On Wed, 2 May 2001, Tom Fletcher wrote:

> I have a PIX ver 5.2(3) trying to get Outlook Web Access running thru it.

I'd think pretty long and hard about allowing inbound access to an
IIS server from the Internet at large.  I'd also think pretty hard
about OWA due to an increased malcode threat from HTML-ized e-mail.

> All traffic is allowed outbound. All traffic is allowed inbound to the
> specific server address via a static translation.  This does not allow me to

I'm no VPN fan, but you really should consider a VPN.  Honestly.  One good
server compromise and your network is toast, allowing unbounded external
access to an internal server negates the value of your firewall.  When
that server is running IIS, it doesn't even tend to be challenging to the
kiddies.  

If you're not completely patched (including hotfixes), following
the security guide letter for letter and if you don't have constant
maintenance windows for new hotfixes, patches and service packs you're
going to get hurt.  Even then it isn't something I'd want to try.

> get onto the OWA server, although when I open up all ports to all addresses
> inbound it does allow for connection. The install of OWA was pretty much
> default and no other IP addresses seem to be in play.
> 
> Should I start setting up the syslog server now, or can anyone throw any
> light?

It's probably NT authentication on the IIS server being on; a sniffer on
the server side is probably the best way to figure it out though.

I'd be really surprised if you haven't been probed yet if that's your
company's domain.  

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
