Re: [fw-wiz] Exchange 2003 OWA compromise reached
From: Mark Tinberg (mtinberg_at_securepipe.com)
Date: 01/24/05
- Previous message: Greymagick: "[fw-wiz] Double firewall setup (long)"
- In reply to: Victor Williams: "Re: [fw-wiz] Exchange 2003 OWA compromise reached"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Victor Williams <vbwilliams@neb.rr.com> Date: Mon, 24 Jan 2005 12:37:22 -0600 (CST)
On Fri, 21 Jan 2005, Victor Williams wrote:
> My question basically revolves around why all this is necessary just to access
> webmail.
That's a question that doesn't seem to be asked as often as necessary.
It's quite likely, however, that the answer will be that they want not only
webmail, but calendaring as well to be available to road-warriors. I
don't know of any software that will get mail and calendar via a web
interface to an MS Exchange box except for MS OWA.
If you can get the requirements to not include calendaring, etc. then any
webmail software would work over IMAP and SMTP to the Exchange box, which
is much easier to filter and inspect. You would also have your choice of
OS platform to run the internet-facing components on, which can be a big
win.
IMHO businesses often have BS "requirements" that dictate one vendor or
implementation over another where the actual business requirements would
allow for a much wider field of competition.
> Doesn't make a lot of sense to me. I've never understood passing
> traffic through 17 different media and calling it secure. The worst
> configured device in the mix kind of negates all that work you did to the
> other 16.
It's called damage control 8^) Many organizations have invested in MS
Exchange from way back, and they aren't about to rip out their
infrastructure to put in something else, even if it is better across the
board. For OWA it is better to at least put in some authentication in
front of it (a VPN or even an authenticating proxy) so that the next
random OWA or IIS worm doesn't get it.
> To me, this is obscurity and just breeds confusion for the admins.
> ISA server is nothing but a proxy. It's not needed with OWA at all if another
> firewall already exists.
I believe the one plus point for MS ISA is that it has stateful filtering
for MS-RPC traffic, something that not all the firewall vendors have. I
don't know how much protocol inspection it does, but it does keep you from
having to completely wide-open the packet filter. This obviously doesn't
protect you from RPC exploits but at least the traffic does have to look
like RPC rather than, for example, VNC.
--
Mark Tinberg <MTinberg@securepipe.com>
Network Administrator, SecurePipe Inc.
Key fingerprint = FAEF 15E4 FEB3 08E8 66D5 A1A1 16EE C5E4 E523 6C67
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
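The "authenticating proxy in front of OWA" arrangement Mark describes, as an added example that is not part of the original thread: an Apache httpd 2.4 reverse proxy that refuses to forward anything to the Exchange front-end until the client has authenticated to the proxy itself. The host names, certificate paths, the htpasswd file and the OWA 2003 virtual directories (/exchange, /exchweb, /public) are assumptions for illustration.

```apache
# Added example, not the list's or Microsoft's configuration.
# Assumed: OWA front-end at https://owa.internal.example/, gateway
# credentials in /etc/httpd/owa-users (htpasswd format), Apache 2.4 with
# mod_ssl, mod_proxy, mod_proxy_http, mod_headers and mod_auth_basic loaded.
<VirtualHost *:443>
    ServerName webmail.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/webmail.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/webmail.example.com.key

    ProxyRequests  Off      # reverse proxy only; never act as an open forward proxy
    SSLProxyEngine On       # talk TLS to the Exchange front-end as well

    # Default posture: nothing on this host is reachable. Only the OWA
    # directories opened below are ever forwarded, so a worm probing random
    # IIS paths (/scripts, /_vti_bin, ...) gets 403 from the proxy, not IIS.
    <Location "/">
        Require all denied
    </Location>

    # Every OWA path needs gateway credentials before IIS sees a single request.
    # Later sections replace the Require above (AuthMerging is Off by default).
    <LocationMatch "^/(exchange|exchweb|public)(/|$)">
        AuthType Basic
        AuthName "Webmail gateway"
        AuthUserFile /etc/httpd/owa-users
        Require valid-user
        # The gateway password is separate from the Windows password, so drop
        # the Authorization header after the proxy has checked it; OWA's own
        # forms-based logon then runs as usual behind the gate.
        RequestHeader unset Authorization
    </LocationMatch>

    ProxyPass        /exchange https://owa.internal.example/exchange
    ProxyPassReverse /exchange https://owa.internal.example/exchange
    ProxyPass        /exchweb  https://owa.internal.example/exchweb
    ProxyPassReverse /exchweb  https://owa.internal.example/exchweb
    ProxyPass        /public   https://owa.internal.example/public
    ProxyPassReverse /public   https://owa.internal.example/public
</VirtualHost>
```

Because the proxy answers unauthenticated requests itself, the Exchange box only ever sees traffic from clients that already hold a gateway account, which is the whole point of putting authentication in front of it.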