RE: [fw-wiz] PIX -> ISA -> OWA Configuration
From: Frank Knobbe (frank_at_knobbe.us)
To: firstname.lastname@example.org Date: Tue, 03 May 2005 17:41:19 -0500
On Tue, 2005-05-03 at 09:06 -0400, Paul Melson wrote:
I'd say definitely not. But oh, well, to each his own...
> In #1, if the ISA server is configured via the OWA publishing
> wizard, it will create ACL's that prevent requests that don't match
> /exchange/* from being passed to IIS.
That's fine. There were (and perhaps still are) holes in script
beyond /exchange that can be exploited....
> In #2, the same thing applies, but should the ISA server be compromised say
> via buffer overflow, then there is no protection for the internal AD domain,
> since those holes must be punched straight through the firewall (and they
> are BIG holes).
How is that different from when the OWA server gets hacked sitting right
on the inside? At least you have *some* constraints you can enforce.
while AD related ports are open, an attacker can not... say... scan for
and exploit vulnerable FTP servers. Or attack any system other than your
AD servers, like worming it's way through vulnerable workstations.
I think you put way too much trust in ISA server.
Why is that when we don't trust an application (OWA), we don't try to
secure that, but instead add *another* application (ISA) server in
attempts to secure the first app? The strength of a chain is determined
by the weakest link. So why do we keep on adding links, increasing the
risk of reduction of strength?
layers of security number of chains
---------------------- X ---------------------------- = some
layers of complexity number or links in a chain
If you firmly believe in solution 1, than please do as Ben suggested and
buy one of them shiny red boxes and put that in the same rack....
firewall-wizards mailing list
- application/pgp-signature attachment: This is a digitally signed message part