Firewall Wizards mailing list archives
Re: Exchange 2003 OWA security questions
From: "Paul D. Robertson" <paul () compuwar net>
Date: Fri, 21 Jan 2005 15:42:03 -0500 (EST)
On Wed, 19 Jan 2005, Darryl Luff wrote:
> Sorry, I haven't used ISA since it was Proxy Server 2, so I may have it

[Note that I'm not defending ISA here] Proxy Server was mostly a different beast; I wouldn't put much value in statements comparing the two.

> wrong. But if ISA is just proxying or port forwarding the connection to the internal server, it's really not providing any security value. It's still effectively plugging the incoming connection straight through to the internal server. The only way I could see it being of value is if it's doing a first level authentication of connections before allowing the connection through, and it has its own user database. At least then it's protecting your corporate user accounts from brute force attacks. But then people would need to authenticate twice to use it - once to ISA and again to the internal server.

That depends on how much is going on during the proxying - IMO (and I'm certainly not an ISA expert, though I've dealt with them) ISA is better for outbound proxying, given the socks-ish per-application stuff you can do with it, than it is for inbound proxying. I certainly wouldn't put one out on the Internet on its own at this stage, but that's mostly from general discomfort of how much "legacy" stuff ISA seems to contain.

> I used the old MS Proxy 2 single homed, but was only using it as an outgoing web proxy then.

Still the best use for one IMO.

>> ii) Scrap the ISA server, I think the front end server should be on the web dmz. Does everyone agree with this? Yes, I know I have to open up all those nasty MS ports but at least I can restrict it to talking to the DC's and a few other boxes - those would be hardened machines anyways.
>
> But this exposes your corporate user accounts on the DMZ.

I agree, this is a VPN solution looking to happen.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards