Re: [fw-wiz] PIX -> ISA -> OWA Configuration

From: Victor Williams (vbwilliams_at_neb.rr.com)
Date: 05/18/05

  • Next message: Chris Byrd: "[fw-wiz] Thoughts on the new Cisco ASA 5500 firewalls"
    To: Jeremiah Cornelius <jeremiah@nur.net>
    Date: Tue, 17 May 2005 19:03:33 -0500
    
    

    Rhetorical questions to that long-winded wrong assumption...

    When did a "correctly implemented VPN solution" include all of layers 2
    and 3? Who said anything about "full VPN access"?

    You know what assumptions make right?

    Victor Williams

    Jeremiah Cornelius wrote:

    >>>I've found personally that a correctly implemented VPN solution is
    >>>1000 times better than trying to get OWA deployed and *safe*.
    >
    >
    >There is real foolishness in the VPN suggestion - offering all of layers
    >2 and 3 to remote clients for the sake of a single application. This is
    >weak science, and "architecture by anecdote".
    >
    >Taken as a proposed method for limiting attack surface, I think that it
    >needs serious re-examination!
    >
    >Give me a threat model for full network client access, vs. that of an
    >application inspection firewall, proxying SSL - such as ISA 2004. Good!
    >Notice anything? Now supply me with motivated attackers. OWA/ISA is the
    >safest bet for remote access of Exchange systems, and this can be
    >quantified using models, not by asserting a bias, or making category
    >generalizations.
    >
    >The only people who should ever get full VPN access are systems and
    >network administrators, with a demonstrated need. They should be
    >subject to extensive logging, and a separate audit. There are
    >application-oriented solutions that meet the needs of other users,
    >without a "default allow" policy. I often despair that we will spend
    >the next 20 years rolling back the broad remote access that was granted
    >over the last 10.
    >
    >Jeremiah Cornelius
    >CISSP, ISSAP, CCNA, MCSE+S

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

