Exchange Server Forums
Forums |
Register |
Login |
My Profile |
Inbox |
RSS 
|
My Subscription |
My Forums |
Address Book |
Member List |
Search |
FAQ |
Ticket List |
Log Out
Just how secure is this setup---->
|
Users viewing this topic:
none
|
Logged in as: Guest
|
Login  | |
|
 Limited time MSExchange.org offer! -- 1.Sep.2008 1:00:00 PM
|
|
TechGenix and SolarWinds have partnered to provide free copies of SolarWinds Exchange Monitor to all visitors who join the MSExchange.org Forums. SolarWinds Exchange Monitor is a handy desktop dashboard that continuously monitors Microsoft Exchange to deliver real-time insight into Exchange services, mail queue sizes, and host server health. Learn more about Exchange Monitor and the free offer!
|
Just how secure is this setup----> - 7.Nov.2003 6:45:00 PM
|
|
|
jazzman42379
Posts: 17
Joined: 22.May2003
From: Montana
Status: offline
|
Hi Everyone,
I'm wanting to know if this is a secure setup for my exchange/web server, and would really like some opinions....
On my 1 public IP I have Astaro Security Linux...a wonderful firewall, that I think (hope) is keeping me quite secure. Internally, I use private IP addresses, and have only the internal network...no DMZ. I have 1 Windows 2003 DC that also hosts the internal DNS, WINS, DHCP, etc...but is not accessible from the outside at all...no rules set up to allow it. My Exchange 2003 box is the only server with public access. I NAT web and mail traffic to it.
The reason I'm thinking that this is a secure setup is that HTTP and HTTPS are the ONLY ports that are directly forwarded in. Also, most outgoing traffic is proxied. Astaro proxies external DNS querries so nothing comes back in to the DC, is it a SMTP smarthost for exchange (both incoming and outgoing), and is a proxy for POP from the inside. I don't have IMAP or POP or FTP accessible through the firewall.
The reason for this post is that I'm considering putting the Exchange/Web Server into a DMZ by itself. What I've read is that this isn't so hot of an idea due to the amount of connections that would need to be open for it to talk to the DC. Also, i've found that using the private IPs for it on the internal network, and only NATing the bare minimum to it, seems to be a pretty secure environment. I will be adding an instance of SQL Server soon, and don't want that to be on the same server as the web/exchange.
Thanks in advance...any thoughts/suggestions would be greatly appreciated.
John
|
|
|
|
RE: Just how secure is this setup----> - 9.Nov.2003 10:59:00 PM
|
|
|
Ricky
Posts: 135
Joined: 7.Oct.2003
From: South Africa
Status: offline
|
God day John,
Secure is only as secure as the configuration that you are proposing and the question you ask is very ambiguous as you are going to be opening ports on the firewall that will allow direct access to the machine from the web this means if an exploit is discovered your machine will be compromised as there is no intermediary between itself and the web. I would add an application layer firewall that does state full packet inspection that is able to see what traffic is passing through and what application is using the passing traffic. In this way you will mitigate your risk and reduce potential threats. Mail delivery and reception should be done by some sort of antivirus server or firewall and the packets should then be forwarded to your mail server. in other words the intruders will only hack you firewall or antivirus machine and you will get that up and running much quicker than you will get a mail server up.
hope this helps if you need more help mail me
Rickm@fastennet.com
regards
RM
|
|
|
|
 New Messages |
 No New Messages |
 Hot Topic w/ New Messages |
 Hot Topic w/o New Messages |
 Locked w/ New Messages |
 Locked w/o New Messages |
|
 Post New Thread
Reply to Message
Post New Poll
Submit Vote
Delete My Own Post
Delete My Own Thread
Rate Posts |
|
Printable Version
