Firewall Wizards mailing list archives

Re: Outlook Web Access - Paranoid?


From: "Patrick M. Hausen" <hausen () punkt de>
Date: Mon, 2 Dec 2002 08:57:58 +0100 (CET)

Hi Wizards!

We're trying to come up with the least dangerous method of allowing our
users to check their email on MS Exchange. We currently allow them to use
POP3 only. Our management would like to use Outlook Web Access. I have
followed the issue on several mailing lists. I know it's a bad idea to use
Exchange at all but management thinks I am too paranoid on this issue.

It seems the best method is a reverse proxy using squid on a DMZ machine and
then into the IIS server on the inside over SSL. What are your
opinions/suggestions on this issue? Do you have any other methods that are
more secure?

Possibly this has been stated before and I missed that particular mail.
Sorry, if this is indeed the case.

IMHO the only reasonably secure way to allow external users
to access their email and calendars while keeping all (well, most)
of Exchange's features is establishing a VPN tunnel to the Exchange
server.

Then it's up to the user to choose from accessing Exchange directly
with Outlook or using OWA - depending on the performance of his/her
Internet/VPN connection.

I can't think of any other method that adds _any_ security to the
application. If you suspect that OWA is susceptible to all kinds
of buffer overflows etc. it doesn't matter if you use SSL or
some kind of DMZ setup or else. You need to establish a secure
channel first, with strong authentication, then allow the authenticated
insider to access the insecure application.

Note that this is completely ignoring the threat posed by malevolent
insiders. ;-)


Regards,

Patrick M. Hausen
Technical Director
-- 
punkt.de GmbH         Internet - Dienstleistungen - Beratung
Scheffelstr. 17 a     Tel. 0721 9109 -0 Fax: -100
76135 Karlsruhe       http://punkt.de