Penetration Testing mailing list archives

Fwd: Inaccessible Port 80 - Pentest


From: "arvind doraiswamy" <arvind.doraiswamy () gmail com>
Date: Fri, 8 Aug 2008 23:06:37 +0530

Forwarding all received replies to the list... thanks
--------------------------------------------------------
Hi,

Since we have such a situation in my company, I will explain why we
have it like this. We have a web server with port 80 open; the
firewall and ACL block all IPs except those of our client. This is
only to have more security.

Kyprianos


---

I have actually seen this a few times over the years.

Company A has an internal web site that they want to allow some
external users to access. Now the web site does have some access
control, but it's very basic and has shared access. Because of this
they don't want the whole Internet to have access. At the same time
there are some remote offices and other clients that need access, and
due to company politics they can't use VPN hardware or other changes.
They use the IP filter on the DMZ firewall to limit who can get access
to the web application.

In most of these cases it would be nice to have an SSL proxy or some
other second-level defense, but I have seen a few cases where this was
the only real way to complete the task.

Now at the same time I have also seen this because of
misconfiguration of a firewall as well. So that is always a
possibility.

Your third option is a honeypot. When only one IP and port answer on a
subnet, I start to think honeypot.


Derrick
---

Hi Arvind,

Maybe for sales reps who connect to that application with their
terminals?

Regards,
Johan
---

What about B2B applications? What if you are providing a service to a
third party and you don't want to give them VPN access or anything, but you
want them to access the web application which provides certain services,
and because there are a limited number of clients accessing the system,
you are doing IP filtering additionally to secure that system. I think
that is a reasonable thing to do.

Adnan Baykal
--------------------------------------
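The allowlisted-port-80 setup the replies describe, as an added example that is not part of the original thread: an ordered first-match ACL evaluator with constructed client ranges (documentation addresses, not anyone's real clients), plus an audit check that shows how the misordering Derrick mentions quietly exposes the port to the whole Internet.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: ipaddress.IPv4Network   # source network the rule matches
    dport: Optional[int]         # destination port; None matches any port

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed client allowlist (RFC 5737 documentation ranges, not real clients).
CLIENT_NETS = ["198.51.100.0/24", "192.0.2.10/32"]

def allowlist_rules(client_nets: List[str]) -> List[Rule]:
    """Allow port 80 only from the listed client networks, then deny everything."""
    rules = [Rule("allow", ipaddress.ip_network(n), 80) for n in client_nets]
    rules.append(Rule("deny", ANY, None))
    return rules

def evaluate(rules: List[Rule], src_ip: str, dport: int) -> str:
    """First-match evaluation, the way an ordered firewall ACL processes packets."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if ip in r.src and (r.dport is None or r.dport == dport):
            return r.action
    return "deny"   # implicit default deny when nothing matched

def internet_exposed_ports(rules: List[Rule], ports=(80, 443, 22)) -> List[int]:
    """Audit check: which ports answer to an address outside every client range?"""
    outsider = "203.0.113.77"   # constructed; deliberately not in CLIENT_NETS
    return [p for p in ports if evaluate(rules, outsider, p) == "allow"]

GOOD_RULES = allowlist_rules(CLIENT_NETS)

# Misconfiguration: a catch-all "allow any to 80" placed above the client rules
# means the client filter never decides anything and port 80 is open to everyone.
BAD_RULES = [Rule("allow", ANY, 80)] + GOOD_RULES

if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(name, "ruleset, ports exposed to non-clients:", internet_exposed_ports(rules))
```

Running the audit against the live ruleset from a host that is not in the client list is the check to add to a review of this kind of setup; an empty list is the expected result.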
