I would work on selling them on the idea of using an Outlook Web Access bastion host to gain access to their corporate mail while on the road. They should have it configured to allow connections via HTTP, but immediately redirect to SSL (required).

This will prevent them from needing to deploy VPN software, gives them security of data while in transport, and prevents their STORE from being completely accessible/compromisable via the Internet. If the OWA server gets hacked, you just restore from an image stored on CD-ROM (this can be automated to the point where you just reboot the server and a clean image is reloaded). How long does it take to rebuild an Exchange server after a compromise? These clients of yours are blissfully ignorant.

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Aaron Kennedy
> Sent: Wednesday, November 14, 2001 4:54 PM
> To: [EMAIL PROTECTED]
> Subject: Specific vulnerabilities
>
> All,
>
> I'm sort of barging into the list here as I haven't really even had much of a chance to lurk yet, but I'm looking for an answer to a specific problem and hope I could get some definitive answers.
>
> A client of ours had an MS Exchange 5.5 server. A few of the executives travel frequently and their previous IT support guy had set up their firewall to pass traffic directly through to the Exchange server (port 135, plus the static ports as set in the registry). They liked this solution because they said it was much faster than VPN for accessing their email.
>
> We have supported this company for more than a year now, and they have since been upgraded to Exchange 2k. I tried to take this opportunity to force the executives to a VPN solution, as it made me nervous to open those ports on the firewall (especially 135), but they said the performance simply wasn't what they wanted, and the extra step of authenticating through the VPN first was too much trouble... (Comments not needed on that... I hear everyone's pain, but my hands are tied. I've tried... really.)
>
> That being said, they are generally a reasonable lot and would be willing to change if it was shown that there was a credible security risk. The problem is I cannot seem to locate any specific vulnerabilities which are opened by allowing traffic over ports 135, 1026 (for authentication) and the 3 preset static ports for the Exchange services. The other problem is that because the users are mobile and are using a number of different internet connections, I can't feasibly restrict incoming traffic on those ports to certain addresses or subnets.
>
> Can anyone offer some definitive "this is bad because" points, or offer what kind of information or risk there is in keeping port 135 open?
>
> Much appreciated.
>
> -Aaron
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
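The reply above recommends an OWA front end that accepts plain HTTP only to bounce the client straight to SSL. A quick way to verify that a bastion actually behaves that way (and has not quietly started serving the logon page in the clear) is a small redirect check. The following is an added example written for this thread, not code from either poster; it assumes the bastion answers on port 80 with a 301/302 whose Location is an https:// URL on the same host, and it stands up two constructed local servers (one correct, one misconfigured) so it runs offline.

```python
"""Verify that an OWA-style front end answers plain HTTP only with a redirect to HTTPS.

Added example for the thread above, not the posters' own code. Assumption: a
correctly configured bastion answers every HTTP request with a 301/302 whose
Location is an https:// URL for the same host. Two constructed local servers
stand in for a correct and a misconfigured front end so the check runs offline.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit


def check_https_redirect(host, port=80, path="/exchange/", timeout=5):
    """Return (ok, reason). ok is True only when the plain-HTTP answer is a
    redirect whose Location is an https:// URL pointing back at the same host."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        resp.read()  # drain the body; only status and headers matter here
        if resp.status not in (301, 302, 303, 307, 308):
            return False, f"HTTP {resp.status}: content served over plain HTTP"
        location = resp.getheader("Location")
        if not location:
            return False, "redirect without a Location header"
        target = urlsplit(location)
        if target.scheme != "https":
            return False, f"redirects to non-HTTPS target {location}"
        if target.hostname != host.lower():
            return False, f"redirects off-host to {target.hostname}"
        return True, f"HTTP {resp.status} -> {location}"
    finally:
        conn.close()


class _RedirectHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a correctly configured bastion: redirect to https://."""

    def do_GET(self):
        bare_host = self.headers["Host"].split(":")[0]
        self.send_response(302)
        self.send_header("Location", f"https://{bare_host}{self.path}")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo output quiet


class _PlainHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a misconfigured front end: serves the logon page over HTTP."""

    def do_GET(self):
        body = b"<html>logon form</html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def _serve(handler):
    """Start a throwaway local server on an ephemeral port; return (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def demo():
    """Run the check against both constructed servers; return {name: (ok, reason)}."""
    results = {}
    for name, handler in (("redirecting", _RedirectHandler), ("plain", _PlainHandler)):
        server, port = _serve(handler)
        try:
            results[name] = check_https_redirect("127.0.0.1", port)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:12s} {'PASS' if ok else 'FAIL'}  {reason}")
```

Pointed at a real bastion, `check_https_redirect("owa.example.invalid")` (hostname is a placeholder) is the thing to schedule after every rebuild from the clean image: a restore that comes back answering 200 on port 80 is exactly the regression the reply's design is meant to rule out.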
