
RE: [FW1] somewhat off topic-opening outgoing high ports



Think it's the same for the rest of us too.
 
My 0.2c worth are in-line.
 
regards
 
Tim

-----Original Message-----
From: Darrin Johansen [mailto:[email protected]]
Sent: 01 February 2001 11:33
To: [email protected]
Subject: [FW1] somewhat off topic-opening outgoing high ports 



Hi, 

The security team at my company is coming under increasing pressure to start
opening all sorts of outgoing port numbers and protocols every time a
project manager decides to use a piece of software that needs internet
access. This is becoming a real problem for us, and I would imagine it is
for many people? A lot of this software is client/server that has been
'adapted' for use over the internet, etc.

We need to gather some 'ammunition' to back up our case for insisting
software uses internet standards (i.e. HTML or Java and uses port 80 etc.)
rather than being written in something like CORBA (port 15000 - 150015) and
Netstore (16384)

If anybody has any links or info it would be gratefully received. Opinions
obviously welcome, but please state the type of company or situation your
firewalls are used in if possible etc

The sort of questions we get are: (all referring to outgoing ports, most are
tcp, not all)

 
"We let browsing happen on port 80, why not other applications on other
ports?"  

>>But you probably have a proxy server to ensure it's HTTP over 80 and an
>>anti-virus tool doing content scanning for anti-virus to ensure your
>>security

 
"We use http on port 80, why not http on port 16384? Or indeed any
protocol?"  

>>You can do this via the firewall - just need to duplicate the setup for
>>the special port, except two different products can't both talk on the
>>same port as there is only one listener active on any given port. This gets
>>fun when two conflicting sides of the business try to "own" a port number
>>:->


"What's so bad about using just any old port, surely they are all the same"


>>There are Internet standards to conform to - see the RFCs
>>Don't forget that standards are a good thing - this is why there are so
>>many of them :->

 
"What are the security concerns or implications then?"  

>>Any of a couple of thousand back-doors and trojans all waiting to see
>>what's protected by your firewalls and share this with your competition.

>>Lots of bandwidth-sucking protocols that use the same ports, Instant
>>Messenger, streaming video etc.

>>It may also be worth asking why these products need to use non-standard
ports in the first place.

Any help appreciated etc 

Cheers, dj 



************************************************************************
The information in this email is confidential and is intended solely
for the addressee(s).
Access to this email by anyone else is unauthorised. If you are not
an intended recipient, you must not read, use or disseminate the
information contained in the email.
Any views expressed in this message are those of the individual sender,
except where the sender specifically states them to be the views of
The Capital Markets Company.

http://www.capco.com
***********************************************************************
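The practical counterpart to the position argued in this thread is a default-deny outbound policy with an explicit egress allowlist, plus a review of what actually tries to leave. The script below is an added example and is not code from the original posts or from FireWall-1; it reads a constructed, generic outbound-connection log (not FW-1's own log syntax), classifies each flow as allowed, an approved per-project exception (the CORBA and Netstore ports from dj's message are treated as approved exceptions purely as an assumption for the example), or unexpected, and then lists which internal hosts are reaching ports outside policy. The allowlist contents, the exception names and all log lines are assumptions constructed for the example.

```python
"""Egress-policy review helper (added example, not part of the original thread).

Classifies outbound connections from a constructed firewall log against an
explicit egress allowlist, the way a default-deny outbound policy would, and
reports which source hosts are reaching non-standard destination ports.
"""
import re
from collections import Counter, defaultdict

# Assumed default egress allowlist (an organisational decision; values here
# are assumptions for the example).
ALLOWED_EGRESS = {
    ("tcp", 80),   # HTTP, expected to go via the web proxy
    ("tcp", 443),  # HTTPS, likewise via the proxy
    ("tcp", 25),   # SMTP, expected only from the mail relay
    ("udp", 53),   # DNS, expected only from the resolvers
}

# Approved per-project exceptions: name -> (proto, low port, high port).
# The ports are the ones dj's message mentions; treating them as approved
# exceptions is an assumption made for this example.
APPROVED_EXCEPTIONS = {
    "corba-gateway": ("tcp", 15000, 15015),
    "netstore":      ("tcp", 16384, 16384),
}

# Generic "ts src= dst= proto= dport=" record. Constructed format, not
# FireWall-1's log syntax.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>tcp|udp) dport=(?P<dport>\d+)$"
)

# Constructed sample log: two hosts using approved exceptions, one host
# fanning out to several odd high ports, and one malformed line.
SAMPLE_LOG = """\
2001-02-01T11:33:01 src=10.1.2.10 dst=192.0.2.10 proto=tcp dport=80
2001-02-01T11:33:02 src=10.1.2.10 dst=192.0.2.10 proto=tcp dport=443
2001-02-01T11:33:05 src=10.1.2.11 dst=198.51.100.7 proto=tcp dport=15003
2001-02-01T11:33:06 src=10.1.2.12 dst=198.51.100.9 proto=tcp dport=16384
2001-02-01T11:33:09 src=10.1.2.44 dst=203.0.113.5 proto=tcp dport=31337
2001-02-01T11:33:10 src=10.1.2.44 dst=203.0.113.5 proto=tcp dport=31338
2001-02-01T11:33:11 src=10.1.2.44 dst=203.0.113.6 proto=udp dport=27374
2001-02-01T11:33:12 src=10.1.2.13 dst=192.0.2.53 proto=udp dport=53
this line is not a log record
"""


def parse_log(text):
    """Yield (src, dst, proto, dport) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m["src"], m["dst"], m["proto"], int(m["dport"])


def classify(proto, dport):
    """Return 'allowed', 'exception:<name>' or 'unexpected' for one flow."""
    if (proto, dport) in ALLOWED_EGRESS:
        return "allowed"
    for name, (xproto, lo, hi) in APPROVED_EXCEPTIONS.items():
        if proto == xproto and lo <= dport <= hi:
            return f"exception:{name}"
    return "unexpected"


def review(text):
    """Summarise a log as (verdict_counts, unexpected_by_src).

    unexpected_by_src maps a source address to the sorted (proto, dport)
    pairs it tried to reach outside policy. A single host reaching several
    unrelated high ports is the kind of traffic a default-deny egress rule
    makes visible and a "just open it" policy hides.
    """
    verdicts = Counter()
    unexpected = defaultdict(set)
    for src, _dst, proto, dport in parse_log(text):
        verdict = classify(proto, dport)
        verdicts[verdict.split(":")[0]] += 1
        if verdict == "unexpected":
            unexpected[src].add((proto, dport))
    return dict(verdicts), {s: sorted(p) for s, p in unexpected.items()}


if __name__ == "__main__":
    counts, offenders = review(SAMPLE_LOG)
    print("verdicts:", counts)
    for src, ports in offenders.items():
        print(f"{src}: {len(ports)} unexpected destination port(s): {ports}")
```

The design point is that every non-standard port a project asks for becomes a named, bounded entry in APPROVED_EXCEPTIONS rather than a silent widening of the allowlist, so the review step can still tell approved business traffic apart from a host talking to arbitrary high ports.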
   All contents © 2004 Network Presence, LLC. All rights reserved.