Re: publications concerning port forwarding

From: vtlists@wyae.de
Date: Wed Apr 11 2007 - 03:51:31 EDT


Ben Nell writes:

> Could you please explain your reasoning behind the inherent flaws in
> port forwarding?
[...]
> security practices would warrant port forwarding only to DMZ subnets.

I think that's the problem here: port forwarding from internet directly to
internal core systems. I don't see many problems in port-forwarding towards
DMZ systems.

With a direct connection to the internet (regardless of whether via routing, NAT
or port forwarding) the target system has to be able to withstand the usual
internet attacks - known exploits, DoS (at least to some extent e.g. through
intensive use), fuzzing. Applications (especially web-applications) have to
be resistant against XSS, XSRF, etc.

Usually internal systems are not as hardened or programmed with security in
mind as the ones which are intended from the beginning to be placed in the
internet.

And if these systems were taken over, they had direct access to your core
internal network. Systems set up for direct internet exposure in a DMZ
should be harder to crack - and then an attacker still is behind a
firewall...

>> I'm currently doing work for a large company as a consultant. Another
>> consultant is installing a MS Exchange server and is now requesting for me
>> to forward ports on the PIX from the Internet to internal servers.

Which ports/services? While SMTP and HTTPS (for OWA) could be okay-ish,
opening MS RPCs ("naked" MS-Exchange) to the internet quite probably is not
such a great idea.
;-)

Even if you were asked to forward SMTP (incoming) only: with Exchange you
sometimes need to shut down the MSX server for maintenance work. And during
this time mail will bounce as undeliverable as the MSX SMTP connector will
be unavailable, too. Plus the MSX SMTP connector is not as forgiving to SMTP
protocol misuse as e.g. a Postfix server. Thus placing a plain SMTP server
simply as caching proxy between MSX and the internet will catch both flies:
no direct connection between the internet and MSX, better SMTP compatibility,
better spam control and filtering, a cache for MSX maintenance downtimes,
plus (optionally) a border virus scan (e.g. using the free ClamAV).

Bye

Volker
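The setup described in that post, as an added example not taken from the original message: a Postfix relay in the DMZ that accepts inbound SMTP, queues it while the internal Exchange server is down, applies basic filtering and an optional ClamAV scan, and hands mail on to MSX. The firewall then forwards TCP/25 only to this relay, never to MSX itself. The domain example.com, the DMZ hostname and the MSX address 10.1.2.10 are assumptions.

```ini
# /etc/postfix/main.cf on the DMZ relay (hostnames and addresses are assumed)
myhostname = mailrelay.dmz.example.com
inet_interfaces = all

# The relay holds no mailboxes; mail for the listed domain is relayed onward.
mydestination =
relay_domains = example.com

# Only the internal Exchange server (MSX) may use the relay for outbound mail.
mynetworks = 127.0.0.0/8, 10.1.2.10/32

# Route accepted mail for example.com to the MSX SMTP connector.
# /etc/postfix/transport contains one line (then run: postmap /etc/postfix/transport):
#   example.com    smtp:[10.1.2.10]:25
transport_maps = hash:/etc/postfix/transport

# Reject unknown recipients at the border. With this map empty Postfix accepts
# every recipient for example.com and bounces later, producing backscatter.
# /etc/postfix/relay_recipients lists valid addresses, e.g.:
#   user@example.com    OK
relay_recipient_maps = hash:/etc/postfix/relay_recipients

# Keep mail queued (default 5 days) while MSX is down for maintenance
# instead of letting senders see it bounce as undeliverable.
maximal_queue_lifetime = 5d
bounce_queue_lifetime = 5d

# Protocol and spam checks the MSX connector would otherwise face directly.
smtpd_helo_required = yes
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unknown_recipient_domain,
    reject_rbl_client zen.spamhaus.org

# Optional border virus scan via clamav-milter (socket path is an assumption).
smtpd_milters = unix:/var/run/clamav/clamav-milter.ctl
milter_default_action = accept
```

Outbound mail from MSX goes through the same relay (permitted by mynetworks), so MSX needs no direct internet connection in either direction.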

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:43 EDT