I totally agree with your assessment, however, my question is to
determine the best theoretical placement for the back-end firewall no
matter what type of firewall is used.
If you had limited resources and were limited to using the devices
outlined below, what would be your preferred network topology?

Kevin wrote:
>>>-----Original Message-----
>>>What is the preferred placement for a OWA front-end server given these
>>>two possible network configurations and why?
>>>
>>>1) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==> [PIX Firewall]
>>><==> [OWA] <==> [Internal Net w/Exchange Svr]
>>>
>>>2) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==> [OWA] <==>
>>>[PIX Firewall] <==> [Internal Net w/Exchange Svr]

>
>
> None of the above. Use a second, different firewall to control the
> Windows-protocol communication between the OWA server and your
> internal trusted network, like so:
>
> 3) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==>
> [OWA with Host-based IPS] <==> [Different Firewall] <==>
> [Internal Exchange Svr with Host-based IPS]
>
> In this scenario, any one element in the path can be vulnerable
> at any moment in time and the internal resources remain protected.
>
> Of course the next question is if you are going to this extreme,
> why involve the Microsoft ISA proxy at all? Why not just replace
> the " [PIX Firewall] <==> [ISA Proxy] <==>" part of the chain
> with a more complex firewall capable of handling the combined
> tasks of SSL acceleration and URL filtering?
>

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/li...rewall-wizards