Security Basics mailing list archives

Re: OWA security


From: Michael Gale <michael () bluesuperman com>
Date: Tue, 13 Jan 2004 21:39:34 -0700

Hello,

        I am no M$ expert (thank God) but I believe the ISA server is supposed
to be some form of security and authentication server. So you can have
multiple OWA servers to handle load and such things. Then the ISA server
is like a proxy between exchange, for authentication and security.

I think.

Michael.




On Tue, 13 Jan 2004 13:13:32 -0500
"Kollman, Christopher" <Christopher.Kollman () phlx com> wrote:

A question and small note. What is the purpose of the ISA server and
why is it connected to the internal network and the DMZ? Any requests
should route through the PIX server. The port 80 internal rule should
only allow outbound access to the webserver from the internal network,
so the exposure is not as great as the inbound access from the
Internet to the web server.

-----Original Message-----
From: Martin K. Lee - XML Consulting
[mailto:martin.lee () xmlconsulting com au]
Sent: Monday, January 12, 2004 9:47 PM
To: Beverly Kittens
Cc: security-basics () securityfocus com
Subject: RE: OWA security



Hi Beverly,

If you are serious about security you shouldn't use HTTP for OWA
access in the first place. HTTPS would help in this case (Well, be
aware of DoS though).

Well if you are adding a separate web server into the network, I would
suggest a firewall for separating the web server and the internal
network. You may like to consider removing the connection of the PIX
to the internal network and make a DMZ for the web server.

My 2 cents...

Martin K. Lee

-----Original Message-----
From: Beverly Kittens [mailto:beverlykittens () hotmail com] 
Sent: Wednesday, December 17, 2003 12:43 AM
To: MDunn () sscincorporated com
Cc: security-basics () securityfocus com
Subject: RE: OWA security



Thanks Mike

In fact we are using an ISA server.  Proposed config looks like this.

Internet
    |
+------+             +------------------+
| PIX  |-----+----- | OWA Server |
+------+     |       +------------------+
   |           |
   |     +---------------+
   |     | ISA Server |
   |     +---------------+
   |           |
----------------------------+---
internal network      |
                    +----------------------+
                    | Xchange server |
                    +----------------------+

I'm trying to determine if this is a sensible architecture, and I'm
still rather unclear about the function of the ISA server in this
context.

On a somewhat related topic:  What stops an attacker compromising the
web server then using it to attack an internal system?  Port 80 is
open from the Internet to the web server, and from the web server to
the internal systems.  Isn't this a huge security hole?


From: "Michael Dunn" <MDunn () sscincorporated com>
To: "Beverly Kittens" <beverlykittens () hotmail com>
CC: <security-basics () securityfocus com>
Subject: RE: OWA security
Date: Mon, 15 Dec 2003 14:38:40 -0500


Check out isaserver.org.

You may or may not be using ISA server as your firewall, but in
either case, there are several articles on 'best practices' for
securing an IIS/OWA server.

Regards,

-Mike

-----Original Message-----
From: Beverly Kittens [mailto:beverlykittens () hotmail com]
Sent: Monday, December 15, 2003 10:32 AM
To: security-basics () securityfocus com
Subject: OWA security



Hello list

My company is currently implementing OWA to provide users with access
to email from any Internet machine.  I'd like to see the OWA server
in a DMZ, but this is currently up for discussion.  Sometimes
operational stuff gets in the way of security....

Can anyone point me at a paper that describes the security
implications of OWA, particularly the network related issues please.
I'd also be interested to learn the difference between OWA and POP
architecture.

Thank you






---------------------------------------------------------------------
------ Ethical Hacking at InfoSec Institute. Mention this ad and get
$720 off any course! All of our class sizes are guaranteed to be 10
students or less. We provide Ethical Hacking, Advanced Ethical
Hacking, Intrusion Prevention, and many other technical hands on
courses. Visit us at http://www.infosecinstitute.com/securityfocus to
get $720 off any course!  
---------------------------------------------------------------------
-------






-- 
Hand over the Slackware CD's and back AWAY from the computer, your geek
rights have been revoked !!!

Michael Gale
Slackware user :)
Bluesuperman.com 
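As an added example (not code from any of the posters), a small first-match rule evaluator that answers Beverly's pivot question for the two rule sets discussed in the thread: the "port 80 open from the web server to the internal systems" set, and a set tightened the way Kollman suggests (internal network to web server only, DMZ to internal denied). All addresses are constructed, and the single OWA-to-Exchange rule is an assumption about what the front-end needs, not something the thread states.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # None = any port


def allowed(rules: List[Rule], src: str, dst: str, dport: int) -> bool:
    """First matching rule wins; no match means implicit deny (PIX-style)."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst) and r.dport in (None, dport):
            return r.action == "permit"
    return False


# Constructed addresses for the thread's topology (assumed, not from the mails)
OWA = "192.0.2.10"                                   # web server in the DMZ
EXCHANGE = "10.0.0.5"                                # Exchange server, internal
DMZ, INTERNAL = "192.0.2.0/24", "10.0.0.0/24"
INTERNAL_HOSTS = [EXCHANGE, "10.0.0.20", "10.0.0.21"]  # constructed sample hosts

# Rule set as Beverly describes it: port 80 open from the web server to internal systems
WEAK = [Rule("permit", DMZ, INTERNAL, 80)]

# Tightened per Kollman: only internal -> web server on 80, DMZ -> internal otherwise denied.
# The OWA -> Exchange line is an assumption (drop it if the front-end needs no back-end path).
TIGHT = [
    Rule("permit", INTERNAL, OWA + "/32", 80),
    Rule("permit", OWA + "/32", EXCHANGE + "/32", 80),
    Rule("deny", DMZ, INTERNAL, None),
]


def pivot_targets(rules: List[Rule], compromised: str = OWA,
                  ports=(80, 443, 25, 445)) -> List[str]:
    """Internal host:port pairs a compromised DMZ host could still reach under `rules`."""
    return sorted(f"{h}:{p}" for h in INTERNAL_HOSTS for p in ports
                  if allowed(rules, compromised, h, p))


if __name__ == "__main__":
    print("weak  :", pivot_targets(WEAK))    # every internal host on port 80
    print("tight :", pivot_targets(TIGHT))   # only the Exchange back-end on port 80
```

Running the policy through the checker before it is deployed shows the blast radius of a web-server compromise under each rule set; the same evaluator can be pointed at any other DMZ host or port list.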


