Security Basics mailing list archives
RE: Remote Web Workplace security
From: "Dana Epp" <dana () vulscan com>
Date: Thu, 9 Mar 2006 13:50:09 -0800
So apply two factor authentication to auth against the inbound connection before prompted for the RWW login session. That's exactly what we do. We use Cryptocard tokens against a Sonicwall TZ170 in front of the SBS machine. The firewall communicates with the authentication server on the SBS box via RADIUS, authorizing RWW, Sharepoint and TS/RDP only after authing the incoming user. Even if the incoming machine had hostile code capturing the credentials, it is USELESS to them in a follow-up session since the OTP (one time password) is dead. They can't even touch the Active Directory as the firewall won't let them in.

RWW has other benefits over traditional VPN. First off, you aren't providing a layer 3 connection to the network. Everything is proxied through RWW. You have a PASSIVE connection to Outlook Web Access, and require secondary auth to the corporate intranet, if you need it. And you don't have to configure ANY software to use it. No VPN client setup required at all.

RWW is one of the hidden golden gems Microsoft has... And it's only available in Small Business Server. For mobile users it is a much safer connection than worrying about VPN issues.

Regards,

Dana Epp
[Microsoft Security MVP]
http://silverstr.ufies.org/blog/

-----Original Message-----
From: Paul Halliday [mailto:paul.halliday () gmail com]
Sent: Thursday, March 09, 2006 3:42 AM
To: ROB DIXON
Cc: davidj () comparto com au; security-basics () securityfocus com
Subject: Re: Remote Web Workplace security

My reasoning is that the semantics of the connection method are not as important as the trust relationship between the connecting host and the workplace. The pipe to your workplace (regardless of the method that you use to secure it) is not the weakest link; the connecting party is. From a due diligence perspective it only makes sense to use a VPN to connect to your workplace. However, this does not eliminate the more common threat, which would be a compromised host establishing the connection.

If I rolled something like this out, my last concern would be someone trying to attack the tunnel itself; this is why we have IDS/IPS. But if someone makes off with the credentials of the connecting party, or if the connecting party is no longer in control of their machine, we have no way to detect or prevent it. Unless you can ensure a trust relationship between the VPN and all machines that will ever connect to it, worrying about the details of the connection method is the least of your worries.

On 3/7/06, ROB DIXON <RDIXON () workforcewv org> wrote:

Hi David,

Without of course illustrating an attack, could you explain your comment regarding "I would fire a keylogger onto your machine far quicker than attempting to MITM your rdp session."?

In other words, which connection method are you stating is more vulnerable to which attack?

Thanks

Robert L. Dixon, CSO CHFI A+
State of West Virginia's West Virginia Office of Technology
Infrastructure Applications
Netware/GroupWise Administrator
Telephone: (304)-558-5472 ex.4225
Email: rdixon () workforcewv org

"Paul Halliday" <paul.halliday () gmail com> >>>

On 3 Mar 2006 02:09:31 -0000, davidj () comparto com au <davidj () comparto com au> wrote:

My fellow Sys Admin has been pushing the 'Remote Web Workplace' as the remote connection option to our clients, where I prefer the Remote Desktop through VPN whenever possible.

I understand the straight Remote Desktop has RC4 security which is rather weak. I don't believe this has been improved when using the 'Remote Web Workplace' method? Am I wrong?

I want to make it policy that Remote Desktop connections via a VPN must always be used before the 'Remote Web Workplace', whenever possible.

Am I being paranoid?

Yes you are. I would fire a keylogger onto your machine far quicker than attempting to MITM your rdp session.

Thanks

Dave J

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched
consulting experience.
Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital
Investigations.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
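The gating step Dana describes above (the firewall consulting an OTP authentication server via RADIUS before any RWW, Sharepoint or RDP session is admitted) as an added illustration that is not code from this thread or from any of the products named: a hypothetical stand-in for that authentication server, using an RFC 6238 TOTP token as a constructed substitute (CRYPTOCard tokens use their own scheme) and a replay cache so that a code captured by a keylogger on the client is refused when it is presented a second time. The OtpGateway class, the user table and the sample secret are all assumptions made for the example.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (what the token displays)."""
    return hotp(secret, now // STEP)


class OtpGateway:
    """Hypothetical stand-in (not a real RADIUS server) for the authentication server the
    firewall consults; RWW/RDP traffic is only admitted once authenticate() returns True."""

    def __init__(self, users: dict, skew_steps: int = 1):
        self.users = users            # username -> token secret (constructed sample data)
        self.skew_steps = skew_steps  # tolerate this many steps of clock drift either side
        self.consumed = set()         # (username, counter) pairs already accepted

    def authenticate(self, username: str, otp: str, now: int) -> bool:
        secret = self.users.get(username)
        if secret is None:
            return False
        base = now // STEP
        for counter in range(base - self.skew_steps, base + self.skew_steps + 1):
            if (username, counter) in self.consumed:
                continue  # a code from this step was already used: a replay, never re-accepted
            if hmac.compare_digest(hotp(secret, counter), otp):
                self.consumed.add((username, counter))
                return True
        return False


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test secret, and one code a keylogger might have captured.
    users = {"alice": b"12345678901234567890"}
    gateway = OtpGateway(users)
    captured = totp(users["alice"], 59)  # what the legitimate user typed at t=59
    print("first login:", gateway.authenticate("alice", captured, 59))    # True
    print("replayed code:", gateway.authenticate("alice", captured, 70))  # False, the OTP is dead
```

The replay cache is what makes the captured credential worthless in a follow-up session; without it a code stays valid for the whole skew window, so a cache keyed on the accepted counter is the part to get right in a real deployment.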
Current thread:
- Remote Web Workplace security davidj (Mar 03)
- Re: Remote Web Workplace security Paul Halliday (Mar 06)
- <Possible follow-ups>
- Re: Remote Web Workplace security barcajax (Mar 06)
- Re: Remote Web Workplace security ROB DIXON (Mar 08)
- Re: Remote Web Workplace security Paul Halliday (Mar 09)
- RE: Remote Web Workplace security Dana Epp (Mar 10)
- Re: Remote Web Workplace security ROB DIXON (Mar 10)