
| Subject: | RE: RE: Front End/Back End communication |
|---|---|
| Date: | Tue, 16 May 2006 12:35:47 -0700 |
At Tuesday, May 16, 2006 10:39 AM, timpacalypse@yahoo.com wrote:
I guess what I'm trying to do is get the most secure option with what I have. I'm at the point now where I think no matter what I'm kinda screwed unless I get ISA or something like it implemented.
Remember that security isn't a discipline of perfection; it's about identifying and managing your risks.
I'm under the impression that IF someone does get past the external firewall they'll be able to sniff for credentials/messages or whatever because the FE/BE communicate via clear text. So if I secure the communication between FE/BE via IPSEC then IF the front end server is compromised then we're screwed once again.
How likely is it that someone gets past your firewall? In order to accurately assess that option, you need to figure out what the most likely avenues of attack are. Most likely: services you have exposed or published through the firewall. These most likely live in your DMZ. Your FE server is one of them. Looks like you need to make sure those services are properly configured and the hosts are hardened. Yes, the FE and BE communicate in the clear. What will it take for someone to listen to that communication channel? What hosts could they do it from? Easiest would be the FE server itself -- which is why the IP tunnel option, even if it's technically feasible, isn't going to protect you against the real risk. Any process on that server will make use of the tunnel. I submit that if you have someone behind your firewall, you've probably got bigger problems than them sniffing your FE->BE communications. Maybe it's time to document that risk, note the chain of events that have to happen in order for it to be a risk, and document the cost involved in fixing that risk -- then bounce it up the chain of command for them to decide if they think it's enough of a risk to justify the cost of installing ISA.
So what's the better of my options? Someone suggested using m0n0wall or another linux/bsd alternative for ISA.
Not an alternative in the application proxy sense, but as an alternative to your current NAT firewall. The key to resolving your troubles here is telling your current NAT firewall/router to *NOT* perform NAT translation between your interior network and your DMZ network, but just to route the packets back and forth. If you can do that, then you can use strict IPsec communications between your FE and the rest of your Exchange servers.

--
Devin L. Ganger
3Sharp LLC
15311 NE 90th Street
Redmond, WA 98052
Email: deving@3sharp.com
Phone: 425.882.1032 x 109
Cell: 425.239.2575
Fax: 425.702.8455
(e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/
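An added illustration of the point above (example code written for this page, not from the thread or from any Exchange or Windows component): it models the IPsec AH integrity check from RFC 4302, where the ICV covers the immutable IPv4 fields including source and destination address, and shows that a hop which only routes (decrements TTL, a mutable field) leaves the packet verifiable, while a hop that performs NAT on the source address does not. Key, SPI, addresses and payload are constructed sample values.

```python
import hmac
import hashlib
import ipaddress
import struct

KEY = b"constructed-demo-key"  # constructed sample key, not a real SA key
AH_PROTO = 51
ICV_LEN = 12  # HMAC-SHA1-96 truncates the tag to 96 bits (RFC 2404)

def ipv4_header(src: str, dst: str, ttl: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; header checksum left zero for simplicity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, AH_PROTO, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def ah_header(spi: int, seq: int, icv: bytes) -> bytes:
    """AH: next header (TCP=6), payload length in 32-bit words minus 2, reserved, SPI, seq, ICV."""
    return struct.pack("!BBHII", 6, (12 + len(icv)) // 4 - 2, 0, spi, seq) + icv

def ah_icv(packet: bytes, key: bytes) -> bytes:
    """Compute the AH ICV: zero the mutable IPv4 fields and the ICV slot, then HMAC the rest."""
    p = bytearray(packet)
    p[1] = 0                      # ToS (DSCP/ECN), mutable
    p[6:8] = b"\x00\x00"          # flags + fragment offset, mutable
    p[8] = 0                      # TTL, mutable
    p[10:12] = b"\x00\x00"        # header checksum, mutable
    p[32:32 + ICV_LEN] = bytes(ICV_LEN)  # ICV slot inside AH (IP 20 bytes + AH fixed 12 bytes)
    return hmac.new(key, bytes(p), hashlib.sha1).digest()[:ICV_LEN]

def build_ah_packet(src: str, dst: str, payload: bytes, key: bytes = KEY,
                    spi: int = 0x100, seq: int = 1, ttl: int = 64) -> bytes:
    total = 20 + 12 + ICV_LEN + len(payload)
    pkt = ipv4_header(src, dst, ttl, total) + ah_header(spi, seq, bytes(ICV_LEN)) + payload
    return pkt[:32] + ah_icv(pkt, key) + pkt[32 + ICV_LEN:]

def verify_ah(packet: bytes, key: bytes = KEY) -> bool:
    """Receiver-side check: recompute the ICV and compare in constant time."""
    return hmac.compare_digest(ah_icv(packet, key), packet[32:32 + ICV_LEN])

def plain_router(packet: bytes) -> bytes:
    """A hop that only forwards: decrements TTL and touches nothing else."""
    p = bytearray(packet)
    p[8] -= 1
    return bytes(p)

def nat_router(packet: bytes, new_src: str) -> bytes:
    """A NAT hop: decrements TTL and rewrites the source address, which AH treats as immutable."""
    p = bytearray(packet)
    p[8] -= 1
    p[12:16] = ipaddress.IPv4Address(new_src).packed
    return bytes(p)
```

Run with a constructed packet from a DMZ address to an interior address: the routed copy still verifies, the NAT-translated copy is rejected by the receiver, which is exactly why the firewall between DMZ and interior must route rather than translate for strict IPsec to work.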