RE: [fw-wiz] PIX -> ISA -> OWA Configuration

From: Frank Knobbe (frank_at_knobbe.us)
Date: 05/04/05

  • Next message: Mark Tinberg: "RE: [fw-wiz] PIX -> ISA -> OWA Configuration"
    To: firewall-wizards@honor.icsalabs.com
    Date: Tue, 03 May 2005 17:41:19 -0500

    On Tue, 2005-05-03 at 09:06 -0400, Paul Melson wrote:
    > Definitely.

    I'd say definitely not. But oh, well, to each his own...

    > In #1, if the ISA server is configured via the OWA publishing
    > wizard, it will create ACL's that prevent requests that don't match
    > /exchange/* from being passed to IIS.

    That's fine. There were (and perhaps still are) holes in script
    beyond /exchange that can be exploited....

    > In #2, the same thing applies, but should the ISA server be compromised say
    > via buffer overflow, then there is no protection for the internal AD domain,
    > since those holes must be punched straight through the firewall (and they
    > are BIG holes).

    How is that different from when the OWA server gets hacked sitting right
    on the inside? At least you have *some* constraints you can enforce.
    While AD-related ports are open, an attacker cannot... say... scan for
    and exploit vulnerable FTP servers. Or attack any system other than your
    AD servers, like worming its way through vulnerable workstations.

    I think you put way too much trust in ISA server.

    Why is that when we don't trust an application (OWA), we don't try to
    secure that, but instead add *another* application (ISA) server in
    attempts to secure the first app? The strength of a chain is determined
    by the weakest link. So why do we keep on adding links, increasing the
    risk of reduction of strength?

       layers of security       number of chains
     ----------------------- X ---------------------------- = some security index
      layers of complexity    number of links in a chain

    If you firmly believe in solution 1, then please do as Ben suggested and
    buy one of them shiny red boxes and put that in the same rack....

    Regards,
    Frank


    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
