RE: [fw-wiz] NTLM authentication from DMZ
From: Paul D. Robertson (proberts@patriot.net)
Date: 09/25/02
- Next message: Ames, Neil: "[fw-wiz] Personal/Host-based Firewalls"
- Previous message: Steffen Kluge: "RE: [fw-wiz] NTLM authentication from DMZ"
- In reply to: Steffen Kluge: "RE: [fw-wiz] NTLM authentication from DMZ"
- Next in thread: Steffen Kluge: "RE: [fw-wiz] NTLM authentication from DMZ"
- Reply: Steffen Kluge: "RE: [fw-wiz] NTLM authentication from DMZ"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Paul D. Robertson" <proberts@patriot.net> To: Steffen Kluge <kluge@fujitsu.com.au> Date: Wed Sep 25 08:52:01 2002
On 25 Sep 2002, Steffen Kluge wrote:
> > Heh, that's exactly what I'm about to have to implement here. I'm planning
> > to use Apache+mod_proxy+mod_ssl and RSA SecurID in front of an OWA server.
> > Does anyone by chance have any pointers to hints on how to set up such a
> > baby?
>
> That's what I had planned at first, too, but it seemed too big and complex
> for a simple task. I ended up putting the Exchange and OWA boxes on the
That depends on your level of trust in two things: OWA/IIS and your
users' credentials...
> internal network, and a simple reverse proxy that can also act as SSL
> wrapper onto the DMZ. Authentication is done by OWA. The firewall allows
> only 443/tcp from Internet to reverse proxy, and 80/tcp from reverse
> proxy to OWA. The proxy software I'm using is pound. Still beta and with
> some stability issues but very promising.
You're exposing OWA via a proxy, and since the historical attacks against
it have been in-band, the proxy really isn't buying all that much
security-wise.
Unless you're handing out client-side certs (and we've had the SSL
complexity discussion here even before the last SSL worm,) the
authentication is going to be username/password for your users' accounts.
If those are guessable/derivable, then you're going to get a compromise
not only of the user's e-mail, but of their credentials. Obviously, if
you're using SecureID, then your only worry is OWA/IIS's code up to the
authentication, and the risk assessment there probably depends on your
comfort level with exposing MS' code (and your proxy implementation's SSL
layer.)
I *really* like mod_proxy with authentication, and I _really_ like
Secure-ID to ensure that credentials aren't exposed unnecessarily. It's
always been a pain to do both at the same time because the code doesn't
easily allow authentication credentials to be cached/cookied and that
sub-credential re-presented for each "hit." Not sure if you can do any
auth with the ACE module and mod_proxy- I'm not sure if a proxy can even
issue a cookie, though I'm sure with some frames and proxypass, it
wouldn't be all that much work to code up a solution...
I've used mod_proxy with RADIUS auth for internal firewalling before, but
it's been with static name/password values.
This is probably one of those scenarios where I'd be tempted to punt to a
VPNish solution just because you introduce enough complexity and mail
tends to be important enough that there are few downsides (but I also
think building historical precedents for extending access costing money is
a relatively good thing in most organizations.)
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@patriot.net which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
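An added illustration, not code from either poster, of the Apache mod_proxy+mod_ssl front end with proxy-side authentication that the thread discusses: TLS is terminated in the DMZ and a login is required before any request is forwarded to OWA. It uses Apache 2.4 syntax (which did not exist in 2002) and assumes mod_ssl, mod_proxy, mod_proxy_http and mod_auth_basic are loaded; the hostnames, certificate paths and htpasswd file are placeholders.

```apache
# Added example (assumed names/paths): DMZ reverse proxy in front of OWA.
# The firewall permits only 443/tcp from the Internet to this host and
# 80/tcp from this host to the OWA box, so this vhost is the single choke point.
Listen 443
<VirtualHost *:443>
    ServerName owa.example.com                                  # assumed public name
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/owa.example.com.crt    # assumed path
    SSLCertificateKeyFile /etc/ssl/private/owa.example.com.key  # assumed path

    # Authenticate at the proxy so unauthenticated requests never reach
    # IIS/OWA code. This is the static name/password case; a one-time
    # token (SecurID) cannot simply be re-presented on every hit, which is
    # the complexity the thread points out.
    <Location "/exchange/">
        AuthType Basic
        AuthName "Webmail"
        AuthBasicProvider file
        AuthUserFile /etc/apache2/owa.htpasswd                  # assumed path
        Require valid-user
    </Location>

    # Reverse proxy only; never act as a forward proxy for the Internet.
    ProxyRequests Off
    ProxyPreserveHost On
    # Forward only the OWA path to the internal Exchange box (assumed address).
    # The Authorization header is passed through, so OWA still performs its
    # own check with the same credentials.
    ProxyPass        "/exchange/" "http://owa.internal.example/exchange/"
    ProxyPassReverse "/exchange/" "http://owa.internal.example/exchange/"

    # Everything outside the OWA path is refused at the proxy.
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>
```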