Responses in-line, BBS style (who's grumpy and old now?).

-----Original Message-----
> Subject: RE: [fw-wiz] PIX -> ISA -> OWA Configuration
>
> Post order fixed, response inline.
>
>
>
> > -----Original Message-----

> [Jason Gomes]
> [...]
> >
> > What is the preferred placement for an OWA front-end server given
> > these two possible network configurations and why?
> >
> > 1) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==> [PIX
> > Firewall] <==> [OWA] <==> [Internal Net w/Exchange Svr]
> >
> > 2) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==> [OWA] <==>
> > [PIX Firewall] <==> [Internal Net w/Exchange Svr]

>
> [Paul Melson at least has courage of his convictions]
> > #1, definitely.

>
> Wow, this may be the first time I recall disagreeing with you, Paul...
>
> [Sanford Reed hides behind Microsoft documentation ;]
> > Per MS (Using Microsoft Exchange 2000 Front-End Servers.pdf -
> > available from MS TechNet) it is configuration 1).

>
> Once again proving that while MS have made a lot of progress in
> security some of their authors still have no idea what they are doing.
> The problem is that people get too excited about their architecture
> diagrams.

I think maybe MS is finally eating their own dog food and understanding
where the vulnerabilities are in their products. Which is why I think
some people on the list are having a hard time with this one. See, those
that lean toward #2 may not already understand that placing a firewall in
between an OWA server and the rest of the AD/Exchange infrastructure is
pointless. If you didn't have that piece of information (and it's not in
the product docs, at least not that bluntly), you would assume that the
application flow was:

[client] -> [proxy] -> [websrv] -> [db]

When in reality, it is:

[client] -> [proxy] -> [mess]


> I always internally parse these diagrams as:
>
> [spaghetti] --> [hackable box] --> [pot of gold]
>
> In 1) there are no controls at all between the hackable box and the
> pot of gold. In 2) there is.

Correct logic applied to incorrect assumptions still yields incorrect
results. :-) You incorrectly assume that you can place controls between
the hackable box and the pot of gold, when in fact the whole analogy is
wrong in this case. My analogy is that OWA, Exchange, and AD are
conjoined triplets and they all share one liver.

Because the OWA server must have Exchange installed on it and be a
member of AD, it must also be able to initiate RPC, DNS, HTTP, LDAP,
SMB/NetBIOS, and port ranges ad nauseam for DCOM to a variety of
internal servers. All you will gain from forcing this traffic through a
firewall is a jaded view of Windows networking and a throbbing headache.
Network security will not improve.

So cut your losses, implement option #1 and enforce access controls
where you can, between the possibly-vulnerable proxy server and the
t0t4lly-pwn4bl3 web server.


> But hey, you could throw another firewall into 2) if you want. And
> maybe an IPS as well. A red one, even.

Appliances make it all better, especially brightly colored ones with
cool LED displays. And don't forget to use the red cables so the bad
packets know where to stay.

PaulM

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/li...rewall-wizards