Firewall Wizards mailing list archives
FW: PIX -> ISA -> OWA Configuration
From: "Paul Melson" <psmelson () comcast net>
Date: Tue, 3 May 2005 17:18:09 -0400
Responses in-line, BBS style (who's grumpy and old now?).

-----Original Message-----
> Subject: RE: [fw-wiz] PIX -> ISA -> OWA Configuration
>
> Post order fixed, response inline. </whips out dusty cluestick...>
>
> -----Original Message-----
>
> [Jason Gomes]
> [...]
> What is the preferred placement for an OWA front-end server given these
> two possible network configurations and why?
>
> 1) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==> [PIX Firewall] <==> [OWA] <==> [Internal Net w/Exchange Svr]
>
> 2) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==> [OWA] <==> [PIX Firewall] <==> [Internal Net w/Exchange Svr]
>
> [Paul Melson at least has courage of his convictions]
> #1, definitely.
>
> Wow, this may be the first time I recall disagreeing with you, Paul...
>
> [Sanford Reed hides behind Microsoft documentation ;]
> Per MS (Using Microsoft Exchange 2000 Front-End Servers.pdf - available
> from MS TechNet) it is configuration 1).
>
> Once again proving that while MS have made a lot of progress in security
> some of their authors still have no idea what they are doing. The
> problem is that people get too excited about their architecture diagrams.

I think maybe MS is finally eating their own dog food and understanding
where the vulnerabilities are in their products. Which is why I think some
people on the list are having a hard time with this one. See, those that
lean toward #2 may not already understand that placing a firewall in
between an OWA server and the rest of the AD/Exchange infrastructure is
pointless. If you didn't have that piece of information (and it's not in
the product docs, at least not that bluntly), you would assume that the
application flow was:

[client] -> [proxy] -> [websrv] -> [db]

When in reality, it is:

[client] -> [proxy] -> [mess]

> I always internally parse these diagrams as:
>
> [spaghetti] --> [hackable box] --> [pot of gold]
>
> In 1) there are no controls at all between the hackable box and the pot
> of gold. In 2) there is.

Correct logic applied to incorrect assumptions still yields incorrect
results. :-) You incorrectly assume that you can place controls between
the hackable box and the pot of gold, when in fact the whole analogy is
wrong in this case. My analogy is that OWA, Exchange, and AD are conjoined
triplets and they all share one liver. Because the OWA server must have
Exchange installed on it and be a member of AD, it must also be able to
initiate RPC, DNS, HTTP, LDAP, SMB/NetBIOS, and port ranges ad nauseum for
DCOM to a variety of internal servers. All you will gain from forcing this
traffic through a firewall is a jaded view of Windows networking and a
throbbing headache. Network security will not improve. So cut your losses,
implement option #1 and enforce access controls where you can, between the
possibly-vulnerable proxy server and the t0t4lly-pwn4bl3 web server.

> But hey, you could throw another firewall into 2) if you want. And maybe
> an IPS as well. A red one, even.

Appliances make it all better, especially brightly colored ones with cool
LED displays. And don't forget to use the red cables so the bad packets
know where to stay.

PaulM

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
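As an added illustration, not part of Paul's post or of any message in the thread, the following Python model spells out the "port ranges ad nauseum" argument: it lists the flows an Exchange 2000 front-end (OWA) box has to be allowed toward domain controllers and back-end Exchange, renders them as PIX access-list lines, and compares how much of the TCP port space that leaves open with the single ISA -> OWA flow that option #1 filters. The protocol list, the unrestricted 1024-65535 dynamic RPC/DCOM range, the access-list name and the host addresses are assumptions made for the example. The `restrict_rpc` helper goes one step beyond the thread: it shows what the same ruleset looks like if the Windows host's dynamic RPC range is pinned down through the HKLM\Software\Microsoft\Rpc\Internet registry keys, which is the one knob that makes an option #2 firewall rule set narrower than "permit any".

```python
"""Model the OWA front-end -> internal flows from the thread and compare the
two firewall placements. Constructed example; the port list is an assumption
drawn from the protocols Paul names (RPC, DNS, HTTP, LDAP, SMB/NetBIOS,
DCOM), not a vendor-published requirement list."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    lo: int         # first destination port
    hi: int         # last destination port (inclusive)
    purpose: str


# Assumed flows from the front-end OWA server to the AD/Exchange back end.
OWA_TO_INTERNAL = [
    Flow("tcp", 135, 135, "RPC endpoint mapper"),
    Flow("tcp", 1024, 65535, "dynamic RPC/DCOM endpoints (assumed unrestricted)"),
    Flow("tcp", 389, 389, "LDAP to AD"),
    Flow("udp", 389, 389, "LDAP ping"),
    Flow("tcp", 3268, 3268, "LDAP to a Global Catalog"),
    Flow("tcp", 88, 88, "Kerberos"),
    Flow("udp", 88, 88, "Kerberos"),
    Flow("tcp", 53, 53, "DNS"),
    Flow("udp", 53, 53, "DNS"),
    Flow("tcp", 445, 445, "SMB"),
    Flow("tcp", 139, 139, "NetBIOS session"),
    Flow("udp", 137, 138, "NetBIOS name/datagram"),
    Flow("tcp", 80, 80, "HTTP to back-end Exchange (OWA proxying)"),
]

# The single flow option #1 has to permit between the ISA proxy and OWA.
PROXY_TO_OWA = [Flow("tcp", 443, 443, "HTTPS published via ISA")]

PORT_SPACE = 65535


def open_ports(flows, proto="tcp"):
    """Set of destination ports a firewall must permit for `proto`."""
    ports = set()
    for f in flows:
        if f.proto == proto:
            ports.update(range(f.lo, f.hi + 1))
    return ports


def exposure(flows, proto="tcp"):
    """Fraction of the port space left open once every flow is permitted."""
    return len(open_ports(flows, proto)) / PORT_SPACE


def restrict_rpc(flows, lo, hi):
    """Return the same flows with the dynamic RPC range narrowed to lo-hi,
    as a Windows host can be configured to do via the
    HKLM\\Software\\Microsoft\\Rpc\\Internet registry keys (assumed here)."""
    out = []
    for f in flows:
        if f.purpose.startswith("dynamic RPC"):
            out.append(Flow(f.proto, lo, hi, f"dynamic RPC restricted to {lo}-{hi}"))
        else:
            out.append(f)
    return out


def pix_acl(name, src, dst, flows):
    """Render the flows as PIX 6.x host-to-host access-list lines."""
    lines = []
    for f in flows:
        op = f"eq {f.lo}" if f.lo == f.hi else f"range {f.lo} {f.hi}"
        lines.append(f"access-list {name} permit {f.proto} host {src} host {dst} {op}")
    return lines


if __name__ == "__main__":
    # Addresses are placeholders for the example.
    owa, dc = "192.0.2.10", "10.0.0.5"
    print(f"option 1, proxy->OWA:     {exposure(PROXY_TO_OWA):.4%} of TCP ports open")
    print(f"option 2, OWA->internal:  {exposure(OWA_TO_INTERNAL):.4%} of TCP ports open")
    narrowed = restrict_rpc(OWA_TO_INTERNAL, 5000, 5100)
    print(f"option 2, RPC 5000-5100:  {exposure(narrowed):.4%} of TCP ports open")
    for line in pix_acl("owa_in", owa, dc, OWA_TO_INTERNAL):
        print(line)
```

With the dynamic range left at its default the option #2 ruleset permits roughly 98% of TCP destination ports from the OWA box to each internal host, which is the quantitative form of Paul's "network security will not improve"; narrowing RPC to a hundred-port window drops that below 0.2%, at the cost of touching the registry on every server the front end talks to.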