Firewall Wizards: Re: Exchange 2003 OWA security questions

Re: Exchange 2003 OWA security questions

From: Paul D. Robertson <paul_at_compuwar.net>
Date: Tue, 18 Jan 2005 21:32:27 -0500 (EST)

On Tue, 18 Jan 2005 MHawkins_at_TULLIB.COM wrote:

> Our Microsoft admin wants to multihome an ISA server on our web dmz with the
> other NIC connected to our internal network to allow the ISA to talk to the
> internal MS OWA front end server which then talks to the exchange server
> (sheesh!). All this to allow users on the internet to access exchange via a
> web browser.

This also potentially allows attackers on the Internet to access exchange
via the Internet...

> I've read a lot of the documentation on the whole Windows2003 Exchange web
> pages solution and I think Microsoft is trying to bad mouth other firewalls
> while touting their own proxy/packet firewall as good as or better than "the
> rest of the world". Problem is, checkpoint/Nokia is a far better technical
> solution compared to MS ISA (MS bigots take a deep breath and count to ten).

All firewalls have issues, ISA and Checkpoint included (neither would be
on my list of preferred generic solutions, but I could see using either
for specific point cases.)

> I asked the MS admin to single home his ISA or forget about ISA altogether
> and just run a front end server in the web dmz. The idea of breaking our
> Checkpoint architecture with an ISA that multihomes between the internal
> network and our web dmz is just too much to ask a decent security admin,
> don't you think? Now I need ammunition to press the point home.
>

Your security policy should address what gets dual homed, and what
characteristics, administrator and functionality it should have.

If it doesn't then you need to update your security policy.

> A few questions:
>
> ii) Scrap the ISA server, I think the front end server should be on the web
> dmz. Does everyone agree with this? Yes, I know I have to open up all those
> nasty MS ports but at least I can restrict it to talking to the DCs and a
> few other boxes - those would be hardened machines anyways.

I wouldn't put OWA on the Internet without some sort of 3rd party
protection. A VPN, external firewall authentication...

> iii) I think the MS admin should just run a front end server internally and
> also another front end server on the web dmz. That way, you can harden the
> web dmz machine properly but don't have to worry about the one that's only
> for internal use (ok not too much worry). Make sense?

Dictionary attacks are still an issue. I'm sure there are other issues,
but that's fundamentally major enough to stop there IMO.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul_at_compuwar.net which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Jan 20 2005
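Paul's point that dictionary attacks against an Internet-facing OWA front end remain a problem regardless of where the box sits is something the front end's own web server logs can at least make visible. The following is an added example, not code from the firewall-wizards thread or from Microsoft: it parses IIS W3C-format log lines (the field names follow the standard W3C extended log header; the log lines themselves are constructed here, not real traffic) and flags any client address that racks up a threshold of HTTP 401 responses against the OWA virtual directory inside a sliding time window. The threshold, window and the `/exchange/` path are assumptions chosen for the example.

```python
"""Added example (not part of the firewall-wizards post): flag password
dictionary attacks against an OWA front end by counting HTTP 401 responses
per source address inside a sliding window, over constructed IIS W3C logs."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in IIS W3C extended format. The addresses are
# documentation ranges (RFC 5737); nothing here is real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs-username
2005-01-18 21:30:01 203.0.113.5 GET /exchange/ 401 -
2005-01-18 21:30:03 203.0.113.5 GET /exchange/ 401 -
2005-01-18 21:30:05 198.51.100.7 GET /exchange/ 401 -
2005-01-18 21:30:06 203.0.113.5 GET /exchange/ 401 -
2005-01-18 21:30:08 198.51.100.7 GET /exchange/ 200 jsmith
2005-01-18 21:30:09 203.0.113.5 GET /exchange/ 401 -
2005-01-18 21:30:12 203.0.113.5 GET /exchange/ 401 -
2005-01-18 21:30:15 203.0.113.5 GET /exchange/ 401 -
2005-01-18 21:31:00 192.0.2.9 GET /exchange/ 401 -
2005-01-18 21:33:30 192.0.2.9 GET /exchange/ 401 -
2005-01-18 21:36:00 192.0.2.9 GET /exchange/ 401 -
"""

OWA_PATH = "/exchange/"  # assumed OWA virtual directory


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields header.

    Lines that precede the header or whose field count does not match the
    header are skipped rather than guessed at."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue
        rec = dict(zip(fields, parts))
        rec["ts"] = datetime.strptime(
            rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        yield rec


def detect_dictionary_attacks(text, threshold=5, window=timedelta(minutes=1)):
    """Return {client_ip: timestamp} for every client whose 401 responses on
    the OWA path reach `threshold` within any span of length `window`.

    The timestamp is the moment the client first crossed the threshold, which
    is what an analyst wants to pivot on in the surrounding logs."""
    recent = defaultdict(deque)  # per-client timestamps of recent 401s
    flagged = {}
    for rec in parse_w3c(text):
        if rec["sc-status"] != "401":
            continue
        if not rec["cs-uri-stem"].lower().startswith(OWA_PATH):
            continue
        ip = rec["c-ip"]
        q = recent[ip]
        q.append(rec["ts"])
        # Drop failures that have aged out of the sliding window.
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = rec["ts"]
    return flagged


if __name__ == "__main__":
    for ip, when in detect_dictionary_attacks(SAMPLE_LOG).items():
        print(f"{ip} crossed the failed-auth threshold at {when:%Y-%m-%d %H:%M:%S}")
```

Only 203.0.113.5 is reported: 198.51.100.7 fails once and then logs in, and 192.0.2.9 spreads three failures over five minutes, which never reaches the threshold inside a one-minute window. The threshold needs tuning per site, because with Basic or NTLM authentication the first request for a protected URL always draws a 401 challenge before the browser sends credentials, so even a wholly legitimate user base produces a steady baseline of 401s; the slow-and-low pattern from 192.0.2.9 is exactly what a longer window or a per-username count would be needed to catch.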
