RE: Exchange 2003 OWA security questions

["Smith, Aaron" <SmithA () byui edu>]

> Our Microsoft admin wants to multihome an ISA server on our web dmz
with the
> other NIC connected to our internal network to allow the ISA to talk to
the
> internal MS OWA front end server which then talks to the exchange
server
> (sheesh!). All this to allow users on the internet to access exchange
via a
> web browser.
> I've read alot of the documentation on the whole Windows2003 Exchange
web
> pages solution and I think Microsoft is trying to bad mouth other
firewalls
> while touting their own proxy/packet firewall as good as or better than
> "the
> rest of the world". Problem is, checkpoint/Nokia is a far better
technical
> solution compared to MS ISA (MS bigots take a deep breath and count to
ten).

A MS consultant wanted to do the same thing here when our mail admins
upgraded the Exchange servers.  In his words, "a PIX is _only_ a layer 4
packet filter.  Sure it's fast, but it only filters up to layer 4."
Well, that's all it's marketed as, too!!  IMO, it's better to have a
fast, secure L4 filter than a slow, unsecured, buggy, bloated L7 filter.

> I asked the MS admin to single home his ISA or forget about ISA
altogether
> and just run a front end server in the web dmz. The idea of breaking
our
> Checkpoint architecture with an ISA that multihomes between the
internal
> network and our web dmz is just too much to ask a decent security admin
> don't you think. Now I need ammunition to press the point home.

After a few heated discussions and my insistence that we wouldn't be
replacing the PIX with ISA, the consultant decided not to install ISA.
My argument was that we only allow 1 point of entry into the
network--our firewall.  His rant was that ISA _is_ a firewall.
Whatever.

> i) If any of you run an ISA for tunneling for the front end server I'd
like
> to hear if you were able to do it using single homing (the doco says
it's
> possible but not recommended and our MS admin says he can't get it to
work.

Our guy said that ISA _requires_ 2 interfaces on different networks; it
won't do hairpinning.

> ii) Scrap the ISA server, I think the front end server should be on the
web
> dmz. Does everyone agree with this? Yes, I know I have to open up all
those
> nasty MS ports but atleast I can restrict it to talking to the DC's and
a
> few other boxes - those would be hardened machines anyways.

We opened up smtp, http, pop3, imap, and ms-exchange routing (tcp 691)
from the front-end DMZ box to the internal Exchange boxes, plus some
domain stuff.  Not pretty, but much prettier than trusting a MS box with
2 NICs.

> iii) I think the MS admin should just run a front end server internally
and
> also another front end server on the web dmz. That way, you can harden
the
> web dmz machine properly but don't have to worry about the one that's
only
> for internal use (ok not too much worry). Make sense?

Isn't that proper design, anyway?  Separate the Internet services from
the intranet services.

I had to fight long and hard to win this battle.  Ultimately, I think MS
is pushing their consultants to install ISA wherever they can.  In this
case, it only made the design more complex and less secure, yet he still
pushed to install it.  He was either trying to rack up the hours or he
drank an extra dose of ISAKoolaid that morning.  What we installed works
just fine without ISA cluttering up the picture.

@@ron Smith
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards