Firewall Wizards mailing list archives
RE: PIX -> ISA -> OWA Configuration
From: "Sanford Reed" <sanford.reed () cox net>
Date: Tue, 3 May 2005 10:34:50 -0400
I hate to disagree, but in 1 the [hackable box] is the ISA Proxy, which is 'protected' by the outer PIX. The 'pot-o-gold', as you put it, is behind the second PIX. Access to the internal network for this box is very limited, to only port 443.

In 2 you have put two MS boxes 'out there' for the hackers to get to and, as Paul points out, having the [OWA] server out there 'forces' you to open many ports so that Active Directory can function.

I've tried it both ways and I strongly agree with Paul AND (unfortunately in this case) Microsoft: 2 is a 'bad' choice due simply to the un-needed exposure of the additional ports by putting the [OWA] in the 'DMZ'.

Sanford Reed
(V) 757.406.7067

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Ben Nagy
Sent: Tuesday, May 03, 2005 7:54 AM
To: firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] PIX -> ISA -> OWA Configuration

Post order fixed, response inline. </whips out dusty cluestick...>
-----Original Message-----
[Jason Gomes] [...]
What is the preferred placement for an OWA front-end server given these two possible network configurations, and why?

1) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==> [PIX Firewall] <==> [OWA] <==> [Internal Net w/Exchange Svr]

2) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==> [OWA] <==> [PIX Firewall] <==> [Internal Net w/Exchange Svr]
[Paul Melson at least has courage of his convictions]
#1, definitely.
Wow, this may be the first time I recall disagreeing with you, Paul... [Sanford Reed hides behind Microsoft documentation ;]
Per MS (Using Microsoft Exchange 2000 Front-End Servers.pdf - available from MS TechNet) it is configuration 1).
Once again proving that while MS have made a lot of progress in security, some of their authors still have no idea what they are doing.

The problem is that people get too excited about their architecture diagrams. I always internally parse these diagrams as:

[spaghetti] --> [hackable box] --> [pot of gold]

In 1) there are no controls at all between the hackable box and the pot of gold. In 2) there is. Once you simplify things the choice becomes obvious.

But hey, you could throw another firewall into 2) if you want. And maybe an IPS as well. A red one, even.

Cheers,
ben (reliving the glory days of "grumpy old man" responses)

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards