I will make some assumptions.
1) You have allowed the port forwarding through the firewall (therefore no inspection into the traffic to truly determine if it is what it purports to be).

2) If I can compromise the box in the DMZ, then I can use this to push into the internal network based on the trust you have established via port forwarding. (Evil hat on: set up a Netcat shell or Cryptcat shell to do the same thing, and then sell the bandwidth and access to your compromised DMZ box to participate in global botnet fun, serve up malware, etc. etc. Ok, evil hat off.)

3) Leverage this trust on port forwarding to explore your internal network, or to compromise your internal network and have another system to leapfrog to other systems and establish a foothold; after this it's game over... (I just use your outbound bandwidth with multiple compromised boxes to attack other networks, etc. etc.)

I hope this opens the window to the dark side of thinking in hacker methodology :)

Z

Edward E. Ziots, CISSP, CISA, Security+, Network+
Security Engineer
Lifespan Organization
ezi...@lifespan.org
Work: 401-444-9081
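The pivot described in the reply above (compromise the Internet-exposed box, then use its network position to leapfrog) can be made concrete with a small reachability model. The model below is an added illustration, not code from either poster: it places the same management server either on the LAN (reached by a port forward) or in a DMZ, and computes which hosts an attacker who owns that server can go on to reach. The host names, zones, service ports, and the port number 8443 standing in for the thread's "port xxxx" are all assumptions.

```python
"""Blast-radius model: port-forwarded management server vs. DMZ placement.
Added illustration for the thread above; every host, zone and port is assumed."""
from collections import deque
from dataclasses import dataclass
from typing import Optional

MGMT_PORT = 8443  # assumed stand-in for the thread's "port xxxx"


@dataclass(frozen=True)
class Rule:
    """One firewall permit: traffic from src_zone to dst_zone on dport (None = any)."""
    src_zone: str
    dst_zone: str
    dport: Optional[int]


@dataclass(frozen=True)
class Host:
    name: str
    zone: str
    listening: frozenset  # ports with a service an attacker could target


def allowed(rules, src: Host, dst: Host, port: int) -> bool:
    """Traffic inside one segment never crosses the firewall; across zones a
    permit rule must match the destination zone and port."""
    if src.zone == dst.zone:
        return True
    return any(r.src_zone == src.zone and r.dst_zone == dst.zone
               and (r.dport is None or r.dport == port) for r in rules)


def blast_radius(rules, hosts, start: str) -> set[str]:
    """Pessimistic transitive closure: every service the attacker can connect
    to is treated as compromisable, and each newly owned host becomes a pivot
    (the leapfrogging the reply describes). Returns the set of owned hosts."""
    by_name = {h.name: h for h in hosts}
    owned = {start}
    queue = deque([start])
    while queue:
        src = by_name[queue.popleft()]
        for dst in hosts:
            if dst.name in owned:
                continue
            if any(allowed(rules, src, dst, p) for p in dst.listening):
                owned.add(dst.name)
                queue.append(dst.name)
    return owned


# Assumed internal estate; "mgmt" is the Internet-exposed management server.
LAN_HOSTS = [
    Host("dc01", "lan", frozenset({88, 389, 445})),
    Host("files01", "lan", frozenset({445})),
    Host("ws-acct", "lan", frozenset({445, 3389})),
]


def scenario_port_forward() -> set[str]:
    """Outer firewall forwards MGMT_PORT straight to a host on the LAN."""
    hosts = LAN_HOSTS + [Host("mgmt", "lan", frozenset({MGMT_PORT}))]
    rules = [Rule("internet", "lan", MGMT_PORT)]
    return blast_radius(rules, hosts, "mgmt")


def scenario_dmz() -> set[str]:
    """mgmt sits in a DMZ; the inner firewall permits nothing DMZ->LAN and
    only LAN->DMZ on the management port for the internal PCs."""
    hosts = LAN_HOSTS + [Host("mgmt", "dmz", frozenset({MGMT_PORT}))]
    rules = [Rule("internet", "dmz", MGMT_PORT), Rule("lan", "dmz", MGMT_PORT)]
    return blast_radius(rules, hosts, "mgmt")


def scenario_dmz_leaky() -> set[str]:
    """Same DMZ, but DMZ->LAN 445 was opened. One reachable service on the
    domain controller is enough to collapse the benefit of the DMZ."""
    hosts = LAN_HOSTS + [Host("mgmt", "dmz", frozenset({MGMT_PORT}))]
    rules = [Rule("internet", "dmz", MGMT_PORT), Rule("lan", "dmz", MGMT_PORT),
             Rule("dmz", "lan", 445)]
    return blast_radius(rules, hosts, "mgmt")


if __name__ == "__main__":
    for label, fn in [("port-forward", scenario_port_forward),
                      ("dmz", scenario_dmz),
                      ("dmz + 445 leak", scenario_dmz_leaky)]:
        print(f"{label:15s} attacker owns: {sorted(fn())}")
```

The model is deliberately pessimistic (any reachable service counts as compromisable) so it shows the upper bound of what the firewall rules permit, which is the property the question is really about: a port forward puts the exposed server inside the perimeter, so a compromise of it lands the attacker on the LAN segment with no further rule to pass; a DMZ placement contains that compromise only as long as the inner firewall permits nothing from the DMZ inward. The model says nothing about outbound abuse of the compromised box (the botnet and bandwidth point in the reply), which a DMZ limits only if egress from the DMZ is filtered as well.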
From: David Lum [mailto:david....@nwea.org]
Sent: Thursday, March 14, 2013 11:22 AM
To: NT System Admin Issues
Subject: Difference between port forwarding and DMZ

What's the risk difference between a server in a DMZ (firewalls on each end) and port forwarding from the Internet to a machine inside a network perimeter?

Scenario: I have PCs that use port xxxx to talk to a management server. I'm wondering if that server needs to be in the DMZ (with that port opened), or if forwarding that port through is functionally the same thing?

David Lum
Sr. Systems Engineer // NWEA
Office 503.548.5229 // Cell (voice/text) 503.267.9764

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin