Thread: Front-end / Back-end Security Question

  1. #1
    -=gu=- Guest

    Front-end / Back-end Security Question

    Hello,
    Currently we just have a single Exchange 2003 server, which is simply natted
    to the outside world through our PIX. It is running OWA without a
    certificate. We have no DMZ.
    I was planning on installing a 2nd Exchange 2003 server with a Verisign
    certificate and configure it to be a front-end server, so OWA will be https.
    I spoke with someone the other day who put the fear of God in me by telling
    me that by exposing my Exchange server without it being in a DMZ, it's not a
    matter of if it will get hacked, it's a matter of when. He wasn't talking
    about hacking Exchange, he was talking about hacking in as administrator and
    getting the keys to the vault.
    Without a DMZ, am I really getting any benefit or additional protection by
    putting up a front-end server? It would be natted through the PIX instead of
    the back-end server. Assuming my company won't fund a DMZ, should I forget
    the front-end server, buy the cert and put it on my existing single server?
    I've been mulling over this all weekend. Your input would be greatly
    appreciated.
    Thanks!

  2. #2
    Brian Desmond [MVP] Guest
    You know, I've got a bridge for sale too.

    I know of more than enough organizations which have their frontends nat'ed
    back into the same subnet as backends, etc.

    You'll be just fine NATing back through the PIX. Not knowing anything about
    your network config, I'm not sure how expensive it would actually be to put
    a DMZ in. It may just be a matter of a couple vlans and some trunked ports.

    How many users do you have and how much OWA activity is there amongst them?
    That's what really defines whether or not you need a frontend in a single
    backend config.

    --
    --Brian Desmond
    Windows Server MVP
    desmondb@payton.cps.k12.il.us

    www.briandesmond.com


  3. #3
    Al Mulnick Guest
    I not only need to agree with Brian on this, but add that not having SSL
    encryption for the traffic is a risk (intruders listening in on the client
    to server conversation potentially revealing information) as is the use of
    an application to secure access. But it's all levels of risk.

    A DMZ is designed originally as a way to help control and mitigate risks to
    the soft squishy and vulnerable core network. To be a real DMZ, it would
    have to have hosts that accept conversation from inside and outside hosts
    (respective of trusted networks AKA corporate network). With a FE server,
    that's not possible and it breaks the best practice concept of not putting a
    domain member on an untrusted or semi-trusted (DMZ) network.

    Exchange FE servers were never ever intended as a security measure. They
    weren't designed for that and generally suck at it. Rightfully so as that's
    not the intended usage.

    If you're going to invest in a second server, invest in ISA server vs.
    Exchange FE server. If you only have one server, you don't really need a FE
    server. It provides nothing in your situation based on what you posted. A
    better bet is to deploy an application firewall and get a cheap certificate
    (better than nothing at this point).


    My $0.4 worth anyway.


  4. #4
    -=gu=- Guest
    Brian and Al, thanks for your responses.

    To follow up and give a little more information, we have around 40 employees
    and perhaps 4 or 5 of them use OWA as their full time email client, the rest
    use Outlook 2003 either internally or from outside locations using VPN. I
    fully understand and realize that I am exposed to ears on the wire without
    running https. That is what is driving all this.

    We actually do own a Cisco DMZ switch, and it's never been used. However, I
    don't have an interface on my PIX 515 to plug it in. Before my time, the
    company downsized and ended up subletting space to another company. So the 2
    interface PIX has been configured for two separate networks, one for my
    company's LAN and one for the other company. Both share the same T1 internet
    bandwidth through this configuration.

    These are what I see as my options, comments are welcome:
    a) call Cisco presales and see what a 3 interface PIX would run so I could
    utilize my DMZ hardware. I honestly don't know if a 3 interface model is
    made, but if I were to be able to keep the two networks separate AND set up a
    DMZ then I would be able to proceed with putting up an Exchange FE server in
    the DMZ. We also have a couple of web IIS servers which I would then put in
    the DMZ as well.
    b) barring the funds to purchase replacement Cisco equipment and put up a
    DMZ, I could instead put up an ISA server (help me out here...) to
    authenticate the OWA traffic (?). In that circumstance I suppose my cert
    would go on the single Exchange 2003 server? I'm not sure how I would utilize
    this.

