Security concerns of port forwarding and remote access

Hello,
I have a question about a recent trend that I have seen. I am interested in any relevant comments or resources. There really isn't a "yes or no" answer to this, but I am interested in how people will respond. This question is about port forwarding. I have noticed that for many small businesses, it is very common to port forward certain ports to internal servers. By port forwarding I mean a firewall configuration that says (for example) "if an https request comes to the outside address of my firewall, forward that request to an internal server". My question is really aimed at forwarding https to internal Exchange servers for OWA, Outlook Anywhere, and smartphone/ActiveSync purposes. However, I think this conversation would also apply to RDP, SMTP, and sometimes FTP.

I would view this as running against best practices, especially when that internal server is a domain controller or supports other business-critical processes. I think there is no question that in a highly sensitive environment it is unacceptable, and in a very small, 10-employee business it probably would be acceptable. But somewhere in the middle of that lies the mid-size environment. We have to be serious about security, but we may not be able to put Exchange servers in DMZs to support remote access. In fact, for many "mid-sized" companies, that Exchange server is also 1 of only 2 domain controllers and performs all Exchange roles.

Having said all that, there is a real need for remote access to email that traditional VPN clients don't always meet. There is a demand to put email and other Exchange/Outlook content on iPhones, Windows Phones, and Droid phones, not to mention the iPads and assortment of other tablets emerging.

So, from a mid-sized business perspective, how do you weigh these security concerns against the demands for remote access? Are these legitimate security concerns? Do you think an advanced "IPS enabled" firewall can mitigate these concerns, and to what degree?

At any rate, I would be very interested in any input that anyone might provide. I am really just trying to look at this as a business running their own servers (as opposed to a hosted or cloud solution).

Thanks,
Ben
Jack5Back asked:
dacasey commented:
Jack5back,

You got it. It's a matter of acceptable risk, and the tough question is who determines what is acceptable.

A DMZ is a good answer but needs proper setup. For OWA you could put a front end server in the DMZ; it's the web server part of Exchange without the database. The front end passes requests back to the Exchange server; if the front end server is compromised, your Exchange server MIGHT not be affected. This requires some hardware, at least a machine and some licensing, so this is more expensive and complex.

I would think about the specific site: is the security generally tight (IT and physical security)? If it is, port forwarding is a good answer. If the security on the inside of the network is lax, port forwarding is too risky.

 
Jack5Back (author) commented:
I think another important aspect of this conversation is that, with these needs, we can't really define a specific range of addresses from which to allow this port. This is opposed to SMTP (and maybe RDP), where you might be able to restrict it to specific public IP addresses.
 
Wolfhere commented:
Web Access not acceptable? Data resides on the Exchange server (which I believe should be on the DMZ). We have an ASA to handle the port forwarding (firewall). Outlook Web Access works pretty much like the local client. So perhaps the Web Access on the outside and Exchange on the inside.

dacasey commented:
Port forwarding is a security risk, but so is browsing a web site! In a perfect world no one would port forward, but if you're a small shop you might port forward your Web to one machine, VPN to another, and email to yet another. I see this sort of swiss cheese security quite often. This is all about acceptable risk. If you were a firm with all of your value tied up in IP that someone could just copy off a server, I would suggest that port forwarding would be too great a risk.
 
Jack5Back (author) commented:
Wolfhere,
It's not so much that web access is not acceptable, but the issue is the port forwarding necessary to make the web access possible, which for many mid-sized organizations might be to their only Exchange server, one that might also be a domain controller.
 
Jack5Back (author) commented:
Dacasey, I agree that it's a question of acceptable risk. But I think that you are confirming that it is a valid security concern. Whether the operational value is worth the security risk is something that has to be determined on a case-by-case basis.

Having said that, if you wanted both, what would you do? Run a client access server in a DMZ?

Wolfhere, are you running the IPS on the ASA?
Are you saying that you are able to port forward because you have an ASA, or that you are comfortable with port forwarding because you have an ASA?
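The two designs the thread contrasts, written out as an edge firewall policy. This is an added example, not configuration from any participant's ASA or network: it uses nftables rather than ASA syntax, and the interface names (wan0, dmz0, lan0), the RFC 5737 addresses, and the single SMTP relay address are all assumed for illustration. It also assumes the DMZ host is a plain HTTPS reverse proxy that needs nothing from the LAN except 443 to the mailbox server; a domain-joined Exchange front end would additionally need AD ports (Kerberos, LDAP, etc.) opened from the DMZ, which is part of the cost dacasey alludes to.

```nft
#!/usr/sbin/nft -f
# Added example: edge firewall policy for "forward 443 to a DMZ front end,
# not to the internal Exchange server that is also a DC".
# Assumed topology (all names and addresses are illustrative):
#   wan0  outside interface, public address 203.0.113.10
#   dmz0  192.0.2.0/24, reverse proxy / front end at 192.0.2.5
#   lan0  10.0.0.0/24, Exchange mailbox server + domain controller at 10.0.0.20
#   203.0.113.50  the one external relay allowed to deliver SMTP (assumed)

flush ruleset

define WAN_IP   = 203.0.113.10
define PROXY    = 192.0.2.5
define EXCHANGE = 10.0.0.20
define SMTP_SRC = { 203.0.113.50 }

table inet edge {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        # WEAK PATTERN from the question: 443 straight to the internal Exchange/DC.
        # Left commented out for contrast only.
        # iifname "wan0" ip daddr $WAN_IP tcp dport 443 dnat to $EXCHANGE

        # Hardened pattern: 443 terminates on the DMZ front end, never on a LAN host.
        iifname "wan0" ip daddr $WAN_IP tcp dport 443 dnat to $PROXY

        # SMTP is the case where source restriction is possible (Jack5Back's point):
        # only the known relay may reach 25, and it still lands in the DMZ.
        iifname "wan0" ip daddr $WAN_IP ip saddr $SMTP_SRC tcp dport 25 dnat to $PROXY

        # No DNAT for 3389: RDP stays behind the VPN rather than being forwarded.
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept

        # Internet -> DMZ: exactly what was translated above, nothing else.
        iifname "wan0" oifname "dmz0" ip daddr $PROXY tcp dport 443 accept
        iifname "wan0" oifname "dmz0" ip saddr $SMTP_SRC ip daddr $PROXY tcp dport 25 accept

        # DMZ -> LAN: the front end may reach the mailbox server on 443 (OWA/ActiveSync
        # pass-through) and 25 (mail delivery) only. No 88/389/445/3389 toward the host
        # that is also a DC, so a compromised front end cannot walk into the domain.
        iifname "dmz0" oifname "lan0" ip saddr $PROXY ip daddr $EXCHANGE tcp dport { 443, 25 } accept
        iifname "dmz0" oifname "lan0" counter log prefix "dmz-to-lan-denied " drop

        # LAN -> anywhere: permitted here for brevity; tighten per site.
        iifname "lan0" accept
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}
```

The security-relevant difference is the forward chain, not the DNAT line: with the weak pattern an attacker who gets code execution on the exposed service is already on the domain controller, whereas with the DMZ pattern the same compromise lands on a host whose only permitted path inward is two TCP ports to one server, and every other attempt is logged with the dmz-to-lan-denied prefix. That log line is also the detection hook worth alerting on, since a healthy front end should never generate it.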