This is not directly related to any Cisco product but rather a general question regarding placement of servers, open ports etc. Hopefully someone can shed some light on this for me.
I understand the concept of the DMZ, to isolate those servers that need exposure to the internet from the internal network. But here is the what if:
With an Exchange server for instance, without running front end and back end servers, just a single Exchange box. Exchange needs to be a domain member and have access to Domain Controllers sitting inside on the LAN. Off the top of my head, I know LDAP needs to be opened along with several others. Would it not be advisable in this situation to have the Exchange server sitting inside on the LAN with a single port (25) opened to the outside? In my mind, this is a much more secure setting than having it in the DMZ, causing 4 ports to be opened instead.
If anyone could shed some light on this for me, I'd appreciate it.
There are always different approaches to the same thing and you may get a number of different answers to your question.
My opinion is in an ideal world you would not have any machine in the DMZ initiating connections to the inside network but this is not always possible.
You say it is much more secure to have only port 25 opened to the outside than having to open up 4 ports. But bear in mind that you are not opening up 4 ports to the outside. If you place your server on a DMZ you still only open up one port to the outside. You then allow the server to connect through to the inside on those 4 ports. But no connections from the outside can be made on those 4 ports.
Now let's say your server gets hacked. On the DMZ you have still limited what a person can do from that server. If you place it on the inside and the server is hacked, that person now has full unrestricted access to the rest of your internal network.
So I would argue you still get more security by placing it in the DMZ. That is a general answer to your question. In the particular case of an Exchange server you could argue that, as it needs to be a domain member, if the box gets hacked the game is pretty much up anyway.
Thanks for your input. I realize that there is more than one way to get this done. I fell under some scrutiny lately on my choices and want to get a feel for what other people are doing and thinking.
My thought though was this. If my mail server is sitting in the DMZ with port 25 open, and it gets hacked, the hacker will use what's available on that box to garnish information and tools to hack further into the network.
With ports open to DC's on the LAN, these would act as conduits to get where they want to go.
I agree with what you say, it's preferable to have all of your exposed servers in the DMZ. My choice to sit my Exchange box inside drew some rather harsh and in my opinion, unwarranted criticism.
My personal policy is that there should be no *interactive* traffic from the outside directly to the inside. That is HTTP/HTTPS, FTP, Telnet, etc. SMTP is not an interactive protocol; I know it is possible to telnet to port 25, but with fixup the banners are hidden and commands limited. I have put devices which required domain authentication in a DMZ before, and the number of ports that have to be opened for correct operation does defeat the objective somewhat.
In an ideal world, you would have a mail relay in the DMZ which does not require domain membership, maybe an anti-spam device.
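The policy described in the replies above (one port inbound from the outside to the DMZ, a short list of ports from the DMZ mail server to the Domain Controller, nothing from the outside to the inside, and SMTP "fixup") as a PIX/ASA configuration. This is an added example and not configuration posted by anyone in the thread. The interface names, addresses, the DC host and the DMZ-to-inside port list are assumptions for illustration; the exact set of ports a domain-member Exchange server needs depends on the Exchange version and is not stated on this page.

```cisco
! Added example, not from the original thread. Addresses and port list are assumed.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface Ethernet0/1
 nameif dmz
 security-level 50
 ip address 192.168.100.1 255.255.255.0
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0

! Static NAT for the DMZ mail server (pre-8.3 syntax). 192.168.100.25 is assumed.
static (dmz,outside) 203.0.113.5 192.168.100.25 netmask 255.255.255.255

! Outside -> DMZ: only SMTP to the mail server. No rule permits outside -> inside,
! and the default security levels would deny it anyway.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.5 eq smtp
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! DMZ -> inside: only the mail server, only to the DC (10.0.0.10 assumed),
! only the ports it needs. This port list is an assumption for illustration.
object-group service AD_PORTS tcp
 port-object eq 88
 port-object eq 389
 port-object eq 445
 port-object eq 3268
access-list DMZ_IN extended permit udp host 192.168.100.25 host 10.0.0.10 eq domain
access-list DMZ_IN extended permit tcp host 192.168.100.25 host 10.0.0.10 object-group AD_PORTS
! Everything else from the DMZ toward the inside network is dropped and logged.
access-list DMZ_IN extended deny ip any 10.0.0.0 255.255.255.0 log
! Remaining DMZ traffic (e.g. outbound SMTP delivery) may leave toward the outside.
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface dmz

! SMTP inspection (the "fixup" mentioned above). ASA 7.x+ Modular Policy Framework form;
! it hides the server banner and restricts the command set on port 25.
policy-map global_policy
 class inspection_default
  inspect esmtp
service-policy global_policy global
! On PIX 6.x the equivalent is the single line:  fixup protocol smtp 25
```

The key points to check after applying this are that `show access-list OUTSIDE_IN` shows hits only on the SMTP line, and that the `deny ip any 10.0.0.0` entry on DMZ_IN is the one that counts any attempt by the DMZ host to reach inside addresses other than the DC. If the mail server is compromised, the attacker's reach into the LAN is exactly the lines in AD_PORTS plus DNS to one host, which is the point made in the replies above.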