Look Ma, no data center

by Volker Weber

I have heard this Microsoft "push mail"* story often enough now. "You don't need to send your mails through an intermediary server." Of course you do. Your server is on a private network (at least I hope it is) and your handheld is on the operator's private network. If they want to talk to each other, they need somebody to call. The difference is: With a Blackberry, RIM operates this data center. With MS "push mail", your admins do it. They host a frontend server in your DMZ, and this server must be able to talk to your private net. Two questions:

  1. Do you allow a publicly accessible server in your DMZ to talk to your private network?
  2. Do you trust your administrators to secure a server more than you trust RIM's?

If you can answer both questions with "yes", you may consider Exchange "push mail". And you can do this of course if you are just running your Exchange server with direct access from the Internet.

*) I call it "push mail" instead of push mail, since the handheld polls your server for mail. At least every 20 minutes. And when it gets a new IP. And when it loses the connection.

2006-08-23 :: email :: twitter :: qr code

Comments

Well, it is not just about whether you trust your own admins more than RIMs. Most german enterprises have banned (or are about to ban) Blackberrys because they cannot control who accesses RIMs data centers. Just to mention the NSA, who does not only terror defense but a lot of other "research work" which might help to put the US industry into a front position in some cases.
Another side of this story is of course control of data flow in the operators networks - the same issue might occur here.
If you want to secure data - keep it in your brains.

Axel Koerv, 2006-08-23

1. yes. That's basic setup for 2tier apps, e.g. webserver in DMZ, database server internal, firewall in between. Even the Onebridge/ExtendedSystems/iAnywhere solution works that way.

2. of course! (I'm the admin :-)

Helmut Weiss, 2006-08-23

Most german enterprises have banned (or are about to ban)

Axel, that is a pretty bold claim. Can I have some numbers? Frankly, I find this hard to believe just by sampling the queue when boarding an aircraft. I know all the FUD around RIM's infrastructure. But all the research I have seen so far has proven it as what it is: Unsubstantiated FUD.

Volker Weber, 2006-08-23

See the url for something I wouldn't consider FUD.

If they use ImageMagick, they are by definition insecure.

And the answer to question 2) is yes by all means.
The answer to question 1) depends. I like to keep all email in the internal network and block any kind of forwarding, web-access and so on except for VPN for some trusted users.

But if there was strong demand for push mail, opening port 443 to the mobile network and establishing a stronger password policy for all users that use those Exchange-features like DirectPush, OWA and HTTPS-RPC would be the way to go.

Sad there's no way to block keyboard-logging internet cafes and other nightmares

Alexander Jakob, 2006-08-23

RIM is Canadain company no a US company... We don't have the NSA or anything like it

rob potvin, 2006-08-24

Old vowe.net archive pages

I explain difficult concepts in simple ways. For free, and for money. Clue procurement and bullshit detection.

vowe

Paypal vowe