Firewall Wizards mailing list archives
Re: Exchange 2003 OWA compromise reached
From: "Paul D. Robertson" <paul () compuwar net>
Date: Fri, 21 Jan 2005 15:48:50 -0500 (EST)
On Fri, 21 Jan 2005 MHawkins () TULLIB COM wrote:
The solution we have reached is this. Since we also want to move our ftp server onto a separate DMZ away from our web servers because ftp servers run a higher than average risk of compromise. We are going set up a new DMZ that is considered even less trusted than our existing web server dmz.
FTP servers seem to be the one place that MS has it over the competition, they seem to have had less bugs per implementation than anyone- especially once the user accounts are locked down.
Then, we will attach the Microsoft ISA server outside interface to the "VeryUntrustedDmz" and connect the ISA inside interface to the "NotParticularlyTrustedMuchWebDmz". The ISA server will then talk to the front end server that is located within our inside network.
I'd still worry some about folks dictionary attacking your user credentials, unless you're using strong one-time auth for those users.
So the Checkpoint firewall will be able to act like a dual firewall for the ISA server. Performance should not be a problem because webmail is not expected to be a high volume app for our user community anyway. Once again, thanks to you all for the help I received. The discussion was very heated at times but in the end the solution is satisfactory to me from a risk perspective and it also corrals the ISA server within the confines of the Checkpoint architecture.
I'd really be looking at IPSec to the Checkpoint. Paul ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions paul () compuwar net which may have no basis whatsoever in fact." _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Exchange 2003 OWA compromise reached MHawkins (Jan 21)
- Re: Exchange 2003 OWA compromise reached Paul D. Robertson (Jan 21)
- Re: Exchange 2003 OWA compromise reached Victor Williams (Jan 21)
- Re: Exchange 2003 OWA compromise reached Mark Tinberg (Jan 25)
- Re: Exchange 2003 OWA compromise reached Victor Williams (Jan 21)
- Re: Exchange 2003 OWA compromise reached Paul D. Robertson (Jan 21)