Re: publications concerning port forwarding



Ben Nell writes:

Could you please explain your reasoning behind the inherent flaws in
port forwarding?
[...]
security practices would warrant port forwarding only to DMZ subnets.

I think that's the problem here: port forwarding from internet directly to
internal core systems. I don't see many problems in port-forwarding towards
DMZ systems.

With a direct connection to the internet (regardless of whether via routing, NAT
or port forwarding) the target system has to be able to withstand the usual
internet attacks - known exploits, DoS (at least to some extent e.g. through
intensive use), fuzzing. Applications (especially web-applications) have to
be resistant against XSS, XSRF, etc.

Usually internal systems are not as hardened or programmed with security in
mind as the ones which are intended from the beginning to be placed in the
internet.

And if these systems were taken over, they had direct access to your core
internal network. Systems set up for direct internet exposure in a DMZ
should be harder to crack - and then an attacker still is behind a
firewall...


I'm currently doing work for a large company as a consultant. Another
consultant is installing a MS Exchange server and is now requesting for me
to forward ports on the PIX from the Internet to internal servers.

Which ports/services? While SMTP and HTTPS (for OWA) could be okay-ish,
opening MS RPCs ("naked" MS-Exchange) to the internet quite probably is not
such a great idea.
;-)

Even if you were asked to forward SMTP (incoming) only: with Exchange you
sometimes need to shut down the MSX server for maintenance work. And during
this time mail will bounce as undeliverable as the MSX SMTP connector will
be unavailable, too. Plus the MSX SMTP connector is not as forgiving to SMTP
protocol misuse as e.g. a Postfix server. Thus placing a plain SMTP server
simply as caching proxy between MSX and the internet will catch both flies:
no direct connection between the internet and MSX, better SMTP compatibility,
better spam control and filtering, a cache for MSX maintenance downtimes,
plus (optionally) a border virus scan (e.g. using the free ClamAV).


Bye

Volker
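An added example, not part of Volker's post, of the border SMTP relay he describes: a Postfix main.cf fragment for a DMZ host that accepts inbound mail for the domain, queues it while Exchange is down, runs it through a content filter and relays it to the internal Exchange server. The domain name, the Exchange address 10.10.1.25, the map file names and the amavisd-new filter port are assumed placeholders.

```ini
# /etc/postfix/main.cf on the DMZ relay (added example; example.com,
# 10.10.1.25 and the filter port are placeholders, not from the post)
myhostname = mx1.example.com
smtpd_banner = $myhostname ESMTP

# The relay has no local mailboxes: it only accepts mail for our own
# domain and only from the internet side.
mydestination =
local_recipient_maps =
relay_domains = example.com
mynetworks = 127.0.0.0/8

# Deliver everything for example.com to the Exchange server in the core
# network. Square brackets disable the MX lookup so the relay connects
# to the given host directly.
transport_maps = hash:/etc/postfix/transport
#   contents of /etc/postfix/transport (placeholder address):
#   example.com   smtp:[10.10.1.25]

# Reject recipients that do not exist on Exchange at SMTP time instead
# of queueing them and bouncing later; the list is exported from
# Exchange and rebuilt with "postmap".
relay_recipient_maps = hash:/etc/postfix/relay_recipients
#   contents: one line per mailbox, e.g. "user@example.com OK"

# Queue mail while Exchange is down for maintenance; retry every 5
# minutes and keep trying for 5 days before bouncing to the sender.
queue_run_delay = 300s
maximal_queue_lifetime = 5d

# Be forgiving to sloppy sending MTAs, but never act as an open relay.
smtpd_helo_required = yes
disable_vrfy_command = yes
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unknown_recipient_domain,
    reject_unlisted_recipient,
    permit

# Hand each message to amavisd-new (which calls ClamAV and SpamAssassin)
# before it is relayed inward; "smtp-amavis" must be defined as a
# transport in master.cf.
content_filter = smtp-amavis:[127.0.0.1]:10024
```

With this in place the PIX only needs to forward TCP/25 from the internet to the relay's DMZ address; the Exchange server itself gets no mapping from the outside at all.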

