Exchange 2003 OWA compromise reached

[MHawkins () TULLIB COM]

Thanks to all for your answers to my questions regarding Exchange 2003 OWA.

The solution we have reached is this.

Since we also want to move our ftp server onto a separate DMZ away from our
web servers because ftp servers run a higher than average risk of
compromise. We are going set up a new DMZ that is considered even less
trusted than our existing web server dmz.

Then, we will attach the Microsoft ISA server outside interface to the
"VeryUntrustedDmz" and connect the ISA inside interface to the
"NotParticularlyTrustedMuchWebDmz". The ISA server will then talk to the
front end server that is located within our inside network.

So the Checkpoint firewall will be able to act like a dual firewall for the
ISA server. Performance should not be a problem because webmail is not
expected to be a high volume app for our user community anyway.

Once again, thanks to you all for the help I received. The discussion was
very heated at times but in the end the solution is satisfactory to me from
a risk perspective and it also corrals the ISA server within the confines of
the Checkpoint architecture.

You all have a great weekend and final thanks,

Mike Hawkins

-----Original Message-----
From: Smith, Aaron [mailto:SmithA () byui edu]
Sent: Wednesday, January 19, 2005 12:32 PM
To: Hawkins, Michael; firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Exchange 2003 OWA security questions


> Our Microsoft admin wants to multihome an ISA server on our web dmz
with the
> other NIC connected to our internal network to allow the ISA to talk to
the
> internal MS OWA front end server which then talks to the exchange
server
> (sheesh!). All this to allow users on the internet to access exchange
via a
> web browser.
> I've read alot of the documentation on the whole Windows2003 Exchange
web
> pages solution and I think Microsoft is trying to bad mouth other
firewalls
> while touting their own proxy/packet firewall as good as or better than
> "the
> rest of the world". Problem is, checkpoint/Nokia is a far better
technical
> solution compared to MS ISA (MS bigots take a deep breath and count to
ten).

A MS consultant wanted to do the same thing here when our mail admins
upgraded the Exchange servers.  In his words, "a PIX is _only_ a layer 4
packet filter.  Sure it's fast, but it only filters up to layer 4."
Well, that's all it's marketed as, too!!  IMO, it's better to have a
fast, secure L4 filter than a slow, unsecured, buggy, bloated L7 filter.

> I asked the MS admin to single home his ISA or forget about ISA
altogether
> and just run a front end server in the web dmz. The idea of breaking
our
> Checkpoint architecture with an ISA that multihomes between the
internal
> network and our web dmz is just too much to ask a decent security admin
> don't you think. Now I need ammunition to press the point home.

After a few heated discussions and my insistence that we wouldn't be
replacing the PIX with ISA, the consultant decided not to install ISA.
My argument was that we only allow 1 point of entry into the
network--our firewall.  His rant was that ISA _is_ a firewall.
Whatever.

> i) If any of you run an ISA for tunneling for the front end server I'd
like
> to hear if you were able to do it using single homing (the doco says
it's
> possible but not recommended and our MS admin says he can't get it to
work.

Our guy said that ISA _requires_ 2 interfaces on different networks; it
won't do hairpinning.

> ii) Scrap the ISA server, I think the front end server should be on the
web
> dmz. Does everyone agree with this? Yes, I know I have to open up all
those
> nasty MS ports but atleast I can restrict it to talking to the DC's and
a
> few other boxes - those would be hardened machines anyways.

We opened up smtp, http, pop3, imap, and ms-exchange routing (tcp 691)
from the front-end DMZ box to the internal Exchange boxes, plus some
domain stuff.  Not pretty, but much prettier than trusting a MS box with
2 NICs.

> iii) I think the MS admin should just run a front end server internally
and
> also another front end server on the web dmz. That way, you can harden
the
> web dmz machine properly but don't have to worry about the one that's
only
> for internal use (ok not too much worry). Make sense?

Isn't that proper design, anyway?  Separate the Internet services from
the intranet services.

I had to fight long and hard to win this battle.  Ultimately, I think MS
is pushing their consultants to install ISA wherever they can.  In this
case, it only made the design more complex and less secure, yet he still
pushed to install it.  He was either trying to rack up the hours or he
drank an extra dose of ISAKoolaid that morning.  What we installed works
just fine without ISA cluttering up the picture.

@@ron Smith
"Disclaimer: This electronic mail is intended only for the use of the
addressee(s)named herein. Unless otherwise specifically stated, the views
contained and expressed in this electronic mail are strictly those of the
individual sender and are not the views of the Company or any of its
Directors or other employees. If you are not the intended recipient of this
electronic mail, you are hereby notified that any dissemination,
distribution or coping of this electronic mail is strictly prohibited. If
you received this electronic mail in error please immediately notify us by
return electronic mail and delete this electronic mail from your system."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards