Solved

Security concerns of port forwarding and remote access

Posted on 2010-11-20
756 Views
Last Modified: 2012-05-10
Hello,
I have a question about a recent trend that I have seen. I am interested in any relevant comments or resources. There really isn't a "yes or no" answer to this, but I am interested in how people will respond. This question is about port forwarding. I have noticed that for many small businesses, it is very common to port forward certain ports to internal servers. By port forwarding I mean a firewall configuration that says (for example) "if an https request comes to the outside address of my firewall, forward that request to an internal server". My question is really aimed at forwarding https to internal Exchange servers for OWA, Outlook Anywhere, and smartphone/ActiveSync purposes. However, I think this conversation would also apply to RDP, SMTP, and sometimes to FTP.

I would view this as running against best practices, especially when that internal server is a domain controller or supports other business-critical processes. I think there is no question that in a highly sensitive environment it is unacceptable, and in a very small, 10-employee business it probably would be acceptable. But somewhere in the middle of that lies the mid-size environment. We have to be serious about security, but we may not be able to put Exchange servers in DMZs to support remote access. In fact, for many "mid-sized" companies, that Exchange server is also 1 of only 2 domain controllers and performs all Exchange roles.

Having said all that, there is a real need for remote access to email that traditional VPN clients don't always meet. There is a demand to put email and other Exchange/Outlook content on iPhones, Windows Phones, and Droid phones, not to mention the iPads and assortment of other tablets emerging.

So, from a mid-sized business perspective, how do you weigh these security concerns against the demands for remote access? Are these legitimate security concerns? Do you think an advanced "IPS enabled" firewall can mitigate these concerns, and to what degree?

At any rate, I would be very interested in any input that anyone might provide. I am really just trying to look at this as a business running their own servers (as opposed to a hosted or cloud solution).

Thanks,
Ben
Question by: Jack5Back

6 Comments

Author Comment

by:Jack5Back
ID: 34181255
I think another important aspect of this conversation is that, with these needs, we can't really define a specific range of addresses to allow this port from. This is opposed to SMTP (and maybe RDP) where you might be able to restrict it to specific public IP addresses.

LVL 10

Expert Comment

by:Wolfhere
ID: 34181318
Web Access not acceptable? Data resides on the Exchange server (which I believe should be on the DMZ). We have an ASA to handle the port forwarding (firewall). Outlook Web Access works pretty much like the local client. So perhaps the Web Access on the outside and Exchange on the inside.

LVL 5

Expert Comment

by:dacasey
ID: 34181349
Port forwarding is a security risk, but so is browsing a web site! In a perfect world no one would port forward, but if you're a small shop you might port forward your web to one machine, VPN to another, and email to yet another. I see this sort of Swiss cheese security quite often. This is all about acceptable risk. If you were a firm with all of your value tied up in IP that someone could just copy off a server, I would suggest that port forwarding would be too great a risk.


Author Comment

by:Jack5Back
ID: 34181387
Wolfhere,
It's not so much that web access is not acceptable, but the issue is the port forwarding necessary to make the web access necessary, which for many mid-sized organizations might be their only Exchange server and might also be a domain controller.


Author Comment

by:Jack5Back
ID: 34181447
Dacasey, I agree that it's a question of acceptable risk. But I think that you are confirming that it is a valid security concern. Whether the operational value is worth the security risk is something that has to be determined on a case-by-case basis.

Having said that, if you wanted both, what would you do? Run a client access server in a DMZ?

Wolfhere, are you running the IPS on the ASA?
Are you saying that you are able to port forward because you have an ASA, or that you are comfortable with port forwarding because you have an ASA?

LVL 5

Accepted Solution

by: dacasey (earned 500 total points)
ID: 34194619
Jack5back,

You got it. It's a matter of acceptable risk, and the tough question is who determines what is acceptable.

A DMZ is a good answer but needs proper setup. For OWA you could put a front-end server in the DMZ; it's the web server part of Exchange without the database. The front end passes requests back to the Exchange server; if the front-end server is compromised, your Exchange server MIGHT not be affected. This requires some hardware, at least a machine and some licensing, so this is more expensive and complex.

I would think about the specific site: is the security generally tight (IT and physical security)? If it is, port forwarding is a good answer. If the security on the inside of the network is lax, port forwarding is too risky.
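As an added example (not from the thread or any of its participants), the following Python model compares the two designs discussed above: forwarding 443 straight to an internal Exchange server that is also a domain controller, versus a front-end in a DMZ that relays to Exchange. The host names, zones and rules are constructed for the example; it counts how many hosts an attacker would have to compromise in sequence to reach each box, which is what the "MIGHT not be affected" in the accepted answer comes down to.

```python
from collections import deque

# Constructed topology for the example (names and roles are not from the thread).
HOSTS = {
    "exchange-dc": {"zone": "inside", "roles": {"exchange", "domain-controller"}},
    "owa-frontend": {"zone": "dmz", "roles": {"owa-frontend"}},
}

# Each rule is (source zone, destination host, TCP port) the firewall permits.
# Option 1 from the thread: forward 443 on the firewall straight to the internal
# Exchange server, which is also a domain controller.
PORT_FORWARD = [("internet", "exchange-dc", 443)]

# Option 2 (accepted answer): a front-end in the DMZ takes the internet-facing 443
# and only the DMZ may open 443 back to the internal Exchange server.
DMZ_FRONTEND = [("internet", "owa-frontend", 443), ("dmz", "exchange-dc", 443)]


def compromise_depth(rules, hosts=HOSTS, start="internet"):
    """Minimum number of hosts an attacker must compromise in sequence to reach each
    host. Pessimistic assumption: a compromised host lets the attacker originate
    traffic from that host's zone. Depth 1 means directly exposed to the internet."""
    depth, seen_zones, queue = {}, {start}, deque([(start, 0)])
    while queue:  # breadth-first over zones, so the first discovery is the minimum depth
        zone, d = queue.popleft()
        for src, dst, _port in rules:
            if src != zone or dst in depth:
                continue
            depth[dst] = d + 1
            dst_zone = hosts[dst]["zone"]
            if dst_zone not in seen_zones:
                seen_zones.add(dst_zone)
                queue.append((dst_zone, d + 1))
    return depth


def directly_exposed_roles(rules, hosts=HOSTS):
    """Roles running on hosts the internet reaches with no intermediate compromise."""
    return {role for host, d in compromise_depth(rules, hosts).items()
            if d == 1 for role in hosts[host]["roles"]}


if __name__ == "__main__":
    for name, rules in (("port forward", PORT_FORWARD), ("DMZ front-end", DMZ_FRONTEND)):
        print(name, compromise_depth(rules), directly_exposed_roles(rules))
```

With the port forward, the domain controller sits at depth 1; with the DMZ front-end the same box is only reachable after the front-end itself falls, which is the extra hop the DMZ buys, provided the DMZ-to-inside rule stays limited to the one port the relay needs.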