Question : Is a DMZ necessary on our network?

Hi,
Architecture question. I work for a medium-sized charity. We're running a traditional network:
Internet->Firewall (smoothwall)->Servers & Exchange

We're currently on 2000 server and Exchange 2000, shortly upgrading to 2003 servers and Exchange 2003. I'm looking at a DMZ as an option for the following:

1. For hosting a front-end Exchange 2k3 server for OWA access
2. To host a NAC server for managing internal connections

Any other reasons I should be looking at setting up a DMZ? From your experience, are they necessary? I've read conflicting views on this. We are secure and have had no problems, but I'm looking for some advice on best practice setup. Ports currently open on our firewall are:

- 25, open to one IP address (we use SMTP forwarding for spam/av/greylisting before doing our own spam/av). Forwarded to our mail server (smart host mailmarshal -> Exchange 2000)
- 80, open to all external IPs (OWA, forwarded to our mail server)
- 3389, open to specific IP addresses (forwarded to server & a couple of clients)
- 1433, open to one IP address (our web hosting provider, forwarded to our SQL server)

Any insights/thoughts/recommendations appreciated.
Regards,
Chris.

Answer : Is a DMZ necessary on our network?

My 2 cents...

If it ain't broke, don't fix it.

Putting an Exchange in a DMZ is not a good idea. Sembee has preached this many times... I'd always recommend his advice.
http://www.experts-exchange.com/Security/Misc/Q_22673697.html?sfQueryTermInfo=1+dmz+simon
http://www.sembee.co.uk/archive/2006/02/23/7.aspx

When I went to college, there were some textbooks that said to put an Exchange server in a DMZ. I often wondered why... Personally, I'd rather take the advice of a Microsoft Exchange MVP.


I hope this helps!