I have a few clarifications on scanning via an LB. I have read a few other threads in this community which say that scanning through an LB is not recommended and suggest placing the scanner in the same network or deploying a cloud agent.
However, considering a setup like this:
Amazon Hosting network -> Target Host (a web server running web application) -> LB -> Internet / Public access
I would like some clarification on the following:
- If the target host sitting behind the LB has some 20 ports open and the LB forwards only HTTPS traffic on port 443 to the target host, will the remaining 19 ports on the target host still be accessible via the LB to an external user? Can someone coming in from the internet connect to the target host on the 19 ports which are not open on the LB (or for which the LB doesn't forward traffic)?
- If we are assessing security vulnerabilities from an external attacker's point of view, will scanning via the LB not suffice? Since the other ports are not open on the LB, any requests to ports other than 443 will be dropped by the LB.
- If there is a missing patch for a vulnerability, and that vulnerability affects only the RDP service (port 3389), and considering the fact that the LB will forward only HTTPS (port 443) traffic to the target host and no traffic for any other port, do we still need to worry about that? (Let's exclude insider attacks for this discussion.)
Could someone clarify this?
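One way to check the first question empirically, as an added example that is not part of this thread or of any product mentioned in it: probe the same port list against the LB's public DNS name and against the backend host's own address (if the host has a public IP at all), then compare which path each port answered on. The host name, IP address and port list below are placeholders and are assumptions, not values from the question.

```python
"""Compare which TCP ports answer on a load balancer's public name versus
on the backend host's own address (if that host has a public IP at all).

Added example for the scenario in the question above; not code from the
thread. Host name, IP and port list below are placeholders (assumptions).
"""
import socket
from typing import Callable, Dict, Iterable

# Placeholders (assumed, not real): the LB's public DNS name and the backend
# instance's public IP. If the backend has no public IP, the second probe
# simply reports everything closed, which is the result you want to see.
LB_HOST = "my-alb-123456789.us-east-1.elb.amazonaws.com"
BACKEND_HOST = "203.0.113.10"
PORTS = [22, 80, 443, 3389, 8080]

Connector = Callable[[str, int], bool]


def tcp_connect(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a full TCP handshake completes, i.e. something is
    accepting connections on that port at that address."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unresolvable, unreachable
        return False


def probe(host: str, ports: Iterable[int],
          connect: Connector = tcp_connect) -> Dict[int, bool]:
    """Map each port to whether `host` accepted a TCP connection on it."""
    return {port: connect(host, port) for port in ports}


def compare_exposure(via_lb: Dict[int, bool],
                     direct: Dict[int, bool]) -> Dict[int, str]:
    """Classify each port by the path(s) on which it answered from outside.

    'lb-only'     : answers on the LB name but not on the backend address
                    (the LB has a listener there; whether the backend serves
                    that port itself is not visible from this probe).
    'direct-only' : answers on the backend address but not through the LB.
                    The LB's listener configuration does nothing about this
                    case: the host is reachable around the LB.
    'both'        : answers on both paths.
    'closed'      : neither path completed a handshake.
    """
    result: Dict[int, str] = {}
    for port in sorted(set(via_lb) | set(direct)):
        lb_open = via_lb.get(port, False)
        direct_open = direct.get(port, False)
        if lb_open and direct_open:
            result[port] = "both"
        elif lb_open:
            result[port] = "lb-only"
        elif direct_open:
            result[port] = "direct-only"
        else:
            result[port] = "closed"
    return result


def main() -> None:
    """Run both probes from an external vantage point and print the table."""
    via_lb = probe(LB_HOST, PORTS)
    direct = probe(BACKEND_HOST, PORTS)
    for port, status in compare_exposure(via_lb, direct).items():
        print(f"{port:>5}  {status}")


if __name__ == "__main__":
    main()
```

Run it from outside the hosting network, against targets you are authorised to test. A port that shows `closed` on the LB name while the LB has no listener for it is the expected result, and it says nothing about the backend: what matters for the RDP question is whether the backend's own address reports `direct-only` or `both` for 3389, which is governed by the instance's public IP and security group rather than by the LB. Port 443 showing `both` or `lb-only` means the application behind the LB is reachable and can be scanned through it; the remaining columns show what a scan through the LB alone cannot see.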