Firewall Wizards mailing list archives

RE: NTLM authentication from DMZ


From: "Paul D. Robertson" <proberts () patriot net>
Date: Wed, 25 Sep 2002 09:04:38 -0400 (EDT)

On 25 Sep 2002, Steffen Kluge wrote:

> > Heh, that's exactly what I'm about to have to implement here. I'm planning
> > to use Apache+mod_proxy+mod_ssl and RSA SecurID in front of an OWA server.
> > Does anyone by chance have any pointers to hints on how to set up such a
> > baby?
>
> That's what I had planned at first, too, but it seemed too big and complex
> for a simple task. I ended up putting the Exchange and OWA boxes on the

That depends on your level of trust in two things:  OWA/IIS and your 
user's credentials...

> internal network, and a simple reverse proxy that can also act as SSL 
> wrapper onto the DMZ. Authentication is done by OWA. The firewall allows
> only 443/tcp from Internet to reverse proxy, and 80/tcp from reverse 
> proxy to OWA. The proxy software I'm using is pound. Still beta and with
> some stability issues but very promising.

You're exposing OWA via a proxy, and since the historical attacks against 
it have been in-band, the proxy really isn't buying all that much 
security-wise.

Unless you're handing out client-side certs (and we've had the SSL 
complexity discussion here even before the last SSL worm), the 
authentication is going to be username/password for your users' accounts.  
If those are guessable/derivable, then you're going to get a compromise 
not only of the user's e-mail, but of their credentials.  Obviously, if 
you're using SecurID, then your only worry is OWA/IIS's code up to the 
authentication, and the risk assessment there probably depends on your 
comfort level with exposing MS' code (and your proxy implementation's SSL 
layer).

I *really* like mod_proxy with authentication, and I _really_ like 
SecurID to ensure that credentials aren't exposed unnecessarily.  It's 
always been a pain to do both at the same time because the code doesn't 
easily allow authentication credentials to be cached/cookied and that 
sub-credential re-presented for each "hit."  Not sure if you can do any 
auth with the ACE module and mod_proxy; I'm not sure if a proxy can even 
issue a cookie, though I'm sure with some frames and proxypass, it 
wouldn't be all that much work to code up a solution...

I've used mod_proxy with RADIUS auth for internal firewalling before, but 
it's been with static name/password values.

This is probably one of those scenarios where I'd be tempted to punt to a 
VPNish solution just because you introduce enough complexity and mail 
tends to be important enough that there are few downsides (but I also 
think building historical precedents for extending access costing money is 
a relatively good thing in most organizations.)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
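The "cached/cookied sub-credential" Paul describes (a one-time SecurID login at the proxy, then a short-lived token re-presented on every hit instead of the one-time code) is sketched below as an added example; it is not code from the thread, from pound, or from Apache's ACE module, and the HMAC key and the 15-minute lifetime are assumptions.

```python
"""Issue and check a signed session cookie that stands in for a one-time password
after the initial login. Added example; the key and lifetime are constructed values."""
import base64
import hashlib
import hmac
import json

SESSION_TTL = 15 * 60  # assumed policy: a sub-credential is good for 15 minutes


def _b64(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _unb64(enc: bytes) -> bytes:
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))


class SessionIssuer:
    """Lives on the reverse proxy; the key never leaves it."""

    def __init__(self, key: bytes, ttl: int = SESSION_TTL):
        self.key = key
        self.ttl = ttl

    def _tag(self, body: bytes) -> bytes:
        return _b64(hmac.new(self.key, body, hashlib.sha256).digest())

    def issue(self, user: str, now: float) -> str:
        """Called once, right after the one-time-password check succeeded."""
        payload = json.dumps({"u": user, "exp": int(now) + self.ttl},
                             separators=(",", ":")).encode()
        body = _b64(payload)
        return (body + b"." + self._tag(body)).decode()

    def check(self, cookie: str, now: float):
        """Called on every subsequent hit: returns the user, or None to force a new login."""
        try:
            body, tag = cookie.encode().split(b".", 1)
        except ValueError:
            return None  # malformed cookie
        if not hmac.compare_digest(self._tag(body), tag):
            return None  # forged or tampered
        payload = json.loads(_unb64(body))
        if payload["exp"] <= now:
            return None  # expired: user must present a fresh one-time code
        return payload["u"]
```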
