is this method safe?
Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: is this method safe?

  1. #1
    Senior Member
    Join Date
    Aug 2002
    Posts
    123

    Question is this method safe?

    Hello World, I have a couple of software vendors that would like to support our software remotely using PCAnywhere. They would like me to open a couple of custom ports and forward their connections to the servers. Is this safe? All feedback is appreciated!

  2. #2
    In And Above Man Black Cluster's Avatar
    Join Date
    Feb 2005
    Posts
    912
    In a nutshell, IF you TRUST the vendors then it is safe, IF you DON'T then its not ....
    \"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts\".....Spaf
    Everytime I learn a new thing, I discover how ignorant I am.- ... Black Cluster

  3. #3
    Senior Member
    Join Date
    Aug 2002
    Posts
    123
    Yes i trust the vendors. But is it safe to open up these ports on the firewall? I mean, can anybody do a port scan and try to pick at the ports?

  4. #4
    Senior Member kr5kernel's Avatar
    Join Date
    Mar 2004
    Posts
    347
    Sure. Setup rules if you can so that only trusted ips are allowed to access certain ports. Thats a start.
    kr5kernel
    (kr5kernel at hotmail dot com)
    Linux: Making Penguins Cool Since 1994.

  5. #5
    Senior Member
    Join Date
    Aug 2002
    Posts
    123
    is this usually a typical setup?


    Here is another example: Should the mail relay server be internal or in the dmz?

  6. #6
    Senior Member kr5kernel's Avatar
    Join Date
    Mar 2004
    Posts
    347
    Very typical. If you have specific people or services that you want to access, limiting public access is very essential.

    For the mail server, thats up to you, you could put it internal and only allow access to users also on the internel network, or you could port forward so that it is accessible on the internet as well. Lots of ways to do it.

    If you are going to make the relay available to the public, I woudl setup some sort of authentication on the mail server itself , so it still only allows certain users to relay messages. This can be done a number of ways depending on what mail server packagae you go with.
    kr5kernel
    (kr5kernel at hotmail dot com)
    Linux: Making Penguins Cool Since 1994.

  7. #7
    Senior Member
    Join Date
    Aug 2002
    Posts
    123
    thanks!!! all this information is great :0)

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    By relay I am assuming you mean the server that accepts the mail from the outside and relays it in to the trusted network.... That being the case:-

    What is the point of putting it in the trusted network to forward it to the trusted network. Put it in the DMZ and have it forward the mail from the DMZ in to the trusted. That way, if it is compromised it is in the DMZ rather than in the trusted network.

    As to PCAnywhere directly... I prefer to make them create a VPN tunnel then fire up their terminal program and connect through the tunnel. That way you are using a double authentication and it prevents an automated work that can exlploit the terminal apps server from direct access to it. If the VPN is vulnerable then the attacker can't be a worm, (well, it could but the tunnel should prevent unneeded traffic anyway), because it would have to know what the internal target is going to be.... Too difficult to predict so it won't be written.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  9. #9
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    Why do you need e-mail in the internal network at all? I dont see why users cant pop/imap/etc to a server in the DMZ, services on the internal network should establish a connection from the trusted to the DMZ, not vice versa. You should have as little or no connections (if possible, sometimes its a necessary to the business model) allowed to connect back into the internal net from the DMZ. What goes in the DMZ can stay in the DMZ. As for PCAnywhere, I believe it is a fairly secure app (these days) and as someone mentioned, if you only allow connections from specifc addresses it should be fine, but as a matter of good practice I would not leave these open all the time, as in the case with the DMZ, you should not maintain routes that allow incoming connections from the outside world into to your trusted network. Open them when you need them, close them when you are done.

    -Maestr0
    \"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software.\" -Jaron Lanier

  10. #10
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Originally posted here by Maestr0
    Why do you need e-mail in the internal network at all? I dont see why users cant pop/imap/etc to a server in the DMZ, services on the internal network should establish a connection from the trusted to the DMZ, not vice versa. You should have as little or no connections (if possible, sometimes its a necessary to the business model) allowed to connect back into the internal net from the DMZ. What goes in the DMZ can stay in the DMZ. As for PCAnywhere, I believe it is a fairly secure app (these days) and as someone mentioned, if you only allow connections from specifc addresses it should be fine, but as a matter of good practice I would not leave these open all the time, as in the case with the DMZ, you should not maintain routes that allow incoming connections from the outside world into to your trusted network. Open them when you need them, close them when you are done.

    -Maestr0
    Typical reasons on that could be that the internal e-mail server is an exchange server, which requires nasty msrcp/dce connections hard to firewall, that you don't want users sending potentially cleartext passwords in the dmz, that if the mail server/relay in the dmz, you don't want the attacker to be able to capture the users passwords...


    Ammo
    Credit travels up, blame travels down -- The Boss

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •