[mdlug] Here's my idea and rough sketch plan, is it feasible?

Joseph C. Bender jcbender at bendorius.com
Wed Oct 3 15:24:27 EDT 2007


Robert Adkins wrote:
> Hey All,
> 
[SNIP]
>  	So, here's my thoughts:
> 
> 	1. Setup an SSL certificate on our in-house webserver
> 
> 	2. Put a forwarder for HTTPS traffic in our firewall to the server
> 
> 	3. Change over our main website to something using a Content
> Management System with secure logins setup for the management team. 
> 
> 	4. They browse to our website, login, go to the secure page which
> will have a link to our in-house webserver using SSL, click on that and
> since they are referred from a secure location, the in-house server would be
> setup to accept their connection and allow them to check their email using
> the web-browser email application. Any attempted connection that isn't
> referred from the secure web page would be denied by the web server, which
> would hopefully put a good block against most hacking attempts.
> 
	I have doubts about it making it any more secure.  You're just adding a 
hop to the process.  Unless you're sharing login session data from the 
portal page to the webmail server, it would be fairly trivial to fake a 
an HTTP referrer in the request, if one wanted to take on the webmail 
server directly.

	The time would be better spent looking into a SSL VPN device that 
allows for proxying/gatewaying into the application, where it presents a 
far different set of session variables to the end-user, and filters the 
requests heading to the webserver.  They often include IDS/IPS 
functionality to detect vulnerability attempts against the device.

> ---
> 
> 	I also understand that some of these phones may allow the use of an
> SSH application, which means they MIGHT also be able to do port forwarding
> for other webapps on the phone. If that's the case, then all they'd need to
> do is pull up their SSH client, login and then possibly use the built-in
> Mobile Outlook application and read their email or use the web browser to
> connect as they currently do, with their laptops, on the road.
> 

	Rove (née Idokorro) Mobile SSH doesn't do port forwarding.  Can't say 
about the free mobile SSH client either (can't recall the name of it).

	You'd also have the problem of making sure the device would run both 
apps in a true multitasking mode as well.  Many phones make the 
background app sleep most of the time, if not outright pausing it.


> 	I'd like to know if either idea is feasible. I'd like the first idea
> to work nicely, as that means I would have very little work to do if they
> decide to switch devices or want to just check email on their nephew's
> computer in Botswana and don't have service on their cell phone. (Plus, it
> would go along with the whole, "Lazy Thing" we UNIX guys are into: "Do a lot
> of work up front so that you do less work over time.")
> 
	If this is a corporate mandate, there needs to be a corporate standard. 
  Anything that's outside of the standard doesn't get supported. 
Otherwise you'll run into phones that don't display the webmail 
correctly, and it becomes much much more of a support nightmare than you 
ever suspected.

	Honestly, if they're going to do this, the Blackberry Internet service 
and their push email system works wonderfully.  Compatible with IMAP and 
POP3, including synchronization with IMAP folders.  Managers love 
Blackberries.  *grin*



-- 
Joseph Bender
Bendorius Consulting
P: 248-434-5580
F: 248-434-5581
jcbender at bendorius com
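The point about faking the referrer, worked through as an added example (not code from either poster, and not a description of any product mentioned above). The portal and webmail hostnames, the header names and the shared key are all hypothetical. The first function is the check proposed in the original question, which admits anyone who types the right Referer into their request; the second is the alternative hinted at in the reply, where the portal hands the webmail server a signed, short-lived token that a client cannot mint without the shared key:

```python
"""Referer check versus signed hand-off token for a portal -> webmail hop.

Added illustration, not the list's code.  PORTAL_ORIGIN, SHARED_KEY and
the X-Portal-Token header name are hypothetical.
"""
import hashlib
import hmac
import time

PORTAL_ORIGIN = "https://portal.example.com"        # hypothetical portal site
SHARED_KEY = b"portal-and-webmail-shared-secret"   # hypothetical key, both servers hold it
TOKEN_LIFETIME = 60                                 # seconds a hand-off token stays valid


# --- Scheme 1: the Referer check from the original proposal -----------------

def referer_check(headers):
    """Admit the request if Referer names the portal.

    The client writes the Referer header itself, so a crafted request can
    supply whatever value this function wants to see."""
    return headers.get("Referer", "").startswith(PORTAL_ORIGIN + "/")


# --- Scheme 2: portal mints a signed token, webmail verifies it -------------

def issue_token(user, now=None):
    """Portal side, run only after the portal's own login succeeded.

    Token layout: user|expiry|hex(HMAC-SHA256(key, user|expiry))."""
    now = int(time.time()) if now is None else now
    expiry = now + TOKEN_LIFETIME
    msg = f"{user}|{expiry}".encode()
    mac = hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()
    return f"{user}|{expiry}|{mac}"


def verify_token(token, now=None):
    """Webmail side: return the user name if the token is genuine and
    unexpired, otherwise None.  Usernames must not contain '|'."""
    now = int(time.time()) if now is None else now
    try:
        user, expiry_s, mac = token.split("|")
        expiry = int(expiry_s)
    except ValueError:
        return None                     # wrong shape or non-numeric expiry
    expected = hmac.new(SHARED_KEY, f"{user}|{expiry}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None                     # forged or tampered (constant-time compare)
    if now >= expiry:
        return None                     # replayed after its lifetime
    return user


def token_check(headers, now=None):
    """Admit the request if X-Portal-Token verifies."""
    return verify_token(headers.get("X-Portal-Token", ""), now) is not None


# --- Demonstration -----------------------------------------------------------

# Constructed headers, not captured traffic.  The attacker never logged in
# to the portal; the request was built by hand with a plausible Referer.
FORGED_REQUEST = {
    "Host": "webmail.example.com",
    "Referer": PORTAL_ORIGIN + "/secure/links",
    "X-Portal-Token": "attacker|9999999999|00deadbeef",
}


def bypass_demo():
    """Return (admitted_by_referer_check, admitted_by_token_check) for the
    forged request.  Expected: the Referer check lets it through, the
    token check does not."""
    return referer_check(FORGED_REQUEST), token_check(FORGED_REQUEST)


if __name__ == "__main__":
    print("forged request admitted by referer check / token check:", bypass_demo())
    t = issue_token("alice", now=1000)
    print("genuine token verifies as:", verify_token(t, now=1030))
    print("same token after lifetime:", verify_token(t, now=1061))
```

The webmail server still needs a session of its own once the token is accepted, and the token should travel over HTTPS only; the example is about the admission decision, which is the part a faked Referer defeats.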


