Re: [fw-wiz] Exchange 2003 OWA compromise reached

From: Victor Williams (vbwilliams_at_neb.rr.com)
Date: 01/21/05

    Date: Fri, 21 Jan 2005 15:45:40 -0600
    
    

    My question basically revolves around why all this is necessary just to access
    webmail. Doesn't make a lot of sense to me. I've never understood passing
    traffic through 17 different media and calling it secure. The worst configured
    device in the mix kind of negates all that work you did to the other 16. To me,
    this is obscurity and just breeds confusion for the admins. ISA server is
    nothing but a proxy. It's not needed with OWA at all if another firewall
    already exists.

    And it's not necessary to have more than one interface in that ISA server to
    make this whole deal work. If your firewall is worth the $, it should be able
    to do all this cross-zone/cross-subnet stuff you're trying to do.

    www.isaserver.org

    Paul D. Robertson wrote:

    > On Fri, 21 Jan 2005 MHawkins@TULLIB.COM wrote:
    >
    >
    >>The solution we have reached is this.
    >>
    >>Since we also want to move our ftp server onto a separate DMZ away from our
    >>web servers, because ftp servers run a higher than average risk of
    >>compromise, we are going to set up a new DMZ that is considered even less
    >>trusted than our existing web server dmz.
    >
    >
    > FTP servers seem to be the one place that MS has it over the competition;
    > they seem to have had fewer bugs per implementation than anyone, especially
    > once the user accounts are locked down.
    >
    >
    >>Then, we will attach the Microsoft ISA server outside interface to the
    >>"VeryUntrustedDmz" and connect the ISA inside interface to the
    >>"NotParticularlyTrustedMuchWebDmz". The ISA server will then talk to the
    >>front end server that is located within our inside network.
    >
    >
    > I'd still worry some about folks dictionary attacking your user
    > credentials, unless you're using strong one-time auth for those users.
    >
    >
    >>So the Checkpoint firewall will be able to act like a dual firewall for the
    >>ISA server. Performance should not be a problem because webmail is not
    >>expected to be a high volume app for our user community anyway.
    >>
    >>Once again, thanks to you all for the help I received. The discussion was
    >>very heated at times but in the end the solution is satisfactory to me from
    >>a risk perspective and it also corrals the ISA server within the confines of
    >>the Checkpoint architecture.
    >
    >
    > I'd really be looking at IPSec to the Checkpoint.
    >
    > Paul
    > -----------------------------------------------------------------------------
    > Paul D. Robertson "My statements in this message are personal opinions
    > paul@compuwar.net which may have no basis whatsoever in fact."
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    >

