Security Sanity Check - Email server in DMZ or VPN Access

The headquarters of my company wants to take over all email for the subsidiaries. They are proposing an exchange server (located in Europe) behind a firewall so remote users would need to authenticate (using a SecureID token) to check email. This seems a bit over the top to me.

We are located in the USA and currently have a mail server in a DMZ which allows POP3 and SMTP traffic to the mail server. This setup works very well and I have tuned the spam filtering to the point that I don't think it could be any better. Our parent company has made questionable decisions in the past and don't seem to have a clue about the US market. We wouldn't consider having phone calls routed to Germany and I think email is just as important.

Long story short here...what are some thoughts about having mail servers located in a DMZ vs. located behind a firewall. Some arguments for my way of thinking:

  1. Email is not secure by its nature and having to authenticate to check email adds an unnecessary inconvenience factor especially if you need to supply a random token.

  1. The DMZ option is more secure for the internal network. True?

  2. If something fails, I have a chance to fix it quick. If everything is in Europe and the Europeans are gone for the weekend we're screwed.

Any comments on my points or other arguments for or against?

TIA,

-jeff

Reply to
-jeff
Loading thread data ...

On Tue, 23 Nov 2004 19:21:17 -0500, -jeff spoketh

Wrong. Authentication to your e-mail server is cleartext, which exposes both user name and password to anyone who really wants to have a look. This means other people may be able to use someone else credentials to send/receive e-mail and/or even hack into your system.

Wrong. See above.

Yeah, right. Come on, any network admin works 24/7 regardless of which country they are in. Europeans are no more likely to go home for the weekend and take the phone of the hook than anyone else...

It's not about securing the content of the messages, but securing access to potentially vulnerable servers. Also, internal e-mails have never been exposed to the internet, and may even be encrypted. Downloading these messages via an unsecured pop3 connection could potentially leak confidential information to people who are listening in.

Lars M. Hansen

formatting link
'badnews' with 'news' in e-mail address)

Reply to
Lars M. Hansen

OK, I hadn't thought of the cleartext for the user name and password. In your opinion is it a bad idea to put a mail server in a DMZ?

This I don't get. How is the internal network not secure if there is no route from the DMZ into the network?

Didn't mean to bash the Europeans, but my company does not have 24/7 network admins in Europe. My comment about the Europeans was strictly an issue of time zones and having no email would be more unacceptable to the USA then to my European office.

Does it make a difference that only POP3 and SMTP traffic is allowed? Where are the most likely points that someone would listen in?

Go Red Sox!

Reply to
-jeff

On Tue, 23 Nov 2004 20:47:24 -0500, -jeff spoketh

No, it's not a bad idea. It does limit avenues of attack, and if your mail server is hacked, the hacker still doesn't have access to your LAN.

Well, "wrong" is probably a little harsh. As I said above, if your mail server (in the DMZ) is hacked, the hacker isn't on your LAN (yet). But, since you are exposing usernames and passwords in clear text, there may be other ways the hacker can get either from the internet into your LAN or through the DMZ. It really depends on how much stuff you have in the DMZ.

All network admins are 24/7, whether it's in their job description or not. If something as essential as e-mail goes down, whoever is responsible for the e-mail system is supposed to get notified and rectify the situation immediately.

Raise your concerns with some higher-ups in your US office, and make sure that the European office is made aware of how critical you feel the e-mail system is. You may be able to get them to give in a little bit and perhaps put an Exchange box in the US as well...

You are only allowing pop3 and smtp to/from the mail server, so that's the only thing someone could listen in on... for that server. I don't know what else you are running, but many other companies have web-based e-mail, web portals, extranets and various other means to connect to the inside from the outside. With the usernames and passwords already exposed in cleartext, these other services could also be tested using the same username/password combination.

Lars M. Hansen

formatting link
'badnews' with 'news' in e-mail address)

Reply to
Lars M. Hansen

Uhm, why in gods name are you using cleartext authentication with your e-mail servers?

Reply to
Eirik Seim

Allow me to elaborate slightly. There exists options for both secure (SSL/TLS-based) transport and delivery of email. All based on open and free standards, SMTP (via STARTTLS), SSL IMAP (or "imaps") and SSL POP3 (or "pop3s"). They're there, why not use them?

Reply to
Eirik Seim

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.