RE: [fw-wiz] RE: In defense of non standard ports

Not to just 'Hear! Hear!' Jeff's response, but I just thought of this in regards to having multiple hosts 'using' a single Internet address:

The URL references :12345 but the firewall does a nice little translation and forwards it onto the appropriate inbound system to the correct :443.

I know the PIX is more than capable of performing such feats of TCP-ology.

Just $.02
Brandon

-----Original Message-----
From: firewall-wizards-admin@xxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-admin@xxxxxxxxxxxxxxxxxx]On Behalf Of Behm,
Jeffrey L.
Sent: Monday, January 23, 2006 9:25 AM
To: firewall-wizards@xxxxxxxxxxxxxxxxxx
Subject: [fw-wiz] RE: In defense of non standard ports


On Friday, January 20, 2006 8:02 PM, Hawkins, Michael so spake:
>
>Using non standard ports actually makes it easier to control
>and maintain a strong security policy.

For perhaps a few/limited number of instances...see below

>
>Let's face it, port 80 is now one of the most insecure holes
>that you punch through your firewall.

How does running the same traffic across another port automatically make
it more secure? Also, we don't just have it punched through...one must
go through a proxy, and they do not have
direct-through-the-firewall-port-80-access. Explaining the reasoning
behind that to most vendors is many times an exercise in futility.

>All those hard earned dollars needed to control content and you
>are never able to get completely on top of it.
>
>Along comes a real time trading application. Financial services
>company X wants to use financial services company Y's application.
>
>It's so much easier to have a registered port, a short list
>of host IP's A,B and C and a strong security policy document
>and X is now much happier opening up registered port to
>hosts A,B and C.

Again, why is traffic on port 12345 automatically more secure than going
across port 80? I'd argue that since we block *direct* port 80/443
access (you have to go through the proxy) that port 80/443 web traffic
is more secure than running on some other port that doesn't go through
the proxy. It also makes it more difficult to know how much actual web
traffic is going on, if it is now running across multiple (non-standard)
ports.

Additionally, if it's only one company connecting to one other company,
then running traffic on a different port could be manageable. But,
extrapolate that out to thousands of companies connecting to thousands
of companies and how do I effectively manage that? What if two (or
twenty, or two hundred) external companies that I want to connect to all
choose to run their web app across the same non-standard port? Then, I'm
right back to the port 80/443 scenario again. It's only a matter of
time...why not just use port 80/443, since it's all just web traffic
anyways...Aren't those the registered ports for web traffic?

>No content filtering needed. No megabucks involved. No content
>filtering overloading your http processes.

It's web traffic...I'm still content filtering it. Perhaps my OP wasn't
clear. I'm talking about developers moving *web* traffic off the
standard 80/443 ports.

>I am NOT defending shoddy developers that don't know a port
>from a dock.

A port? Someone going on a cruise? Sign me up...

>
>But ports are part of IP and I'm glad there are 65535 of 'em!
>
>Mike H

Hopefully, I've made my question of *web* traffic being moved off the
standard ports a bit more clear... I'm still interested to hear what
wording you use when you talk to vendors about why they chose to run web
traffic off these ports. Oh, yeah, and I'd like to hear what their
responses are, too.

Jeff

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
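Jeff's visibility point above (a port-only policy stops telling you how much web traffic you carry once apps move off 80/443) can be made concrete. This is an added illustration, not code from the thread: it classifies constructed flow records both by destination port and by the first client payload bytes (HTTP request line or TLS ClientHello), and reports the non-standard ports that carry web traffic past a proxy bound to 80/443. Port 12345 is borrowed from Brandon's note; all addresses and payloads are constructed.

```python
"""Port-based vs content-based accounting of web traffic. Added example, not
from the thread; the flow records below are constructed."""
from collections import Counter, namedtuple

WEB_PORTS = {80, 443}
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ", b"CONNECT ")

# src, dst, dport, and the first bytes the client sent (what a proxy/IDS sees)
Flow = namedtuple("Flow", "src dst dport payload")


def classify(payload: bytes) -> str:
    """Label a flow by what the client actually sent, ignoring the port."""
    if payload.startswith(HTTP_METHODS):
        return "http"
    # TLS record header: type 0x16 (handshake), major version 0x03, 2-byte
    # length, then handshake type 0x01 (ClientHello).
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    return "other"


def web_by_port(flows):
    """What a port-only policy counts as web traffic."""
    return [f for f in flows if f.dport in WEB_PORTS]


def web_by_content(flows):
    """What payload inspection shows is actually web traffic."""
    return [f for f in flows if classify(f.payload) != "other"]


def unproxied_web_ports(flows):
    """Non-standard ports carrying HTTP/TLS, i.e. web traffic that never hits a
    proxy bound to 80/443. Returns a Counter of port -> flow count."""
    return Counter(f.dport for f in web_by_content(flows) if f.dport not in WEB_PORTS)


# Constructed sample: ordinary web, a partner app on 12345 (the port in the
# thread), an HTTP app on 8080, SSH, and a custom binary protocol on 12345.
TLS_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "192.0.2.10", 80, b"GET / HTTP/1.1\r\nHost: www\r\n"),
    Flow("10.0.0.6", "192.0.2.10", 443, TLS_HELLO),
    Flow("10.0.0.7", "198.51.100.20", 12345, TLS_HELLO),
    Flow("10.0.0.8", "198.51.100.21", 8080, b"POST /trade HTTP/1.1\r\n"),
    Flow("10.0.0.9", "198.51.100.22", 22, b"SSH-2.0-OpenSSH_4.3\r\n"),
    Flow("10.0.0.9", "198.51.100.23", 12345, b"\x00\x01\x02\x03"),
]
```

On the sample, counting by port finds two web flows while payload inspection finds four; the two on 12345 and 8080 are exactly the ones a proxy on 80/443 would never see or filter.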
