RE: Updates from the Least Privilege Front

  • From: "Thor \(Hammer of God\)" <thor@xxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 6 Dec 2005 23:42:26 -0800

Pardon the delay in response-- I had to hike down to my mailbox on the perimeter to place an envelope for postal pickup in the morning. Took a while to make it back.

Responses inline:

GMT: Two or three or five factor auth would make it a better sell, agreed. But it is true that even the hosts on the auth'ed DMZ are Internet facing, >which makes them de facto, de jure, and Deus Attontibus part of a less trusted/secure/wholesome security zone that the "internal" hosts. So, you >could make an argument that you still need to filter between the auth'd DMZ and the "internal" Network. I've accounted for that in my schema, so I'm >good there.
I also agree that the traffic sourcing from the anonymous DMZ is not trusted at all, and some kind of inspection should be done between it and the >"internal" Network. That's why we have the Server Publishing Rule. I also agree that the traffic from the anonymous SMTP server is unauthenticated, >since its actually the "internal" mail server that's auth'ing -- but the auth'ing is just what we do to trigger the delivery "over an established" channel, >and that's where the security wankers get their jollies from, since a new connection is never established from the anonymous SMTP server to the >"internal" SMTP server. But you like pointed out, and like I pointed out in my Web boards posting, the actual, accrued benefits would be nominal, but >then you could fantasized situations where this would be advantageous, just as one would fantasize that the box would be completely own, and >hence not very advertageous. So we agree there again.
What would be Panglossian Solution would be to ATRN *and* have app inspection for that connection.

OK- I'm going to pretend that you didn't say "advertageous" in the last bit there. ;) All I would point out is that the "accounting for in your schema" does not, nor cannot, include ATRN traffic sourced from the internal network to the DMZ in regard to the SMTP filter. It is, therefore, a moot point. In the absence of an application layer filter for outbound SMTP that can insure protocol compliance, the whole ATRN utilization is obviated.

Regarding Voltaire, I would have to say that the consideration of an outbound SMTP filter would be far from Panglossian. It would be an intelligent, considered, and informed implementation.

GMT: Flashbang to distract you. 

Didn't work ;)


GMT: You sure about that? In my early testing "internal" DNS server is an Exchange 2003 server and the anonymous SMTP server is an IIS 6 SMTP >server. I've configured a user account on the IIS server for the Exchange Server to use, and I've enabled *only* Integrated authentication. So it >looks like this: 

<capture snipped>


So, I don't think its in clear text, since it looks like GSSAPI is using NTLM and it doesn't look very clear texty to me :) So I win this one unless you can >show me where I'm wrong.

Did you show the entire capture? GSSAPI is a Kerberos implementation. I'm wondering how that made it through an outbound SMTP rule. Not to mention that ATRN is not even a valid SMTP filter command in the first place-- nor are the other commands you captured (like chunking, etc) You wouldn't be cheating a bit with your captures, would you Doctor? Or do you have a proprietary "Kerberos via SMTP" tunnel I don't know about?

GMT: Well, I think it's a tie, depending on the "clear text" assessment of the authentication used in my ATRN configuration. 

Tie my ass!  You're pegged.  Gimme my damn shirt!!!

t




Other related posts:

  1. Home
  2. isalist
  3. Archive
  4. 12-2005