RE: [fw-wiz] Outlook Web Access - Paranoid?

From: Paul D. Robertson (proberts@patriot.net)
Date: 11/28/02


From: "Paul D. Robertson" <proberts@patriot.net>
To: Steve Evans <sevans@foundation.sdsu.edu>
Date: Thu Nov 28 09:57:01 2002

On Wed, 27 Nov 2002, Steve Evans wrote:

> One opinion I will express is that if you're going to use OWA (which I
> have no opinion on) putting it in the DMZ is useless. The reason you
> put things in the DMZ is so if they are compromised they still have a
> firewall to go through to get to the good stuff. Let me tell you, the
> ports you have to open are the good stuff.

Deploying Internet-facing systems that sit on the internal network can nullify the
firewall. Do that with either the wrong product at the wrong time, or too
many products, and there's no point in _having_ the firewall.

> And one more opinion. Exchange security isn't as bad as everyone is
> making it out to be. Is it good, no, it's a Microsoft product. But

From an MTA perspective, it's certainly worse than qmail or postfix. I
can find at least half a dozen security bulletins on Exchange 2k and OWA-
and while most of them are DoS issues, it doesn't give me any
confidence at all that these systems were engineered to be placed where
external users could potentially attack them.

If you're going to provide the sorts of services that, say an ISP provides
on the open Internet, it's really worth the time to look at systems which
have stood the test of time, the real-world attacks and scalability that
goes with lots of users and lots of attackers.

> Exchange 2000 is really one of Microsoft's more secure products. Proper
> planning can mitigate most of the risk. Really it's a decision for the
> suits to make, not us. If the security is good enough though, is a
> question that only you can answer.

This is exactly what puts people into positions they can't get out of.
"The suits" should *not* be making product decisions- they should be
providing business requirements. Implementation details are best left to
_technical_ people, who should know better than to build architectures
which allow direct access to their core networks. Everyone's been
focusing on the unknown remote attacker here- and it's a valid concern,
but probably half of the cases I've investigated this year are of the
"internal user, or former user with access to lots of credentials goes
bad" variety. Recovering from those attacks normally averages several
hundred thousand dollars (Last FBI figure I heard was ~$1.4M USD)- even if
catching the bad guy is easy, there's no way you're going to recover
costs, let alone data- the attacker normally just got unemployed.

The worst network compromise I've ever seen was a site where "the suits"
made the decisions about firewall rules. External attackers took
advantage of that in a major and big way. I've never seen so many
compromised machines.

I've done a fair amount of computer crime investigation, and there are
two categories of badness that come into play more than others- 1.
Management making what should be technical decisions, and 2. Inexperienced
technical people dealing with risk factors they don't understand. Even
with insider abuse, those and people who "just don't have time" to do the
right thing come down to 99.9% of badness.

My boss isn't even close to stupid- knows a fair amount about security,
and has access to more security experts than most- I still wouldn't let
him make an implementation decision about what product to deploy for a
particular requirement.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson
proberts@patriot.net
probertson@trusecure.com
Director of Risk Assessment, TruSecure Corporation
"My statements in this message are personal opinions which may have no basis whatsoever in fact."