Firewall Wizards mailing list archives

RE: Outlook Web Access - Paranoid?


From: "Paul D. Robertson" <proberts () patriot net>
Date: Thu, 28 Nov 2002 10:14:55 -0500 (EST)

On Wed, 27 Nov 2002, Steve Evans wrote:

> One opinion I will express is that if you're going to use OWA (which I
> have no opinion on) putting it in the DMZ is useless.  The reason you
> put things in the DMZ is so if they are compromised they still have a
> firewall to go through to get to the good stuff.  Let me tell you, the
> ports you have to open are the good stuff.

Deploying Internet-facing systems that sit on the internal can nullify the 
firewall.  Do that with either the wrong product at the wrong time, or too 
many products, and there's no point in _having_ the firewall.

> And one more opinion.  Exchange security isn't as bad as everyone is
> making it out to be.  Is it good, no, it's a Microsoft product.  But

From an MTA perspective, it's certainly worse than qmail or postfix.  I 
can find at least half a dozen security bulletins on Exchange 2k and OWA- 
and while most of them are DoS issues, it doesn't give me any 
confidence at all that these systems were engineered to be placed where 
external users could potentially attack them.  

If you're going to provide the sorts of services that, say an ISP provides 
on the open Internet, it's really worth the time to look at systems which 
have stood the test of time, the real-world attacks and scalability that 
goes with lots of users and lots of attackers.  

> Exchange 2000 is really one of Microsoft's more secure products.  Proper
> planning can mitigate most of the risk.  Really it's a decision for the
> suits to make, not us.  If the security is good enough though, is a
> question that only you can answer.

This is exactly what puts people into positions they can't get out of.  
"The suits" should *not* be making product decisions- they should be 
providing business requirements.  Implementation details are best left to 
_technical_ people, who should know better than to build architectures 
which allow direct access to their core networks.  Everyone's been 
focusing on the unknown remote attacker here- and it's a valid concern, 
but probably half of the cases I've investigated this year are of the 
"internal user, or former user with access to lots of credentials goes 
bad" variety.  Recovering from those attacks normally averages several 
hundred thousand dollars (Last FBI figure I heard was ~$1.4M USD)- even if 
catching the bad guy is easy, there's no way you're going to recover 
costs, let alone data- the attacker normally just got unemployed.

The worst network compromise I've ever seen was a site where "the suits" 
made the decisions about firewall rules.  External attackers took 
advantage of that in a major and big way.  I've never seen so many 
compromised machines.

I've done a fair amount of computer crime investigation, and there are 
two categories of badness that come into play more than others- 1.  
Management making what should be technical decisions, and 2. Inexperienced 
technical people dealing with risk factors they don't understand.  Even 
with insider abuse, those and people who "just don't have time" to do the 
right thing come down to 99.9% of badness.

My boss isn't even close to stupid- knows a fair amount about security, 
and has access to more security experts than most- I still wouldn't let 
him make an implementation decision about what product to deploy for a 
particular requirement.     

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
