Penetration Testing mailing list archives
Fwd: Inaccessible Port 80 - Pentest
From: "arvind doraiswamy" <arvind.doraiswamy () gmail com>
Date: Fri, 8 Aug 2008 23:06:37 +0530
Forwarding all received replies to the list...thnx

--------------------------------------------------------

Hi,

Since in my company we have such a situation I will explain to you why we have it like this. We have a webserver, port 80 open; firewall and ACL block all the IPs except those of our client. This is only to have more security.

Kyprianos

---

I have actually seen this a few times over the years. Company A has an internal Web Site that they want to allow some external users to access. Now the web site does have some access control but it's very basic and has shared access. Because of this they don't want the whole Internet to have access. At the same time there are some remote offices and other clients that need access and due to company politics they can't use VPN hardware or other changes. They use the IP filter on the DMZ firewall to limit who can get access to the web application. In most of these cases it would be nice to have an SSL proxy or some other second level defense but I have seen a few cases where this was the only real way to complete the task.

Now at the same time I have also seen this because of mis-configuration of a firewall as well. So that is always a possibility.

Your third option is a honeypot. When only one IP and port answer on a subnet I start to think honeypot.

Derrick

---

Hi Arvind,

maybe for sales reps who use to connect with their terminals to that application?

Regards,
Johan

---

What about B2B applications? What if you are providing a service to a third party + you don't wanna give them VPN access or anything but you want them to access the web application which provides certain services + and because there are a limited number of clients accessing the system, you are doing IP filtering additionally to secure that system. I think that is a reasonable thing to do.
Adnan Baykal