Firewall Wizards mailing list archives
RE: NTLM authentication from DMZ
From: "Paul D. Robertson" <proberts () patriot net>
Date: Wed, 25 Sep 2002 09:04:38 -0400 (EDT)
On 25 Sep 2002, Steffen Kluge wrote:
>> Heh, that's exactly what I'm about to have to implement here. I'm planning to use Apache+mod_proxy+mod_ssl and RSA SecurID in front of an OWA server. Does anyone by chance have any pointers to hints on how to set up such a baby?
>
> That's what I had planned at first, too, but it seemed too big and complex for a simple task. I ended up putting the Exchange and OWA boxes on the

That depends on your level of trust in two things: OWA/IIS and your users' credentials...

> internal network, and a simple reverse proxy that can also act as SSL wrapper onto the DMZ. Authentication is done by OWA. The firewall allows only 443/tcp from Internet to reverse proxy, and 80/tcp from reverse proxy to OWA. The proxy software I'm using is pound. Still beta and with some stability issues but very promising.

You're exposing OWA via a proxy, and since the historical attacks against it have been in-band, the proxy really isn't buying all that much security-wise. Unless you're handing out client-side certs (and we've had the SSL complexity discussion here even before the last SSL worm,) the authentication is going to be username/password for your users' accounts. If those are guessable/derivable, then you're going to get a compromise not only of the user's e-mail, but of their credentials. Obviously, if you're using SecurID, then your only worry is OWA/IIS's code up to the authentication, and the risk assessment there probably depends on your comfort level with exposing MS' code (and your proxy implementation's SSL layer.)

I *really* like mod_proxy with authentication, and I _really_ like SecurID to ensure that credentials aren't exposed unnecessarily. It's always been a pain to do both at the same time because the code doesn't easily allow authentication credentials to be cached/cookied and that sub-credential re-presented for each "hit." Not sure if you can do any auth with the ACE module and mod_proxy- I'm not sure if a proxy can even issue a cookie, though I'm sure with some frames and proxypass, it wouldn't be all that much work to code up a solution... I've used mod_proxy with RADIUS auth for internal firewalling before, but it's been with static name/password values.

This is probably one of those scenarios where I'd be tempted to punt to a VPNish solution just because you introduce enough complexity and mail tends to be important enough that there are few downsides (but I also think building historical precedents for extending access costing money is a relatively good thing in most organizations.)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com
Director of Risk Assessment
TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
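The layout Steffen describes (only 443/tcp from the Internet to the proxy, only 80/tcp from the proxy to OWA, SSL terminated at the proxy) combined with the proxy-side authentication Paul says he likes, written out as an Apache httpd 2.4 mod_ssl/mod_proxy configuration. This is an added example, not configuration from either poster, from the pound project, or from Microsoft; the hostnames, certificate and password-file paths, and the /exchange path are assumptions. A static htpasswd file stands in for the RADIUS or ACE backend discussed in the thread.

```apache
# Added example (not from the thread): Apache httpd 2.4 as a TLS-terminating
# reverse proxy in the DMZ in front of an internal OWA/IIS host.
# All hostnames and paths below are assumed.

Listen 443

<VirtualHost *:443>
    # Assumed external name of the DMZ proxy.
    ServerName owa.example.org

    # TLS is terminated here; the proxy-to-OWA leg is plain 80/tcp,
    # which is why the firewall only needs to allow that one flow.
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/owa.example.org.crt
    SSLCertificateKeyFile /etc/apache2/ssl/owa.example.org.key

    # Reverse proxy only: never act as an open forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On

    # Default deny: any URL not explicitly mapped below is answered by
    # Apache with 403 and never reaches IIS code at all.
    <Location />
        Require all denied
    </Location>

    # Assumed OWA path. The proxy checks credentials before any request
    # is forwarded, so unauthenticated traffic never touches OWA/IIS; this
    # is the "only worry is the code up to the authentication" case.
    <Location /exchange>
        AuthType Basic
        AuthName "Outlook Web Access"
        AuthUserFile /etc/apache2/owa.htpasswd
        Require valid-user

        # Assumed internal name of the Exchange/OWA server (80/tcp only).
        ProxyPass        http://owa-internal.example.local/exchange
        ProxyPassReverse http://owa-internal.example.local/exchange
    </Location>
</VirtualHost>
```

Two points tie this back to the discussion. First, Basic authentication re-sends the credential with every request, which is exactly the "sub-credential re-presented for each hit" behaviour Paul notes is hard to get with a one-time SecurID token: the static name/password in the htpasswd file works with this scheme, a one-time code would not without the proxy issuing its own session cookie. Second, the default-deny <Location /> block is what limits exposure to the OWA paths you deliberately map; depending on the Exchange version, OWA needs further paths (for example /exchweb for static content), and each one should get its own authenticated <Location> block rather than a blanket ProxyPass /.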
Current thread:
- Re: NTLM authentication from DMZ, (continued)
- Re: NTLM authentication from DMZ Mikael Olsson (Sep 20)
- RE: NTLM authentication from DMZ Ben Nagy (Sep 19)
- RE: NTLM authentication from DMZ Noonan, Wesley (Sep 20)
- RE: NTLM authentication from DMZ Dawes, Rogan (ZA - Johannesburg) (Sep 20)
- RE: NTLM authentication from DMZ Bill Royds (Sep 21)
- RE: NTLM authentication from DMZ Noonan, Wesley (Sep 20)
- RE: NTLM authentication from DMZ manatworkyes moderator (Sep 22)
- RE: NTLM authentication from DMZ Reckhard, Tobias (Sep 23)
- RE: NTLM authentication from DMZ Peter Robinson (Sep 23)
- RE: NTLM authentication from DMZ Steffen Kluge (Sep 25)
- RE: NTLM authentication from DMZ Paul D. Robertson (Sep 25)
- RE: NTLM authentication from DMZ Steffen Kluge (Sep 26)