Firewall Wizards
mailing list archives
RE: PIX -> ISA -> OWA Configuration
From: Mark Tinberg <mtinberg () securepipe com>
Date: Tue, 3 May 2005 18:25:52 -0500 (CDT)
On Tue, 3 May 2005, Ben Nagy wrote:
> -----Original Message-----
> [Jason Gomes]
> [...]
> > What is the preferred placement for a OWA front-end server
> > given these two possible network configurations and why?
> > 1) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==> [PIX
> > Firewall] <==> [OWA] <==> [Internal Net w/Exchange Svr]
> > 2) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==> [OWA]
> > <==> [PIX Firewall] <==> [Internal Net w/Exchange Svr]
> I always internally parse these diagrams as:
> [spaghetti] --> [hackable box] --> [pot of gold]
> In 1) there are no controls at all between the hackable box and the pot of
> gold. In 2) there is.
I ask the question, are the security controls between OWA -> Internal
DC/Exchange really helpful? Depending on the filtering you have available
there may be very little benefit to having the OWA box on one or the other
side of the PIX, as the OWA box needs to be a domain member and have legit
access to the "pot of gold". Without an MS-RPC proxy you're basically
giving OWA full access to Exchange and the DC anyway, but you are making a
lot of pomp and circumstance with a bunch of firewall rules to support it.
It'd be better (although the original poster probably can't sell this to
his management) to drop the "requirement" for OWA in the first place.
Find out what the users really _need_ to do, if they don't need remote
access then it's easy, if all they really really need is mail then find
another (better) webmail client that runs over IMAP which may be easier to
proxy and monitor.
--
Mark Tinberg <MTinberg () securepipe com>
Network Administrator, SecurePipe Inc.
Key fingerprint = FAEF 15E4 FEB3 08E8 66D5 A1A1 16EE C5E4 E523 6C67