5

I've seen a few DMZ related questions here in the past, but wanted to ask one directly related to email. I've done some research on this, but wanted to ask the forum's opinion.

I know it's best practice not to have anything externally hit your LAN directly, but I've seen implementations where external hosted email is being sent directly into the LAN towards the internal mail servers. My gut was telling me this was wrong, but how does putting an external load balancer, or reverse proxy server add additional security? Is it because it's cutting the connection and starting it again from within these systems in the DMZ? I was having problems understanding why this would be more secure, even though I'm more comfortable with it happening. Should there be filtering of the requests occurring here?

Also, I know that the DMZ and LAN should never speak (in theory), but how are internal resources supposed to access external mail? I've read that it's more secure if there's a separate DMZ for mail and that the LAN users should only have access into the DMZ, not the DMZ into the LAN.

Vilican
Contego

2 Answers

3

The theory is that traffic to the DMZ must be inbound. In that case, should something bad happen to the DMZ host, the attack is contained within the DMZ.

This means that the connections from your LAN must be initiated in the LAN, which usually means some kind of push (to the DMZ) or pull (from the DMZ) operations. This is doable for mail but sometimes impracticable for other services.

In that case the DMZ is often seen as a "thin layer" which is in theory more robust (because it is lighter) and therefore potentially less prone to vulnerabilities (and hacks).

This is particularly true when you get the actual data from a mammoth service which should not be accessed directly. This extra layer also allows you to "break the protocol" (as you mentioned), which means that an attack which would have succeeded on the target host will not be doable on the exposed one (because of the architectural change which stops the payload on the first layer (which is not vulnerable to that attack)).

WoJ
  • Correct me if I'm wrong, but all mail clients or servers accessing mail should be coming from the LAN into the DMZ to stop anything from busting in directly from the internet. Also, would a reverse proxy assist with securing the input of data from the DMZ into the LAN? – Contego Jul 01 '15 at 17:49
  • @Contego: the mail could be accessed by users from LAN to DMZ (same for incoming and outgoing mail) or, better, pulled from the DMZ to the LAN by an MTA, which would be the server users would be pointing to. As for the reverse proxy (I am assuming an http(s) proxy?) - it will not help much as it will forward the traffic directly to the LAN, possibly to whitelisted URLs, but maintaining the attack payload which would be avoided by the intermediate service I mentioned in my answer. – WoJ Jul 02 '15 at 08:13
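The "break the protocol" point in the answer above, as an added example that is not part of the original post: a minimal Python relay step that parses each inbound message in the DMZ and regenerates a clean copy for the LAN mail server instead of forwarding the original bytes. The header and attachment allow-lists and the sample message are constructed for illustration, not taken from any real deployment.

```python
# Added example: a DMZ relay that "breaks the protocol" by parsing each
# inbound message and building a fresh copy for the LAN mail server.
# Only whitelisted headers, the plain-text body and whitelisted attachment
# types are carried across; everything else stops at the DMZ layer.
import email
from email import policy
from email.message import EmailMessage

# Constructed allow-lists (illustrative, not a recommended production set).
ALLOWED_HEADERS = ("From", "To", "Cc", "Subject", "Date", "Message-ID")
ALLOWED_ATTACHMENTS = ("application/pdf", "image/png", "image/jpeg")


def rebuild_message(raw: bytes) -> EmailMessage:
    """Parse an inbound SMTP message and regenerate a clean one from scratch."""
    inbound = email.message_from_bytes(raw, policy=policy.default)
    clean = EmailMessage()
    for name in ALLOWED_HEADERS:          # drop Received chains, X- headers, etc.
        if inbound[name] is not None:
            clean[name] = inbound[name]
    body = inbound.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    kept, dropped = [], []
    for part in inbound.iter_attachments():
        if part.get_content_type() in ALLOWED_ATTACHMENTS:
            kept.append(part)
        else:                             # executables, scripts, archives, ...
            dropped.append(part.get_filename() or part.get_content_type())
    if dropped:
        text += "\n[relay removed attachment(s): " + ", ".join(dropped) + "]\n"
    clean.set_content(text)               # re-encoded, not the original bytes
    for part in kept:
        maintype, subtype = part.get_content_type().split("/", 1)
        clean.add_attachment(part.get_content(), maintype=maintype,
                             subtype=subtype, filename=part.get_filename())
    return clean


def build_sample() -> bytes:
    """Constructed test input: a text body, a fake .exe and a fake PDF."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Invoice"
    msg["X-Originating-IP"] = "192.0.2.10"   # documentation-range address
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"MZ\x90\x00fake", maintype="application",
                       subtype="x-msdownload", filename="invoice.exe")
    msg.add_attachment(b"%PDF-1.4 fake", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()
```

A real relay would feed the regenerated message to the LAN MTA (or let the LAN MTA pull it), so the internal server only ever sees output of the DMZ parser, never the sender's raw input.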
0

There are two aspects of email security w.r.t. the DMZ:

  1. SMTP Transport (inbound)
  2. Client connectivity

SMTP transport requires AV scanning and often requires DNS lookups, virus sandboxing, etc. If the SMTP processing is outsourced to Google, Microsoft or Proofpoint, then I see no issue in allowing it to relay directly in, as the 3rd party is the outsourced DMZ.

For client connectivity, most load balancers I've seen require the target POP3, IMAP, HTTP, RPC/HTTPS to reside on the same subnet as the load balancer interface. In addition, analytics may be impacted depending on whether the load balancer is the gateway/router for each server (the server will see the gateway IP instead of the client IP).

I can only speak to Microsoft implementations, as that is my expertise. Microsoft does not support putting a firewall between Front End and Back End servers. They used to in 2003 and earlier, but this is no longer the case.

My suggestion is to install Microsoft Office Server in the DMZ for web-rendering of email data, and turn off WebReady processing on the Exchange server in the LAN.

WebReady documents are the only risk I can tell exists on the Microsoft platform.

makerofthings7
  • So you feel comfortable with allowing a third party act as a DMZ into your network? – Contego Jul 06 '15 at 15:25
  • @Contego Depending on the context and risks involved. Yes, I would consider it. Above, I'm referring to using a 3rd party who specializes in a protocol (SMTP) to remove that burden. If the firewall is locked down completely, then the management overhead of DMZ-ing that data is unnecessary, and without logical benefit. – makerofthings7 Jul 06 '15 at 15:27