Re: DMZ and AD

From: Al Mulnick (amulnick_No_SPAM_at_ncDOTrr.com)
Date: 08/15/04


Date: Sat, 14 Aug 2004 21:03:40 -0400

Sure.
I'm referring to the encryption (ESP) of ALL traffic from the DMZ host (in this
case, the FE server) to the internal network hosts (in this case, the DNS,
DC/GC, and Exchange hosts, assuming that the problem of IPSec tunnels to
Exchange clusters is now recommended) with the intent of requiring fewer
permit rules on the firewall device.

I couldn't say if *all* IDS systems are unable to inspect IPSec traffic but
I wouldn't expect AH to prevent IDS systems from seeing the packet contents.

The point of the whole thing is that putting Exchange in the DMZ is not the
best idea. In practice, it can be difficult to properly configure the
security devices between the DMZ host and the internal infrastructure to
allow the FE server the communications with the Exchange and Active
Directory/DNS hosts especially when compared to permitting traffic from the
ISA server to the FE server. That only requires TCP 80 or TCP 443 traffic
between them depending on your configuration. That's a lot easier and more
reliable for starters. The ISA server's ability to bridge the SSL
conversation and check packets for intent is a good bonus unless security is
more of a concern and then it would be pretty much required, right?

Also, while ISA or some other layer-7 firewall has overhead of hardware and
OS and application, it's offloaded to a separate device. IPSec tunnels can
have unwanted overhead that impacts performance on the machine.

Does that answer the questions? Or was there something you were heading
toward? Maybe you've seen some information that can be useful here? Or
maybe you have a suggestion that would help him out? If so, I'd like to
hear it 'cause having extra hardware for a solution such as this is always a
tough sell.

Al

"Oli Restorick [MVP]" <oli@mvps.org> wrote in message
news:eGzbZijgEHA.704@TK2MSFTNGP09.phx.gbl...
> Can you clarify what you mean by an "IPSec tunnel"?
>
> Also, is it true that all IDS systems are unable to inspect IPSec traffic if
> only AH is used (i.e. no ESP)?
>
> Oli
>
>
> "Al Mulnick" <amulnick_No_SPAM@ncDOTrr.com> wrote in message
> news:%237BKIbigEHA.2812@tk2msftngp13.phx.gbl...
> > It is simpler, but it has no ability to check for malicious intent and
> > blocks your IDS from doing anything about it and they put added strain on
> > your DC/GC's. I can't remember off the top of my head, but it used to be
> > that you couldn't use an IPSec tunnel to an Exchange cluster, but that may
> > have changed. IPSec tunnels do make it easier to traverse the firewall
> > though.
> >
> > The recommended way to deploy Exchange to the internet, for OWA, HTTP/RPC,
> > AS, SMTP, IMAP, POP3, is to use a layer-7 firewall device that can inspect
> > the packets as they go by. ISA Server is one such example of how to do
> > that. Makes it much more reliable as well since you don't have to worry
> > about punching enough holes in your firewall to make it similar to swiss
> > cheese and you won't have to worry about the latest IIS hack to have
> > somebody overrun your Exchange FE server and then have full, uninterrupted
> > and undetected access to your internal network via IPSec tunnels.
> >
> > I've always recommended ISA since it was released for those reasons. I've
> > deployed the IPSec tunnels as well and there are some utilities that make
> > it easier to deploy and troubleshoot which should be available at
> > http://www.microsoft.com/security
> >
> > For topology and click by click ways to deploy Exchange in this scenario,
> > see http://www.microsoft.com/exchange/library and have a look at the docs
> > there.
> >
> > Shame about that consultant though, her getting away before the job was
> > totally done and all ;)
> >
> > Al
> >
> >
> > "Dave Shaw [MVP]" <dhshaw@NoSpam.msn.com> wrote in message
> > news:%23Wr40hhgEHA.4092@TK2MSFTNGP10.phx.gbl...
> >> Make your life a little simpler ...
> >>
> >> Use IPSec filters on the firewalls to allow traffic to and from the
> >> messaging server to the domain. It's much more secure and uses many fewer
> >> ports.
> >>
> >> -ds
> >>
> >>
> >> "C Emmons" <anonymous@discussions.microsoft.com> wrote in message
> >> news:07ae01c48198$c3917b40$3a01280a@phx.gbl...
> >> > I am running Exchange 2003 SP1 on Windows Server 2003. I
> >> > am using the Front-End/Back-End Topology. The Exchange
> >> > Front-End passes request for mail to the Back-End. I
> >> > paid a consultant to come in and setup a DMZ in which the
> >> > Front-End now resides. As far as I can see, the
> >> > connectivity seems okay between the front and the back.
> >> > However, the front-end server will not work. I get the
> >> > following error:
> >> >
> >> > All DS Servers in domain are not responding.
> >> >
> >> > Outside the DMZ (IP changed back to my internal network) -
> >> > everyone works fine between front and back.
> >> >
> >> > I have two Domain Controllers running Windows 2003 Server
> >> > Enterprise (Clusters). The Exchange Server is of course
> >> > in the domain, but is not a domain controller.
> >> >
> >> > Can anyone please help - I am trying to meet a deadline
> >> > and the consultant has gone. Help much appreciated.
> >> > C Emmons
> >>
> >>
> >
> >
>
>