Could you please explain your reasoning behind the inherent flaws in
port forwarding? It seems to me that port forwarding is both common
and effective in limiting access to internal NATed hosts. Obviously
security practices would warrant port forwarding only to DMZ subnets.
How else do you design your firewall rules to allow traffic into your
network (unless of course you're using a proxy-based firewall) when
using NAT?
Maybe I'm misinterpreting your statement.
Thanks,
BN
On 4/10/07, Jason L. Ellison <infotek@datasync.com> wrote:
List,
I'm currently doing work for a large company as a consultant. Another
consultant is installing a MS Exchange server and is now requesting for me
to forward ports on the PIX from the Internet to internal servers. I have
explained that port forwarding is very risky but they don't seem to
understand. Are there any publications that can be used to show the link
between port forwarding and bad security posture. I've scoured and found
nothing (maybe its to obvious to document?)...
-Jason Ellison
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
