Re: PIX -> ISA -> OWA Configuration

[Victor Williams <vbwilliams () neb rr com>]

Rhetorical questions to that long-winded wrong assumption...

When did a "correctly implemented VPN solution" include all of layers 2 
and 3?  Who said anything about "full VPN access"?

You know what assumptions make right?

Victor Williams


Jeremiah Cornelius wrote:

> > > I've found personally that a correctly implemented VPN solution is
> > >      
> 1000
>  
>
> > > times better than trying to get OWA deployed and *safe*.
> > >      
>
> There is real foolishness in the VPN suggestion - offering all of layers
> 2 and 3 to remote clients for the sake of a single application. This is
> weak science, and "architecture by anecdote".
>
> Taken as a proposed method for limiting attack surface, I think that it
> needs serious re-examination!
>
> Give me a threat model for full network client access, vs. that of an
> application inspection firewall, proxying SSL - such as ISA 2004.  Good!
> Notice anything? Now supply me with motivated attackers.  OWA/ISA is the
> safest bet for remote access of Exchange systems, and this can be
> quantified using models, not by asserting a bias, or making category
> generalizations.
>
> The only people who should ever get full VPN access are systems and
> network administrators, with a demonstrated need.  They should be
> subject to extensive logging, and a separate audit. There are
> application-oriented solutions that meet the needs of other users,
> without a "default allow" policy.  I often despair, that we will spend
> the next 20 years rolling-back the broad remote access that was granted
> over the last 10.
>
> Jeremiah Cornelius
> CISSP, ISSAP, CCNA, MCSE+S
>
>  

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards