Need for SSL?

Coop

I'm having a debate with a co-worker about the need for SSL. The debate
originates from our need to provide external access to our SharePoint 2007
farm. We agree that we need to put the outfacing SharePoint farm in a DMZ to
isolate it from our intranet.

I say that we also need to make SSL part of the solution (using an SSL VPN
or ISA Server box with an SSL cert) if for no other reason than to encrypt
logon credentials.

He says that we can just create a NAT to the SharePoint server and allow
HTTP through port 80 and be done with it because "man-in-the-middle" attacks
are pretty much a thing of the past. He says further that the greater risk
with exposing resources to the Internet these days is from trojans and the
like on external PCs.

All the Microsoft best practices and model topologies for exposing
SharePoint include SSL. What do you think? Am I overstating the need?
 
rounner

I'd counter him with:

- SSL isn't that hard to implement and administer given the benefits.
- Man in the middle attacks are not the only reason you want SSL; suggest
phishing, where the user types their user name and password into a phony
website. The SSL cert proves that they are on the right web site.
- Also ask him where he heard man in the middle didn't matter anymore. I
suppose relative to some newer attacks it may seem less of a problem, but I
haven't seen any statements from NIST or any of the vulnerability watchdogs
about that. Don't forget man in the middle doesn't just mean internet; it can
include IT staff sitting on a router or server, for example.
 
Coop

Thanks for your comments reinforcing what I thought. I agree. I don't want
to force security to the extreme, especially since we're not talking about
highly sensitive data. But for a modest effort and cost, it is totally worth
it to implement SSL.

"rounner" wrote:

> I'd counter him with:
>
> - SSL isn't that hard to implement and administer given the benefits.
> - Man in the middle attacks are not the only reason you want SSL; suggest
> phishing, where the user types their user name and password into a phony
> website. The SSL cert proves that they are on the right web site.
> - Also ask him where he heard man in the middle didn't matter anymore. I
> suppose relative to some newer attacks it may seem less of a problem, but I
> haven't seen any statements from NIST or any of the vulnerability watchdogs
> about that. Don't forget man in the middle doesn't just mean internet; it can
> include IT staff sitting on a router or server, for example.
>
 
Alun Jones

"Coop" <Coop@discussions.microsoft.com> wrote in message
news:2DFFE544-91CD-4146-AD3D-711C629E2247@microsoft.com...
> He says that we can just create a NAT to the SharePoint server and allow
> HTTP through port 80 and be done with it because "man-in-the-middle" attacks
> are pretty much a thing of the past. He says further that the greater risk
> with exposing resources to the Internet these days is from trojans and the
> like on external PCs.

If MITM attacks are irrelevant, it's because they've been replaced by MITCS
attacks - Man-in-the-coffee-shop.

Intercepting Internet traffic at routers is hard - grabbing it out of the
air at a poorly-secured wireless provider is dead easy!

A VPN would be a great solution, but many coffee shops I've been to don't
support the protocols required for PPTP or L2TP, and SSL satisfies, as
others have pointed out, the requirement that authentication not be sniffed,
as well as that the remote server is identified correctly.

Alun.
~~~~
 