Security concerns of port forwarding and remote access
Posted on 2010-11-20
I have a question about a recent trend that I have seen. I am interested in any relevant comments or resources. There really isn't a "yes or no" answer to this, but I am interested in how people will respond. This question is about port forwarding. I have noticed that for many small businesses, it is very common to port forward certain ports to internal servers. By port forwarding I mean a firewall configuration that says (for example) "if an https request comes to the outside address of my firewall, forward that request to an internal server". My question is really aimed at forwarding https to internal exchange servers for OWA, outlook anywhere, and smartphone/activesync purposes. However, I think this conversation would also apply to RDP, SMTP, and sometimes to FTP.
I would view this as running against best practices, especially when that internal server is a domain controller or supports other business critical processes. I think there is no question that in a highly sensitive environment it is unacceptable, and in a very small, 10 employee business it probably would be acceptable. But somewhere in the middle of that lies the mid size environment. We have to be serious about security, but we may not be able to put exchange servers in DMZs to support remote access. In fact, for many "mid sized" companies, that exchange server is also 1 of only 2 domain controllers and performs all exchange roles.
Having said all that, there is a real need for remote access to email that traditional VPN clients don't always meet. There is a demand to put email and other exchange/outlook content on iPhones, Windows Phones, and Droid phones, not to mention the iPads and assortment of other tablets emerging.
So, from a mid sized business perspective, how do you weigh these security concerns against the demands for remote access? Are these legitimate security concerns? Do you think an advanced "IPS enabled" firewall can mitigate these concerns, and to what degree?
At any rate, I would be very interested in any input that anyone might provide. I am really just trying to look at this as a business running their own servers (as opposed to a hosted or cloud solution).
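One way to make the concern in the question concrete is to audit the firewall's port-forward list against a host inventory and flag exactly the exposures described above: RDP, SMTP or FTP forwarded from any internet source, and forwards that land on a domain controller or on a box that carries several critical roles at once (the "exchange server that is also a domain controller" case). The script below is an added example, not part of the original post; the rule and host records, the field names, and the severity levels are constructed assumptions rather than any particular firewall's export format.

```python
"""Audit firewall port-forward (DNAT) rules against a host inventory.

Added example, not from the original post. Rule and host data are
constructed samples; the field names and severity labels are assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Services the question names as commonly forwarded. RDP, SMTP and FTP
# are treated as higher risk than HTTPS when exposed to any source.
HIGH_RISK_PORTS = {3389: "RDP", 25: "SMTP", 21: "FTP"}
KNOWN_PORTS = {443: "HTTPS", **HIGH_RISK_PORTS}


@dataclass(frozen=True)
class Forward:
    """One DNAT rule: external port -> internal host:port, optional source."""
    external_port: int
    internal_host: str
    internal_port: int
    source: str = "0.0.0.0/0"  # source restriction on the rule, if any


@dataclass(frozen=True)
class Host:
    """Inventory entry: host name and the roles it carries (assumed labels)."""
    name: str
    roles: frozenset


def is_unrestricted(source: str) -> bool:
    """True when the rule's source covers the whole address space."""
    return ipaddress.ip_network(source, strict=False).prefixlen == 0


def audit(forwards, hosts):
    """Return a list of findings, each a dict with severity, host, port, message."""
    inventory = {h.name: h for h in hosts}
    findings = []

    def add(severity, fw, message):
        findings.append({"severity": severity, "host": fw.internal_host,
                         "port": fw.internal_port, "message": message})

    for fw in forwards:
        service = KNOWN_PORTS.get(fw.internal_port, f"tcp/{fw.internal_port}")
        # Management or legacy protocol reachable from anywhere on the internet.
        if fw.internal_port in HIGH_RISK_PORTS and is_unrestricted(fw.source):
            add("high", fw, f"{service} forwarded from any source")
        host = inventory.get(fw.internal_host)
        if host is None:
            add("medium", fw, "forward target not in host inventory")
            continue
        # The case the question worries about most: traffic terminating on a DC.
        if "domain-controller" in host.roles:
            add("high", fw, f"{service} lands on a domain controller")
        # Several critical roles on one box means one compromise takes them all.
        if len(host.roles) > 1:
            add("medium", fw, "target hosts several roles: " + ", ".join(sorted(host.roles)))
    return findings


def summarize(findings):
    """Count findings per severity label."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


# Constructed sample data mirroring the question's mid-sized-business setup.
SAMPLE_HOSTS = [
    Host("mail01", frozenset({"exchange", "domain-controller"})),
    Host("proxy01", frozenset({"reverse-proxy"})),   # hypothetical DMZ proxy
    Host("ts01", frozenset({"terminal-server"})),
]
SAMPLE_FORWARDS = [
    Forward(443, "mail01", 443),                             # OWA straight to the DC
    Forward(443, "proxy01", 443),                            # same service via a DMZ host
    Forward(3389, "ts01", 3389),                             # RDP open to the world
    Forward(3389, "ts01", 3389, source="203.0.113.10/32"),   # RDP pinned to one source
    Forward(25, "mail01", 25),                               # inbound SMTP on the DC
]

if __name__ == "__main__":
    results = audit(SAMPLE_FORWARDS, SAMPLE_HOSTS)
    for r in results:
        print(f"[{r['severity']}] {r['host']}:{r['port']} {r['message']}")
    print(summarize(results))
```

Run as-is, the audit reports nothing for the forward that ends on the DMZ proxy and nothing for the source-restricted RDP rule, while every forward that terminates on `mail01` is flagged twice (domain controller, collapsed roles). That is the shape of the trade-off in the question: the same HTTPS forward is clean or risky depending on what sits behind it, not on the port number.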