Re: Danger to having Port 80 open on hardware firewall

From: Kevin Weilbacher [SBS-MVP] (kweilbacMVP_at_gte.net)
Date: 03/22/04


Date: Sun, 21 Mar 2004 21:40:03 -0500

I was simply replying to the issue of getting http://fqdn/remote to redirect
to https://fqdn/remote - and that in my case, as well as the original poster,
it doesn't just happen "by design" (out of the box). And, Yes, I am running
ISA.

-- 
Kevin Weilbacher [SBS-MVP]
"The days pass by so quickly now, the nights are seldom long"
"Tony Su" <anonymous@discussions.microsoft.com> wrote in message
news:1130501c40f7d$41708bc0$a101280a@phx.gbl...
> If you are particularly concerned about HTTP attacks over
> port 80, consider upgrading to ISA.
>
> URL redirections and Port Address Translation aren't going
> to do much to protect you against HTTP attacks and there
> are very few products out there which can do anything about it.
>
> ISA is one product which can, provided you configure
> properly. Instead of simply forwarding the original
> content and request, the original request is <terminated>
> at ISA and never touches the webserver. Mal-formed
> requests never go any further. Well-formed requests are
> <re-created> and passed to the webserver on behalf of the
> original User... but, as I've described even well-formed
> requests are never passed directly to the webserver.
>
> I describe this further in my "Web Publishing Companyweb"
> recommendation, click on the first link at
>
> www.su-networking.com/faq/
>
> Tony Su
>
>
>
>
>
> >-----Original Message-----
> >Thanks to both of you.  I will look into both options in the next day or so.
> >
> >John
> >
> >"Javier Gomez [SBS MVP]" <javier_gomez@remove.this.engineer.com> wrote in
> >message news:ee5JeQ1DEHA.2652@TK2MSFTNGP10.phx.gbl...
> >> If your ISP (or whomever is hosting your public DNS records) supports URL
> >> redirection... you could close port 80 and still keep the convenience of
> >> using http. I usually redirect http://webmail.domain.com to
> >> https://mail.domain.com/exchange and so on.
> >>
> >> -- 
> >> Javier [SBS MVP]
> >>
> >> << SBS ROCKS !!! >>
> >>
> >> "Steven Banks [SBS MVP]" <steve@newsonline.banksnw.com> wrote in message
> >> news:OdW2aXxDEHA.548@TK2MSFTNGP10.phx.gbl...
> >> > John,
> >> >
> >> > By design, when you type in http://fqdn/remote it should connect and
> >> > immediately switch to https://fqdn/remote.  Is this happening for you?  If
> >> > not, ensure port 443 is enabled as the SSL port for the default Website and
> >> > that you have your server's cert showing under the Directory Security
> >> > Properties of Remote.  If it is still not switching to SSL, then re-run the
> >> > CEICW.
> >> >
> >> > To answer your first question, If port 80 is really bugging you, you can
> >> > always take it out.  If your server is patched up to date and running
> >> > current AV software and is behind your firewall, your exposure on port 80 is
> >> > a low risk in my opinion.  If you don't patch and keep current AV software
> >> > running, then you'll be hit over port 25 from email based worm/virus attacks
> >> > long before port 80 becomes an issue most likely.
> >> >
> >> > Steve
> >> >
> >> > -- 
> >> > Banks Consulting Northwest
> >> > http://www.banksnw.com
> >> >
> >> >
> >> > "John" <jk@rt.com> wrote in message
> >> > news:OqCdyhwDEHA.2908@TK2MSFTNGP09.phx.gbl...
> >> > I am running SBS2003 standard with a dual NIC configuration and Linksys
> >> > firewall.  I do NOT have the root setup to publish a website.  I have found
> >> > that if I have port 80 forwarded to my WAN nic I am able to access RWW by
> >> > typing fqdn/remote  instead of https://fqdn/remote.  I have closed the port
> >> > for now but am curious if this is a bad idea just to gain some convenience.
> >> >
> >> > TIA
> >> >
> >> > John
> >> >
> >> >
> >> >
> >> >
> >>
> >>
> >
> >
> >.
> >
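
Editor's added example (not part of the thread, and not ISA Server's code): a small Python sketch of the terminate-and-re-create handling Tony Su describes above, in which a malformed request is rejected at the proxy and a well-formed one is rebuilt rather than forwarded. The backend name, header allow-list and sample request are assumptions made for illustration.

```python
# Added illustration of "terminate and re-create"; not ISA Server's own logic.
import re

ALLOWED_METHODS = {"GET", "HEAD", "POST"}
TOKEN = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")        # header-name token
TARGET = re.compile(r"/[A-Za-z0-9._~/%?&=+:@,;!$'()*-]*")  # origin-form target
FORWARDED = {"user-agent", "accept", "content-type", "content-length", "cookie"}
BACKEND_HOST = "sbs-internal.example"  # hypothetical internal web server


def terminate_and_recreate(raw: bytes):
    """Return a freshly built backend request, or None if the client's
    request is malformed and must go no further."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    parts = lines[0].split(" ")
    if not sep or len(parts) != 3:
        return None
    method, target, version = parts
    if method not in ALLOWED_METHODS or version not in ("HTTP/1.0", "HTTP/1.1"):
        return None
    if not TARGET.fullmatch(target) or ".." in target.split("?")[0].split("/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not TOKEN.fullmatch(name) or name.lower() in headers:
            return None  # folded line, missing colon, bad name or duplicate
        if any((ord(c) < 0x20 and c != "\t") or ord(c) == 0x7F for c in value):
            return None  # stray control characters, including bare CR or LF
        headers[name.lower()] = value.strip()
    declared = headers.get("content-length", "0")
    if "host" not in headers or "transfer-encoding" in headers:
        return None  # this sketch accepts only Content-Length framing
    if not declared.isdigit() or int(declared) != len(body):
        return None  # body length must match exactly what was declared
    # Nothing is copied through: the outbound request is assembled from the
    # validated fields, and only allow-listed headers are carried over.
    out = [f"{method} {target} HTTP/1.1", f"Host: {BACKEND_HOST}"]
    out += [f"{n.title()}: {headers[n]}" for n in sorted(headers.keys() & FORWARDED)]
    out.append("Connection: close")
    return ("\r\n".join(out) + "\r\n\r\n").encode("ascii") + body


# Constructed sample request; X-Debug is dropped because it is not allow-listed.
SAMPLE = b"GET /remote HTTP/1.1\r\nHost: fqdn\r\nUser-Agent: test\r\nX-Debug: 1\r\n\r\n"
if __name__ == "__main__":
    print(terminate_and_recreate(SAMPLE))
```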

