RE: Single Exchange/OWA on LAN with Internet Access - a good

["Kim, Cameron" <CKim () mdea com>]

If you go back a couple months, there should be a thread about FE/BE
design, particularly whether you would want to put an FE exchange server
in the DMZ or an ISA Server. That should provide you with some more
info.

Another idea is to put a ISA 2004 server in the DMZ (or if it is your
perimeter firewall), use it to terminate the OWA connection (preferrably
using SSL) and proxy the request back to the exchange server. Its safer
that just tunneling the connection through and you have a bit of
granular control.

Cameron Kim

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Ravdal,
Stig
Sent: Thursday, November 17, 2005 9:43 AM
To: Behm, Jeffrey L.; firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access -
a good

Thanks Jeff & others,

No I won't let the admins have their insecure way about things.  What I
struggle with from time to time is having logical and factual reasons
why this or that is more or less secure.  

But I am starting to put together a list of issues from what I have seen
in the archives and some of the responses I have heard thus far.

A new challenge with OWA on Windows 2003 is that you cannot lock down
the ports that the front-end server needs to talk to the back-end
system.  I saw a different comment on the list suggesting that MS has
done this to position ISA as the best (and only) solution for OWA in a
DMZ - it is designed to "publish" MS products including MS CRM.  We had
another issue with that product and providing access to it via SSL-VPN
where the pages broke because of mangled activeX or something to that
effect - not very happy with MS approach to securing their products.

Here's what I have so far for good strong arguments & solutions:

> From Paul:
- It's a Web authentication application (easy to attack- lots of tools)
- It uses the user's domain credentials (easy to escallate to more
  attacks)
- Both of these are simple to do from a computer that's untrustworthy

Jeff & Manuel:
- CipherTrust's IronWebMail front end (that sits in a DMZ) or other
capable reverse proxy such as apache and do auth up-front there (combine
that with Token and it's strating to get better).

Thanks guys,

Stig


-----Original Message-----
From: Behm, Jeffrey L. [mailto:BehmJL () bvsg com]
Sent: Thursday, November 17, 2005 10:32 AM
To: firewall-wizards () honor icsalabs com
Cc: Ravdal, Stig
Subject: RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access -
a good

The DMZ server (i.e. reverse proxy-type server) should be able to do
more than just port filtering and *shouldn't* require all those ports to
be open. It should be able to do various application level checks as
well, before the request makes it into your network.

Look at CipherTrust's IronWebMail front end (that sits in a DMZ) for
example. It does more than just port filtering and doesn't require a ton
of open ports through the firewall, just normal web traffic. Other
"reverse-proxy" front ends should behave similarly, although perhaps not
as robustly.

*DON'T* let your MS admins dictate the security of the network. If you
do, you'd be better off to just put the exchange servers directly on the
Internet ;-)... <sarcasm>It'd be just as secure, faster (due to no
firewall latency), and less configuration issues.</sarcasm>

Jeff

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Ravdal,
Stig
Sent: Thursday, November 17, 2005 9:50 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a
good

Hi everyone,

I hope that someone has been through this before and have some
substantial arguments for/against:

Our MS admins are proposing to implement single OWA/Exchange servers on
the LAN and allow access directly to the server through the firewall.
The primary reason for doing it this way is to reduce the cost of the
front-end server that would otherwise reside in a DMZ.   Their argument
is that with OWA 2003 you have to have a bunch of ports open anyway and
so what is the reason to put a front end server in the DMZ - if that
server were compromised they would practically have access to the
network anyway.  With the OWA/Exchange server inside the firewall access
from the Internet can be limited to 80 and/or 443 only.

My concern is that with the next OWA vulnerability someone will own the
server in the DMZ through a single exploit.  However, I cannot find
anything that suggests that the front end server solution is really any
more secure.  Yeah it's another hop but it would be an easy one as soon
as the front end server is compromised.

Thoughts?
 
Thanks,
 
Stig
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards