RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good

From: Ravdal, Stig (SRavdal_at_Quiznos.com)
Date: 11/21/05

  • Next message: Roelof JT Jonkman: "Re: [fw-wiz] NFS and Cisco"
    To: "Patrick M. Hausen" <hausen@punkt.de>
    Date: Mon, 21 Nov 2005 08:36:28 -0700
    
    

    Hi Patrick and thanks for your comments.

    Our firewall is certainly more than a packet filter - we use the border
    router for basic packet filtering of bogus/spoofed traffic. The
    firewall we use is one of the market leaders and operates on layers 2-7,
    stateful and all that. However, I don't have enough hands-on experience
    with it to be confident about how well it does the upper layers, how
    many protocols and applications it has support of and the depth of
    inspection.

    Firewalls are certainly evolving beyond ports and addresses and we see
    more and more specialized firewalls (e.g. XML firewall) that can do
    application inspection. Furthermore, the Inline IPS devices in some
    cases are smart enough to know what hosts and vulnerabilities exist on
    the network and can respond accordingly. No, we're beyond packet
    filtering, ports and IP addresses at this point.

    In this respect I believe that the ISA firewall acting as the front-end
    to OWA may do a better job at least for OWA/Exchange. As you suggest if
    you can address authentication (token/smart card/etc) before hitting the
    OWA/Exchange box than the hurdle to overcome is most likely so
    substantial that an attacker will go elsewhere and a script should fail.

    I think as long as there are several hurdles to tackle - defense in
    depth - it buys you time to detect what's going on in one of those
    systems before the compromise is complete or successful.

    Cheers and thanks,

    Stig

    -----Original Message-----
    From: Patrick M. Hausen [mailto:hausen@punkt.de]
    Sent: Monday, November 21, 2005 7:33 AM
    To: Ravdal, Stig
    Cc: firewall-wizards@honor.icsalabs.com
    Subject: Re: [fw-wiz] Single Exchange/OWA on LAN with Internet Access -
    a good

    Hello!

    Stig wrote:

    > Our MS admins are proposing to implement single OWA/Exchange servers
    > on the LAN and allow access directly to the server through the
    firewall.

    IMHO this depends entirely on your definition of "firewall".

    If the "firewall" in question is nothing more than a stupid
    packet filtering device, then your network will be at a big risk.

    If the firewall can do things like control what happens inside
    the HTTP traffic for OWA, terminate SSL on the firewall for that
    purpose, provide strong token based authentication _before_
    the connection even hits your exchange server ... then I'd say
    the benefits might outweigh the remaining risk.

    Somehow most admins have been brain washed to believe that
    "firewalls" are all about "port numbers". IMNSHO they are not.
    They are choke points for policy enforcment. And policy includes
    much more than just ports.

    Regards, HTH,

    Patrick M. Hausen
    Leiter Netzwerke und Sicherheit

    -- 
    punkt.de GmbH         Internet - Dienstleistungen - Beratung
    Vorholzstr. 25        Tel. 0721 9109 -0 Fax: -100
    76137 Karlsruhe       http://punkt.de
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    

  • Next message: Roelof JT Jonkman: "Re: [fw-wiz] NFS and Cisco"