You're probably not going to get a whole lot of sympathy from the firewall 
crowd.  As described, your architecture is not going to fit into most 
people's security policies.

I can see why the guy is resisting opening 250 ports to inbound 
traffic.  The danger is that with that large a number it is really easy to 
misconfigure something and allow traffic into the protected network 
inadvertently.  From a theoretical standpoint, ports are just an 
abstraction that makes programming easier -- 250 open ports (properly 
configured) are no more of a risk than one open port.  You could use a 
tunnelling protocol to encapsulate those 250 ports into one.

Which gets us to my next point:  most people on this list would have an issue 
with even one open port exposed to the Internet.  With one port open 
directly to the Internet, a computer is effectively directly connected to 
the Internet.  Most security policies require that there be a firewall 
between their internal network and all computers directly connected to the 
Internet.

The way that most people run FTP through a firewall is to use an 
application proxy on the firewall.  This is an application that acts like 
an FTP server to the outside world, and communicates with your FTP server 
on the other side of the firewall.  The reason this can work is that FTP is 
a well-known protocol, so you can get an FTP proxy that is independent of 
your FTP server.  Security flaws in one product will not cause problems 
with the other.  Note that not everyone accepts this logic, as there have 
been successful attacks on hosts through proxy servers.  Many people 
require that hosts be isolated from internal networks by firewalls even 
when they are separated from the Internet by proxies.

The best solution is going to depend upon the details of your architecture, 
and how valuable the information you're trying to protect is.

>My company sells a client-server library automation application.  In order
>to operate the clients behind a firewall, we require that 1 inbound port
>plus one inbound port per client and 250 outbound ports (total) be opened at
>the firewall.  The 2 inbound ports are for the logon and control connections
>and the outbound ports are to allow for up to 250 concurrent connections to
>the server.
>
>Now, here's the rub.  We have a client who believes that the design is
>flawed.  In fact his response was why even have a firewall if you have to
>open that many ports?  He insists that it is impossible to open that many
>ports on his firewall and also that he cannot open a range of ports, only
>individual ones.  I am no firewall expert, but this doesn't sound right to
>me.  If he wants to allow ftp, he has to open all outbound ports above 1024,
>right?  I would assume that other client-server applications also require
>opening ports - you can't communicate without them.  Am I missing something
>here?  Any enlightenment (or ammunition) would be greatly appreciated.
>Thanks.


-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
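The reply above suggests encapsulating the 250 per-client ports into a single tunnelled port. The following is an added example, not code from the post or from the library vendor's product: a minimal framing layer that multiplexes many client channels over one TCP stream and a demultiplexer at the other end. The frame layout (16-bit channel id, 32-bit length, payload), the channel and size limits, and the sample client commands are all assumptions made for illustration. The demultiplexer also shows where the policy the firewall admin wanted ("which clients may connect") can be enforced at a single point instead of in 250 firewall rules.

```python
"""
Multiplex many application channels over a single TCP port.

Added example, not code from the mailing-list post. The frame layout
(channel id, length, payload), the limits and the sample traffic are
assumptions chosen for illustration.
"""
import struct

HEADER = struct.Struct("!HI")      # channel id (16 bit), payload length (32 bit)
MAX_CHANNEL = 250                  # the 250 concurrent client connections from the thread
MAX_PAYLOAD = 64 * 1024            # refuse oversized frames so one peer cannot exhaust memory


def encode_frame(channel: int, payload: bytes) -> bytes:
    """Wrap one chunk of a per-client stream in a frame for the shared tunnel."""
    if not 1 <= channel <= MAX_CHANNEL:
        raise ValueError(f"channel {channel} outside 1..{MAX_CHANNEL}")
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too large for one frame")
    return HEADER.pack(channel, len(payload)) + payload


class Demultiplexer:
    """Reassemble frames arriving on the single tunnel socket and route them per channel.

    feed() accepts data in whatever chunk sizes TCP delivers it, so one frame may be
    split across several calls or several frames may arrive in one call.
    """

    def __init__(self, allowed_channels=range(1, MAX_CHANNEL + 1)):
        self.allowed = set(allowed_channels)   # single place to enforce "which clients"
        self.buf = bytearray()
        self.streams = {}                      # channel id -> bytes received so far
        self.rejected = []                     # (channel, reason) for frames dropped by policy

    def feed(self, data: bytes) -> list:
        """Consume tunnel bytes; return the (channel, payload) frames completed by them."""
        self.buf += data
        delivered = []
        while len(self.buf) >= HEADER.size:
            channel, length = HEADER.unpack_from(self.buf, 0)
            if length > MAX_PAYLOAD:
                # Otherwise a bogus length field would make us buffer forever.
                raise ValueError("frame length exceeds limit; tunnel peer is misbehaving")
            if len(self.buf) < HEADER.size + length:
                break                          # wait for the rest of this frame
            payload = bytes(self.buf[HEADER.size:HEADER.size + length])
            del self.buf[:HEADER.size + length]
            if channel not in self.allowed:
                self.rejected.append((channel, "channel not permitted"))
                continue
            self.streams[channel] = self.streams.get(channel, b"") + payload
            delivered.append((channel, payload))
        return delivered


def demo() -> dict:
    """Send three client streams through one tunnel, delivering bytes in odd-sized chunks."""
    # Constructed sample traffic: what three library clients might send to the server.
    frames = (
        encode_frame(1, b"LOGON alice\r\n")
        + encode_frame(2, b"SEARCH title=Dune\r\n")
        + encode_frame(1, b"CHECKOUT 12345\r\n")
        + encode_frame(3, b"HOLD 67890\r\n")
    )
    demux = Demultiplexer(allowed_channels={1, 2})   # policy: only channels 1 and 2 are open
    for i in range(0, len(frames), 7):               # simulate TCP segmenting the stream
        demux.feed(frames[i:i + 7])
    return {"streams": demux.streams, "rejected": demux.rejected}


if __name__ == "__main__":
    print(demo())
```

The framing carries no confidentiality or integrity protection of its own; in practice the single tunnel port would be an SSH or TLS connection with this kind of multiplexing inside it, which is what makes "one port" acceptable to a firewall policy that "250 ports" is not.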
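The reply also describes running FTP through an application proxy that speaks the well-known protocol independently of the real server. The following is an added example, not from the post or from any proxy product: the command filter such a proxy applies to each control-connection line before forwarding it. The verbs come from RFC 959; which verbs to allow, and the checks on PORT (the data address must be the client's own address and an unprivileged port, which blocks the classic FTP bounce), are policy choices assumed here. The sample commands are constructed.

```python
"""
Command filter for an application-layer FTP proxy.

Added example, not from the mailing-list post or any proxy product. Verbs are
RFC 959 commands; the allowlist and the PORT checks are assumed policy.
"""
import ipaddress
import re

# Read-mostly policy: STOR, DELE, SITE and friends are deliberately absent.
ALLOWED_VERBS = {"USER", "PASS", "QUIT", "PWD", "CWD", "TYPE", "PASV", "PORT",
                 "LIST", "NLST", "RETR", "NOOP", "SYST"}

_PORT_ARG = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port_arg(arg: str):
    """Decode an RFC 959 PORT argument h1,h2,h3,h4,p1,p2 into (ip, port); None if malformed."""
    m = _PORT_ARG.match(arg)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return str(ip), nums[4] * 256 + nums[5]


def check_command(line: bytes, client_ip: str):
    """Return (ok, reason, normalized_line). Only ok lines are forwarded to the real server."""
    # Each command is one CRLF-terminated line. An embedded CR or LF would let a client
    # smuggle a second command past a proxy that checks one line at a time.
    if not line.endswith(b"\r\n") or b"\r" in line[:-2] or b"\n" in line[:-2]:
        return False, "bad line termination", None
    try:
        text = line[:-2].decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII in command", None
    verb, _, arg = text.partition(" ")
    verb = verb.upper()
    if verb not in ALLOWED_VERBS:
        return False, f"verb {verb} not permitted", None
    if verb == "PORT":
        parsed = parse_port_arg(arg)
        if parsed is None:
            return False, "malformed PORT argument", None
        ip, port = parsed
        # FTP bounce: the server would open a data connection to whatever address
        # the client names, so insist it is the client itself on an unprivileged port.
        if ip != client_ip:
            return False, "PORT address does not match client", None
        if port < 1024:
            return False, "PORT to privileged port", None
    normalized = (verb + (" " + arg if arg else "")).encode("ascii") + b"\r\n"
    return True, "", normalized


def demo() -> list:
    """Run a constructed client session through the filter; returns (line, ok, reason)."""
    client_ip = "10.0.0.5"
    session = [
        b"USER alice\r\n",
        b"PASS hunter2\r\n",
        b"PORT 10,0,0,5,4,1\r\n",          # 10.0.0.5:1025, the client itself: fine
        b"PORT 192,168,1,1,0,25\r\n",      # bounce attempt at 192.168.1.1:25: blocked
        b"STOR payload.bin\r\n",           # upload not in the read-mostly policy
        b"RETR a\rSTOR b\r\n",             # smuggled second command
        b"QUIT\r\n",
    ]
    return [(line, ok, reason) for line in session
            for ok, reason, _ in [check_command(line, client_ip)]]


if __name__ == "__main__":
    for line, ok, reason in demo():
        print("FORWARD" if ok else "DROP   ", line, reason)
```

The value of the separate proxy, as the post argues, is exactly that this code knows nothing about the real FTP server's implementation: a bug in the server cannot be reached by a command the proxy refuses to forward, and a bug in the proxy does not sit on the same host as the files.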