On Sunday, May 01, 2005 1:14 AM, Jason Gomes asked:

What is the preferred placement for an OWA front-end server given these two
possible network configurations, and why?

Setup 1) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==> [PIX Firewall]
<==> [OWA] <==> [Internal Net w/Exchange Svr]

Setup 2) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==> [OWA] <==>
[PIX Firewall] <==> [Internal Net w/Exchange Svr]


I don't think we are that far apart because I agree 100% with the need to
protect the OWA box with as many controls as possible. In Setup 1, we have:
1. Placed 2 FWs between the OWA box and the uncontrolled Internet.
2. Restricted access to the ISA via FW-1 ACLs.
3. Restricted (Filtered) the required access to the OWA box to only HTTPS by
two devices: ISA & FW-2.
4. Restricted the HTTPS access to only 'validated' domain addresses via the

I have always taken the position that if a hacker gains access to one box on
a network subnet then he has the ability to gain access to all on that
I.e. in Setup 2, if he 'cracks' either the ISA OR the OWA then he gains a
map of that subnet and therefore can work on cracking the other boxes there,
either from the box he already 'controls' or because he now 'knows' the
direct IP of the other boxes and can attack them directly. From there he can
move on to the next gateway device, etc., etc.

Because in these cases he specifically stated that:

The ISA server is performing a reverse proxy for HTTPS connections.
In #1, the backend firewall will only allow port 443 through to OWA.
In #2, all ports required for OWA to communicate with the internal
Exchange server are allowed.

Setup 1 gives the 'best' option by:
1. Configuring the ISA server to exist as a stand-alone box with 'no contact'
to the internal network by having it in its own domain that is NOT part of the
internal Active Directory (AD) tree.
2. Configuring the ISA box to strictly pass any inbound traffic only to
the OWA interface via HTTPS through the 'internal' firewall.
3. Setting the ISA box to restrict the HTTPS traffic to sources from
'validated' domain addresses.
4. Setting the FWs with very restricted inbound ACLs to support the ISA.

He could also use the ISA to 'filter' outbound Internet access based on
various factors such as 'bad word' lists or prohibited domains. If he tries
to do anything else, such as Internet access control based on Active
Directory (AD) security group membership, all the rules change. As soon as he
does this he will have to open the AD replication/access ports to support
that access control, thus making the situation almost as bad as putting the
OWA server between the two firewalls. In that case I would have to rethink
the whole setup.

You are correct with the lock down of the dynamic RPC ports. Cisco has a
'white paper' that discusses which ports to allow to support 'limited'
access to AD through a PIX. By moving the OWA behind FW-2 and restricting
access via only HTTPS we have reduced the 'exposure' to the minimum possible
risk level.

But I'm starting to ramble so I'll stop here. I hope you now understand my
reasoning for picking Setup 1.
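Added example, not code from the original post or from the list: a small Python model of the two placements as described above. Hosts, subnets, listening services, port numbers and firewall permits are constructed assumptions that follow the thread's description (in Setup 1 the back-end PIX passes only HTTPS from the ISA to OWA; in Setup 2 OWA shares the DMZ with the ISA and the Exchange/AD ports are opened inward). It computes what each box can connect to directly, so the "one box on a subnet gives you the subnet" argument and the 443-only back-end rule can be compared side by side.

```python
"""Exposure model of the two OWA placements from the thread.

Added example, not code from the original post. Hosts, subnets, listening
services, port numbers and firewall rules below are constructed assumptions
that follow the thread's description: in Setup 1 the back-end PIX passes only
HTTPS from the ISA to OWA; in Setup 2 OWA shares the DMZ with the ISA and the
Exchange/AD ports have to be opened to the internal network.
"""

# Assumed port numbers for the services the thread names.
HTTPS = 443
RPC_EPM = 135      # MS-RPC endpoint mapper (Exchange / AD)
SMB = 445          # SMB/CIFS (AD)
LDAP = 389         # AD directory access
RPC_DYN = 5000     # stand-in for one port of the "dynamic RPC" range
OWA_TO_EXCHANGE = {RPC_EPM, SMB, LDAP, RPC_DYN}

# Services each box listens on (constructed).
SERVICES = {
    "isa": {HTTPS},
    "owa": {HTTPS, RPC_EPM, SMB},
    "exchange": {RPC_EPM, SMB, LDAP, RPC_DYN},
    "dc": {RPC_EPM, SMB, LDAP, RPC_DYN},
}

# host -> subnet. Setup 1: PIX <=> ISA <=> PIX <=> [OWA + internal net].
SETUP1 = {"internet": "outside", "isa": "dmz",
          "owa": "inside", "exchange": "inside", "dc": "inside"}
# Setup 2: PIX <=> [ISA + OWA] <=> PIX <=> internal net.
SETUP2 = {"internet": "outside", "isa": "dmz",
          "owa": "dmz", "exchange": "inside", "dc": "inside"}

# Firewall permits as (src, dst, port); anything else crossing a subnet
# boundary is denied. Same-subnet traffic never crosses a firewall.
RULES1 = {("internet", "isa", HTTPS), ("isa", "owa", HTTPS)}
RULES2 = ({("internet", "isa", HTTPS), ("isa", "owa", HTTPS)}
          | {("owa", "exchange", p) for p in OWA_TO_EXCHANGE}
          | {("owa", "dc", p) for p in OWA_TO_EXCHANGE})


def directly_reachable(topology, rules, from_host):
    """Map of host -> ports that from_host can open a connection to.

    A host on the same subnet exposes every service it listens on (there is
    no firewall in the path); a host on another subnet exposes only the
    services a rule explicitly permits from from_host.
    """
    reachable = {}
    for host, services in SERVICES.items():
        if host == from_host:
            continue
        if topology[host] == topology[from_host]:
            ports = set(services)
        else:
            permitted = {p for s, d, p in rules if s == from_host and d == host}
            ports = services & permitted
        if ports:
            reachable[host] = ports
    return reachable


def exposure(topology, rules, from_host):
    """Crude blast-radius figure: number of (host, port) pairs from_host can hit."""
    return sum(len(p) for p in directly_reachable(topology, rules, from_host).values())


def compare(foothold):
    """Exposure from a compromised `foothold` box under both setups."""
    return {"setup1": exposure(SETUP1, RULES1, foothold),
            "setup2": exposure(SETUP2, RULES2, foothold)}


if __name__ == "__main__":
    for foothold in ("internet", "isa", "owa"):
        scores = compare(foothold)
        print(f"foothold={foothold:8s} setup1={scores['setup1']:2d} "
              f"setup2={scores['setup2']:2d}")
        for name, topo, rules in (("setup1", SETUP1, RULES1),
                                  ("setup2", SETUP2, RULES2)):
            print(f"  {name}: {directly_reachable(topo, rules, foothold)}")
```

Run stand-alone it prints the reachable services for each foothold under both setups. The comparison that supports the argument above is the ISA foothold: one reachable pair (OWA on 443) in Setup 1 against the whole OWA service set in Setup 2. A foothold on the OWA box itself scores nearly the same in both models, which is the objection raised in the reply quoted below.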

-----Original Message-----
From: Ben Nagy [mailto:ben@iagu.net]
Sent: Tuesday, May 03, 2005 1:46 PM
To: sanford.reed@reed-assoc-llc.com
Subject: RE: [fw-wiz] PIX -> ISA -> OWA Configuration

OK, in that case we're on different planets. Any architecture with no
controls between the (as you say) hackable OWA box and the Internal network
is not one I'd subscribe to.

I've done all this before too, but a long time ago. Back then you could lock
down the dynamic RPC ports to a smallish range and so it was only the
SMB/CIFS/AD traffic to the domain controller to really fret about.

Oh well.
> -----Original Message-----
> From: Sanford Reed [mailto:sanford.reed@cox.net]
> Sent: Tuesday, May 03, 2005 6:18 PM
> To: 'Ben Nagy'
> Subject: RE: [fw-wiz] PIX -> ISA -> OWA Configuration
> I'm for Pix <=> ISA <=> PIX <=> Internal network (with OWA, etc)

> -----Original Message-----
> From: Ben Nagy [mailto:ben@iagu.net]

> Would adding a firewall to [2] between ISA and OWA make you happy?
> In other words, maybe we're arguing about the lesser of two evils...
> ben
> > -----Original Message-----
> > From: Sanford Reed [mailto:sanford.reed@cox.net]

> > I'm actually assuming that the OWA box is more hackable

firewall-wizards mailing list