Secure access to Office365 from an on-premise environment


Thoughts on this one greatly appreciated.


The challenge comes from information as provided by articles such as this one https://techcommunity.microsoft.com/t5/Office-365-Blog/Getting-the-best-connectivity-and-performance...

The step "Assess bypassing proxies, traffic inspection devices and duplicate security which is available in Office 365" is the concerning one.


So let us take a step back and analyse how this is reviewed by security architects.

The recommendation that we bypass proxies and traffic inspection devices creates challenges around tenancy restriction:

  • This requires that we only allow access from within the organisation to their specific tenancy. The Microsoft way of handling this is to route the login page through a proxy which can perform the tenancy restriction, and then the rest of the traffic can bypass the proxy (the pages that need to go direct, however, need to be defined in a proxy PAC file, which is considered by a lot of large orgs as onerous to manage).
  • For the direct access piece, Microsoft supplies a list of IP addresses (which basically includes half of Azure) to which organisations are advised to allow all internal IPs access on a specified list of ports. Should an individual be able to bypass the proxy (hardly rocket science), they can then just go direct to whatever tenancy they want. This is a huge risk, as many of these organisations have third parties working on site that can now (should SSL inspection not be enabled) upload documents etc. out of the organisation, bypassing all traffic inspection devices.

The crux of the matter is that going direct and not performing ANY inspection on traffic allowed to go direct creates a massive hole and avenue for data leakage for any organisation.


An NGFW is typically an inline device that can operate as firewall, IPS, application control, URL filtering etc. It can perform the SSL inspection inline in a way that cannot be bypassed. It can also have an integration with the Microsoft web service that provides all of the IP address updates automatically, so that the gateways do not need to be manually updated whenever Microsoft changes/updates the IP addresses.


However, performing this inspection goes against what Microsoft recommends which means a possible large security hole will be created.


What is the right thing to do?
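As an added illustration of the split the post describes (this is example code, not from the post or from Microsoft): a minimal PAC file that forces the sign-in hosts through the proxy that applies the tenancy restriction, lets a small illustrative set of Office 365 service hosts go direct, and sends everything else through the inspecting proxy. The proxy address and the direct-host list are assumptions.

```javascript
// Added example PAC file (not the post's or Microsoft's code). Written in ES5 so
// a PAC engine can load it; it also runs as plain JavaScript for testing.
var TENANT_RESTRICTION_PROXY = "PROXY proxy.corp.example:8080"; // assumed address

// Sign-in endpoints. These must traverse the proxy so it can add the
// tenant-restriction headers (Restrict-Access-To-Tenants, Restrict-Access-Context)
// before the request leaves the network.
var LOGIN_HOSTS = ["login.microsoftonline.com", "login.microsoft.com", "login.windows.net"];

// Service hosts allowed to bypass the proxy. Illustrative subset only; the real
// list comes from Microsoft's endpoint web service and must be kept current.
var DIRECT_HOSTS = ["outlook.office365.com", "outlook.office.com",
                    "*.sharepoint.com", "teams.microsoft.com"];

function hostMatches(host, pattern) {
  // Exact match, or wildcard "*.example.com" matching any subdomain (not the apex,
  // and not a host that merely contains the suffix somewhere in the middle).
  host = host.toLowerCase();
  if (pattern.indexOf("*.") === 0) {
    var suffix = pattern.substring(1); // ".example.com"
    return host.length > suffix.length &&
           host.lastIndexOf(suffix) === host.length - suffix.length;
  }
  return host === pattern;
}

function matchesAny(host, patterns) {
  for (var i = 0; i < patterns.length; i++) {
    if (hostMatches(host, patterns[i])) return true;
  }
  return false;
}

function FindProxyForURL(url, host) {
  // Order matters: the sign-in check runs first so a login host can never be
  // classified as direct by a broader wildcard added later.
  if (matchesAny(host, LOGIN_HOSTS)) return TENANT_RESTRICTION_PROXY;
  if (matchesAny(host, DIRECT_HOSTS)) return "DIRECT";
  return TENANT_RESTRICTION_PROXY; // default: the inspected path for everything else
}
```

The PAC only steers cooperating clients; the egress firewall still has to permit direct 443 only to the non-login Office 365 address ranges and deny direct connections to the sign-in hosts, otherwise the bypass the post describes remains possible.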

1 Reply

Recommendations are just that: they are not mandatory, nor are they designed to apply to 100% of the customers out there. Follow them as closely as possible, but don't let them be a restriction, and make the best decision for your specific requirements.