Solved

Security concerns of port forwarding and remote access

Posted on 2010-11-20
6
766 Views
Last Modified: 2012-05-10
Hello,
I have a question about a recent trend that I have seen. I am interested in any relevant comments or resources. There really isn't a "yes or no" answer to this, but I am interested in how people will respond. This question is about port forwarding. I have noticed that for many small businesses, it is very common to port forward certain ports to internal servers. By port forwarding I mean a firewall configuration that says (for example) "if an https request comes to the outside address of my firewall, forward that request to an internal server". My question is really aimed at forwarding https to internal Exchange servers for OWA, Outlook Anywhere, and smartphone/ActiveSync purposes. However, I think this conversation would also apply to RDP, SMTP, and sometimes FTP.

I would view this as running against best practices, especially when that internal server is a domain controller or supports other business-critical processes. I think there is no question that in a highly sensitive environment it is unacceptable, and in a very small, 10-employee business it probably would be acceptable. But somewhere in the middle of that lies the mid-size environment. We have to be serious about security, but we may not be able to put Exchange servers in DMZs to support remote access. In fact, for many "mid-sized" companies, that Exchange server is also 1 of only 2 domain controllers and performs all Exchange roles.

Having said all that, there is a real need for remote access to email that traditional VPN clients don't always meet. There is a demand to put email and other Exchange/Outlook content on iPhones, Windows Phones, and Droid phones, not to mention the iPads and the assortment of other tablets emerging.

So, from a mid-sized business perspective, how do you weigh these security concerns against the demands for remote access? Are these legitimate security concerns? Do you think an advanced "IPS enabled" firewall can mitigate these concerns, and to what degree?

At any rate, I would be very interested in any input that anyone might provide. I am really just trying to look at this as a business running their own servers (as opposed to a hosted or cloud solution).

Thanks,
Ben
0
Question by:Jack5Back
6 Comments
 

Author Comment

by:Jack5Back
ID: 34181255
I think another important aspect of this conversation is that, with these needs, we can't really define a specific range of addresses to allow this port from. This is opposed to SMTP (and maybe RDP), where you might be able to restrict it to specific public IP addresses.
0
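Because the published HTTPS port has to accept ActiveSync and OWA traffic from any source address, the firewall cannot do the source filtering that works for SMTP or RDP, and the server's own authentication log becomes the place to catch guessing. The following is an added example, not code from the original thread or from any product mentioned in it: it parses IIS W3C log lines from a published Exchange server and flags client addresses that fail repeatedly against /owa or /Microsoft-Server-ActiveSync (brute force) or that fail across several usernames (password spraying). The log lines are constructed for the example, and the thresholds and the rule that an HTTP 401 marks a failed authentication are assumptions.

```python
"""Failed-logon monitoring for an Exchange server published by port forwarding.

Added example, not part of the original thread. The sample log is constructed;
FAIL_THRESHOLD, SPRAY_THRESHOLD and the "401 = failed authentication" rule are
assumptions to be tuned against a baseline of your own logs.
"""
from collections import defaultdict
from urllib.parse import parse_qs

# Assumption: Basic/Integrated auth is in use, so a failed logon is logged as 401.
# Forms-based OWA logon fails with a redirect back to logon.aspx and needs its own rule.
WATCHED_STEMS = {"/microsoft-server-activesync", "/owa/auth.owa"}
FAIL_THRESHOLD = 5     # 401s from one client address before we call it brute force
SPRAY_THRESHOLD = 3    # distinct usernames tried from one client address

# Constructed IIS log extract: a legitimate iPhone (198.51.100.7), one address
# hammering a single account (203.0.113.9) and one trying several (192.0.2.44).
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2010-11-20 08:00:01 10.0.0.5 GET /owa/ - 443 corp\alice 198.51.100.7 Mozilla/5.0+(iPhone) 200 0 0 31
2010-11-20 08:00:02 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=alice&DeviceId=ABC 443 - 198.51.100.7 Apple-iPhone/801.293 401 2 5 0
2010-11-20 08:00:02 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=alice&DeviceId=ABC 443 corp\alice 198.51.100.7 Apple-iPhone/801.293 200 0 0 120
2010-11-20 08:01:01 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=alice&DeviceId=ZZZ 443 - 203.0.113.9 Apple-iPhone/801.293 401 2 5 0
2010-11-20 08:01:02 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=alice&DeviceId=ZZZ 443 - 203.0.113.9 Apple-iPhone/801.293 401 2 5 0
2010-11-20 08:01:03 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=alice&DeviceId=ZZZ 443 - 203.0.113.9 Apple-iPhone/801.293 401 2 5 0
2010-11-20 08:01:04 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=alice&DeviceId=ZZZ 443 - 203.0.113.9 Apple-iPhone/801.293 401 2 5 0
2010-11-20 08:01:05 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=alice&DeviceId=ZZZ 443 - 203.0.113.9 Apple-iPhone/801.293 401 2 5 0
2010-11-20 08:01:06 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=alice&DeviceId=ZZZ 443 - 203.0.113.9 Apple-iPhone/801.293 401 2 5 0
2010-11-20 08:02:01 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Ping&User=bob&DeviceId=QQQ 443 - 192.0.2.44 Python-urllib/2.6 401 2 5 0
2010-11-20 08:02:02 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Ping&User=carol&DeviceId=QQQ 443 - 192.0.2.44 Python-urllib/2.6 401 2 5 0
2010-11-20 08:02:03 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Ping&User=dave&DeviceId=QQQ 443 - 192.0.2.44 Python-urllib/2.6 401 2 5 0
2010-11-20 08:02:04 10.0.0.5 POST /owa/auth.owa - 443 - 192.0.2.44 Mozilla/5.0 401 2 5 0
"""


def parse_iis_log(text):
    """Parse W3C extended log text into dicts keyed by the #Fields header.

    IIS replaces spaces inside a field with '+', so splitting on whitespace is safe.
    """
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # no header yet, or the line does not fit it: skip rather than guess
        records.append(dict(zip(fields, values)))
    return records


def attempted_user(record):
    """Username the client tried: IIS logs '-' on failure, but ActiveSync puts it in the query."""
    name = record.get("cs-username", "-")
    if name != "-":
        return name.lower()
    query = parse_qs(record.get("cs-uri-query", ""))
    return query.get("User", ["-"])[0].lower()


def detect(records):
    """Return brute-force and spraying suspects keyed by client address."""
    failures = defaultdict(int)
    users = defaultdict(set)
    for r in records:
        if r.get("cs-uri-stem", "").lower() in WATCHED_STEMS and r.get("sc-status") == "401":
            ip = r["c-ip"]
            failures[ip] += 1
            user = attempted_user(r)
            if user != "-":
                users[ip].add(user)
    return {
        "brute_force": {ip: n for ip, n in failures.items() if n >= FAIL_THRESHOLD},
        "spray": {ip: sorted(u) for ip, u in users.items() if len(u) >= SPRAY_THRESHOLD},
    }


if __name__ == "__main__":
    for kind, hits in detect(parse_iis_log(SAMPLE_LOG)).items():
        print(kind, hits)
```

Point it at the u_ex*.log files of the Client Access server. One 401 per connection is normal for clients that do not send credentials pre-emptively (the legitimate iPhone above shows that), so set FAIL_THRESHOLD from your own baseline, and remember that the address seen here is the firewall's translated client address, which is exactly what a port forward preserves and a VPN concentrator would hide.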
 
LVL 10

Expert Comment

by:Wolfhere
ID: 34181318
WebAccess not acceptable? Data resides on the exchange server (which I believe should be on the DMZ). We have an ASA to handle the port forwarding (firewall).  Outlook Web Access works pretty much like the local client. So perhaps the Web Access on the outside and exchange on the inside.

0
 
LVL 5

Expert Comment

by:dacasey
ID: 34181349
Port forwarding is a security risk, but so is browsing a web site! In a perfect world no one would port forward, but if you're a small shop you might port forward your web to one machine, VPN to another, and email to yet another. I see this sort of swiss cheese security quite often. This is all about acceptable risk. If you were a firm with all of your value tied up in IP that someone could just copy off a server, I would suggest that port forwarding would be too great a risk.
0

Author Comment

by:Jack5Back
ID: 34181387
Wolfhere,
It's not so much that web access is not acceptable; the issue is the port forwarding necessary to make the web access possible, to a server which for many mid-sized organizations might be their only Exchange server and might also be a domain controller.
0
 

Author Comment

by:Jack5Back
ID: 34181447
Dacasey, I agree that it's a question of acceptable risk. But I think that you are confirming that it is a valid security concern. Whether the operational value is worth the security risk is something that has to be determined on a case-by-case basis.

Having said that, if you wanted both, what would you do? Run a client access server in a DMZ?

Wolfhere, are you running the IPS on the ASA?
Are you saying that you are able to port forward because you have an ASA, or that you are comfortable with port forwarding because you have an ASA?
0
 
LVL 5

Accepted Solution

by:
dacasey earned 500 total points
ID: 34194619
Jack5back,

You got it.  It's a matter of acceptable risk and the tough question is who determines what is acceptable.  

A DMZ is a good answer but needs proper setup. For OWA you could put a front end server in the DMZ; it's the web server part of Exchange without the database, and the front end passes requests back to the Exchange server. If the front end server is compromised your Exchange server MIGHT not be affected. This requires some hardware (at least a machine) and some licensing, so it is more expensive and complex.

I would think about the specific site: is the security generally tight (IT and physical security)? If it is, port forwarding is a good answer. If the security on the inside of the network is lax, port forwarding is too risky.

0
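Wolfhere's "Web Access on the outside and Exchange on the inside" and the front end server in the DMZ in the accepted answer describe the same control: the Internet-facing host relays only the handful of URLs that OWA, ActiveSync, Outlook Anywhere and Autodiscover clients actually use, and refuses everything else in the DMZ, so the forwarded HTTPS port no longer exposes the whole IIS surface of the internal Exchange server (which, as the question notes, may also be a domain controller). The following is an added example, not code from the original thread or from Microsoft: a minimal front end in Python with an explicit path and method allowlist. The backend hostname and port, the listening port and the list of published prefixes are assumptions to adapt.

```python
"""Minimal DMZ front end for a published Exchange server.

Added example, not from the original thread. Only the URL prefixes that remote
clients need are relayed to the internal server; every other path is refused
here, before it reaches the internal network. The backend name/port and the
prefix list are assumptions for illustration.
"""
import http.client
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

BACKEND_HOST = "exchange.internal.example"   # assumed internal Exchange server
BACKEND_PORT = 443

# Lower-cased prefix -> methods a client legitimately uses there. IIS matches
# paths case-insensitively, so the request path is normalised before comparing.
ALLOWED = (
    ("/owa", {"GET", "POST", "OPTIONS"}),
    ("/microsoft-server-activesync", {"GET", "POST", "OPTIONS"}),
    ("/rpc/rpcproxy.dll", {"RPC_IN_DATA", "RPC_OUT_DATA"}),   # Outlook Anywhere
    ("/autodiscover/autodiscover.xml", {"GET", "POST"}),
)

# Hop-by-hop headers that must not be copied between the two connections.
SKIP_HEADERS = {"connection", "keep-alive", "transfer-encoding", "upgrade",
                "proxy-connection", "content-length"}


def should_forward(method, raw_path):
    """Return True only for a request the front end is willing to relay."""
    path = urlsplit(raw_path).path          # drop the query string
    if not path.startswith("/"):
        return False
    # Refuse traversal and encoding tricks instead of trying to canonicalise them;
    # none of the published paths need a backslash, a percent-escape or "..".
    if "\\" in path or "%" in path or ".." in path.split("/"):
        return False
    path = path.lower()
    for prefix, methods in ALLOWED:
        if path == prefix or path.startswith(prefix + "/"):
            return method.upper() in methods
    return False


class FrontEnd(BaseHTTPRequestHandler):
    """Relay an allowed request to the backend and copy the response back."""

    def _relay(self):
        if not should_forward(self.command, self.path):
            self.send_error(403, "Not published by this front end")
            return
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        headers = {k: v for k, v in self.headers.items()
                   if k.lower() not in SKIP_HEADERS}
        headers["X-Forwarded-For"] = self.client_address[0]   # keep the real source for the logs
        conn = http.client.HTTPSConnection(BACKEND_HOST, BACKEND_PORT, timeout=60)
        try:
            conn.request(self.command, self.path, body=body, headers=headers)
            resp = conn.getresponse()
            data = resp.read()
            self.send_response(resp.status, resp.reason)
            for k, v in resp.getheaders():
                if k.lower() not in SKIP_HEADERS:
                    self.send_header(k, v)
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)
        finally:
            conn.close()

    # One handler for every published method; anything else gets 501 from the base class.
    do_GET = do_POST = do_OPTIONS = do_RPC_IN_DATA = do_RPC_OUT_DATA = _relay


if __name__ == "__main__":
    # In the DMZ this listening socket would be wrapped with ssl for TLS termination.
    ThreadingHTTPServer(("0.0.0.0", 8080), FrontEnd).serve_forever()
```

The allowlist is the point; the relay is deliberately simple. It buffers each request and response, which is fine for OWA, ActiveSync and Autodiscover but not for Outlook Anywhere's long-lived RPC_IN_DATA/RPC_OUT_DATA streams, so a production front end would use a streaming reverse proxy with the same rules. HTTPSConnection verifies the backend certificate, so give it an ssl context that trusts the internal CA, and note that /ecp (the admin console) is absent from the list on purpose.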
