Re: [fw-wiz] Exchange 2003 OWA compromise reached

From: Paul D. Robertson
Date: 01/21/05

    To: MHawkins@TULLIB.COM
    Date: Fri, 21 Jan 2005 15:48:50 -0500 (EST)

    On Fri, 21 Jan 2005 MHawkins@TULLIB.COM wrote:

    > The solution we have reached is this.
    > Since we also want to move our ftp server onto a separate DMZ away from our
    > web servers because ftp servers run a higher than average risk of
    > compromise, we are going to set up a new DMZ that is considered even less
    > trusted than our existing web server dmz.

    FTP servers seem to be the one place that MS has it over the competition;
    they seem to have had fewer bugs per implementation than anyone, especially
    once the user accounts are locked down.

    > Then, we will attach the Microsoft ISA server outside interface to the
    > "VeryUntrustedDmz" and connect the ISA inside interface to the
    > "NotParticularlyTrustedMuchWebDmz". The ISA server will then talk to the
    > front end server that is located within our inside network.

    I'd still worry some about folks dictionary attacking your user
    credentials, unless you're using strong one-time auth for those users.

    > So the Checkpoint firewall will be able to act like a dual firewall for the
    > ISA server. Performance should not be a problem because webmail is not
    > expected to be a high volume app for our user community anyway.
    > Once again, thanks to you all for the help I received. The discussion was
    > very heated at times but in the end the solution is satisfactory to me from
    > a risk perspective and it also corrals the ISA server within the confines of
    > the Checkpoint architecture.

    I'd really be looking at IPSec to the Checkpoint.

    Paul D. Robertson "My statements in this message are personal opinions which may have no basis whatsoever in fact."
    firewall-wizards mailing list
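The concern raised above about dictionary attacks on OWA user credentials is something the web front end itself can surface, because every failed Basic-auth logon against the /exchange/ virtual directory lands in the IIS W3C log as a 401 with substatus 1. The following is an added example, not code from this thread or from any of the posters: it parses a constructed IIS 6.0 W3C extended log (the sample lines, hostnames, addresses and account names are all made up here) and flags any client address that accumulates a threshold of logon failures inside a sliding time window. The field layout follows the `#Fields:` directive in the sample, and the threshold and window values are assumptions to tune per environment.

```python
"""Flag password-guessing against an OWA front end from IIS W3C extended logs.

Added example; not part of the firewall-wizards thread. The log below is
constructed in the IIS 6.0 W3C format and does not reflect real traffic.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample. 401.2 is the initial Basic-auth challenge (no credential
# was presented); 401.1 is an actual logon failure, which is what we count.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2005-01-21 20:48:01 10.0.1.10 GET /exchange/ - 443 - 198.51.100.7 Mozilla/4.0+(compatible) 401 2 2148074254
2005-01-21 20:48:02 10.0.1.10 GET /exchange/ - 443 CORP\\alice 198.51.100.7 Mozilla/4.0+(compatible) 401 1 1326
2005-01-21 20:48:03 10.0.1.10 GET /exchange/ - 443 CORP\\bob 198.51.100.7 Mozilla/4.0+(compatible) 401 1 1326
2005-01-21 20:48:03 10.0.1.10 GET /exchange/ - 443 CORP\\carol 198.51.100.7 Mozilla/4.0+(compatible) 401 1 1326
2005-01-21 20:48:04 10.0.1.10 GET /exchange/ - 443 CORP\\dave 198.51.100.7 Mozilla/4.0+(compatible) 401 1 1326
2005-01-21 20:48:05 10.0.1.10 GET /exchange/ - 443 CORP\\erin 198.51.100.7 Mozilla/4.0+(compatible) 401 1 1326
2005-01-21 20:48:06 10.0.1.10 GET /exchange/ - 443 CORP\\frank 198.51.100.7 Mozilla/4.0+(compatible) 401 1 1326
2005-01-21 20:50:11 10.0.1.10 GET /exchange/ - 443 - 203.0.113.9 Mozilla/4.0+(compatible) 401 2 2148074254
2005-01-21 20:50:14 10.0.1.10 GET /exchange/ - 443 CORP\\jsmith 203.0.113.9 Mozilla/4.0+(compatible) 401 1 1326
2005-01-21 20:50:30 10.0.1.10 GET /exchange/ - 443 CORP\\jsmith 203.0.113.9 Mozilla/4.0+(compatible) 200 0 0
"""


def parse_w3c(text):
    """Parse IIS W3C extended log text into a list of dicts keyed by field name.

    IIS escapes spaces inside a field as '+', so whitespace splitting is safe.
    Directive lines start with '#'; only '#Fields:' carries the column layout.
    """
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # #Software, #Version, #Date: no data
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a malformed line rather than misalign columns
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                      "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def find_password_guessing(records, threshold=5, window=timedelta(minutes=5)):
    """Return {client_ip: summary} for clients whose 401.1 logon failures reach
    `threshold` inside any sliding `window`. Threshold/window are assumptions."""
    failures = defaultdict(list)
    for rec in records:
        if rec["sc-status"] == "401" and rec["sc-substatus"] == "1":
            failures[rec["c-ip"]].append(rec)

    flagged = {}
    for ip, recs in failures.items():
        recs.sort(key=lambda r: r["ts"])
        recent = deque()   # timestamps of failures inside the current window
        peak = 0
        for r in recs:
            recent.append(r["ts"])
            while recent[0] < r["ts"] - window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            names = sorted({r["cs-username"] for r in recs if r["cs-username"] != "-"})
            flagged[ip] = {"failures": len(recs),
                           "peak_in_window": peak,
                           "usernames": names}
    return flagged


if __name__ == "__main__":
    for ip, info in find_password_guessing(parse_w3c(SAMPLE_LOG)).items():
        print(f"{ip}: {info['failures']} logon failures, "
              f"{len(info['usernames'])} distinct accounts tried")
```

The distinct-username list is the useful discriminator: one address cycling through many accounts in seconds looks nothing like a single user mistyping a password, and a response such as a firewall block at the DMZ edge can be keyed on it rather than on the raw count alone. Note that once a reverse proxy such as ISA sits in front of the OWA front end, `c-ip` will show the proxy's address unless the proxy is configured to forward the original client address, so the check belongs wherever the real source address is still visible.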
