Firewall Wizards mailing list archives
Re: PIX -> ISA -> OWA Configuration
From: Victor Williams <vbwilliams () neb rr com>
Date: Tue, 17 May 2005 19:03:33 -0500
Rhetorical questions to that long-winded wrong assumption...

When did a "correctly implemented VPN solution" include all of layers 2 and 3? Who said anything about "full VPN access"?

You know what assumptions make right?

Victor Williams

Jeremiah Cornelius wrote:

I've found personally that a correctly implemented VPN solution is 1000 times better than trying to get OWA deployed and *safe*.

There is real foolishness in the VPN suggestion - offering all of layers 2 and 3 to remote clients for the sake of a single application. This is weak science, and "architecture by anecdote". Taken as a proposed method for limiting attack surface, I think that it needs serious re-examination!

Give me a threat model for full network client access, vs. that of an application inspection firewall, proxying SSL - such as ISA 2004. Good! Notice anything? Now supply me with motivated attackers.

OWA/ISA is the safest bet for remote access of Exchange systems, and this can be quantified using models, not by asserting a bias, or making category generalizations.

The only people who should ever get full VPN access are systems and network administrators, with a demonstrated need. They should be subject to extensive logging, and a separate audit. There are application-oriented solutions that meet the needs of other users, without a "default allow" policy.

I often despair, that we will spend the next 20 years rolling-back the broad remote access that was granted over the last 10.

Jeremiah Cornelius
CISSP, ISSAP, CCNA, MCSE+S