Re: secure webmail and firewall issues...

[Brian J. Murrell]

Mikael Olsson <[EMAIL PROTECTED]> wrote:
> 
> This works just fine, but there is one small problem that usually
> proves to be a huge problem in organizations with many
> users. (Why do users always have to screw up our good ideas?) --
> how do you authenticate to the reverse proxy?

I would tend to issue client-side certs and authenticate them at the
reverse SSL proxy in addition any "server based" authentication that I
did at the web/mail server(s).  That way if there is a buffer overflow
or other authentication information driven attack in the web/mail
servers, they will not get exploited unless the cracker can satisfy the
reverse proxy with a certificate.

Now your only worry is attacks on the reverse proxy, and of course a
client-side certificate leak.  There is no reason that the proxy needs
to run with any privilleges at all.  Indeed a nice tidy little chroot()
jail sounds wonderful for that!  The other problem is social.  If you
have certificate leaks you need to terminate somebody's access
immediately!

b.


-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]