Network Security Pen-Test

Re: publications concerning port forwarding

Subject: Re: publications concerning port forwarding
Date: Wed, 11 Apr 2007 09:51:31 +0200
Ben Nell writes:

> Could you please explain your reasoning behind the inherent flaws in
> port forwarding?
[...]
> security practices would warrant port forwarding only to DMZ subnets.

I think that's the problem here: port forwarding from internet directly to internal core systems. I don't see many problems in port-forwarding towards DMZ systems.

With a direct connection to the internet (regardless whether via routing, NAT
or port forwarding) the target system has to be able to withstand the usual
internet attacks - known exploits, DoS (at least to some extent e.g. through
intensive use), fuzzing. Applications (especially web-applications) have to
be resistant against XSS, XSRF, etc.


Usually internal systems are not as hardened or programmed with security in
mind as the ones which are intended from the beginning to be placed in the
internet.


And if these systems were taken over, they had direct access to your core
internal network. Systems set up for direct internet exposure in a DMZ
should be harder to crack - and then an attacker still is behind a
firewall...



> I'm currently doing work for a large company as a consultant. Another
> consultant is installing a MS Exchange server and is now requesting for me
> to forward ports on the PIX from the Internet to internal servers.

Which ports/services? While SMTP and HTTPS (for OWA) could be okay-ish, opening MS RPCs ("naked" MS-Exchange) to the internet quite probably is not such a great idea. ;-)

Even if you were asked to forward SMTP (incoming) only: with Exchange you
sometimes need to shut down the MSX server for maintenance work. And during
this time mail will bounce as undeliverable as the MSX SMTP connector will
be unavailable, too. Plus the MSX SMTP connector is not as forgiving to SMTP
protocol misuse as e.g. a Postfix server. Thus placing a plain SMTP server
simply as caching proxy between MSX and the internet will catch both flies:
no direct connection between the internet and MSX, better SMTP compatibility,
better spam control and filtering, a cache for MSX maintenance downtimes,
plus (optionally) a border virus scan (e.g. using the free ClamAV).


Bye

Volker
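
Added example, not part of the original message: a small audit of PIX-style `static` port redirects that applies the distinction drawn in the reply above (forwards into a DMZ, SMTP/HTTPS forwards to internal hosts, and any other service such as MS RPC on TCP 135 forwarded to internal hosts). The interface names `outside`, `inside` and `dmz`, the severity labels, and the sample configuration are assumptions constructed for illustration.

```python
import re

# PIX-style port redirect:
#   static (real_if,mapped_if) tcp|udp mapped_ip|interface mapped_port real_ip real_port ...
STATIC_RE = re.compile(
    r"^static \((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\S+) (?P<real_ip>\S+) (?P<real_port>\S+)"
)

# Port keywords that may appear instead of numbers (subset used by this example).
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443}
# Services the reply calls "okay-ish" to forward: SMTP and HTTPS (for OWA).
TOLERATED = {25, 443}
# Assumption: the internet-facing interface is named "outside", the DMZ "dmz".
INTERNET_IF, DMZ_IF = "outside", "dmz"

def port_number(token):
    """Resolve a port token; returns None for keywords not in PORT_NAMES."""
    if token.isdigit():
        return int(token)
    return PORT_NAMES.get(token)

def audit(config_text):
    """Return (severity, line) for every redirect reachable from the internet."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if not m or m["mapped_if"] != INTERNET_IF:
            continue  # not a port redirect, or not exposed on the internet side
        if m["real_if"] == DMZ_IF:
            severity = "ok"      # forwarded to a DMZ host
        elif port_number(m["real_port"]) in TOLERATED:
            severity = "review"  # internal host, SMTP or HTTPS only
        else:
            severity = "high"    # internal host, other service (e.g. MS RPC, 135)
        findings.append((severity, line))
    return findings

# Constructed sample configuration (private and documentation addresses).
SAMPLE = """\
static (dmz,outside) tcp interface smtp 172.16.1.25 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 10.0.0.20 https netmask 255.255.255.255
static (inside,outside) tcp 192.0.2.10 135 10.0.0.20 135 netmask 255.255.255.255
static (inside,dmz) tcp 172.16.1.1 smtp 10.0.0.20 smtp netmask 255.255.255.255
access-list outside_in permit tcp any host 192.0.2.10 eq 135
"""

if __name__ == "__main__":
    for severity, line in audit(SAMPLE):
        print(f"{severity:6} {line}")
```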
