Maybe this will help give you some ammo.
http://www.zdnet.com/anchordesk/stories/story/0,10738,2701566,00.html

-----Original Message-----
From: Aaron Kennedy [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 14, 2001 4:11 PM
To: [EMAIL PROTECTED]
Subject: RE: Specific vulnerabilities


I've been down that road.  It's not an option.  OWA is not exactly what
they want, so they want no part of it.  I've explained to them that 2k
is a huge improvement over 5.5 and they have used it as a fall-back at
times (which never happened on 5.5), but it's just not what they want...
And when you're talking about executives, they get what they want, or we
don't continue supporting them!

I just want to be able to say to them: "Here are # reasons why I need to
close this hole in the firewall and you guys will need to bite the
bullet either with OWA or Outlook over VPN."  As I said, they are
intelligent people and don't want to put their network at risk, I just
can't seem to find anything that says: "here are some risks with opening
port 135"...  And without that proof, they won't consider the
alternatives.

-Aaron


-----Original Message-----
From: Steve Smith [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 14, 2001 3:05 PM
To: Aaron Kennedy; [EMAIL PROTECTED]
Subject: RE: Specific vulnerabilities


Just for grins... why are they not using Outlook Web Access? If the
server is running Exch 2K then the functionality is the same. They
should be able to do 99% of what they do in Outlook. When SP2 is out
they will be able to do 100%. I know the OWA in 5.5 was very limited but
2000 is a HUGE improvement.

regards,
Steve

-----Original Message-----
From: Aaron Kennedy [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 14, 2001 3:54 PM
To: [EMAIL PROTECTED]
Subject: Specific vulnerabilities


All,

I'm sort of barging into the list here as I haven't really even had
much of a chance to lurk yet, but I'm looking for an answer to a
specific problem and hope I could get some definitive answers.

A client of ours had an MS Exchange 5.5 server.  A few of the executives
travel frequently and their previous IT support guy had set up their
firewall to pass traffic directly through to the Exchange server (port
135, plus the static ports as set in the registry).  They liked this
solution because they said it was much faster than VPN for accessing
their email.

We have supported this company for more than a year now, and they have
since been upgraded to Exchange 2k.  I tried to take this opportunity to
force the executives to a VPN solution, as it made me nervous to open
those ports on the firewall (especially 135), but they said the
performance simply wasn't what they wanted, and the extra step of
authenticating through the VPN first was too much trouble...  (Comments
not needed on that... I hear everyone's pain, but my hands are tied.
I've tried... really.)

That being said, they are generally a reasonable lot and would be
willing to change if it was shown that there was a credible security
risk.  The problem is I cannot seem to locate any specific
vulnerabilities which are opened by allowing traffic over ports 135,
1026 (for authentication) and the 3 preset static ports for the Exchange
services.  The other problem is that because the users are mobile and
are using a number of different internet connections, I can't feasibly
restrict incoming traffic on those ports to certain addresses or
subnets.

Can anyone offer some definitive "this is bad because" points, or offer
what kind of information or risk there is in keeping port 135 open?

Much appreciated.

-Aaron
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls