Anil,
Firstly, it is not true that there are "many" sites that use HTTP ports
other than port 80.
The two standard ports used by almost anyone who wishes anyone else to
browse to them, are either 80 for HTTP, or 439 for HTTPS/SSL for secure
connections.
It is in no big corporation's interest to have a different port access than
the standard if they want the rest of the world to be able to access their
web site. So you can tell your peers this.
There is no relevance to the fact that you are already preventing inbound
access. What has the one to do with the other?
As far as security goes, the less allowed out AND in, the better.
We too allow only HTTP or HTTPS on standard ports. Anyone needing anything
else had better have a good reason for it or they won't get it, and to be
honest, if a site uses a different port, I am already wary of why, unless
it's an Intranet site and then I know about it.
Your users will always be able to get feedback from someone who tells them
how silly it is to restrict access, for various reasons, but there is only
one consideration you should take into account, and that is your own site's
security. Remember that if you open all ports, you are also opening
yourself up for a multitude of trojans, back doors, napster, yahoo
messenger, icq, aol, aim and many many others.
It won't take long for a user to find this out if they are in any way
inquisitive, and then you're in for it.
So I'd say your answer of "for security reasons" is the right answer, you
just need to back your statements up more strongly, and prove to them how easy it
would be to hack your site if all the ports are open.
And finally in regard to your restricting inbound... if you open ports for
http other than 80, those same ports can be used to return on, and who said
http sites can't steal or leech information from you?
Mike
> -----Original Message-----
> From: Anil Bhelkar [SMTP:[EMAIL PROTECTED]]
> Sent: a eaie 17 2000 12:59
> To: FireWall-1 Mailing List (E-mail)
> Subject: [FW1] http ports for outbound traffic
>
>
> Hi everybody,
>
> i would like to have your views and comments on this. we have implemented
> FW-1 wherein the outbound http traffic is allowed on port 80 (standard).
> there are some users who wanted to browse a specific site implemented on a
> different port no. though i have opened the port on the FW-1 to enable them,
> there was a specific query as to why we are restricting outbound access on
> specific port only. "security reasons" was not sufficient for the
> explanation.
>
> the counter argument was that u are anyway preventing all inbound access,
> then why restrict outbound on a specific port. the vulnerabilities are same
> as if when the port 80 is open.
>
> request your views on this and what is the normal way of implementing. is it
> specific ports open or all open. users had feedback from outside that it is
> ridiculous on FW implementation to restrict http on specific port. as per
> them there are worldwide so many sites on different ports for public
> viewing.
>
> your expert opinions sought for.
> regards
>
> anil bhelkar
> [EMAIL PROTECTED]
>
> This communication is for the exclusive use of the intended recipient/s
> and shall not attach any liability on the originator. It may contain
> information which is confidential and legally privileged and the same shall
> not be used or dealt with by any third party in whatsoever manner.
>
>
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================