Re: [fw-wiz] Exchange 2003 OWA security questions
From: Darryl Luff (darryl_at_snakegully.nu)
To: MHawkins@TULLIB.COM
Date: Wed, 19 Jan 2005 22:50:34 +1100
>Hi guys and gals,
>We use CheckPoint/Nokia with multiple DMZ's including a web server farm DMZ.
>Our Microsoft admin wants to multihome an ISA server on our web dmz with the
>other NIC connected to our internal network to allow the ISA to talk to the
>internal MS OWA front end server which then talks to the exchange server
>(sheesh!). All this to allow users on the internet to access exchange via a
This sort of stuff is easier to fight if you have a strong, documented
architecture and security policy etc etc. You can point to your own
company's rules then. But it's obvious that more parallel paths into an
organisation = more possible ways of entry. By adding another path
you've doubled the chance that someone could get in one way or the other.
>I asked the MS admin to single home his ISA or forget about ISA altogether
>and just run a front end server in the web dmz. The idea of breaking our
>Checkpoint architecture with an ISA that multihomes between the internal
>network and our web dmz is just too much to ask a decent security admin
>don't you think. Now I need ammunition to press the point home.
Sorry, I haven't used ISA since it was Proxy Server 2, so I may have it
wrong. But if ISA is just proxying or port forwarding the connection to
the internal server, it's really not providing any security value. It's
still effectively plugging the incoming connection straight through to
the internal server. The only way I could see it being of value is if
it's doing a first-level authentication of connections before allowing
the connection through, and it has its own user database. At least then
it's protecting your corporate user accounts from brute force attacks.
But then people would need to authenticate twice to use it - once to ISA
and again to the internal server.
>A few questions:
>i) If any of you run an ISA for tunneling for the front end server I'd like
>to hear if you were able to do it using single homing (the doco says it's
>possible but not recommended and our MS admin says he can't get it to work).
I used the old MS Proxy 2 single homed, but was only using it as an
outgoing web proxy then.
>ii) Scrap the ISA server, I think the front end server should be on the web
>dmz. Does everyone agree with this? Yes, I know I have to open up all those
>nasty MS ports but at least I can restrict it to talking to the DC's and a
>few other boxes - those would be hardened machines anyways.
But this exposes your corporate user accounts on the DMZ.
firewall-wizards mailing list