|
Firewall Wizards
mailing list archives
Re: PIX -> ISA -> OWA Configuration
From: Victor Williams <vbwilliams () neb rr com>
Date: Tue, 17 May 2005 19:03:33 -0500
Rhetorical questions to that long-winded wrong assumption...
When did a "correctly implemented VPN solution" include all of layers 2
and 3? Who said anything about "full VPN access"?
You know what assumptions make right?
Victor Williams
Jeremiah Cornelius wrote:
I've found personally that a correctly implemented VPN solution is
1000
times better than trying to get OWA deployed and *safe*.
There is real foolishness in the VPN suggestion - offering all of layers
2 and 3 to remote clients for the sake of a single application. This is
weak science, and "architecture by anecdote".
Taken as a proposed method for limiting attack surface, I think that it
needs serious re-examination!
Give me a threat model for full network client access, vs. that of an
application inspection firewall, proxying SSL - such as ISA 2004. Good!
Notice anything? Now supply me with motivated attackers. OWA/ISA is the
safest bet for remote access of Exchange systems, and this can be
quantified using models, not by asserting a bias, or making category
generalizations.
The only people who should ever get full VPN access are systems and
network administrators, with a demonstrated need. They should be
subject to extensive logging, and a separate audit. There are
application-oriented solutions that meet the needs of other users,
without a "default allow" policy. I often despair, that we will spend
the next 20 years rolling-back the broad remote access that was granted
over the last 10.
Jeremiah Cornelius
CISSP, ISSAP, CCNA, MCSE+S
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
 By Date 
By Thread
Current thread:
- Re: PIX -> ISA -> OWA Configuration, (continued)
|
Intro
