BlackBerry Forums Support Community               

#1  01-24-2008, 04:12 PM
New Member
 
Join Date: Jan 2008
Model: 8300
PIN: N/A
Carrier: AT&T
Posts: 1
Why is installing a BES server in the DMZ bad? How to add Router to DMZ


I was told by management that the BES server needs to be put in the DMZ to protect our devices from malware attacks on our internal network. I have been reading forums and noticed a lot of people are saying not to put it in the DMZ. So why is it a problem? How is putting the Router in the DMZ any safer? How would I put the Router in the DMZ? I'm in an Exchange 2003 environment.

Any help is much appreciated.

Thanks,

Scott030

Last edited by scott030 : 01-24-2008 at 04:32 PM.
#2  01-24-2008, 04:20 PM
BlackBerry Genius
 
 
Join Date: Aug 2006
Model: hdawg
PIN: port3101.org
Carrier: hdawg
Posts: 6,632

Welcome to the forums!!!

Which mail platform are you using? Domino / Exchange / GroupWise. There are different explanations based on the platform and I really don't want to go into all the details when they're explained in RIM's documentation. ... I'll explain whichever you're using.
#3  01-24-2008, 04:26 PM
BlackBerry Extraordinaire
 
 
Join Date: Dec 2007
Model: NA
PIN: 80081ES
Carrier: NA
Posts: 1,006

I know that with Exchange you would need to open thousands of ports for MAPI communication. MAPI uses a random port when being used, so you essentially turn the firewall separating the DMZ and your network into Swiss cheese and vulnerable, defeating the purpose of the DMZ in the first place.

I had a customer that placed their DR BES in the DMZ, and when the production BES went down their backup didn't work because MAPI couldn't communicate. After I explained why, the network admin didn't like the router-in-the-DMZ idea and said he would continue to fix the firewall and didn't think that opening thousands of ports for random communication was a security risk.

When you place the Router in the DMZ, the BES will communicate with it using one port versus thousands.

Here is the info on the setup and reasons why it's not supported:

BlackBerry Search Results

I know that GroupWise works differently and all you need to configure is Access Control Lists, I think. But if you're in an Exchange environment it's nothing but issues and headaches.
#4  01-25-2008, 07:38 AM
BlackBerry Extraordinaire
 
 
Join Date: Feb 2006
Location: YYZ
Model: 9900
Carrier: Rogers
Posts: 1,183

Quote: Originally Posted by scott030
I was told by management that the BES server needs to be put in the DMZ to protect our devices from malware attacks on our internal network. I have been reading forums and noticed a lot of people are saying not to put it in the DMZ. So why is it a problem? How is putting the Router in the DMZ any safer? How would I put the Router in the DMZ? I'm in an Exchange 2003 environment.

Any help is much appreciated.

Thanks,

Scott030

Which actually makes no sense. Once the data makes it to the BES, it's passed on to the device. Where the BES is doesn't really matter.

I always found current implementation of DMZ to be of dubious use. They still have open ports to your LAN. It's not going to stop a hacker. Slow them down maybe, but not stop them. If I can get through your firewall to gain control of a DMZ server, what makes you think I can't use it to go through the firewall again into your LAN?

BES on the LAN only requires outbound port 3101.
#5  01-25-2008, 08:25 AM
x14
BlackBerry Extraordinaire
 
Join Date: Jul 2005
Location: NYC
Model: 9800
OS: 6.0.0.546
Carrier: AT&T
Posts: 2,344

Quote: Originally Posted by scott030
I was told by management that the BES server needs to be put in the DMZ to protect our devices from malware attacks on our internal network. I have been reading forums and noticed a lot of people are saying not to put it in the DMZ. So why is it a problem? How is putting the Router in the DMZ any safer? How would I put the Router in the DMZ? I'm in an Exchange 2003 environment.

As everyone has said, having BES in a DMZ will still require a connection from the BES to the mail servers in the LAN.

The idea of having the BES Router in the DMZ is that the BES (on the LAN) makes a connection to the Router, then the Router connects to the RIM infrastructure. This eliminates connections into the LAN. All connections are outbound.
__________________
Exchange 2007/BES 5.0.2 MR2
#6  01-25-2008, 08:57 AM
CrackBerry Addict
 
 
Join Date: May 2005
Model: 8900
Carrier: T-Mobile
Posts: 560

Remember last year when all the hype was about BBProxy? Our security team freaked out and wanted a meeting with us to discuss locking down BB apps and putting the BES servers in the DMZ. I basically told them 'No' to both and that I would shoulder the responsibility if BBProxy or a hacker infiltrated our network via our SRP connection.

Well, it is now 1.5 years later and not a single issue has occurred. I am still willing to risk my job over the huge hassle it would be to put my BES servers in the DMZ!

p.s. gibson_hg is also right in that this makes DR that much more complex, as a failed DR scenario is much more likely to cost me my job than a theoretical but impractical, overhyped, and unlikely security exploit!
__________________
BESX 4.1.7 on Exchange 2003: 65 Devices
BESX 5.0.3 on Exchange 2003: 2007 Devices
#7  01-25-2008, 10:13 AM
x14
BlackBerry Extraordinaire
 
Join Date: Jul 2005
Location: NYC
Model: 9800
OS: 6.0.0.546
Carrier: AT&T
Posts: 2,344

We use an appliance that does port forwarding to the SRP. So I didn't have to argue the DMZ issue.
__________________
Exchange 2007/BES 5.0.2 MR2
#8  01-28-2008, 11:01 AM
New Member
 
Join Date: Nov 2007
Model: 8700v
PIN: N/A
Carrier: Vodafone
Posts: 14

The following RIM document will provide more information on placing BB components in segmented networks: Livelink - Redirection

I have installed BES for Exchange in a segmented environment with the BES in one DMZ and the router in another.

To overcome the MAPI random ports issue, you need to tie down Exchange to use a specified port. See Exchange Server static port mappings.

You will also need to open ports for domain authentication, assuming your BES is a Windows member server. See Service overview and network port requirements for the Windows Server system.

I think the better option is to place your BES in your corporate LAN and place your BES Router in the DMZ. You then only need to open TCP 3101 from your BES to the BES Router, and your BES router to the RIM SRP address. This will be a lot easier to implement and support.
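The port-count argument made in posts #3, #5 and #8 (a BES in the DMZ needs the MAPI/RPC dynamic range opened into the LAN, whereas a BES Router in the DMZ needs only TCP 3101 outbound from the BES), modelled as firewall rule lists. This is an added example and not part of the thread; the zone names, the sample rules and the 1024-65535 RPC dynamic range are constructed assumptions for illustration.

```python
# Added example (not from the thread): model the two designs discussed above as
# firewall rule lists and measure how much of the DMZ->LAN boundary each opens.
# Zones, rules and the RPC dynamic range are constructed assumptions.
from dataclasses import dataclass

SRP_PORT = 3101               # BES <-> BES Router / RIM SRP port named in the thread
RPC_DYNAMIC = (1024, 65535)   # assumed range a MAPI/RPC endpoint lands in without static mapping

@dataclass(frozen=True)
class Rule:
    src: str       # source zone
    dst: str       # destination zone
    proto: str
    port_lo: int
    port_hi: int

    def width(self) -> int:
        return self.port_hi - self.port_lo + 1

def exposed_ports(rules, boundary):
    """Total number of destination ports allowed across (src zone, dst zone)."""
    return sum(r.width() for r in rules if (r.src, r.dst) == boundary)

def swiss_cheese(rules, boundary, threshold=100):
    """Rules crossing the boundary that open a range wider than threshold ports."""
    return [r for r in rules if (r.src, r.dst) == boundary and r.width() > threshold]

# Design A (constructed): BES in the DMZ must reach Exchange on the LAN over MAPI/RPC.
bes_in_dmz = [
    Rule("dmz", "lan", "tcp", 135, 135),                 # RPC endpoint mapper
    Rule("dmz", "lan", "tcp", *RPC_DYNAMIC),             # dynamic RPC range
    Rule("dmz", "lan", "tcp", 389, 389),                 # LDAP for domain authentication
    Rule("dmz", "internet", "tcp", SRP_PORT, SRP_PORT),  # BES -> RIM SRP
]
# Design B (constructed): BES on the LAN, only the BES Router in the DMZ.
router_in_dmz = [
    Rule("lan", "dmz", "tcp", SRP_PORT, SRP_PORT),       # BES -> BES Router, outbound only
    Rule("dmz", "internet", "tcp", SRP_PORT, SRP_PORT),  # BES Router -> RIM SRP
]

def compare():
    """Summarise what each design opens from the DMZ into the LAN."""
    return {
        "bes_in_dmz_inbound_to_lan": exposed_ports(bes_in_dmz, ("dmz", "lan")),
        "router_in_dmz_inbound_to_lan": exposed_ports(router_in_dmz, ("dmz", "lan")),
        "router_in_dmz_lan_to_dmz": exposed_ports(router_in_dmz, ("lan", "dmz")),
        "wide_rules_in_bes_design": len(swiss_cheese(bes_in_dmz, ("dmz", "lan"))),
    }

if __name__ == "__main__":
    print(compare())
```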
Copyright 2004-2014 BlackBerryForums.com.
The names RIM and BlackBerry are registered Trademarks of BlackBerry Inc.