Most debates center around the ports usually assuming that a certain
protocol or service is using that port. It seems that the security policy
should dictate the allowed protocols as well as which port. The protocols
are of more importance than the ports. When you block or permit a certain
port, you are usually thinking of the protocol that you are trying to deny,
right? Are you safer having 10 different ports open with 10 different
protocols or have 10 protocols tunneled over one port? Most of the work
(design and setup) on firewalls seems to be centered around packet filtering
based on ports. Is this going to start changing as more and more protocols
are tunneled? Are protocol proxies going to start becoming more widely
used? Or are they used a lot more than my impressions lead me to believe?
Just thinking out loud,
Mike
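To make the "10 protocols over one port" point concrete, here is an added example (not from the thread or any product named in it) that contrasts a port-only filter with a protocol-aware one. It fingerprints the first client bytes of a flow, then evaluates two constructed policies over a handful of constructed flows; the protocol signatures (HTTP request line, SSH banner, TLS record header, GIOP magic) are well-known public formats, and the sample payloads and port numbers are made up for the demonstration.

```python
"""Port-only vs protocol-aware filtering: a small policy comparison.

Added illustration, not code from the mailing-list thread. Flows and
policies below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    dst_port: int
    payload: bytes  # first bytes the client sends after the TCP handshake


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ",
                b"DELETE ", b"OPTIONS ", b"CONNECT ")


def identify_protocol(payload: bytes) -> str:
    """Best-effort application-protocol fingerprint from the first client bytes.

    Returns one of "http", "ssh", "tls", "giop" or "unknown".
    """
    if payload.startswith(b"SSH-"):
        return "ssh"  # SSH version exchange banner
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"  # TLS handshake record, version 3.x
    if payload.startswith(HTTP_METHODS):
        # Require a full request line ending in HTTP/1.x before a CRLF so a
        # payload that merely starts with "GET " is not mistaken for HTTP.
        line, sep, _ = payload.partition(b"\r\n")
        if sep and line.endswith((b"HTTP/1.0", b"HTTP/1.1")):
            return "http"
    if payload.startswith(b"GIOP"):
        return "giop"  # CORBA GIOP/IIOP messages begin with this magic
    return "unknown"


def port_only_policy(flow: Flow, allowed_ports: Set[int]) -> str:
    """Classic packet-filter decision: destination port is all that matters."""
    return "permit" if flow.dst_port in allowed_ports else "deny"


def protocol_aware_policy(flow: Flow, allowed: Dict[int, Set[str]]) -> str:
    """Proxy-style decision: the port must carry one of the protocols it is
    registered for, so a tunnelled protocol on an open port is refused."""
    proto = identify_protocol(flow.payload)
    return "permit" if proto in allowed.get(flow.dst_port, set()) else "deny"


# Constructed sample flows (hypothetical client first-bytes).
SAMPLE_FLOWS: List[Flow] = [
    Flow(80, b"GET / HTTP/1.1\r\nHost: intranet.example.test\r\n\r\n"),
    Flow(80, b"SSH-2.0-ExampleClient_1.0\r\n"),          # SSH tunnelled on 80
    Flow(443, b"\x16\x03\x01\x00\x40\x01\x00\x00\x3c"),   # TLS ClientHello start
    Flow(16384, b"GET /status HTTP/1.1\r\n\r\n"),         # HTTP on a custom port
]

# Constructed policies: the port-only rule opens 80 and 443; the
# protocol-aware rule opens the same ports but names what may run on them.
PORT_ONLY_ALLOWED: Set[int] = {80, 443}
PROTOCOL_ALLOWED: Dict[int, Set[str]] = {80: {"http"}, 443: {"tls"}}


def compare_policies(flows: List[Flow] = SAMPLE_FLOWS) -> List[Tuple[int, str, str, str]]:
    """Return (port, protocol, port_only_decision, protocol_aware_decision)."""
    return [
        (
            f.dst_port,
            identify_protocol(f.payload),
            port_only_policy(f, PORT_ONLY_ALLOWED),
            protocol_aware_policy(f, PROTOCOL_ALLOWED),
        )
        for f in flows
    ]


if __name__ == "__main__":
    print(f"{'port':>6} {'proto':<8} {'port-only':<10} {'proto-aware':<12}")
    for port, proto, by_port, by_proto in compare_policies():
        print(f"{port:>6} {proto:<8} {by_port:<10} {by_proto:<12}")
```

The second row is the interesting one: an SSH session aimed at port 80 is permitted by the port-only rule and denied by the protocol-aware rule, which is the difference between "port 80 is open" and "HTTP is allowed". The fingerprinting here looks only at a flow's first bytes; a real application proxy keeps parsing for the life of the connection, which is what makes it stricter than any port list.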
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Reckhard, Tobias
Sent: Thursday, February 01, 2001 5:06 AM
To: 'Darrin Johansen'; '[EMAIL PROTECTED]'
Subject: RE: opening outgoing ports - standards?
> The security team at my company is coming under increasing pressure to
> start opening all sorts of outgoing port numbers every time a project
> manager decides to use a piece of software that needs internet access.
> This is becoming a real problem for us, and I would imagine it is for many
> people?
>
I imagine so..
> We need to gather some 'ammunition' to back up our case for insisting
> software uses internet standards (i.e. html or java and uses port 80 etc)
> rather than being written in something like Cobra (port 15000 - 150015)
> and Netstore (16384)
>
Actually, you should be glad they don't use port 80 or other 'standard'
ports. The considerable motion to 'tunnel everything over HTTP' ((c) Paul D.
Robertson ;-)) is generally viewed as not being welcome in security circles.
Come to think of it, there was a thread about the very topic of 'new
protocols and firewalls' on this list a couple of months ago..
> Sort of questions we get is:
> "We let browsing happen on port 80, why not other applications on other
> ports?"
>
A valid question, really. Your problem is actually that you are being
consulted too late in the game. You as the security people should be in the
project from the start and advise on ways to perform whatever business tasks
there are in a secure manner. As it is, I'd rather open up one port than
have people flinging everything at port 80 and me not knowing what is
traversing the borders.. Of course, many people here prefer to use
application-specific proxies where they can and that would force the
'uncooperative developers' to use HTTP instead of their own protocol.
Thinking about that a second, though, that's probably the way quite a few
will work anyhow, since libraries with HTTP communication are already
available to them..
> "What's so bad about using just any old port, surely they are all the
> same"
>
Which is perfectly true.
Regards,
Tobias
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]