• Status: Solved
  • Priority: Medium
  • Security: Public

Opening HTTPS to send HTTPS traffic direct to Exchange server (with public static IP) - Is this a bad security threat?

Hi there,

****Summary of question****
Is it bad to open the HTTPS port so that HTTPS traffic is sent directly to the Exchange server (for OWA access)? (We recently had a UDP flood on the local network.)

****Full details****

Please help as this could be an urgent issue.

I have recently turned on Outlook Web Access for a company. This means that in the firewall for the company I opened the HTTPS port so that all HTTPS traffic is sent directly to the server running Exchange (which has a public static IP address).

The server has always had a static public IP address and receives its mail via SMTP.


However, about a week ago the company had a new telephone system installed which, I believe, included features such as VoIP, and I think the phones get an IP address from the server.

After about 4 days the telephone system went down and the telephone system people were called in. He said the reason was that the network had been flooded with UDP packets.

My concern is: could that have anything to do with me opening the HTTPS port to allow OWA to work? Is this a bad thing, and is one meant to do something else rather than just open up this port?

This is very serious for me, as if it turns out that it is my fault the phone system went down I will resign my position as someone who has recently taken responsibility to handle these matters.

Thanks in advance.
Asked by: afflik1923

5 Solutions
 
redseatechnologies Commented:
Hi afflik1923,

UDP has absolutely nothing to do with HTTPS.

HTTPS is TCP port 443 - different protocol altogether.

If it happened at about the same time, make sure that there is nothing else that was changed on the firewall/router.

Generally, there is nothing you can do about these kinds of DoS attacks.

Hope that helps,

-red
0
 
redseatechnologies Commented:
afflik1923,

Oh, and there is nothing wrong with having 443 open to your exchange server - I have this and 25 open to all my exchange servers, as do the other exchange admins I know

-red
0
 
afflik1923 (Author) Commented:
Ok that is comforting to know. I'm going in there today leaving in a moment.

One engineer said to me it is very bad to just leave the Exchange server open (which has a local LAN IP address (e.g. 10.0.0.1) and a public static IP address, which is used for OWA).


If anyone can think of anything else that could have brought down the telephone network, please say. The finger of blame is very much trying to be pointed, and the telephone company are saying that it is something wrong with the IT.


0
 
redseatechnologies Commented:
It is very bad to leave exchange server wide open to the internet - but with 443 and 25 ONLY being accessible, it is far from wide open.


If the telephone company is trying to point the finger, the onus should be on them to provide proof.  Are there any logs?  How do you know it was a UDP flood?

-red
0
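Red's point above is that "only TCP 25 and TCP 443 reachable" is a specific, checkable claim. The following is an added example (not code from the thread or from any firewall vendor) that audits a list of inbound rules against exactly that intended exposure and reports anything wider. The rule syntax (`action proto port[-port]`) is a constructed generic format, the sample rule set is constructed, and `parse_rule()` would need adapting to a real firewall export.

```python
"""Audit inbound firewall rules for an Exchange host against the exposure the
thread agrees on: TCP 25 (SMTP) and TCP 443 (OWA), nothing else.

Added example, not from the original thread. The rule lines use a constructed
generic "action proto port[-port]" syntax, not any real firewall's export
format; adapt parse_rule() to your own.
"""
from dataclasses import dataclass

# What the thread says an Exchange server needs reachable from the internet.
INTENDED = {("tcp", 25), ("tcp", 443)}


@dataclass(frozen=True)
class Rule:
    action: str    # "allow" or "deny"
    proto: str     # "tcp", "udp" or "any"
    low: int       # first port of the range (inclusive)
    high: int      # last port of the range (inclusive)


def parse_rule(line):
    """Parse one constructed rule line such as 'allow udp 5060-5061'."""
    action, proto, port = line.split()
    if port == "any":
        low, high = 0, 65535
    elif "-" in port:
        low, high = (int(p) for p in port.split("-"))
    else:
        low = high = int(port)
    if not (0 <= low <= high <= 65535):
        raise ValueError(f"bad port range in rule: {line!r}")
    return Rule(action.lower(), proto.lower(), low, high)


def uncovered_ranges(proto, low, high):
    """Split [low, high] into the sub-ranges that are NOT in INTENDED."""
    intended_ports = sorted(p for pr, p in INTENDED
                            if pr == proto and low <= p <= high)
    result, start = [], low
    for p in intended_ports:
        if p > start:
            result.append((proto, start, p - 1))
        start = p + 1
    if start <= high:
        result.append((proto, start, high))
    return result


def unexpected_exposure(rule_lines):
    """Return (proto, low, high) tuples that allow rules expose beyond INTENDED.

    Assumption: every allow rule is evaluated on its own; deny rules and
    first-match ordering are ignored, so this over-reports rather than misses.
    """
    findings = []
    for rule in map(parse_rule, rule_lines):
        if rule.action != "allow":
            continue
        protos = ("tcp", "udp") if rule.proto == "any" else (rule.proto,)
        for proto in protos:
            findings.extend(uncovered_ranges(proto, rule.low, rule.high))
    return findings


# Constructed rule set: the two intended ports plus two accidental extras.
SAMPLE_RULES = [
    "allow tcp 25",
    "allow tcp 443",
    "allow udp 5060-5061",   # SIP signalling left open to the internet
    "allow tcp 440-445",     # over-broad range around 443
    "deny any any",
]

if __name__ == "__main__":
    for proto, low, high in unexpected_exposure(SAMPLE_RULES):
        span = str(low) if low == high else f"{low}-{high}"
        print(f"unexpected: {proto}/{span}")
```

Because the audit ignores rule ordering and deny rules, an empty result means the rule set really is limited to the two ports; a non-empty result is a prompt to look at the rule, not proof that the port is reachable.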
 
prueconsulting Commented:
The only issue I would see with leaving 443 and 25 directly open from the internet is ensuring that your patches stay up to date and all IIS sample configuration is removed and the IIS instance hardened. Other than that it does not pose a direct threat.

More than likely it was some of the phone equipment which caused a UDP storm and took down the network.
0
 
Keith Alabaster (Enterprise Architect) Commented:
The point regarding ports open/ports closed is a separate topic and we could discuss the pros and cons to death. Red Sea is spot on in respect to the question asked; UDP has no part in the traffic regarding the changes you have indicated.

The bigger question is: could you have accidentally opened other ports at the same time? Secondly, are you sure that the extra UDP traffic is originating from outside of your network?

Something like ethereal (a free sniffer) may assist in tracking down the source.

0
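Keith's two questions (where is the UDP coming from, and is it inside or outside the LAN) are exactly what a sniffer capture answers. The following is an added example, not code from the thread: it takes packet summary lines in a constructed `time src dst proto length` format (the kind of column layout you can export from Ethereal/Wireshark), counts UDP packets per source, and flags senders above a packets-per-second threshold together with whether the address is on the LAN. The LAN range 10.0.0.0/24 is an assumption based on the poster's example address 10.0.0.1, and the capture is constructed.

```python
"""Find the source of a UDP flood from sniffer output, and say whether it is
inside or outside the LAN, which is the question raised in the thread.

Added example, not from the original thread. The capture lines are a
constructed "time src dst proto length" summary, not real output. The LAN
range 10.0.0.0/24 is assumed from the poster's example address 10.0.0.1.
"""
import ipaddress
from collections import Counter

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/24")]   # assumed LAN

# Constructed capture: a burst of UDP from one LAN host, one stray external
# UDP packet, and a normal HTTPS (TCP 443) connection to the Exchange server.
SAMPLE_CAPTURE = "\n".join(
    [f"{i / 100:.3f} 10.0.0.55 10.0.0.255 UDP 214" for i in range(10)]
    + ["0.095 203.0.113.9 10.0.0.1 UDP 78",
       "0.100 198.51.100.7 10.0.0.1 TCP 66"]
)


def parse_capture(text):
    """Yield (time, src, dst, proto, length) from the constructed summary format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, proto, length = line.split()
        yield float(t), src, dst, proto.upper(), int(length)


def is_internal(ip):
    """True if the address falls inside one of the assumed LAN ranges."""
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def udp_sources(records):
    """Count UDP packets per source address; other protocols are ignored."""
    return Counter(src for _, src, _, proto, _ in records if proto == "UDP")


def analyse(text, pps_threshold=50.0):
    """Return the UDP senders at or above pps_threshold, busiest first."""
    records = list(parse_capture(text))
    if not records:
        return []
    duration = max(r[0] for r in records) - min(r[0] for r in records)
    duration = duration or 1.0          # single-instant capture: avoid /0
    findings = []
    for src, packets in udp_sources(records).most_common():
        pps = packets / duration
        if pps >= pps_threshold:
            findings.append({"src": src, "packets": packets,
                             "pps": round(pps, 1),
                             "internal": is_internal(src)})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_CAPTURE):
        where = "LAN" if f["internal"] else "external"
        print(f"{f['src']} ({where}): {f['packets']} UDP packets, {f['pps']} pps")
```

The rate is computed over the whole capture window, so a short capture taken during the storm gives a much higher figure than one spanning a quiet hour; compare against the same window length each time. An internal top talker points at the phone equipment side of the argument, an external one at the firewall.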
 
LBACIS Commented:
I would definitely try to add an SMTP relay proxy (Exchange proxy) in a DMZ zone; this will give your users OWA access and increase your security by segmenting your unscanned, non-fully-trusted traffic.
0
 
redseatechnologies Commented:
You aren't suggesting an Exchange server in the DMZ are you?

Because that is the worst idea floating around at the moment, and will reduce security - not increase it.

You will need to open a bucket load of holes between that server and the backend servers, as opposed to TWO for the OWA server. You will also have a domain member in the DMZ, which is never a good idea.

http://www.experts-exchange.com/Networking/Email_Groupware/Exchange_Server/Q_21256625.html

The above link is Sembee's stance on doing this; if you want an SMTP relay, use Windows 2003, NOT Exchange.

-red
0
 
mahe2000 Commented:
It's not a good idea to open ports directly to your internal network. I recommend you put a relay server on a DMZ to receive mail (SMTP) and forward it to the Exchange server, and use a reverse proxy on a DMZ to publish OWA.
0
 
afflik1923 (Author) Commented:
What is the risk of opening up the port directly?

Would it be complicated for one to learn about what you have suggested, mahe2000?

Does it also mean I need to buy another box to act as the relay server?

Bearing that in mind, is it really necessary? In closer to layman's terms, what typical advantages does it give me and what threats am I open to by not having it?

Thanks
0
 
redseatechnologies Commented:
The risk with opening ports (all you really need is 25 and 443) is that if there is a vulnerability that is discovered, the machine could be compromised.  Staying on top of your patches is a good start, but if someone had the motivation and the skill, and most importantly, the reason to target you, then you could have a problem on your hands.

Running a relay in the DMZ will require another box, and it is basically the silent link between the outside nasties and the inside network.  If it gets compromised and destroyed, so be it: reformat and reconfigure it, while fixing whatever mistakes got it compromised.

A reverse proxy is similar (and could be on the same box); it is the middleman. Outside people will talk to it, and it will talk to your inside network.

In layman's terms, doing it this way is like having a fuse: if something dangerous comes along, the fuse blows before it has a chance to damage something more important.

While this would be a great way to set things up, it does make your entire configuration very complicated.  Depending on your skill level, or resources available, this can actually work against you: it will be more difficult to find problems (as there are more links in the chain) and it may cause some things to simply not work (how RPC/HTTPS would deal with a reverse proxy, I really don't know).

-red
0
 
afflik1923 (Author) Commented:
OK thanks,

Good comments and well explained. Considering my level of expertise, I think the reverse proxy is not a great idea for us. This is assuming there are many people out there who are also running OWA by opening the relevant port (in our case only the HTTPS port, I believe).

At least if there are lots of other people doing what we are doing, that will make me feel better, and I assume the way we are doing it is the way the majority are doing it. OK, no defence against a malicious attack, but a level of comfort.

Thanks again
0
 
redseatechnologies Commented:
I have port 25 and 443 open to all my clients exchange servers, as does Sembee (the top expert on this site).

You have to look at computer security the same as you look at physical security (of say, your home).

Locks are not meant to stop anyone; they are only meant to slow people down enough to be a deterrent.  Alarms are not meant to stop people; they are only meant to draw attention to them and scare them off.

The point I am trying to make is that the only way to be safe on the internet is to do what ASIO does (the Australian intelligence network).  They simply do not receive external email, or have external internet access.  That level of security is akin to not having doors or windows to keep burglars out of your house: it is the only thing that would work for sure, but look at the cost :)

I should just add though that I am very security conscious. Security is inversely proportional to ease of use; our job as network professionals is to enforce as much security onto the users as possible, before they attempt to subvert the system (or complain about it).

-red
0
 
redseatechnologies Commented:
I was going to spell check that - now my secret is out! :))
0
 
afflik1923 (Author) Commented:
Thanks for all the input on this matter. I gave the point to Red on this for his detailed and regular comments on the subject.
0
