Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Answers

Out of Continent Access Control

We have recently migrated to an exchange environment, from a not so widely popular email server.  Since we migrated to this new environment we have had 10+ users comprimised by very simple spear phishing campaigns.  While I know user education is paramount in these situations,  we would like to devise a plan to thwart being used as a spam source  by restricting Access to owa to North America.

There is some hesitation in this, as  we do have a large multi national population of staff, and many travel overseas for both work and pleasure and would still like to have access to there email. 

We thought that are best approach would be to go the way of facebook, and if a user were to attempt to login from outisde of North America, we would ask them a security question.  The only personal identifying information that we know to be pretty accurate is Department.  So We thought that we would ask them "Which Department do you Belong to?", along side a capture, giving them 2 attempts to answer correctly prior to having out of country access denied.  If they did answer correctly, we would store the continent they logged in a session table and have it expire in a week.

 

So for the most part, without putting pen to paper, I believe the above is possible with the access policies.  The only thing that might be difficult will be the dropdown box of Departments on the login page, but I can probably create that with the customization.

 

What I would really be interested in hearing is if anyone else is doing something similar, or completely different to control access from unauthorized parties.

 

Also I would love to know from someone in the know if this kind of policy would actually twart these spear phishing campaigns, or is someone in Africa manually accessing OWA to send the emails and setup the email rules.

 

 

Hopefully that made sense and I can strir up a good conversation on the topic.

 

Terry

 

 

 

 

 

 

0
Rate this Question

Answers to this Question

placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
242 views and 0 replies.

I guess I was not able to stir up any good conversation. Anyways here is what we did.

Captcha wasnt the answer, there is a live being on the other end.

http://www.digitaloffensive.com/2013/05/four-of-the-most-helpful-outlook-web-access-rules-you-will-want-for-your-web-application-firewall/

All of these rules were implemented using irules on the apm

0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
Terry,

Did you limit the number of senders OWA could send to based on GEO-IP? Or just a broad limiter?

Another option I always like is a forced 2 factor authentication when logging in from a new/unauth'd GEO-IP location. (IE: Bob is based in seattle, then trys to log in while on vacation in tahiti ). Could even use the google auth integration for cheap 2 factor auth:

https://devcentral.f5.com/tech-tips/articles/two-factor-authentication-with-google-authenticator-and-ldap

-Josh
0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
Yes we used geoip for most of the rules mentioned in the article, less crazybrowser which is blocked everywhere. We also added a 2 hour blacklist to any ips/users that trigger any of the aformentioned rules, and subsequent ips/users are also blocked. We allow the attacker to log in prior to blocking so that we may harvest the users that he managed to exploit.

two factor authentication will probably not fly in our environment(higher education).

0