And how precisely is the PIX going to prevent a directory traversal?
Also, with an ISA firewall interposed, how could a directory traversal
attack be possible?


Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls


-----Original Message-----
From: firewall-wizards-admin@honor.icsalabs.com
[mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Jason
Gomes
Sent: Tuesday, May 03, 2005 12:59 AM
To: Paul Melson
Cc: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] PIX -> ISA -> OWA Configuration

Definitely? Under #1 it seems like something as simple as a directory
traversal attack against IIS/OWA that manages to get through ISA leaves
your entire internal network exposed. Under #2 it appears to me that an
attacker would need at the very least a second exploit to gain further
access to the trusted network.

Paul Melson wrote:
> #1, definitely. The whole reason to use ISA proxy with a front-end/back-end
> OWA setup is to reduce the amount of holes that must be punched in the
> firewall. Since the OWA server must be a member of the domain, it requires
> an exhaustive list of ports be open between itself and the Exchange server
> as well as at least one domain controller. With the ISA proxy, it's 443 in,
> 443 out (or 80 out if you don't want/need to encrypt the traffic between the
> ISA and OWA servers).
>
> PaulM
>
> -----Original Message-----
> From: firewall-wizards-admin@honor.icsalabs.com
> [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Jason Gomes
> Sent: Sunday, May 01, 2005 2:14 AM
> To: firewall-wizards@honor.icsalabs.com
> Subject: [fw-wiz] PIX -> ISA -> OWA Configuration
>
> What is the preferred placement for an OWA front-end server given these two
> possible network configurations and why?
>
> 1) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==> [PIX Firewall] <==> [OWA] <==> [Internal Net w/Exchange Svr]
>
> 2) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==> [OWA] <==> [PIX Firewall] <==> [Internal Net w/Exchange Svr]
>
> Notes:
> The ISA server is performing a reverse proxy for HTTPS connections.
> In #1, the backend firewall will only allow port 443 through to OWA.
> In #2, all ports required for OWA to communicate with the internal Exchange
> server are allowed.
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/li...rewall-wizards