Re: [fw-wiz] Exchange 2003 OWA security questions

From: Darryl Luff (darryl_at_snakegully.nu)
Date: 01/19/05

    To: MHawkins@TULLIB.COM
    Date: Wed, 19 Jan 2005 22:50:34 +1100
    
    

    MHawkins@TULLIB.COM wrote:

    >Hi guys and gals,
    >
    >We use CheckPoint/Nokia with multiple DMZs including a web server farm DMZ.
    >
    >
    >Our Microsoft admin wants to multihome an ISA server on our web dmz with the
    >other NIC connected to our internal network to allow the ISA to talk to the
    >internal MS OWA front end server which then talks to the exchange server
    >(sheesh!). All this to allow users on the internet to access exchange via a
    >web browser.
    >
    >
    >
    This sort of stuff is easier to fight if you have a strong, documented
    architecture and security policy etc etc. You can point to your own
    company's rules then. But it's obvious that more parallel paths into an
    organisation = more possible ways of entry. By adding another path
    you've doubled the chance that someone could get in one way or the other.

    >...
    >
    >I asked the MS admin to single home his ISA or forget about ISA altogether
    >and just run a front end server in the web dmz. The idea of breaking our
    >Checkpoint architecture with an ISA that multihomes between the internal
    >network and our web dmz is just too much to ask a decent security admin
    >don't you think. Now I need ammunition to press the point home.
    >
    >
    Sorry, I haven't used ISA since it was Proxy Server 2, so I may have it
    wrong. But if ISA is just proxying or port forwarding the connection to
    the internal server, it's really not providing any security value. It's
    still effectively plugging the incoming connection straight through to
    the internal server. The only way I could see it being of value is if
    it's doing a first level authentication of connections before allowing
    the connection through, and it has its own user database. At least then
    it's protecting your corporate user accounts from brute force attacks.
    But then people would need to authenticate twice to use it - once to ISA
    and again to the internal server.

    >A few questions:
    >
    >i) If any of you run an ISA for tunneling for the front end server I'd like
    >to hear if you were able to do it using single homing (the doco says it's
    >possible but not recommended and our MS admin says he can't get it to work).
    >
    >
    I used the old MS Proxy 2 single homed, but was only using it as an
    outgoing web proxy then.

    >ii) Scrap the ISA server, I think the front end server should be on the web
    >dmz. Does everyone agree with this? Yes, I know I have to open up all those
    >nasty MS ports but at least I can restrict it to talking to the DC's and a
    >few other boxes - those would be hardened machines anyways.
    >
    >
    But this exposes your corporate user accounts on the DMZ.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
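An added example to illustrate the point made in the reply above about when a perimeter proxy actually earns its keep. This is not code from the thread, from ISA Server or from OWA; it is a toy model with two modes: a plain pass-through proxy, which forwards every request to the internal front end so every password guess is tried against the corporate directory, and a pre-authenticating proxy that checks its own user database (PBKDF2 hashes) and locks a source out after a few failures before anything is forwarded. The legitimate user pays the cost the reply mentions: one credential for the proxy (sent as Proxy-Authorization) and a separate one for the internal server (Authorization). All hosts, users, passwords and IP addresses are constructed for the example.

```python
"""Toy model of a pass-through proxy vs. a pre-authenticating proxy in front
of an internal web front end. Constructed example; nothing here models a
real ISA Server or Exchange OWA implementation."""
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass, field

KDF_ROUNDS = 100_000


def _basic(user, password):
    """Build an HTTP Basic credential value (constructed request helper)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def _parse_basic(value):
    """Return (user, password) from a Basic credential, or None if malformed."""
    if not value or not value.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(value[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, password


@dataclass
class InternalOWA:
    """Stand-in for the internal front end that checks corporate accounts."""
    directory: dict          # user -> password; constructed, stands in for the domain
    attempts_seen: int = 0   # credential checks that reached the corporate directory

    def handle(self, headers):
        creds = _parse_basic(headers.get("Authorization"))
        self.attempts_seen += 1
        expected = self.directory.get(creds[0], "") if creds else ""
        if creds and hmac.compare_digest(expected.encode(), creds[1].encode()):
            return 200
        return 401


@dataclass
class ProxyGate:
    """Perimeter proxy. preauth=False is a plain pass-through; preauth=True
    authenticates against the proxy's own user DB before forwarding."""
    backend: InternalOWA
    preauth: bool
    lockout_after: int = 5
    users: dict = field(default_factory=dict)     # user -> (salt, pbkdf2 digest)
    failures: dict = field(default_factory=dict)  # source IP -> consecutive failures

    def add_user(self, user, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ROUNDS)
        self.users[user] = (salt, digest)

    def _local_ok(self, creds):
        if creds is None:
            return False
        # Unknown users still run the KDF, so timing does not reveal valid names.
        salt, digest = self.users.get(creds[0], (b"\0" * 16, b""))
        got = hashlib.pbkdf2_hmac("sha256", creds[1].encode(), salt, KDF_ROUNDS)
        return hmac.compare_digest(got, digest)

    def request(self, src_ip, headers):
        if not self.preauth:
            return self.backend.handle(headers)    # straight through: every guess hits the directory
        if self.failures.get(src_ip, 0) >= self.lockout_after:
            return 403                             # locked out at the edge; nothing forwarded
        if not self._local_ok(_parse_basic(headers.get("Proxy-Authorization"))):
            self.failures[src_ip] = self.failures.get(src_ip, 0) + 1
            return 407
        self.failures[src_ip] = 0
        return self.backend.handle(headers)        # second authentication happens inside


def simulate(preauth, guesses=20):
    """Brute-force 'alice' from one source, then one legitimate login from another."""
    owa = InternalOWA(directory={"alice": "Corp-Pass-1"})          # constructed
    gate = ProxyGate(backend=owa, preauth=preauth)
    gate.add_user("alice", "Proxy-Pass-2")   # separate credential in the proxy's own DB
    statuses = []
    for i in range(guesses):
        hdrs = {"Authorization": _basic("alice", f"guess{i}"),
                "Proxy-Authorization": _basic("alice", f"guess{i}")}
        statuses.append(gate.request("198.51.100.7", hdrs))
    good = {"Authorization": _basic("alice", "Corp-Pass-1"),
            "Proxy-Authorization": _basic("alice", "Proxy-Pass-2")}
    legit = gate.request("203.0.113.9", good)
    return {"reached_directory": owa.attempts_seen, "attacker": statuses, "legit": legit}


if __name__ == "__main__":
    for mode in (False, True):
        print("preauth" if mode else "pass-through", simulate(mode))
```

In pass-through mode all twenty guesses reach the corporate directory; in pre-authenticating mode the attacker gets five 407s, is then held at 403, and the directory only ever sees the one legitimate login. The lockout is per source address, which is deliberately simplistic: a distributed guess from many addresses would need a per-account counter as well, and that is exactly the kind of policy you would want documented before arguing about the box placement.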

