View Poll Results: Do you use a separate Attachment Server?
Yes, and we plan to stay with this setup: 0 (0%)
Yes currently, but planning to move away from this setup: 0 (0%)
No, and we have no plans to change: 6 (75.00%)
Not currently, but planning to at a later date: 2 (25.00%)
Do you use a separate Attachment server?

10-07-2009, 09:01 AM
BES Administrator | Join Date: Jul 2009 | Location: Nowhere, USA | Posts: 46
One of the things InfoSec wants us to do is use a separate attachment server that is firewalled off. Looking at the RIM docs detailing the ports, I would need ports 1900 and 2000 open.
Any of you have a similar setup as described?

10-07-2009, 09:14 AM
Proprietor | Join Date: Nov 2008 | Location: Atlanta, GA | Posts: 2,032
RedHaz does, I believe (I'll wait for him to respond). When the weekly PDF vulnerability updates were being released, this made a lot of sense - update a few servers with minimal downtime impact rather than all BES servers with major downtime impact. Nevertheless, I think it really depends on your environment. If you have 20 BES servers and a lot of overhead and load from attachment processing, then it may be a good idea to spin up 4-5 attachment servers. If you have 1-4 BES servers, you're effectively doubling your Microsoft licensing costs (and possibly hardware costs if VMs aren't available) to not really accomplish much at all.
__________________
BCSA (4.1, 5.0) | BCSD (4.1, 5.0)
The views expressed by me on Port3101.org are my own and do not necessarily reflect the views of my employer.

10-07-2009, 12:14 PM
BES Administrator | Join Date: Jul 2009 | Location: Nowhere, USA | Posts: 46
It's all about security
Otto,
The InfoSec folks likely could care less about cost, they think it must be this way to be completely secure (separate and firewalled off allowing ports 1900 & 2000 back to the BES).
That said it would be VMware and we have an MS EA to cover OS costs.
But as you mention for some of our larger BES environments, one server would not be enough.
For their request of the router in the DMZ, and separate attachment server, it will add a minimum of 2 new boxes spun up in each environment... with some requiring more than that.
So far I haven't found (well besides cost and complexity) a compelling reason to give them to change their mind.

10-07-2009, 12:36 PM
Proprietor | Join Date: Nov 2008 | Location: Atlanta, GA | Posts: 2,032
What about a separate MDS-CS installation, as well? I'd think that a little less secure than the Attachment Service. Of course, I'm being sarcastic towards your InfoSec group (at the same time, thanking my stars that ours isn't like that... yet). I would ask them what security risk are you being presented with by NOT installing it separately. I can't think of a compelling reason for having it separately installed (from a security perspective, that is).
__________________
BCSA (4.1, 5.0) | BCSD (4.1, 5.0)
The views expressed by me on Port3101.org are my own and do not necessarily reflect the views of my employer.

10-07-2009, 01:31 PM
BES Administrator | Join Date: Jul 2009 | Location: Nowhere, USA | Posts: 46
On the MDS-CS, yes I thought of that, but I don't want to give them any ideas.
Although their original request was that all web browsing use the carrier browser, and not allow any web traffic back in at all, lots of groups have intranet sites they must get to, so that plan was scratched. But as you can see they were likely thinking about web browsing issues, so that request may indeed come. Currently though we do have the default browser set to MDS so it can hit our proxy and filter stuff.
But back on the router in DMZ and firewalled attachment server... On the router question.. If we have it setup to only allow outbound initiated connects to RIM's IPs on port 3101 only at the firewall, then how much more secure would putting it in the DMZ be? Wouldn't it require some theoretical exploit that included IP spoofing of RIM's IPs, and some yet unknown exploit of the router service? Let's just unplug everything and it will all be secure for sure.
And on the attachment server, as it only rendered select doc attachments, then we are down to the PDF type exploits like you mentioned. I dunno I'm still finding it hard to see a compelling reason for their setup, but also I can't find a good reason (again besides cost and complexity) to tell them no.
Last edited by Sp1d3rM@n; 10-07-2009 at 01:34 PM.

10-07-2009, 01:38 PM
Proprietor | Join Date: Nov 2008 | Location: Atlanta, GA | Posts: 2,032
I think you pretty much summarized the compelling argument against the separate Attachment Service with your compelling argument against the MDS-CS service - you're likely protected prior to that step in the message flow (I would hope). If you push all traffic through a secure proxy to protect yourself from web-based exploits, then do you not do the same with regards to scanning inbound corporate email prior to the attachment distillers (within the mail environment(s))? This is our argument against even applying the security updates (after the third of five or six, it really made no sense provided our mail filters already scanned for the vulnerabilities, which they do (detection was added at those levels automatically and much quicker than RIM's patch releases, mind you)).
__________________
BCSA (4.1, 5.0) | BCSD (4.1, 5.0)
The views expressed by me on Port3101.org are my own and do not necessarily reflect the views of my employer.

10-07-2009, 02:00 PM
BES Administrator | Join Date: Jul 2009 | Location: Nowhere, USA | Posts: 46
Yep, we definitely have protection at multiple levels... at the gateway, on each Exchange server, at the BES, etc. My question to them (with a smirk) was: Do you plan to completely firewall off each PC to this degree? Because there you have a much bigger chance of damage than from any theoretical exploit that specifically targets the BES.

10-07-2009, 02:21 PM
BES Administrator | Join Date: Jul 2009 | Location: Nowhere, USA | Posts: 46
On the router in the DMZ... Looks like we would have to have port 4101 open out to this router in the DMZ for least cost routing.
Most folks don't even know about this as they assume all traffic is wireless at all times (and they have unlimited wireless plans). Plus we don't typically deploy DTM out. But with all the needs for firmware upgrades and SMIME setups, the use for such things is increasing. So the question is, if we don't get port 4101 to the router in the DMZ opened, what else (besides least cost routing) breaks? It is the only thing mentioned in the docs, so hopefully it is the only issue. We still need things like wired activations after a firmware upgrade to be possible.

10-07-2009, 05:24 PM
BES Expert | Join Date: May 2009 | Location: Philadelphia, PA | Posts: 98
We have 18 servers in our 4.1 environment and as Otto said it's a pain in the ass every time a stupid patch is released. So in my 5.0 environment (which I am still in the process of building out) I'm using what I am referring to as COM servers (which will be VMs as well). Each one will have MDS-CS, Attachment and LCS. I'm not quite sure of the ratio yet, but I plan to have a total of 5 for 13K users, which I'm still not sure will be overkill or not enough (I tested with 1k users and 1 COM server and everything was good, but you never know in the real world: not everyone uses LCS on their BB, you don't download every attachment on your BB, etc).
My motivation is not performance as everyone seems to agree the difference of splitting these 3 things off is negligible. I am doing it for configuration and patching ease. So if I need to change a setting in MDS, or when we finally go to OCS from LCS or god forbid another PDF patch is released I only have 5 servers to change a setting on or reinstall (for the LCS to OCS).
__________________
Two months ago, I saw a provocative movie on cable TV. It was called The Net, with that girl from the bus.