Firewall Wizards mailing list archives
Re: Outlook Web Access - Paranoid?
From: "Patrick M. Hausen" <hausen () punkt de>
Date: Mon, 2 Dec 2002 08:57:58 +0100 (CET)
Hi Wizards!
> We're trying to come up with the least dangerous method of allowing our
> users to check their email on MS Exchange. We currently allow them to use
> POP3 only. Our management would like to use Outlook Web Access. I have
> followed the issue on several mailing lists. I know it's a bad idea to use
> Exchange at all but management thinks I am too paranoid on this issue. It
> seems the best method is a reverse proxy using squid on a DMZ machine and
> then into the IIS server on the inside over SSL. What are your
> opinions/suggestions on this issue? Do you have any other methods that are
> more secure?
Possibly this has been stated before and I missed that particular mail. Sorry, if this is indeed the case.

IMHO the only reasonably secure way to allow external users to access their email and calendars while keeping all (well, most) of Exchange's features is establishing a VPN tunnel to the Exchange server. Then it's up to the user to choose from accessing Exchange directly with Outlook or using OWA - depending on the performance of his/her Internet/VPN connection.

I can't think of any other method that adds _any_ security to the application. If you suspect that OWA is susceptible to all kinds of buffer overflows etc. it doesn't matter if you use SSL or some kind of DMZ setup or else. You need to establish a secure channel first, with strong authentication, then allow the authenticated insider to access the insecure application.

Note that this is completely ignoring the threat posed by malevolent insiders. ;-)

Regards,
Patrick M. Hausen
Technical Director

--
punkt.de GmbH
Internet - Dienstleistungen - Beratung
Scheffelstr. 17 a
Tel. 0721 9109 -0 Fax: -100
76135 Karlsruhe
http://punkt.de
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards