Mikael Olsson wrote:

>If you do not authenticate at the reverse proxy, what is the reason for it? 
>To protect against HTTP and/or SSL layer vulnerabilities in IIS? (I don't 
>think this is the main problem, really, but I guess every little bit helps 
>-- I'm just worried about the complexity
>increasing disproportionately to the security gained)

The reverse proxy provides an added level of security: it allows us to keep 
the OWA behind another firewall. If we didn't have the reverse proxy then 
the OWA box would have to be running SSL, and external users would 
connect directly through the firewall to the OWA server. As the OWA server 
uses DCOM to communicate with Exchange it would have to be on the same 
network as Exchange, and suddenly you've lost a layer of security. You no 
longer have two layers (ie external >> firewall >> sslrelay >> firewall >> 
owa), but only have one (ie external >> firewall >> owa). On top of this, in 
the one-layer security model the firewall has to have port 443 open, which 
you can't have any protocol-level filtering on. This is also true in the 
two-layer security model; however, in the second layer (sslrelay >> firewall 
>> owa) the HTTP transactions are no longer encrypted (and don't need to be, 
as they are no longer on a public network), so protocol-level filtering can 
be enabled on the second firewall so that only valid HTTP requests can be 
sent through.

If you have good active and passive IDS monitoring, each layer of security 
provides you with additional time to react to compromises; thus to increase 
your security all you need to do is add more layers to your security 
model, because there is no 100% secure system that will work in one-layer 
security. No system is 100% secure, but each layer buys you time before your 
internal network is compromised, and in that time hopefully you can react. 
As you said, there comes a point where the added complexity of your security 
system and processes no longer justifies the security that it provides; it 
ends up needing to be assessed on a case-by-case basis how much security you 
require.

Cheers,
Alex
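As an added illustration of the protocol-level filtering Alex describes for the plaintext hop (sslrelay >> firewall >> owa), here is a minimal HTTP request-head inspector. This is example code, not from the thread or from any product; the permitted methods, the OWA path prefixes and the line-length cap are assumptions.

```python
# Added example: a protocol-level filter for the unencrypted inner hop.
# Because the relay has already terminated SSL, the second firewall can
# read each request and pass only well-formed HTTP aimed at the OWA paths.
import re

ALLOWED_METHODS = {"GET", "POST"}               # assumed: all OWA needs
ALLOWED_PREFIXES = ("/exchange/", "/exchweb/")  # assumed OWA virtual dirs
MAX_LINE = 2048                                 # assumed cap on any one line
TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")   # RFC header name
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")


def inspect_request(raw: bytes):
    """Return (allowed, reason) for one plaintext HTTP request head.

    Only the request line and header syntax are checked; percent-decoding
    and body inspection are deliberately out of scope for this example.
    """
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ascii bytes in request head"
    head = text.split("\r\n\r\n", 1)[0]          # drop any body
    lines = head.split("\r\n")
    if any(len(line) > MAX_LINE for line in lines):
        return False, "oversized line"           # blunt but cheap sanity cap
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return False, "malformed request line"
    method, target = m.group(1), m.group(2)
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not permitted"
    if ".." in target or not target.startswith(ALLOWED_PREFIXES):
        return False, "target outside permitted OWA paths"
    for line in lines[1:]:
        name, sep, _ = line.partition(":")
        if not sep or not TOKEN.match(name):
            return False, "malformed header line"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        b"GET /exchange/inbox HTTP/1.1\r\nHost: owa\r\n\r\n",
        b"GET /scripts/cmd HTTP/1.1\r\nHost: owa\r\n\r\n",
        b"TRACE /exchange/ HTTP/1.1\r\n\r\n",
        b"GET /exchange/" + b"A" * 3000 + b" HTTP/1.1\r\n\r\n",
    ]
    for s in samples:
        print(inspect_request(s))
```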

-----Original Message-----
From: Mikael Olsson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 12 July 2000 11:40
To: Alex Hague
Cc: [EMAIL PROTECTED]
Subject: Re: secure webmail and firewall issues...

Alex Hague wrote:
>
>You don't need to authenticate to the reverse proxy as OWA will do all the 
>authentication using NTLM. In the event that a buffer overflow vulnerability 
>exists in one of the OWA pages you will still
>need to be authenticated to execute the vulnerability, thus only your users 
>could execute it....

Well, the only problem I'm getting at is the old KISS rule, really.

If you do not authenticate at the reverse proxy, what is the reason
for it? To protect against HTTP and/or SSL layer vulnerabilities in
IIS? (I don't think this is the main problem, really, but I guess
every little bit helps -- I'm just worried about the complexity
increasing disproportionately to the security gained)

--
Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-29 92 00         Fax: +46-(0)660-122 50
Mobile: +46-(0)70-66 77 636
WWW: http://www.enternet.se        E-mail: [EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]

