Re: [fw-wiz] PIX -> ISA -> OWA Configuration
From: Jason Gomes (greyline_at_phreaker.net)
To: Paul Melson <firstname.lastname@example.org> Date: Tue, 03 May 2005 21:53:13 -1000
It sounds like you would completely and solely trust ISA to protect OWA
and your entire internal network.
In #2 if either the ISA or OWA server is compromised, wouldn't the
back-end firewall limit the potential damage that could be done to the
Internal Network? ACLs would dictate which of those AD ports would be
allowed open and to specific, hardened, back-end servers.
In #1, a single exploit against OWA (ignoring any protection ISA may
provide which would be available in both scenarios) would allow an
attacker free reign to target anything internally without restriction.
Paul Melson wrote:
> Definitely. In #1, if the ISA server is configured via the OWA publishing
> wizard, it will create ACL's that prevent requests that don't match
> /exchange/* from being passed to IIS. You can also run urlscan at the ISA
> server (though it requires some tweaking to keep from breaking some of OWA's
> In #2, the same thing applies, but should the ISA server be compromised say
> via buffer overflow, then there is no protection for the internal AD domain,
> since those holes must be punched straight through the firewall (and they
> are BIG holes).
> -----Original Message-----
> Subject: Re: [fw-wiz] PIX -> ISA -> OWA Configuration
> Definitely? Under #1 it seems like something as simple as a directory
> traversal attack against IIS/OWA that manages to get through ISA leaves your
> entire internal network exposed. Under #2 it appears to me that an attacker
> would need at the very least a second exploit to gain further access to the
> trusted network.
>>What is the preferred placement for a OWA front-end server given these
>>two possible network configurations and why?
>>1) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==> [PIX Firewall]
>><==> [OWA] <==> [Internal Net w/Exchange Svr]
>>2) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==> [OWA] <==>
>>[PIX Firewall] <==> [Internal Net w/Exchange Svr]
firewall-wizards mailing list