Firewall Wizards mailing list archives

RE: Single Exchange/OWA on LAN with Internet Access - a good

From: "Paul Melson" <pmelson () gmail com>
Date: Thu, 17 Nov 2005 14:35:01 -0500

-----Original Message-----

Subject: RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a

good


Hi Stig,

The front-end/back-end Exchange Server topology was *never* about

security, it was about

load balancing and routing.

You can put the FE Exchange Server in a authenticated access DMZ, as I've

done many times,

but there's no point to putting the FE Exchange Server in an anonymous

access DMZ.

-----Original Message-----
Subject: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a

good


My concern is that with the next OWA vulnerability someone will own 
the server in the DMZ through a single exploit.  However, I cannot 
find anything that suggests that the front end server solution is 
really any more secure.  Yeah it's another hop but it would be an easy 
one as soon as the front end server is compromised.



I agree w/ Dr. Tom on this.  The kind of stuff you have to open between
internal Exchange servers and AD domain controllers and the front-end OWA
server makes the DMZ almost pointless.  You expose your internal network so
much to the OWA front-end that if it's broken into, the other servers will
fall quickly thereafter.  

A better solution, in my opinion (and I must say, I am surprised that Tom
doesn't mention this) is to put ISA Server in the DMZ as a reverse proxy.
At least this way you can offload SSL and authentication to the ISA Server
in the DMZ and only open up 1 or 2 ports from it to the internal network.
The other advantage is that you can use ISA Server's web publishing rules to
restrict access to the OWA server's IIS instance to only the OWA
application, greatly reducing the attack surface of the OWA server.  (If you
do this, it is worth noting that the default URLScan rules will break OWA
2003.)

PaulM

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Single Exchange/OWA on LAN with Internet Access - a good Ravdal, Stig (Nov 17)
- Re: Single Exchange/OWA on LAN with Internet Access - a good Paul D. Robertson (Nov 17)
- Re: Single Exchange/OWA on LAN with Internet Access - a good Patrick M. Hausen (Nov 28)
- <Possible follow-ups>
- RE: Single Exchange/OWA on LAN with Internet Access - a good Thomas W Shinder (Nov 17)
  - RE: Single Exchange/OWA on LAN with Internet Access - a good Paul Melson (Nov 21)
- RE: Single Exchange/OWA on LAN with Internet Access - a good Behm, Jeffrey L. (Nov 17)
- RE: Single Exchange/OWA on LAN with Internet Access - a good Ravdal, Stig (Nov 17)
- RE: Single Exchange/OWA on LAN with Internet Access - a good Kim, Cameron (Nov 21)
- RE: Single Exchange/OWA on LAN with Internet Access - a good Ravdal, Stig (Nov 21)
- RE: Single Exchange/OWA on LAN with Internet Access - a good Ravdal, Stig (Nov 21)
- RE: Single Exchange/OWA on LAN with Internet Access - a good Matt Bazan (Nov 21)
  - Re: Single Exchange/OWA on LAN with Internet Access - a good Julian M D (Nov 28)
- RE: Single Exchange/OWA on LAN with Internet Access - a good Ravdal, Stig (Nov 28)
  - Message not available
    - RE: Single Exchange/OWA on LAN with Internet Access - a good Marcus J. Ranum (Nov 28)
- RE: Single Exchange/OWA on LAN with Internet Access - a good Ravdal, Stig (Nov 28)

(Thread continues...)