-=v00d00=- -> RE: Discussion for ISA Server Exchange Kit Topologies article (20.Nov.2003 3:59:00 PM)
OK security gurus, there are two schools of thought on ISA topology and I would like to get as much information on behalf of an Enterprise client of mine that I am currently the PM / Consultant for concerning an ISA / OWA install.
1. Microsoft recommends Front-End Exchange server IN the DMZ hosting OWA and port 80/443 open to the Back-End Exchange server as well as port 3268 for GC/authentication. That seems totally wrong from a port perspective. What about DNS, RPC, SMTP, LDAP and others?
2. Tom Shinder recommends NEVER putting the front end in the DMZ because it is joined to the domain and presents a domain rights issue and valid security risks. However, conventional wisdom says to NEVER put a webserver (OWA), no matter how secured, anywhere but in a DMZ due to the substantial risk of Nimda / Code Red type attacks as well as the myriad other web exploits. Frankly, as a security professional I'm inclined to side with Tom on this issue.
My client topology is as follows:
Windows 2000 Server / Exchange 2000 / IIS 5.0
1. F5 BIG IP 1000 Load Balancer on the front end.
2. Cisco PIX 515 as the perimeter security w/ DMZ.
3. Front-End OWA currently running on corporate LAN, but can be moved to the DMZ if necessary.
4. Surf Control device (can be made redundant by ISA I know) inside Corporate LAN for filtering content to clients.
Large healthcare facility with HIPAA compliance and all and I'm just looking for any feedback as to any and all solutions to properly mitigate risk in good faith / due diligence. Thanks for your input guys. I know I'm asking the best brains out there!
Regards, [ November 20, 2003, 05:15 PM: Message edited by: -=v00d00=- ]
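Whichever placement is chosen, the port question in point 1 comes down to auditing the DMZ-to-LAN policy against a minimal allow-list. The following script is an added example, not part of the original post or of any ISA/PIX tooling: it parses a constructed, simplified rule list (a made-up "src dst proto port" format, not real PIX or ISA syntax), flags overly broad rules, rules outside the allow-list, and expected rules that are absent. The allow-list uses the ports named in the post (80/443 to the back end, 3268 for the Global Catalog) plus the well-known DNS, SMTP and LDAP ports as an assumption; RPC is deliberately left out so the audit surfaces it for the reviewer to decide.

```python
"""Audit DMZ->LAN firewall rules for an OWA front end against a least-privilege allow-list.

Added example, not from the original post. The rule text format below is constructed
for illustration and is not real PIX or ISA configuration syntax.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str   # "tcp", "udp" or "any"
    port: str    # numeric string or "any"


# Allow-list for the front-end-in-DMZ design from the post. 80/443 and 3268 are the ports
# the post names; DNS (53), SMTP (25) and LDAP (389) are the well-known ports for the
# services the post asks about, included here as an assumption. RPC is intentionally absent.
EXPECTED = frozenset({
    Rule("dmz", "lan", "tcp", "80"),
    Rule("dmz", "lan", "tcp", "443"),
    Rule("dmz", "lan", "tcp", "3268"),
    Rule("dmz", "lan", "tcp", "53"),
    Rule("dmz", "lan", "udp", "53"),
    Rule("dmz", "lan", "tcp", "25"),
    Rule("dmz", "lan", "tcp", "389"),
})

# Constructed sample policy: one "any/any" rule, one port outside the allow-list
# (135, RPC endpoint mapper), and LDAP 389 left out so it shows up as missing.
SAMPLE_POLICY = """\
# src dst proto port
dmz lan tcp 80
dmz lan tcp 443
dmz lan tcp 3268
dmz lan udp 53
dmz lan tcp 53
dmz lan tcp 25
dmz lan any any
dmz lan tcp 135
"""


def parse_rules(text):
    """Parse the constructed rule format, ignoring comments and blank lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"malformed rule: {line!r}")
        src, dst, proto, port = parts
        rules.append(Rule(src.lower(), dst.lower(), proto.lower(), port.lower()))
    return rules


def audit(rules, expected=EXPECTED):
    """Return (broad, unexpected, missing) for the DMZ->LAN rules.

    broad:      rules with protocol or port "any" (never acceptable into the LAN)
    unexpected: specific rules not in the allow-list (need a documented justification)
    missing:    allow-list entries with no matching rule (the front end will not work)
    """
    scoped = [r for r in rules if r.src_zone == "dmz" and r.dst_zone == "lan"]
    broad = [r for r in scoped if r.proto == "any" or r.port == "any"]
    unexpected = [r for r in scoped if r not in broad and r not in expected]
    missing = sorted(expected - set(scoped), key=lambda r: (r.proto, int(r.port)))
    return broad, unexpected, missing


if __name__ == "__main__":
    broad, unexpected, missing = audit(parse_rules(SAMPLE_POLICY))
    for label, found in (("BROAD", broad), ("UNEXPECTED", unexpected), ("MISSING", missing)):
        for r in found:
            print(f"{label:10} {r.src_zone}->{r.dst_zone} {r.proto}/{r.port}")
```

On the sample policy the audit reports the any/any rule as broad, tcp/135 as unexpected, and tcp/389 as missing; in practice the allow-list would be filled in from the Exchange documentation for the specific version and signed off by the owner of the back-end servers.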