Danger of opening ports - Firewalls


  1. Danger of opening ports

    Hi all,

    I was wondering if someone could give me a bit of advice. We have a
    NAT firewall on our Internet connection. There are a couple of servers
    behind this that provide services to users from the Internet. These
    are connected to with HTTPS connections on ports 81 and 443.

    These ports are obviously open on the firewall.

    Is there any danger in opening up further ports? If I open up port 80,
    will I be at any more risk than having the other ports open? As long
    as the servers are patched and have AV will I be ok?

    Is there any greater risk involved in having port 80 open than any
    other port?

    Thanks,

    Gary.


  2. Re: Danger of opening ports

    "Gary" wrote:

    > Is there any danger in opening up further ports? If I open up port 80,
    > will I be at any more risk than having the other ports open? As long
    > as the servers are patched and have AV will I be ok?
    >
    > Is there any greater risk involved in having port 80 open than any
    > other port?


    Just opening a port or not doesn't determine the risk - the risk is
    determined by the service LISTENING on that port, and the machine it
    runs on.

    Juergen Nieveler
    --
    24Bit-colour?!? But it's only an organizer!!!!

  3. Re: Danger of opening ports

    On 13 Apr 2007, in the Usenet newsgroup comp.security.firewalls, in article
    <1176472542.298503.18410@o5g2000hsb.googlegroups.com>, Gary wrote:

    >There are a couple of servers behind this that provide services to
    >users from the Internet. These are connected to with HTTPS
    >connections on ports 81 and 443.
    >
    >These ports are obviously open on the firewall.


    Yes, but they don't lead TO the firewall, but to some other boxes
    behind the firewall.

    >Is there any danger in opening up further ports?


    "That depends". You are offering greater _opportunities_ for dangers,
    but the order of magnitude depends on the skill of the person who
    programs those servers - what is allowed, what is not - as well as
    the quality of the server software and any dependencies it may have.
    For example, if the extra port leads to a server that returns files
    from read-only media, you are at substantially less risk than if the
    request generates interactive data responses based on files that
    are located on another server that really shouldn't even have
    Internet access, or from a workstation run by a user who always
    clicks the OK button without reading anything.

    >If I open up port 80, will I be at any more risk than having the
    >other ports open?


    Above. If you are concerned about a "drive by attack", then it is much
    more likely that port 80 will be attacked than port 81 or 79 - merely
    because fewer people will be looking at random port numbers compared to
    those looking at ports where they can _expect_ to find a server.

    >As long as the servers are patched and have AV will I be ok?


    No. Most risk occurs because of totally incompetent programmers
    setting up servers and not having the first clue as to how to do so
    in a secure manner. Why do you need AV? Are you allowing outsiders
    to install or upload stuff on your server? Probably not the most
    secure method. Worried that the server may catch something from the
    crap on the programmer's system? Fire that idiot, and get someone less
    incompetent. There is no such thing as a "Mal-Ware Fairy" that sneaks
    up while you aren't watching, waves a magic wand, and installs bad
    stuff - that's done by the people you trust doing something stupid.

    >Is there any greater risk involved in having port 80 open than any
    >other port?


    Only because your average Internet luser expects every computer they
    can connect to to be running a web server. There are other ports
    that are exploited on servers not correctly configured.

    Old guy
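
An added example, not part of the original thread: both replies say the risk comes from the service listening behind a forwarded port, not from the port number, so this small audit cross-references a firewall's port forwards with one server's listening sockets. The `ss` output and the forward table are constructed sample data, and the function names are hypothetical.

```python
import re

# Constructed sample of `ss -H -tlnp` output from one internal server.
SS_OUTPUT = """\
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=812,fd=6))
LISTEN 0 511 0.0.0.0:81 0.0.0.0:* users:(("java",pid=1440,fd=52))
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=701,fd=5))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=640,fd=3))
"""

# Assumed NAT forwards on the firewall: external port -> internal port.
# 81 and 443 are the ports from the question; 80 is the one being considered.
FORWARDS = {443: 443, 81: 81, 80: 80}

LINE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)'
)

def is_loopback(addr):
    return addr.startswith("127.") or addr == "[::1]"

def parse_listeners(text):
    """Return {port: (bind_address, process_name, pid)} for each LISTEN line."""
    listeners = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            addr, port, proc, pid = m.groups()
            listeners[int(port)] = (addr, proc, int(pid))
    return listeners

def audit(forwards, listeners):
    """Describe, per forwarded port, which service actually answers on it."""
    report = {}
    for ext, internal in sorted(forwards.items()):
        hit = listeners.get(internal)
        if hit is None:
            report[ext] = "no listener behind this forward"
        elif is_loopback(hit[0]):
            report[ext] = f"{hit[1]} is bound to loopback; the forward cannot reach it"
        else:
            report[ext] = f"exposes {hit[1]} (pid {hit[2]}); review this service"
    return report

def lan_only(forwards, listeners):
    """Ports listening on the LAN that no forward leads to."""
    return sorted(p for p, (addr, _, _) in listeners.items()
                  if p not in forwards.values() and not is_loopback(addr))
```

Each "exposes" line names a service whose configuration and patch level decide the risk of that forward; a forward with no listener behind it exposes nothing until something starts listening there.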
