Front Office Football Central  

Old 01-11-2010, 10:43 AM   #1
Galaril
Pro Starter
 
Join Date: Jan 2004
Corporate Network Security question

I know we have a bunch of network engineer types on here and had a question related to something my organization is doing on our Firewall:

Our firewall appears to only be letting 443 through for webmail. We recently moved our physical Data Center and in the move the contractors hired to help replicate our network made some changes apparently. We used to allow traffic through both ports 443 and 80 on the FW. But now we only have 443 open and are automatically redirecting 80 to 443 whenever anyone hits the server with 80. Microsoft said redirecting is pretty common practice.
One of our Network engineers mentioned that he thinks we should open up 80 as a convenience to users who forget the "S" in https. Personally, I have not run across this and wonder what some others at the "field level" thought about the redirecting through 443 to 80. I understand the benefit but wonder if it is really that much of a risk?

Old 01-11-2010, 10:49 AM   #2
jeff061
Grizzled Veteran
 
Join Date: Nov 2003
Location: MA
Not quite following, are you still redirecting now that 80 is closed or are port 80 requests just dying at the firewall?

I've always allowed 443 and 80, all requests through 80 are redirected to 443. Unless you have a user base that uses a link/bookmark, they will never be savvy enough to remember the S and will likely just call helpdesk every time it fails.
Old 01-11-2010, 10:51 AM   #3
jeff061
Grizzled Veteran
 
Join Date: Nov 2003
Location: MA
In this setup I believe any security risk that applies to 80 also applies to 443.

Edit: You need to make sure HTTPS requests are required on the Exchange virtual directory in IIS, very important. Otherwise people could manually type the entire URL, bypass the redirect and still load their mail over 80.
Last edited by jeff061 : 01-11-2010 at 10:53 AM.
Old 01-11-2010, 11:04 AM   #4
CraigSca
Pro Starter
 
Join Date: Jul 2001
Location: Not Delaware - hurray!
If you're using an ADC (application delivery controller), you don't have to open up port 80, too - you can just have it automatically change the protocol to HTTPS while it's redirecting.

Really, if your corporate data center doesn't mind man-in-the-middle attacks and eavesdropping, then port 80 should be fine. I'm not saying HTTPS is going to prevent that 100%, but it's pretty standard now that apps like corporate email will use port 443.
__________________
She loves you, yeah, yeah, yeah, yeah!
She loves you, yeah!
how do you know?
how do you know?
Last edited by CraigSca : 01-11-2010 at 11:06 AM.
Old 01-11-2010, 11:09 AM   #5
Alan T
Hall Of Famer
 
Join Date: Dec 2002
Location: Mass.
It is common practice to open up both tcp/80 and tcp/443 at the firewall for user convenience as your contractor said. The reason to redirect http to https is in order to have whatever logon information or sensitive data transferred to be passed inside of SSL and not clear text on public networks. Users however often forget to type https though for some sites.

If you block port 80 and only leave 443 open, then users who type https in will get there fine, but users who type http in will end up getting an unable to connect to server error message in their browser as the traffic would be dropped at the firewall prior to server redirection.

So allow 80 through as well, and make sure no content on the server is actually offered up on the port 80, only the redirect to https.

So I guess to summarize, you don't have to open up 80, but you'll likely have users who don't understand what is not working correctly for them when they don't type the URL correctly.
__________________
Couch to ??k - From the couch to a Marathon in roughly 18 months.
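One way to verify the setup jeff061 and Alan T describe (port 80 answers only with a redirect to https, the Exchange virtual directory refuses plain HTTP, nothing is served in the clear). This is an added example, not code from the thread; mail.example.com is a placeholder and the /owa/ and /exchange/ paths are assumed names for the webmail virtual directories.

```python
import http.client
import socket
from urllib.parse import urlsplit

# Verdicts for one request sent to port 80 without following redirects.
OK_REDIRECT = "redirect-to-https"           # what the thread wants on port 80
REFUSED = "refused-without-content"         # e.g. IIS 403 when Require SSL is set
SERVED_CLEAR = "content-served-over-http"   # the bypass jeff061 warns about
BAD_REDIRECT = "redirect-stays-on-http"     # Location is http:// or relative
FOREIGN_HOST = "redirect-to-other-host"     # Location points somewhere else
DROPPED = "no-answer-on-port-80"            # firewall drops 80 (Alan T's case)
OTHER = "unexpected-status"

def classify(status, location, host):
    """Classify one plain-HTTP response by status code and Location header."""
    if status in (301, 302, 303, 307, 308):
        target = urlsplit(location or "")
        if target.scheme.lower() != "https":
            return BAD_REDIRECT         # relative or http:// keeps the user in the clear
        if (target.hostname or "").lower() != host.lower():
            return FOREIGN_HOST
        return OK_REDIRECT
    if 200 <= status < 300:
        return SERVED_CLEAR
    if status == 403:
        return REFUSED
    return OTHER

def probe(host, path, timeout=5):
    """GET one path over port 80 and classify the answer; never follows redirects."""
    try:
        conn = http.client.HTTPConnection(host, 80, timeout=timeout)
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        verdict = classify(resp.status, resp.getheader("Location"), host)
        conn.close()
        return verdict
    except OSError:                     # refused, timed out or unreachable
        return DROPPED

def audit(host, paths=("/", "/owa/", "/exchange/")):
    """Probe the root plus the (assumed) Exchange virtual directory paths."""
    return {path: probe(host, path) for path in paths}

if __name__ == "__main__":
    # mail.example.com is a placeholder; point this at your own webmail host.
    for path, verdict in audit("mail.example.com").items():
        print(f"{path:12} {verdict}")
```

Anything other than redirect-to-https or refused-without-content on the Exchange paths means a user who types the full http:// URL gets past the redirect.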
Old 01-11-2010, 11:14 AM   #6
Galaril
Pro Starter
 
Join Date: Jan 2004
Quote:
Originally Posted by jeff061
Not quite following, are you still redirecting now that 80 is closed or are port 80 requests just dying at the firewall?

I've always allowed 443 and 80, all requests through 80 are redirected to 443. Unless you have a user base that uses a link/bookmark, they will never be savvy enough to remember the S and will likely just call helpdesk every time it fails.

We have done the same as you guys, allowed both 80 and 443, but currently we are only allowing 443 and any traffic going to 80 gets redirected through 443. I did not see why the contractor made the change and was curious if anyone knew another reason for it other than the obvious. Thanks for your response.
Old 01-11-2010, 11:45 AM   #7
Galaril
Pro Starter
 
Join Date: Jan 2004
Quote:
Originally Posted by Alan T
It is common practice to open up both tcp/80 and tcp/443 at the firewall for user convenience as your contractor said. The reason to redirect http to https is in order to have whatever logon information or sensitive data transferred to be passed inside of SSL and not clear text on public networks. Users however often forget to type https though for some sites.

If you block port 80 and only leave 443 open, then users who type https in will get there fine, but users who type http in will end up getting an unable to connect to server error message in their browser as the traffic would be dropped at the firewall prior to server redirection.

So allow 80 through as well, and make sure no content on the server is actually offered up on the port 80, only the redirect to https.

So I guess to summarize, you don't have to open up 80, but you'll likely have users who don't understand what is not working correctly for them when they don't type the URL correctly.

That makes sense and is what I thought as well.
Old 01-11-2010, 12:12 PM   #8
jeff061
Grizzled Veteran
 
Join Date: Nov 2003
Location: MA
Yeah. Just make sure you don't allow http connections through to the exchange directory, the redirect can be done at the root. I forget if https is required by default.
Old 01-11-2010, 02:33 PM   #9
Galaril
Pro Starter
 
Join Date: Jan 2004
Quote:
Originally Posted by jeff061
Yeah. Just make sure you don't allow http connections through to the exchange directory, the redirect can be done at the root. I forget if https is required by default.

Thanks.