> On one single server you either allow access to a port or you
> don't. If you don't then don't have a service running at that
> port. If you do then the weak point is the application that
> serves this port and a firewall doesn't help.

Getting people to understand that is just...amazingly difficult.  I work
for a software company that produces server software that must
communicate over two ports at a time, and often through a dynamically
assigned range of ports.  Yet it amazes me how many people will angrily
demand to know why more than one port must be opened on their firewall
to that server's IP, since opening a port on the firewall is a security
risk.  People, it's not the fact that a port is open that opens you up
to attack, but the SOFTWARE that RESPONDS on that port.  If you already
have that software responding on one or two ports, then why kick and
scream when you realize you're going to have to open a range of ports TO
THE SAME SOFTWARE?  Nothing has changed in your security policy.  That
software can communicate through the firewall.  Whether through one port
or one hundred ports, it's only that software that'll be responding on
those ports.  You are not any more or less secure opening port #100 than
you were at port #1.

It's amazing how people--talented, intelligent, experienced people--can
have such a tremendous mental block on this issue.

--
Eric (the Deacon remix)

_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please visit:
http://list.valvesoftware.com/mailman/listinfo/hlds_linux
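The post's argument, that the firewall's attack surface is the set of programs answering on the allowed ports rather than the number of ports, can be checked mechanically. The following is an added example, not code from the post or from any list member; the listener table, program names and port numbers are constructed for illustration and do not come from any real host.

```python
"""Added example: model which programs a firewall rule set actually exposes.

The exposed surface is the set of programs that answer on allowed ports.
Allowing more ports to a program that is already reachable does not add a
program; allowing a port served by a different program does.
"""
from collections import defaultdict

# Constructed listener table in the spirit of an `ss -lntp` listing:
# (local port, owning program). Sample data only, not real output.
LISTENERS = [
    (22, "sshd"),
    (5000, "server_app"),   # the multi-port server from the post, hypothetical name
    (5001, "server_app"),
    (5002, "server_app"),
    (5003, "server_app"),
    (3306, "db_server"),    # an unrelated service, hypothetical name
]


def exposed_programs(listeners, allowed_ports):
    """Map each allowed port to the program that responds on it.

    Returns {program: sorted list of reachable ports}. An allowed port with
    no listener is dropped: nothing answers there, so nothing is exposed.
    """
    by_port = dict(listeners)
    exposed = defaultdict(set)
    for port in allowed_ports:
        program = by_port.get(port)
        if program is not None:
            exposed[program].add(port)
    return {program: sorted(ports) for program, ports in exposed.items()}


def newly_exposed(listeners, before, after):
    """Programs reachable under rule set `after` that were not under `before`.

    An empty result means the rule change widened no attack surface: every
    newly allowed port is served by software that was already reachable
    (or by nothing at all).
    """
    old = set(exposed_programs(listeners, before))
    new = set(exposed_programs(listeners, after))
    return new - old


if __name__ == "__main__":
    # Opening the server's whole port range exposes no additional program.
    print(newly_exposed(LISTENERS, {5000}, set(range(5000, 5010))))   # set()
    # Opening a port served by a different program does.
    print(newly_exposed(LISTENERS, {5000}, {5000, 3306}))            # {'db_server'}
```

The useful check for a change request is `newly_exposed`: if it returns an empty set, the new rule reaches only software that was already answering through the firewall, which is exactly the situation the post describes. A non-empty set is the case that deserves the scrutiny.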