| Author | Messages | |
| rezuma (Posts: 136) | 07/16/2008 7:57 PM |
| Hi,
I am trying to decide how to set up MS Exchange 2003.
1st option is to put it in the internal network, with an internal IP address and do NAT for services like IMAP, SMTP and Webmail
2nd option is to put it in the DMZ, but for this it will need access to a GC and I don't want to put a DC in the DMZ, can I install an ADAM instead?
What is the preferred way of doing it?
Ramon
| | | |
| hcoleman (Posts: 134) | 07/16/2008 7:59 PM |
| Option 1
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ramon Linan Sent: Monday, June 09, 2008 2:14 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] MS EXCHANGE 2003 NAT VS DMZ
| | | |
| jw1 (Posts: 0) | 07/16/2008 7:59 PM |
| Well, I guess so.
My real-world take on it is, if you trust ISA/ Intrusion Prevention appliances/firewall with packet inspection/etc to do its job, then only valid requests are going to make it through to the DMZ box. It's not a simple port forward back into Exchange - there's a little more protection than that.
If you DON'T trust one of the above... then I guess it depends on your organization's policies. If someone goes to jail/prison when data security breaches happen - then never connect the thing directly or through a proxy for external access. If it's NOT that level of data protection, then document your config and your exposure and see if it's approved.
If you work for an organization where management can approve a security practice or exception, but still fire you/fine you/etc. if the data is compromised - find a new employer.
--James
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ramon Linan Sent: Monday, June 09, 2008 3:35 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] MS EXCHANGE 2003 NAT VS DMZ
Well, but if someone uses a vulnerability to break into MS Exchange (not the first time this has happened and not the last one), that person could get access to the Exchange server, which would be connected to the internal network, and attack it from there (DoS, etc).
But if it is in the DMZ all someone could break would be the Exchange server and any other server hosted in that DMZ.
Right?
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Kennedy, Jim Sent: Monday, June 09, 2008 4:18 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] MS EXCHANGE 2003 NAT VS DMZ
Never in the DMZ. Inside with a proxy server in the dmz, such as ISA, for outside traffic like webmail and imap.
| | | |
| nicolasblank (Posts: 20) | 07/16/2008 7:59 PM |
| Longish answer: Unless a box is truly disconnected, building anything that needs authentication and DC access into a DMZ is asking for a hiding.
It depends on how secure you want to go; I suggest you proxy all of these using ISA to a front-end farm. NLB or hardware-based load balancers do a really good job here. The "outside" should consist of either the ISA box listening on a public IP, or another firewall. Exchange FEs don't fit into a DMZ cleanly without AD - by definition that's not a DMZ.
Short answer - agree with Jim. Deployment guidance around this has been out for a while and is quite good. Suggest you buy an ISA box!
| | | |
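The trade-off Jim and Nicolas describe above (Exchange in the DMZ needs AD, so the inner firewall must open directory ports from an Internet-facing host; an ISA proxy in the DMZ needs only the mail ports to one inside host) can be made concrete with a small flow model. This is an added example written for this page, not code from the list or from any Microsoft or Cisco product; the host names, zones and port lists are constructed, and the AD port set is an illustrative subset of what Exchange 2003 actually needs toward a DC/GC.

```python
from collections import deque

# Constructed topology for the three designs discussed in the thread.
# Host names and the zone each sits in are labels chosen for this example.
ZONES = {
    "internet": "internet",
    "isa": "dmz",        # ISA proxy in the DMZ (Jim's / Nicolas's recommendation)
    "exch_dmz": "dmz",   # Exchange itself placed in the DMZ (Ramon's option 2)
    "exch": "internal",  # Exchange on the internal network
    "dc": "internal",    # domain controller / global catalog
}

# Ports Exchange 2003 needs toward a DC/GC (illustrative subset, not a complete list):
# Kerberos, RPC endpoint mapper, LDAP, SMB, global catalog LDAP.
AD_PORTS = (88, 135, 389, 445, 3268)
# Client-facing services the thread wants reachable from outside.
MAIL_PORTS = (25, 143, 443)

# A flow is (source host, destination host, TCP port) permitted by the firewall.
def design_nat():
    """Option 1: Exchange inside, ports NAT'd straight in from the Internet."""
    return ([("internet", "exch", p) for p in MAIL_PORTS]
            + [("exch", "dc", p) for p in AD_PORTS])

def design_exchange_in_dmz():
    """Option 2: Exchange in the DMZ; it still needs AD, so the DMZ must reach the DC."""
    return ([("internet", "exch_dmz", p) for p in MAIL_PORTS]
            + [("exch_dmz", "dc", p) for p in AD_PORTS])

def design_proxy_in_dmz():
    """Recommended: ISA in the DMZ terminates outside sessions, Exchange stays inside."""
    return ([("internet", "isa", p) for p in MAIL_PORTS]
            + [("isa", "exch", p) for p in MAIL_PORTS]
            + [("exch", "dc", p) for p in AD_PORTS])

def internet_facing(flows):
    """Hosts that accept connections directly from the Internet."""
    return {dst for src, dst, _ in flows if src == "internet"}

def perimeter_rules_from_exposed(flows):
    """Firewall rules that let an Internet-facing host cross into the internal zone.
    If that host is compromised, these are the rules the intruder inherits."""
    exposed = internet_facing(flows)
    return sorted(f for f in flows
                  if f[0] in exposed
                  and ZONES[f[0]] != "internal" and ZONES[f[1]] == "internal")

def hops_to(flows, target, start="internet"):
    """Shortest number of permitted connections from `start` to `target` (BFS)."""
    adj = {}
    for src, dst, _ in flows:
        adj.setdefault(src, set()).add(dst)
    dist, queue = {start: 0}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in adj.get(cur, ()):
            if nxt not in dist:
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    return dist.get(target)

def assess(flows):
    """Summarise a design: which zone is exposed, how many inner-firewall rules the
    exposed host can use, and how many hops separate the Internet from the DC."""
    return {
        "exposed_zones": {ZONES[h] for h in internet_facing(flows)},
        "perimeter_rules_from_exposed": len(perimeter_rules_from_exposed(flows)),
        "hops_to_dc": hops_to(flows, "dc"),
    }

if __name__ == "__main__":
    for name, build in [("NAT to inside", design_nat),
                        ("Exchange in DMZ", design_exchange_in_dmz),
                        ("ISA proxy in DMZ", design_proxy_in_dmz)]:
        print(f"{name:18} {assess(build())}")
```

Reading the three results together: the NAT design reports no inner-perimeter rules only because the exposed host already sits in the internal zone, which is Ramon's own worry; the Exchange-in-DMZ design has to open every AD port from an Internet-facing host into the internal zone, which is what Nicolas means by "by definition that's not a DMZ"; the proxy design exposes a host that needs just the three application ports to a single inside server, and that host is an inspecting proxy rather than a port forward. The model counts rules, not their weight: a directory port reachable from a compromised host is worth far more to an intruder than a proxied HTTPS port.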
| kevinbrunson (Posts: 75) | 07/16/2008 8:01 PM |
| That attack is probably a bad example, since in that link it tells how to use ISA server to prevent the attack.
If you are using a standard SPI firewall, then no, it probably won't be able to catch stuff like this. But if you are using a firewall that has the ability to filter at the application layer, then it will really help.
-----Original Message----- From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ramon Linan Sent: Monday, June 09, 2008 4:24 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] MS EXCHANGE 2003 NAT VS DMZ
You are saying that ISA or a PIX could be able to detect vulnerabilities like this?
http://www.microsoft.com/technet/security/Bulletin/MS06-019.mspx
I don’t think so.
-----Original Message----- From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Wells, James Arthur Sent: Monday, June 09, 2008 5:12 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] MS EXCHANGE 2003 NAT VS DMZ
No - there are plenty of solutions that know valid IMAP traffic from IMAP traffic trying to exploit a buffer exploit, for example.
The decision is whether or not to trust that solution.
--James
-----Original Message----- From: "Ramon Linan" <Ramon.Linan@gst.com> To: "ActiveDir@mail.activedir.org" <ActiveDir@mail.activedir.org> Sent: 6/9/08 3:58 PM Subject: RE: [ActiveDir] MS EXCHANGE 2003 NAT VS DMZ
If there is a vulnerability that exploits the IMAP port to take control over the machine, it does not matter if you put a firewall there or not, because the firewall is allowing traffic to that port, and anything that goes to that port is legal, right? So it is not a question of trusting CISCO PIX, ASA, etc.
List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx | | | |
| beads (Posts: 32) | 07/16/2008 8:01 PM |
| No, PIX/ASA would not pick up a malformed error, as the software is essentially the same for both without the add-on(s) the ASA provides. It's not their job(s) to do so, either. The IPS add-on would pick up on many of the malformed frame errors, but PIX/ASA is nothing more than a deep packet inspection firewall with NAT and some router capabilities. The TippingPoint series starts off as strictly an IPS but can be upgraded to include a firewall depending on the model.
There are certainly valid reasons to choose a dedicated DMZ model over simply connecting an Exchange box to the 'Net, but this is sounding more and more like a price consideration than anything else. Given this assumption you can use many routers for NAT and some basic firewalling in lieu of a dedicated FW solution, but it's rarely recommended, as it's bad network design. A router in front of an ISA box is yet another option for NAT/PAT and some protection, but as I said above not necessarily a very robust option at that.
The reasons are plentiful and have nothing to do with AD, but the prime example for including the FW and/or ISA box would be protection from MitM (Man in the Middle) attacks. It would be child's play to use tools like "Ettercap" to take over your session(s) and have my way with your network. The router wouldn't care - not its job. A deep inspection FW, and ISA to a lesser extent, would give you a great deal more protection in the long run.
Brent Eads Employee Technology Solutions, Inc.
"Wells, James Arthur" <jw1@bcm.tmc.edu> Sent by: ActiveDir-owner@mail.activedir.org 06/09/2008 04:33 PM Please respond to ActiveDir@mail.activedir.org
To <ActiveDir@mail.activedir.org> cc
Subject RE: [ActiveDir] MS EXCHANGE 2003 NAT VS DMZ
Maybe not those solutions (I honestly don't know), but there are some that can - see TippingPoint, for example. The vulnerability you referenced uses MALFORMED requests to trigger the buffer exploit. There are IPS systems that can tell the difference between malformed and valid requests.
Once you start adding features to a service that is eventually exposed to the Internet, security is suddenly no longer black and white.
There are choices to be made in how you will configure your environment to mitigate threats.
This isn't an Exchange or a data protection list, but we're still offering feedback based on our experience. If you don't like our answers, I suggest you try an Exchange or data protection/firewall community.
--James
Message scanned by TrendMicro
| | | |
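Kevin's and James's point above is that a port-based (SPI) firewall passes anything addressed to TCP 143, while an application-layer filter such as ISA or an IPS decodes the protocol and can reject requests that are not well-formed IMAP for the session's state. The following toy decoder, added here as an example and not taken from the list or from any ISA, TippingPoint or Cisco product, shows the principle on a handful of constructed command lines. Its limits and its simplified tag grammar are assumptions for the example; it models no specific vulnerability, and a real product adds signatures, stream reassembly and far richer protocol state.

```python
import re
from dataclasses import dataclass

# Limits are constructed for this example; a real protocol decoder is tuned per deployment.
MAX_LINE_LEN = 8192          # whole command line including CRLF
MAX_TAG_LEN = 32
MAX_LITERAL = 64 * 1024      # largest {n} literal a client may announce
MAX_ARGS = 64

# RFC 3501 states: only these commands are legal before LOGIN/AUTHENTICATE succeeds.
PRE_AUTH = {"CAPABILITY", "NOOP", "LOGOUT", "STARTTLS", "AUTHENTICATE", "LOGIN"}
POST_AUTH = PRE_AUTH | {
    "SELECT", "EXAMINE", "CREATE", "DELETE", "RENAME", "SUBSCRIBE", "UNSUBSCRIBE",
    "LIST", "LSUB", "STATUS", "APPEND", "CHECK", "CLOSE", "EXPUNGE", "SEARCH",
    "FETCH", "STORE", "COPY", "UID", "IDLE",
}

# Simplified tag syntax (RFC 3501 allows most printable characters except '+' and specials).
TAG_RE = re.compile(r"^[A-Za-z0-9!#$&'.,\-]+$")
LITERAL_RE = re.compile(r"\{(\d+)\+?\}$")   # {n} or {n+} literal announcement

@dataclass
class Verdict:
    allowed: bool
    reason: str

def inspect_imap_line(raw: bytes, authenticated: bool = False) -> Verdict:
    """Decide whether one client command line is well-formed IMAP for the session state.
    Splitting on SP ignores quoted-string rules; a production decoder parses those too."""
    if len(raw) > MAX_LINE_LEN:
        return Verdict(False, "line too long")
    if not raw.endswith(b"\r\n"):
        return Verdict(False, "missing CRLF terminator")
    body = raw[:-2]
    if any(b < 0x20 or b > 0x7E for b in body):
        return Verdict(False, "control or non-ASCII byte in command")
    parts = body.decode("ascii").split(" ")
    if len(parts) < 2 or "" in parts:
        return Verdict(False, "malformed command line (missing tag/command or stray space)")
    tag, cmd, args = parts[0], parts[1].upper(), parts[2:]
    if len(tag) > MAX_TAG_LEN or not TAG_RE.match(tag):
        return Verdict(False, "malformed tag")
    legal = POST_AUTH if authenticated else PRE_AUTH
    if cmd not in legal:
        return Verdict(False, f"command {cmd} not permitted in this state")
    if len(args) > MAX_ARGS:
        return Verdict(False, "too many arguments")
    for arg in args:
        m = LITERAL_RE.search(arg)
        if m and int(m.group(1)) > MAX_LITERAL:
            return Verdict(False, "literal size exceeds limit")
    return Verdict(True, "ok")

# Constructed sample traffic: (line, session already authenticated?)
SAMPLES = [
    (b"a001 CAPABILITY\r\n", False),
    (b"a002 LOGIN alice s3cret\r\n", False),
    (b"a003 FETCH 1:* (FLAGS)\r\n", False),        # mailbox command before login
    (b"a003 FETCH 1:* (FLAGS)\r\n", True),
    (b"a004 APPEND INBOX {999999999}\r\n", True),  # absurd literal announcement
    (b"a005 NOOP\x00\x01\r\n", False),             # control bytes in the command
    (b"a006 SELECT INBOX", True),                  # not CRLF-terminated
    (b"a007 SELECT  INBOX\r\n", True),             # doubled space
]

def run_samples():
    """Return [(line, allowed, reason)] for the constructed samples."""
    results = []
    for line, auth in SAMPLES:
        v = inspect_imap_line(line, auth)
        results.append((line, v.allowed, v.reason))
    return results

if __name__ == "__main__":
    for line, allowed, reason in run_samples():
        print(f"{'PASS' if allowed else 'DROP':4} {reason:55} {line!r}")
```

Every one of the dropped lines would sail through a firewall whose only rule is "permit tcp any host exchange eq 143", which is Ramon's objection; the decoder rejects them because it knows what a legal IMAP command looks like and which commands a not-yet-authenticated session may issue. That is the distinction between a port hole and a proxy that the thread keeps circling, and it is also why beads notes that a PIX/ASA without the IPS add-on does not do this.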
| rezuma (Posts: 136) | 07/16/2008 8:07 PM |
| Actually, I am really learning from your answers. I am sorry if it sounded like I was not happy with your answer; I was just trying to make sure I have an answer to the questions I am going to get asked.
I really appreciate your reply and sorry for the misunderstanding.
| | | |