Warning - the following is tainted by opinion and bias.

It's not only the port that has to be opened but also what is on the other
side listening at that port.  IMNSHO there should be no port open unless
you have a "hardened", "trusted" proxy listening and responding at that
port.  Exceptions to this hard rule should be made only under duress and
threat of physical or financial damage, and even then you should require
official recognition of the increased risks presented by opening the port.
Your security policy (and mileage) may vary.

Response to second question - please see first paragraph.  The assigned
port numbers are assigned so that the owners have some assurance that the
application they are writing to use that port will be able to have that
port free on other systems and networks.  That is all - there is nothing
magic which prevents you from using "port 740 NETscout Control Protocol" as
"port 740 obfuscated http" instead.

If you must open a port without a proxy behind it, at least set up your
rules so that traffic to that port is only "routed" to hosts which are
actively listening on that port _and_ have something controlled and "safe"
doing that listening.

Golden questions:

Does opening the port violate your security policy?  Our policy says ports
are only opened if they have a proxy behind them or if network security,
firewall administration, and business process owners agree.

Is there a business reason why you can't get along without this port?
Listening to .mp3, streaming the "Victoria's Secret" show, doing a "Network
Neighborhood" on the company next door, or running NetMeeting may not be
justified by a business need at your site - they aren't at mine.

Can you tell if someone is misusing the traffic through the port?  Around
here, this question prevents us from using ssh through our firewall gateway
- it can't be proxied and I can't tell what you are using it for, so it
doesn't happen.

Hope this helps.
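One way to express the "only route the port to hosts that have a controlled listener" rule from the reply above, as an added example that is not part of the original post. It uses nftables syntax and assumes a placeholder screened subnet where 192.0.2.10 is the single host running the vetted proxy for the service on tcp/740 (the port number comes from the thread; the addresses and prefixes are made up for illustration):

```nftables
# Added example, not from the original message. Hypothetical addresses:
# 192.0.2.10 is the only host permitted to receive tcp/740 because it is
# the one running the hardened, trusted listener for that service.
table inet fw {
    chain forward {
        # Default deny: a port is closed unless a rule below opens it.
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections the firewall already accepted.
        ct state established,related accept

        # New connections on tcp/740 may reach only the approved proxy host.
        # Logging the accepts answers the reply's third question: it gives a
        # record of who is using the port and how often.
        ip daddr 192.0.2.10 tcp dport 740 ct state new log prefix "fw-740-accept " accept

        # Anything else aimed at tcp/740 is logged and dropped; an unapproved
        # listener on another internal host then shows up in the firewall log
        # instead of silently receiving traffic.
        tcp dport 740 log prefix "fw-740-drop " drop
    }
}
```

The second tcp/740 rule is redundant with the chain's drop policy, but it is what makes the log distinguish "someone tried to use the port toward an unapproved host" from all the other traffic the default policy drops.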







"Brian J. Dyrehauge" <[EMAIL PROTECTED]> on 08/23/2000 07:26:34 AM

 To:      "Firewalls" <[EMAIL PROTECTED]>
 cc:
 Subject: Newbie - Golden questions

Hi there,

I'm unfortunately yet another of these newbies in the security field, but I
have a question.

If I was to ask some golden questions when someone asks if I can open a
port in the firewall, what would they be?
What would I ask myself, and what would I ask the other person interested
in opening the ports?

Another question: I know there are many well-known ports and that they're
described, but how can I ever figure out what e.g. port 740 NETscout Control
Protocol is being used for, and where might I be able to find out which
security risks there would be when opening such a port?

TIA,
Yours sincerely
Brian J. Dyrehauge
IT Security Consultant (And still a newbie)



-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]


