Firewall Wizards mailing list archives

Re: Exchange 2003 OWA security questions


From: "Paul D. Robertson" <paul () compuwar net>
Date: Fri, 21 Jan 2005 15:42:03 -0500 (EST)

On Wed, 19 Jan 2005, Darryl Luff wrote:

Sorry, I haven't used ISA since it was Proxy Server 2, so I may have it

[Note that I'm not defending ISA here]

Proxy Server was mostly a different beast, I wouldn't put much value in
statements comparing the two.

wrong. But if ISA is just proxying or port forwarding the connection to
the internal server, it's really not providing any security value. It's
still effectively plugging the incoming connection straight through to
the internal server. The only way I could see it being of value is if
it's doing a first-level authentication of connections before allowing
the connection through, and it has its own user database. At least then
it's protecting your corporate user accounts from brute force attacks.
But then people would need to authenticate twice to use it - once to ISA
and again to the internal server.

That depends on how much is going on during the proxying- IMO (and I'm
certainly not an ISA expert, though I've dealt with them) ISA is better
for outbound proxying, given the socks-ish per-application stuff you can
do with it than it is for inbound proxying.

I certainly wouldn't put one out on the Internet on its own at this stage,
but that's mostly from general discomfort of how much "legacy" stuff ISA
seems to contain.

I used the old MS Proxy 2 single homed, but was only using it as an
outgoing web proxy then.

Still the best use for one IMO.

ii) Scrap the ISA server, I think the front end server should be on the web
dmz. Does everyone agree with this? Yes, I know I have to open up all those
nasty MS ports but at least I can restrict it to talking to the DCs and a
few other boxes - those would be hardened machines anyways.


But this exposes your corporate user accounts on the DMZ.

I agree, this is a VPN solution looking to happen.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

