Keeping up with O365 EOP Rules.

Started by icecream-guy, September 26, 2018, 09:49:27 AM


icecream-guy

How do you all keep up with the ever-changing, unannounced MS O365 Exchange Online Protection IPs found here?

https://docs.microsoft.com/en-us/office365/SecurityCompliance/eop/exchange-online-protection-ip-addresses

We got into a dig over the weekend where the IPs were not updated in rule sets for about a year, and firewalls were denying legit traffic.


My Moral Fibers have been cut.

Dieselboy

Watched a Cisco webinar on this sort of thing yesterday. Need a firewall that can update itself via a feed. Or you'll need to whitelist URLs. OR employ someone to do this periodically at a cost of effort.

deanwebb

HOW TO WORK WITH MICROSOFT ONLINE SERVICES

1. Create a rule on the firewall that will permit all traffic between all hosts. This is known as "permit any any all" in firewall parlance.
2. If you are concerned about security, turn on logging for that rule.
3. Your Microsoft online services will now work smoothly, without interruption.

Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

icecream-guy

Quote from: deanwebb on October 19, 2018, 01:45:42 PM
HOW TO WORK WITH MICROSOFT ONLINE SERVICES

1. Create a rule on the firewall that will permit all traffic between all hosts. This is known as "permit any any all" in firewall parlance.
2. If you are concerned about security, turn on logging for that rule.
3. Your Microsoft online services will now work smoothly, without interruption.


I should plug that firewall into a hub? And at least get some security benefit.

deanwebb

Quote from: ristau5741 on October 20, 2018, 05:55:07 AM
Quote from: deanwebb on October 19, 2018, 01:45:42 PM
HOW TO WORK WITH MICROSOFT ONLINE SERVICES

1. Create a rule on the firewall that will permit all traffic between all hosts. This is known as "permit any any all" in firewall parlance.
2. If you are concerned about security, turn on logging for that rule.
3. Your Microsoft online services will now work smoothly, without interruption.

I should plug that firewall into a hub? And at least get some security benefit.

Best practice calls for a Belkin hub.

SimonV

Not sure about Exchange Online specifically, but for general O365 URLs and prefixes, most firewall vendors are starting to move to dynamic feeds.

Juniper has an O365 feed via Sky ATP: https://www.juniper.net/documentation/en_US/release-independent/sky-atp/topics/concept/sky-atp-integrated-feeds.html
Palo Alto has MineMeld: https://live.paloaltonetworks.com/t5/MineMeld-Articles/How-to-Safely-Enable-access-to-Office-365-using-MineMeld/ta-p/120280
Check Point also has something but, as always, it involves complicated hacks.

I'm sure the others have it too. Maybe not Cisco, duh.

You can also consider an AppFW and look at L7 (look for HTTP hostname, or SSL Server Name Indication when encrypted) and just allow that to 'any'.
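
The rule-set drift described at the top of this thread (firewall IPs about a year behind the published list), as an added example that is not from any poster: a Python check that compares a published prefix list against what the firewall currently permits, at CIDR level rather than by string match. Both lists are constructed from documentation ranges; fetching the published list and exporting the rule set are assumed to happen elsewhere.

```python
import ipaddress

# Constructed sample data (documentation ranges), not real EOP prefixes.
PUBLISHED = ["192.0.2.0/24", "198.51.100.0/25", "2001:db8:1::/48"]
DEPLOYED = ["192.0.2.0/25  # added last year", "198.51.100.0/24", "203.0.113.0/24"]

def parse_prefixes(lines):
    """Parse CIDR strings, skip blanks and '#' comments, collapse overlaps per IP version."""
    nets = []
    for line in lines:
        text = line.split("#", 1)[0].strip()
        if text:
            nets.append(ipaddress.ip_network(text, strict=False))
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4) + list(v6)

def uncovered(wanted, have):
    """Return the parts of `wanted` that no prefix in `have` covers."""
    gaps = []
    for net in wanted:
        remaining = [net]
        for h in have:
            if h.version != net.version:
                continue
            nxt = []
            for r in remaining:
                if r.subnet_of(h):
                    continue                          # fully covered by h
                if h.subnet_of(r):
                    nxt.extend(r.address_exclude(h))  # partly covered: keep the rest
                else:
                    nxt.append(r)                     # disjoint from h
            remaining = nxt
        gaps.extend(remaining)
    return sorted(gaps, key=lambda n: (n.version, n))

def drift(published, deployed):
    pub, dep = parse_prefixes(published), parse_prefixes(deployed)
    return {
        "missing": [str(n) for n in uncovered(pub, dep)],  # published, but firewall denies it
        "stale": [str(n) for n in uncovered(dep, pub)],    # permitted, but no longer published
    }

if __name__ == "__main__":
    for kind, nets in drift(PUBLISHED, DEPLOYED).items():
        print(kind, nets)
```

A non-empty "missing" list is the condition that caused the outage in the first post; "stale" entries are permit rules for address space the provider no longer lists.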

Dieselboy