From: Anthony Macaluso (tmmacaluso@msn.com)
Date: Thu Dec 11 2003 - 13:10:10 GMT-3
Kenneth,
I have implemented this several times with success (Front-End/Back-End
Exchange Topology) with a Pix as the firewall. In my opinion, it is safer
to never open internal ports to the outside (allowing TCP 25 to internal
network).
Make sure on the Exchange servers that you use SP3. The first setup I did
was pre-SP1. SP2 broke the front-end/back-end topology and the Pix had to
be reconfigured (different ports were required). SP3 completely overhauled
the communications between front-end servers and any DCs that are internal.
Since then, this setup has worked flawlessly.
Again, why expose any internal machines directly to the outside if you don't
have to...
Tony Macaluso
>From: "Kenneth Wygand" <KWygand@customonline.com>
>Reply-To: "Kenneth Wygand" <KWygand@customonline.com>
>To: <ccielab@groupstudy.com>
>Subject: Firewall / Security Design Question
>Date: Thu, 11 Dec 2003 09:47:20 -0500
>
>All you security buffs out there!!!
>
>This design relates to a Pix 515 with three interfaces - 1 outside, 1
>inside, 1 DMZ.
>
>I am looking for opinions and "best practice" sources on where to place a
>mail server when there is no "front end / back end" considerations (where
>the front-end server would go in the DMZ and the back-end server would go
>internally). When a single mail server (say, Exchange 2000) is placed in
>the DMZ that needs to integrate with AD, several (between 8 and 12, I
>believe) ports need to be opened to allow AD communication to take place.
>
>The implications of putting the mail server in the DMZ include allowing
>SMTP and HTTP traffic from anyone on the outside to that particular server
>(DMZ). Additionally, all 8 to 12 AD-related ports (depending on the role
>of the server) must be opened from the mail server in the DMZ to the AD
>server(s) internally.
>
>The implications of putting the mail server internally include allowing
>SMTP and HTTP traffic from anyone on the outside to that particular server
>(internal).
>
>Is putting the mail server in the DMZ a more secure solution, thinking
>like a hacker? Some feel that leaving all the AD ports open from the DMZ
>to the inside leaves a more insecure solution. I have searched for
>Microsoft's and NSA's "Best Practices" but haven't been able to find
>anything just yet.
>
>Any and all suggestions are welcome!
>
>Thanks!
>
>Ken
>
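The two placements discussed in this thread, written out as PIX 6.x access lists. This is an added illustration, not configuration from either poster; the addresses, interface names, security levels, host roles and the handful of DMZ-to-inside ports are assumptions, and the thread itself gives no exact AD port list (only "8 to 12, depending on the role of the server").

```cisco
! Three-interface PIX 515 as described in the question (levels assumed)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

! --- Placement A: single mail server on the inside ---------------------
! TCP 25 and 80 are published straight through to an internal host, which
! is exactly what the reply argues against.  Shown for contrast; do not
! apply together with placement B.
static (inside,outside) 192.0.2.25 10.0.0.25 netmask 255.255.255.255
access-list weak_outside_in permit tcp any host 192.0.2.25 eq smtp
access-list weak_outside_in permit tcp any host 192.0.2.25 eq www
access-group weak_outside_in in interface outside

! --- Placement B: front-end in the DMZ, back-end and DCs inside --------
! Internet reaches only the one published DMZ address, only on the mail
! protocols it needs (SMTP, plus HTTPS for the OWA front-end).
static (dmz,outside) 192.0.2.25 172.16.1.25 netmask 255.255.255.255
access-list outside_in permit tcp any host 192.0.2.25 eq smtp
access-list outside_in permit tcp any host 192.0.2.25 eq https
access-list outside_in deny ip any any log
access-group outside_in in interface outside

! DMZ to inside is the part the question worries about.  The exposure is
! bounded three ways: one source host, named destination hosts, and only
! the ports the front-end/back-end topology needs.  The ports below are
! illustrative (assumed back-end 10.0.0.10, assumed DC 10.0.0.5); the
! real set comes from the Exchange service-pack level you run.
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.0.0
access-list dmz_in permit tcp host 172.16.1.25 host 10.0.0.10 eq www
access-list dmz_in permit tcp host 172.16.1.25 host 10.0.0.5 eq ldap
access-list dmz_in permit tcp host 172.16.1.25 host 10.0.0.5 eq 88
access-list dmz_in permit udp host 172.16.1.25 host 10.0.0.5 eq domain
! Everything else from the DMZ toward the inside is dropped and logged,
! so a compromised front-end shows up in the syslog instead of reaching AD.
access-list dmz_in deny ip any any log
access-group dmz_in in interface dmz
```

The logged deny on dmz_in is the check worth watching: any hit from the front-end to an inside host/port not in the list is either a missing rule after a service pack change or a host doing something it should not.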
This archive was generated by hypermail 2.1.4 : Sat Jan 03 2004 - 08:25:39 GMT-3