
How risky to open RPC, LDAP, DNS in Intranet firewall?

Status
Not open for further replies.

rpast

MIS
Sep 3, 2002
87
US
Hello –

Can someone help me get through the hype? I am migrating Exchange 5.5 to 2003, have a Pix 515 (w/ dmz) and have reviewed many Microsoft scenarios, all of which recommend ISA over a FE Server-in-dmz / BE Server-in-lan scenario. The only reason I can see for using ISA in my case is to limit lan exposure via LDAP, RPC, DNS etc. But I haven’t seen any documentation on how risky it actually is to have those ports open. The hacker would have to get in through the Pix via 80 or 443. Has anyone ever had their lan attacked with this setup?

Working for a small, cost-conscious company is even causing me to consider putting the corporate web server and FES on the same dual-homed box (2 globals, one accepting SSL, one HTTP) in the dmz.

Any thoughts? Thank you.
 
My personal opinion is that the MS recommended way of putting the FE in a DMZ and opening LDAP ports from DMZ into inside is just as risky, if not more so, than just opening 443 to the inside. I see no reason to open port 80 to the inside for OWA. End users just need to be trained to use the full I have a site with this exact setup using a PIX firewall and have discussed it with several Cisco folks and they all concur. An SSL proxy in the DMZ could make this even better.

MS would love to sell you an ISA license or two; however, you could still use their concepts with a PIX firewall if you felt strongly about putting the FE in a DMZ.

As far as combining with other web server functions, I would shy away from it and place a separate web server in the DMZ for anything else.
 
You can run your Exchange server just fine with any firewall. Just remember that MS is trying to sell its ISA firewall product.

Here's the list of ports you will want to open...
=========================
Outside --> DMZ
80/TCP
443/TCP

DMZ --> Outside
80/TCP
443/TCP

DMZ --> Inside
53/TCP/UDP (DNS)
80/TCP (HTTP)
88/TCP/UDP (Kerberos)
135/TCP/UDP (RPC Portmapper)
137/TCP/UDP (NetBIOS Name Service -- OPTIONAL)
138/UDP (NetBIOS Datagram Service -- OPTIONAL)
139/TCP (NetBIOS Session Service -- OPTIONAL)
389/TCP (LDAP)
445/TCP/UDP (SMB)
636/TCP (OPTIONAL--LDAPS)
3268/TCP (LDAP GC)

Inside --> DMZ
80/TCP (HTTP)
88/TCP/UDP (Kerberos)
135/TCP/UDP (RPC Portmapper)
137/TCP/UDP (NetBIOS Name Service -- OPTIONAL)
138/UDP (NetBIOS Datagram Service -- OPTIONAL)
139/TCP (NetBIOS Session Service -- OPTIONAL)
443/TCP (HTTPS)
445/TCP/UDP (SMB)
=========================

One last port... Windows uses dynamic port assignments for RPC calls and can range from 1025 to 65535 TCP. Here are a couple of links for ways of controlling which ports are used:
http://support.microsoft.com/default.aspx?scid=kb;en-us;154596
http://support.microsoft.com/kb/832017

This last link is to a white paper which tells you which services you can shut down once you have the FE box setup.
http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/febetop.mspx

PSC

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers"
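To make the trade-off in the port list above concrete, here is an added example (not from the thread or any of its posters) that encodes the FE-in-DMZ rule set and the single-443-hole alternative as zone rules and counts what each exposes to the inside LAN; the zone names and the static RPC port 6001 are assumptions, and the OPTIONAL NetBIOS ports are left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str    # zone the traffic comes from
    dst: str    # zone the traffic goes to
    proto: str  # "tcp" or "udp"
    lo: int     # first port of the allowed range
    hi: int     # last port of the allowed range (inclusive)

def tcp_udp(src, dst, port):
    """One allow rule for each of TCP and UDP on the same port."""
    return [Rule(src, dst, "tcp", port, port), Rule(src, dst, "udp", port, port)]

# Design A: FE in the DMZ, ports as listed in the post (OPTIONAL NetBIOS ports omitted)
FE_IN_DMZ = [
    Rule("outside", "dmz", "tcp", 80, 80), Rule("outside", "dmz", "tcp", 443, 443),
    *tcp_udp("dmz", "inside", 53), Rule("dmz", "inside", "tcp", 80, 80),
    *tcp_udp("dmz", "inside", 88), *tcp_udp("dmz", "inside", 135),
    Rule("dmz", "inside", "tcp", 389, 389), *tcp_udp("dmz", "inside", 445),
    Rule("dmz", "inside", "tcp", 636, 636), Rule("dmz", "inside", "tcp", 3268, 3268),
    # dynamic RPC endpoints, unless pinned to static ports as the two KB links describe
    Rule("dmz", "inside", "tcp", 1025, 65535),
]

# Design B: Exchange on the inside, one 443 hole straight from outside (anawrocki's option)
FE_INSIDE = [Rule("outside", "inside", "tcp", 443, 443)]

def allowed(policy, src, dst, proto, port):
    """True if some rule in the policy permits this flow."""
    return any(r.src == src and r.dst == dst and r.proto == proto and r.lo <= port <= r.hi
               for r in policy)

def inside_exposure(policy):
    """Set of (proto, port) pairs reachable into the inside zone from a less-trusted zone."""
    exposed = set()
    for r in policy:
        if r.dst == "inside":
            exposed.update((r.proto, p) for p in range(r.lo, r.hi + 1))
    return exposed

def pin_rpc(policy, static_port):
    """Replace the dynamic RPC range with one static port (static_port is a constructed value)."""
    return [Rule(r.src, r.dst, r.proto, static_port, static_port)
            if (r.lo, r.hi) == (1025, 65535) else r
            for r in policy]

if __name__ == "__main__":
    print("FE in DMZ :", len(inside_exposure(FE_IN_DMZ)), "(proto, port) pairs into inside")
    print("RPC pinned:", len(inside_exposure(pin_rpc(FE_IN_DMZ, 6001))))
    print("FE inside :", len(inside_exposure(FE_INSIDE)))
```

With the dynamic RPC range open, design A exposes over 64,000 (proto, port) pairs to the inside against one for design B; pinning RPC to a static port cuts that to 13, which is the hassle the later reply refers to.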
 
Thank you both. Mr. Anawrocki, in your scenario, do you eliminate all RPC traffic then, as well as LDAP and HTTP?
 
He's recommending putting the FE server on your inside network and cutting a port 443 hole directly from outside to inside.

PSC

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers"
 
I see. So in your estimation, with the dmz, opening those ports isn’t such a big risk to the inside. (I haven’t read your links yet)
 
PScottC is correct. Because it is inside, no need to worry about the other traffic. Not necessarily a recommendation, just a possibility to consider.

In this one of many possible scenarios I am putting the Exchange server (it does not necessarily need to be a FE server if only a single Exchange server is needed) on the inside. The theory is I only have to then open one port (443) versus the many needed for LDAP and RPC (and the hassles and security risks of making RPC ports static) to put it in the DMZ.

Depending on what all is going on within your DMZ, 1 port from outside to inside seems safer to me than opening a boatload of ports from the DMZ to the inside.

Personally I would not use ISA if it were free, but that is just my preference, not gospel.

This is a good solution for a small shop without a ton of $$$. I don't know if this is an acceptable solution for your situation.

With unlimited dollars there are more secure ways to do this but this works well for my scenario.

 
Thanks for the follow-up. I hate to gratuitously brain-pick, but you bring up another good point. With your scenario, do I even need an FE? Except for making the BEs redundant, I’d guess not. But even for redundancy, couldn’t a Load Distribution-type NAT load balance the BEs instead? – although I’m not sure if the Pix does that kind of NAT. I may be missing something; but with one BE currently (and maybe 2 for failover), and only OWA coming in from the outside (no POP or IMAP), I don’t see the need for a FE. I’d be interested in your opinion.

Also, although the point might become academic, I guess the conclusion re: FE-in-dmz (per PScottC) minus ISA, is that that scenario is mostly Microsoft scare tactics. Or maybe there are some documented cases of hackers getting in that way (through two firewalls). To me, I see a bigger risk of having the ISA box (which basically usurps the Pix dmz anyway) compromised and bringing down the lan.
 
Never mind, I’m an idiot – should be home sleeping – forgot that I’m also bringing our Internet email hosting in-house, which means SMTP, and there goes Mr. Anawrocki’s scenario – thought it sounded too easy. Which brings me back to the original question re: hacking through two firewalls.

Thank you anawrocki and PScottC, and to anyone who is patient enough to still be listening.
 
You are going to need to get your SMTP traffic in one way or another anyhow. That is a given with any solution you choose. We run ours through a weshield appliance in the DMZ to scan for viruses/spam and then into the inside. However, it could be on any flavor of server in the DMZ that handles SMTP traffic, and could also be sent straight in depending upon risk tolerance (not recommended).

Read up on locking down SMTP relays before you start on your project.

You do need a FE for OWA if you have more than one BE and you want a single URL for OWA. Bottom line, IMHO, a FE is a waste if you only need one mail server for a small shop.
 