Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

Re: PIX -> ISA -> OWA Configuration

From: Jason Gomes <greyline () phreaker net>
Date: Tue, 03 May 2005 22:01:59 -1000
I totally agree with your assessment, however, my question is to determine the best theoretical placement for the back-end firewall no matter what type of firewall is used. If you had limited resources and were limited to using the devices outlined below, what would be your preferred network topology? 

Kevin wrote:

-----Original Message-----
What is the preferred placement for a OWA front-end server given these
two possible network configurations and why?

1) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==> [PIX Firewall]
<==> [OWA] <==> [Internal Net w/Exchange Svr]

2) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==> [OWA] <==>
[PIX Firewall] <==> [Internal Net w/Exchange Svr]



None of the above.  Use a second, different firewall to control the
Windows-protocol communication between the OWA server and your
internal trusted network, like so:

3) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==>
[OWA with Host-based IPS] <==> [Different Firewall] <==>
[Internal Exchange Svr with Host-based IPS]

In this scenario, any one element in the path can be vulnerable
at any moment in time and the internal resources remain protected.

Of course the next question is if you are going to this extreme,
why involve the Microsoft ISA proxy at all?  Why not just replace
the " [PIX Firewall] <==> [ISA Proxy] <==>" part of the chain
with a more complex firewall capable of handling the combined
tasks of SSL acceleration and URL filtering?


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Previous By Date Next
Previous By Thread Next

Current thread: