Penetration Testing mailing list archives

RE: publications concerning port forwarding

From: "Thomas W Shinder" <tshinder () tacteam net>
Date: Wed, 11 Apr 2007 18:44:30 -0500

This is WRONG. If you  have a true application layer inspection firewall
like the ISA firewall, a single "port" is required. You're thinking of
unsecure "hardware" boxes like PIX or Netscreen, that's why we don't use
them. This is for the most part an ABMer list, but something should make
the list aware that some firewalls are much more sophisticated as the
app layer than others and thus don't require you "open ports" in a
haphazed fashion -- a single port is all that is required for an
intelligent firewall.

Disinformation is not better than no information at all -- in contrast
to the fact that encephalopathy is better than no lopathy at all ;)

HTH,
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

-----Original Message-----
From: listbounce () securityfocus com 
[mailto:listbounce () securityfocus com] On Behalf Of Wiedemann, Adrian
Sent: Wednesday, April 11, 2007 2:03 PM
To: pen-test () securityfocus com
Subject: RE: publications concerning port forwarding

Hi,

outlook to connect to exchange externally you are just

asking for the box

to be owned.


That's what I wrote.

Exchange requires many ports to be opened if you are going

to expose it to

the Internet and I'm not even sure you can find an article

on how to do it

anymore because it's such a bad idea.


Not only because it is a bad idea. More because it's using 
RPC for direct
access. And since RPC is using dynamic ports, you have to 
open up a complete
port range. Even more, because Outlook ask the Global Catalog 
Servers for the
Offline-Addressbook ..

Ret

Regards, Adrian


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------

Current thread:

Re: publications concerning port forwarding, (continued)
- Re: publications concerning port forwarding Ben Nell (Apr 10)
  - Re: publications concerning port forwarding vtlists (Apr 11)
- Re: publications concerning port forwarding Brendan Murray (Apr 10)
- RE: publications concerning port forwarding Wiedemann, Adrian (Apr 11)
  - RE: publications concerning port forwarding Jason L. Ellison (Apr 11)
    - RE: publications concerning port forwarding Wiedemann, Adrian (Apr 11)
    - Message not available
    - RE: publications concerning port forwarding Wiedemann, Adrian (Apr 11)
    - RE: publications concerning port forwarding Jason L. Ellison (Apr 13)
- Re: publications concerning port forwarding Jamie Riden (Apr 11)
- RE: publications concerning port forwarding Jason Rahl (Apr 11)
- RE: publications concerning port forwarding Thomas W Shinder (Apr 13)
  - Re: publications concerning port forwarding vtlists (Apr 13)
- Re: publications concerning port forwarding Thor (Hammer of God) (Apr 13)