Which architecture is more secure?

Author: hajimesaito  Posted: Wed Apr 27, 2005 5:42 am    Post subject: Which architecture is more secure?
    ----
Hello All,

Having a debate with my co-worker as to which architecture is more secure, and I would like some of your input:

We have the choice of putting a mail server behind our firewall, or putting it on a DMZ and having ports open through the firewall to Active Directory. My co-worker thinks that having a machine with ports open to Active Directory is risky, and that if the DMZ were compromised, the whole directory structure could be compromised. I think you need to only open ports 389, 88, and 3268 to communicate with Active Directory. Are these ports even a cause for worry? Can someone explain how you could possibly exploit these open ports?

My co-worker wants to put the mail server behind the firewall on the internal network. Even though only port 443 will be open inbound, it seems to me that this is not as secure as the DMZ design. I think he wants to do this for simplicity's sake.

Any thoughts?

Thanks!
Hajime

Author: hajimesaito  Posted: Wed Apr 27, 2005 4:01 pm    Post subject:
    ----
Thanks mpkn3rd,

We are looking at Microsoft 2003 server. I don't think your suggestion will work, because we want to do RPC over HTTP.

The question I was really looking for an answer for is: Is it very risky to have ports 389, 88, and 3268 open from your mail host on the DMZ to the active directory server? Could the AD server be compromised? And, how would someone go about exploiting these ports?

Thanks!

Author: drenu  Posted: Wed Apr 27, 2005 4:33 pm    Post subject:
    ----
Yup, he's right... They're both bad ideas, but being on the DMZ would probably be the lesser of the two evils... if the Exchange box was to be compromised on the DMZ they wouldn't have complete access to your network right off hand, but if they WERE able to take control, it probably wouldn't be long until they could compromise one of the DCs inside the firewall. If the Exchange box was to be inside the network and it was compromised they'd have access to the whole network right off the bat. No matter where the box is, if it were to get compromised, it would be over port 443, so the question would be, would you rather have it compromised behind the firewall, or in the DMZ? Obvious answer is the DMZ.

Author: Pheo  Location: London, United Kingdom  Posted: Wed Apr 27, 2005 4:39 pm    Post subject:
    ----
Why not use an ISA Server to 'publish' the internal server? Thus no intrusion into the internal network is needed, as the ISA server handles all that?

Author: RoboGeek  Location: LeRoy, IL  Posted: Wed Apr 27, 2005 5:04 pm    Post subject:
    ----
Couldn't you multihome the mail server, leaving one NIC on the DMZ with the bare minimum open, and the other NIC on the firewalled network, with all the AD info? Both networks would have access to the same server, but you could block the AD stuff from the unprotected side.

Author: Aragorn  Location: Dallas TX  Posted: Wed Apr 27, 2005 5:24 pm    Post subject:
    ----
Okay, so what I hear you saying so far, hajimesaito, is that you want to know what will happen if your DMZ is compromised and ports 389, 88 and 3268 are open for said "explorer" to exploit?

On port 389 (LDAP) AD information is readily available with a 7 line script, youch! (For Linux fans that also means your LDAP information, as AD is built upon LDAP technology.) Not to mention the plethora of information available by running NMAP once in the DMZ.

So moving along to port 88 (Kerberos): This could, in theory, be exploited by sending packets that cause a buffer overrun or exploit a vulnerability in Microsoft's implementation of Kerberos.

Now to deal with possible issues for port 3268 (Global Catalog communication is typically done on this port and it is set for listening, typically by an Exchange server): With this port open and 389 open you are giving the world your AD information. In essence this would allow someone to enumerate your AD. Fun huh? *shivers*

So in short, as long as you have full confidence in your DMZ, it is monitored and you find those risks acceptable, go ahead and go with the DMZ idea. Problem is that you would most likely be the first one on the proverbial "chopping block" if ever your DMZ was compromised, as you are leaving two of the most critical communication items vulnerable: both AD (the backbone of your network) and Exchange (probably the most counted-on communication tool next to the phone, and in some cases more than the phone).

I'd take mpkn3rd's suggestion and read up on front end/back end topology. It is the most secure way you have of protecting yourself.

Anything else I'm missing here? Am I off base, anyone? Too harsh?

Regards,

Author: delete852  Location: Washington DC  Posted: Wed Apr 27, 2005 6:11 pm    Post subject:
    ----
I don't see a reason for having your Exchange server in the DMZ. If any servers in the DMZ are compromised then your external firewall is pretty much useless, so I wouldn't count on that much.

Just the idea of having a domain controller in an unsecured area is disgusting to me. If that box is compromised then all your AD information will also be compromised and this will be the gateway into the internal LAN.

Correct me if I am wrong, but if that box is compromised and the attacker has a sense of "humor", wouldn't he be able to just change passwords for all users and let this DC replicate the info to other DCs? So in the morning no one can log in.

Keep it inside the LAN.

Author: hajimesaito  Posted: Wed Apr 27, 2005 6:36 pm    Post subject: security
    ----
delete,

The domain controller isn't in an unsecured area; it's behind the firewall.

Aragorn,

Your explanation was more along the lines of what I was looking for. Thanks. Though I'm not sure if NMAP would turn up any useful information if run from inside the DMZ, since only certain ports from one host are allowed inside the firewall. The internal network is not completely open to the DMZ.

Pheo,

We are actually looking into buying ISA server, but that's still a few weeks out. I think that is the best solution.

mpkn3rd,

Thanks for your help. Wouldn't the Exchange server on the inside need to have the same AD information as the one on the outside? I would think that that is a similar risk for both hosts.

Thanks to all for the great input. Glad I joined the forum!

Hajime

Author: RickW  Location: Pennsylvania  Posted: Wed Apr 27, 2005 10:02 pm    Post subject: Two security architecture scenarios
    ----
Okay, so what you're debating is which one is safer:



And like you mentioned, in order for it to work in the DMZ, you will need AD ports open both ways. The Exchange server needs access to DNS and the Global Catalog. If the DMZ is infiltrated, the attacker will have these resources at their disposal, including the entire datastore. The DMZ is meant to separate the domain resources from the perimeter resources; an Exchange server is a domain resource, which put into the DMZ actually destroys the point of the DMZ while increasing the hassle of setup.

You need option 3: some sort of mail relay goes into the DMZ. Inbound email on port 25 is tunneled to the relay, which then checks for spam and viruses and whatever other content you want to block, then relays that email again through port 25 to the mail server. This completely severs the Exchange server from the outside world (and prevents exploits that could have been run via port 25).

Even if you set up an Exchange Front-End server in the DMZ to protect the datastore, you'd still have to query AD, so that won't help.

So go with ISA like someone else mentioned, or even an inexpensive hardware appliance like MailFoundry. ePrism costs a little more, but you can use it as an OWA Proxy too. Besides the DMZ, it's good to use in-between servers that are not Windows based, because that adds another level of difficulty to penetration.

Author: delete852  Location: Washington DC  Posted: Wed Apr 27, 2005 11:43 pm    Post subject:
    ----
I still don't understand the reasoning behind putting an Exchange server (which, might I add, has had a lot of security problems in the past) into the DMZ, versus the intranet, which is a lot more secure.

Author: RickW  Location: Pennsylvania  Posted: Thu Apr 28, 2005 2:12 am    Post subject: Re: security
    ----
hajimesaito wrote:
delete,

The domain controller isn't in an unsecured area; it's behind the firewall.

Hajime


What delete was saying, is that by allowing communications between exchange and the domain controller, you essentially expose the domain controller.

Author: delete852  Location: Washington DC  Posted: Thu Apr 28, 2005 3:51 pm    Post subject:
    ----
I believe you have a false sense of security by thinking of your firewall. I am not sure about how you guys have it set up, and obviously I can be wrong depending on your set up, but all it takes is for one server behind it to be compromised for the whole firewall to be useless.

They can use so many utilities to get past firewalls, for example even ssh or http tunnels.

Author: RickW  Location: Pennsylvania  Posted: Thu Apr 28, 2005 9:03 pm    Post subject:
    ----
delete852 wrote:
I believe you have a false sense of security by thinking of your firewall. I am not sure about how you guys have it set up, and obviously I can be wrong depending on your set up, but all it takes is for one server behind it to be compromised for the whole firewall to be useless.

They can use so many utilities to get past firewalls, for example even ssh or http tunnels.


Right, and that's where the DMZ comes in. Now you have two firewalls to break through. So that is where you put your most vulnerable servers: if they're broken into, they're contained and the domain is protected. But in the case of the Exchange server, the domain is exposed, which is why you don't put it in the DMZ. Instead, you put in a relay like ISA or some other email gateway.

And there are two ways to set up a DMZ, depending on budget. One way is to have a dedicated switch connected to a designated interface on the firewall, and the routing is handled with the config. The other way is to have the outer firewall plugged into a switch, and then an inner firewall plugged into that switch. In this case, it is advised to use another vendor/model for this 2nd firewall. That way if it has an exploit, it can't be used twice.

And then someone else mentioned setting up a multihomed server; I think this is also called a "bastion host". This works by having two network cards, and each one is plugged into a different side of the network (one is DMZ and one is private). You have to be careful with creating loops, and it doesn't really add security if the host is breached. I do use this approach for our proxy appliance, but it's a transparent bridge and was designed that way... now I'm just getting off the subject.

Author: larsmhansen  Location: Boston, MA, USA  Posted: Thu Apr 28, 2005 9:48 pm    Post subject:
    ----
Exposing an Exchange server is dangerous no matter where it is. Since it does rely on AD in order to receive e-mail, even when in the DMZ the Exchange server will need to be connected to the DCs on the LAN, and can as such be an easy entry point.

We used to have mail relay servers in the DMZ. Simply SMTP servers with a list of accepted e-mail addresses, and they would forward all accepted mail from the DMZ to the Exchange server. In the event that the mail relay was hacked, the only way for it to get to the Exchange server would be through the SMTP service; all other avenues would be blocked by the firewall.

The problem arises when there's more to a mail server than simply SMTP. If the Exchange server is also used to host web-mail (OWA), then it doesn't really matter if it's in the DMZ or the LAN, because either option would technically expose the LAN to a successful hacker.

The use of an application proxy will limit your exposure in both cases, assuming that it actually does validate the SMTP and HTTP(S) protocols. This should prevent illegal commands from being passed from the internet to the protected machine on the inside.
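RickW's "option 3" and larsmhansen's relay describe the same design: only tcp/25 crosses the inner firewall, so a compromised relay cannot reach the domain controllers at all. The model below is an added example (not code from any poster); the host names, zones and firewall rules are constructed assumptions. It expresses each of the three placements as an allow-list and computes what one compromised host can reach, treating traffic inside a zone as unfiltered, which is exactly why drenu and delete852 say an internal compromise gives "the whole network right off the bat".

```python
"""Blast-radius model for the three mail placements discussed in the thread.

Added example; the hosts, zones and firewall rules below are constructed
assumptions, not the poster's real configuration.
"""
from collections import namedtuple

Rule = namedtuple("Rule", "src dst port")  # src/dst: a host name or a zone name

# Constructed topology: each host lives in exactly one zone.
ZONES = {
    "internet": {"attacker"},
    "dmz": {"mail-dmz", "relay"},
    "lan": {"dc1", "exchange-int", "fileserver"},
}
DOMAIN_CONTROLLERS = {"dc1"}
AD_PORTS = {53: "dns", 88: "kerberos", 389: "ldap", 3268: "global catalog"}

# Option A: Exchange in the DMZ, AD ports opened through the inner firewall.
OPTION_A = [
    Rule("internet", "mail-dmz", 443),
    Rule("internet", "mail-dmz", 25),
] + [Rule("mail-dmz", "dc1", p) for p in AD_PORTS]

# Option B: Exchange on the LAN, only 443/25 published inbound.
OPTION_B = [Rule("internet", "exchange-int", 443), Rule("internet", "exchange-int", 25)]

# Option C: plain SMTP relay in the DMZ; only tcp/25 crosses the inner firewall.
OPTION_C = [
    Rule("internet", "relay", 25),
    Rule("relay", "exchange-int", 25),
    Rule("exchange-int", "relay", 25),
]


def zone_of(host):
    for zone, members in ZONES.items():
        if host in members:
            return zone
    raise KeyError(host)


def permitted(rules, src, dst, port):
    """True if some rule lets src reach dst:port across the firewall."""
    return any(
        r.src in (src, zone_of(src)) and r.dst in (dst, zone_of(dst)) and r.port == port
        for r in rules
    )


def reachable_from(rules, src):
    """(host, port) pairs a compromised `src` can talk to.

    Hosts in the same zone are reachable on every port ("any"): nothing
    filters traffic inside a zone, which is what makes zoning matter.
    """
    candidate_ports = {r.port for r in rules} | set(AD_PORTS)
    reach = set()
    for zone, members in ZONES.items():
        for dst in members - {src}:
            if zone == zone_of(src):
                reach.add((dst, "any"))
                continue
            for port in candidate_ports:
                if permitted(rules, src, dst, port):
                    reach.add((dst, port))
    return reach


def assess(rules, compromised):
    """Summarise what falls within reach of one compromised host."""
    reach = reachable_from(rules, compromised)
    lan_hosts = {h for h, _ in reach if zone_of(h) == "lan"}
    domain_exposed = any(
        h in DOMAIN_CONTROLLERS and (p == "any" or p in AD_PORTS) for h, p in reach
    )
    return {"reach": reach, "lan_hosts": lan_hosts, "domain_exposed": domain_exposed}


if __name__ == "__main__":
    for name, rules, victim in [("A: Exchange in DMZ", OPTION_A, "mail-dmz"),
                                ("B: Exchange on LAN", OPTION_B, "exchange-int"),
                                ("C: SMTP relay in DMZ", OPTION_C, "relay")]:
        r = assess(rules, victim)
        print(f"{name:22s} LAN hosts reachable={sorted(r['lan_hosts'])} "
              f"domain exposed={r['domain_exposed']}")
```

Run as a script it shows option A handing the DC's LDAP, Kerberos, GC and DNS ports to whoever owns the DMZ mail host, option B handing over every LAN host, and option C exposing only the internal mail server's SMTP listener. Swapping in your real rule base (one `Rule` per permitted flow) turns this into a quick review check before a firewall change is approved.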

Author: Aragorn  Location: Dallas TX  Posted: Thu May 05, 2005 2:31 pm    Post subject:
    ----
LOL

Okay okay. I think that we have answered hajimesaito's question and are now bickering amongst ourselves.

As for OWA, this is where the front end/back end architecture comes into play, with several other options already mentioned throughout this thread.

hajimesaito - First to address the NMAP query you had in response to my earlier post: as delete852 pointed out, once behind the firewall (in the DMZ) your FW is mostly pointless, as once in they can do more damage once it is known what ports are|are not open and where to go from there. However, please let us know if there are any more questions we can help with.

(Note: Check the IOS versions if running Cisco and ensure you are at least close to being up to date.)
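Aragorn's earlier point about mapping the internal network from the DMZ, and his answer here to hajimesaito's NMAP question, both come down to the same defender's task: if the DMZ host does start probing the LAN, the inner firewall's log is where it shows up first, whether the probes are dropped or not. The following is an added example, not code from any poster; the log format imitates iptables LOG output and the addresses, baseline flows and sample lines are constructed. It parses the log, flags every DMZ-to-LAN flow outside the intended allow-list, and raises a scan alert when one DMZ source touches more distinct host:port targets than a threshold.

```python
"""Spot a DMZ host that starts mapping the internal network.

Added example, not from the thread. Log format, addresses, baseline and
sample lines are constructed to resemble iptables LOG output; adjust the
regex for your own firewall.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"(?P<action>ACCEPT|DROP) IN=(?P<in>\S+) OUT=(?P<out>\S+) "
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) DPT=(?P<dport>\d+)"
)

DMZ_NET = "192.168.100."  # constructed DMZ prefix

# Constructed baseline: the only DMZ -> LAN flows the design intends
# (the 389/88/3268 the thread discusses, plus DNS).
BASELINE = {
    ("192.168.100.10", "10.0.0.5", 389),   # mail host -> DC, LDAP
    ("192.168.100.10", "10.0.0.5", 88),    # Kerberos
    ("192.168.100.10", "10.0.0.5", 3268),  # Global Catalog
    ("192.168.100.10", "10.0.0.5", 53),    # DNS
}

# Constructed sample log: normal AD traffic, then the mail host tries other
# LAN ports and hosts; the last line is LAN -> DMZ and must be ignored.
SAMPLE_LOG = """\
Apr 28 02:10:01 fw kernel: ACCEPT IN=dmz OUT=lan SRC=192.168.100.10 DST=10.0.0.5 PROTO=TCP DPT=389
Apr 28 02:10:02 fw kernel: ACCEPT IN=dmz OUT=lan SRC=192.168.100.10 DST=10.0.0.5 PROTO=TCP DPT=3268
Apr 28 02:11:07 fw kernel: DROP IN=dmz OUT=lan SRC=192.168.100.10 DST=10.0.0.5 PROTO=TCP DPT=445
Apr 28 02:11:07 fw kernel: DROP IN=dmz OUT=lan SRC=192.168.100.10 DST=10.0.0.5 PROTO=TCP DPT=135
Apr 28 02:11:08 fw kernel: DROP IN=dmz OUT=lan SRC=192.168.100.10 DST=10.0.0.7 PROTO=TCP DPT=445
Apr 28 02:11:08 fw kernel: DROP IN=dmz OUT=lan SRC=192.168.100.10 DST=10.0.0.8 PROTO=TCP DPT=22
Apr 28 02:11:09 fw kernel: DROP IN=dmz OUT=lan SRC=192.168.100.10 DST=10.0.0.9 PROTO=TCP DPT=3389
Apr 28 02:11:09 fw kernel: ACCEPT IN=dmz OUT=lan SRC=192.168.100.10 DST=10.0.0.5 PROTO=TCP DPT=88
Apr 28 02:12:00 fw kernel: DROP IN=lan OUT=dmz SRC=10.0.0.20 DST=192.168.100.10 PROTO=TCP DPT=22
"""


def parse_line(line):
    """Return a dict of fields for a firewall log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def analyze(log_text, baseline=BASELINE, scan_threshold=4):
    """Return (off_baseline, scanners).

    off_baseline: every DMZ -> LAN flow not in the allow-list, as
      (action, src, dst, dport). A DROP still counts: the firewall held,
      but the DMZ host had no business trying.
    scanners: {src: distinct (dst, dport) targets} for DMZ sources whose
      target count exceeds scan_threshold.
    """
    off_baseline = []
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["in"] != "dmz" or not rec["src"].startswith(DMZ_NET):
            continue
        flow = (rec["src"], rec["dst"], rec["dport"])
        targets[rec["src"]].add((rec["dst"], rec["dport"]))
        if flow not in baseline:
            off_baseline.append((rec["action"],) + flow)
    scanners = {src: len(t) for src, t in targets.items() if len(t) > scan_threshold}
    return off_baseline, scanners


if __name__ == "__main__":
    off, scans = analyze(SAMPLE_LOG)
    for action, src, dst, dport in off:
        print(f"{action:6s} {src} -> {dst}:{dport} (not in baseline)")
    for src, n in scans.items():
        print(f"scan alert: {src} touched {n} distinct LAN targets")
```

The baseline set is the same allow-list the firewall enforces, so an entry in `off_baseline` with action `ACCEPT` means the rule base and the documented design have drifted, which is worth an alert of its own; the threshold on distinct targets is what turns "once in the DMZ they map what is open" into something a monitored DMZ (Aragorn's precondition for the design) can actually see.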
