RE: DMZ design - Exchange, SQL, & DCOM

From: Henry Sieff (hsieffat_private)
Date: Mon Feb 07 2000 - 13:45:24 PST

    > -----Original Message-----
    > From: Mikael Olsson [mailto:mikael.olssonat_private]
    > Sent: Sunday, February 06, 2000 11:22 AM
    > To: Michael Borkin
    > Cc: firewall-wizardsat_private
    > Subject: Re: DMZ design - Exchange, SQL, & DCOM
    > 
    > Michael Borkin wrote:
    > > 
    > > Mikael Olsson wrote:
    > > > I'd recommend placing a mail forwarder with content screening
    > > > capabilities in a SEPARATE DMZ, and the Exchange server on
    > > > the internal network.
    > > 
    > > Why do you recommend a separate DMZ just for mail forwarding?
    > 
    > I recommend separate segments for just about everything :-)
    
    You really need to weigh the risks, imo. 
    
    > The reason for the separate DMZ is that you don't want to expose
    > your mail forwarder to your web server. The risk that someone
    > will hack your web server through the firewall is much greater
    > than the risk of someone hacking your mail forwarder through the
    > firewall. However, with the two placed on the same LAN, hacking
    > the mail forwarder most likely becomes a simple task.
    >
    
    No; if you have properly hardened both boxen, it shouldn't really be an
    issue. Your mail forwarder can be set to refuse connections from other
    machines in the DMZ (it really should only talk to your internal mail server
    and to the DMZ NIC anyway). I mean, if you REALLY want to, you can set up
    separate DMZs for all components, but IMO you're adding administrative
    overhead and cost without gaining much by way of security.
     
    > Also, by placing the mail forwarder in a separate DMZ, you 
    > can be reasonably sure that the SMTP traffic going into
    > your exchange server is actually coming from the mail forwarder,
    > and not from the web server doing some serious IP and/or
    > MAC spoofing.
    
    If someone gains that degree of access to your web server (to the point
    where they could start spoofing IP and MAC addresses), you're pretty screwed
    already; SMTP relay hijacking will be the least of your worries.
    
    Henry
    
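The two positions above (a host-based filter on the mail forwarder versus a separate segment that lets the firewall check which interface a frame came in on) can be made concrete with a small packet-filter model. The following Python is an added example and is not code from the thread or either poster; the addresses (RFC 5737 / RFC 1918 ranges), the two topologies and the `emitted_by` field that records which host actually put a frame on the wire are all constructed for the illustration. A real filter never sees `emitted_by`; it is there only so the spoofing case can be modelled.

```python
"""Constructed model of the DMZ-design argument in the thread (example code,
not from the original posts).

Henry's point: the mail forwarder's own packet filter refuses SMTP from other
DMZ hosts, so it only talks to the firewall's DMZ NIC and the internal mail
server.  Mikael's caveat: that filter keys on the source address, so a
compromised neighbour on the same segment can spoof an allowed source.  A
separate DMZ lets the firewall drop such a frame by ingress interface.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address

SMTP = 25

# Assumed addressing for the example (not from the thread).
FIREWALL_DMZ_NIC = ip_address("192.0.2.1")
MAIL_FORWARDER = ip_address("192.0.2.25")
WEB_SERVER = ip_address("192.0.2.80")
INTERNAL_MAIL = ip_address("10.0.0.25")


@dataclass(frozen=True)
class Packet:
    src: IPv4Address          # source address as written in the IP header
    dst: IPv4Address
    dport: int
    emitted_by: IPv4Address   # host that really sent the frame; simulation only


# --- Henry's position: host-based filter on the mail forwarder -------------
# Only the firewall's DMZ NIC (inbound mail) and the internal mail server
# (outbound mail) may open SMTP to the forwarder; other DMZ hosts are refused.
FORWARDER_SMTP_PEERS = {FIREWALL_DMZ_NIC, INTERNAL_MAIL}


def forwarder_host_filter(pkt: Packet) -> str:
    """Decision of the forwarder's own filter; it can only key on pkt.src."""
    if pkt.dst == MAIL_FORWARDER and pkt.dport == SMTP and pkt.src in FORWARDER_SMTP_PEERS:
        return "ACCEPT"
    return "DROP"


# --- Mikael's position: separate segments so the firewall can anti-spoof ---
# topology: interface name -> set of hosts attached to that segment (assumed).
SHARED_DMZ = {"dmz": {WEB_SERVER, MAIL_FORWARDER}}
SPLIT_DMZ = {"web-dmz": {WEB_SERVER}, "mail-dmz": {MAIL_FORWARDER}}


def firewall_filter(pkt: Packet, topology: dict) -> str:
    """Firewall rule 'SMTP to the internal mail server only from the forwarder',
    preceded by an ingress check: the claimed source must belong to the segment
    the frame actually arrived on."""
    ingress = next((name for name, hosts in topology.items() if pkt.emitted_by in hosts), None)
    if ingress is None or pkt.src not in topology[ingress]:
        return "DROP"          # source address does not belong on this interface
    if pkt.dst == INTERNAL_MAIL and pkt.dport == SMTP and pkt.src == MAIL_FORWARDER:
        return "ACCEPT"
    return "DROP"


def scenarios() -> dict:
    """Constructed cases; the returned verdicts are the point of the example."""
    honest_inbound = Packet(FIREWALL_DMZ_NIC, MAIL_FORWARDER, SMTP, FIREWALL_DMZ_NIC)
    web_direct = Packet(WEB_SERVER, MAIL_FORWARDER, SMTP, WEB_SERVER)
    web_spoofs_nic = Packet(FIREWALL_DMZ_NIC, MAIL_FORWARDER, SMTP, WEB_SERVER)
    forwarder_relay = Packet(MAIL_FORWARDER, INTERNAL_MAIL, SMTP, MAIL_FORWARDER)
    web_spoofs_fwd = Packet(MAIL_FORWARDER, INTERNAL_MAIL, SMTP, WEB_SERVER)
    return {
        "host filter, inbound via firewall NIC": forwarder_host_filter(honest_inbound),
        "host filter, web server direct": forwarder_host_filter(web_direct),
        "host filter, web server spoofing NIC": forwarder_host_filter(web_spoofs_nic),
        "shared DMZ, real forwarder to Exchange": firewall_filter(forwarder_relay, SHARED_DMZ),
        "shared DMZ, web server spoofing forwarder": firewall_filter(web_spoofs_fwd, SHARED_DMZ),
        "split DMZ, real forwarder to Exchange": firewall_filter(forwarder_relay, SPLIT_DMZ),
        "split DMZ, web server spoofing forwarder": firewall_filter(web_spoofs_fwd, SPLIT_DMZ),
    }


if __name__ == "__main__":
    for case, verdict in scenarios().items():
        print(f"{case:45} {verdict}")
```

The host filter does what Henry describes (a direct connection from the web server is refused) but accepts the spoofed case, because source address is all it has. On the shared segment the firewall has the same blind spot; only in the split topology does the ingress check catch the web server claiming the forwarder's address. Whether that residual case is worth a second segment is exactly the risk weighing Henry refers to.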



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:02:36 PDT