Penetration Testing mailing list archives

Re: publications concerning port forwarding


From: vtlists () wyae de
Date: Fri, 13 Apr 2007 11:58:34 +0200

Thomas W Shinder writes:

This is WRONG. If you have a true application layer inspection firewall
like the ISA firewall, a single "port" is required.

Leaving lots of trollbait aside:

Portfiltering SMTP, POP3, IMAP, HTTP, HTTPS is a no-brainer. Thus we'll
leave that as home exercise for the student.  ;-)


The tricky part of portfiltering MSX is to allow MS-RPC port (tcp/135) and
the according "high ports". This can be done

1.) by using a firewall that has a state engine for MS-RPCs. This applies
   for the newer MS-ISAs, CheckPoint and experimental Linux netfilter
   extensions. Please add if you know more.
2.) by allowing tcp/1024-65535 in both directions. This is not really
   recommended as that "hole" is a quite big
3.) by allowing a few selected high ports.
   MSX can be limited to which port range to use. That requires a few
   registry settings:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSA\Parameters
        Name: TCP/IP port
        Value: REG_DWORD   (the port number > 1023)
        
        Name: TCP/IP NSPI port
        Value: REG_DWORD   (the port number > 1023)

   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
        Name: TCP/IP port
        Value: REG_DWORD   (the port number > 1023)
You may also need to add
   * UDP/TCP 53 (DNS)
   * UDP/TCP 88 (Kerberos authentication)
   * UDP/TCP 389 (LDAP Access)
   * TCP 445 (Microsoft Directory Service)
   * TCP 3268 (LDAP to global catalog servers)


This is for generic access. For newer MSX installations you can try to use
Microsoft's RPC-over-HTTP proxy instead - which will obviously need HTTP(S)
i.e. tcp/80 (443).

Bye

Volker
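
Added example, not part of the original post: a small audit that checks a port-filter rule set against the ports listed above and flags a wide high-port opening such as option 2. The static port numbers, the `Rule` type and the `max_width` threshold are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One allow rule: protocol plus an inclusive destination-port range."""
    proto: str
    low: int
    high: int

    def covers(self, proto, port):
        return self.proto == proto and self.low <= port <= self.high

def required_ports(static_ports, directory=False):
    """Ports named in the post: tcp/135, the static high ports, optional extras."""
    bad = [p for p in static_ports if not 1023 < p <= 65535]
    if bad:
        raise ValueError(f"static RPC ports must be > 1023: {bad}")
    need = {("tcp", 135)} | {("tcp", p) for p in static_ports}
    if directory:  # the "you may also need to add" list
        need |= {(proto, p) for p in (53, 88, 389) for proto in ("tcp", "udp")}
        need |= {("tcp", 445), ("tcp", 3268)}
    return need

def audit(rules, static_ports, directory=False, max_width=16):
    """Return (required ports no rule allows, rules opening a wide high-port range)."""
    need = required_ports(static_ports, directory)
    missing = sorted(n for n in need if not any(r.covers(*n) for r in rules))
    too_wide = [r for r in rules
                if r.high > 1023 and r.high - r.low + 1 > max_width]
    return missing, too_wide

# Constructed sample values: assumed static ports for the three registry
# settings (SA "TCP/IP port", SA "TCP/IP NSPI port", IS "TCP/IP port").
STATIC_PORTS = [5000, 5001, 5002]
OPTION_2 = [Rule("tcp", 135, 135), Rule("tcp", 1024, 65535)]
OPTION_3 = [Rule("tcp", 135, 135)] + [Rule("tcp", p, p) for p in STATIC_PORTS]

if __name__ == "__main__":
    for name, rules in (("option 2", OPTION_2), ("option 3", OPTION_3)):
        missing, too_wide = audit(rules, STATIC_PORTS, directory=True)
        print(name, "missing:", missing, "too wide:", too_wide)
```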


