Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

firewall-wizards logo Firewall Wizards mailing list archives

Re: PIX -> ISA -> OWA Configuration
From: Kevin <kkadow () gmail com>
Date: Tue, 3 May 2005 12:59:56 -0500
-----Original Message-----
What is the preferred placement for a OWA front-end server given these
two possible network configurations and why?

1) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==> [PIX Firewall]
<==> [OWA] <==> [Internal Net w/Exchange Svr]

2) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==> [OWA] <==>
[PIX Firewall] <==> [Internal Net w/Exchange Svr]


None of the above.  Use a second, different firewall to control the
Windows-protocol communication between the OWA server and your
internal trusted network, like so:

3) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==>
[OWA with Host-based IPS] <==> [Different Firewall] <==>
[Internal Exchange Svr with Host-based IPS]

In this scenario, any one element in the path can be vulnerable
at any moment in time and the internal resources remain protected.

Of course the next question is if you are going to this extreme,
why involve the Microsoft ISA proxy at all?  Why not just replace
the " [PIX Firewall] <==> [ISA Proxy] <==>" part of the chain
with a more complex firewall capable of handling the combined
tasks of SSL acceleration and URL filtering?
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]