RE: OWA security

From: Kollman, Christopher (Christopher.Kollman_at_phlx.com)
Date: 01/13/04

    To: "'Martin K. Lee - XML Consulting'" <martin.lee@xmlconsulting.com.au>, Beverly Kittens <beverlykittens@hotmail.com>
    Date: Tue, 13 Jan 2004 13:13:32 -0500
    
    

    A question and small note. What is the purpose of the ISA server, and why is
    it connected to the internal network and the DMZ? Any requests should route
    through the PIX server. The port 80 internal rule should only allow outbound
    access to the web server from the internal network, so the exposure is not as
    great as the inbound access from the Internet to the web server.

    -----Original Message-----
    From: Martin K. Lee - XML Consulting
    [mailto:martin.lee@xmlconsulting.com.au]
    Sent: Monday, January 12, 2004 9:47 PM
    To: Beverly Kittens
    Cc: security-basics@securityfocus.com
    Subject: RE: OWA security

    Hi Beverly,

    If you are serious about security you shouldn't use HTTP for OWA access
    in the first place. HTTPS would help in this case (well, be aware of DoS
    though).

    Well, if you are adding a separate web server into the network, I would
    suggest a firewall for separating the web server and the internal
    network. You may like to consider removing the connection of the PIX to
    the internal network and making a DMZ for the web server.

    My 2 cents...

    Martin K. Lee

    -----Original Message-----
    From: Beverly Kittens [mailto:beverlykittens@hotmail.com]
    Sent: Wednesday, December 17, 2003 12:43 AM
    To: MDunn@sscincorporated.com
    Cc: security-basics@securityfocus.com
    Subject: RE: OWA security

    Thanks Mike

    In fact we are using an ISA server. Proposed config looks like this.

    Internet
        |
    +------+          +------------------+
    | PIX  |-----+----| OWA Server       |
    +------+     |    +------------------+
       |         |
       |      +---------------+
       |      | ISA Server    |
       |      +---------------+
       |         |
    -------------------------------+---
    internal network               |
                        +----------------------+
                        | Xchange server       |
                        +----------------------+

    I'm trying to determine if this is a sensible architecture, and I'm
    still rather unclear about the function of the ISA server in this context.

    On a somewhat related topic: What stops an attacker compromising the
    web server then using it to attack an internal system? Port 80 is open
    from the Internet to the web server, and from the web server to the
    internal systems. Isn't this a huge security hole?

    >From: "Michael Dunn" <MDunn@sscincorporated.com>
    >To: "Beverly Kittens" <beverlykittens@hotmail.com>
    >CC: <security-basics@securityfocus.com>
    >Subject: RE: OWA security
    >Date: Mon, 15 Dec 2003 14:38:40 -0500
    >
    >
    >Check out isaserver.org.
    >
    >You may or may not be using ISA server as your firewall, but in either
    >case, there are several articles on 'best practices' for securing an
    >IIS/OWA server.
    >
    >Regards,
    >
    >-Mike
    >
    >-----Original Message-----
    >From: Beverly Kittens [mailto:beverlykittens@hotmail.com]
    >Sent: Monday, December 15, 2003 10:32 AM
    >To: security-basics@securityfocus.com
    >Subject: OWA security
    >
    >
    >
    >Hello list
    >
    >My company is currently implementing OWA to provide users with access
    >to email from any Internet machine. I'd like to see the OWA server in
    >a DMZ, but this is currently up for discussion. Sometimes operational
    >stuff gets in the way of security....
    >
    >Can anyone point me at a paper that describes the security implications
    >of OWA, particularly the network related issues please. I'd also be
    >interested to learn the difference between OWA and POP architecture.
    >
    >Thank you
    >

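    One way to check the directionality point made in the replies above, as an added example that is not part of the thread or of any PIX/ISA configuration: a small Python model of zone-to-zone rules, with the port 80 set Beverly describes beside a tightened one, reporting which ports a host in the DMZ could use to open a connection into the internal network. The zone names, the Rule type and both rule sets are assumptions constructed for illustration.

```python
# Added example, not from the thread: a minimal zone-based policy check
# for the topology drawn above. Zone names, the Rule format and both rule
# sets are constructed for illustration, not real PIX/ISA syntax.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str     # zone that initiates the connection
    dst: str     # zone being connected to
    port: int    # TCP destination port (0 = any port)
    allow: bool

def permitted(rules, src, dst, port):
    """First-match evaluation for a NEW connection, default deny.
    A stateful firewall passes reply packets on its own, so only the
    initiating direction matters here."""
    for r in rules:
        if r.src == src and r.dst == dst and r.port in (0, port):
            return r.allow
    return False

# Weak set, as described in the thread: port 80 open from the Internet
# to the web server AND from the web server to the internal systems.
WEAK = [
    Rule("internet", "dmz", 80, True),
    Rule("dmz", "internal", 80, True),
    Rule("internal", "dmz", 80, True),
]

# Tightened set following the replies: HTTPS only from the Internet, the
# port 80 rule only outbound from the internal network to the OWA box, and
# nothing initiated from the DMZ inward. Anything the OWA front end must
# legitimately reach on Exchange would go in as explicit, narrowly scoped
# rules above the final deny (ports deliberately not guessed here).
TIGHT = [
    Rule("internet", "dmz", 443, True),
    Rule("internal", "dmz", 80, True),
    Rule("internal", "dmz", 443, True),
    Rule("dmz", "internal", 0, False),
]

def dmz_can_reach_internal(rules, ports=range(1, 1025)):
    """Ports on which a DMZ host may open a connection inward, i.e. what
    a compromised web server would have available as a path inward."""
    return [p for p in ports if permitted(rules, "dmz", "internal", p)]

if __name__ == "__main__":
    print("weak :", dmz_can_reach_internal(WEAK))
    print("tight:", dmz_can_reach_internal(TIGHT))
```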
