Re: [fw-wiz] Outlook Web Access - Paranoid?

From: Patrick M. Hausen (hausen@punkt.de)
Date: 12/02/02


From: "Patrick M. Hausen" <hausen@punkt.de>
To: Matt Wilbur <matt@efs.org>
Date: Mon Dec  2 07:30:17 2002

Hi Wizards!

> > We're trying to come up with the least dangerous method of allowing our
> > users to check their email on MS Exchange. We currently allow them to use
> > POP3 only. Our management would like to use Outlook Web Access. I have
> > followed the issue on several mailing lists. I know it's a bad idea to use
> > Exchange at all but management thinks I am too paranoid on this issue.
> >
> > It seems the best method is a reverse proxy using squid on a DMZ machine and
> > then into the IIS server on the inside over SSL. What are your
> > opinions/suggestions on this issue? Do you have any other methods that are
> > more secure?

Possibly this has been stated before and I missed that particular mail.
Sorry if this is indeed the case.

IMHO the only reasonably secure way to allow external users
to access their email and calendars while keeping all (well, most)
of Exchange's features is establishing a VPN tunnel to the Exchange
server.

Then it's up to the user to choose from accessing Exchange directly
with Outlook or using OWA - depending on the performance of his/her
Internet/VPN connection.

I can't think of any other method that adds _any_ security to the
application. If you suspect that OWA is susceptible to all kinds
of buffer overflows etc. it doesn't matter if you use SSL or
some kind of DMZ setup or else. You need to establish a secure
channel first, with strong authentication, then allow the authenticated
insider to access the insecure application.

Note that this is completely ignoring the threat posed by malevolent
insiders. ;-)

Regards,

Patrick M. Hausen
Technical Director

-- 
punkt.de GmbH         Internet - Dienstleistungen - Beratung
Scheffelstr. 17 a     Tel. 0721 9109 -0 Fax: -100
76135 Karlsruhe       http://punkt.de

