Chapter 5: Protection 75

Source            Destination                Service          Protocol and port
Screened Subnet   Internal/Private Network   HTTP             TCP 80
Screened Subnet   Internal/Private Network   RPC EP Mapper    TCP 135
Screened Subnet   Internal/Private Network   KERBEROS         TCP UDP 88
Screened Subnet   Internal/Private Network   LDAP             TCP 389
Screened Subnet   Internal/Private Network   NETLOGON         TCP 445
Screened Subnet   Internal/Private Network   DSAccess (GC)    TCP 3268
Screened Subnet   Internal/Private Network   TCP High Ports   TCP 1024+

You should regularly check your firewalls to ensure that the settings have not been altered to allow traffic that should not pass. The outside firewall should allow traffic only on port 443, and only to the front-end servers, and only these front-end servers should be allowed to communicate with the back-end servers on the ports you have defined. You may also want to monitor the network to see what kind of traffic passes through the firewall.
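One way to automate this regular check is to compare an exported rule list against the ports listed above. The following is an added example, not part of the original guide; the CSV export layout and the zone labels (external, front-end, screened, internal) are assumptions, and the sample rules are constructed.

```python
import csv
import io

# Baseline from the page: (source, destination, protocol, first port, last port).
BASELINE = [
    ("external", "front-end", "tcp", 443, 443),
    ("screened", "internal", "tcp", 80, 80),        # HTTP
    ("screened", "internal", "tcp", 135, 135),      # RPC EP Mapper
    ("screened", "internal", "tcp", 88, 88),        # Kerberos
    ("screened", "internal", "udp", 88, 88),        # Kerberos
    ("screened", "internal", "tcp", 389, 389),      # LDAP
    ("screened", "internal", "tcp", 445, 445),      # NETLOGON
    ("screened", "internal", "tcp", 3268, 3268),    # DSAccess (GC)
    ("screened", "internal", "tcp", 1024, 65535),   # TCP high ports
]

def parse_ports(spec):
    """Turn '443' or '1024-65535' into an inclusive (low, high) pair."""
    low, _, high = spec.strip().partition("-")
    return int(low), int(high or low)

def covered(src, dst, proto, low, high):
    """True if a single baseline entry permits the rule's whole port range."""
    return any((src, dst, proto) == b[:3] and b[3] <= low and high <= b[4]
               for b in BASELINE)

def audit(export_text):
    """Return the ids of 'allow' rules that the baseline does not permit."""
    drift = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["action"].lower() != "allow":
            continue  # deny rules cannot widen access
        low, high = parse_ports(row["ports"])
        if not covered(row["src"], row["dst"], row["proto"].lower(), low, high):
            drift.append(row["id"])
    return drift

# Constructed sample export (assumed format); rules 4-6 model unwanted changes.
SAMPLE = """id,action,src,dst,proto,ports
1,allow,external,front-end,tcp,443
2,allow,screened,internal,udp,88
3,allow,screened,internal,tcp,3268-3269
4,allow,external,front-end,tcp,80
5,allow,external,internal,tcp,443
6,allow,screened,internal,tcp,25
7,deny,external,internal,tcp,1-65535
"""

print("Rules outside the baseline:", audit(SAMPLE))
```

Rule 3 passes only because the TCP 1024+ row already covers it, which shows how much that single entry permits.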

Monitoring Against Hacker Intrusion

No matter how good your firewall setup is, there is still a risk that a hacker may manage to infiltrate it. You should ensure that you have a good intrusion detection system in place to notify you of any firewall breach, and you should make sure that you always have the ability to shut down services if necessary.

Dealing With Security Breaches

In the event of a security breach, your priority should be to protect the system. In the majority of corporate e-mail systems, the stores will contain extremely sensitive information and should be protected. This means that, in the case of a security risk, the initial response may be to prevent access to the internal network from the outside world. Provided you manage to catch the intrusion early enough, you will still in most cases be able to allow internal mail to flow.

Once you have contained the breach, you should inform firewall vendors and/or Microsoft about the nature of the breach, so that they can come up with a fix. At this point you can revert the system to its state prior to the breach and apply the fixes supplied.

Anti-Virus Measures

As part of your planning and deployment of Exchange 2000, you will have put in place appropriate measures against virus attack. However, regardless of how much protection you put in place, it is quite possible that viruses may affect Exchange. It is therefore very important that you have measures to deal with this possibility.
