RE: [fw-wiz] Outlook Web Access - Paranoid?

From: Christopher Lee (complexity@bigfoot.com)
Date: 11/28/02


From: Christopher Lee <complexity@bigfoot.com>
To: Steve Evans <sevans@foundation.sdsu.edu>
Date: Thu Nov 28 18:33:01 2002

I will probably get flamed for this... But here it is...

While the number of RPC ports one must open to allow OWA (or any MS DCOM apps)
to work is insane, that doesn't mean you have to open them manually. Check Point
firewall (for example) has the smarts to be able to open them dynamically as
needed. This way, unless the intruder is able to forge the same DCOM/RPC
communications, the exposure is not all that bad...

I am sure other "smart" proxy firewalls probably have similar DCOM/RPC proxies
that will do the same.

Now, that being said, for those intruders who know what they are doing, any open
port is a potential point of entry... :-(

Okay, flame shield up....

P.S. DCOM is different from RPC (though similar).

Christopher Lee
PGP Fingerprint: 15C1 65D0 E051 C64D 5246 89FC 5AE3 DE2C 8F1E 89A7
Personal Web Page: http://complexity.webhop.net

Quoting Steve Evans <sevans@foundation.sdsu.edu>:

> Since I'm an Exchange 2000 systems administrator I thought I'd clear up
> some of the technical requirements of OWA. I've heard quite a few
> things that are impossible/wrong. I'm not going to argue about whether
> or not Exchange is a worthy product. Just going to present the facts of
> what is required.
>
> An OWA server needs access to the GC's and the backend servers.
>
> GC's (domain controllers)
> 389 TCP/UDP (LDAP to Directory Server)
> 3268 TCP (LDAP to Global Catalog)
> 88 TCP/UDP (Kerberos)
> 135 TCP (RPC)
> 1024 and greater/TCP (more RPC)
>
> And only 80 to the Back-End Server
>
>
> SQL server is not required (they are talking about using the SQL server
> engine for the database in future versions) and the OWA server has
> to be an Exchange server. Not just a box running IIS. And it has to be
> part of the domain.
>
>
> One opinion I will express is that if you're going to use OWA (which I
> have no opinion on) putting it in the DMZ is useless. The reason you
> put things in the DMZ is so if they are compromised they still have a
> firewall to go through to get to the good stuff. Let me tell you, the
> ports you have to open are the good stuff.
>
> And one more opinion. Exchange security isn't as bad as everyone is
> making it out to be. Is it good? No, it's a Microsoft product. But
> Exchange 2000 is really one of Microsoft's more secure products. Proper
> planning can mitigate most of the risk. Really it's a decision for the
> suits to make, not us. Whether the security is good enough, though, is a
> question that only you can answer.
>
> Steve Evans
> SDSU Foundation
> (619) 594-0653
>
> -----Original Message-----
> From: Paul D. Robertson [mailto:proberts@patriot.net]
> Sent: Tuesday, November 26, 2002 4:43 PM
> To: Mark L. Evans
> Cc: 'Firewall-Wizards (E-mail)
> Subject: Re: [fw-wiz] Outlook Web Access - Paranoid?
>
>
> On Tue, 26 Nov 2002, Paul Robertson wrote:
>
> > Let's not forget that you're now putting this server in the critical
> > update path for every IIS, SQL and Exchange patch- can your mail users
>
>
> Both Wes Noonan and Frank Knobbe have pointed out to me that I'm
> hallucinating about SQL server being buried in Exchange. I still stand
> by the rest of the rant...
>
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson      "My statements in this message are personal opinions
> proberts@patriot.net    which may have no basis whatsoever in fact."
>
> _______________________________________________
> firewall-wizards mailing list firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards