Re: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good

From: Julian M D (julianmd_at_gmail.com)
Date: 11/22/05

To: Matt Bazan <Mbazan@onelegal.com>
Date: Mon, 21 Nov 2005 21:27:02 -0500

    Instead of placing the ISA box in PIX's DMZ, create a second DMZ by placing
    ISA between the PIX's inside interface and the LAN, filtering the noise at
    the PIX level, and then just publish the Exchange services you need. You
    could always use the RADIUS with any kind of secondary authentication (RSA
    chips)
     -------------------
    |PIX ---DMZ1 |
    -------------------
     |
     |-DMZ2
     |
     |
    ------------
    |ISA |
    ------------
    |
    |
    |LAN
    |
    |
    Exchange
     Pros? Cons?
     Thanks,

    On 11/18/05, Matt Bazan <Mbazan@onelegal.com> wrote:
    >
    > OWA front ended by ISA 2003 is solid. Requires either port 80 or 443 or
    > one/other depending on your requirements. Authentication is not handled
    > by OWA box.
    >
    > -----Original Message-----
    > From: firewall-wizards-admin@honor.icsalabs.com
    > [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Ravdal,
    > Stig
    > Sent: Thursday, November 17, 2005 9:43 AM
    > To: Behm, Jeffrey L.; firewall-wizards@honor.icsalabs.com
    > Subject: RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access -
    > a good
    >
    >
    > Thanks Jeff & others,
    >
    > No I won't let the admins have their insecure way about things. What I
    > struggle with from time to time is having logical and factual reasons
    > why this or that is more or less secure.
    >
    > But I am starting to put together a list of issues from what I have seen
    > in the archives and some of the responses I have heard thus far.
    >
    > A new challenge with OWA on Windows 2003 is that you cannot lock down
    > the ports that the front-end server needs to talk to the back-end
    > system. I saw a different comment on the list suggesting that MS has
    > done this to position ISA as the best (and only) solution for OWA in a
    > DMZ - it is designed to "publish" MS products including MS CRM. We had
    > another issue with that product and providing access to it via SSL-VPN
    > where the pages broke because of mangled activeX or something to that
    > effect - not very happy with MS approach to securing their products.
    >
    > Here's what I have so far for good strong arguments & solutions:
    >
    > From Paul:
    > - It's a Web authentication application (easy to attack- lots of tools)
    > - It uses the user's domain credentials (easy to escalate to more
    > attacks)
    > - Both of these are simple to do from a computer that's untrustworthy
    >
    > Jeff & Manuel:
    > - CipherTrust's IronWebMail front end (that sits in a DMZ) or other
    > capable reverse proxy such as apache and do auth up-front there (combine
    > that with Token and it's starting to get better).
    >
    > Thanks guys,
    >
    > Stig
    >
    >
    > -----Original Message-----
    > From: Behm, Jeffrey L. [mailto:BehmJL@bvsg.com]
    > Sent: Thursday, November 17, 2005 10:32 AM
    > To: firewall-wizards@honor.icsalabs.com
    > Cc: Ravdal, Stig
    > Subject: RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access -
    > a good
    >
    > The DMZ server (i.e. reverse proxy-type server) should be able to do
    > more than just port filtering and *shouldn't* require all those ports to
    > be open. It should be able to do various application level checks as
    > well, before the request makes it into your network.
    >
    > Look at CipherTrust's IronWebMail front end (that sits in a DMZ) for
    > example. It does more than just port filtering and doesn't require a ton
    > of open ports through the firewall, just normal web traffic. Other
    > "reverse-proxy" front ends should behave similarly, although perhaps not
    > as robustly.
    >
    > *DON'T* let your MS admins dictate the security of the network. If you
    > do, you'd be better off to just put the exchange servers directly on the
    > Internet ;-)... <sarcasm>It'd be just as secure, faster (due to no
    > firewall latency), and less configuration issues.</sarcasm>
    >
    > Jeff
    >
    > -----Original Message-----
    > From: firewall-wizards-admin@honor.icsalabs.com
    > [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Ravdal,
    > Stig
    > Sent: Thursday, November 17, 2005 9:50 AM
    > To: firewall-wizards@honor.icsalabs.com
    > Subject: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a
    > good
    >
    > Hi everyone,
    >
    > I hope that someone has been through this before and has some
    > substantial arguments for/against:
    >
    > Our MS admins are proposing to implement single OWA/Exchange servers
    > on the LAN and allow access directly to the server through the firewall.
    > The primary reason for doing it this way is to reduce the cost of the
    > front-end server that would otherwise reside in a DMZ. Their argument
    > is that with OWA 2003 you have to have a bunch of ports open anyway
    > and so what is the reason to put a front end server in the DMZ - if
    > that server were compromised they would practically have access to the
    > network anyway. With the OWA/Exchange server inside the firewall
    > access from the Internet can be limited to 80 and/or 443 only.
    >
    > My concern is that with the next OWA vulnerability someone will own
    > the server in the DMZ through a single exploit. However, I cannot
    > find anything that suggests that the front end server solution is
    > really any more secure. Yeah it's another hop but it would be an easy
    > one as soon as the front end server is compromised.
    >
    > Thoughts?
    >
    > Thanks,
    >
    > Stig
    > _______________________________________________
    > firewall-wizards mailing list firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

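As an added example (not from this thread or any of its posters), the following Apache httpd 2.4 configuration shows the design Jeff, Manuel and Julian describe: a reverse proxy in the DMZ that accepts only HTTPS from the Internet, authenticates the user before any request is forwarded, publishes only the OWA paths, and refuses everything else. The hostnames, certificate paths, LDAP URL and bind account are placeholders, and the LDAP provider stands in for whatever primary or token-based provider you would actually use.

```apache
# Added example, not the thread's own configuration. Assumes Apache 2.4 with
# mod_ssl, mod_proxy, mod_proxy_http, mod_authnz_ldap and mod_ldap loaded.
# All hostnames, paths and the LDAP bind account below are placeholders.

Listen 443
<VirtualHost *:443>
    ServerName owa.example.com

    # Terminate TLS in the DMZ; only 443 needs to be open from the Internet.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/owa.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/owa.example.com.key

    # Re-encrypt towards the back end so credentials never cross the inside
    # network in clear text. The internal firewall then needs only 443
    # (or 80 if the back end is not TLS) from this host to the Exchange box.
    SSLProxyEngine on

    # Reverse proxy only: never behave as an open forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On

    # Default deny. Anything not explicitly published below gets 403 here,
    # in the DMZ, before it reaches the internal network.
    <Location "/">
        Require all denied
    </Location>

    # Publish only the OWA paths, and require authentication up front.
    # Authorization is decided here (AuthMerging is Off by default, so this
    # Require replaces the deny above for these paths only).
    <LocationMatch "^/(owa|exchange|exchweb|public)(/|$)">
        AuthType Basic
        AuthName "Outlook Web Access"
        AuthBasicProvider ldap
        # Placeholder directory: AD-style lookup by sAMAccountName over LDAPS.
        AuthLDAPURL "ldaps://dc.corp.example.com/DC=corp,DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
        AuthLDAPBindDN "CN=owaproxy,OU=Service Accounts,DC=corp,DC=example,DC=com"
        AuthLDAPBindPassword "PLACEHOLDER-bind-password"
        Require valid-user
    </LocationMatch>

    # Forward only the published paths to the internal Exchange server.
    ProxyPass        /owa      https://exchange.corp.example.com/owa
    ProxyPassReverse /owa      https://exchange.corp.example.com/owa
    ProxyPass        /exchange https://exchange.corp.example.com/exchange
    ProxyPassReverse /exchange https://exchange.corp.example.com/exchange
    ProxyPass        /exchweb  https://exchange.corp.example.com/exchweb
    ProxyPassReverse /exchweb  https://exchange.corp.example.com/exchweb
    ProxyPass        /public   https://exchange.corp.example.com/public
    ProxyPassReverse /public   https://exchange.corp.example.com/public

    # Keep a full access log in the DMZ; failed pre-auth attempts (401/403)
    # against this host are the detection signal for password guessing.
    LogLevel warn
    ErrorLog  /var/log/httpd/owa-error.log
    CustomLog /var/log/httpd/owa-access.log combined
</VirtualHost>
```

Two points worth noting against the thread's concerns. First, this does not remove the "web authentication with domain credentials" exposure Paul raises; it moves the first authentication decision into the DMZ so that unauthenticated requests never touch Exchange, and it lets you swap the provider (or add a second factor, as Julian suggests with RADIUS) without changing the back end. Second, the default-deny `<Location "/">` plus the explicit `ProxyPass` list is what turns the proxy from a port forwarder into the application-level filter Jeff describes: a request for any path outside the published set is answered with 403 in the DMZ and never generates traffic on the inside firewall.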


