RE: [fw-wiz] PIX -> ISA -> OWA Configuration

From: Paul Melson (psmelson_at_comcast.net)
Date: 05/05/05

    To: <woodsd001@hawaii.rr.com>
    Date: Thu, 5 May 2005 15:20:51 -0400
    
    

    Bring on the logic...

    while [ "$horse" = "dead" ]; do
            beat $horse
    done

    At the end of the day, everybody that expresses the opinion that #1 < #2 has
    missed the point of what a firewall can actually do for them. Perhaps they
    are wise to mistrust IIS, but not if it means trusting a larger number of
    other native Windows services. Let's break it down, and then I've gotta get
    off this thread because nobody pays me to worry about OWA/Exchange
    infrastructure anymore.

    PIX Firewalls offer access control at layer 3. This mitigates risk by
    reducing the number of possible attack vectors against a given system by
    only permitting that traffic which is necessary.

    An ISA Server, an OWA server, an Exchange server, and an AD domain
    controller all run on similar platforms, having similar numbers and types of
    attack vectors, give or take a few.

    If my OWA presence consists of an ISA Server doing reverse proxy to an OWA
    server, and like most organizations, my Exchange server is part of my
    production AD environment, then I can create a list that looks like this:

    ISA Attack Vectors   OWA Attack Vectors   AD Attack Vectors   Total Attack Vectors
    ------------------   ------------------   -----------------   --------------------
                    35                   30   Exchange      26                    116
                                              AD DC         25

    I am using an arbitrary number (25) assigned to Windows boxes in an AD
    domain, but you could calculate this with a quick nmap of your production
    boxes. I'm then adding 10 proxy ports to ISA, 5 ports for IIS (ftp, http/s,
    smtp, etc.), and 1 port for Exchange (SMTP). In this case, I select to
    define an attack vector as allowed communication from network of lower
    "trust" to a network of higher "trust" (per the PIX interface model) - for
    example, traffic allowed from the Internet to the ISA Server is an attack
    vector, but traffic from the OWA server to the ISA Server is not. Then I
    subtract the attack vectors from my table and add them up, like so:

    ISA (#1)   OWA (#1)   AD (#1)   Total (#1)
    --------   --------   -------   ----------
           1          1        26           53
                               25

    ISA (#2)   OWA (#2)   AD (#2)   Total (#2)
    --------   --------   -------   ----------
           1         30        21           72
                               20

    Now you can get fancy with weighting your attack vector charts, perhaps
    using your risk assessment and mitigation policy to do so, and you can use
    the actual number of listening ports on your production systems, but you'll
    still come out with the same conclusion: #1 reduces the exposure of your
    ISA/OWA implementation more than #2 does.

    PaulM

    PS - How come nobody's come back with, "The most secure option is to not use
    OWA at all and make people check their e-mail from the office like normal
    human beings." ? If you apply that option to the risk valuation I use
    above, you get a sum of 0. Clearly better than the rest.

    -----Original Message-----
    Subject: [fw-wiz] PIX -> ISA -> OWA Configuration

    Option #1 would have to be the worst option for security, all you have to do
    is re-read Ben Nagy's response and think about it for a few more minutes.
    When you place the OWA server directly into your internal network without
    controls, you have no controls unless of course you truly believe that a
    Microsoft product is not considered a "Hackable device" and in this case we
    are talking about two Microsoft products - ISA Proxy Server and OWA.....
    [spaghetti] --> [hackable box] --> [hackable box] --> [pot of gold]

    Option #2 is the better solution since there is at least one additional control
    added in the diagram.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


