Re: [FW1] Outlook Web Access - Best pracice with FW-1
Do not allow HTTP, require clients to use SSL. Get a Certificate (strong if you can), and use HTTPS/SSL.

Treat it like a bastion host, lock it down, strip away all the IIS admin stuff and exploitable dlls etc etc. On the rule base, only allow the ports you need for it to talk to your exchange server. Don't use the default ports on the exch server, you can change them via a registry change.

There isn't any real need for periodic backup of the server, so take a ghost image and keep it on a diff partition/hd. (Useful for taking back to a known state in case of compromise.)

You could also install something like tripwire, intact, or ISS OSSensor on the owa svr and monitor it for unusual activity. Having out-of-band IDS and sniffer on all legs of firewall can be handy too.

Because OWA requires domain authentication, you should be careful with this one.

Rules might look something like:

    any, owa-bastion, http/s, accept
    owa-bastion, xch-svr, owa-rpc-dir/owa-rpc-info/epmap-tcp/epmap-udp, accept
    owa-bastion, dom-ctl, dns-udp, nbt, echo-request, accept
    xch-svr, owa-bastion, tcp-high-ports,epmap-tcp,epmap-udp, accept
    dom-ctl, owa-bastion, echo-reply, accept

----- Original Message -----
From: "Adrian Wilson" <[email protected]>
To: <[email protected]>
Sent: Thursday, January 18, 2001 6:22 AM
Subject: [FW1] Outlook Web Access - Best pracice with FW-1

>
> I am intending to implement Outlook Web Access through to the Internet. I am
> concerned that the implementation should be as secure as possible and would
> like to gather information regarding best practice. Any help would be much
> appreciated.
>
> Adrian J G Wilson
> VEGA Group PLC
>
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================