RE: PIX -> ISA -> OWA Configuration

["Ben Nagy" <ben () iagu net>]

OK, OK, OK.

I've just been slogging through some very very nasty Intel protected mode
architecture documentation, which may be making me tetchy, so apologies in
advance.

Don't get me wrong, I have read enough from both of you to know you have
bags full of clue, and I don't want this to come across ad hominem. However,
in the spirit of lively debate...

You're both crazy, and here's why. :P

1. You're assuming that ISA is more hackable than OWA. Last I checked OWA is
both a web application that takes user parameters and an application running
on top of IIS. If I had to place bets on which of those two boxes is going
to get hacked I will bet big on the OWA box. Assuming that the ISA box can
protect it from malicious web based traffic is whistling into the wind. The
one single port that you're leaving open is the exact same port that will be
carrying all of the attack traffic you're most worried about.

2. Besides, what's the impact if your ISA box gets hacked? You don't need to
give it _any_ access to the internal network (except for services other than
mail, which we're not really discussing).

Let's break it down.

ISA Box Owned
Scenario 1: No big deal
Scenario 2: No big deal

OWA Box Owned
Scenario 1: Hosed
Scenario 2: In big trouble, but not dead yet.

So your architecture can only be correct if the OWA box is _many_ times
harder to own in Scenario 1. The only security delta I can see is that
you're restricting a two stage attack (own ISA box, attack OWA box) to using
port 443 for the second stage. The direct attacks are unchanged. This is
not, IMO, sufficient security benefit. In fact, if it _really_ bothers you
then buy a $900 router and add another filter between ISA and OWA. Or
configure the IP filters on the OWA box. Buy Blink. Buy ZoneAlarm. Do
whatever.

Just don't give any hacker that finds a decent HTTP-tunneled command
execution bug in OWA a one shot kill.

Cheers,

ben


> -----Original Message-----
> From: Sanford Reed [mailto:sanford.reed () cox net] 
> Sent: Tuesday, May 03, 2005 4:35 PM
> To: 'Ben Nagy'; firewall-wizards () honor icsalabs com
> Subject: RE: [fw-wiz] PIX -> ISA -> OWA Configuration
>
> I hate to disagree but in 1 the [hackable box] is the ISA 
> Proxy which is
> 'protected' by the outer PIX. The 'pot-o-gold' as you put it 
> is behind the
> second PIX. Access to the internal network for this box is 
> very limited to
> only port 443.
>
> IN 2 you have out two MS boxes 'out there' for the Hackers to 
> get to and as
> Paul points out, having the [OWA] Server out there 'forces' 
> you to open many
> ports so that Active Directory can function. 
>
> I've tried it both ways and I strongly agreed with Paul AND 
> 9unfortunaly in
> this case) Microsoft 2 is a 'bad' choice due simply to the un-needed
> exposure of the additional ports by putting the [OWA] in the 'DMZ'. 
>
> Sanford Reed 
> (V) 757.406.7067
> -----Original Message-----
> From: firewall-wizards-admin () honor icsalabs com
> [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf 
> Of Ben Nagy
> Sent: Tuesday, May 03, 2005 7:54 AM
> To: firewall-wizards () honor icsalabs com
> Subject: RE: [fw-wiz] PIX -> ISA -> OWA Configuration
>
> Post order fixed, response inline.
>
> </whips out dusty cluestick...>
>
> > -----Original Message-----
> [Jason Gomes]
> [...]
> > What is the preferred placement for a OWA front-end server 
> > given these two possible network configurations and why?
> >
> > 1) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==> [PIX 
> > Firewall] <==> [OWA] <==> [Internal Net w/Exchange Svr]
> >
> > 2) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==> [OWA] 
> > <==> [PIX Firewall] <==> [Internal Net w/Exchange Svr]
>
> [Paul Melson at least has courage of his convictions]
> > #1, definitely. 
>
> Wow, this may be the first time I recall disagreeing with you, Paul...
>
> [Sanford Reed hides behind Microsoft documentation ;]
> > Per MS (Using Microsoft Exchange 2000 Front-End Servers.pdf - 
> > available from MS TechNet) it is configuration 1).
>
> Once again proving that while MS have made a lot of progress 
> in security
> some of their authors still have no idea what they are doing. 
> The problem is
> that people get too excited about their architecture diagrams.
>
> I always internally parse these diagrams as:
>
> [spaghetti] --> [hackable box] --> [pot of gold]
>
> In 1) there are no controls at all between the hackable box 
> and the pot of
> gold. In 2) there is.
>
> Once you simplify things the choice becomes obvious.
>
> But hey, you could throw another firewall into 2) if you 
> want. And maybe an
> IPS as well. A red one, even.
>
> Cheers,
>
> ben
>
> (reliving the glory days of "grumpy old man" responses)
>
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards