Firewall Wizards mailing list archives
RE: Outlook Web Access - Paranoid?
From: "Paul D. Robertson" <proberts () patriot net>
Date: Thu, 28 Nov 2002 10:14:55 -0500 (EST)
On Wed, 27 Nov 2002, Steve Evans wrote:
> One opinion I will express is that if you're going to use OWA (which I have no opinion on) putting it in the DMZ is useless. The reason you put things in the DMZ is so if they are compromised they still have a firewall to go through to get to the good stuff. Let me tell you, the ports you have to open are the good stuff.
Deploying Internet-facing systems that sit on the internal can nullify the firewall. Do that with either the wrong product at the wrong time, or too many products, and there's no point in _having_ the firewall.
> And one more opinion. Exchange security isn't as bad as everyone is making it out to be. Is it good, no, it's a Microsoft product. But
From an MTA perspective, it's certainly worse than qmail or postfix. I can find at least half a dozen security bulletins on Exchange 2k and OWA- and while most of them are DoS issues, it doesn't give me any confidence at all that these systems were engineered to be placed where external users could potentially attack them. If you're going to provide the sorts of services that, say an ISP provides on the open Internet, it's really worth the time to look at systems which have stood the test of time, the real-world attacks and scalability that goes with lots of users and lots of attackers.
> Exchange 2000 is really one of Microsofts more secure products. Proper planning can mitigate most of the risk. Really it's a decision for the suits to make, not us. If the security is good enough though, is a question that only you can answer.
This is exactly what puts people into positions they can't get out of. "The suits" should *not* be making product decisions- they should be providing business requirements. Implementation details are best left to _technical_ people, who should know better than to build architectures which allow direct access to their core networks.

Everyone's been focusing on the unknown remote attacker here- and it's a valid concern, but probably half of the cases I've investigated this year are of the "internal user, or former user with access to lots of credentials goes bad" variety. Recovering from those attacks normally averages several hundred thousand dollars (Last FBI figure I heard was ~$1.4M USD)- even if catching the bad guy is easy, there's no way you're going to recover costs, let alone data- the attacker normally just got unemployed.

The worst network compromise I've ever seen was a site where "the suits" made the decisions about firewall rules. External attackers took advantage of that in a major and big way. I've never seen so many compromised machines.

I've done a fair amount of computer crime investigation, and there are two categories of badness that come into play more than others- 1. Management making what should be technical decisions, and 2. Inexperienced technical people dealing with risk factors they don't understand. Even with insider abuse, those and people who "just don't have time" to do the right thing come down to 99.9% of badness.

My boss isn't even close to stupid- knows a fair amount about security, and has access to more security experts than most- I still wouldn't let him make an implementation decision about what product to deploy for a particular requirement.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net  which may have no basis whatsoever in fact."
probertson () trusecure com
Director of Risk Assessment
TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
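The architectural point made in this exchange (a DMZ host is only as protective as the rules it needs back into the internal network) can be checked mechanically against a rule set. The following is an added example, not code from the thread or from any product mentioned in it: it models zone-to-zone firewall rules and, under the worst-case assumption that any host reachable from the Internet may be compromised and used as a pivot, lists which internal services end up exposed. Host names, zone labels and port numbers are constructed for illustration.

```python
"""Added example (not from the original thread): a small policy check that
models firewall rules between zones and reports which internal services
become reachable from the Internet once a DMZ host is used as a pivot.
All host names, zone labels and ports below are constructed."""
from collections import deque

# Constructed zone map: host name -> zone label.
ZONES = {
    "internet": "internet",
    "owa-fe": "dmz",
    "dmz-web": "dmz",
    "exchange": "internal",
    "dc": "internal",
    "fileserver": "internal",
}

# Each rule is (source, destination, tcp_port). The source may be a host
# name, a zone label, or "any".
# Constructed policy 1: an OWA front end in the DMZ that still needs holes
# back to the mail store and the directory (the "good stuff").
POLICY_OWA_IN_DMZ = [
    ("internet", "owa-fe", 443),
    ("owa-fe", "exchange", 135),   # constructed: RPC-style dependency
    ("owa-fe", "dc", 389),         # constructed: directory lookups
]

# Constructed policy 2: a DMZ host with no rule toward the internal zone.
POLICY_ISOLATED = [
    ("internet", "dmz-web", 443),
]


def reachable(rules, zones, start_hosts):
    """Breadth-first walk over permitted flows.

    Worst-case model: a host we control can open every flow the policy
    permits from it, and every destination it reaches is assumed to be
    compromisable and becomes a new pivot. Returns the set of
    (destination_host, port) endpoints reachable from start_hosts."""
    controlled = set(start_hosts)
    reached = set()
    queue = deque(start_hosts)
    while queue:
        src = queue.popleft()
        for rule_src, rule_dst, port in rules:
            # A rule applies if it names the pivot host, its zone, or "any".
            if rule_src not in (src, zones.get(src), "any"):
                continue
            reached.add((rule_dst, port))
            if rule_dst not in controlled:
                controlled.add(rule_dst)
                queue.append(rule_dst)
    return reached


def internal_exposure(rules, zones):
    """Internal endpoints an Internet-side attacker can reach, directly or
    by pivoting through whatever the policy lets the Internet talk to."""
    return {
        (host, port)
        for host, port in reachable(rules, zones, ["internet"])
        if zones.get(host) == "internal"
    }


if __name__ == "__main__":
    for name, policy in (("owa-in-dmz", POLICY_OWA_IN_DMZ),
                         ("isolated-dmz", POLICY_ISOLATED)):
        exposed = sorted(internal_exposure(policy, ZONES))
        print(f"{name}: internal exposure = {exposed or 'none'}")
```

Running it shows that the first policy exposes the mail store and the directory service through the DMZ host, while the file server stays behind the firewall; the second policy exposes nothing internal. The model deliberately ignores what each service actually does with the connection, which is the point: the review question is whether a rule from the DMZ into the internal zone exists at all, not whether the service behind it is believed to be safe.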