RE: Outlook Web Access - Paranoid?

[Christopher Lee <complexity () bigfoot com>]

I will probably get flamed for this...   But here it is...

While the number of RPC ports one must open to allow OWA(or any MS DCOM apps) 
to work is insane, that doesn't mean you have open them manually.  Check Point 
firewall (for example) has the smarts to be able to open them dynamically as 
needed.  This way, unless the intruder is able to forge the same DCOM/RPC 
communications, the exposure is not all that bad...

I am sure other "smart" proxy firewalls probably have similar DCOM/RPC proxies 
that will do the same.

Now, that being said, for those intruder who know what they are doing, any open-
port is a potential point of entry...  :-(

Okay, flame shield up....

p/s, DCOM is different from RPC (though similar).

Christopher Lee 
PGP Fingerprint: 15C1 65D0 E051 C64D 5246  89FC 5AE3 DE2C 8F1E 89A7 
Personal Web Page: http://complexity.webhop.net


Quoting Steve Evans <sevans () foundation sdsu edu>:

> Since I'm an Exchange 2000 systems administrator I thought I'd clear up
> some of the technical requirements of OWA.  I've heard quite a few
> things that are impossible/wrong.  I'm not going to argue about whether
> or not Exchange is a worthy product.  Just going to present the facts of
> what is required.
>
> An OWA server needs access to the GC's and the backend servers.
>
> GC's (domain controllers)
> 389 TCP/UDP (LDAP to Directory Server)
> 3268 TCP (LDAP to Global Catalog)
> 88 TCP/UDP (Kerberos)
> 135 TCP (RPC)
> 1024 and greater/TCP (more RPC)
>
> And only 80 to the Back-End Server
>
>
> SQL server is not required (they are talking about using the SQL server
> engine for the database in future versions) and you the OWA server has
> to be an Exchange server.  Not just a box running IIS.  And it has to be
> part of the domain.
>
>
> One opinion I will express is that if you're going to use OWA (which I
> have no opinion on) putting it in the DMZ is useless.  The reason you
> put things in the DMZ is so if they are compromised they still have a
> firewall to go through to get to the good stuff.  Let me tell you, the
> ports you have to open are the good stuff.
>
> And one more opinion.  Exchange security isn't as bad as everyone is
> making it out to be.  Is it good, no, it's a Microsoft product.  But
> Exchange 2000 is really one of Microsofts more secure products.  Proper
> planning can mitigate most of the risk.  Really it's a decision for the
> suits to make, not us.  If the security is good enough though, is a
> question that only you can answer.
>
> Steve Evans
> SDSU Foundation
> (619) 594-0653 
>
> -----Original Message-----
> From: Paul D. Robertson [mailto:proberts () patriot net] 
> Sent: Tuesday, November 26, 2002 4:43 PM
> To: Mark L. Evans
> Cc: 'Firewall-Wizards (E-mail)
> Subject: Re: [fw-wiz] Outlook Web Access - Paranoid?
>
>
> On Tue, 26 Nov 2002, Paul Robertson wrote:
>
> > Let's not forget that you're now putting this server in the critical
> > update path for every IIS, SQL and Exchange patch- can your mail users
>
>
> Both Wes Noonan and Frank Knobbe have pointed out to me that I'm 
> hallucinating about SQL server being burried in Exchange.  I still stand
>
> by the rest of the rant...
>
> Paul
> ------------------------------------------------------------------------
> -----
> Paul D. Robertson      "My statements in this message are personal
> opinions
> proberts () patriot net      which may have no basis whatsoever in fact."
>
> _______________________________________________
> firewall-wizards mailing list firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards