From: Wiedemann, Adrian (Adrian.Wiedemann@rz.uni-karlsruhe.de)
Date: Wed Apr 11 2007 - 13:50:43 EDT
Hi,
> My concern would be a 0-day exploit for the service that is exposed.> An
> internal MS Exchange server responding to public internet traffic,
> seems
> less secure than say... a postfix server in the DMZ and a MS Exchange
> server on the internal network.at least in this situation you would
> need
> two services to be exploitable (Postfix SMTP and MS Exchange) rather
> than
> just MS Exchange.
Ok, two things. First, Preventing against a 0day is always hard - regardless
of the system. Second, what do you define as internal? Is the MS Exchange is
only used internally (no RPC-over-HTTPS, no OWA, etc.), then a port forward
is not necessary. If not, the MS Exchange is not internal, and some more
work has to be done than just using an exim as a SMTP proxy and forwarding
the ports.
If there is only a single MS Exchange Server used, then - I have to agree -
exposing this server (holding the mailbox-storage) to the internet is nuts.
But If this is the scenario, major faults happened when the MS Exchange
infrastructure was planned.
> Is this an over paranoid stance? What if the company falls under
> "Executive Order on Critical Infrastructure Protection"?
The risk hast to be evaluated - and proper arrangements have to be done.
Just having the ports forwarded without an essential reason is not an
option.
Regards, Adrian
ret
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:43 EDT