From: Kenneth Wygand (KWygand@customonline.com)
Date: Thu Dec 11 2003 - 11:47:20 GMT-3
All you security buffs out there!!!
This design relates to a Pix 515 with three interfaces: 1 outside, 1 inside, 1 DMZ.
I am looking for opinions and "best practice" sources on where to place a mail server when there is no "front end / back end" considerations (where the front-end server would go in the DMZ and the back-end server would go internally). When a single mail server (say, Exchange 2000) is placed in the DMZ that needs to integrate with AD, several (between 8 and 12, I believe) ports need to be opened to allow AD communication to take place.
The implications of putting the mail server in the DMZ includes allowing SMTP and HTTP traffic from anyone on the outside to that particular server (DMZ). Additionally, all 8 to 12 AD-related ports (depending on the role of the server) must be opened from the mail server in the DMZ to the AD server(s) internally.
The implications of putting the mail server internally include allowing SMTP and HTTP traffic from anyone on the outside to that particular server (internal).
Is putting the mail server in the DMZ a more secure solution, thinking like a hacker? Some feel that leaving all the AD ports open from the DMZ to the inside leaves a more insecure solution. I have searched for Microsoft's and NSA's "Best Practices" but haven't been able to find anything just yet.
Any and all suggestions are welcome!
Thanks!
Ken
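As an added illustration (not part of Ken's post) of what the DMZ option looks like when the DMZ-to-inside opening is kept as narrow as the design allows: a PIX 6.x-style configuration fragment in which only SMTP and HTTP reach the mail server from outside, and only the mail server may talk to one named domain controller on the AD ports. All addresses are constructed; the AD port list below is an assumed subset (LDAP, Kerberos, DNS, RPC endpoint mapper, SMB, Global Catalog), since the post does not enumerate the 8 to 12 ports and the exact set depends on the server's role.

```text
! DMZ interface (constructed addressing; 203.0.113.10 is the public NAT address)
nameif ethernet2 dmz security50
ip address dmz 192.168.2.1 255.255.255.0
static (dmz,outside) 203.0.113.10 192.168.2.10 netmask 255.255.255.255

! Outside -> DMZ: only the two services the post says must be exposed
access-list outside_in permit tcp any host 203.0.113.10 eq smtp
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in deny ip any any
access-group outside_in in interface outside

! DMZ -> inside: only the mail server, only one DC (10.0.0.5), only AD ports
! (assumed subset; add or remove entries to match the server's role)
static (inside,dmz) 10.0.0.5 10.0.0.5 netmask 255.255.255.255
access-list dmz_in permit tcp host 192.168.2.10 host 10.0.0.5 eq 389
access-list dmz_in permit udp host 192.168.2.10 host 10.0.0.5 eq 389
access-list dmz_in permit tcp host 192.168.2.10 host 10.0.0.5 eq 88
access-list dmz_in permit udp host 192.168.2.10 host 10.0.0.5 eq 88
access-list dmz_in permit udp host 192.168.2.10 host 10.0.0.5 eq domain
access-list dmz_in permit tcp host 192.168.2.10 host 10.0.0.5 eq 135
access-list dmz_in permit tcp host 192.168.2.10 host 10.0.0.5 eq 445
access-list dmz_in permit tcp host 192.168.2.10 host 10.0.0.5 eq 3268
! everything else from the DMZ, including the mail server itself, is dropped
access-list dmz_in deny ip any any
access-group dmz_in in interface dmz
```

The point of the explicit `host`/`host` pairs and the trailing deny is that a compromised DMZ mail server can reach exactly one inside host on an enumerated port list, rather than the whole inside segment; note that MS-RPC traffic to a DC also uses dynamic high ports unless the DC is configured to pin them, so a real rule set needs that range or the registry restriction as well.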
This archive was generated by hypermail 2.1.4 : Sat Jan 03 2004 - 08:25:39 GMT-3