Firewall Wizards mailing list archives

FW: PIX -> ISA -> OWA Configuration


From: "Paul Melson" <psmelson () comcast net>
Date: Tue, 3 May 2005 17:18:09 -0400

Responses in-line, BBS style (who's grumpy and old now?).

-----Original Message-----
Subject: RE: [fw-wiz] PIX -> ISA -> OWA Configuration

Post order fixed, response inline.

</whips out dusty cluestick...>

-----Original Message-----
[Jason Gomes]
[...]

What is the preferred placement for a OWA front-end server given 
these two possible network configurations and why?

1) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==> [PIX 
Firewall] <==> [OWA] <==> [Internal Net w/Exchange Svr]

2) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==> [OWA] <==> 
[PIX Firewall] <==> [Internal Net w/Exchange Svr]

[Paul Melson at least has courage of his convictions]
#1, definitely. 

Wow, this may be the first time I recall disagreeing with you, Paul...

[Sanford Reed hides behind Microsoft documentation ;]
Per MS (Using Microsoft Exchange 2000 Front-End Servers.pdf - 
available from MS TechNet) it is configuration 1).

Once again proving that while MS have made a lot of progress in 
security some of their authors still have no idea what they are doing. The
problem is that people get too excited about their architecture diagrams.

        I think maybe MS is finally eating their own dog food and understanding
        where the vulnerabilities are in their products.  Which is why I think
        some people on the list are having a hard time with this one.  See, those
        that lean toward #2 may not already understand that placing a firewall in
        between an OWA server and the rest of the AD/Exchange infrastructure is
        pointless.  If you didn't have that piece of information (and it's not in
        the product docs, at least not that bluntly), you would assume that the
        application flow was:

        [client] -> [proxy] -> [websrv] -> [db]

        When in reality, it is:

        [client] -> [proxy] -> [mess]

        
I always internally parse these diagrams as:

[spaghetti] --> [hackable box] --> [pot of gold]

In 1) there are no controls at all between the hackable box and the pot of
gold. In 2) there is.

        Correct logic applied to incorrect assumptions still yields incorrect
        results. :-)  You incorrectly assume that you can place controls between
        the hackable box and the pot of gold, when in fact the whole analogy is
        wrong in this case.  My analogy is that OWA, Exchange, and AD are
        conjoined triplets and they all share one liver.

        Because the OWA server must have Exchange installed on it and be a
        member of AD, it must also be able to initiate RPC, DNS, HTTP, LDAP,
        SMB/NetBIOS, and port ranges ad nauseam for DCOM to a variety of
        internal servers.  All you will gain from forcing this traffic through a
        firewall is a jaded view of Windows networking and a throbbing headache.
        Network security will not improve.

        So cut your losses, implement option #1 and enforce access controls
        where you can, between the possibly-vulnerable proxy server and the
        t0t4lly-pwn4bl3 web server.


But hey, you could throw another firewall into 2) if you want. And maybe
an IPS as well. A red one, even.

        Appliances make it all better, especially brightly colored ones with
        cool LED displays.  And don't forget to use the red cables so the bad
        packets know where to stay.

PaulM
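Added example (mine, not code from any poster in this thread): it makes the "conjoined triplets" argument quantitative by modelling the flows the OWA front-end must initiate toward the internal AD/Exchange servers (the list given above: RPC, DNS, HTTP, LDAP, SMB/NetBIOS, DCOM port ranges) and comparing the port exposure the inner firewall in option 2 would have to permit against the single HTTPS flow between the proxy and OWA that option 1 can actually control. The port numbers are the well-known Windows service ports; the DCOM/RPC dynamic range of 1024-65535 is an assumption for a Windows 2000/2003 host whose RPC port range has not been pinned down, and the PIX access-list lines are rendered in approximate PIX 6.x syntax for illustration only.

```python
"""Compare firewall port exposure for the two OWA placement options.

Added example, not part of the original post.  Port numbers are the
well-known Windows/Exchange service ports; the DCOM/RPC dynamic range is
an assumption (unrestricted Windows 2000/2003 default).
"""
from dataclasses import dataclass

PORT_SPACE = 65536  # ports 0..65535 per protocol


@dataclass(frozen=True)
class Flow:
    name: str
    proto: str  # "tcp" or "udp"
    lo: int     # first destination port
    hi: int     # last destination port (inclusive)


# Flows the OWA front-end must initiate to the internal AD/Exchange servers.
OWA_TO_INTERNAL = [
    Flow("RPC endpoint mapper", "tcp", 135, 135),
    Flow("DCOM/RPC dynamic range (assumed unrestricted)", "tcp", 1024, 65535),
    Flow("DNS", "udp", 53, 53),
    Flow("DNS (TCP fallback)", "tcp", 53, 53),
    Flow("HTTP to back-end Exchange", "tcp", 80, 80),
    Flow("LDAP", "tcp", 389, 389),
    Flow("LDAP global catalog", "tcp", 3268, 3268),
    Flow("Kerberos", "tcp", 88, 88),
    Flow("SMB", "tcp", 445, 445),
    Flow("NetBIOS session", "tcp", 139, 139),
    Flow("NetBIOS name/datagram", "udp", 137, 138),
]

# The only flow the reverse proxy (ISA) needs toward the OWA front-end.
PROXY_TO_OWA = [Flow("HTTPS", "tcp", 443, 443)]


def exposed_ports(flows, proto=None):
    """Count distinct (proto, port) pairs a firewall must permit for these flows.

    Overlapping ranges (e.g. 3268 inside 1024-65535) are counted once.
    """
    pairs = {
        (f.proto, p)
        for f in flows
        if proto is None or f.proto == proto
        for p in range(f.lo, f.hi + 1)
    }
    return len(pairs)


def open_fraction(flows, proto):
    """Fraction of one protocol's port space the rule set leaves open."""
    return exposed_ports(flows, proto) / PORT_SPACE


def is_effectively_permit_any(flows, proto="tcp", threshold=0.9):
    """A segment whose required rules open most of the port space gives no
    meaningful control; flag it so the review does not mistake it for one."""
    return open_fraction(flows, proto) >= threshold


def pix_rules(acl, src, dst, flows):
    """Render the flows as PIX 6.x-style access-list lines (syntax approximate)."""
    lines = []
    for f in flows:
        spec = f"eq {f.lo}" if f.lo == f.hi else f"range {f.lo} {f.hi}"
        lines.append(f"access-list {acl} permit {f.proto} host {src} host {dst} {spec}")
    return lines


if __name__ == "__main__":
    # Hypothetical addresses, constructed for the example.
    for label, flows in (("proxy -> OWA", PROXY_TO_OWA), ("OWA -> internal", OWA_TO_INTERNAL)):
        print(f"{label}: {exposed_ports(flows)} ports, "
              f"tcp space open {open_fraction(flows, 'tcp'):.1%}, "
              f"permit-any in effect: {is_effectively_permit_any(flows)}")
    for line in pix_rules("INSIDE", "10.0.1.10", "10.0.2.5", OWA_TO_INTERNAL):
        print(line)
```

The inner firewall in option 2 ends up permitting roughly 98% of the TCP port space toward the internal servers, which is the "pointless" control in the reply above; the proxy-to-OWA segment in option 1 needs a single port, so that is where a rule set still means something.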

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
