RE: Ye Olde OWA Topic (Was RE: Website inside or outside domain)

From: Henry Sieff (hsieff@orthodon.com)
Date: 02/17/03

    From: Henry Sieff <hsieff@orthodon.com>
    To: 'shannong' <shannong@texas.net>, focus-ms@securityfocus.com
    Date: Mon, 17 Feb 2003 09:29:43 -0600
    
    

    > -----Original Message-----
    > From: shannong [mailto:shannong@texas.net]
    > Sent: Saturday, February 15, 2003 12:09 PM
    > To: 'Henry Sieff'; focus-ms@securityfocus.com
    > Subject: RE: Ye Olde OWA Topic (Was RE: Website inside or outside
    > domain)
    >
    >
    > Of course, if you're using a VPN device then there's no need to deal
    > with any DMZs or any other separation of OWA from your inside network.
    > You just VPN to the network and then connect to OWA/Exchange which
    > resides "next" to Exchange. This of course requires client side
    > software and configuration.

    Depends on the level of security you are trying to achieve. I view the
    remote endpoint of the VPN as being on a different trust level than your
    internal network. Regardless of how good VPN technology gets, there is still
    the final element of physical security which cannot be enforced or verified
    when you deal with a remote client. So, in order to at least limit the
    danger, and monitor the traffic, I would put the VPN
    concentrator/whathaveyou on its own leg, fairly trusted, but not completely
    trusted.

    Obviously, you can always sacrifice this minimal gain in security, but the
    cost of the additional fw interface is not huge, either in equipment or
    configuration.

    Henry


