Well, thank you all for the brainstorm! It was really elucidating.
I'd like to share a synthesis and ask some questions:
1) Use Basic auth over SSL [Shawn Kelly]
why: encrypts password and traffic
2) Make RPC between OWA/Exchange use static ports [Jeff Jarmoc]
why: smaller hole between DMZ/internal net
3) "Plug proxy" tool for port-forwarding to OWA [Grant Vine]
why: if your OWA is in the internal net
4) Is it OK to let SSL through the firewall? [Eddy Kallen]
5) Yes, SSL can't be sniffed and the problem isn't the HTTP headers,
but the query strings on OWA scripts [Mikael Olsson]
6) Never put Exchange in the DMZ, put a secure mail forwarder [M. Olsson]
why: weaknesses like RPC/API calls, huge code (with lots of bugs?)
7) Same for IIS/OWA (ASP code, API calls, lots of weak points)
8) Internal net security? Chuck OWA, Exchange, PDC into a DMZ [M. Olsson]
why: it's isolated from the internal net (but without mail security)
9) If you don't need all the Exchange code, IMP may be good, but are IMP
scripts still weak? [Mikael Olsson]
10) OWA and Exchange in the internal net, separated NT domains, one-way
trust to the Exchange domain [Brian Steele]
why: OWA can get to Exchange, but Exchange can't get anywhere?
11) Any vuln. in OWA-SSL can only be executed by auth'd users [A. Hague]
12) SSL relay & reverse proxy in the DMZ, with communication between
reverse proxy/firewall/OWA unencrypted [Alex Hague]
why: protocol-level filtering permits only valid HTTP requests
13) Issue client-side certs. [Brian J. Murrell]
why: cracker must auth before exploit, but certs may leak.
why not: malicious code may break certs
Client-side certs problem is user OS security [Paul D.R.]
14) SSL relay may run without privileges and chrooted [Brian]
15) Net and host IDS add security and provide time to react [various]
16) OWA in DMZ = pain. Open n ports and n-1 clients will be able to
connect (NT4 SP3) [K. Evangelinos]
17) SecureID helps shoulder surfers and password guesses [Mikael, Jason]
18) NT ACL to restrict OWA access [Ben Quinata]
Sorry if I missed something.
OK, now the doubts:
a) Is the "why:" part of item 10 right?
b) Is item 11 right? If so, is this just a password security issue?
c) How can protocol-level filtering permit only valid HTTP requests?
d) Is item 16 still true?
Thanks a lot.
Fernando,
MailBR - Brazil's e-mail -- http://www.mailbr.com.br
Get yours now. It's free!!!
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
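Added example, not part of the original thread or any poster's code: a small Python request filter of the kind a DMZ SSL relay / reverse proxy (items 5 and 12, and question c) could apply before handing a decrypted request to an internal OWA server. "Protocol-level filtering" here means refusing to forward anything that is not a syntactically valid HTTP request for an expected virtual directory, which also bounds the query-string risk raised in item 5. The allowed methods, path prefixes, size limits and the sample requests are assumptions constructed for the demonstration, not values from the thread.

```python
"""Toy protocol-level HTTP request filter for a reverse proxy in front of OWA.

Added example. Policy values below are hypothetical; a real deployment would
take them from the virtual directories actually published by the OWA server.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Hypothetical policy: only these methods and path prefixes are forwarded.
ALLOWED_METHODS = {"GET", "POST", "HEAD"}
ALLOWED_PREFIXES = ("/exchange/", "/public/", "/exchweb/")  # assumed OWA vdirs
MAX_REQUEST_LINE = 2048
MAX_QUERY = 512
MAX_HEADERS = 50

# Strict syntax: METHOD SP absolute-path SP HTTP/1.0|1.1, then RFC-style headers.
REQUEST_LINE_RE = re.compile(r"^([A-Z]+) (/[^ \r\n]*) HTTP/1\.[01]$")
HEADER_RE = re.compile(r"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*([^\r\n]*)$")
SAFE_PATH_CHARS = re.compile(r"^[A-Za-z0-9._~/%+\-]*$")
SAFE_QUERY_CHARS = re.compile(r"^[A-Za-z0-9._~%+=&\-]*$")


@dataclass
class Verdict:
    allowed: bool
    reason: str


def check_request(raw: bytes) -> Verdict:
    """Return whether the raw request head may be forwarded, and why not."""
    try:
        text = raw.decode("ascii")          # request heads are ASCII only
    except UnicodeDecodeError:
        return Verdict(False, "non-ASCII bytes in request head")

    head, sep, _body = text.partition("\r\n\r\n")
    if not sep:
        return Verdict(False, "request head not terminated")

    lines = head.split("\r\n")
    request_line = lines[0]
    if len(request_line) > MAX_REQUEST_LINE:
        return Verdict(False, "request line too long")
    m = REQUEST_LINE_RE.match(request_line)
    if not m:
        return Verdict(False, "malformed request line")
    method, target = m.group(1), m.group(2)
    if method not in ALLOWED_METHODS:
        return Verdict(False, f"method {method} not allowed")

    path, _, query = target.partition("?")
    decoded = unquote(path)                 # catch %2e%2e style encodings too
    if "/../" in decoded + "/" or "\\" in decoded or not SAFE_PATH_CHARS.match(path):
        return Verdict(False, "unsafe characters or traversal in path")
    if not path.startswith(ALLOWED_PREFIXES):
        return Verdict(False, "path outside published OWA virtual directories")
    if len(query) > MAX_QUERY or not SAFE_QUERY_CHARS.match(query):
        return Verdict(False, "query string too long or contains unsafe characters")

    headers = lines[1:]
    if len(headers) > MAX_HEADERS:
        return Verdict(False, "too many headers")
    for h in headers:
        if not HEADER_RE.match(h):
            return Verdict(False, "malformed header line")
    return Verdict(True, "ok")


# Constructed sample requests (not captured traffic).
GOOD = b"GET /exchange/inbox HTTP/1.1\r\nHost: owa.example.internal\r\n\r\n"
TRAVERSAL = b"GET /exchange/../winnt/x HTTP/1.0\r\nHost: owa.example.internal\r\n\r\n"
NOT_HTTP = b"HELO mail.example\r\n\r\n"
BAD_QUERY = b"GET /exchange/?x=<script> HTTP/1.1\r\nHost: owa.example.internal\r\n\r\n"
BAD_HEADER = b"POST /exchange/x HTTP/1.1\r\nHost: h\r\nBad header\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("GOOD", GOOD), ("TRAVERSAL", TRAVERSAL), ("NOT_HTTP", NOT_HTTP),
                      ("BAD_QUERY", BAD_QUERY), ("BAD_HEADER", BAD_HEADER)]:
        v = check_request(req)
        print(f"{name:10s} allowed={v.allowed!s:5s} {v.reason}")
```

Only the request head is inspected, which is what a relay sees before it decides whether to open a connection to the internal host; a body-length limit and a Host-header check against the OWA name would be natural next additions. The point for question c is that everything not matching this grammar (other protocols, odd encodings, paths outside the OWA tree) is dropped at the DMZ before it reaches IIS.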