Firewall Wizards mailing list archives
RE: PIX -> ISA -> OWA Configuration
From: "Paul Melson" <psmelson () comcast net>
Date: Tue, 3 May 2005 09:06:34 -0400
Definitely. In #1, if the ISA server is configured via the OWA publishing wizard, it will create ACLs that prevent requests that don't match /exchange/* from being passed to IIS. You can also run urlscan at the ISA server (though it requires some tweaking to keep from breaking some of OWA's functionality).

In #2, the same thing applies, but should the ISA server be compromised, say via buffer overflow, then there is no protection for the internal AD domain, since those holes must be punched straight through the firewall (and they are BIG holes).

PaulM

-----Original Message-----
Subject: Re: [fw-wiz] PIX -> ISA -> OWA Configuration

Definitely? Under #1 it seems like something as simple as a directory traversal attack against IIS/OWA that manages to get through ISA leaves your entire internal network exposed. Under #2 it appears to me that an attacker would need at the very least a second exploit to gain further access to the trusted network.

-----Original Message-----

What is the preferred placement for an OWA front-end server given these two possible network configurations and why?

1) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==> [PIX Firewall] <==> [OWA] <==> [Internal Net w/Exchange Svr]

2) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==> [OWA] <==> [PIX Firewall] <==> [Internal Net w/Exchange Svr]
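An added illustration, not part of the original messages and not ISA Server's or urlscan's actual logic: a reverse-proxy path rule such as /exchange/* only constrains what reaches IIS if it is evaluated on the canonicalized path, which is the gap the directory traversal concern above points at. The function names and the sample request targets are constructed for this sketch.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

ALLOWED_PREFIX = "/exchange/"  # path pattern from the publishing rule discussed above


def naive_allowed(raw_target: str) -> bool:
    """Weak check: prefix match on the raw request target."""
    return raw_target.lower().startswith(ALLOWED_PREFIX)


def canonical_path(raw_target: str) -> Optional[str]:
    """Return the normalized path, or None when the target must be rejected."""
    path = raw_target.split("?", 1)[0].split("#", 1)[0]
    decoded = unquote(path)
    # Double encoding: a second decode pass must change nothing.
    if unquote(decoded) != decoded:
        return None
    # Backslashes, NUL bytes and bytes that are not valid UTF-8
    # (unquote turns those into U+FFFD) are refused outright.
    if any(ch in decoded for ch in ("\\", "\x00", "\ufffd")):
        return None
    if not decoded.startswith("/"):
        return None
    normalized = posixpath.normpath(decoded)  # resolves "." and ".." segments
    if decoded.endswith("/") and normalized != "/":
        normalized += "/"  # normpath drops the trailing slash
    return normalized


def strict_allowed(raw_target: str) -> bool:
    """Prefix match applied only after canonicalization."""
    path = canonical_path(raw_target)
    return path is not None and path.lower().startswith(ALLOWED_PREFIX)


if __name__ == "__main__":
    # Constructed request targets, not taken from the thread.
    samples = [
        "/exchange/jsmith/Inbox/?Cmd=contents",
        "/exchange/../scripts/app.dll",
        "/exchange/%2e%2e/scripts/app.dll",
        "/exchange/%252e%252e/scripts/app.dll",
        "/exchange/..\\scripts\\app.dll",
    ]
    for target in samples:
        print(f"{target!r}: naive={naive_allowed(target)} strict={strict_allowed(target)}")
```

The strict check also refuses a legitimate item name that contains an encoded percent sign, the kind of side effect behind the remark that such filtering needs tweaking to avoid breaking OWA.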