RE: OWA security

["Martin K. Lee - XML Consulting" <martin.lee () xmlconsulting com au>]

Hi Beverly,

If you are serious about security you shouldn't use HTTP for OWA access
in the first place. HTTPS would help in this case (Well be aware of DoS
though).

Well if you are adding a separate web server into the network, I would
suggest a firewall for separating the web server and the internal
network. You may like to consider removing the connection of the PIX to
the internal network and make a DMZ for the web server.

My 2 cents...

Martin K. Lee

-----Original Message-----
From: Beverly Kittens [mailto:beverlykittens () hotmail com] 
Sent: Wednesday, December 17, 2003 12:43 AM
To: MDunn () sscincorporated com
Cc: security-basics () securityfocus com
Subject: RE: OWA security



Thanks Mike

In fact we are using and ISA server.  Proposed config looks like this.

Internet
    |
+------+             +------------------+
| PIX  |-----+----- | OWA Server |
+------+     |       +------------------+
   |           |
   |     +---------------+
   |     | ISA Server |
   |     +---------------+
   |           |
----------------------------+---
internal network      |
                    +----------------------+
                    | Xchange server |
                    +----------------------+

I'm trying to determine if this is a sensible architecture, and I'm
still 
rather unclear about the function of the ISA server in this context.

On a somewhat related topic:  What stops an attacker compromising the
web 
server then using it to attack an internal system?  Port 80 is open from
the 
Internet to the web server, and from the web server to the internal
systems. 
  Isn't this a huge security hole?


> From: "Michael Dunn" <MDunn () sscincorporated com>
> To: "Beverly Kittens" <beverlykittens () hotmail com>
> CC: <security-basics () securityfocus com>
> Subject: RE: OWA security
> Date: Mon, 15 Dec 2003 14:38:40 -0500
>
>
> Check out isaserver.org.
>
> You may or may not be using ISA server as your firewall, but in either
> case, there are several articles on 'best practices' for securing an 
> IIS/OWA server.
>
> Regards,
>
> -Mike
>
> -----Original Message-----
> From: Beverly Kittens [mailto:beverlykittens () hotmail com]
> Sent: Monday, December 15, 2003 10:32 AM
> To: security-basics () securityfocus com
> Subject: OWA security
>
>
>
> Hello list
>
> My company is currently implementing OWA to provide users with access 
> to email from any Internet machine.  I'd like to see the OWA server in 
> a DMZ, but this is currently up for discussion.  Sometimes operational 
> stuff gets in the way of security....
>
> Can anyone point me at a paper that describes the security implications

> of OWA, particularly the network related issues please.  I'd also be 
> interested to learn the difference between OWA and POP architecture.
>
> Thank you
>
> _________________________________________________________________
> Use MSN Messenger to send music and pics to your friends 
> http://www.msn.co.uk/messenger
>
>
> -----------------------------------------------------------------------
> ----
> -----------------------------------------------------------------------
-----
> -----------------------------------------------------------------------
> ----
> -----------------------------------------------------------------------
-----
>

_________________________________________________________________
It's fast, it's easy and it's free. Get MSN Messenger today! 
http://www.msn.co.uk/messenger


------------------------------------------------------------------------
---
------------------------------------------------------------------------
----


---------------------------------------------------------------------------
Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any
course! All of our class sizes are guaranteed to be 10 students or less.
We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention,
and many other technical hands on courses.
Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off
any course!
----------------------------------------------------------------------------