Is IMAP on exchange really a HUGE security risk??

Discussion in 'iPhone' started by lom8104, Jul 3, 2007.

  1. lom8104 macrumors regular

    Joined:
    Feb 7, 2005
    #1
    our outside IT guys refuse to enable IMAP (or pop) on our 2003 exchange server on the basis that it is a quote "HUGE security risk" and "very hacker prone." For all you tech guys out there is this BS or is there some validity? I apologize if this isn't entirely iPhone specific but i don't know where else to ask this question and I'm sure there are other iPhone users in this situation.
     
  2. princealfie macrumors 68030

    princealfie

    Joined:
    Mar 7, 2006
    Location:
    Salt Lake City UT
    #2
    That's because they are using XP or Vista. Of course, anything Windows is going to be a huge security risk.
     
  3. lom8104 thread starter macrumors regular

    Joined:
    Feb 7, 2005
    #3
    Where is the risk? I couldn't find much info about it online other than a denial of service attack. We are a small company i doubt anyone tries to hack into our server.
     
  4. princealfie macrumors 68030

    princealfie

    Joined:
    Mar 7, 2006
    Location:
    Salt Lake City UT
    #4
    Indeed, I think that it's a M$ conspiracy to keep people to use their networks...
     
  5. avalys macrumors 6502

    Joined:
    Jun 4, 2004
    #5
    IMAP and POP transmit your username, password, and the contents of all your messages in plain text. This means they can be intercepted relatively easily.

    However, IMAP and POP can use SSL encryption, which is what is used on encrypted web pages, and is theoretically quite secure. The iPhone supports SSL as well.

    However, I'm not sure if Exchanges supports encrypted POP or IMAP. I would guess that it doesn't.
     
  6. paj macrumors regular

    paj

    Joined:
    Jun 14, 2003
    Location:
    USA
    #6
    It's not necessarily the enabling of IMAP that's the risk. It's allowing IMAP access to your corporate email servers from the outside world that's the problem. With OWA, you have only have a web server in the DMZ. all traffic from that web server to the mail servers on other side of the corporate firewall is secure. With IMAP, they'd have to open up the mail servers to be accessible directly from the outside.
     
  7. lom8104 thread starter macrumors regular

    Joined:
    Feb 7, 2005
    #7
    So would it help if we had a separate mail server from our file server or does SSL encription mitigate the risk?
     
  8. jettredmont macrumors 68030

    Joined:
    Jul 25, 2002
    #8
    You can have a firewalled IMAP server just like you'd have a firewalled Exchange server. If you want IMAP accessible to the outside world, then the only hole you poke through is the IMAP port, just like for Exchange or your web server. If you feel the need for a server to be sitting in a fully DMZ and accessing your back end from there, you can configure an IMAP forwarder just as easily as an OWA web server.

    The CORRECT answer is this:

    1. OWA or Exchange is already accessible through the firewall and is an accepted risk. Adding IMAP will not remove the existing risk (because you can not stop your existing users from using OWA/Exchange), so even though it is actually LESS risky than OWA or Exchange, the net risk increases.

    2. No one ever got fired for using Microsoft. If someone infiltrates the email system through OWA or Exchange all fingers point at MS and your competitors are running the same risk. If you have some non-MS software in the mix which gets compromised, the guy who bought it will be fired and blacklisted.

    3. Corporate IT is not about user convenience, responsiveness, or productivity. It is about protecting company assets, real or imagined, at all costs. The fact that you are unproductive because you have to use a slow and buggy OWA web page to see email is not their problem. You should have just come in to the office if email is so flippin' important to you! You not being able to do your job is not their problem, so long as there is some convoluted manner in which a theoretical super-employee could conceivably be somewhat theoretically productive.
     
  9. paj macrumors regular

    paj

    Joined:
    Jun 14, 2003
    Location:
    USA
    #9
    :rolleyes: There's always one!
    I gave the CORRECT answer. Allowing IMAP access is an increased security risk.
    You seem to be implying that IMAP is more secure than OWA? I'd love to see the sources that led you to that conclusion.
    What a ridiculous statement. IT is all about productivity. We can only hope you don't work in IT.

    In addition to the security issues and perhaps more importantly, there would be additional cost and resources involved that most companies would see as unnecessary. Especially as there is probably already support for BlackBerrys and other secure devices. For everyone else, there's OWA which also allows calendar and other PIM access.
     
