto the users as possible, before they attempt to subvert the system (or complain about it).

-red
0
 
LVL 39

Expert Comment

by:redseatechnologies
I was going to spell check that - now my secret is out! :))
0
 

Author Comment

by:afflik1923
Thanks for all the input on this matter. I gave the points to Red for his detailed and regular comments on the subject.
0