• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 432

DMZ for Exchange and IIS: how can I use them?

My network has a main domain controller with 1 network card.

I have an ISA server with 3 network cards:
LAN, WAN, DMZ
Exchange and IIS servers, both with 2 network cards:
LAN, DMZ

What is the best configuration to configure my Exchange and IIS with the DMZ, and what benefit will I get if I do so?

Is there anything I need to take care about when I configure the DMZ?
Regards
Asked by al_ghamdi

2 Solutions

meverest commented:
Hi,

having a server with both DMZ and LAN interfaces pretty much defeats the purpose of having a DMZ at all.

The idea of a DMZ is that not only is there a firewall between your server and the internet to protect the server against attacks, but the firewall is also between the server and your LAN, thus protecting your LAN against the DMZ server just in case the server is compromised.

Putting the DMZ servers directly on your LAN takes away the second benefit. If your DMZ server is compromised, then your entire LAN becomes open to attack.

Cheers.

bsmith80 commented:
You will want to connect your Exchange and IIS machine to the DMZ segment of the network ONLY. You can then allow certain administrative access from the LAN to the DMZ machines in the ISA server. You'll also need to configure certain ports open from the DMZ to the DC on the LAN back through the ISA server for authentication, etc. Let me know if you need more detail on the ports and I will post.

al_ghamdi (Author) commented:
Hi,
Can I have more information about that?

meverest: you said: "If your DMZ server is compromised, then your entire LAN becomes open to attack."

I need more details please.

Also, bsmith80:
can I have more details on what the best and highest security I can configure for my network is?

Regards.

bsmith80 commented:
meverest: you said: "If your DMZ server is compromised, then your entire LAN becomes open to attack."

If you directly connect your DMZ machines to the LAN with the other NIC, then it defeats the purpose of the DMZ. If the DMZ machine gets compromised, the attackers have a direct connection to the LAN via the other NIC. You really don't want to connect the 2nd NIC to the LAN.

Ideally, you'll want to keep your backend Exchange mail server on the LAN, and have a front-end only Exchange box in the DMZ. The following link has lots of documentation dealing with how to set it all up:

http://technet.microsoft.com/en-us/library/aa996980.aspx

If you have other questions, please let me know.

meverest commented:
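The segmentation argument made in both answers above (a server with NICs on both DMZ and LAN bypasses the firewall entirely, while a DMZ-only server reaches the LAN only through the rules you explicitly open on the ISA server) can be checked with a small reachability model. The following Python is an added example and is not code from this thread or from any of the posters; the host names, segments and the two directory ports in the sample rules are constructed for illustration and are not the port list bsmith80 offered to post.

```python
"""Exposure model for a DMZ design: which LAN hosts can a compromised
DMZ server talk to, with and without a second NIC on the LAN?"""
from dataclasses import dataclass

ANY = "*"  # wildcard: same-segment hosts are reachable on every port


@dataclass(frozen=True)
class Host:
    name: str
    segments: frozenset  # network segments this host has a NIC on


@dataclass(frozen=True)
class Rule:
    """A firewall (ISA-style) access rule permitting traffic from a source
    segment to one destination host on one port."""
    src_segment: str
    dst_host: str
    port: int


def reachable(compromised: Host, hosts: list, rules: list) -> dict:
    """Return {host_name: set_of_ports} an attacker holding `compromised`
    can reach.

    Hosts that share a segment with the compromised host sit behind no
    firewall, so they are reachable on every port. Hosts on other segments
    are reachable only on ports an explicit rule opens from a segment the
    compromised host has an interface on.
    """
    exposure = {}
    for h in hosts:
        if h.name == compromised.name:
            continue
        if compromised.segments & h.segments:
            exposure[h.name] = {ANY}
            continue
        ports = {
            r.port
            for r in rules
            if r.dst_host == h.name and r.src_segment in compromised.segments
        }
        if ports:
            exposure[h.name] = ports
    return exposure


# Constructed LAN: the DC, the back-end Exchange box and one workstation.
DC = Host("DC", frozenset({"LAN"}))
EXCHANGE_BACKEND = Host("Exchange-Backend", frozenset({"LAN"}))
WORKSTATION = Host("Workstation", frozenset({"LAN"}))
LAN_HOSTS = [DC, EXCHANGE_BACKEND, WORKSTATION]

# Constructed ISA rules: the DMZ may reach the DC on two directory ports
# (illustrative values, not the poster's list).
RULES = [Rule("DMZ", "DC", 88), Rule("DMZ", "DC", 389)]


def dual_homed_exposure() -> dict:
    """IIS box with NICs on both DMZ and LAN, as in the question."""
    iis = Host("IIS", frozenset({"DMZ", "LAN"}))
    return reachable(iis, LAN_HOSTS + [iis], RULES)


def dmz_only_exposure() -> dict:
    """IIS box on the DMZ segment only, as both answers recommend."""
    iis = Host("IIS", frozenset({"DMZ"}))
    return reachable(iis, LAN_HOSTS + [iis], RULES)


if __name__ == "__main__":
    print("dual-homed IIS compromised ->", dual_homed_exposure())
    print("DMZ-only IIS compromised   ->", dmz_only_exposure())
```

With the second NIC on the LAN, every LAN host shows up with the wildcard port: the firewall plays no part. With the box on the DMZ alone, the only thing visible from it is the DC on the two ports the rules open, which is the list you then review and minimise.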
An interesting example I saw a few years ago. A client called complaining their printers were going very slow. It turned out that one of their developers opened his workstation to the internet to host his web site. It got infected by Code Red, which then immediately started searching for other web servers on the network. Not only did it infect all the other developer desktops (which all had IIS running for their dev work) but since the HP printers also had a web server running for configuration and admin, Code Red was effectively acting as a denial of service.

A dual homed web server on both DMZ and LAN may as well be on the LAN with a port forwarding on the router, and so defeats the whole purpose of a DMZ entirely.

Think, also, about a root-kit compromise. If someone manages to install a rootkit on your web server, then they are free to roam your LAN looking for other exploits. i.e. BAD IDEA! ;-)

Cheers.