Solved

If you open an email server on the internal network to allow HTTPS traffic through the firewall only to that server, what are the risks?

Posted on 2009-05-13
4
272 Views
Last Modified: 2013-11-16
Looking at the dangers and risks of doing this - what sort of attacks can be launched against the server? How can you reduce these risks?

It is a Windows 2008 server running Exchange 2007 on a LAN. The firewall is a Check Point firewall which locks down to only web browsing, pop3/smtp to the exchange server.

We open a port for HTTPS, natting an external address to the internal IP.

I know it is not the best option for supplying Client Server portion to the users, but say it was the only way.
Question by:CaringIT
4 Comments
 
LVL 65

Accepted Solution

by:
Mestha earned 250 total points
ID: 24379817
IIS exclusive to Exchange hasn't been compromised since IIS6/Exchange 2003 was released. Exchange 2007/IIS7 is rock solid. You should already have a commercial SSL certificate on it, that is all you need to do. Lots of servers directly exposed without any problems.

The risks come down to the users. If the users can set their password as "password" or their name, then it can be abused. However if you have proper security purposes then it shouldn't be a problem.

Simon.
0
 
LVL 17

Expert Comment

by:OriNetworks
ID: 24382042
I agree with Mestha, in older versions it would involve the risk of IIS exploits that might give "hackers" access to your server and therefore access to your internal network but server 2008 with exch2007 is pretty secure. Just try to follow best practices for installation and configuration and you should be ok.
0
 
LVL 17

Expert Comment

by:ccomley
ID: 24382903
Agree with the above - added points.

- passwords - REALLY REALLY means it, and not just for ordinary users but for ANY account. Any guessable password/account name combo is a weak spot which can see you being spam central inside 24 hours.

If you want to be "more sure" then you can consider the following additional steps.

1) Deep Packet Inspection, Intrusion Detection/Prevention. Some firewalls don't just look at the IP address and port number but actually look INSIDE the packet to make sure it *is* of the intended type, so no tricks can be played by using unusual port addresses, etc. These systems also have "fingerprint" detection for the sorts of packets that an attempted abuse will send.

2) DMZ. Set up a *proper* DMZ and put the/a WAN facing OWA server there. That way, if anyone does compromise the OWA server, they're still outside your main network. This won't work with SBS, of course, where your OWA server is your only server, but if you can add a second Server2008/ES machine as a front-end box to the domain, and put THAT outside the LAN...

3) Consider an SSL-VPN solution, so that you don't expose the ES directly to the WAN, rather, legit users have access to the SSL-VPN appliance which then allows them to access the exchange server.
0
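Both Mestha and ccomley make the same point: once the Exchange front end is reachable over HTTPS, weak or guessable passwords are the realistic risk, so the control that goes with a password policy is noticing guessing attempts when they happen. The following is an added example, not code from the thread or from Microsoft: a Python script that reads IIS W3C logs from an Exchange 2007 CAS and flags source IPs with a burst of authentication failures in a short window. The log lines are constructed for the example. The reading of status 401 substatus 1 as "logon failed" (versus 401.2, the bare authentication challenge that every Basic/Integrated client triggers before sending credentials) follows IIS's documented substatus codes; the assumption that a failed forms-based OWA logon shows up as a redirect back to `/owa/auth/logon.aspx` with `reason=2` is an assumption of this example, so check it against your own logs.

```python
"""Flag password-guessing against an HTTPS-exposed Exchange front end
(OWA, Outlook Anywhere, ActiveSync) from IIS W3C extended logs.

Added example; the sample log below is constructed, not captured.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: one host (203.0.113.7) hammering /rpc and OWA,
# one legitimate user (198.51.100.20) who mistypes a password once.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2009-05-13 08:00:01 10.0.0.5 GET /rpc/rpcproxy.dll - 443 - 203.0.113.7 MSRPC 401 2 5 1
2009-05-13 08:00:02 10.0.0.5 GET /rpc/rpcproxy.dll - 443 administrator 203.0.113.7 MSRPC 401 1 1326 3
2009-05-13 08:00:05 10.0.0.5 GET /rpc/rpcproxy.dll - 443 administrator 203.0.113.7 MSRPC 401 1 1326 3
2009-05-13 08:00:09 10.0.0.5 GET /Microsoft-Server-ActiveSync - 443 jsmith 203.0.113.7 MSRPC 401 1 1326 2
2009-05-13 08:00:30 10.0.0.5 GET /rpc/rpcproxy.dll - 443 - 198.51.100.20 MSRPC 401 2 5 1
2009-05-13 08:00:31 10.0.0.5 GET /rpc/rpcproxy.dll - 443 mjones 198.51.100.20 MSRPC 200 0 0 45
2009-05-13 08:01:10 10.0.0.5 POST /owa/auth/owaauth.dll - 443 - 203.0.113.7 Mozilla/4.0 302 0 0 120
2009-05-13 08:01:10 10.0.0.5 GET /owa/auth/logon.aspx reason=2 443 - 203.0.113.7 Mozilla/4.0 200 0 0 10
2009-05-13 08:02:30 10.0.0.5 GET /owa/auth/logon.aspx reason=2 443 - 203.0.113.7 Mozilla/4.0 200 0 0 10
2009-05-13 08:03:45 10.0.0.5 GET /owa/auth/logon.aspx reason=2 443 - 203.0.113.7 Mozilla/4.0 200 0 0 10
2009-05-13 08:20:00 10.0.0.5 GET /owa/auth/logon.aspx reason=2 443 - 198.51.100.20 Mozilla/4.0 200 0 0 10
2009-05-13 08:20:20 10.0.0.5 GET /owa/ - 443 mjones 198.51.100.20 Mozilla/4.0 200 0 0 80
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in #Fields."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):  # malformed line: skip rather than guess
            continue
        yield dict(zip(fields, parts))


def is_auth_failure(rec):
    """True if the request records a rejected credential, not a mere challenge."""
    # IIS: 401.1 = logon failed (bad credentials); 401.2 is the initial
    # challenge every Basic/Integrated client receives, so it must not count.
    if rec.get("sc-status") == "401" and rec.get("sc-substatus") == "1":
        return True
    # Forms-based OWA logon (ASSUMPTION of this example): a failed logon
    # bounces the browser back to logon.aspx with reason=2 in the query.
    if (rec.get("cs-uri-stem", "").lower() == "/owa/auth/logon.aspx"
            and "reason=2" in rec.get("cs-uri-query", "").lower()):
        return True
    return False


def failures_by_source(records):
    """Map client IP -> list of timestamps of its authentication failures."""
    by_ip = defaultdict(list)
    for rec in records:
        if is_auth_failure(rec):
            ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            by_ip[rec["c-ip"]].append(ts)
    return by_ip


def guessing_sources(text, threshold=5, window_seconds=600):
    """Return {ip: peak failures inside any window} for IPs at/above threshold.

    A sliding window over the sorted failure times catches a burst even if
    the same IP is quiet for most of the log.
    """
    hits = {}
    for ip, times in failures_by_source(parse_w3c(text)).items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[ip] = peak
    return hits


if __name__ == "__main__":
    for ip, n in guessing_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} authentication failures within 10 minutes")
```

On a real CAS, point `parse_w3c` at the files under the site's IIS log directory (by default `C:\inetpub\logs\LogFiles\W3SVC1\` on Windows 2008) and feed the resulting IPs to whatever you already use to block at the Check Point firewall or to review account lockouts. Two caveats from the logic above: a NAT gateway or proxy in front of many users will aggregate their typos onto one IP, so tune `threshold` per source rather than lowering it globally; and counting per `cs-username` across many IPs (the same loop, keyed on the username field) is the complementary check for slow guessing against a single account.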
 
LVL 65

Expert Comment

by:Mestha
ID: 24394226
OWA in a DMZ doesn't help with network security at all. The only thing that can be placed in a DMZ is an ISA server. The only Exchange 2007 role supported in a DMZ is Edge, the CAS functionality is not.

Simon.
0
