On 4/11/07, Jason L. Ellison <infotek@datasync.com> wrote:
List,
I'm currently doing work for a large company as a consultant. Another
consultant is installing a MS Exchange server and is now requesting for me
to forward ports on the PIX from the Internet to internal servers. I have
explained that port forwarding is very risky but they don't seem to
understand. Are there any publications that can be used to show the link
between port forwarding and bad security posture. I've scoured and found
nothing (maybe its to obvious to document?)...
I must be misunderstanding what you're asking.
Without port forwarding then there will be no network facing services.
So port forwarding isn't bad in and of itself.
Indiscriminate port forwarding would be a bad thing.
If you're asking about forwarding from the internet through your dmz
to an internal network, then that's an issue of firewall placement and
routing, and most any good firewall book will cover the issues there.
As usual, refer to the implementation plan and the site security
policy. The PIX is there to implement policy. And since its a large
company it will have robust policies. Right?
Brendan
-Jason Ellison
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
