Solved

If you open an email server on the internal network to allow HTTPS traffic through the firewall only to that server, what are the risks?

Posted on 2009-05-13
268 Views
Last Modified: 2013-11-16
Looking at the dangers and risks of doing this - what sort of attacks can be launched against the server? How can you reduce these risks?

It is a Windows 2008 server running Exchange 2007 on a LAN. The firewall is a Check Point firewall which locks down to only web browsing, pop3/smtp to the exchange server.

We open a port for HTTPS, natting an external address to the internal IP.

I know it is not the best option for supplying Client Server portion to the users, but say it was the only way.
Question by:CaringIT
4 Comments
LVL 65

Accepted Solution

by:
Mestha earned 250 total points
IIS exclusive to Exchange hasn't been compromised since IIS6/Exchange 2003 was released. Exchange 2007/IIS7 is rock solid. You should already have a commercial SSL certificate on it; that is all you need to do. Lots of servers are directly exposed without any problems.

The risks come down to the users. If the users can set their password as "password" or their name, then it can be abused. However if you have proper security purposes then it shouldn't be a problem.

Simon.
LVL 17

Expert Comment

by:OriNetworks
I agree with Mestha. In older versions it would involve the risk of IIS exploits that might give "hackers" access to your server and therefore access to your internal network, but Server 2008 with Exchange 2007 is pretty secure. Just try to follow best practices for installation and configuration and you should be ok.
LVL 16

Expert Comment

by:ccomley
Agree with the above - added points.

- passwords - REALLY REALLY means it, and not just for ordinary users but for ANY account. Any guessable password/account name combo is a weak spot which can see you being spam central inside 24 hours.

If you want to be "more sure" then you can consider the following additional steps.

1) Deep Packet Inspection, Intrusion Detection/Prevention. Some firewalls don't just look at the IP address and port number but actually look INSIDE the packet to make sure it *is* of the intended type, so no tricks can be played by using unusual port addresses, etc. These systems also have "fingerprint" detection for the sorts of packets that an attempted abuse will send.

2) DMZ. Set up a *proper* DMZ and put the/a WAN facing OWA server there. That way, if anyone does compromise the OWA server, they're still outside your main network. This won't work with SBS, of course, where your OWA server is your only server, but if you can add a second Server2008/ES machine as a front-end box to the domain, and put THAT outside the LAN...

3) Consider an SSL-VPN solution, so that you don't expose the ES directly to the WAN, rather, legit users have access to the SSL-VPN appliance which then allows them to access the exchange server.
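The password point above is the one a defender can actually measure: an exposed OWA server gets guessed at, and the IIS log on the Exchange box is where that shows up. The following is an added example, not code from this thread or from Microsoft. It assumes IIS logging in W3C extended format with the `#Fields:` line shown, treats any HTTP 401 on a `/owa` request as a rejected logon, and flags a client IP that either racks up many failures in a short window or tries several different account names. The log lines, IP addresses, account names and thresholds are all constructed for illustration.

```python
"""Flag password guessing against an exposed OWA from IIS W3C logs.

Added example for illustration; not from the thread. Assumes IIS writes
W3C extended logs with the field list in the #Fields line below.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # rejected logons from one client IP ...
WINDOW = timedelta(minutes=10)  # ... within this span trips the rule
SPRAY_THRESHOLD = 3             # distinct account names tried from one IP

# Constructed sample log: a user who mistyped once (192.0.2.44), a client
# hammering one account (203.0.113.7), and a slow spray across several
# names (198.51.100.9). IIS encodes spaces in the user agent as '+'.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-05-13 08:00:01 10.0.0.5 GET /owa/ - 443 - 192.0.2.44 Mozilla/4.0+(compatible) 401 2 5
2009-05-13 08:00:02 10.0.0.5 GET /owa/ - 443 mwhite 192.0.2.44 Mozilla/4.0+(compatible) 200 0 0
2009-05-13 08:05:10 10.0.0.5 POST /owa/ - 443 jsmith 203.0.113.7 curl/7.19 401 1 1326
2009-05-13 08:05:15 10.0.0.5 POST /owa/ - 443 jsmith 203.0.113.7 curl/7.19 401 1 1326
2009-05-13 08:05:21 10.0.0.5 POST /owa/ - 443 jsmith 203.0.113.7 curl/7.19 401 1 1326
2009-05-13 08:05:27 10.0.0.5 POST /owa/ - 443 jsmith 203.0.113.7 curl/7.19 401 1 1326
2009-05-13 08:05:33 10.0.0.5 POST /owa/ - 443 jsmith 203.0.113.7 curl/7.19 401 1 1326
2009-05-13 08:05:40 10.0.0.5 POST /owa/ - 443 jsmith 203.0.113.7 curl/7.19 401 1 1326
2009-05-13 08:10:00 10.0.0.5 GET /owa/ - 443 admin 198.51.100.9 python-urllib/2.6 401 1 1326
2009-05-13 08:30:00 10.0.0.5 GET /owa/ - 443 administrator 198.51.100.9 python-urllib/2.6 401 1 1326
2009-05-13 08:50:00 10.0.0.5 GET /owa/ - 443 test 198.51.100.9 python-urllib/2.6 401 1 1326
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in #Fields."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # cannot map this line to the declared fields; skip it
        yield dict(zip(fields, parts))


def failed_owa_logons(records):
    """Return (timestamp, client_ip, username) for rejected OWA requests.

    A 401 is the server refusing the supplied credentials (or asking for
    them); cs-username is '-' when IIS recorded no name for the request.
    """
    out = []
    for r in records:
        if not r["cs-uri-stem"].lower().startswith("/owa"):
            continue
        if r["sc-status"] != "401":
            continue
        ts = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
        out.append((ts, r["c-ip"], r["cs-username"]))
    return out


def detect_guessing(text):
    """Return {client_ip: {"failures": n, "accounts": [...]}} for offenders.

    "failures" is the largest number of 401s from that IP inside any
    WINDOW-long span; "accounts" lists the distinct names it tried.
    """
    events = sorted(failed_owa_logons(parse_w3c(text)))
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))
    findings = {}
    for ip, hits in by_ip.items():
        best, start = 0, 0
        for end in range(len(hits)):          # sliding window over time
            while hits[end][0] - hits[start][0] > WINDOW:
                start += 1
            best = max(best, end - start + 1)
        accounts = sorted({u for _, u in hits if u != "-"})
        if best >= FAIL_THRESHOLD or len(accounts) >= SPRAY_THRESHOLD:
            findings[ip] = {"failures": best, "accounts": accounts}
    return findings


if __name__ == "__main__":
    for ip, info in detect_guessing(SAMPLE_LOG).items():
        print(ip, info)
```

Run it against a real log by reading the file into `detect_guessing` in place of `SAMPLE_LOG`. The two rules are deliberately separate: a burst of failures against one account is the classic brute force, while a handful of failures spread over hours across many names is the slow spray that a per-account lockout policy never triggers on. The thresholds are starting points to tune against your own traffic, and a hit is a reason to look at the firewall log for that source address, not proof of compromise on its own.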
LVL 65

Expert Comment

by:Mestha
OWA in a DMZ doesn't help with network security at all. The only thing that can be placed in a DMZ is an ISA server. The only Exchange 2007 role supported in a DMZ is Edge, the CAS functionality is not.

Simon.