RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good

From: Ravdal, Stig
Date: 11/21/05

    To: "Patrick M. Hausen" <>
    Date: Mon, 21 Nov 2005 08:36:28 -0700

    Hi Patrick and thanks for your comments.

    Our firewall is certainly more than a packet filter - we use the border
    router for basic packet filtering of bogus/spoofed traffic. The
    firewall we use is one of the market leaders and operates on layers 2-7,
    stateful and all that. However, I don't have enough hands-on experience
    with it to be confident about how well it does the upper layers, how
    many protocols and applications it supports and the depth of

    Firewalls are certainly evolving beyond ports and addresses and we see
    more and more specialized firewalls (e.g. XML firewall) that can do
    application inspection. Furthermore, the Inline IPS devices in some
    cases are smart enough to know what hosts and vulnerabilities exist on
    the network and can respond accordingly. No, we're beyond packet
    filtering, ports and IP addresses at this point.

    In this respect I believe that the ISA firewall acting as the front-end
    to OWA may do a better job, at least for OWA/Exchange. As you suggest, if
    you can address authentication (token/smart card/etc.) before hitting the
    OWA/Exchange box, then the hurdle to overcome is most likely so
    substantial that an attacker will go elsewhere and a script should fail.

    I think as long as there are several hurdles to tackle - defense in
    depth - it buys you time to detect what's going on in one of those
    systems before the compromise is complete or successful.

    Cheers and thanks,


    -----Original Message-----
    From: Patrick M. Hausen
    Sent: Monday, November 21, 2005 7:33 AM
    To: Ravdal, Stig
    Subject: Re: [fw-wiz] Single Exchange/OWA on LAN with Internet Access -
    a good


    Stig wrote:

    > Our MS admins are proposing to implement single OWA/Exchange servers
    > on the LAN and allow access directly to the server through the

    IMHO this depends entirely on your definition of "firewall".

    If the "firewall" in question is nothing more than a stupid
    packet filtering device, then your network will be at a big risk.

    If the firewall can do things like control what happens inside
    the HTTP traffic for OWA, terminate SSL on the firewall for that
    purpose, provide strong token based authentication _before_
    the connection even hits your exchange server ... then I'd say
    the benefits might outweigh the remaining risk.

    Somehow most admins have been brain washed to believe that
    "firewalls" are all about "port numbers". IMNSHO they are not.
    They are choke points for policy enforcement. And policy includes
    much more than just ports.

    Regards, HTH,

    Patrick M. Hausen
    Leiter Netzwerke und Sicherheit

    -- GmbH         Internet - Dienstleistungen - Beratung
    Vorholzstr. 25        Tel. 0721 9109 -0 Fax: -100
    76137 Karlsruhe
    firewall-wizards mailing list
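The kind of choke point Patrick describes, a front end that terminates the client connection, checks strong authentication and inspects the HTTP request before anything reaches the Exchange server, reduces to a policy decision per request. The following is an added example written for this page, not code from either poster or from any ISA/OWA product: a pre-authentication gate that only forwards a request when the method, the URL and a signed session cookie all pass. The cookie format (user|timestamp|HMAC-SHA256), the secret, the cookie name and the list of published OWA virtual directories are all assumptions chosen for illustration; a real deployment would issue the cookie only after its own token or smart-card login page succeeded.

```python
"""Pre-authentication policy gate for an OWA reverse proxy (illustrative example)."""
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import unquote

# Assumptions for the example: the gate owns a secret and mints a signed
# session cookie once the user has passed strong authentication at the proxy.
GATE_SECRET = b"assumed-demo-secret-replace-with-random-bytes"
COOKIE_NAME = "preauth"
SESSION_TTL = 8 * 3600                       # seconds a session stays valid
ALLOWED_PREFIXES = ("/owa/", "/exchange/", "/exchweb/")   # assumed OWA directories
ALLOWED_METHODS = {"GET", "POST"}
MAX_PATH_LEN = 2048


@dataclass
class Request:
    """Minimal view of an inbound HTTP request as the gate sees it."""
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


def issue_session(user: str, now: Optional[int] = None) -> str:
    """Mint the cookie the gate sets after the user passed strong auth at the proxy."""
    ts = int(time.time() if now is None else now)
    payload = f"{user}|{ts}"
    tag = hmac.new(GATE_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_session(cookie: str, now: Optional[int] = None) -> Tuple[Optional[str], str]:
    """Return (user, reason); user is None when the cookie is rejected."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None, "malformed session"
    user, ts_str, tag = parts
    expected = hmac.new(GATE_SECRET, f"{user}|{ts_str}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forger cannot learn the tag byte by byte.
    if not hmac.compare_digest(tag, expected):
        return None, "bad signature"
    try:
        ts = int(ts_str)
    except ValueError:
        return None, "malformed timestamp"
    current = int(time.time() if now is None else now)
    if current < ts or current - ts > SESSION_TTL:
        return None, "session expired"
    return user, "ok"


def _cookie(headers: Dict[str, str], name: str) -> Optional[str]:
    """Pull one cookie value out of a Cookie header; None if absent."""
    for part in headers.get("Cookie", "").split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def decide(req: Request, now: Optional[int] = None) -> Tuple[bool, str]:
    """Policy decision: (forward?, reason). Every check runs before Exchange sees anything."""
    if req.method.upper() not in ALLOWED_METHODS:
        return False, f"method {req.method} not allowed"
    if len(req.path) > MAX_PATH_LEN:
        return False, "path too long"
    # Decode first so %2e%2e cannot hide a traversal from the prefix check.
    path = unquote(req.path)
    if (not path.startswith("/") or ".." in path or "\\" in path
            or any(not 0x20 <= ord(c) <= 0x7E for c in path)):
        return False, "suspicious path"
    if not path.lower().startswith(ALLOWED_PREFIXES):      # IIS paths are case-insensitive
        return False, "path outside published OWA directories"
    cookie = _cookie(req.headers, COOKIE_NAME)
    if cookie is None:
        return False, "unauthenticated: redirect to gate login"
    user, reason = verify_session(cookie, now)
    if user is None:
        return False, f"unauthenticated: {reason}"
    return True, f"forward to backend as {user}"


if __name__ == "__main__":
    # Constructed sample traffic, not captured data.
    now = 1_700_000_000
    session = issue_session("alice", now)
    for req, when in [
        (Request("GET", "/owa/", {"Cookie": f"preauth={session}"}), now),
        (Request("GET", "/owa/", {}), now),
        (Request("GET", "/owa/", {"Cookie": f"preauth={session}"}), now + SESSION_TTL + 1),
        (Request("DELETE", "/owa/", {"Cookie": f"preauth={session}"}), now),
        (Request("GET", "/owa/%2e%2e/scripts/", {"Cookie": f"preauth={session}"}), now),
    ]:
        print(req.method, req.path, "->", decide(req, when))
```

The ordering matters: cheap structural checks (method, length, path shape) run before the HMAC, so junk traffic costs the gate almost nothing, and the backend never sees a request that has not already cleared authentication, which is the "hurdle before hitting the OWA/Exchange box" both posters are describing.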

