Firewall Wizards mailing list archives
RE: Exchange Questions
From: Russ <Russ.Cooper () rc on ca>
Date: Tue, 18 May 1999 02:53:21 -0400
Frank W. Keeney said:
IMHO all hosts with services accessible from the Internet should be in the DMZ (or service network). Windows NT hosts such as Exchange or web servers should be in their own MS Domain. Then set up a one-way MS Domain trust so the external domains trust the internal domains but not the other way around.
FYI. NT Domain Trusts require password changes on a regular basis (i.e. 15 days). This password change is for the Trust alone. l0phtcrack could sniff and decrypt it, particularly if LanMan hashes have not been disabled. It also introduces an oft-complained-about issue in WAN environments, namely, if for any reason the new password process fails, the Trust is down'd, and must be created anew.

I would ask anyone who is paranoid of SMTP to explain why that paranoia is believed to be applicable to MS Exchange Server. IMO, there is no known translation of known SMTP vulnerabilities against MS Exchange Server. I would be happy to hear of any I'm unaware of. SMTP Relay is the only issue I can think of, and a DMZ does nothing to assist with it. If the issue is the stability of an MS NT TCP/IP stack against malformed packets, this should be dealt with by the FW-1 box regardless of DMZ.

I can fully appreciate the "by-the-book" approach to putting such servers in a DMZ, but when the question is specific, the answer should be more than "well, that's how I've always seen it done before". IMNSHO, a DMZ'd MS Exchange Server (in a different NT domain or otherwise) does absolutely nothing but add to the complexity of an already complex FW-1 installation. It also adds to the overall cost of the implementation, as well as the complexity of the Exchange installation. Cost is added due to a 2nd, totally unnecessary, Exchange Server license. Installation complexity comes as a result of maintaining a Site Connector (since, we assume, the DMZ'd box is going to also be in a different Exchange Site).

While this list is probably the best resource for getting information on the pros and cons of FW-1 DMZ usage, it's certainly not the best place to get MS Exchange Server advice. The MS Exchange Server mailing list can be found through <http://www.msexchange.org>.

Given MS Exchange Server's current lack of Sendmail-like vulnerabilities, one must also be extremely wary about introducing such possibilities by placing something in front of the Exchange Server's SMTP connector. *THIS IS DEFINITELY NOT A REFERENCE TO CYBERWALL/PLUS*, but instead a reference to ideas that some sort of SMTP forwarding server be placed in the DMZ instead of an Exchange Server. Be very careful that the layers of the onion you're trying to create don't make you cry too much...;-]

Cheers,
Russ - NTBugtraq Editor
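Russ's point above is that SMTP relay is a policy of the mail server itself and that network placement (a DMZ) does nothing about it. The check a practitioner would run from the outside against an Exchange SMTP connector, or any MTA, is an open-relay probe: connect, give an external sender, and see whether the server accepts an external recipient. The script below is an added example, not code from the post or the list archive; it pairs that probe with a constructed single-connection SMTP responder whose relay policy can be switched on or off, so the exchange runs offline. All host and domain names (mail.example.com, outside.invalid, elsewhere.invalid) are made up.

```python
"""Open-relay probe against a toy SMTP responder (added example, constructed)."""
import smtplib
import socket
import threading

# Constructed: domains the toy server is authoritative for.
LOCAL_DOMAINS = {"example.com"}


class MiniSMTPServer(threading.Thread):
    """Single-connection SMTP responder with a switchable relay policy.

    open_relay=True accepts every RCPT TO (the misconfiguration the probe
    detects); open_relay=False accepts only recipients in LOCAL_DOMAINS,
    which is the per-recipient policy a correctly configured MTA enforces.
    This is a stand-in for the test, not a real MTA.
    """

    def __init__(self, open_relay: bool):
        super().__init__(daemon=True)
        self.open_relay = open_relay
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))  # ephemeral port, loopback only
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]

    def run(self):
        conn, _ = self.sock.accept()
        self.sock.close()
        with conn, conn.makefile("rb") as rd:
            conn.sendall(b"220 mail.example.com ESMTP toy\r\n")
            for raw in rd:
                verb, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
                verb = verb.upper()
                if verb in ("HELO", "EHLO"):
                    conn.sendall(b"250 mail.example.com\r\n")
                elif verb == "MAIL":
                    # Relay policy does not key on the envelope sender.
                    conn.sendall(b"250 OK\r\n")
                elif verb == "RCPT":
                    # arg is "TO:<user@domain>"; policy keys on the recipient domain.
                    rcpt = arg.partition(":")[2].strip().strip("<>")
                    domain = rcpt.rpartition("@")[2].lower()
                    if self.open_relay or domain in LOCAL_DOMAINS:
                        conn.sendall(b"250 OK\r\n")
                    else:
                        conn.sendall(b"550 5.7.1 Relaying denied\r\n")
                elif verb in ("RSET", "NOOP"):
                    conn.sendall(b"250 OK\r\n")
                elif verb == "QUIT":
                    conn.sendall(b"221 Bye\r\n")
                    break
                else:
                    conn.sendall(b"502 Command not implemented\r\n")


def probe_relay(host: str, port: int) -> dict:
    """Ask the server to relay external -> external and report what it accepted.

    A 250 to the third-party recipient means open relay. A 250 only to the
    server's own domain means relay is denied per recipient, which is the
    behaviour a DMZ cannot provide and the MTA configuration must.
    """
    with smtplib.SMTP(host, port, timeout=5) as s:
        s.ehlo_or_helo_if_needed()
        code, _ = s.mail("attacker@outside.invalid")       # constructed external sender
        if code != 250:
            raise RuntimeError("server rejected MAIL FROM; cannot test relay")
        local_code, _ = s.rcpt("postmaster@example.com")    # recipient the server owns
        relay_code, _ = s.rcpt("victim@elsewhere.invalid")  # third-party recipient
        s.rset()  # never submit a message body; RCPT responses are the verdict
    return {"local_accepted": local_code == 250,
            "relay_accepted": relay_code == 250}


def check_policy(open_relay: bool) -> dict:
    """Start the toy server with the given relay policy and probe it."""
    srv = MiniSMTPServer(open_relay)
    srv.start()
    result = probe_relay("127.0.0.1", srv.port)
    srv.join(timeout=5)
    return result


if __name__ == "__main__":
    print("open relay  :", check_policy(True))
    print("closed relay:", check_policy(False))
```

Against a real server you would call `probe_relay()` with its address from a host outside the organisation, since many MTAs relay freely for source addresses they consider internal; a probe from the LAN proves nothing about what the Internet sees.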
Current thread:
- Exchange Questions Rex Murphy (May 13)
- <Possible follow-ups>
- RE: Exchange Questions Danny Walker (May 16)
- RE: Exchange Questions Russ (May 16)
- RE: Exchange Questions cschuttg (May 16)
- RE: Exchange Questions Frank W. Keeney (May 16)
- RE: Exchange Questions sean . kelly (May 17)
- RE: Exchange Questions Frank W. Keeney (May 17)
- RE: Exchange Questions Russ (May 18)
- RE: Exchange Questions Frank W. Keeney (May 18)