  10. hanschien macrumors 6502

    hanschien

    Joined:
    Oct 2, 2006
    Location:
    Houston, TX
    #10
    Would a solution to IMAP security be as simple as utilizing our current VPN? I'm not sure which VPN we're using, but will the built-in VPN client on the iPhone be sufficient?
     
  11. paj macrumors regular

    paj

    Joined:
    Jun 14, 2003
    Location:
    USA
    #11
    VPN will allow you on the internal corporate network, but IMAP would still need to be enabled on the Exchange server. But yes, it should solve most security concerns.
     
  12. gauchogolfer macrumors 603

    gauchogolfer

    Joined:
    Jan 28, 2005
    Location:
    American Riviera
    #12
    Here at work we aren't allowed to use iPhones for business, due to some perceived security issues. If some form of encryption can be worked out, then I hope their position will change.
     
  13. lom8104 thread starter macrumors regular

    Joined:
    Feb 7, 2005
    #13
    I'm not to familiar with the performance of VPNs--would setting up my iPhone to connect to my companies VPN slow down the performance of safari/youtube/mail? Is my iPhones internet connection essentially always routed through my companies network?
     
  14. paj macrumors regular

    paj

    Joined:
    Jun 14, 2003
    Location:
    USA
    #14
    Some VPN clients will route all traffic through the VPN, others will only route specified net blocks such as 10.*

    I don't know how the iPhone VPN client works, but my guess is that all traffic would route through the VPN.
     
  15. jettredmont macrumors 68030

    Joined:
    Jul 25, 2002
    #15
    The first question is: will iPhone's VPN work with your company's VPN. If you have a Mac, the answer is "yes" if and only if you are able to use the Internet Connect application to manage the VPN connection. If you need a separate client (like a Cisco VPN Client) to get a VPN connection, your iPhone will not be able to do that. If you don't have a Mac, you can ask your IT guy if they support IPSec or PPTP VPN. Those are the two mechanisms Apple supports; all others (including SSL-based VPNs) are not natively supported in OS X nor, so far as I can tell, on the iPhone.
     
  16. jettredmont macrumors 68030

    Joined:
    Jul 25, 2002
    #16
    Do you have any sources saying otherwise? Honestly, I see no documentation of IMAP as a security risk. Anywhere. Granted, I might just not have access to the super-secret IT administrator club where all the IMAP exploits have been hidden for the past decade or so.

    On the other hand, I see lots of articles out there about security risks in IIS and Exchange. I'm not an OWA expert, and so assumed it runs on IIS and inherits those security flaws; perhaps that is a bad assumption.

    In any case, there are three considerations to be had here:

    1. Security of the email system's data. Can someone get someone else's emails.
    2. Authentication of the email system. Can someone send mail pretending to be someone else (obviously not an IMAP issue because IMAP doesn't send mail, but your SMTP server bears this concern).
    3. Intranet exposure. Can someone use a bug in the implementation to gain access to other resources of the intranet.

    I don't see how OWA would be any better than IMAP on the first or SMTP on the second, and unless OWA isn't really running atop IIS, I can't imagine IMAP having a worse track record here than IIS! In any case, a sensible installation where (3) is a concern would place the IMAP server outside the firewall, just like a sensible OWA implementation places the frontend server outside the firewall.

    Ah, seems I poked you where it hurts. No, I don't work in IT. I work in a company (and have worked in various companies) with IT. Re-reading, I missed an "also"; I meant that those things that we corporate peons (the software engineers and managers) see as crucial are secondary in the IT mission statement, not the full picture we'd like them to be.

    Obviously your IT mission statement has all sorts of happy talk about making the company run smoothly and people productive and happy. But when push comes to shove, if making things run smoothly and productive means exposing the company's "crown jewels" (which the email archives tend to include) then IT will always (and RIGHTLY) choose to protect assets and make the rest of us just work harder.

    Case in point: who has worked in a corporate environment for more than a few years and not seen all .zip attachments filtered out for at least a period of time. That certainly hits productivity for a huge portion of the company, in the name of security.


    Yes, let them eat cake.

    OWA is worse than a second-class interface for email, much less calendaring. Even on a Windows box running the "premium" version of it, it's akin to walking around with toothpicks inserted under your toenails. IMAP is still a second-class interface, but given no one in their right mind will expose Exchange outside their firewall it's as close as one can get to a "real" mail server interface.


