- 12 myths about how the Internet works
- Smartphone smackdown: Storm vs. iPhone
- IETF: Should we ignore the Kaminsky bug?
- Top 10 wicked cool algorithms
- How to recession-proof yourself
With Exchange 2007, Microsoft has introduced the concept of an Edge Transport server which is the outward-facing messaging component for handling SMTP network traffic.
An Exchange 2007 server in this role can send and receive Internet mail for the Exchange network (and do such things as blocking viruses and spam) but isn’t joined to the Active Directory domain. With this in place, Microsoft claims you can minimize security exposure.
We performed an initial security evaluation of the Edge Transport mode of Exchange as you would in an enterprise while doing the initial research on what it would take to deploy and defend Exchange 2007.
The first thing you notice is that the Edge Transport is definitely not the only thing at the edge. Outlook Web Access services and direct connections from Outlook clients and mobile devices still talk directly to Exchange servers that are fully part of the trusted inner circle. So the Edge Transport server handles strictly SMTP-based communications, which is only a part of the potential attack surface.
Current attack strategies often focus on Microsoft’s RPC mechanisms, IIS Web server transaction, and on vulnerable behavior of the email client, such as Outlook. SMTP attacks are simply not all that popular today. The Edge Transport is a sort of a Maginot Line in that Microsoft has put a lot of effort into defending something that may well not be where the attacks come from.
The Edge Transport uses a lightweight interface to Active Directory, ADAM (Active Directory Application Mode), to tie into the larger Exchange 2007 network. This limits the amount of directory information present near the edge to the minimum needed, the email addresses to be accepted.
The Edge Transport enforces email and security policies through message header inspection, content inspection and blacklist/whitelist management for all email traffic. Microsoft’s layers its anti-virus/anti-spam product Forefront Security on top of the Edge Transport server to block inappropriate email. Microsoft offers some protections in the communication between the Edge Transport server and the rest of the Exchange network to ensure that spam and virus verdicts cannot be faked by an attacker.
Another issue lies in the fact that there isn’t really documentation on Exchange 2007 security deployment and internals.
Rss FeedRss Feed
| NetworkWorld, Inc. | About Network World, Inc. | Advertise | Careers | Contact us | Terms of Service/Privacy | Reprints and links | Partnerships | Press room | Subscribe to NW |
| IDG, Inc. | CIO | Computerworld | CSO | Demo | GamePro | Games.net | IDGconnect.com | IDG World Expo | Infoworld | JavaWorld.com | LinuxWorld.com | MacUser | Macworld | PC World | Playlistmag.com | The Industry Standard | IDG List Services | IDG TechNetwork |
 The Leader in Network Knowledge© 1994-2008 Network World, Inc. All rights reserved. |
Partner Content
SMART Steps Toward Consolidated Workload Automation
Consolidating job scheduling into a single, comprehensive workload automation solution is a critical first step to effective workload automation (WLA).
White paper on WLA here
A Comprehensive Approach to Practicing ITIL Change Management
Read a compelling whitepaper by EMA, Inc. to learn best practices for integrating workload automation.
Whitepaper here
2 Minutes to IT workload automation
BMC CONTROL-M can put money back into your IT budget and strip the complexity and risk from workload automation.
View video here
Gain a faster, cheaper way to manage workload
BMC CONTROL-M can help you migrate to a workload automation solution to meet your organization’s goals.
Listen here for more info
Comment