Solved

If you open an email server on the internal network to allow HTTPS traffic through the firewall only to that server, what are the risks?

Posted on 2009-05-13
4
273 Views
Last Modified: 2013-11-16
Looking at the dangers and risks of doing this - what sort of attacks can be launched against the server?  How can you reduce these risks?

It is a Windows 2008 server running Exchange 2007 on a LAN.  The firewall is a Check Point firewall which locks down to only web browsing, POP3/SMTP to the Exchange server.

We open a port for HTTPS, NATing an external address to the internal IP.

I know it is not the best option for supplying Client Server portion to the users, but say it was the only way.
0
Question by:CaringIT
4 Comments
 
LVL 65

Accepted Solution

by:
Mestha earned 250 total points
ID: 24379817
IIS exclusive to Exchange hasn't been compromised since IIS6/Exchange 2003 was released. Exchange 2007/IIS7 is rock solid. You should already have a commercial SSL certificate on it; that is all you need to do. Lots of servers are directly exposed without any problems.

The risks come down to the users. If the users can set their password as "password" or their name, then it can be abused. However if you have proper security purposes then it shouldn't be a problem.

Simon.
0
 
LVL 17

Expert Comment

by:OriNetworks
ID: 24382042
I agree with Mestha. In older versions it would involve the risk of IIS exploits that might give "hackers" access to your server and therefore access to your internal network, but Server 2008 with Exchange 2007 is pretty secure. Just try to follow best practices for installation and configuration and you should be OK.
0
 
LVL 17

Expert Comment

by:ccomley
ID: 24382903
Agree with the above - added points.

- passwords - REALLY REALLY means it, and not just for ordinary users but for ANY account. Any guessable password/account name combo is a weak spot which can see you being spam central inside 24 hours.

If you want to be "more sure" then you can consider the following additional steps.

1) Deep Packet Inspection, Intrusion Detection/Prevention. Some firewalls don't just look at the IP address and port number but actually look INSIDE the packet to make sure it *is* of the intended type, so no tricks can be played by using unusual port addresses, etc. These systems also have "fingerprint" detection for the sorts of packets that an attempted abuse will send.

2) DMZ. Set up a *proper* DMZ and put the/a WAN facing OWA server there. That way, if anyone does compromise the OWA server, they're still outside your main network. This won't work with SBS, of course, where your OWA server is your only server, but if you can add a second Server2008/ES machine as a front-end box to the domain, and put THAT outside the LAN...

3) Consider an SSL-VPN solution, so that you don't expose the ES directly to the WAN, rather, legit users have access to the SSL-VPN appliance which then allows them to access the exchange server.
0
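The risk the answers above keep returning to is guessable passwords on an OWA that anyone on the internet can reach, and ccomley's point 1 is about fingerprinting that abuse at the firewall. The same signal is available on the server itself: IIS logs every logon attempt. The script below is an added example for this thread, not code from the question or any of the answers. It assumes (these are assumptions, not facts from the page) that IIS 7 writes its default space-separated W3C fields, and that a Basic-authentication logon that fails is logged as HTTP 401 with the attempted account in cs-username. Forms-based OWA logon fails differently (a redirect back to logon.aspx), so confirm what your own server emits before trusting the status filter. The sample log lines are constructed for the example.

```python
"""Spot password guessing against an internet-facing OWA in IIS W3C logs.

Added example for this thread, not code from the question or the answers.
Assumptions (not taken from the page): IIS 7 logs in the default W3C
space-separated format with the field list below, and a logon attempt that
fails with Basic authentication is logged as HTTP 401 with the attempted
account in cs-username.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Default IIS 7 W3C field order; a "#Fields:" directive in the log overrides it.
DEFAULT_FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
                  "cs-username c-ip cs(User-Agent) sc-status sc-substatus "
                  "sc-win32-status time-taken").split()


def parse_w3c(lines):
    """Yield one dict per request line, honouring "#Fields:" directives."""
    fields = list(DEFAULT_FIELDS)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed line: skip rather than guess
        yield dict(zip(fields, parts))


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_guessing(lines, window=timedelta(minutes=10), spray_users=5,
                  brute_attempts=10, paths=("/owa",)):
    """Return (sprayers, brute_forced).

    sprayers:     {client IP: sorted accounts} for IPs that failed against
                  at least `spray_users` distinct accounts (password spraying).
    brute_forced: {account: failures} for accounts with at least
                  `brute_attempts` failures inside any `window` (brute force).
    """
    users_by_ip = defaultdict(set)
    times_by_user = defaultdict(list)
    for rec in parse_w3c(lines):
        if not rec["cs-uri-stem"].lower().startswith(paths):
            continue
        if rec["sc-status"] != "401":
            continue
        user = rec["cs-username"].lower()
        if user == "-":
            continue  # bare challenge: no credentials were presented yet
        ts = datetime.strptime(rec["date"] + " " + rec["time"],
                               "%Y-%m-%d %H:%M:%S")
        users_by_ip[rec["c-ip"]].add(user)
        times_by_user[user].append(ts)

    sprayers = {ip: sorted(u) for ip, u in users_by_ip.items()
                if len(u) >= spray_users}
    brute_forced = {}
    for user, times in times_by_user.items():
        n = max_in_window(times, window)
        if n >= brute_attempts:
            brute_forced[user] = n
    return sprayers, brute_forced


# Constructed sample log (not real traffic): one IP sprays six accounts once
# each, another hammers the admin account, a legitimate user mistypes once,
# and an Outlook Anywhere failure under /rpc is outside the /owa filter.
UA = "Mozilla/4.0+(compatible;+MSIE+7.0)"
CONSTRUCTED_LOG = [
    "#Software: Microsoft Internet Information Services 7.0",
    "#Fields: " + " ".join(DEFAULT_FIELDS),
    f"2009-05-13 08:00:00 10.0.0.5 GET /owa/ - 443 - 203.0.113.7 {UA} 401 2 5 0",
]
for i, name in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
    CONSTRUCTED_LOG.append(
        f"2009-05-13 08:00:{i + 1:02d} 10.0.0.5 GET /owa/ - 443 corp\\{name} "
        f"203.0.113.7 {UA} 401 1 1326 31")
for i in range(12):
    CONSTRUCTED_LOG.append(
        f"2009-05-13 08:05:{5 * i:02d} 10.0.0.5 GET /owa/ - 443 corp\\admin "
        f"198.51.100.9 curl/7.19 401 1 1326 8")
CONSTRUCTED_LOG += [
    f"2009-05-13 08:10:00 10.0.0.5 GET /owa/ - 443 corp\\alice 192.0.2.20 {UA} 401 1 1326 31",
    f"2009-05-13 08:10:05 10.0.0.5 GET /owa/ - 443 corp\\alice 192.0.2.20 {UA} 200 0 0 47",
    "2009-05-13 08:11:00 10.0.0.5 RPC_IN_DATA /rpc/rpcproxy.dll - 443 corp\\bob 192.0.2.20 MSRPC 401 1 1326 3",
]

if __name__ == "__main__":
    sprayers, brute = find_guessing(CONSTRUCTED_LOG)
    for ip, accounts in sprayers.items():
        print(f"spray from {ip}: {len(accounts)} accounts tried")
    for user, n in brute.items():
        print(f"brute force on {user}: {n} failures inside the window")
```

Run it against the real log directory (pass `open(path)` instead of the constructed list) and feed the flagged source IPs to the Check Point rule base or an IPS block list; the thresholds are deliberately parameters, because a tolerant window that is right for a 50-user site will drown a 5,000-user one in false positives.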
 
LVL 65

Expert Comment

by:Mestha
ID: 24394226
OWA in a DMZ doesn't help with network security at all. The only thing that can be placed in a DMZ is an ISA server. The only Exchange 2007 role supported in a DMZ is Edge, the CAS functionality is not.

Simon.
0
