Firewall Wizards mailing list archives

Re: Exchange 2003 OWA security questions
From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 18 Jan 2005 21:32:27 -0500 (EST)

On Tue, 18 Jan 2005 MHawkins () TULLIB COM wrote:

> Our Microsoft admin wants to multihome an ISA server on our web dmz with the
> other NIC connected to our internal network to allow the ISA to talk to the
> internal MS OWA front end server which then talks to the exchange server
> (sheesh!). All this to allow users on the internet to access exchange via a
> web browser.

This also potentially allows attackers on the Internet to access exchange
via the Internet...

> I've read a lot of the documentation on the whole Windows 2003 Exchange web
> pages solution and I think Microsoft is trying to bad mouth other firewalls
> while touting their own proxy/packet firewall as good as or better than "the
> rest of the world". Problem is, Checkpoint/Nokia is a far better technical
> solution compared to MS ISA (MS bigots take a deep breath and count to ten).

All firewalls have issues, ISA and Checkpoint included (neither would be
on my list of preferred generic solutions, but I could see using either
for specific point cases.)

> I asked the MS admin to single home his ISA or forget about ISA altogether
> and just run a front end server in the web dmz. The idea of breaking our
> Checkpoint architecture with an ISA that multihomes between the internal
> network and our web dmz is just too much to ask a decent security admin,
> don't you think? Now I need ammunition to press the point home.


Your security policy should address what gets dual homed, and what
characteristics, administrator and functionality it should have.

If it doesn't then you need to update your security policy.

A few questions:

> ii) Scrap the ISA server, I think the front end server should be on the web
> dmz. Does everyone agree with this? Yes, I know I have to open up all those
> nasty MS ports but at least I can restrict it to talking to the DCs and a
> few other boxes - those would be hardened machines anyways.

I wouldn't put OWA on the Internet without some sort of 3rd party
protection.  A VPN, external firewall authentication...

> iii) I think the MS admin should just run a front end server internally and
> also another front end server on the web dmz. That way, you can harden the
> web dmz machine properly but don't have to worry about the one that's only
> for internal use (ok not too much worry). Make sense?

Dictionary attacks are still an issue.  I'm sure there are other issues,
but that's fundamentally major enough to stop there IMO.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
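Paul's closing point, that an Internet-facing OWA front end still leaves password guessing (dictionary attacks) as an open problem, is one you can at least detect at the front-end server. The following is an added example, not part of the original message and not Microsoft or ISA tooling: it reads IIS W3C-style log lines (constructed here for illustration), counts HTTP 401 responses on OWA paths per source address within a sliding time window, and flags sources that exceed a threshold. The field layout, the `/exchange` path prefix, the threshold, the window and the addresses are all assumptions made for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in IIS W3C extended log format with the fields
# "date time c-ip cs-method cs-uri-stem cs-username sc-status".
# These lines and addresses are made up for this example.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-username sc-status
2005-01-18 21:01:02 203.0.113.7 GET /exchange/ - 401
2005-01-18 21:01:03 203.0.113.7 GET /exchange/ - 401
2005-01-18 21:01:04 203.0.113.7 GET /exchange/ - 401
2005-01-18 21:01:05 203.0.113.7 GET /exchange/ - 401
2005-01-18 21:01:06 203.0.113.7 GET /exchange/ - 401
2005-01-18 21:01:07 203.0.113.7 GET /exchange/ CORP\\jsmith 200
2005-01-18 21:02:00 198.51.100.4 GET /exchange/ - 401
2005-01-18 21:02:05 198.51.100.4 GET /exchange/ CORP\\mhawkins 200
"""


def parse_iis_lines(text):
    """Yield (timestamp, client_ip, uri, status) for each data line.

    Directive lines starting with '#' and lines that do not match the
    assumed seven-field layout are skipped.
    """
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 7:
            continue
        date, clock, c_ip, _method, uri, _user, status = parts
        ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        yield ts, c_ip, uri, int(status)


def find_password_guessing(text, threshold=5, window_seconds=60,
                           path_prefix="/exchange"):
    """Return {client_ip: peak_failures} for sources that produced at least
    `threshold` HTTP 401 responses on `path_prefix` within any span of
    `window_seconds`. Assumes the log is in chronological order, which is
    how IIS writes it.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # per-source timestamps of recent 401s
    flagged = {}
    for ts, c_ip, uri, status in parse_iis_lines(text):
        if status != 401 or not uri.startswith(path_prefix):
            continue
        q = recent[c_ip]
        q.append(ts)
        # Drop failures that fell out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[c_ip] = max(flagged.get(c_ip, 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, count in find_password_guessing(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed OWA logins within 60s")
```

Note that basic authentication against OWA produces one 401 per attempt, so a burst of 401s from one source is a useful signal even before a lockout policy triggers; the threshold and window should be tuned against the normal failure rate of the real user population.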

