Firewall Wizards mailing list archives
RE: Outlook Web Access - Paranoid?
From: Joseph Steinberg <Joseph () whale-com com>
Date: Thu, 5 Dec 2002 10:50:32 -0500
On the Whale web site there is good documentation about the security flaws inherent in many OWA implementations - so, regardless of whether you want to consider <ad>the solution that Whale markets</ad>, you may want to check out the white paper available at: http://www.whalecommunications.com/whitepapers

It describes OWA security issues in detail including some problems not alluded to in this thread or the other recent threads about OWA security. It also discusses solutions. For example, to address the issue of buffer-overflow attacks, a positive-logic based filtering engine could be used. If the engine is OWA aware, it can block any request that is not known to be valid OWA usage. Such filtering should protect not only against attacks utilizing known attack techniques, but from attacks based on exploits not yet publicized and for which no patch has yet been issued.

BTW: Besides the issues of opening ports and potential buffer-overflow attacks that are discussed in this thread, there are issues related to the fact that OWA is often used from untrusted locations. HTTP Basic Authentication - which is how users authenticate to OWA - and the corresponding logout mechanism - suffer from security vulnerabilities; someone can often "restart" a user's session after the user walks away from the browser. Inactivity timeouts - intended to prevent indefinite risk from users who neglect to log out - are often implemented in an intrusive manner; users typing long emails in browser windows lose their work as the server is unaware of activity taking place on the client machines. As a result, timeout thresholds are often set high - rendering the timeouts less effective from a security standpoint.

Of course, the issue of authentication is also significant. To achieve strong authentication some organizations have added plug-in software onto Exchange/OWA servers - which could create issues when patching or upgrading the servers.
Joseph Steinberg
Director of Technical Services
Whale Communications

firewall-wizards mailing list, firewall-wizards () honor icsalabs com, http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
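The positive-logic ("default deny") request filter the post describes, as an added illustration that is not part of the original message and not Whale's product code: every request is rejected unless its method, path and header shapes match an explicit allowlist, so oversize or unexpected input is dropped without needing a signature for the specific exploit. The method set, path prefixes and length limits are assumptions chosen for the example, not a catalogue of real OWA endpoints.

```python
# Added example: minimal positive-logic HTTP request filter in the spirit of
# an "OWA-aware" engine. Allowlists and limits below are illustrative assumptions.
import re
from urllib.parse import urlsplit

ALLOWED_METHODS = {"GET", "POST", "PROPFIND"}            # assumed verb set
ALLOWED_PREFIXES = ("/exchange/", "/exchweb/", "/public/")  # assumed OWA paths
MAX_REQUEST_LINE = 2048       # refuse oversize lines regardless of their content
MAX_HEADER_VALUE = 1024
SAFE_PATH = re.compile(r"^/[A-Za-z0-9._~/%-]*$")         # no spaces/control chars
HEADER_NAME = re.compile(r"[A-Za-z0-9-]+")


def check_request(raw: bytes) -> tuple:
    """Return (allowed, reason). Anything not explicitly known-good is denied."""
    try:
        text = raw.decode("ascii")      # non-ASCII bytes in the head: deny
    except UnicodeDecodeError:
        return False, "non-ascii bytes"
    head = text.split("\r\n\r\n", 1)[0]  # only the request line and headers
    lines = head.split("\r\n")
    request_line = lines[0]
    if len(request_line) > MAX_REQUEST_LINE:
        return False, "request line too long"
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[2] not in ("HTTP/1.0", "HTTP/1.1"):
        return False, "malformed request line"
    method, target, _ = parts
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not permitted"
    path = urlsplit(target).path          # query string is ignored for matching
    if not SAFE_PATH.match(path) or ".." in path:
        return False, "path traversal or disallowed characters"
    if not path.startswith(ALLOWED_PREFIXES):
        return False, "path outside known OWA namespace"
    for line in lines[1:]:
        if ":" not in line:
            return False, "malformed header"
        name, value = line.split(":", 1)
        if len(value) > MAX_HEADER_VALUE or not HEADER_NAME.fullmatch(name):
            return False, f"header {name!r} rejected"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    print(check_request(b"GET /exchange/jdoe/Inbox/?Cmd=contents HTTP/1.1\r\n"
                        b"Host: mail.example.com\r\n\r\n"))
    print(check_request(b"GET /" + b"A" * 3000 + b" HTTP/1.1\r\n\r\n"))
    print(check_request(b"GET /exchange/../winnt/ HTTP/1.1\r\n\r\n"))
```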