Re: publications concerning port forwarding

["Ben Nell" <enemy.cow () gmail com>]

Could you please explain your reasoning behind the inherent flaws in
port forwarding?  It seems to me that port forwarding is both common
and effective in limiting access to internal NATed hosts.  Obviously
security practices would warrant port forwarding only to DMZ subnets.
How else do you design your firewall rules to allow traffic into your
network (unless of course you're using a proxy-based firewall) when
using NAT?

Maybe I'm misinterpreting your statement.

Thanks,
BN


On 4/10/07, Jason L. Ellison <infotek () datasync com> wrote:
> List,
>
>   I'm currently doing work for a large company as a consultant.  Another
> consultant is installing a MS Exchange server and is now requesting for me
> to forward ports on the PIX from the Internet to internal servers.  I have
> explained that port forwarding is very risky but they don't seem to
> understand.  Are there any publications that can be used to show the link
> between port forwarding and bad security posture.  I've scoured and found
> nothing (maybe its to obvious to document?)...
>
> -Jason Ellison
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
>
> http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
> ------------------------------------------------------------------------

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------