Barret,

from 'low' to 'high' security: packet filters, server publishing and web publishing. In fact, if you do web publishing, the requests are going to a reverse proxy server. So the connection is effectively broken up into two totally different connections: client to proxy and proxy to web server. Server publishing does protocol checks (a sanity check on the protocol level, not on the content) and redirects the incoming request to the specified server. Packet filters check only IP header information (IP addresses, next protocol TCP/UDP and port numbers).

From what I'm reading, it is *not* advised to publish the native Exchange server (RPC protocol). However, you can publish POP3/IMAP4/SMTP access to the Exchange server, but then you lose functionality. Therefore, when you plan to use the full-blown Exchange client, it is highly recommended to use a VPN.

The purpose of creating a DMZ is to split your network into different security zones with very limited or no communication between them. So, if someone hacks your webserver (i.e. at the application level) and gets root access (security flaw in the web server) and that webserver is in a DMZ, he has to overcome a second security wall to get into your internal network. However, if the webserver is published, he has *no* second security wall and gets full access to your internal LAN.

Stefaan

-----Original Message-----
From: Barrett Fowler [mailto:bfowler@xxxxxxxxxxxxxx]
Sent: Thursday 27 December 2001 23:30
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Web and Email servers... to DMZ or not to DMZ

http://www.ISAserver.org

Stefaan,

Thanks for the advice. Allow me to get a little more general. If I publish my web and email servers without a DMZ, what kind of security risks do I assume? In other words, how secure is publishing?
-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxx]
Sent: Thursday, December 27, 2001 4:22 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Web and Email servers... to DMZ or not to DMZ

Barret,

OK, the use of a VPN for client access to Exchange and the internal network is the best choice you can make. I assume that you will use PPTP as VPN client. The best security you can get with PPTP is to use EAP-TLS (smartcard) authentication. However, this requires at the moment a W2K client machine for the users and a W2K Active Directory on your internal network. If that isn't feasible, use MS-CHAPv2 as authentication with a very strong password policy. More info at http://www.microsoft.com/windows2000/technologies/communications/vpn/default.asp.

Because the website must be accessible to a greater user population and contains very sensitive information, your primary defence is strong user authentication. I assume you will use SSL/HTTPS as transport protocol. For different DMZ scenarios have a look at the learning zone at www.isaserver.org and/or view the webcast at http://support.microsoft.com/servicedesks/webcasts/wc110801/wcblurb110801.asp.

Watch out: there are some problems if you want to web publish an SSL website. The solution seems to be to publish an SSL website through server publishing.

In a 3-homed scenario, the webserver is only protected by packet filters. You should be able to publish the internal SQL server only to the webserver in the DMZ. In a back-to-back scenario you can better protect the webserver by publishing it in the outer ISA. However, this scenario will create problems to implement the VPN. The VPN gateway should be sitting on your inner ISA and it is problematic to get the VPN through the outer ISA. One possible solution is described in http://www.isaserver.org/ubb/Forum13/HTML/000334.html.
Not my favorite setup ;-)

In my opinion you can get the best protection for the internal network if it is possible to work with a shadow SQL server in the DMZ. Of course, it's the kind of application which will tell if this is a possible scenario.

Hope this helps you,

Stefaan

-----Original Message-----
From: Barrett Fowler [mailto:bfowler@xxxxxxxxxxxxxx]
Sent: Thursday 27 December 2001 22:25
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Web and Email servers... to DMZ or not to DMZ

Stefaan,

Thanks for the reply. When I said users I was talking about everyone with a private IP. As far as external users, I will have two types:
1. VPN over dial-up connections (employees) who will access Exchange and the internal network, and
2. People who will access the website (80 & 443).

Hope this helps.

-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxx]
Sent: Thursday, December 27, 2001 3:11 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Web and Email servers... to DMZ or not to DMZ

Hi Barrett,

you are talking about very sensitive information on your SQL server and you want to use the full-blown Exchange client. Whatever firewall you choose, this is always a tricky problem. Before I can give you some advice, what is the scope of the user population? Should those services be available to the general public or only to a very well defined user population (i.e. internal users who work from the outside)? Can you elaborate on that? I ask that question because the full-blown Exchange client is not very firewall-friendly at the protocol level. Also, because the webserver needs access to very sensitive information, you'll have to shield that server as much as possible.

Regards,
Stefaan

-----Original Message-----
From: Barrett Fowler [mailto:bfowler@xxxxxxxxxxxxxx]
Sent: Thursday 27 December 2001 20:08
To: [ISAserver.org Discussion List]
Subject: [isalist] Web and Email servers... to DMZ or not to DMZ

I would just like some advice. I am doing some planning before purchasing ISA as a firewall/proxy/cache server. I have a webserver and an email server that I thought I might like to put into a DMZ. The webserver must make requests to a SQL server; this would violate my internal network, assuming my SQL server is on the internal network. The SQL data is very sensitive and must remain inside the internal network. Should I just publish my web and email servers and forget the DMZ? How secure is publishing compared to a DMZ? I would also like my users to be able to use the full-blown Exchange client.

Thanks in advance for all of your help.

Cheers,
Barrett

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: stefaan.pouseele@xxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
------------------------------------------------------
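The following Python model is an added example and is not part of the thread, nor ISA Server code; it reduces the three exposure levels Stefaan ranks (packet filter, server publishing, web publishing) and the 3-homed zone policy he describes to their essence, then walks constructed packets through each layer and reports where they stop. The zones, addresses, ports, the published path /app/, the backend name and the sample requests are all assumptions made for the example.

```python
"""Toy model of the thread's three exposure levels and of a 3-homed DMZ policy.
Added example; zones, addresses, ports, published path and samples are assumed."""
import re
from dataclasses import dataclass
from typing import Optional

from ipaddress import ip_address, ip_network

# Assumed addressing: one subnet per zone; anything else counts as "internet".
ZONES = {
    "dmz":      ip_network("192.0.2.0/24"),
    "internal": ip_network("10.0.0.0/8"),
}
WEB_SERVER = "192.0.2.10"       # published web server in the DMZ (assumed)
SQL_SERVER = "10.0.0.5"         # sensitive SQL server on the internal LAN (assumed)
ISA_EXTERNAL = "198.51.100.1"   # firewall's external interface, terminates PPTP (assumed)


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str             # "tcp", "udp" or "gre"
    dport: Optional[int]   # None for protocols without ports (GRE)
    payload: bytes = b""


# Packet-filter rules: (src_zone, src_host, dst_host, proto, dport); None = any host.
# Only IP-header fields are consulted: this is the "low" level of the thread.
PACKET_FILTER_RULES = [
    ("internet", None, WEB_SERVER, "tcp", 80),        # public website
    ("internet", None, WEB_SERVER, "tcp", 443),
    ("internet", None, ISA_EXTERNAL, "tcp", 1723),    # PPTP control channel
    ("internet", None, ISA_EXTERNAL, "gre", None),    # PPTP data (GRE, IP protocol 47)
    ("dmz", WEB_SERVER, SQL_SERVER, "tcp", 1433),     # SQL published to the web server only
]


def packet_filter(pkt: Packet) -> bool:
    """Allow only what a rule permits; nothing else crosses a zone boundary."""
    for src_zone, src_host, dst_host, proto, dport in PACKET_FILTER_RULES:
        if (zone_of(pkt.src) == src_zone and (src_host is None or pkt.src == src_host)
                and pkt.dst == dst_host and pkt.proto == proto and pkt.dport == dport):
            return True
    return False


REQUEST_LINE = re.compile(rb"(GET|HEAD|POST) (/\S*) HTTP/1\.[01]\r\n")
HEADER_LINE = re.compile(rb"[A-Za-z0-9-]+: [^\r\n]*\r\n")


def protocol_check(payload: bytes) -> bool:
    """Server-publishing style sanity check: is this syntactically HTTP?
    The requested resource itself is not examined (protocol, not content)."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return False
    lines = (head + b"\r\n").splitlines(keepends=True)
    if not lines or not REQUEST_LINE.fullmatch(lines[0]):
        return False
    return all(HEADER_LINE.fullmatch(line) for line in lines[1:])


PUBLISHED_PATH = b"/app/"            # assumed: only this path is published
BACKEND_HOST = b"web.dmz.example"    # assumed name the proxy connects to


def web_publish(payload: bytes) -> Optional[bytes]:
    """Reverse-proxy (web publishing) behaviour: parse the client request, decide
    on its content, and build a *new* request for the backend. Returns the request
    the proxy would send on its own connection, or None if it refuses."""
    if not protocol_check(payload):
        return None
    head, _, body = payload.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, path, version = request_line.split(b" ")
    if not path.startswith(PUBLISHED_PATH) or b".." in path:
        return None   # protocol-valid, but not something we publish (dot-segments refused)
    headers = dict(h.split(b": ", 1) for h in header_lines)
    headers[b"Host"] = BACKEND_HOST          # the backend never sees the client socket
    headers[b"Connection"] = b"close"
    rebuilt = b" ".join([method, path, version]) + b"\r\n"
    rebuilt += b"".join(k + b": " + v + b"\r\n" for k, v in headers.items())
    return rebuilt + b"\r\n" + body


def outcome(pkt: Packet) -> str:
    """Walk a packet through the layers in the thread's order and say where it stops."""
    if not packet_filter(pkt):
        return "blocked by packet filter"
    if pkt.dport not in (80, 443):
        return "allowed by packet filter"   # VPN or SQL traffic: no HTTP inspection applies
    if not protocol_check(pkt.payload):
        return "blocked by server publishing protocol check"
    if web_publish(pkt.payload) is None:
        return "blocked by web publishing (reverse proxy)"
    return "forwarded by web publishing"


# Constructed sample traffic (not captured data).
GOOD_REQUEST = b"GET /app/index.asp HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
UNPUBLISHED = b"GET /admin/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
NOT_HTTP = b"\x00\x01binary junk on port 80\r\n\r\n"
SAMPLES = {
    "public user to website":         Packet("203.0.113.7", WEB_SERVER, "tcp", 80, GOOD_REQUEST),
    "public user to SQL directly":    Packet("203.0.113.7", SQL_SERVER, "tcp", 1433),
    "owned web server to file share": Packet(WEB_SERVER, "10.0.0.20", "tcp", 445),
    "owned web server to SQL":        Packet(WEB_SERVER, SQL_SERVER, "tcp", 1433),
    "garbage on port 80":             Packet("203.0.113.7", WEB_SERVER, "tcp", 80, NOT_HTTP),
    "unpublished path":               Packet("203.0.113.7", WEB_SERVER, "tcp", 80, UNPUBLISHED),
    "employee PPTP":                  Packet("203.0.113.9", ISA_EXTERNAL, "tcp", 1723),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:32} -> {outcome(pkt)}")
```

The "owned web server to SQL" sample is the residual risk the thread keeps circling: once the web server is compromised, the one rule that publishes SQL to it is exactly the path an attacker will use, which is why a shadow SQL server in the DMZ is suggested. Everything else from the DMZ toward the internal LAN stops at the packet filter, the "second security wall" a published-only web server would not have.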