RE: [fw-wiz] PIX -> ISA -> OWA Configuration

From: Thomas W Shinder (tshinder_at_tacteam.net)
Date: 05/03/05

  • Next message: Sanford Reed: "RE: [fw-wiz] PIX -> ISA -> OWA Configuration"
    To: <firewall-wizards@honor.icsalabs.com>
    Date: Tue, 3 May 2005 09:14:48 -0500
    
    

    And how precisely is the PIX going to prevent a directory traversal?
    Also, with an ISA firewall interposed, how could a directory traversal
    attack be possible?

    Tom
    www.isaserver.org/shinder
    Tom and Deb Shinder's Configuring ISA Server 2004
    http://tinyurl.com/3xqb7
    MVP -- ISA Firewalls

    -----Original Message-----
    From: firewall-wizards-admin@honor.icsalabs.com
    [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Jason Gomes
    Sent: Tuesday, May 03, 2005 12:59 AM
    To: Paul Melson
    Cc: firewall-wizards@honor.icsalabs.com
    Subject: Re: [fw-wiz] PIX -> ISA -> OWA Configuration

    Definitely? Under #1 it seems like something as simple as a directory
    traversal attack against IIS/OWA that manages to get through ISA leaves
    your entire internal network exposed. Under #2 it appears to me that an
    attacker would need at the very least a second exploit to gain further
    access to the trusted network.

    Paul Melson wrote:
    > #1, definitely. The whole reason to use ISA proxy with a front-end/back-end
    > OWA setup is to reduce the amount of holes that must be punched in the
    > firewall. Since the OWA server must be a member of the domain, it requires
    > an exhaustive list of ports be open between itself and the Exchange server
    > as well as at least one domain controller. With the ISA proxy, it's 443 in,
    > 443 out (or 80 out if you don't want/need to encrypt the traffic between the
    > ISA and OWA servers).
    >
    > PaulM
    >
    > -----Original Message-----
    > From: firewall-wizards-admin@honor.icsalabs.com
    > [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Jason Gomes
    > Sent: Sunday, May 01, 2005 2:14 AM
    > To: firewall-wizards@honor.icsalabs.com
    > Subject: [fw-wiz] PIX -> ISA -> OWA Configuration
    >
    > What is the preferred placement for an OWA front-end server given these two
    > possible network configurations and why?
    >
    > 1) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==> [PIX Firewall] <==>
    > [OWA] <==> [Internal Net w/Exchange Svr]
    >
    > 2) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==> [OWA] <==> [PIX
    > Firewall] <==> [Internal Net w/Exchange Svr]
    >
    > Notes:
    > The ISA server is performing a reverse proxy for HTTPS connections.
    > In #1, the backend firewall will only allow port 443 through to OWA.
    > In #2, all ports required for OWA to communicate with the internal Exchange
    > server are allowed.
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    >
    >
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
