Penetration Testing mailing list archives

Re: publications concerning port forwarding

From: "Brendan Murray" <xasperated () gmail com>
Date: Wed, 11 Apr 2007 16:24:48 +1200

On 4/11/07, Jason L. Ellison <infotek () datasync com> wrote:

List,

  I'm currently doing work for a large company as a consultant.  Another
consultant is installing a MS Exchange server and is now requesting for me
to forward ports on the PIX from the Internet to internal servers.  I have
explained that port forwarding is very risky but they don't seem to
understand.  Are there any publications that can be used to show the link
between port forwarding and bad security posture.  I've scoured and found
nothing (maybe its to obvious to document?)...



I must be misunderstanding what you're asking.

Without port forwarding then there will be no network facing services.
So port forwarding isn't bad in and of itself.

Indiscriminate port forwarding would be a bad thing.

If you're asking about forwarding from the internet through your dmz
to an internal network, then that's an issue of firewall placement and
routing, and most any good firewall book will cover the issues there.


As usual, refer to the implementation plan and the site security
policy. The PIX is there to implement policy. And since its a large
company it will have robust policies. Right?

Brendan


-Jason Ellison

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------

Current thread:

publications concerning port forwarding Jason L. Ellison (Apr 10)
- Re: publications concerning port forwarding Ben Nell (Apr 10)
  - Re: publications concerning port forwarding vtlists (Apr 11)
- Re: publications concerning port forwarding Brendan Murray (Apr 10)
- RE: publications concerning port forwarding Wiedemann, Adrian (Apr 11)
  - RE: publications concerning port forwarding Jason L. Ellison (Apr 11)
    - RE: publications concerning port forwarding Wiedemann, Adrian (Apr 11)
    - Message not available
    - RE: publications concerning port forwarding Wiedemann, Adrian (Apr 11)
    - RE: publications concerning port forwarding Jason L. Ellison (Apr 13)
- Re: publications concerning port forwarding Jamie Riden (Apr 11)
- <Possible follow-ups>
- RE: publications concerning port forwarding Jason Rahl (Apr 11)
- RE: publications concerning port forwarding Thomas W Shinder (Apr 13)
  - Re: publications concerning port forwarding vtlists (Apr 13)
- Re: publications concerning port forwarding Thor (Hammer of God) (Apr 13)