Open Firewall ports – FUD – Fear, Uncertainty and Doubt


There seems to be some FUD (Fear, Uncertainty and Doubt) being circulated by some of our competitors in the Mobile Email space.


The FUD is really in two areas:


1) We require lots of firewall ports open


2) This is ‘insecure’


Both areas are actually a huge misunderstanding:


For Windows Mobile/MSFP you do need to allow inbound access to the Exchange server somehow, but that can be done securely by using an ISA Server as the firewall in front of Exchange: it terminates the SSL connection on the ISA box, pre-authenticates the user (so nothing anonymous ever hits the real Exchange server), inspects the protocol for attempts to subvert it, and then re-encrypts the stream and forwards it on to Exchange.
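The bridge described above, as an added example that is not ISA Server's code nor code from this post: a small Python model of the edge that terminates SSL, refuses anything that does not pre-authenticate, and replays accepted requests over a fresh TLS session to Exchange. The backend host name, the edge certificate file names and the credential store are assumptions, and the protocol-inspection step is left out.

```python
import base64
import hmac
import http.client
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer

BACKEND = ("exchange.internal.example", 443)      # hypothetical internal Exchange host
USERS = {"alice": "correct horse battery staple"}  # constructed store standing in for AD

def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def authenticate(auth_header):
    """Return the user for a valid Basic credential, else None (refused at the edge)."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        user, sep, password = base64.b64decode(auth_header[6:], validate=True).decode().partition(":")
    except ValueError:  # bad base64 or bad UTF-8: never forwarded to Exchange
        return None
    expected = USERS.get(user)
    if not sep or expected is None or not hmac.compare_digest(password.encode(), expected.encode()):
        return None
    return user

class BridgeHandler(BaseHTTPRequestHandler):
    def do_POST(self):  # ActiveSync clients talk HTTP POST over port 443
        if authenticate(self.headers.get("Authorization")) is None:
            self.send_response(401)  # nothing anonymous ever reaches the backend
            self.send_header("WWW-Authenticate", 'Basic realm="ActiveSync"')
            self.end_headers()
            return
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        # Plaintext exists only inside this process: replay over a fresh, verified TLS session.
        fwd = {k: v for k, v in self.headers.items() if k.lower() not in ("host", "content-length")}
        backend = http.client.HTTPSConnection(*BACKEND, context=ssl.create_default_context())
        backend.request("POST", self.path, body, fwd)
        resp = backend.getresponse()
        self.send_response(resp.status)
        for name, value in resp.getheaders():
            if name.lower() not in ("transfer-encoding", "connection"): self.send_header(name, value)
        self.end_headers()
        self.wfile.write(resp.read())

if __name__ == "__main__":  # edge listener terminating SSL; certificate file names assumed
    srv = HTTPServer(("0.0.0.0", 443), BridgeHandler)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain("edge-cert.pem", "edge-key.pem")
    srv.socket = ctx.wrap_socket(srv.socket, server_side=True)
    srv.serve_forever()
```

The only segment that is ever in the clear is inside the edge process itself, between the two TLS sessions, which is what makes the answer to the "WAP gap" question a matter of hardening that one box.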


The only firewall port that needs to be opened is port 443, which is SSL. A large majority of our customers already have this port open for Outlook Web Access.


All traffic is encrypted using SSL (128-bit encryption).


Microsoft itself uses this exact approach and we have over 40,000 users using this environment securely:


http://www.microsoft.com/windowsmobile/business/strategy/scalability.mspx
 
If you wish to go one step further and enforce two-factor authentication above and beyond the protection that our firewall provides, then you can add any of the following:


1) Certificate-based user authentication
2) SecurID authentication
3) Private APN services in the GPRS world, where only specific devices can connect over a secure APN to a specific server.


Comments (10)
  1. Leigh says:

    This is to be expected. We got the same sort of FUD when rpc over http(s) first came out.

  2. Fergus says:

    Oh guys, please stop talking about fud, you’re cracking me up!! 😉 Do you know what that means north of the border?

  3. MSDNArchive says:

    Fergus – please enlighten us 🙂 (obviously via email if it’s really rude!)

  4. Fergus says:

    It’s a bit of a kid’s word referring to particular female organs, Jason. The kind of puerile word you rediscover when you’re 30-something… 🙂

  5. cjck says:

    Jason – Can you confirm that if you are using an ‘other’ firewall – not ISA Server – you can still terminate the SSL connection on Exchange with two-factor authentication (certificate) and identify the user?

  6. MSDNArchive says:

    cjck – absolutely. ISA just has many benefits over other firewalls in this scenario; however, any firewall where you can publish via port 443 is fine.

  7. kgs says:

    (Excellent site by the way)

    Question: If you were a highly security conscious enterprise though, which would  consider less of a risk then:

    a) One outbound port open to a specified range of trusted IP addresses

    b) An inbound port open to access from any IP address (unless as you point out, you want to go with the expensive option of a private APN)

    I don’t think anything can be proven 100% secure otherwise Microsoft would release so many patches. Surely it is a question of reducing risk where possible?

  8. kgs says:

    (sorry for the terrible grammar – should have read):

    Question: If you were a highly security conscious enterprise, which would you consider less of a risk?

    a) One outbound port open to a specified range of trusted IP addresses

    b) An inbound port open to access from any IP address (unless as you point out, you want to go with the expensive option of a private APN)

    I don’t think anything can be proven 100% secure otherwise Microsoft wouldn’t need to release so many patches. Surely it is a question of reducing risk where possible?

  9. kgs says:

    Another quick question:

    You say ‘The ISA box…re-encrypt[s] the stream and forwarding it on to Exchange.’

    Doesn’t this produce a ‘WAP gap’, as it is sometimes called, unencrypting the stream at the front end and then re-encrypting it before passing it on to Exchange? How much of the stream is unencrypted?

  10. Nino.Mobile says:


    Software / Hardware 

    infoSync World has a review of the Samsung SGH-i300 (you know,…

Comments are closed.