[FW1] somewhat off topic-opening outgoing high ports



Hi,

The security team at my company is coming under increasing pressure to start opening all sorts of outgoing port numbers and protocols every time a project manager decides to use a piece of software that needs internet access. This is becoming a real problem for us, and I would imagine it is for many people? A lot of this software is client/server that has been 'adapted' for use over the internet, etc.

We need to gather some 'ammunition' to back up our case for insisting software uses internet standards (i.e. HTML or Java and uses port 80 etc.) rather than being written in something like Cobra (port 15000 - 150015) and Netstore (16384).

If anybody has any links or info, it would be gratefully received. Opinions obviously welcome, but please state the type of company or situation your firewalls are used in if possible, etc.

The sort of questions we get are: (all referring to outgoing ports; most are TCP, not all)
"We let browsing happen on port 80, why not other applications on other ports?"
"We use http on port 80, why not http on port 16384? Or indeed any protocol?"
"What's so bad about using just any old port, surely they are all the same?"
"What are the security concerns or implications then?"

Any help appreciated etc

Cheers, dj



 
----------------------------------

   All contents © 2004 Network Presence, LLC. All rights reserved.