Eddy Kalem wrote:
> 
> Excuse the ignorance but is it a good practice to let SSL through your
> Firewall?

Why not? We're talking inbound SSL to a web server here. 
There's nothing any firewall can do to secure something as big
as Outlook Web Access, no matter what.

The problems aren't in the HTTP headers. They're in the querystrings,
form posts, etc etc, and no firewall in the world knows what a "properly
formatted Outlook Web Access querystring" looks like -- so any
"protection" is useless anyway.

The gain here is that we can restrict access to the web server in
a way that (theoretically) cannot be sniffed. Unless of course
someone exploits the invalid certificate recognition bugs in IE and
fools a user into revealing his/her login and password to a fake
web server. Let us all hope that the attackers are cooperative and 
refrain from doing that :-P

$.02

/Mike

Basic definition of a firewall: "Allow only services that are known
to be secure, deny everything else."

Probably the most common rule pair in today's firewalls: "Allow all
HTTP from the internal network to the outside, and allow all
HTTP from the outside to our web server".

Does anyone see the contradiction here?

-- 
Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-29 92 00         Fax: +46-(0)660-122 50
Mobile: +46-(0)70-66 77 636
WWW: http://www.enternet.se        E-mail: [EMAIL PROTECTED]