> The security team at my company is coming under increasing pressure to
> start opening all sorts of outgoing port numbers every time a project
> manager decides to use a piece of software that needs internet access.
> This is becoming a real problem for us, and I would imagine it is for many
> people?
> 
I imagine so..

> We need to gather some 'ammunition' to back up our case for insisting
> software uses internet standards (i.e. html or java and uses port 80 etc)
> rather than being written in something like Cobra (port 15000 - 150015)
> and Netstore (16384)
> 
Actually, you should be glad they don't use port 80 or other 'standard'
ports. The considerable motion to 'tunnel everything over HTTP' ((c) Paul D.
Robertson ;-)) is generally viewed as not being welcome in security circles.
Come to think of it, there was a thread about the very topic of 'new
protocols and firewalls' on this list a couple of months ago..

> Sort of questions we get is: 
> "We let browsing happen on port 80, why not other applications on other
> ports?"
> 
A valid question, really. Your problem is actually that you are being
consulted too late in the game. You as the security people should be in the
project from the start and advise on ways to perform whatever business tasks
there are in a secure manner. As it is, I'd rather open up one port than
have people flinging everything at port 80 and me not knowing what is
traversing the borders.. Of course, many people here prefer to use
application-specific proxies where they can and that would force the
'uncooperative developers' to use HTTP instead of their own protocol.
Thinking about that a second, though, that's probably the way quite a few
will work anyhow, since libraries with HTTP communication are already
available to them..

> "What's so bad about using just any old port, surely they are all the
> same" 
> 
Which is perfectly true.

Regards,
Tobias

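As an added illustration of the point made in the reply above (that opening one named port is at least visible, whereas "everything over port 80" hides what crosses the border), here is a small Python script that is not part of the original message or the list archive. It compares a port-only egress decision with one that also checks that traffic on port 80 is syntactically HTTP. The hosts, payloads and the port numbers 15000-15015 and 16384 are constructed for the example (the upper bound 15015 for the Cobra range is an assumption taken from the quoted text); port 443 and the vendor ports are marked opaque because nothing here inspects them, which is the gap an application-specific proxy would close.

```python
"""Port-only versus protocol-aware egress policy on a handful of flows.

All flows, hosts and payloads below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ports the firewall team has been asked to open: web, plus the two vendor
# applications named in the thread (Cobra 15000-15015, Netstore 16384).
# The 15015 upper bound is an assumption.
ALLOWED_PORTS = {80, 443} | set(range(15000, 15016)) | {16384}

# Ports on which this script can actually validate the protocol in use.
# 443 is deliberately absent: without TLS termination it is just as opaque
# as a vendor port.
HTTP_PORTS = {80}

# HTTP/1.x request line: METHOD SP request-target SP HTTP/1.x CRLF
_REQUEST_LINE = re.compile(rb"^([A-Z]{3,7}) (\S+) HTTP/1\.[01]\r\n")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    first_bytes: bytes  # first client-to-server bytes of the connection


def http_method(first_bytes: bytes) -> Optional[str]:
    """Return the HTTP method if the bytes open with a valid request line."""
    m = _REQUEST_LINE.match(first_bytes)
    return m.group(1).decode("ascii") if m else None


def port_only_verdict(flow: Flow) -> str:
    """What a plain port-based rule set decides: it never looks at content."""
    return "allow" if flow.dport in ALLOWED_PORTS else "deny-port"


def protocol_aware_verdict(flow: Flow) -> str:
    """Same port list, but port 80 must carry HTTP and may not be a CONNECT tunnel."""
    if flow.dport not in ALLOWED_PORTS:
        return "deny-port"
    if flow.dport in HTTP_PORTS:
        method = http_method(flow.first_bytes)
        if method is None:
            return "deny-not-http"  # some other protocol tunnelled over 80
        if method == "CONNECT":
            return "deny-connect"   # HTTP used purely as a raw TCP tunnel
        return "allow-http"
    # Opened on request; we know the port, not the protocol behind it.
    return "allow-opaque"


def audit(flows: List[Flow]) -> List[Tuple[int, str, str]]:
    """(dport, port-only verdict, protocol-aware verdict) for each flow."""
    return [(f.dport, port_only_verdict(f), protocol_aware_verdict(f)) for f in flows]


# Constructed sample flows (addresses from the documentation ranges).
FLOWS = [
    Flow("10.0.1.5", "203.0.113.10", 80,
         b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Flow("10.0.1.7", "203.0.113.20", 80, b"SSH-2.0-OpenSSH_9.6\r\n"),
    Flow("10.0.1.9", "203.0.113.30", 80,
         b"CONNECT 203.0.113.30:22 HTTP/1.1\r\nHost: 203.0.113.30:22\r\n\r\n"),
    Flow("10.0.2.3", "198.51.100.5", 15003, b"\x00\x2a\x01COBRA"),
    Flow("10.0.2.4", "198.51.100.6", 16384, b"NSTR\x00\x01"),
    Flow("10.0.3.1", "198.51.100.9", 6667, b"NICK bot\r\n"),
]

if __name__ == "__main__":
    for dport, by_port, by_proto in audit(FLOWS):
        print(f"dport={dport:<6} port-only={by_port:<10} protocol-aware={by_proto}")
```

Run it and the two "allow" verdicts the port-only policy hands to the SSH banner and the CONNECT request on port 80 are exactly the traffic the reply says it would rather not have hidden behind "we allow browsing"; the vendor ports come out as allow-opaque, which is the honest label for a port you opened without being able to see inside it.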