RE: Single Exchange/OWA on LAN with Internet Access - a good

["Ravdal, Stig" <SRavdal () Quiznos com>]

Thanks Paul,

We do have an ISA server setup as a proxy for other purposes and I think
combining that with an ACS or other Radius solution and a token would be
a less risky front end server than OWA by itself.  So unless I hear
something else I think that is my best option at this point.

Thanks again for the comments and suggestsions.

Stig

-----Original Message-----
From: Paul Melson [mailto:pmelson () gmail com] 
Sent: Thursday, November 17, 2005 12:35 PM
To: 'Thomas W Shinder'; Ravdal, Stig;
firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access -
a good

-----Original Message-----
> Subject: RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access
- a
good
> Hi Stig,
>
> The front-end/back-end Exchange Server topology was *never* about
security, it was about 
> load balancing and routing.
>
> You can put the FE Exchange Server in a authenticated access DMZ, as
I've
done many times, 
> but there's no point to putting the FE Exchange Server in an anonymous
access DMZ.
> > -----Original Message-----
> > Subject: [fw-wiz] Single Exchange/OWA on LAN with Internet Access -
a
good
> > My concern is that with the next OWA vulnerability someone will own 
> > the server in the DMZ through a single exploit.  However, I cannot 
> > find anything that suggests that the front end server solution is 
> > really any more secure.  Yeah it's another hop but it would be an
easy 
> > one as soon as the front end server is compromised.


I agree w/ Dr. Tom on this.  The kind of stuff you have to open between
internal Exchange servers and AD domain controllers and the front-end
OWA
server makes the DMZ almost pointless.  You expose your internal network
so
much to the OWA front-end that if it's broken into, the other servers
will
fall quickly thereafter.  

A better solution, in my opinion (and I must say, I am surprised that
Tom
doesn't mention this) is to put ISA Server in the DMZ as a reverse
proxy.
At least this way you can offload SSL and authentication to the ISA
Server
in the DMZ and only open up 1 or 2 ports from it to the internal
network.
The other advantage is that you can use ISA Server's web publishing
rules to
restrict access to the OWA server's IIS instance to only the OWA
application, greatly reducing the attack surface of the OWA server.  (If
you
do this, it is worth noting that the default URLScan rules will break
OWA
2003.)

PaulM

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards