Firewall Wizards mailing list archives
RE: NTLM authentication from DMZ
From: Steffen Kluge <kluge () fujitsu com au>
Date: 27 Sep 2002 11:54:30 +1000
On Wed, 2002-09-25 at 23:04, Paul D. Robertson wrote:
> > internal network, and a simple reverse proxy that can also act as SSL wrapper onto the DMZ. Authentication is done by OWA. The firewall allows only 443/tcp from Internet to reverse proxy, and 80/tcp from reverse proxy to OWA. The proxy software I'm using is pound. Still beta and with some stability issues but very promising.
>
> You're exposing OWA via a proxy, and since the historical attacks against it have been in-band, the proxy really isn't buying all that much security-wise.

That is true. However, I forgot to mention that we use URL filtering on the pound proxy, allowing us to strip attack URLs by re. Things like series of ../ or names of system files and directories guaranteed not to be required for OWA.

Cheers
Steffen.
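
A sketch of the URL filtering described in the reply above, as an added example that is not part of the original post and not pound's own configuration or code. It shows the check a proxy-side filter needs before matching: decode the path until it is stable, so encoded forms of ../ hit the same deny patterns. The patterns, names and limits below are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Assumed deny patterns (constructed for this example, not the poster's rules):
# ../ or ..\ path segments, and system names an OWA request never needs.
DENY = [
    re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)"),
    re.compile(r"(?i)(?:^|[\\/])(?:winnt|system32|boot\.ini)(?:[\\/?]|$)"),
]
MAX_DECODE_ROUNDS = 3  # assumed limit; deeper nesting is rejected outright


def canonicalize(raw_path):
    """Percent-decode until the path stops changing.

    Returns None if it is still changing after MAX_DECODE_ROUNDS.
    Bytes that are not valid UTF-8 decode to U+FFFD (rejected in allow()).
    """
    path = raw_path
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            return path
        path = decoded
    return None


def allow(raw_path):
    """True if the request may be forwarded to the back end.

    The decoded form is used for matching only; a proxy would still
    forward the request as received.
    """
    path = canonicalize(raw_path)
    if path is None or "\ufffd" in path:
        return False
    if any(ord(c) < 0x20 for c in path):  # NUL and other control characters
        return False
    return not any(p.search(path) for p in DENY)


# Constructed sample requests, not taken from any real log.
SAMPLES = [
    "/exchange/user/Inbox/?Cmd=contents",
    "/exchange/notes..txt",
    "/exchange/../../winnt/",
    "/exchange/%2e%2e/%2e%2e/",
    "/exchange/%252e%252e%255cboot.ini",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print("ALLOW" if allow(s) else "DENY ", s)
```

A deny-list like this only covers the patterns someone thought to write down; an allow-list of the path prefixes OWA actually serves is the tighter form of the same control.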