Re: Inaccessible Port 80 - Pentest

["Matthew Leeds" <mleeds () theleeds net>]

How about:

Demo of a service restricted to a specific customer or set of customers.

Live service restricted to a specific customer or set of customers.

This is not uncommon, just not well known. It's easy to set up, put a server in a DMZ, static it to a public IP, and 
use the firewall ACLs to restrict access to those allowed to access it via source IP. Not perfect security, but fairly 
effective.

I'm not clear where this scanning was done from
> > Had an IP block which on scanning
> > revealed only port 80 open which sounded ok.
since firewall ACLs would of blocked your scan.

----------
---Matthew
*********** REPLY SEPARATOR  ***********

On 8/8/2008 at 9:15 AM arvind doraiswamy wrote:

> Hey Guys,
> Very recently we did a PenTest for a client where we came across a
> strange(atleast to me) situation. Had an IP block which on scanning
> revealed only port 80 open which sounded ok. Any kind of requests
> though from the external world - I tried from multiple IP's and even
> through TOR were blocked by a firewall which kept displaying its
> custom "Access denied" page. So obviously there was some kind of IP
> based restriction in  place which said -- Only these IP's can connect
> to whatever is running on port 80. No problems till here.
>
> My question is: Why would anyone want to  have a live server on the
> Internet, open one port on it and then block it from public use?
> Obvious answers that sprung to mind were:
> a) Maybe its an internal server running a web app to be accessed only
> internally
>           ----- So why is it public , in the DMZ then? Shouldnt it be
> on the internal network?
> b) Maybe some hosts/apps on the internal network needed to connect to
> port 80 of a DMZ server before going out?
>          ------ Then again why is it public. These servers could be
> placed on an internal segment and the traffic could be NATTEd before
> it goes out like all other Internet destined traffic. And Secondly I
> am not able to think of a situation like this --- What traffic apart
> from a proxy could behave this way --- where I have -- Internal IP
> -------> DMZIP:80 ---------> Internet ? And mind you this wasnt just 1
> IP - there were many, so I'm quite sure I've missed something.
>
> What are your thoughts?
>
> Thnx
> Arvind
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Top 5 Common Mistakes in
> Securing Web Applications
> Get 45 Min Video and PPT Slides
>
> www.cenzic.com/landing/securityfocus/hackinar
> ------------------------------------------------------------------------




------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------