RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good

From: Ravdal, Stig (SRavdal_at_Quiznos.com)
Date: 11/17/05

    To: "Kim, Cameron" <CKim@mdea.com>, <firewall-wizards@honor.icsalabs.com>
    Date: Thu, 17 Nov 2005 12:37:55 -0700
    
    

    Hi Cameron,

    I did find the FE/BE OWA discussion and I gleaned some nuggets from
    that. The ISA acting as a proxy in the DMZ is a good option I think
    because ISA is designed to work with OWA or is it the other way round.
    Coupled with a form of strong authentication (Token) it will at least
    make it harder - and hopefully take longer - to boost the ISA box and
    use that as a launching point against the LAN.

    Thanks,

    Stig

    -----Original Message-----
    From: Kim, Cameron [mailto:CKim@mdea.com]
    Sent: Thursday, November 17, 2005 12:35 PM
    To: Ravdal, Stig; firewall-wizards@honor.icsalabs.com
    Subject: RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access -
    a good

    If you go back a couple months, there should be a thread about FE/BE
    design, particularly whether you would want to put an FE exchange server
    in the DMZ or an ISA Server. That should provide you with some more
    info.

    Another idea is to put an ISA 2004 server in the DMZ (or if it is your
    perimeter firewall), use it to terminate the OWA connection (preferably
    using SSL) and proxy the request back to the exchange server. It's safer
    than just tunneling the connection through and you have a bit of
    granular control.

    Cameron Kim

    -----Original Message-----
    From: firewall-wizards-admin@honor.icsalabs.com
    [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Ravdal,
    Stig
    Sent: Thursday, November 17, 2005 9:43 AM
    To: Behm, Jeffrey L.; firewall-wizards@honor.icsalabs.com
    Subject: RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access -
    a good

    Thanks Jeff & others,

    No I won't let the admins have their insecure way about things. What I
    struggle with from time to time is having logical and factual reasons
    why this or that is more or less secure.

    But I am starting to put together a list of issues from what I have seen
    in the archives and some of the responses I have heard thus far.

    A new challenge with OWA on Windows 2003 is that you cannot lock down
    the ports that the front-end server needs to talk to the back-end
    system. I saw a different comment on the list suggesting that MS has
    done this to position ISA as the best (and only) solution for OWA in a
    DMZ - it is designed to "publish" MS products including MS CRM. We had
    another issue with that product and providing access to it via SSL-VPN
    where the pages broke because of mangled activeX or something to that
    effect - not very happy with MS approach to securing their products.

    Here's what I have so far for good strong arguments & solutions:

    From Paul:
    - It's a Web authentication application (easy to attack- lots of tools)
    - It uses the user's domain credentials (easy to escalate to more
      attacks)
    - Both of these are simple to do from a computer that's untrustworthy

    Jeff & Manuel:
    - CipherTrust's IronWebMail front end (that sits in a DMZ) or other
    capable reverse proxy such as Apache and do auth up-front there (combine
    that with Token and it's starting to get better).

    Thanks guys,

    Stig

    -----Original Message-----
    From: Behm, Jeffrey L. [mailto:BehmJL@bvsg.com]
    Sent: Thursday, November 17, 2005 10:32 AM
    To: firewall-wizards@honor.icsalabs.com
    Cc: Ravdal, Stig
    Subject: RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access -
    a good

    The DMZ server (i.e. reverse proxy-type server) should be able to do
    more than just port filtering and *shouldn't* require all those ports to
    be open. It should be able to do various application level checks as
    well, before the request makes it into your network.

    Look at CipherTrust's IronWebMail front end (that sits in a DMZ) for
    example. It does more than just port filtering and doesn't require a ton
    of open ports through the firewall, just normal web traffic. Other
    "reverse-proxy" front ends should behave similarly, although perhaps not
    as robustly.

    *DON'T* let your MS admins dictate the security of the network. If you
    do, you'd be better off to just put the exchange servers directly on the
    Internet ;-)... <sarcasm>It'd be just as secure, faster (due to no
    firewall latency), and less configuration issues.</sarcasm>

    Jeff

    -----Original Message-----
    From: firewall-wizards-admin@honor.icsalabs.com
    [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Ravdal,
    Stig
    Sent: Thursday, November 17, 2005 9:50 AM
    To: firewall-wizards@honor.icsalabs.com
    Subject: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a
    good

    Hi everyone,

    I hope that someone has been through this before and has some
    substantial arguments for/against:

    Our MS admins are proposing to implement single OWA/Exchange servers on
    the LAN and allow access directly to the server through the firewall.
    The primary reason for doing it this way is to reduce the cost of the
    front-end server that would otherwise reside in a DMZ. Their argument
    is that with OWA 2003 you have to have a bunch of ports open anyway and
    so what is the reason to put a front end server in the DMZ - if that
    server were compromised they would practically have access to the
    network anyway. With the OWA/Exchange server inside the firewall access
    from the Internet can be limited to 80 and/or 443 only.

    My concern is that with the next OWA vulnerability someone will own the
    server in the DMZ through a single exploit. However, I cannot find
    anything that suggests that the front end server solution is really any
    more secure. Yeah it's another hop but it would be an easy one as soon
    as the front end server is compromised.

    Thoughts?
     
    Thanks,
     
    Stig
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
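
As an added illustration (not from any poster in this thread), here is the DMZ reverse-proxy arrangement Cameron and Jeff describe, written as an Apache httpd 2.2 configuration: SSL terminated in the DMZ, authentication enforced before a request reaches the LAN, and only the OWA paths forwarded so the inner firewall needs nothing but 443 from the proxy to the Exchange server. The hostname, certificate paths, password file and back-end address are placeholders; the virtual directory names are Exchange 2003's defaults.

```apache
# Added example, not part of the original thread.
# Assumes mod_ssl, mod_proxy, mod_proxy_http, mod_auth_basic/mod_authn_file
# and mod_alias are loaded. 10.0.0.25 is a placeholder for the internal
# Exchange server; owa.example.com is a placeholder hostname.
Listen 443
<VirtualHost *:443>
    ServerName owa.example.com

    # SSL terminates here, so only TCP/443 is open from the Internet to the DMZ.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/owa.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/owa.example.com.key

    # Reverse proxy only; never act as a forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On
    # Re-encrypt to the back-end so credentials are not in the clear on the LAN.
    SSLProxyEngine On

    # Authenticate up-front in the DMZ. A file-based user list is used here;
    # a token/OTP authentication module would replace it in practice.
    # OWA itself still prompts for domain credentials behind this layer.
    <Location />
        AuthType Basic
        AuthName "OWA"
        AuthUserFile /etc/apache2/owa.passwd
        Require valid-user
    </Location>

    # Nothing is served from the local filesystem on this host.
    <Directory />
        Order deny,allow
        Deny from all
    </Directory>

    # Forward only the OWA virtual directories; any other path is refused
    # by the proxy and never reaches the Exchange server.
    ProxyPass        /exchange https://10.0.0.25/exchange
    ProxyPassReverse /exchange https://10.0.0.25/exchange
    ProxyPass        /exchweb  https://10.0.0.25/exchweb
    ProxyPassReverse /exchweb  https://10.0.0.25/exchweb
    ProxyPass        /public   https://10.0.0.25/public
    ProxyPassReverse /public   https://10.0.0.25/public

    # Land users on the OWA mailbox path rather than the (denied) root.
    RedirectMatch ^/$ /exchange/
</VirtualHost>
```

With this in place the inner firewall rule is a single TCP/443 allow from the proxy's DMZ address to the Exchange server, which is the point Jeff makes about a front end that needs only normal web traffic rather than the full port list.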

