Firewall Wizards mailing list archives

RE: Exchange Questions
From: "Frank W. Keeney" <FKeeney () hsa com>
Date: Tue, 18 May 1999 08:41:29 -0700

All your points are well understood. There is not one architecture that
is correct for everyone.

I'm extremely paranoid. The fact that there are no "known"
vulnerabilities does not make me feel any better. I'll always place any
internal system that has direct access to/from the Internet on a DMZ. In
the case of FW1 I use a third or fourth NIC. With Gauntlet or Sidewinder
I place the server behind the Firewall since these firewalls reliably
relay mail. In many circumstances I'll place a UNIX host in the DMZ (or
Service Network) of a third NIC with FW1 to relay all the mail in and
out to/from the Exchange server. 



+++++++++++++++++++++++++++++++++++++++++++++++++++++++
Frank Keeney, Network Services, Home Savings of America
+1 626-814-5080 mailto:fkeeney () hsa com
+++++++++++++++++++++++++++++++++++++++++++++++++++++++


        ----------
        From:  Russ [SMTP:Russ.Cooper () rc on ca]
        Sent:  Monday, May 17, 1999 11:53 PM
        To:  'Frank W. Keeney'; firewall-wizards () nfr net
        Subject:  RE: Exchange Questions


        I would ask anyone who is paranoid of SMTP to explain why that
        paranoia is believed to be applicable to MS Exchange Server. IMO,
        there is no known translation of known SMTP vulnerabilities against
        MS Exchange Server. I would be happy to hear of any I'm unaware of.
        SMTP Relay is the only issue I can think of, and a DMZ does nothing
        to assist with it.

        I can fully appreciate the "by-the-book" approach to putting such
        servers in a DMZ, but when the question is specific, the answer
        should be more than "well, that's how I've always seen it done
        before".

        IMNSHO, a DMZ'd MS Exchange Server (in a different NT domain or
        otherwise) does absolutely nothing but add to the complexity of an
        already complex FW-1 installation.

        It also adds to the overall cost of the implementation, as well as
        the complexity of the Exchange installation. Cost is added due to a
        2nd, totally unnecessary, Exchange Server license. Installation
        complexity comes as a result of maintaining a Site Connector (since,
        we assume, the DMZ'd box is going to also be in a different Exchange
        Site).
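Russ's point that relaying is the real SMTP issue, and that DMZ placement by itself does not address it, comes down to the acceptance policy the relay applies to each RCPT TO. The following is an added example, not code from the thread: the decision a DMZ mail relay in Frank's three-NIC design would make, with constructed domains and a hypothetical Exchange server address.

```python
from ipaddress import ip_address

# Constructed topology (assumption): relay host in the DMZ, Exchange server
# on the internal leg behind FW-1. Only Exchange may submit outbound mail.
LOCAL_DOMAINS = {"example.com", "mail.example.com"}
ALLOWED_SUBMITTERS = {ip_address("10.1.2.3")}   # hypothetical Exchange host


def recipient_domain(addr):
    """Return the normalised domain of a plain user@domain address, or None.

    Percent-hack and bang-path local parts (user%other.org@example.com,
    other.org!user@example.com) are refused: an older MTA would deliver
    them onward and turn the relay into an open relay.
    """
    if addr.count("@") != 1:
        return None
    local, dom = addr.rsplit("@", 1)
    dom = dom.rstrip(".").lower()
    if not local or not dom or "%" in local or "!" in local or ":" in dom:
        return None
    return dom


def relay_decision(client_ip, rcpt_to):
    """Decide what the DMZ relay does with one RCPT TO from client_ip.

    Returns (accept, smtp_reply). Inbound mail for a local domain is taken
    from anyone; anything else is relayed only for the Exchange server.
    """
    dom = recipient_domain(rcpt_to)
    if dom is None:
        return False, "501 5.1.3 bad recipient address syntax"
    if dom in LOCAL_DOMAINS:
        return True, "250 2.1.5 inbound, deliver to Exchange"
    if ip_address(client_ip) in ALLOWED_SUBMITTERS:
        return True, "250 2.1.5 outbound from Exchange, relay"
    return False, "554 5.7.1 relaying denied"
```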

        


