Firewall Wizards mailing list archives
Re: Single Exchange/OWA on LAN with Internet Access - a good
From: Julian M D <julianmd () gmail com>
Date: Tue, 22 Nov 2005 21:24:45 -0500
Makes sense. I have always said that you are as secured as your policies are. Right now, what it's really coming down to is how much exposure you'd like to have, taking a certain amount of risk. Can you find the balance?... well, you're that much secure. There's no cookbook for every instance of how to have a safe, reliable, scalable, redundant, and cheap solution for one's setup. Everything depends on the tolerance to the risk one is prepared to accept and deal with.

Thanks everyone for the input, sharing is knowledge, and knowledge is power....

Julian

On 11/22/05, Ravdal, Stig <SRavdal () quiznos com> wrote:

Hi Julian,

I think what you suggest is certainly an option. I have seen it done both this way and where the traffic goes to the LAN via the firewall. VPNs are sometimes terminated in this way. I believe that what you lose is the firewall "inspection" of the unencrypted traffic if the SSL connection is terminated on ISA. If you pass the traffic back through the firewall to the LAN then the firewall could potentially block something bad or log it - but it depends on the capabilities of your firewall. In some cases firewalls may not provide support for the twice-pass option. In the case of ISA acting as the proxy it is at least a firewall and is capable of performing some inspection. If all you have is a reverse-proxy and authentication you have created a bypass of the firewall at least for the allowable protocols, and to the firewall some traffic could be encrypted.

Thanks,
Stig

________________________________________
From: Julian M D [mailto:julianmd () gmail com]
Sent: Monday, November 21, 2005 7:27 PM
To: Matt Bazan
Cc: Ravdal, Stig; firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good

Instead of placing the ISA box in PIX's DMZ, create a second DMZ by placing ISA between the PIX's inside interface and the LAN, filtering the noise at the PIX level, and then just publish the Exchange services you need. You could always use the RADIUS with any kind of secondary authentication (RSA cips)

    -------------------
    |PIX        ---DMZ1
    |
    -------------------
           |
           |-DMZ2
           |
       ------------
       |ISA       |
       ------------
           |
           |
       |LAN
       |
       Exchange

Pros? Cons?

Thanks,

On 11/18/05, Matt Bazan <Mbazan () onelegal com> wrote:

OWA front ended by ISA 2003 is solid. Requires either port 80 or 443 or one/other depending on your requirements. Authentication is not handled by OWA box.

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Ravdal, Stig
Sent: Thursday, November 17, 2005 9:43 AM
To: Behm, Jeffrey L.; firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good

Thanks Jeff & others,

No I won't let the admins have their insecure way about things. What I struggle with from time to time is having logical and factual reasons why this or that is more or less secure. But I am starting to put together a list of issues from what I have seen in the archives and some of the responses I have heard thus far.

A new challenge with OWA on Windows 2003 is that you cannot lock down the ports that the front-end server needs to talk to the back-end system. I saw a different comment on the list suggesting that MS has done this to position ISA as the best (and only) solution for OWA in a DMZ - it is designed to "publish" MS products including MS CRM. We had another issue with that product and providing access to it via SSL-VPN where the pages broke because of mangled ActiveX or something to that effect - not very happy with MS approach to securing their products.

Here's what I have so far for good strong arguments & solutions:

From Paul:
- It's a Web authentication application (easy to attack - lots of tools)
- It uses the user's domain credentials (easy to escalate to more attacks)
- Both of these are simple to do from a computer that's untrustworthy

Jeff & Manuel:
- CipherTrust's IronWebMail front end (that sits in a DMZ) or other capable reverse proxy such as apache and do auth up-front there (combine that with Token and it's starting to get better).

Thanks guys,
Stig

-----Original Message-----
From: Behm, Jeffrey L. [mailto:BehmJL () bvsg com]
Sent: Thursday, November 17, 2005 10:32 AM
To: firewall-wizards () honor icsalabs com
Cc: Ravdal, Stig
Subject: RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good

The DMZ server (i.e. reverse proxy-type server) should be able to do more than just port filtering and *shouldn't* require all those ports to be open. It should be able to do various application level checks as well, before the request makes it into your network. Look at CipherTrust's IronWebMail front end (that sits in a DMZ) for example. It does more than just port filtering and doesn't require a ton of open ports through the firewall, just normal web traffic. Other "reverse-proxy" front ends should behave similarly, although perhaps not as robustly.

*DON'T* let your MS admins dictate the security of the network. If you do, you'd be better off to just put the exchange servers directly on the Internet ;-)... <sarcasm>It'd be just as secure, faster (due to no firewall latency), and fewer configuration issues.</sarcasm>

Jeff

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Ravdal, Stig
Sent: Thursday, November 17, 2005 9:50 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good

Hi everyone,

I hope that someone has been through this before and has some substantial arguments for/against:

Our MS admins are proposing to implement single OWA/Exchange servers on the LAN and allow access directly to the server through the firewall. The primary reason for doing it this way is to reduce the cost of the front-end server that would otherwise reside in a DMZ.

Their argument is that with OWA 2003 you have to have a bunch of ports open anyway, and so what is the reason to put a front end server in the DMZ - if that server were compromised they would practically have access to the network anyway. With the OWA/Exchange server inside the firewall, access from the Internet can be limited to 80 and/or 443 only.

My concern is that with the next OWA vulnerability someone will own the server in the DMZ through a single exploit. However, I cannot find anything that suggests that the front end server solution is really any more secure. Yeah it's another hop but it would be an easy one as soon as the front end server is compromised.

Thoughts?

Thanks,
Stig

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
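The reverse-proxy-in-the-DMZ design that Jeff and Stig describe above (authenticate up front, pass only normal web traffic, publish only the OWA paths) sketched as an Apache httpd 2.4 virtual host. This is an added example, not configuration from anyone in the thread; the hostnames, certificate paths, the LDAP bind account and the assumption that the back end exposes the standard OWA 2003 paths /exchange, /exchweb and /public are all placeholders.

```apache
# Added example: DMZ reverse proxy in front of an internal OWA server.
# Every hostname, path and credential below is a placeholder, not a value
# taken from the thread.
Listen 443
<VirtualHost *:443>
    ServerName owa.example.com

    # SSL terminates on the DMZ host, so the Internet-facing firewall rule
    # is a single port 443 to this box.
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/owa.example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/owa.example.com.key

    # Never act as an open forward proxy; only the explicit ProxyPass
    # rules below forward anything. SSLProxyEngine lets us re-encrypt
    # to the back end so the LAN leg is not cleartext.
    ProxyRequests   Off
    ProxyPreserveHost On
    SSLProxyEngine  On

    # Authentication happens here, before a request reaches the LAN.
    # The proxy checks the user against the directory (placeholder DN
    # and bind account); only an authenticated request is forwarded.
    <Location "/">
        AuthType Basic
        AuthName "Outlook Web Access"
        AuthBasicProvider ldap
        AuthLDAPURL "ldap://dc.internal.example.com/DC=example,DC=com?sAMAccountName?sub"
        AuthLDAPBindDN "CN=owa-proxy,OU=Service,DC=example,DC=com"
        AuthLDAPBindPassword "PLACEHOLDER-CHANGE-ME"
        Require valid-user
    </Location>

    # Publish only the OWA virtual directories. Anything outside these
    # paths is answered (and refused) by the proxy itself.
    ProxyPass        /exchange https://exchange.internal.example.com/exchange
    ProxyPassReverse /exchange https://exchange.internal.example.com/exchange
    ProxyPass        /exchweb  https://exchange.internal.example.com/exchweb
    ProxyPassReverse /exchweb  https://exchange.internal.example.com/exchweb
    ProxyPass        /public   https://exchange.internal.example.com/public
    ProxyPassReverse /public   https://exchange.internal.example.com/public

    # Deny every path that is not one of the published OWA paths, even
    # for authenticated users (this section replaces the Require above).
    <LocationMatch "^/(?!(exchange|exchweb|public)(/|$))">
        Require all denied
    </LocationMatch>
</VirtualHost>
```

With this in place the firewall only needs 443 from the Internet to the proxy and 443 from the proxy to the Exchange server; if that second leg is routed back through the firewall it also gives the "twice-pass" logging and blocking Stig mentions, at the cost that the proxy-to-back-end traffic is again encrypted and so opaque to the firewall.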