RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good

From: Paul Melson (pmelson_at_gmail.com)
Date: 11/17/05

  • Next message: Ravdal, Stig: "RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good"
    To: "'Thomas W Shinder'" <tshinder@tacteam.net>, "'Ravdal, Stig'" <SRavdal@Quiznos.com>, <firewall-wizards@honor.icsalabs.com>
    Date: Thu, 17 Nov 2005 14:35:01 -0500
    
    

    -----Original Message-----
    > Subject: RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a
    good
    >
    > Hi Stig,
    >
    > The front-end/back-end Exchange Server topology was *never* about
    security, it was about
    > load balancing and routing.
    >
    > You can put the FE Exchange Server in a authenticated access DMZ, as I've
    done many times,
    > but there's no point to putting the FE Exchange Server in an anonymous
    access DMZ.
    >
    >
    > > -----Original Message-----
    > > Subject: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a
    good
    > >
    > > My concern is that with the next OWA vulnerability someone will own
    > > the server in the DMZ through a single exploit. However, I cannot
    > > find anything that suggests that the front end server solution is
    > > really any more secure. Yeah it's another hop but it would be an easy
    > > one as soon as the front end server is compromised.

    I agree w/ Dr. Tom on this. The kind of stuff you have to open between
    internal Exchange servers and AD domain controllers and the front-end OWA
    server makes the DMZ almost pointless. You expose your internal network so
    much to the OWA front-end that if it's broken into, the other servers will
    fall quickly thereafter.

    A better solution, in my opinion (and I must say, I am surprised that Tom
    doesn't mention this) is to put ISA Server in the DMZ as a reverse proxy.
    At least this way you can offload SSL and authentication to the ISA Server
    in the DMZ and only open up 1 or 2 ports from it to the internal network.
    The other advantage is that you can use ISA Server's web publishing rules to
    restrict access to the OWA server's IIS instance to only the OWA
    application, greatly reducing the attack surface of the OWA server. (If you
    do this, it is worth noting that the default URLScan rules will break OWA
    2003.)

    PaulM

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  • Next message: Ravdal, Stig: "RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good"

    Relevant Pages