If you open an email server on the internal network to allow HTTPS traffic through the firewall only to that server, what are the risks?

Looking at the dangers and risks of doing this: what sort of attacks can be launched against the server? How can you reduce these risks?

It is a Windows 2008 server running Exchange 2007 on a LAN. The firewall is a Check Point firewall which locks down to only web browsing and POP3/SMTP to the Exchange server.

We open a port for HTTPS, NATing an external address to the internal IP.

I know it is not the best option for supplying the client/server portion to the users, but say it was the only way.
Asked by: CaringIT
1 Solution
 
Mestha commented:
IIS exclusive to Exchange hasn't been compromised since IIS6/Exchange 2003 was released. Exchange 2007/IIS7 is rock solid. You should already have a commercial SSL certificate on it; that is all you need to do. Lots of servers are directly exposed without any problems.

The risks come down to the users. If the users can set their password as "password" or their name, then it can be abused. However if you have proper security purposes then it shouldn't be a problem.

Simon.
OriNetworks commented:
I agree with Mestha. In older versions there would be a risk of IIS exploits that might give "hackers" access to your server and therefore access to your internal network, but Server 2008 with Exchange 2007 is pretty secure. Just try to follow best practices for installation and configuration and you should be OK.
ccomley commented:
Agree with the above - added points.

- Passwords: this REALLY REALLY means it, and not just for ordinary users but for ANY account. Any guessable password/account name combo is a weak spot which can see you being spam central inside 24 hours.

If you want to be "more sure" then you can consider the following additional steps.

1) Deep Packet Inspection, Intrusion Detection/Prevention. Some firewalls don't just look at the IP address and port number but actually look INSIDE the packet to make sure it *is* of the intended type, so no tricks can be played by using unusual port addresses, etc. These systems also have "fingerprint" detection for the sorts of packets that an attempted abuse will send.

2) DMZ. Set up a *proper* DMZ and put the/a WAN facing OWA server there. That way, if anyone does compromise the OWA server, they're still outside your main network. This won't work with SBS, of course, where your OWA server is your only server, but if you can add a second Server2008/ES machine as a front-end box to the domain, and put THAT outside the LAN...

3) Consider an SSL-VPN solution, so that you don't expose the ES directly to the WAN, rather, legit users have access to the SSL-VPN appliance which then allows them to access the exchange server.
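The two comments above agree on where the exposure actually is once OWA is published on 443: someone guessing account names and passwords against it. A practical check for that risk is to watch the IIS logs on the CAS for failed logons. The script below is an added example for this thread, not code from any of the posters or from Microsoft. It parses an IIS 7 W3C extended log using the #Fields header (so a real log with a different field order parses the same way) and raises one alert per client IP that either hammers one account (brute force) or tries several account names (spraying/enumeration). The log excerpt, the IP addresses, the account names, the list of mail-facing paths and the thresholds are all constructed for illustration. It also assumes a 401 on a mail path means a failed Basic/Integrated logon and that IIS logged the attempted cs-username; with OWA forms-based authentication the failure appears as a redirect to the logon page instead, so the predicate in is_failed_mail_logon would need to key on that.

```python
"""Detect password guessing against an Internet-facing OWA/IIS server by
reading its W3C extended log. Added example for this thread, not code from
any of the posters; the log excerpt is constructed, not a real capture."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IIS 7 W3C log. The #Fields line drives the parser, so the same
# code reads a real log whose field order differs from this one.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2010-03-01 08:00:01 10.0.0.5 GET /owa/ - 443 CORP\alice 203.0.113.10 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0
2010-03-01 08:00:02 10.0.0.5 POST /owa/ev.owa oeh=1 443 CORP\alice 203.0.113.10 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0
2010-03-01 08:01:10 10.0.0.5 GET /owa/ - 443 CORP\bob 198.51.100.7 python-urllib/2.5 401 2 5
2010-03-01 08:01:11 10.0.0.5 GET /owa/ - 443 CORP\bob 198.51.100.7 python-urllib/2.5 401 2 5
2010-03-01 08:01:12 10.0.0.5 GET /owa/ - 443 CORP\bob 198.51.100.7 python-urllib/2.5 401 2 5
2010-03-01 08:01:13 10.0.0.5 GET /owa/ - 443 CORP\bob 198.51.100.7 python-urllib/2.5 401 2 5
2010-03-01 08:01:14 10.0.0.5 GET /owa/ - 443 CORP\bob 198.51.100.7 python-urllib/2.5 401 2 5
2010-03-01 08:01:15 10.0.0.5 GET /owa/ - 443 CORP\bob 198.51.100.7 python-urllib/2.5 401 2 5
2010-03-01 08:01:16 10.0.0.5 GET /owa/ - 443 CORP\bob 198.51.100.7 python-urllib/2.5 401 2 5
2010-03-01 08:01:17 10.0.0.5 GET /owa/ - 443 CORP\bob 198.51.100.7 python-urllib/2.5 401 2 5
2010-03-01 08:01:18 10.0.0.5 GET /owa/ - 443 CORP\bob 198.51.100.7 python-urllib/2.5 401 2 5
2010-03-01 08:01:19 10.0.0.5 GET /owa/ - 443 CORP\bob 198.51.100.7 python-urllib/2.5 401 2 5
2010-03-01 08:01:20 10.0.0.5 GET /owa/ - 443 CORP\bob 198.51.100.7 python-urllib/2.5 401 2 5
2010-03-01 08:05:00 10.0.0.5 GET /exchange/ - 443 CORP\administrator 192.0.2.33 Mozilla/4.0+(compatible;+MSIE+6.0) 401 2 5
2010-03-01 08:05:01 10.0.0.5 GET /exchange/ - 443 CORP\admin 192.0.2.33 Mozilla/4.0+(compatible;+MSIE+6.0) 401 2 5
2010-03-01 08:05:02 10.0.0.5 GET /exchange/ - 443 CORP\test 192.0.2.33 Mozilla/4.0+(compatible;+MSIE+6.0) 401 2 5
2010-03-01 08:05:03 10.0.0.5 GET /exchange/ - 443 CORP\postmaster 192.0.2.33 Mozilla/4.0+(compatible;+MSIE+6.0) 401 2 5
2010-03-01 08:10:00 10.0.0.5 GET /owa/ - 443 CORP\carol 203.0.113.44 Mozilla/4.0+(compatible;+MSIE+7.0) 401 2 5
2010-03-01 08:10:08 10.0.0.5 GET /owa/ - 443 CORP\carol 203.0.113.44 Mozilla/4.0+(compatible;+MSIE+7.0) 401 2 5
2010-03-01 08:10:20 10.0.0.5 GET /owa/ - 443 CORP\carol 203.0.113.44 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0
"""

# Mail-facing virtual directories on a CAS (assumed list; trim to what the
# firewall actually publishes).
MAIL_PATHS = ('/owa', '/exchange', '/exchweb', '/public', '/rpc',
              '/microsoft-server-activesync', '/autodiscover', '/ews')


def parse_w3c(text):
    """Return one dict per data line, keyed by the names in the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith('#'):
            if line.startswith('#Fields:'):
                fields = line[len('#Fields:'):].split()
            continue
        if fields is None:
            raise ValueError('data line before #Fields header')
        values = line.split(' ')
        if len(values) != len(fields):
            continue  # skip truncated lines rather than mis-assign columns
        rows.append(dict(zip(fields, values)))
    return rows


def is_failed_mail_logon(row):
    """Assumption: a 401 on a mail path is a failed Basic/Integrated logon.
    Under OWA forms-based auth the failure is a redirect to logon.aspx instead."""
    return (row['sc-status'] == '401'
            and row['cs-uri-stem'].lower().startswith(MAIL_PATHS))


def find_guessing(rows, window=timedelta(minutes=5), max_failures=10, max_users=3):
    """One alert per client IP that exceeds either threshold: many failures
    inside `window` (brute force on one account) or many distinct account
    names (spraying / enumeration). Thresholds are illustrative only."""
    failures = defaultdict(list)                 # c-ip -> [(timestamp, username)]
    for row in rows:
        if is_failed_mail_logon(row):
            ts = datetime.strptime(row['date'] + ' ' + row['time'],
                                   '%Y-%m-%d %H:%M:%S')
            failures[row['c-ip']].append((ts, row['cs-username']))

    alerts = []
    for ip in sorted(failures):
        events = sorted(failures[ip])
        peak, start = 0, 0
        for end in range(len(events)):           # sliding window over failures
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        users = sorted({u for _, u in events if u != '-'})
        if peak >= max_failures or len(users) >= max_users:
            alerts.append({
                'ip': ip,
                'kind': 'password-spray' if len(users) >= max_users else 'brute-force',
                'peak_failures': peak,
                'total_failures': len(events),
                'users': users,
            })
    return alerts


if __name__ == '__main__':
    for a in find_guessing(parse_w3c(SAMPLE_LOG)):
        print('%(ip)s %(kind)s peak=%(peak_failures)d users=%(users)s' % a)
```

Run against the constructed log it flags 198.51.100.7 (11 failures on one account in ten seconds) and 192.0.2.33 (four different account names, including the generic ones ccomley warns about), and stays quiet about 203.0.113.44, a user who mistyped twice and then got in. Point it at a real log by replacing SAMPLE_LOG with the file contents, and feed the alerting IPs to the firewall's block list or to the lockout review in Active Directory.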
Mestha commented:
OWA in a DMZ doesn't help with network security at all. The only thing that can be placed in a DMZ is an ISA server. The only Exchange 2007 role supported in a DMZ is Edge, the CAS functionality is not.

Simon.