RE: [fw-wiz] PIX -> ISA -> OWA Configuration
From: Jeremiah Cornelius (jeremiah_at_nur.net)
Date: 05/16/05
- Previous message: Chris Blask: "RE: [fw-wiz] PIX -> ISA -> OWA Configuration"
- Maybe in reply to: woodsd001_at_hawaii.rr.com: "[fw-wiz] PIX -> ISA -> OWA Configuration"
- Next in thread: Victor Williams: "Re: [fw-wiz] PIX -> ISA -> OWA Configuration"
- Reply: Victor Williams: "Re: [fw-wiz] PIX -> ISA -> OWA Configuration"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Thomas W Shinder" <tshinder@tacteam.net>, <firewall-wizards@honor.icsalabs.com>
Date: Sun, 15 May 2005 23:10:08 -0700
> >I've found personally that a correctly implemented VPN solution is 1000
> >times better than trying to get OWA deployed and *safe*.
There is real foolishness in the VPN suggestion - offering all of layers
2 and 3 to remote clients for the sake of a single application. This is
weak science, and "architecture by anecdote".
Taken as a proposed method for limiting attack surface, I think that it
needs serious re-examination!
Give me a threat model for full network client access, vs. that of an
application inspection firewall, proxying SSL - such as ISA 2004. Good!
Notice anything? Now supply me with motivated attackers. OWA/ISA is the
safest bet for remote access of Exchange systems, and this can be
quantified using models, not by asserting a bias, or making category
generalizations.
The only people who should ever get full VPN access are systems and
network administrators, with a demonstrated need. They should be
subject to extensive logging, and a separate audit. There are
application-oriented solutions that meet the needs of other users,
without a "default allow" policy. I often despair that we will spend
the next 20 years rolling back the broad remote access that was granted
over the last 10.
Jeremiah Cornelius
CISSP, ISSAP, CCNA, MCSE+S
> -----Original Message-----
> From: firewall-wizards-admin@honor.icsalabs.com
> [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Thomas W Shinder
> Sent: Friday, May 13, 2005 11:16 AM
> To: firewall-wizards@honor.icsalabs.com
> Subject: RE: [fw-wiz] PIX -> ISA -> OWA Configuration
>
> Since the ISA firewall was designed to protect OWA, what would be the
> rationale for not using an ISA firewall?
>
>
> Tom
> www.isaserver.org/shinder
> Tom and Deb Shinder's Configuring ISA Server 2004
> http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
>
> -----Original Message-----
> From: firewall-wizards-admin@honor.icsalabs.com
> [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Chris
> Blask
> Sent: Monday, May 09, 2005 8:44 PM
> To: vbwilliams@neb.rr.com; Paul Melson
> Cc: woodsd001@hawaii.rr.com; firewall-wizards@honor.icsalabs.com
> Subject: Re: [fw-wiz] PIX -> ISA -> OWA Configuration
>
> Hi folks!
>
> At 10:47 AM 5/7/2005, Victor Williams wrote:
> >Personally, I didn't see any reason to state the obvious when it was there
> >for everyone to see.
> >
> >There is no *safe* or *best* way to deploy that architecture as far as I'm
> >concerned. The sooner everyone just accepts that, the better off everyone
> >will be.
>
> Everyone that counts (the folks who pay for all this stuff) don't give a
> mongoose's hooter what architecture is used, they just want their apps to
> work where they need them. On this one I agree with them whole-heartedly:
> I'd like to be able to read my email displayed on the fannies of migratory
> waterfowl. I'll settle for bioptic HUD glasses that can overlay the text
> as opposed to actually laser-printing on loons, but it better be no less
> secure than a workstation in a cube however it gets done.
>
> >I've found personally that a correctly implemented VPN solution is 1000
> >times better than trying to get OWA deployed and *safe*.
>
> The only problem with VPNs are kiosks and other Not-My-Computer
> situations. Webmail will be implemented (even, I shudder to say, OWA)
> because we haven't yet made VPNs fully portable.
>
> If you have to use OWA, I'd use one of the mail firewalls out there
> (BorderWare or IronMail, for example) in front of it. Something like that
> gives you a break in the chain between your MaxiSoft servers and the World,
> and a dev team to maintain it and pester when you feel antsy.
>
> -cheers!
>
> -chris
>
>
> Chris Blask
> chris@blask.org
> blaskworks.blogspot.com
>
>
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards