If you wanted to save money (without compromising security) you could put a Linux box using Apache's mod_proxy in place of the ISA box. You need to use mod_ssl with Apache in this case to ensure the traffic is encrypted between the user and the Apache box ... This works well in the NT/Exchange 5.5 environment - not sure about win2k/Exchange 2k environment ...
There's a good page at:
http://www.whalecomm.com/owa_security.htm
which describes some of the other security issues with OWA. The issue that has always floored me is the last one entitled "Insecure logoff capabilities". They describe a scenario which is a real eye-opener (See how easy it is to hack a CEO's mailbox) and for which Microsoft seems to have no good answer. Again, I'm not sure if this is still an issue with IIS 5.0/Exchange 2000 ... But simply telling users they have to close their browser to prevent unauthorized access (on a public computer) is not very secure ...
The truth about OWA, from a Hacker/security vendor's site read on.
The security threats present in most implementations of Microsoft Outlook Web Access can be broken down into five main categories:
Web-server vulnerabilities - There are numerous security vulnerabilities discovered in web-server software every month, and web-based email systems are susceptible to the problems of their underlying web servers (i.e. Microsoft IIS); this poses a major problem for security conscious organizations. In the case of Exchange 2000, this problem is compounded by the fact that the OWA server is a full-blown Exchange server, and is subject to both IIS and Exchange vulnerabilities.
Network architecture issues - Typical architectures are designed in such a fashion that hackers may be able to access internal systems through network connections and opened firewall ports (including several ports opened for sensitive communications such as NetBIOS and RPC, as well as various UDP ports). A common misconception is that upgrading to Exchange 2000 will solve these network-connection issues, however upgrading may actually increase the risk of a successful penetration, since more ports may need to be opened from the Front End to the Back End Exchange servers, than from the OWA 5.5 server to its Exchange counterpart.
Authentication and encryption problems - Typical deployments of Outlook Web Access (2000 and 5.5) involve the storing of an SSL certificate and decryption key in the DMZ, where they are susceptible to hackers. Intruders could access the certificate and/or key and use them to impersonate the organization. They may also spoof a legitimate machine from the DMZ in order to communicate directly with internal back-end resources, and completely circumvent the authentication process. In addition, these deployments do not implement encryption from the DMZ to the back-end, so a hacker listening in on the DMZ ne