Firewall Wizards: Re: Exchange 2003 OWA security questions

Re: Exchange 2003 OWA security questions

From: Paul D. Robertson <paul_at_compuwar.net>
Date: Fri, 21 Jan 2005 15:42:03 -0500 (EST)

On Wed, 19 Jan 2005, Darryl Luff wrote:

> Sorry, I haven't used ISA since it was Proxy Server 2, so I may have it

[Note that I'm not defending ISA here]

Proxy Server was mostly a different beast, I wouldn't put much value in
statements comparing the two.

> wrong. But if ISA is just proxying or port forwarding the connection to
> the internal server, it's really not providing any security value. It's
> still effectively plugging the incoming connection straight through to
> the internal server. The only way I could see it being of value is if
> it's doing a first level authentication of connections before allowing
> the connection through, and it has its own user database. At least then
> it's protecting your corporate user accounts from brute force attacks.
> But then people would need to authenticate twice to use it - once to ISA
> and again to the internal server.

That depends on how much is going on during the proxying. IMO (and I'm
certainly not an ISA expert, though I've dealt with them) ISA is better
for outbound proxying, given the socks-ish per-application stuff you can
do with it, than it is for inbound proxying.

I certainly wouldn't put one out on the Internet on its own at this stage,
but that's mostly from general discomfort with how much "legacy" stuff ISA
seems to contain.

> I used the old MS Proxy 2 single homed, but was only using it as an
> outgoing web proxy then.

Still the best use for one IMO.

> > ii) Scrap the ISA server, I think the front end server should be on the web
> > dmz. Does everyone agree with this? Yes, I know I have to open up all those
> > nasty MS ports but at least I can restrict it to talking to the DCs and a
> > few other boxes - those would be hardened machines anyway.
>
> But this exposes your corporate user accounts on the DMZ.

I agree, this is a VPN solution looking to happen.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul_at_compuwar.net which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Jan 21 2005
