Firewall Wizards mailing list archives
RE: Single Exchange/OWA on LAN with Internet Access - a good
From: "Behm, Jeffrey L." <BehmJL () bvsg com>
Date: Thu, 17 Nov 2005 11:31:42 -0600
The DMZ server (i.e. reverse proxy-type server) should be able to do more than just port filtering and *shouldn't* require all those ports to be open. It should be able to do various application-level checks as well, before the request makes it into your network. Look at CipherTrust's IronWebMail front end (that sits in a DMZ) for example. It does more than just port filtering and doesn't require a ton of open ports through the firewall, just normal web traffic. Other "reverse-proxy" front ends should behave similarly, although perhaps not as robustly.

*DON'T* let your MS admins dictate the security of the network. If you do, you'd be better off just putting the Exchange servers directly on the Internet ;-)... <sarcasm>It'd be just as secure, faster (due to no firewall latency), and have fewer configuration issues.</sarcasm>

Jeff

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Ravdal, Stig
Sent: Thursday, November 17, 2005 9:50 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good

Hi everyone,

I hope that someone has been through this before and has some substantial arguments for/against:

Our MS admins are proposing to implement single OWA/Exchange servers on the LAN and allow access directly to the server through the firewall. The primary reason for doing it this way is to reduce the cost of the front-end server that would otherwise reside in a DMZ. Their argument is that with OWA 2003 you have to have a bunch of ports open anyway, so what is the reason to put a front-end server in the DMZ - if that server were compromised they would practically have access to the network anyway. With the OWA/Exchange server inside the firewall, access from the Internet can be limited to 80 and/or 443 only.

My concern is that with the next OWA vulnerability someone will own the server in the DMZ through a single exploit. However, I cannot find anything that suggests that the front-end server solution is really any more secure. Yeah, it's another hop, but it would be an easy one as soon as the front-end server is compromised.

Thoughts?

Thanks,
Stig

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
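The application-level checks Jeff describes above, as an added example that is not part of the thread, of CipherTrust's product, or of any other product mentioned in it. It sketches what a DMZ reverse proxy can decide per request before anything is forwarded to the internal Exchange/OWA server: restrict HTTP methods, require the published Host name, fully percent-decode the path so double-encoded traversal is seen the way the backend would see it, and allow only the OWA virtual directories. The host name mail.example.com, the method set, the directory list and the size limit are assumptions for the example, not values from the thread; in particular some OWA versions need WebDAV methods from the browser, so the method set must be checked against the real deployment.

```python
"""Application-layer request filter of the kind a DMZ reverse proxy applies
before forwarding anything to an internal OWA/Exchange server.

Added example; not code from the thread, from CipherTrust, or from any
other product it mentions.  Only plain web traffic (80/443) reaches the
proxy, and the proxy decides per request whether it is worth forwarding.
"""
from urllib.parse import unquote, urlsplit

# Assumptions for this example; adjust to the real deployment.
EXPECTED_HOST = "mail.example.com"                 # public name of the OWA front end
ALLOWED_METHODS = {"GET", "POST"}                  # assumed minimum; extend if the OWA
                                                   # version issues WebDAV methods
ALLOWED_PREFIXES = ("/exchange/", "/exchweb/", "/public/")  # assumed OWA virtual dirs
MAX_TARGET_LEN = 2048                              # reject absurdly long request targets


def fully_decode(s, rounds=3):
    """Percent-decode until the string stops changing, so %252e-style
    double encoding is seen the way the backend would eventually see it."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            return s
        s = decoded
    return s


def check_request(method, target, headers):
    """Return (allowed, reason); reason is 'ok' or the name of the failed check.

    method: HTTP method; target: request-target from the request line;
    headers: dict of request headers (only Host is consulted here).
    """
    if method.upper() not in ALLOWED_METHODS:
        return False, "method"
    if len(target) > MAX_TARGET_LEN:
        return False, "length"
    # Only answer for the name we publish; drop requests aimed at other hosts.
    host = headers.get("Host", "").split(":")[0].strip().lower()
    if host != EXPECTED_HOST:
        return False, "host"
    path = fully_decode(urlsplit(target).path)
    # NUL bytes, backslashes and relative paths have no place in an OWA URL.
    if "\x00" in path or "\\" in path or not path.startswith("/"):
        return False, "encoding"
    segments = path.split("/")
    if ".." in segments:
        return False, "traversal"
    # Drop '.' and empty segments, then compare case-insensitively
    # (IIS paths are case-insensitive, so the backend treats them alike).
    norm = "/" + "/".join(s for s in segments if s and s != ".")
    lowered = norm.lower()
    if not any(lowered == p.rstrip("/") or lowered.startswith(p) for p in ALLOWED_PREFIXES):
        return False, "path"
    return True, "ok"


# Constructed sample requests (not captured traffic) to show the filter at work.
SAMPLE_REQUESTS = [
    ("GET", "/exchange/?Cmd=contents", {"Host": "mail.example.com"}),
    ("GET", "/EXCHWEB/img/logo.gif", {"Host": "mail.example.com:443"}),
    ("GET", "/exchange/%2e%2e/%2e%2e/winnt/system32/cmd.exe", {"Host": "mail.example.com"}),
    ("GET", "/exchange/..%255c..%255cwinnt/system32/cmd.exe", {"Host": "mail.example.com"}),
    ("TRACE", "/exchange/", {"Host": "mail.example.com"}),
    ("GET", "/scripts/iisadmin/", {"Host": "mail.example.com"}),
    ("GET", "/exchange/", {"Host": "10.0.0.5"}),
]


def run_samples():
    """Evaluate SAMPLE_REQUESTS; returns a list of (method, target, allowed, reason)."""
    return [(m, t) + check_request(m, t, h) for m, t, h in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for method, target, allowed, reason in run_samples():
        print(f"{'FORWARD' if allowed else 'DROP   '} {reason:<10} {method} {target}")
```

The point of decoding to a fixed point before matching is that a single `unquote` would leave `..%255c` as `..%5c`, which contains no `..` segment and no backslash and would slip past a naive prefix check, while the IIS backend would decode it again. Whatever the real proxy is, it needs to canonicalise the way the backend does before it compares against its allow list.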
Current thread:
- Single Exchange/OWA on LAN with Internet Access - a good Ravdal, Stig (Nov 17)
- Re: Single Exchange/OWA on LAN with Internet Access - a good Paul D. Robertson (Nov 17)
- Re: Single Exchange/OWA on LAN with Internet Access - a good Patrick M. Hausen (Nov 28)
- <Possible follow-ups>
- RE: Single Exchange/OWA on LAN with Internet Access - a good Thomas W Shinder (Nov 17)
- RE: Single Exchange/OWA on LAN with Internet Access - a good Paul Melson (Nov 21)
- RE: Single Exchange/OWA on LAN with Internet Access - a good Behm, Jeffrey L. (Nov 17)
- RE: Single Exchange/OWA on LAN with Internet Access - a good Ravdal, Stig (Nov 17)
- RE: Single Exchange/OWA on LAN with Internet Access - a good Kim, Cameron (Nov 21)
- RE: Single Exchange/OWA on LAN with Internet Access - a good Ravdal, Stig (Nov 21)
- RE: Single Exchange/OWA on LAN with Internet Access - a good Ravdal, Stig (Nov 21)
- RE: Single Exchange/OWA on LAN with Internet Access - a good Matt Bazan (Nov 21)
- Re: Single Exchange/OWA on LAN with Internet Access - a good Julian M D (Nov 28)
- RE: Single Exchange/OWA on LAN with Internet Access - a good Ravdal, Stig (Nov 28)
- Message not available
- RE: Single Exchange/OWA on LAN with Internet Access - a good Marcus J. Ranum (Nov 28)
- Message not available
- RE: Single Exchange/OWA on LAN with Internet Access - a good Ravdal, Stig (Nov 28)
- Re: Single Exchange/OWA on LAN with Internet Access - a good Julian M D (Nov 28)