RE: [fw-wiz] (no subject)
From: Paul D. Robertson (proberts@patriot.net)
Date: 11/26/02
- In reply to: Nieveler, Juergen: "RE: [fw-wiz] (no subject)"
From: "Paul D. Robertson" <proberts@patriot.net>
To: "Nieveler, Juergen" <Juergen.Nieveler@akzonobeldeco.de>
Date: Tue Nov 26 08:00:34 2002
On Tue, 26 Nov 2002, Nieveler, Juergen wrote:
> As I might face a similar situation soon, how about this scenario:
>
> Put the OWA in the LAN, and a reverse Proxy (Squid preferred, but ISA-server
> if necessary) in the DMZ?
>
> After all, OWA should only need port 80 and/or 443, shouldn't it?
I'm completely against letting external users on to the internal network.
Since most proxies don't do significant data inspection, and since most
IIS and OWA issues in the past have been in-band attacks, I probably
wouldn't go this route. Something that requires strong authentication,
such as a VPN server, and some form of compartmentalization is a good
thing. If I had to do it though, I'd choose different components - both
because they wouldn't need to be hooked into my core infrastructure quite
as well, and because I could then use an authentication infrastructure
that had to do with a single e-mail account, and not every resource that
particular user has access to.

I think OWA has *way* too much baggage associated with it on the server,
requires too much trust into the authentication infrastructure, and is too
difficult to protect.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@patriot.net which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation