RE: Web and Email servers... to DMZ or not to DMZ

  • From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 28 Dec 2001 01:15:55 +0100

Barret,

From 'low' to 'high' security: packet filters, server publishing and web
publishing.

In fact, if you do web publishing, the requests are going to a reverse proxy
server. So the connection is effectively broken up into two totally different
connections: client to proxy and proxy to web server.

Server publishing does protocol checks (a sanity check at the protocol
level, not on the content) and redirects the incoming request to the
specified server.

Packet filters check only IP header information (IP addresses, next
protocol TCP/UDP and port numbers).

From what I'm reading, it is *not* advised to publish the native Exchange
server (RPC protocol). However you can publish POP3/IMAP4/SMTP access to the
Exchange server, but then you lose functionality. Therefore, when you plan
to use the full-blown Exchange client, it is highly recommended to use a
VPN.

The purpose of creating a DMZ is to split your network into different security
zones with very limited or no communication between them. So, if someone
hacks your webserver (i.e. at the application level) and gets root access
(security flaw in web server) and that webserver is in a DMZ, he has to
overcome a second security wall to get into your internal network. However,
if the webserver is published, he has *no* second security wall and has full
access to your internal LAN.

Stefaan
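As an added illustration of the ranking above (example code written for this page, not from the original thread and not ISA Server's own logic), the Python below puts a packet filter and a reverse proxy side by side on the same constructed inputs. The packet filter decides on IP/protocol/port only and never reads the payload, so a raw SMTP banner sent to port 80, a header name containing a NUL byte, or an absurdly long request target all pass once "tcp to the web server on 80" is allowed. The reverse proxy terminates the client connection, parses the request as HTTP, rejects what does not pass a protocol-level sanity check, and builds a fresh request toward the web server, forwarding only the headers it knows and recomputing Content-Length from the body it actually received. The web-server address `10.0.1.10` and the allowed header list are assumptions for the example.

```python
"""Packet filter vs. reverse proxy ("web publishing") on the same traffic.

Example code added for this page; not from the original mailing-list thread
and not ISA Server's implementation. Addresses, sample requests and the
header allow-list are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

WEB_SERVER = "10.0.1.10"          # assumed address of the published web server
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
MAX_TARGET_LEN = 2048
# RFC 7230 "token" characters, the only ones legal in a header field name.
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
CTL_CHARS = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes


def packet_filter(pkt: Packet, rules: List[dict]) -> bool:
    """Layer-3/4 decision only: source/destination, protocol and port.

    The payload is deliberately never inspected; that is what makes this the
    weakest of the three controls."""
    for rule in rules:
        if (rule["proto"] == pkt.proto and rule["dst"] == pkt.dst
                and rule["dport"] == pkt.dport):
            return rule["action"] == "allow"
    return False  # default deny


def parse_http_request(raw: bytes) -> Optional[dict]:
    """Protocol-level sanity check a reverse proxy performs before anything
    is sent on to the web server. Returns None for anything that is not a
    well-formed HTTP request."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:                      # header block never terminated
        return None
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    if len(lines) > 64:              # cap header count
        return None
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    method, target, version = parts
    if method not in ALLOWED_METHODS or version not in ("HTTP/1.0", "HTTP/1.1"):
        return None
    if not target.startswith("/") or len(target) > MAX_TARGET_LEN:
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not TOKEN.match(name) or CTL_CHARS.search(value):
            return None
        headers[name.lower()] = value.strip()
    if version == "HTTP/1.1" and "host" not in headers:
        return None
    return {"method": method, "target": target, "headers": headers, "body": body}


def reverse_proxy(raw: bytes) -> Optional[bytes]:
    """Terminate the client's request and emit a fresh one for the web server.

    Only allow-listed headers are copied, and Content-Length is recomputed
    from the body actually received rather than trusted from the client."""
    req = parse_http_request(raw)
    if req is None:
        return None
    out = f"{req['method']} {req['target']} HTTP/1.1\r\n".encode("ascii")
    for name in ("host", "user-agent", "content-type"):
        if name in req["headers"]:
            out += f"{name}: {req['headers'][name]}\r\n".encode("ascii")
    if req["body"]:
        out += f"content-length: {len(req['body'])}\r\n".encode("ascii")
    return out + b"\r\n" + req["body"]


def demo() -> Dict[str, Dict[str, bool]]:
    """Run both controls over constructed traffic aimed at WEB_SERVER:80."""
    rules = [{"proto": "tcp", "dst": WEB_SERVER, "dport": 80, "action": "allow"}]
    samples = {  # constructed sample payloads
        "valid_get": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: x\r\n\r\n",
        "smtp_on_80": b"HELO mail.example.com\r\n",
        "ctl_char_header": b"GET / HTTP/1.1\r\nHost: www.example.com\r\nX-Bad\x00Hdr: 1\r\n\r\n",
        "long_target": b"GET /" + b"A" * 4096 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    }
    results = {}
    for name, payload in samples.items():
        pkt = Packet("203.0.113.5", WEB_SERVER, "tcp", 80, payload)
        results[name] = {
            "packet_filter": packet_filter(pkt, rules),
            "reverse_proxy": reverse_proxy(payload) is not None,
        }
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} packet_filter={verdict['packet_filter']} reverse_proxy={verdict['reverse_proxy']}")
```

Running `demo()` shows the packet filter allowing all four payloads while the proxy accepts only the well-formed GET; the second connection the proxy opens carries its own normalised request, which is the "broken into two connections" property the post describes.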

-----Original Message-----
From: Barrett Fowler [mailto:bfowler@xxxxxxxxxxxxxx]
Sent: Thursday 27 December 2001 23:30
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Web and Email servers... to DMZ or not to DMZ


http://www.ISAserver.org


Stefaan,

Thanks for the advice. Allow me to get a little more general. If I publish
my web and email servers without a DMZ what kind of security risks do I
assume? In other words how secure is publishing?

-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxx]
Sent: Thursday, December 27, 2001 4:22 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Web and Email servers... to DMZ or not to DMZ

Barret,

OK, the use of a VPN for client access to Exchange and the internal network
is the best choice you can make. I assume that you will use PPTP as VPN
client. The best security you can get with PPTP is to use EAP-TLS
(smartcard) authentication. However this requires at the moment a W2K client
machine for the users and a W2K Active Directory on your internal network.
If that isn't feasible, use MS-CHAPv2 as authentication with a very strong
password policy. More info at
http://www.microsoft.com/windows2000/technologies/communications/vpn/default.asp.

Because the website must be accessible to a greater user population and
contains very sensitive information, your primary defence is a strong user
authentication. I assume you will use SSL/HTTPS as transport protocol. For
different DMZ scenarios have a look at the learning zone at
www.isaserver.org and/or view the webcast at
http://support.microsoft.com/servicedesks/webcasts/wc110801/wcblurb110801.asp.
Watch out: there are some problems if you want to web publish an SSL website.
The solution seems to be to publish an SSL website through server publishing.

In a 3-homed scenario, the webserver is only protected by packet filters.
You should be able to publish the internal SQL server only to the webserver
in the DMZ.
In a back-to-back scenario you can better protect the webserver by
publishing it on the outer ISA. However, this scenario will create problems
to implement the VPN. The VPN gateway should be sitting on your inner ISA
and it is problematic to get the VPN through the outer ISA. One possible
solution is described in
http://www.isaserver.org/ubb/Forum13/HTML/000334.html. Not my favorite setup
;-)

In my opinion you can get the best protection for the internal network if it
is possible to work with a shadow SQL server in the DMZ. Of course, it's the
kind of application that will tell whether this is a possible scenario.

Hope this helps you,
Stefaan

-----Original Message-----
From: Barrett Fowler [mailto:bfowler@xxxxxxxxxxxxxx]
Sent: Thursday 27 December 2001 22:25
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Web and Email servers... to DMZ or not to DMZ

Stefaan,

Thanks for the reply. When I said users I was talking about everyone with a
private IP. As far as external users, I will have two types: 1. VPN over
dial-up connections (employees) who will access Exchange and the internal
network, and 2. People who will access the website (80 & 443). Hope this
helps.

-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxx]
Sent: Thursday, December 27, 2001 3:11 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Web and Email servers... to DMZ or not to DMZ

Hi Barrett,

You are talking about very sensitive information on your SQL server and you
want to use the full-blown Exchange client. Whatever firewall you choose,
this is always a tricky problem.

Before I can give you some advice, what is the scope of the user population?
Should those services be available to the general public or only to a very
well defined user population (i.e. internal users who work from the
outside)? Can you elaborate on that?

I ask that question because the full-blown Exchange client is not very
firewall-friendly at the protocol level. Also, because the webserver needs
access to very sensitive information, you'll have to shield that server as
much as possible.

Regards,
Stefaan

-----Original Message-----
From: Barrett Fowler [mailto:bfowler@xxxxxxxxxxxxxx]
Sent: Thursday 27 December 2001 20:08
To: [ISAserver.org Discussion List]
Subject: [isalist] Web and Email servers... to DMZ or not to DMZ

I would just like some advice. I am doing some planning before purchasing
ISA as a firewall/proxy/cache server. I have a webserver and an email
server that I thought I might like to put into a DMZ. The webserver must
make requests to a SQL server; this would violate my internal network
assuming my SQL server is on the internal network. The SQL data is very
sensitive and must remain inside the internal network. Should I just
publish my web and email servers and forget the DMZ? How secure is
publishing compared to a DMZ? I would also like my users to be able to use
the full-blown Exchange client. Thanks in advance for all of your help.

Cheers,
Barrett

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
stefaan.pouseele@xxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')