Penetration Testing mailing list archives
RE: publications concerning port forwarding
From: "Jason Rahl" <rahlj () cooley edu>
Date: Wed, 11 Apr 2007 09:38:37 -0400
You should have them place an OWA server in the DMZ and use IPSec policies between the OWA front end server and the backend Exchange servers on the internal network. That way you only have to open 2 (or 3) ports for IPSec between the servers from internal to DMZ. It limits the exposure as you only need to open 443 and 80 to the server from the Internet. If they are trying to have users access the Exchange servers directly from a remote site or the Internet, I would get the exact IPs and open only to the defined IP range or make them use a VPN. If they are asking to open to the Exchange server directly from the Internet, I would get them to sign off on this with something that spells out the risk of indiscriminately opening up MS ports to the entire Internet.

Jason
"Wiedemann, Adrian" <Adrian.Wiedemann () rz uni-karlsruhe de> 04/11/07 3:52 AM >>>
Hi,
to forward ports on the PIX from the Internet to internal servers. I have explained that port forwarding is very risky but they don't seem to understand. Are there any publications that can be used to show the
It boils down to the Exchange-Server setup. If he is using a frontend-backend Exchange configuration and requests port 443 to be forwarded, I see no inherent security concerns about this. In general, I see no security implications about forwarding ports. It just depends on the servers to which these ports are forwarded.

Regards,
Adrian
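The layout recommended in this message, written as a rule-set check (an added example, not part of the original messages). The zone names, the `Rule` type, the sample addresses and the reading of "2 (or 3) ports" as IKE on UDP 500 plus ESP and AH are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

# IPsec as a packet filter sees it: IKE on UDP 500, ESP (IP proto 50), AH (IP proto 51).
IPSEC = {("udp", 500), ("esp", None), ("ah", None)}
WEB = {("tcp", 80), ("tcp", 443)}

@dataclass(frozen=True)
class Rule:
    src_zone: str               # "internet", "dmz" or "internal" (hypothetical zone names)
    src_net: str                # CIDR; "0.0.0.0/0" means any source
    dst_zone: str
    proto: str                  # "tcp", "udp", "esp" or "ah"
    port: Optional[int] = None  # None for protocols without ports

def audit(rules):
    """Return (rule, finding) pairs for rules that break the layout described above."""
    findings = []
    for r in rules:
        service = (r.proto, r.port)
        path = (r.src_zone, r.dst_zone)
        any_src = ip_network(r.src_net).prefixlen == 0
        if path == ("internet", "dmz") and service not in WEB:
            findings.append((r, "only 80/443 should reach the DMZ front end"))
        elif path == ("internet", "internal") and any_src:
            findings.append((r, "internal server open to the whole Internet"))
        elif path in {("dmz", "internal"), ("internal", "dmz")} and service not in IPSEC:
            findings.append((r, "front end/back end traffic not carried in IPsec"))
    return findings

# Constructed sample rule set; addresses are documentation and private ranges.
SAMPLE = [
    Rule("internet", "0.0.0.0/0", "dmz", "tcp", 443),
    Rule("internet", "0.0.0.0/0", "dmz", "tcp", 80),
    Rule("internal", "10.0.0.0/24", "dmz", "udp", 500),
    Rule("internal", "10.0.0.0/24", "dmz", "esp"),
    Rule("internet", "198.51.100.0/24", "internal", "tcp", 443),  # defined remote range
    Rule("internet", "0.0.0.0/0", "internal", "tcp", 135),        # forwarded straight in
    Rule("dmz", "192.0.2.10/32", "internal", "tcp", 445),         # cleartext to back end
    Rule("internet", "0.0.0.0/0", "dmz", "tcp", 25),              # extra service in DMZ
]

if __name__ == "__main__":
    for rule, why in audit(SAMPLE):
        print(f"{rule.src_zone}->{rule.dst_zone} {rule.proto}/{rule.port}: {why}")
```

A rule from a defined source range to the internal network passes this check; whether that range is acceptable is still a decision for whoever signs off on the exposure.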