
Re: [FW1] Outlook Web Access - Best practice with FW-1



Do not allow HTTP, require clients to use SSL.
Get a Certificate (strong if you can), and use HTTPS/SSL.

Treat it like a bastion host: lock it down and strip away all the IIS admin stuff,
exploitable DLLs, etc. In the rule base, only allow the ports you need
for it to talk to your Exchange server. Don't use the default ports on the Exchange
server; you can change them via a registry change. There isn't any real need
for periodic backup of the server, so take a Ghost image and keep it on a different
partition/HD (useful for taking back to a known state in case of compromise).

You could also install something like Tripwire, Intact, or ISS OSSensor on
the OWA server and monitor it for unusual activity.

Having an out-of-band IDS and sniffer on all legs of the firewall can be handy too.

Because OWA requires domain authentication, you should be careful with this one.
Rules might look something like:
any,    owa-bastion,    http/s,    accept
owa-bastion,    xch-svr,    owa-rpc-dir/owa-rpc-info/epmap-tcp/epmap-udp,    accept
owa-bastion,    dom-ctl,    dns-udp, nbt, echo-request,    accept
xch-svr,    owa-bastion,    tcp-high-ports,epmap-tcp,epmap-udp,    accept
dom-ctl,    owa-bastion,    echo-reply,    accept

----- Original Message ----- 
From: "Adrian Wilson" <[email protected]>
To: <[email protected]>
Sent: Thursday, January 18, 2001 6:22 AM
Subject: [FW1] Outlook Web Access - Best practice with FW-1


> 
> I am intending to implement Outlook Web Access through to the Internet. I am
> concerned that the implementation should be as secure as possible and would
> like to gather information regarding best practice. Any help would be much
> appreciated.
> 
> Adrian J G Wilson
> VEGA Group PLC
> 
> 
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
> 
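The rule base suggested in the reply, checked mechanically, as an added example that is not part of the original messages: this Python parses the five rule lines (whose service lists mix `,` and `/` separators), evaluates flows first-match, and audits what is exposed. It assumes that `http/s` means both http and https, that unmatched traffic hits a final drop rule, and that `internet` is a stand-in source name.

```python
import re

# Rule lines transcribed from the reply: source, destination, services, action.
RULE_TEXT = """\
any,    owa-bastion,    http/s,    accept
owa-bastion,    xch-svr,    owa-rpc-dir/owa-rpc-info/epmap-tcp/epmap-udp,    accept
owa-bastion,    dom-ctl,    dns-udp, nbt, echo-request,    accept
xch-svr,    owa-bastion,    tcp-high-ports,epmap-tcp,epmap-udp,    accept
dom-ctl,    owa-bastion,    echo-reply,    accept
"""

def parse_rules(text):
    """Fields 1 and 2 are source and destination, the last field is the action,
    and everything between is the service list, separated by ',' or '/'."""
    rules = []
    for line in text.strip().splitlines():
        fields = [f.strip() for f in line.split(",")]
        # Assumption: "http/s" is shorthand for the two services http and https.
        svc_text = ",".join(fields[2:-1]).replace("http/s", "http/https")
        rules.append({"src": fields[0], "dst": fields[1], "action": fields[-1],
                      "services": [s for s in re.split(r"[,/]", svc_text) if s]})
    return rules

def decide(rules, src, dst, service):
    """First matching rule wins; unmatched traffic is dropped (assumed final drop rule)."""
    for r in rules:
        if r["src"] in ("any", src) and r["dst"] in ("any", dst) and service in r["services"]:
            return r["action"]
    return "drop"

def audit(rules):
    """Return (findings, reach): rules that expose cleartext http to any source,
    and every (destination, service) the bastion itself may open if compromised."""
    findings = [f"rule {n}: cleartext http accepted from any source"
                for n, r in enumerate(rules, 1)
                if r["action"] == "accept" and r["src"] == "any" and "http" in r["services"]]
    reach = sorted({(r["dst"], s) for r in rules
                    if r["action"] == "accept" and r["src"] == "owa-bastion"
                    for s in r["services"]})
    return findings, reach

if __name__ == "__main__":
    rules = parse_rules(RULE_TEXT)
    print(decide(rules, "internet", "xch-svr", "https"))  # direct path to Exchange
    for item in audit(rules):
        print(item)
```

Under the stated reading of `http/s`, the audit flags the first rule against the reply's own advice to require SSL, and the `reach` list is the set of internal services to watch on the IDS legs if the bastion is ever compromised.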

   All contents © 2004 Network Presence, LLC. All rights reserved.