    If I may, your two arguments seem to boil down to:

    1. It's all about security when exposed outside the firewall. While I don't see any documentation that IMAP is any less secure than OWA, this is still the #1 claim stopping IMAP exposure. For good reason, when IT says "Security" about the corporate email system, all else goes quiet. I'd really like to see why people keep screaming security risk here, though.

    2. It's more work for the IT staff. Well, boo hoo! This is a surmountable "issue". This is something that will disappear as a reason when one or two people in the executive office find out they can't get their email on their shiny new iPhones.


    So, Paj, three questions:

    1. Where are these IMAP security risks. Do you have any documentation of them? There are many Exchange security risks (obviously), and IIS is a cesspool of security problems depending on how well you stay patched. Is the MS IMAP implementation likewise so buggy? I don't see any articles on it.

    2. Does OWA front-end server not run on IIS and thus inherit its many security issues?

    3. How much more work is it to expose IMAP versus OWA? Seems like about the same amount of work from my perspective, but I don't work in IT. It is really a big deal?
     
  17. kdarling macrumors demi-god

    kdarling

    Joined:
    Jun 9, 2007
    Location:
    First university coding class = 46 years ago
    #17
    Sorry, I'm with jettredmont on this.

    Either you don't work for a large company, or you're IT yourself ;)

    IT departments *always* fall back on only what they know is safe. To do anything else is to risk their job.

    I can't count the number of cool projects I've worked on for various organizations, that were beaten down to junk because of IT's security and support concerns.
     
  18. paj macrumors regular

    paj

    Joined:
    Jun 14, 2003
    Location:
    USA
    #18
    OWA is most likely already in place. The infrastructure and security measures are in place and tested. There will will be a separate server that talks securely to the internal network and the internal network is not exposed to the outside world. It's not a case of IMAP being insecure. IMAP is simply a protocol that is supported by Exchange. It's still Exchange server but using IMAP instead of MAPI. As I said in my first post, it's not the enabling of IMAP that's the problem, it's allowing the corporate mail system to be accessed directly from the outside.

    I do not work in IT either. I work in merchandising and planing for a large retailer. However, our IT department really does provide solutions that improve business processes thus increasing productivity. My guess is that your IT folks probably do the same. Perhaps you are not in a position to see the benefits? By the way, the IT department includes software engineers and managers.


    But opening IMAP up to the outside is the same as opening Exchange. Whether you expose to MAPI or IMAP to the outside, the risk is the same. OWA provides more functionality and is more secure. The only server with access to the corporate Exchange server is the OWA server. IMAP or MAPI would require direct access from hundreds or thousands of individual PCs or iPhones.

    See above. and my original post.
    Yes, but the only thing at risk is the OWA server. The corporate Exchange servers are safe.

    Possibly. But given that 99% of companies already have a secure mobile email solution in place. Probably BlackBerrys or a Windows Mobile device that supports secure OTA management. For those that do not have or need a handheld, OWA provides access to all Exchange functionality. No responsible manager is going to justify expending money and resources on enabling IMAP when there is no need.
     
  19. paj macrumors regular

    paj

    Joined:
    Jun 14, 2003
    Location:
    USA
    #19
    Actually I'm not in IT and I do work for a large corporation. Maybe our IT people are just rarity. :)
    That's not necessarily a bad thing.

    I'm sure you will only take certain risks. You will go as far as you deem safe based on your knowledge and expertise. Same goes for me in my job. I'm not going to approve a million dollar purchase on some hot new fashion item that we have not carried before. I might be willing to risk a couple of hundred thousand however. If it all goes wrong, I haven't blown the seasons budget and my job is still safe. ;) The same thing applies for anyone that needs to make decisions in a corporate environment.
     
  20. jettredmont macrumors 68030

    Joined:
    Jul 25, 2002
    #20
    And the OWA solution is to break this into a "front end server" (exposing OWA) and a "back end server" (supporting MAPI/Exchange protocols).

    Wouldn't the logical IMAP solution be topologically identical, placing an IMAP interface on the front end server instead of OWA? I'm no Exchange admin, but this seems to say you can do that:

    http://technet.microsoft.com/en-us/library/bb124804.aspx

    Specifically, in paragraph 3:

    Seems to be talking about putting IMAP (or POP or OWA) on the front-end server which might be interfacing with an array of back-end servers.

