RE: publications concerning port forwarding

From: "Jason Rahl" <rahlj@xxxxxxxxxx>
Date: Wed, 11 Apr 2007 09:38:37 -0400

You should have them place an OWA server in the DMZ and use IPSec policies between the OWA front end server and the backend exchange servers on the internal network. That way you only have to open 2(or 3) ports for ipsec between the servers from internal to dmz. It limits the exposure as you only need to open 443 and 80 to the server from the Internet. If they are trying to have users access directly to the Exchange servers from a remote site or the Internet I would get the exact IPs and open only to the defined IP range or make them use a VPN. If they are asking to open to the Exchange server directly from the Internet I would get them to sign off on this with something that spells out the risk of indiscriminately opening up MS ports to the entire Internet.

Jason

"Wiedemann, Adrian" <Adrian.Wiedemann@xxxxxxxxxxxxxxxxxxx> 04/11/07 3:52 AM >>>

Hi,

to forward ports on the PIX from the Internet to internal servers. I
have
explained that port forwarding is very risky but they don't seem to
understand. Are there any publications that can be used to show the

It boils down to the Exchange-Server setup. If he is using a
frontend-backend Exchange configuration and requests port 443 to be
forwarded, I see no inherent security concerns about this. In general, I see
no security implications about forwarding ports. I just depends on the
servers, on which these ports are forwarded to.

Regards, Adrian

Ret

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------

Prev by Date: Re: publications concerning port forwarding
Next by Date: Re: Boot floppy
Previous by thread: Re: publications concerning port forwarding
Next by thread: RE: publications concerning port forwarding
Index(es):
- Date
- Thread

Relevant Pages

Re: How did they get behind my NAT?
... Not having experience with that router, I can't be sure what limits it ... "default forwarding IP", although it is an option on many. ... I understand that exposing a port exposes any service ... Always remember - only download files from Trusted Sites. ...
(alt.computer.security)
Re: How did they get behind my NAT?
... Not having experience with that router, I can't be sure what limits it ... "default forwarding IP", although it is an option on many. ... that listens on that port. ... Always remember - only download files from Trusted Sites. ...
(alt.computer.security)
Re: Openssh Port Forwarding Confusion
... >Now for my Port forwarding question. ... So far what I have extracted about ssh port ... You connect to a port on the SSH client. ...
(comp.security.ssh)
Re: OpenSSH 3.4p1 port forwarding problem
... > I am attempting to setup port forwarding of port 1680 over the SSH ... The connection has been closed." ... > debug: Entering interactive session. ...
(comp.unix.sco.misc)
Re: simple Network Bridge?
... > 1) port forwarding is telling your server which service is being delivered ... Bridging is to connect two Ethernet Segments of the same LAN. ...
(comp.os.linux.networking)