RE: [fw-wiz] PIX -> ISA -> OWA Configuration
From: Ben Nagy (ben_at_iagu.net)
Date: 05/03/05
- Previous message: Kevin Sheldrake: "Re: [fw-wiz] Hopefully not too OT"
- In reply to: Sanford Reed: "RE: [fw-wiz] PIX -> ISA -> OWA Configuration"
- Next in thread: Sanford Reed: "RE: [fw-wiz] PIX -> ISA -> OWA Configuration"
- Reply: Sanford Reed: "RE: [fw-wiz] PIX -> ISA -> OWA Configuration"
- Reply: Mark Tinberg: "RE: [fw-wiz] PIX -> ISA -> OWA Configuration"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <firewall-wizards@honor.icsalabs.com>
Date: Tue, 3 May 2005 14:54:11 +0200
Post order fixed, response inline.
</whips out dusty cluestick...>
> -----Original Message-----
[Jason Gomes]
[...]
>
> What is the preferred placement for an OWA front-end server
> given these two possible network configurations and why?
>
> 1) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==> [PIX
> Firewall] <==> [OWA] <==> [Internal Net w/Exchange Svr]
>
> 2) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==> [OWA]
> <==> [PIX Firewall] <==> [Internal Net w/Exchange Svr]
[Paul Melson at least has courage of his convictions]
> #1, definitely.
Wow, this may be the first time I recall disagreeing with you, Paul...
[Sanford Reed hides behind Microsoft documentation ;]
> Per MS (Using Microsoft Exchange 2000 Front-End Servers.pdf -
> available from MS TechNet) it is configuration 1).
Once again proving that while MS have made a lot of progress in security,
some of their authors still have no idea what they are doing. The problem is
that people get too excited about their architecture diagrams.
I always internally parse these diagrams as:
[spaghetti] --> [hackable box] --> [pot of gold]
In 1) there are no controls at all between the hackable box and the pot of
gold. In 2) there is.
Once you simplify things the choice becomes obvious.
But hey, you could throw another firewall into 2) if you want. And maybe an
IPS as well. A red one, even.
Cheers,
ben
(reliving the glory days of "grumpy old man" responses)
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards