Penetration Testing mailing list archives
Re: publications concerning port forwarding
From: vtlists () wyae de
Date: Wed, 11 Apr 2007 09:51:31 +0200
Ben Nell writes:
Could you please explain your reasoning behind the inherent flaws in port forwarding?
[...]
security practices would warrant port forwarding only to DMZ subnets.
I think that's the problem here: port forwarding from internet directly to internal core systems. I don't see many problems in port-forwarding towards DMZ systems. With a direct connection to the internet (regardless whether via routing, NAT or port forwarding) the target system has to be able to withstand the usual internet attacks - known exploits, DoS (at least to some extent e.g. through intensive use), fuzzing. Applications (especially web-applications) have to be resistant against XSS, XSRF, etc.
Usually internal systems are not as hardened or programmed with security in mind as the ones which are intended from the beginning to be placed in the internet.
And if these systems were taken over, they had direct access to your core internal network. Systems set up for direct internet exposure in a DMZ should be harder to crack - and then an attacker still is behind a firewall...
I'm currently doing work for a large company as a consultant. Another consultant is installing a MS Exchange server and is now requesting for me to forward ports on the PIX from the Internet to internal servers.
Which ports/services? While SMTP and HTTPS (for OWA) could be okay-ish, opening MS RPCs ("naked" MS-Exchange) to the internet quite probably is not such a great idea. ;-) Even if you were asked to forward SMTP (incoming) only: with Exchange you sometimes need to shut down the MSX server for maintenance work. And during this time mail will bounce as undeliverable as the MSX SMTP connector will be unavailable, too. Plus the MSX SMTP connector is not as forgiving to SMTP protocol misuse as e.g. a Postfix server. Thus placing a plain SMTP server simply as caching proxy between MSX and the internet will catch both flies: no direct connection between the internet and MSX, better SMTP compatibility, better spam control and filtering, a cache for MSX maintenance downtimes, plus (optionally) a border virus scan (e.g. using the free ClamAV).
Bye Volker
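The border relay Volker describes, as an added configuration example that is not from the original post or its author: a Postfix main.cf (plus the matching master.cf entries) for a DMZ host that accepts inbound SMTP for the company domain, relays only known recipients to the internal Exchange server, keeps mail queued while MSX is down, and optionally passes each message through amavisd-new, which drives ClamAV. The hostname, addresses, domain and amavisd-new ports are constructed placeholders.

```ini
# /etc/postfix/main.cf on the DMZ relay (constructed example; every host,
# address and domain below is a placeholder, not a value from the post)
myhostname = mx1.dmz.example.com
inet_interfaces = all
# Not a mailbox host: no local delivery, relay for the company domain only.
mydestination =
relay_domains = example.com
# Hand accepted mail to the internal Exchange (MSX) SMTP connector.
# The bracketed address skips MX lookups for the internal host.
transport_maps = hash:/etc/postfix/transport
#   /etc/postfix/transport contains:   example.com   smtp:[10.10.1.25]
# Reject unknown recipients at the border, so the relay never queues
# (and later backscatters) mail that MSX would bounce anyway.
relay_recipient_maps = hash:/etc/postfix/relay_recipients
#   one "user@example.com  OK" line per mailbox, exported from Exchange
# Only the internal network may use this host for outbound mail.
mynetworks = 127.0.0.0/8, 10.10.1.0/24
smtpd_helo_required = yes
disable_vrfy_command = yes
message_size_limit = 20480000
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_rbl_client zen.spamhaus.org
# The "cache" for MSX maintenance: how long a queued message is retried
# before it is returned to the sender.
maximal_queue_lifetime = 5d
# Optional border virus scan via amavisd-new + ClamAV (assumed to listen
# on 127.0.0.1:10024 and to re-inject scanned mail on port 10025).
content_filter = smtp-amavis:[127.0.0.1]:10024

# /etc/postfix/master.cf additions for the content filter round trip
smtp-amavis unix -       -       n       -       2       smtp
    -o smtp_data_done_timeout=1200
    -o disable_dns_lookups=yes
127.0.0.1:10025 inet n   -       n       -       -       smtpd
    -o content_filter=
    -o mynetworks=127.0.0.0/8
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
```

With this in place the PIX forwards TCP/25 to the DMZ relay only, and the internal MSX host accepts SMTP solely from the relay's address.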
Current thread:
- publications concerning port forwarding Jason L. Ellison (Apr 10)
- Re: publications concerning port forwarding Ben Nell (Apr 10)
- Re: publications concerning port forwarding vtlists (Apr 11)
- Re: publications concerning port forwarding Brendan Murray (Apr 10)
- RE: publications concerning port forwarding Wiedemann, Adrian (Apr 11)
- RE: publications concerning port forwarding Jason L. Ellison (Apr 11)
- RE: publications concerning port forwarding Wiedemann, Adrian (Apr 11)
- Message not available
- RE: publications concerning port forwarding Wiedemann, Adrian (Apr 11)
- RE: publications concerning port forwarding Jason L. Ellison (Apr 13)
- RE: publications concerning port forwarding Jason L. Ellison (Apr 11)
- Re: publications concerning port forwarding Ben Nell (Apr 10)
- <Possible follow-ups>
- RE: publications concerning port forwarding Jason Rahl (Apr 11)
- RE: publications concerning port forwarding Thomas W Shinder (Apr 13)
- Re: publications concerning port forwarding vtlists (Apr 13)