[fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good

From: Ravdal, Stig (SRavdal_at_Quiznos.com)
Date: 11/17/05

Next message: Jerry Gardner: "[fw-wiz] 7.x on PIX 506E?"

Previous message: Paul D. Robertson: "Re: [fw-wiz] Question about setting up PIX firewall"
Next in thread: Paul D. Robertson: "Re: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good"
Reply: Paul D. Robertson: "Re: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good"
Maybe reply: Thomas W Shinder: "RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good"
Maybe reply: Behm, Jeffrey L.: "RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good"
Maybe reply: Ravdal, Stig: "RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good"
Maybe reply: Kim, Cameron: "RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good"
Maybe reply: Ravdal, Stig: "RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good"
Maybe reply: Ravdal, Stig: "RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good"
Maybe reply: Matt Bazan: "RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good"
Reply: Patrick M. Hausen: "Re: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good"
Maybe reply: Ravdal, Stig: "RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good"
Maybe reply: Ravdal, Stig: "RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good"
Maybe reply: Marcus J. Ranum: "RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: <firewall-wizards@honor.icsalabs.com>
Date: Thu, 17 Nov 2005 08:50:15 -0700

Hi everyone,

I hope that someone has been through this before and have some
substantial arguments for/against:

Our MS admins are proposing to implement single OWA/Exchange servers
on the LAN and allow access directly to the server through the firewall.
The primary reason for doing it this way is to reduce the cost of the
front-end server that would otherwise reside in a DMZ. Their argument
is that with OWA 2003 you have to have a bunch of ports open anyway
and so what is the reason to put a front end server in the DMZ - if
that server were compromised they would practically have access to the
network anyway. With the OWA/Exchange server inside the firewall
access from the Internet can be limited to 80 and/or 443 only.

My concern is that with the next OWA vulnerability someone will own
the server in the DMZ through a single exploit. However, I cannot
find anything that suggests that the front end server solution is
really any more secure. Yeah it's another hop but it would be an easy
one as soon as the front end server is compromised.

Thoughts?

Thanks,

Stig
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Next message: Jerry Gardner: "[fw-wiz] 7.x on PIX 506E?"

Previous message: Paul D. Robertson: "Re: [fw-wiz] Question about setting up PIX firewall"
Next in thread: Paul D. Robertson: "Re: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good"
Reply: Paul D. Robertson: "Re: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good"
Maybe reply: Thomas W Shinder: "RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good"
Maybe reply: Behm, Jeffrey L.: "RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good"
Maybe reply: Ravdal, Stig: "RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good"
Maybe reply: Kim, Cameron: "RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good"
Maybe reply: Ravdal, Stig: "RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good"
Maybe reply: Ravdal, Stig: "RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good"
Maybe reply: Matt Bazan: "RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good"
Reply: Patrick M. Hausen: "Re: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good"
Maybe reply: Ravdal, Stig: "RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good"
Maybe reply: Ravdal, Stig: "RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good"
Maybe reply: Marcus J. Ranum: "RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

RE: fedora-list Digest, Vol 6, Issue 266
... Re: OT: Setting up a forwarding mail domain in DMZ without ... Re: Sound Problem ... downloaded the yum.conf for fedora from Redhat's website. ... Server: Fedora.us Extras ...
(Fedora)
RE: Webserver on a DMZ still needed?
... Certainly your suggestion to have a email server in a DMZ but still have ... having the exchange server on the internal LAN with only the smtp ports ... Talking of the financial cost of setup by the book vs the security cost ...
(Security-Basics)
Re: Man gets nine years for spamming
... > I don't think we've ever had web access. ... > connect to an inner server where you logged in and actually did stuff. ... We have 12 DMZ interfaces. ... the DMZs and in between the Internet routers and the first ...
(alt.computer.security)
RE: [fw-wiz] Backup exec agent in dmz
... named.conf file and the zonefiles off the the NT box in the DMZ. ... on the Apache server, ... backup tape library in this DMZ and backup all your servers to the new DMZ. ... what do you really need to back up on the DNS and web servers? ...
(Firewall-Wizards)
RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good
... The ISA acting as a proxy in the DMZ is a good option I think ... because ISA is designed to work with OWA or is it the other way round. ... in the DMZ or an ISA Server. ...
(Firewall-Wizards)