Firewall Wizards mailing list archives
Re: Exchange 2003 OWA security questions
From: Darryl Luff <darryl () snakegully nu>
Date: Wed, 19 Jan 2005 22:50:34 +1100
MHawkins () TULLIB COM wrote:

> Hi guys and gals,
>
> We use CheckPoint/Nokia with multiple DMZ's including a web server farm DMZ. Our Microsoft admin wants to multihome an ISA server on our web dmz with the other NIC connected to our internal network to allow the ISA to talk to the internal MS OWA front end server which then talks to the exchange server (sheesh!). All this to allow users on the internet to access exchange via a web browser.

Sorry, I haven't used ISA since it was Proxy Server 2, so I may have it wrong. But if ISA is just proxying or port forwarding the connection to the internal server, it's really not providing any security value. It's still effectively plugging the incoming connection straight through to the internal server. The only way I could see it being of value is if it's doing a first-level authentication of connections before allowing the connection through, and it has its own user database. At least then it's protecting your corporate user accounts from brute force attacks. But then people would need to authenticate twice to use it - once to ISA and again to the internal server....

> I asked the MS admin to single home his ISA or forget about ISA altogether and just run a front end server in the web dmz. The idea of breaking our Checkpoint architecture with an ISA that multihomes between the internal network and our web dmz is just too much to ask a decent security admin don't you think. Now I need ammunition to press the point home.

This sort of stuff is easier to fight if you have a strong, documented architecture and security policy etc etc. You can point to your own company's rules then. But it's obvious that more parallel paths into an organisation = more possible ways of entry. By adding another path you've doubled the chance that someone could get in one way or the other.

> A few questions:
>
> i) If any of you run an ISA for tunneling for the front end server I'd like to hear if you were able to do it using single homing (the doco says it's possible but not recommended and our MS admin says he can't get it to work).

I used the old MS Proxy 2 single homed, but was only using it as an outgoing web proxy then.

> ii) Scrap the ISA server, I think the front end server should be on the web dmz. Does everyone agree with this? Yes, I know I have to open up all those nasty MS ports but at least I can restrict it to talking to the DC's and a few other boxes - those would be hardened machines anyways.

But this exposes your corporate user accounts on the DMZ.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
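The thread's point is that a front end server (or a pass-through ISA) in the DMZ exposes the corporate user accounts to password guessing from the internet, so whoever runs it needs to see that guessing happening. The script below is an added example, not code from either poster or from Microsoft; it parses IIS W3C Extended log lines from an OWA front end and flags a source address that racks up repeated 401s on the OWA path inside a short window, and records whether that same source then got a 200. The log lines, the `/exchange` path, the field list and the threshold are all constructed assumptions for the example.

```python
"""Brute-force detection over IIS W3C log lines from an OWA front end.

Added example, not from the original thread. Assumes IIS W3C Extended logging
with the fields named in the #Fields: header below; the log lines are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # sliding window per source address
THRESHOLD = 5                    # 401s within WINDOW before we alert
OWA_PREFIX = "/exchange"         # Exchange 2003 OWA virtual directory (assumed)

# Constructed sample: one source hammering the logon and then succeeding,
# one normal user (the single 401 is just the auth challenge), and one
# request outside the OWA path that must be ignored.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2005-01-19 22:40:01 203.0.113.7 - GET /exchange/ 401
2005-01-19 22:40:03 203.0.113.7 - GET /exchange/ 401
2005-01-19 22:40:05 203.0.113.7 - GET /exchange/ 401
2005-01-19 22:40:07 203.0.113.7 - GET /exchange/ 401
2005-01-19 22:40:09 203.0.113.7 - GET /exchange/ 401
2005-01-19 22:40:12 203.0.113.7 CORP\\jsmith GET /exchange/ 200
2005-01-19 22:41:00 198.51.100.20 - GET /exchange/ 401
2005-01-19 22:41:30 198.51.100.20 CORP\\ajones GET /exchange/ 200
2005-01-19 22:42:00 192.0.2.9 - GET /exchweb/img/logo.gif 401
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue                       # other directives carry no data
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue                       # malformed line: skip, don't crash
        yield dict(zip(fields, values))


def detect_bruteforce(text, window=WINDOW, threshold=THRESHOLD):
    """Flag sources with >= threshold 401s on the OWA path inside one window.

    Returns a list of alert dicts sorted by source address. A 200 from a
    flagged source after its burst is stored in 'success_after'; that is the
    case worth paging on, since it looks like a guessed password rather than
    a locked-out account.
    """
    recent = defaultdict(deque)   # c-ip -> timestamps of 401s inside window
    alerts = {}                   # c-ip -> alert dict
    for row in parse_w3c(text):
        if not row["cs-uri-stem"].startswith(OWA_PREFIX):
            continue
        stamp = row["date"] + " " + row["time"]
        ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        ip = row["c-ip"]
        if row["sc-status"] == "401":
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:      # drop failures older than the window
                q.popleft()
            if ip in alerts:
                alerts[ip]["failures"] += 1
                alerts[ip]["last"] = stamp
            elif len(q) >= threshold:
                alerts[ip] = {"ip": ip, "failures": len(q),
                              "first": q[0].strftime("%Y-%m-%d %H:%M:%S"),
                              "last": stamp, "success_after": None}
        elif row["sc-status"] == "200" and ip in alerts:
            alerts[ip]["success_after"] = (stamp, row["cs-username"])
    return [alerts[ip] for ip in sorted(alerts)]


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the sample above only 203.0.113.7 is reported (five failures, then a 200 as CORP\jsmith). The threshold has to sit above the one or two 401s every legitimate logon produces, because with Basic or NTLM authentication IIS answers the first unauthenticated request with a 401 challenge before the client ever sends credentials; a threshold of one would flag every user.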