Firewall Wizards mailing list archives

RE: (no subject)


From: "Paul D. Robertson" <proberts () patriot net>
Date: Tue, 26 Nov 2002 08:01:00 -0500 (EST)

On Tue, 26 Nov 2002, Nieveler, Juergen wrote:

> As I might face a similar situation soon, how about this scenario:
>
> Put the OWA in the LAN, and a reverse Proxy (Squid preferred, but ISA-server
> if necessary) in the DMZ?
>
> After all, OWA should only need port 80 and/or 443, shouldn't it?

I'm completely against letting external users on to the internal network.  
Since most proxies don't do significant data inspection, and since most 
IIS and OWA issues in the past have been in-band attacks, I probably 
wouldn't go this route.  Something that requires strong authentication, 
such as a VPN server, and some form of compartmentalization is a good 
thing.  If I had to do it though, I'd choose different components- both 
because they wouldn't need to be hooked into my core infrastructure quite 
as well, and because I could then use an authentication infrastructure 
that had to do with a single e-mail account, and not every resource that 
particular user has access to.  

I think OWA has *way* too much baggage associated with it on the server, 
requires too much trust into the authentication infrastructure, and is too 
difficult to protect.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

