RE: publications concerning port forwarding

From: Thomas W Shinder (tshinder@tacteam.net)
Date: Wed Apr 11 2007 - 19:44:30 EDT

• Next message: Curt Purdy: "Re: Boot floppy"
• Previous message: Paul Sebastian Ziegler: "Paros alternative"
• Maybe in reply to: Jason L. Ellison: "publications concerning port forwarding"
• Next in thread: vtlists@wyae.de: "Re: publications concerning port forwarding"
• Reply: vtlists@wyae.de: "Re: publications concerning port forwarding"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This is WRONG. If you have a true application layer inspection firewall
like the ISA firewall, a single "port" is required. You're thinking of
unsecure "hardware" boxes like PIX or Netscreen, that's why we don't use
them. This is for the most part an ABMer list, but something should make
the list aware that some firewalls are much more sophisticated as the
app layer than others and thus don't require you "open ports" in a
haphazed fashion -- a single port is all that is required for an
intelligent firewall.

Disinformation is not better than no information at all -- in contrast
to the fact that encephalopathy is better than no lopathy at all ;)

HTH,
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

> -----Original Message-----
> From: listbounce@securityfocus.com
> [mailto:listbounce@securityfocus.com] On Behalf Of Wiedemann, Adrian
> Sent: Wednesday, April 11, 2007 2:03 PM
> To: pen-test@securityfocus.com
> Subject: RE: publications concerning port forwarding
>
> Hi,
>
> > outlook to connect to exchange externally you are just
> asking for the box
> > to be owned.
>
> That's what I wrote.
>
> > Exchange requires many ports to be opened if you are going
> to expose it to
> > the Internet and I'm not even sure you can find an article
> on how to do it
> > anymore because it's such a bad idea.
>
> Not only because it is a bad idea. More because it's using
> RPC for direct
> access. And since RPC is using dynamic ports, you have to
> open up a complete
> port range. Even more, because Outlook ask the Global Catalog
> Servers for the
> Offline-Addressbook ..
>
> Ret
>
> Regards, Adrian
>

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------

• Next message: Curt Purdy: "Re: Boot floppy"
• Previous message: Paul Sebastian Ziegler: "Paros alternative"
• Maybe in reply to: Jason L. Ellison: "publications concerning port forwarding"
• Next in thread: vtlists@wyae.de: "Re: publications concerning port forwarding"
• Reply: vtlists@wyae.de: "Re: publications concerning port forwarding"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:43 EDT