Firewall Wizards mailing list archives

Re: Exchange 2003 OWA compromise reached


From: "Paul D. Robertson" <paul () compuwar net>
Date: Fri, 21 Jan 2005 15:48:50 -0500 (EST)

On Fri, 21 Jan 2005 MHawkins () TULLIB COM wrote:

The solution we have reached is this.

Since we also want to move our ftp server onto a separate DMZ away from our
web servers because ftp servers run a higher than average risk of
compromise, we are going to set up a new DMZ that is considered even less
trusted than our existing web server DMZ.

FTP servers seem to be the one place that MS has it over the competition;
they seem to have had fewer bugs per implementation than anyone, especially
once the user accounts are locked down.

Then, we will attach the Microsoft ISA server outside interface to the
"VeryUntrustedDmz" and connect the ISA inside interface to the
"NotParticularlyTrustedMuchWebDmz". The ISA server will then talk to the
front end server that is located within our inside network.

I'd still worry some about folks dictionary attacking your user
credentials, unless you're using strong one-time auth for those users.

So the Checkpoint firewall will be able to act like a dual firewall for the
ISA server. Performance should not be a problem because webmail is not
expected to be a high volume app for our user community anyway.

Once again, thanks to you all for the help I received. The discussion was
very heated at times but in the end the solution is satisfactory to me from
a risk perspective and it also corrals the ISA server within the confines of
the Checkpoint architecture.

I'd really be looking at IPSec to the Checkpoint.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."