    [Edit]

    And another: http://technet.microsoft.com/en-us/library/aa996067.aspx

    And if you didn't want MS technology fluttering in the wind to the world, you could use a non-MS front end like this one: http://cyrusimap.web.cmu.edu/ag.html

    [/Edit]

    The choices here are, does the front-end, DMZ'd server expose OWA/HTTPS, IMAP/SSL, or MAPI (presumably also over SSL?). I understand the last to be out of the question as it is inherently insecure from various types of attacks.

    But, again, IMAP/SSL appears to both be just as secure as OWA/HTTPS. So, why is IMAP a security issue?
     
  21. paj macrumors regular

    paj

    Joined:
    Jun 14, 2003
    Location:
    USA
    #21
    There's no doubt that there are solutions out there (if the infrastructure is set up correctly). I imagine most companies are reluctant to commit the necessary resources and hardware to implement it in this way and allowing direct IMAP access is obviously out of the question. Unfortunately, even if done correctly, it could still be seen as a security risk. A quick search turned up a couple of Exchange/IMAP issues:
    http://tools.cisco.com/security/center/getDocument.x?id=314
    http://ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35298
    I'm sure there's dozens of others.

    Maybe a third party IMAP server would help, but that introduces a bunch of other problems such as cost, resources and supportability. If your in-house expertise is with Microsoft solutions, trying to implement a third party IMAP server could end up being even more of a security risk.

    Whichever way you cut it, OWA is the best solution from a corporate standpoint. Wanting your email delivered to your iPhone probably won't be enough to justify an IMAP implementation project. ;)
     
  22. BWhaler macrumors 68020

    BWhaler

    Joined:
    Jan 8, 2003
    #22
    It is total bull****.

    Part of the MS campaign about 2-3 weeks back. All of the usual paid shills, zdnet, etc., starting complaining about it.

    Where MS screwed up with the smear campaign is the bloggers all started complaining about, in exactly the same way, on exactly the same day.

    MS can't do anything correctly anymore...
     
  23. diamond.g macrumors 603

    diamond.g

    Joined:
    Mar 20, 2007
    Location:
    Virginia
    #23
    Is Exchange 2000 even supported by MS still? I would have figured they have prodded everyone along to 2003 by now.

    My take? Just like plugging iPods into government systems be prepared to lose your iPhone if email gets put on it that isn't supposed to be. And when you leave (get fired or quit) there is a good change you lose your iPhone then as well. So it is up to you, take the free BB or quite possibly lose your iPhone (that the governemt is under no obligation to reimburse you for).
     
  24. jettredmont macrumors 68030

    Joined:
    Jul 25, 2002
    #24
    Umm, but wait. Didn't those above quotes say that setting up an IMAP front end is essentially identical to setting up an OWA front end? You just check the "IMAP" checkbox on the frontend Exchange server instead of, or - shock! - in addition to the "OWA" checkbox. Obviously there's a little more to it than that (you have to configure the firewall and worry about a different service being exposed), but I still fail to see how/why OWA would be any easier or more secure than IMAP.


    At last! A link to a real live security problem with Exchange's IMAP service! That's what was asked for at the beginning of the thread!

    And two of them!

    Oh. But they're the same issue. And with an old version of Exchange. And which has already been patched. And they were discovered after the "IMAP is security risk" meme resurfaced for the iPhone launch (it's been around for years).

    Any others in your "quick search"?

    IMHO, iPhone is just another straw going on the camel's back. I've been pushing for IMAP exposure of corporate Exchange servers for years. There are many more reasons than just iPhone. However, iPhone is a pretty heavy straw. It just might do some damage!

    Still, I haven't seen a single way to "cut it" where OWA is clearly the best solution from a corporate standpoint. I've seen a lot of draws. Which ends up favoring inertia, of course. But, it also shows that a few little nudges like iPhone usage and desirability amongst the executive offices might flip the momentum back towards IMAP and open standards rather than MS's dysfunctional little walled garden.
     
  25. diamond.g macrumors 603

    diamond.g

    Joined:
    Mar 20, 2007
    Location:
    Virginia
    #25
    I think OWA support is more natural due to being so much like Outlook. IMAP doesn't give you the calendar support which is like half of the point behind the whole exchange "platform". I can see IT guys not wanting to hear users complain about not being able to have meetings sent to them and put in their calendar automatically.

    That is why Apple sould have to come up with something like BES or Activesync for the iPhone to truley take off.
     

Share This Page