[EMAIL PROTECTED] wrote:
> [OWA woes - where to place servers, and should I go with IMP
>  instead?]

In this Microsoft world, this is one of the most common questions
that I get regarding firewall setups. (The most common one is 
probably "where do I put my Exchange server", and the answer
is "NOT in the DMZ. Put it on the internal network and put a 
SECURE mail forwarder in the DMZ.")

Considering the huge and clunky RPC API that OWA uses to communicate
with Exchange, I'd consider that a big problem in and of itself, no 
matter which ports you manage to restrict the RPC calls to.

Weak spots are:

* The IIS+OWA server (lots of ASP code, lots of API calls, 
    lots of places to screw up)
* The communications layer, if the web server is r00ted (RPC 
  calls... ewwww. I wonder how many undiscovered buffer overruns 
  lay lurking in those marshal/unmarshal calls, especially
  since we've seen them in the COM interfaces)


If all we're worried about is internal network compromise, I'd
be tempted to say "chuck all of it into a DMZ; OWA, Exchange
and PDC all". But it's never that easy is it? We need to 
ensure the security of the mail storage too, since there is
usually a LOT of sensitive information in people's mail boxes.
Then there are the issues of password synchronization with
the internal domain and ... yeah.


So, IF you do not require all the Exchange magic (address book,
calendar, etc etc), your IMP solution looks pretty good.
However, there are a few known weaknesses in the IMP scripts;
better check those out before deciding (has it been fixed?).
This is based on the assumption that you can harden that BSD/Linux 
web server with IMP farther than you can IIS+OWA.
* Put your web server with IMP in the DMZ
* Require SSL connections to the web server
* Allow IMAP to the Exchange server on the internal network

This limits the communications channel between the web server
and the exchange server to IMAP, which is good in my humble
opinion. However, as I said, the fancy stuff won't work.


Otherwise, your best bet is to place the IIS+OWA in the DMZ and
apply port restrictions to the Exchange server so that you don't 
have to open up every port in the 1024-65535 span. Then
make damn sure that you've restricted access to the OWA interface
by way of SSL and HTTP authentication. It doesn't matter a whole
lot which authentication you use once inside SSL, as far as I know,
since it's all encrypted anyways.



I guess I ought to add a disclaimer:
I know next to nothing about the security of IMP. Maybe it's
not the best solution, maybe there is a better-written
email-web-access-via-IMAP package. Then again, maybe it's
good enough. I'm hoping other people will contribute with their
knowledge here :-)


Regards,
Mikael Olsson

-- 
Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-29 92 00         Fax: +46-(0)660-122 50
Mobile: +46-(0)70-66 77 636
WWW: http://www.enternet.se        E-mail: [EMAIL PROTECTED]
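As an added illustration (not part of Mikael's message or any product's code), here is a small Python model of the zone policy he describes: Internet to DMZ web server on SSL only, DMZ web server to internal mail server on IMAP only, default deny elsewhere. The zone names, port numbers and the two rule sets are this example's own assumptions; the audit flags rules that break the design, including the "open every port in the 1024-65535 span" situation the post warns about.

```python
"""Zone-based firewall policy model for the "web mail server in the DMZ"
design: Internet reaches the DMZ web server only over SSL, and the DMZ web
server reaches the internal mail server only over IMAP.
Zone names, ports and rule sets below are this example's assumptions."""
from dataclasses import dataclass

HTTPS = 443
IMAP_PORTS = {143, 993}      # IMAP and IMAP over SSL
BROAD_RANGE = 100            # a span this wide is treated as an RPC-style dynamic range


@dataclass(frozen=True)
class Rule:
    src: str                 # zone: "internet", "dmz" or "internal"
    dst: str
    lo: int                  # inclusive TCP destination port range
    hi: int
    allow: bool = True

    def matches(self, src: str, dst: str, port: int) -> bool:
        return self.src == src and self.dst == dst and self.lo <= port <= self.hi


def is_allowed(rules, src, dst, port) -> bool:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for rule in rules:
        if rule.matches(src, dst, port):
            return rule.allow
    return False


def audit(rules):
    """Return (code, rule) findings for allow rules that break the design."""
    findings = []
    for rule in rules:
        if not rule.allow:
            continue
        width = rule.hi - rule.lo + 1
        if rule.src == "internet" and rule.dst == "internal":
            findings.append(("INTERNET_TO_INTERNAL", rule))
        if rule.src == "internet" and rule.dst == "dmz" and (rule.lo, rule.hi) != (HTTPS, HTTPS):
            # anything besides HTTPS exposed: plain HTTP defeats "require SSL"
            findings.append(("NON_SSL_EXPOSURE", rule))
        if rule.src == "dmz" and rule.dst == "internal" and not (width == 1 and rule.lo in IMAP_PORTS):
            # the DMZ -> internal channel should be IMAP and nothing else
            findings.append(("DMZ_TO_INTERNAL_NOT_IMAP", rule))
        if width >= BROAD_RANGE:
            findings.append(("BROAD_PORT_RANGE", rule))
    return findings


# The IMP-in-the-DMZ layout from the post (constructed rule set).
IMP_DESIGN = [
    Rule("internet", "dmz", HTTPS, HTTPS),
    Rule("dmz", "internal", 993, 993),
]

# An OWA deployment that opens the whole 1024-65535 span (constructed rule set).
OWA_UNRESTRICTED = [
    Rule("internet", "dmz", 80, 80),
    Rule("internet", "dmz", HTTPS, HTTPS),
    Rule("dmz", "internal", 135, 135),          # RPC endpoint mapper
    Rule("dmz", "internal", 1024, 65535),       # dynamic RPC ports
]

if __name__ == "__main__":
    for name, rules in (("IMP design", IMP_DESIGN), ("OWA unrestricted", OWA_UNRESTRICTED)):
        print(f"{name}: {len(audit(rules))} finding(s)")
        for code, rule in audit(rules):
            print(f"  {code}: {rule.src} -> {rule.dst} tcp/{rule.lo}-{rule.hi}")
```

Running it reports no findings for the IMP layout and four for the unrestricted OWA layout (plain HTTP exposed, an RPC endpoint mapper rule and a dynamic range from DMZ to internal, the range also flagged as broad). The same `audit` function can be pointed at an exported rule set once it is mapped onto the three zones.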