Penetration Testing mailing list archives
RE: publications concerning port forwarding
From: "Thomas W Shinder" <tshinder () tacteam net>
Date: Wed, 11 Apr 2007 18:44:30 -0500
This is WRONG. If you have a true application layer inspection firewall like the ISA firewall, a single "port" is required. You're thinking of unsecure "hardware" boxes like PIX or Netscreen, that's why we don't use them.

This is for the most part an ABMer list, but something should make the list aware that some firewalls are much more sophisticated at the app layer than others and thus don't require you to "open ports" in a haphazard fashion -- a single port is all that is required for an intelligent firewall.

Disinformation is not better than no information at all -- in contrast to the fact that encephalopathy is better than no lopathy at all ;)

HTH,
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Wiedemann, Adrian
Sent: Wednesday, April 11, 2007 2:03 PM
To: pen-test () securityfocus com
Subject: RE: publications concerning port forwarding

Hi,

> outlook to connect to exchange externally you are just asking for the box to be owned.

That's what I wrote.

> Exchange requires many ports to be opened if you are going to expose it to the Internet and I'm not even sure you can find an article on how to do it anymore because it's such a bad idea.

Not only because it is a bad idea. More because it's using RPC for direct access. And since RPC is using dynamic ports, you have to open up a complete port range. Even more, because Outlook asks the Global Catalog Servers for the Offline-Addressbook .. Ret

Regards,
Adrian