Re: [fw-wiz] Exchange 2003 OWA compromise reached

From: Paul D. Robertson (paul_at_compuwar.net)
Date: 01/21/05

  • Next message: Victor Williams: "Re: [fw-wiz] Once again..appliance firewall input requested"
    To: MHawkins@TULLIB.COM
    Date: Fri, 21 Jan 2005 15:48:50 -0500 (EST)
    
    

    On Fri, 21 Jan 2005 MHawkins@TULLIB.COM wrote:

    > The solution we have reached is this.
    >
    > Since we also want to move our ftp server onto a separate DMZ away from our
    > web servers because ftp servers run a higher than average risk of
    > compromise. We are going set up a new DMZ that is considered even less
    > trusted than our existing web server dmz.

    FTP servers seem to be the one place that MS has it over the competition,
    they seem to have had less bugs per implementation than anyone- especially
    once the user accounts are locked down.

    > Then, we will attach the Microsoft ISA server outside interface to the
    > "VeryUntrustedDmz" and connect the ISA inside interface to the
    > "NotParticularlyTrustedMuchWebDmz". The ISA server will then talk to the
    > front end server that is located within our inside network.

    I'd still worry some about folks dictionary attacking your user
    credentials, unless you're using strong one-time auth for those users.

    > So the Checkpoint firewall will be able to act like a dual firewall for the
    > ISA server. Performance should not be a problem because webmail is not
    > expected to be a high volume app for our user community anyway.
    >
    > Once again, thanks to you all for the help I received. The discussion was
    > very heated at times but in the end the solution is satisfactory to me from
    > a risk perspective and it also corrals the ISA server within the confines of
    > the Checkpoint architecture.

    I'd really be looking at IPSec to the Checkpoint.

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    paul@compuwar.net which may have no basis whatsoever in fact."
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  • Next message: Victor Williams: "Re: [fw-wiz] Once again..appliance firewall input requested"