jazzman42379 -> Just how secure is this setup----> (7.Nov.2003 6:45:00 PM)
Hi Everyone,
I'm wanting to know if this is a secure setup for my Exchange/web server, and would really like some opinions....
On my 1 public IP I have Astaro Security Linux...a wonderful firewall, that I think (hope) is keeping me quite secure. Internally, I use private IP addresses, and have only the internal network...no DMZ. I have 1 Windows 2003 DC that also hosts the internal DNS, WINS, DHCP, etc...but is not accessible from the outside at all...no rules set up to allow it. My Exchange 2003 box is the only server with public access. I NAT web and mail traffic to it.
The reason I'm thinking that this is a secure setup is that HTTP and HTTPS are the ONLY ports that are directly forwarded in. Also, most outgoing traffic is proxied. Astaro proxies external DNS queries so nothing comes back in to the DC, it is an SMTP smarthost for Exchange (both incoming and outgoing), and is a proxy for POP from the inside. I don't have IMAP or POP or FTP accessible through the firewall.
The reason for this post is that I'm considering putting the Exchange/Web Server into a DMZ by itself. What I've read is that this isn't so hot of an idea due to the amount of connections that would need to be open for it to talk to the DC. Also, I've found that using the private IPs for it on the internal network, and only NATing the bare minimum to it, seems to be a pretty secure environment. I will be adding an instance of SQL Server soon, and don't want that to be on the same server as the web/Exchange.
Thanks in advance...any thoughts/suggestions would be greatly appreciated.
John