Firewall Wizards mailing list archives

RE: NTLM authentication from DMZ


From: Steffen Kluge <kluge () fujitsu com au>
Date: 27 Sep 2002 11:54:30 +1000

On Wed, 2002-09-25 at 23:04, Paul D. Robertson wrote:
> > internal network, and a simple reverse proxy that can also act as SSL 
> > wrapper onto the DMZ. Authentication is done by OWA. The firewall allows
> > only 443/tcp from Internet to reverse proxy, and 80/tcp from reverse 
> > proxy to OWA. The proxy software I'm using is pound. Still beta and with
> > some stability issues but very promising.
> 
> You're exposing OWA via a proxy, and since the historical attacks against 
> it have been in-band, the proxy really isn't buying all that much 
> security-wise.

That is true. However, I forgot to mention that we use URL filtering on 
the pound proxy, allowing us to strip attack URLs by re. Things like 
series of ../ or names of system files and directories guaranteed not to
be required for OWA.

Cheers
Steffen.
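
The URL filtering described in the message above, sketched as an added example (not part of the original post, and not pound's configuration syntax): the deny patterns run on the percent-decoded request path, because a regex applied to the raw request line misses encoded forms of ../. The pattern list, function names and sample paths are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed deny list: traversal segments plus system names OWA never needs.
DENY = [
    re.compile(r"(^|/)\.\.(/|$)"),                    # a ".." path segment
    re.compile(r"(^|/)(winnt|system32)(/|$)", re.I),  # system directories
    re.compile(r"(^|/)cmd\.exe($|[/?])", re.I),       # system file
]
MAX_DECODE_ROUNDS = 3  # assumption: deeper nesting is never legitimate


def normalize(raw_path):
    """Decode until stable so encoded input meets the same patterns.

    Returns None when the path is still changing after MAX_DECODE_ROUNDS
    or contains bytes that are not valid UTF-8.
    """
    path = raw_path
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)  # invalid byte sequences become U+FFFD
        if decoded == path:
            break
        path = decoded
    else:
        return None
    if "\ufffd" in path or any(ord(c) < 0x20 for c in path):
        return None
    return path.replace("\\", "/")  # treat both separators alike


def is_blocked(raw_path):
    """True if the proxy should refuse to forward this request path."""
    path = normalize(raw_path)
    if path is None:
        return True
    return any(p.search(path) for p in DENY)


if __name__ == "__main__":
    for sample in ("/exchange/user/Inbox/",            # constructed samples
                   "/exchange/%2e%2e/%2e%2e/x",
                   "/exchange/user/notes...draft.EML"):
        print(sample, "->", "deny" if is_blocked(sample) else "forward")
```

A deny list of this kind only removes known-bad shapes; it narrows what reaches OWA without changing the point made in the quoted reply that requests it does forward are still handled by OWA itself.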

