Firewall Wizards mailing list archives
RE: Single Exchange/OWA on LAN with Internet Access - a good
From: "Ravdal, Stig" <SRavdal () Quiznos com>
Date: Mon, 21 Nov 2005 08:36:28 -0700
Hi Patrick and thanks for your comments.

Our firewall is certainly more than a packet filter - we use the border router for basic packet filtering of bogus/spoofed traffic. The firewall we use is one of the market leaders and operates on layers 2-7, stateful and all that. However, I don't have enough hands-on experience with it to be confident about how well it does the upper layers, how many protocols and applications it supports and the depth of inspection.

Firewalls are certainly evolving beyond ports and addresses and we see more and more specialized firewalls (e.g. XML firewalls) that can do application inspection. Furthermore, the inline IPS devices in some cases are smart enough to know what hosts and vulnerabilities exist on the network and can respond accordingly. No, we're beyond packet filtering, ports and IP addresses at this point.

In this respect I believe that the ISA firewall acting as the front-end to OWA may do a better job, at least for OWA/Exchange. As you suggest, if you can address authentication (token/smart card/etc.) before hitting the OWA/Exchange box, then the hurdle to overcome is most likely so substantial that an attacker will go elsewhere and a script should fail. I think as long as there are several hurdles to tackle - defense in depth - it buys you time to detect what's going on in one of those systems before the compromise is complete or successful.

Cheers and thanks,
Stig

-----Original Message-----
From: Patrick M. Hausen [mailto:hausen () punkt de]
Sent: Monday, November 21, 2005 7:33 AM
To: Ravdal, Stig
Cc: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good

Hello!

Stig wrote:
> Our MS admins are proposing to implement single OWA/Exchange servers on the LAN and allow access directly to the server through the firewall.

IMHO this depends entirely on your definition of "firewall".

If the "firewall" in question is nothing more than a stupid packet filtering device, then your network will be at a big risk.

If the firewall can do things like control what happens inside the HTTP traffic for OWA, terminate SSL on the firewall for that purpose, provide strong token based authentication _before_ the connection even hits your exchange server ... then I'd say the benefits might outweigh the remaining risk.

Somehow most admins have been brainwashed to believe that "firewalls" are all about "port numbers". IMNSHO they are not. They are choke points for policy enforcement. And policy includes much more than just ports.

Regards,
HTH,

Patrick M. Hausen
Leiter Netzwerke und Sicherheit
--
punkt.de GmbH          Internet - Dienstleistungen - Beratung
Vorholzstr. 25         Tel. 0721 9109 -0   Fax: -100
76137 Karlsruhe        http://punkt.de
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
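The front-end pattern Patrick describes (authenticate the client and police the HTTP request before anything is forwarded to the OWA/Exchange box) can be sketched in a few dozen lines. The following is an added example written for this archive page; it is not code from the thread, from ISA Server or from Exchange. The session-token scheme, the `X-Session` header name, the published URL prefixes (`/owa/`, `/exchange/`, `/exchweb/`) and the sample requests are all assumptions made up for the illustration.

```python
"""
Added example (not from the thread): a minimal policy-enforcing front end
that authenticates the client and inspects the HTTP request *before* anything
reaches the Exchange/OWA server, i.e. a choke point for policy rather than a
port filter. Header name, URL prefixes, HMAC key and samples are assumptions.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import unquote

# Hypothetical key the front end uses to sign its own session tokens; in a
# real deployment a token is issued only after token/smart-card logon.
SESSION_KEY = b"example-front-end-session-key"
SESSION_HEADER = "X-Session"

# Assumed OWA namespace the front end publishes; everything else on the
# Exchange box (admin pages, WebDAV roots, ...) stays unreachable.
ALLOWED_PREFIXES = ("/owa/", "/exchange/", "/exchweb/")
ALLOWED_METHODS = {"GET", "POST"}   # no WebDAV verbs (PROPFIND, SEARCH, ...)
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]


def make_token(user: str) -> str:
    """Issue a session token after a successful logon at the front end."""
    mac = hmac.new(SESSION_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{mac}"


def verify_token(token: str) -> Optional[str]:
    """Return the user bound to a token, or None if it is missing or forged."""
    user, _, mac = token.rpartition(":")
    if not user or not mac:
        return None
    expected = hmac.new(SESSION_KEY, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(mac, expected) else None


def normalize_path(raw: str) -> Optional[str]:
    """Decode the path once; refuse anything still encoded (double encoding),
    containing NUL, or containing a '..' segment after decoding."""
    path = unquote(raw.split("?", 1)[0]).replace("\\", "/")
    if "%" in path or "\x00" in path or TRAVERSAL.search(path):
        return None
    # collapse repeated slashes so prefix matching cannot be bypassed
    return re.sub(r"/{2,}", "/", path)


def decide(req: Request) -> Tuple[bool, str]:
    """Pre-authentication plus HTTP inspection; only (True, ...) is forwarded."""
    user = verify_token(req.headers.get(SESSION_HEADER, ""))
    if user is None:
        return False, "no valid session: send to front-end logon page"
    if req.method.upper() not in ALLOWED_METHODS:
        return False, f"method {req.method} not permitted through front end"
    path = normalize_path(req.path)
    if path is None:
        return False, "malformed or traversal path rejected"
    if not path.lower().startswith(ALLOWED_PREFIXES):
        return False, f"path {path} outside published OWA namespace"
    return True, f"forward {req.method} {path} to Exchange as {user}"


# Constructed sample traffic, not captured from any real system.
SAMPLES = [
    Request("GET", "/owa/inbox", {SESSION_HEADER: make_token("alice")}),
    Request("GET", "/owa/inbox", {}),                               # no logon
    Request("GET", "/owa/inbox", {SESSION_HEADER: "alice:0000"}),   # forged
    Request("PROPFIND", "/exchange/alice/", {SESSION_HEADER: make_token("alice")}),
    Request("GET", "/owa/%2e%2e/winnt/system32/cmd.exe", {SESSION_HEADER: make_token("alice")}),
    Request("GET", "/owa/..%255c../secret", {SESSION_HEADER: make_token("alice")}),
    Request("GET", "/exadmin/", {SESSION_HEADER: make_token("alice")}),
]


def run_samples():
    return [decide(r) for r in SAMPLES]


if __name__ == "__main__":
    for req, (ok, why) in zip(SAMPLES, run_samples()):
        print(f"{'ALLOW' if ok else 'DENY ':5} {req.method:8} {req.path:40} {why}")
```

Only the first sample is forwarded; the rest are dropped at the front end, so the Exchange box never sees the unauthenticated, forged, WebDAV or encoded-traversal requests. TLS termination, which Patrick also mentions, is outside this sketch: the inspection above only works if the front end is the TLS endpoint and sees cleartext HTTP.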
Current thread:
- Re: Single Exchange/OWA on LAN with Internet Access - a good, (continued)
- Re: Single Exchange/OWA on LAN with Internet Access - a good Patrick M. Hausen (Nov 28)
- RE: Single Exchange/OWA on LAN with Internet Access - a good Thomas W Shinder (Nov 17)
- RE: Single Exchange/OWA on LAN with Internet Access - a good Paul Melson (Nov 21)
- RE: Single Exchange/OWA on LAN with Internet Access - a good Behm, Jeffrey L. (Nov 17)
- RE: Single Exchange/OWA on LAN with Internet Access - a good Ravdal, Stig (Nov 17)
- RE: Single Exchange/OWA on LAN with Internet Access - a good Kim, Cameron (Nov 21)
- RE: Single Exchange/OWA on LAN with Internet Access - a good Ravdal, Stig (Nov 21)
- RE: Single Exchange/OWA on LAN with Internet Access - a good Ravdal, Stig (Nov 21)
- RE: Single Exchange/OWA on LAN with Internet Access - a good Matt Bazan (Nov 21)
- Re: Single Exchange/OWA on LAN with Internet Access - a good Julian M D (Nov 28)
- RE: Single Exchange/OWA on LAN with Internet Access - a good Ravdal, Stig (Nov 28)
- Message not available
- RE: Single Exchange/OWA on LAN with Internet Access - a good Marcus J. Ranum (Nov 28)
- Message not available
- RE: Single Exchange/OWA on LAN with Internet Access - a good Ravdal, Stig (Nov 28)
- Re: Single Exchange/OWA on LAN with Internet Access - a good Julian M D (Nov 28)