This is WRONG. If you have a true application layer inspection firewall
like the ISA firewall, a single "port" is required. You're thinking of
unsecure "hardware" boxes like PIX or Netscreen, that's why we don't use
them. This is for the most part an ABMer list, but something should make
the list aware that some firewalls are much more sophisticated as the
app layer than others and thus don't require you "open ports" in a
haphazed fashion -- a single port is all that is required for an
intelligent firewall.
Disinformation is not better than no information at all -- in contrast
to the fact that encephalopathy is better than no lopathy at all ;)
HTH,
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)
-----Original Message-----
From: listbounce@securityfocus.com
[mailto:listbounce@securityfocus.com] On Behalf Of Wiedemann, Adrian
Sent: Wednesday, April 11, 2007 2:03 PM
To: pen-test@securityfocus.com
Subject: RE: publications concerning port forwarding
Hi,
outlook to connect to exchange externally you are just
asking for the box
to be owned.
That's what I wrote.
Exchange requires many ports to be opened if you are going
to expose it to
the Internet and I'm not even sure you can find an article
on how to do it
anymore because it's such a bad idea.
Not only because it is a bad idea. More because it's using
RPC for direct
access. And since RPC is using dynamic ports, you have to
open up a complete
port range. Even more, because Outlook ask the Global Catalog
Servers for the
Offline-Addressbook ..
Ret
Regards, Adrian
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!
http://www.cenzic.com/c/2020
------------------------------------------------------------------------