    Finally adding insult to injury, we actually have an old ISA 2000 server in
    place (currently natted through the pix) which is there to authenticate the
    VPN traffic. My predecessor scared the bejesus out of me when I spoke with
    him, he told me it took a really long time to set up and his advice was to
    ghost it to disk and leave it alone, which I have done. I don't know if this
    could be used for the above or not. I also believe that being a MS partner,
    our program allows us to run a copy of ISA server. Could I build a new ISA
    server and use it for both VPN and OWA traffic purposes?

    Obviously I don't have a great handle on this technology and I appreciate
    any help and suggestions you may have. Thanks in advance!

  5. #5
    Brian Desmond [MVP] Guest
    Hi there,

    I'll reply inline.

    --
    --Brian Desmond
    Windows Server MVP
    desmondb@payton.cps.k12.il.us

    www.briandesmond.com


    "-=gu=-" <gu@discussions.microsoft.com> wrote in message
    news:5E599A97-412F-4C9A-A7A2-6855BE99AA2B@microsoft.com...
    > Brian and Al, thanks for your responses.
    >
    > To follow up and give a little more information, we have around 40 employees
    > and perhaps 4 or 5 of them use OWA as their full time email client, the rest
    > use Outlook 2003 either internally or from outside locations using VPN. I
    > fully understand and realize that I am exposed to ears on the wire without
    > running https. That is what is driving all this.

    Yeah so a frontend makes absolutely no sense here. Just get an ssl cert from
    thawte or somebody (just don't go with verisign) and install it on your
    backend. That's a big big plus.

    > We actually do own a Cisco DMZ switch, and it's never been used. However, I
    > don't have an interface on my PIX 515 to plug it in. Before my time, the
    > company downsized and ended up subletting space to another company. So the 2
    > interface PIX has been configured for two separate networks, one for my
    > company's LAN and one for the other company. Both share the same T1 internet
    > bandwidth through this configuration.

    I've never heard of a cisco dmz switch. I don't know PIX at all, but you
    can't trunk the switchport going to it and run multiple vlans off the
    interface?

    > These are what I see as my options, comments are welcome:
    > a) call Cisco presales and see what a 3 interface PIX would run so I could
    > utilize my DMZ hardware. I honestly don't know if a 3 interface model is
    > made, but if I were to be able to keep the two networks separate AND set up a
    > DMZ then I would be able to proceed with putting up an Exchange FE server in
    > the DMZ. We also have a couple of web IIS servers which I would then put in
    > the DMZ as well.
    > b) barring the funds to purchase replacement Cisco equipment and put up a
    > DMZ, I could instead put up an ISA server (help me out here...) to
    > authenticate the OWA traffic (?). In that circumstance I suppose my cert
    > would go on the single Exchange 2003 server? I'm not sure how I would utilize
    > this.

    So I don't know why you want to build this DMZ so badly. I don't think it's
    useful at all in your situation. The ISA04 box to be a gateway to your LAN
    for OWA, VPN, etc would be fine. I think Al knows more about ISA04 than I do
    (I know enough to install it), so I'll leave any ISA stuff to him.

    > Finally adding insult to injury, we actually have an old ISA 2000 server in
    > place (currently natted through the pix) which is there to authenticate the
    > VPN traffic. My predecessor scared the bejesus out of me when I spoke with
    > him, he told me it took a really long time to set up and his advice was to
    > ghost it to disk and leave it alone, which I have done. I don't know if this
    > could be used for the above or not. I also believe that being a MS partner,
    > our program allows us to run a copy of ISA server. Could I build a new ISA
    > server and use it for both VPN and OWA traffic purposes?

    See above. ISA2000 box needs to go esp given this information.

    > Obviously I don't have a great handle on this technology and I appreciate
    > any help and suggestions you may have. Thanks in advance!

    No problemo.
