Security Basics mailing list archives

Re: Securing webmail - changing a port necessary to ensure security?


From: Chris <choypoy () mpl com au>
Date: Thu, 12 Feb 2004 10:14:34 +0800

Webmail is supposed to be easy to access, and somewhat secure.

Using HTTPS really just protects the traffic in transit - if an
interceptor is sitting between you, they can see the traffic, and can
then work out the port number anyway. HTTPS just means they have to
sweat a bit to work out what's going on.

Security through obscurity (as in this case, "hiding" the default port)
is only really going to protect against a script-kiddie-like attack on
that port (IMHO). If the application is well-designed, these attacks
will probably be quite obvious, and probably pretty senseless anyway.

Thus, IMHO, obscuring the port is not really protecting against much,
and if a typical userbase is involved then the support issues caused by
having to explain how to use "webmail.server.com:20000" will far outweigh
any advantage you might have in hiding the application in this manner.

If the application is vulnerable to some kind of direct attack (i.e. one
where an attacker does not need to "intercept" the traffic) then it
might be a different case - but given the number of webmail servers
available these days.. ;)

(possibly more likely that the attacks will be directed against the
actual server-container, i.e. IIS or apache, itself, rather than the
application. Again, they are in common enough use, and I don't think
that changing ports is any real protection.. better to be able to fix
the problem than just use a temporary fix).

my 2c. 

//Chris Hoy Poy

On Thu, 2004-02-12 at 00:02, Jennifer Fountain wrote:
I am going back and forth on this one with a consultant on this one and
need an expert opinion.  So, I turn to you :)  When configuring webmail
(such as OWA) that is using https, is it better to change the default
port (443) to an uncommon port (20000) for security reasons?  Does it
secure it further by doing this?  Wouldn't it cause more issues than
anything if you try to access that site from inside an org that only
allows port 80/443 and 21 out?

Thank you in advance for any opinions you may share.

Kind Regards,

Jennifer Fountain
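Chris's point that an interceptor "can then work out the port number anyway" comes down to where TLS sits in the stack: it encrypts the HTTP request inside the TCP payload, but the IPv4 and TCP headers around it are always cleartext. The following added example (not code from either mail) builds a packet by hand, with constructed addresses from the documentation ranges and a constructed TLS ClientHello prefix, and then parses it the way a passive observer on the path would. The port is read straight out of the header whether the server listens on 443 or on 20000. All helper names here are hypothetical.

```python
"""Added example: the TCP destination port of an HTTPS connection is never
encrypted, so moving webmail to port 20000 hides nothing from anyone who
can see the traffic. Packets below are constructed for the demonstration."""
import ipaddress
import struct

TLS_HANDSHAKE = 0x16  # first byte of a TLS record carrying a handshake message


def build_ipv4_tcp(src_ip, dst_ip, sport, dport, payload, flags=0x18):
    """Build a minimal IPv4 + TCP packet (no options; checksums left zero).
    Constructed only so the parser below has realistic bytes to read."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,        # version 4, IHL 5 (20-byte header)
        0,           # DSCP / ECN
        total_len,
        0x1234,      # identification (arbitrary constructed value)
        0x4000,      # flags: don't fragment, fragment offset 0
        64,          # TTL
        6,           # protocol: TCP
        0,           # header checksum (not computed for this demo)
        ipaddress.IPv4Address(src_ip).packed,
        ipaddress.IPv4Address(dst_ip).packed,
    )
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        sport,
        dport,
        0x11111111,  # sequence number (constructed)
        0x22222222,  # acknowledgement number (constructed)
        5 << 4,      # data offset 5 (20-byte header), reserved bits 0
        flags,       # PSH|ACK by default
        65535,       # window
        0,           # checksum (not computed for this demo)
        0,           # urgent pointer
    )
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(packet):
    """What a passive observer recovers from the unencrypted headers alone."""
    version_ihl = packet[0]
    if version_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (version_ihl & 0x0F) * 4
    total_len = struct.unpack_from("!H", packet, 2)[0]
    if packet[9] != 6:
        raise ValueError("not TCP")
    src_ip = str(ipaddress.IPv4Address(packet[12:16]))
    dst_ip = str(ipaddress.IPv4Address(packet[16:20]))
    tcp = packet[ihl:]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_offset = (tcp[12] >> 4) * 4
    flags = tcp[13]
    payload = tcp[data_offset:total_len - ihl]
    # The TLS record header itself is also cleartext, so the observer can
    # tell that this is a TLS handshake even though its contents are opaque.
    looks_like_tls = len(payload) >= 3 and payload[0] == TLS_HANDSHAKE and payload[1] == 0x03
    return {
        "src": src_ip,
        "dst": dst_ip,
        "sport": sport,
        "dport": dport,
        "flags": flags,
        "looks_like_tls": looks_like_tls,
        "payload_len": len(payload),
    }


def observer_sees_port(packet):
    """The one field the port-changing idea was meant to hide."""
    return parse_ipv4_tcp(packet)["dport"]


# Constructed TLS ClientHello prefix: record type 0x16 (handshake),
# record version 3.1 (TLS 1.0), record length, handshake type 1 (ClientHello).
CLIENT_HELLO_PREFIX = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01])

if __name__ == "__main__":
    for port in (443, 20000):
        pkt = build_ipv4_tcp("192.0.2.10", "198.51.100.25", 51234, port,
                             CLIENT_HELLO_PREFIX + b"\x00" * 40)
        info = parse_ipv4_tcp(pkt)
        print(f"dst port {info['dport']:5d} read from cleartext TCP header; "
              f"payload looks like TLS handshake: {info['looks_like_tls']}")
```

Running the block prints the destination port for both packets, which is the whole point: the port is a property of the cleartext transport header, not of the encrypted application data, so the only thing a non-default port changes is which header value the observer copies down. The fix for a vulnerable webmail application or server-container is patching it, as Chris says, not relocating it.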

---------------------------------------------------------------------------
Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection

Protect your network with the comprehensive security solution that
integrates six applications for ease of use and lower TCO.

Firewall - Virus protection - Spam protection - URL blocking - VPN
- Wireless security.

Download 30-day evaluation at:
http://www.astaro.com/php/contact/securityfocus.php
----------------------------------------------------------------------------
