Re: [fw-wiz] Exchange 2003 OWA security questions
From: Paul D. Robertson (paul_at_compuwar.net)
Date: 01/21/05
- Previous message: Crissup, John (MBNP is): "RE: [fw-wiz] PIX stateful failover and crossover cables"
- In reply to: Darryl Luff: "Re: [fw-wiz] Exchange 2003 OWA security questions"
- Next in thread: Shimon Silberschlag: "[fw-wiz] Multiple firewalls from different manufactureres"
- Reply: Shimon Silberschlag: "[fw-wiz] Multiple firewalls from different manufactureres"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Darryl Luff <darryl@snakegully.nu>
Date: Fri, 21 Jan 2005 15:42:03 -0500 (EST)
On Wed, 19 Jan 2005, Darryl Luff wrote:
> Sorry, I haven't used ISA since it was Proxy Server 2, so I may have it
[Note that I'm not defending ISA here]
Proxy Server was mostly a different beast, I wouldn't put much value in
statements comparing the two.
> wrong. But if ISA is just proxying or port forwarding the connection to
> the internal server, it's really not providing any security value. It's
> still effectively plugging the incoming connection straight through to
> the internal server. The only way I could see it being of value is if
> its doing a first level authentication of connections before allowing
> the connection through, and it has its own user database. At least then
> it's protecting your corporate user accounts from brute force attacks.
> But then people would need to authenticate twice to use it - once to ISA
> and again to the internal server.
That depends on how much is going on during the proxying- IMO (and I'm
certainly not an ISA expert, though I've dealt with them) ISA is better
for outbound proxying, given the socks-ish per-application stuff you can
do with it than it is for inbound proxying.
I certainly wouldn't put one out on the Internet on its own at this stage,
but that's mostly from general discomfort of how much "legacy" stuff ISA
seems to contain.
> I used the old MS Proxy 2 single homed, but was only using it as an
> outgoing web proxy then.
Still the best use for one IMO.
> >ii) Scrap the ISA server, I think the front end server should be on the web
> >dmz. Does everyone agree with this? Yes, I know I have to open up all those
> >nasty MS ports but at least I can restrict it to talking to the DC's and a
> >few other boxes - those would be hardened machines anyways.
> >
> >
> But this exposes your corporate user accounts on the DMZ.
I agree, this is a VPN solution looking to happen.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson
paul@compuwar.net
"My statements in this message are personal opinions which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
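The design the quoted text argues for, a perimeter proxy that authenticates against its own user database before anything is forwarded to the internal OWA server, sketched as an added example. This is illustration code written for this page, not ISA Server or anything from the thread participants; the lockout threshold, the internal URL, the sample account and the use of HTTP Basic credentials are all assumptions for the example.

```python
"""Pre-authenticating reverse proxy sketch (added example, not ISA code).

The perimeter gateway keeps ITS OWN credential store. A request is only
forwarded to the internal OWA server after perimeter credentials succeed,
so password guessing exhausts a perimeter lockout counter and never
touches the corporate (domain) accounts. The user then logs in a second
time on the inside, the double authentication the thread mentions.
All names, limits and sample users are assumptions for the example.
"""
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MAX_FAILURES = 5          # assumed perimeter lockout threshold
PBKDF2_ROUNDS = 50_000    # kept modest so the demo runs quickly
INTERNAL_OWA = "https://owa.internal"  # assumed back-end, never exposed directly


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def basic_request(user: str, password: str, path: str = "/exchange/") -> dict:
    """Build a constructed HTTP request dict carrying Basic credentials."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"path": path, "headers": {"Authorization": "Basic " + token}}


@dataclass
class Gateway:
    users: dict = field(default_factory=dict)      # name -> (salt, hash), perimeter only
    failures: dict = field(default_factory=dict)   # name -> consecutive failures
    forwarded: list = field(default_factory=list)  # requests that crossed to the inside

    def add_user(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[name] = (salt, _derive(password, salt))

    def handle(self, request: dict) -> dict:
        """Return 200 (forwarded), 401 (bad/missing creds) or 423 (locked)."""
        hdr = request.get("headers", {}).get("Authorization", "")
        if not hdr.startswith("Basic "):
            return {"status": 401, "reason": "perimeter credentials required"}
        try:
            user, _, pw = base64.b64decode(hdr[6:]).decode().partition(":")
        except ValueError:
            return {"status": 401, "reason": "malformed credentials"}
        if self.failures.get(user, 0) >= MAX_FAILURES:
            return {"status": 423, "reason": "perimeter lockout"}
        record = self.users.get(user)
        if record is None:
            _derive(pw, b"\x00" * 16)  # burn the same work for unknown users
            ok = False
        else:
            salt, stored = record
            ok = hmac.compare_digest(_derive(pw, salt), stored)
        if not ok:
            self.failures[user] = self.failures.get(user, 0) + 1
            return {"status": 401, "reason": "bad perimeter credentials"}
        self.failures[user] = 0
        # Only now does the request cross the DMZ boundary to the inside.
        self.forwarded.append((user, request["path"]))
        return {"status": 200, "forwarded_to": INTERNAL_OWA + request["path"]}


def brute_force_demo() -> dict:
    """Guess repeatedly at 'alice'; count what ever reaches the inside."""
    gw = Gateway()
    gw.add_user("alice", "correct horse battery staple")
    statuses = [gw.handle(basic_request("alice", f"guess{i}"))["status"]
                for i in range(MAX_FAILURES + 2)]
    # Even the right password is refused once the perimeter account is locked.
    late = gw.handle(basic_request("alice", "correct horse battery staple"))["status"]
    return {"statuses": statuses, "after_lockout": late, "reached_inside": len(gw.forwarded)}


if __name__ == "__main__":
    print(brute_force_demo())
```

The trade-off a practitioner should note: the counter protects the domain account, but an attacker who knows a username can lock that user out of the perimeter at will, so the lockout should be time-limited or paired with source throttling rather than permanent.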