Solved

If you open an email server on the internal network to allow HTTPS traffic through the firewall only to that server, what are the risks?

Posted on 2009-05-13
Last Modified: 2013-11-16
Looking at the dangers and risks of doing this - what sort of attacks can be launched against the server? How can you reduce these risks?

It is a Windows 2008 server running Exchange 2007 on a LAN. The firewall is a Check Point firewall which locks down to only web browsing, POP3/SMTP to the Exchange server.

We open a port for HTTPS, NATting an external address to the internal IP.

I know it is not the best option for supplying Client Server portion to the users, but say it was the only way.
Question by:CaringIT
LVL 65

Accepted Solution

by:
Mestha earned 250 total points
ID: 24379817
IIS exclusive to Exchange hasn't been compromised since IIS6/Exchange 2003 was released. Exchange 2007/IIS7 is rock solid. You should already have a commercial SSL certificate on it, that is all you need to do. Lots of servers directly exposed without any problems.

The risks come down to the users. If the users can set their password as "password" or their name, then it can be abused. However if you have proper security purposes then it shouldn't be a problem.

Simon.
LVL 17

Expert Comment

by:OriNetworks
ID: 24382042
I agree with Mestha, in older versions it would involve the risk of IIS exploits that might give "hackers" access to your server and therefore access to your internal network but server 2008 with exch2007 is pretty secure. Just try to follow best practices for installation and configuration and you should be ok.
LVL 16

Expert Comment

by:ccomley
ID: 24382903
Agree with the above - added points.

- passwords - REALLY REALLY means it, and not just for ordinary users but for ANY account. Any guessable password/account name combo is a weak spot which can see you being spam central inside 24 hours.

If you want to be "more sure" then you can consider the following additional steps.

1) Deep Packet Inspection, Intrusion Detection/Prevention. Some firewalls don't just look at the IP address and port number but actually look INSIDE the packet to make sure it *is* of the intended type, so no tricks can be played by using unusual port addresses, etc. These systems also have "fingerprint" detection for the sorts of packets that an attempted abuse will send.

2) DMZ. Set up a *proper* DMZ and put the/a WAN facing OWA server there. That way, if anyone does compromise the OWA server, they're still outside your main network. This won't work with SBS, of course, where your OWA server is your only server, but if you can add a second Server2008/ES machine as a front-end box to the domain, and put THAT outside the LAN...

3) Consider an SSL-VPN solution, so that you don't expose the ES directly to the WAN, rather, legit users have access to the SSL-VPN appliance which then allows them to access the exchange server.
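Mestha's accepted answer and ccomley's first point both put the main risk of an exposed OWA/CAS on guessable passwords. As an added example (not from this thread or any of its posters), here is a small Python check that reads IIS W3C logs from the client-access server and flags source IPs that hammer the logon endpoint; the #Fields layout, the /owa/auth/owaauth.dll logon path and treating sc-status 401 as an authentication challenge are assumptions, and the log excerpt is constructed.

```python
"""Flag password-guessing against an Internet-facing Exchange CAS from IIS W3C logs.
Assumptions (not from the thread): W3C extended logging with the #Fields line below,
OWA forms-based logon POSTs to /owa/auth/owaauth.dll, and Basic/NTLM challenges
(Outlook Anywhere, EWS, ActiveSync) returning sc-status 401."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample excerpt: 203.0.113.9 posts the logon form six times in 17 seconds.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs-username sc-status
2009-05-13 08:00:01 POST /owa/auth/owaauth.dll - 203.0.113.9 - 302
2009-05-13 08:00:03 POST /owa/auth/owaauth.dll - 203.0.113.9 - 302
2009-05-13 08:00:04 GET /owa/ - 198.51.100.20 - 302
2009-05-13 08:00:06 POST /owa/auth/owaauth.dll - 203.0.113.9 - 302
2009-05-13 08:00:09 POST /owa/auth/owaauth.dll - 198.51.100.20 - 302
2009-05-13 08:00:10 GET /owa/ - 198.51.100.20 alice 200
2009-05-13 08:00:12 POST /owa/auth/owaauth.dll - 203.0.113.9 - 302
2009-05-13 08:00:15 POST /owa/auth/owaauth.dll - 203.0.113.9 - 302
2009-05-13 08:00:18 POST /owa/auth/owaauth.dll - 203.0.113.9 - 302
2009-05-13 08:05:00 GET /rpc/rpcproxy.dll - 192.0.2.77 - 401
2009-05-13 08:05:01 GET /rpc/rpcproxy.dll - 192.0.2.77 bob 200
"""
OWA_LOGON = "/owa/auth/owaauth.dll"  # assumed Exchange 2007 forms-based logon handler

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the most recent #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def is_auth_attempt(rec):
    # A logon POST always answers 302 whether it succeeded or not, so we count
    # attempts, not failures; a 401 is also issued once per new NTLM/Basic
    # connection, so tune the threshold to your site's normal traffic.
    return (rec["cs-method"] == "POST" and rec["cs-uri-stem"].lower() == OWA_LOGON) \
        or rec["sc-status"] == "401"

def find_guessers(text, threshold=5, window=timedelta(minutes=10)):
    """Return {c-ip: peak attempts} for IPs reaching threshold attempts inside one window."""
    recent, flagged = defaultdict(deque), {}
    for rec in parse_w3c(text):
        if not is_auth_attempt(rec):
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        q = recent[rec["c-ip"]]
        q.append(ts)
        while ts - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["c-ip"]] = max(flagged.get(rec["c-ip"], 0), len(q))
    return flagged
```

Run it over the CAS's daily log (`find_guessers(open(path).read())`) and feed the flagged addresses to whatever blocking or alerting the firewall supports; account lockout policy still has to be set in the domain, this only tells you who is trying.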
LVL 65

Expert Comment

by:Mestha
ID: 24394226
OWA in a DMZ doesn't help with network security at all. The only thing that can be placed in a DMZ is an ISA server. The only Exchange 2007 role supported in a DMZ is Edge, the CAS functionality is not.

Simon.
