Ports and Paranoia

by Scot Hacker

I run an intranet and a staging server on non-standard ports (8000 and 8080). This works great for our internal purposes, but every now and then a student will want to show a work-in-progress to an external organization. And every now and then, that organization turns out to be living behind one of those Stalinist corporate firewalls that blocks everything but port 80, which means they can't access the content, which means the student comes to me baffled, I explain the situation, and no one understands what I'm talking about. Somehow it always comes off as if I'm the one blocking the traffic. Ports are hard to explain to non-tech people. If I ask them to ask their sysadmins to back off a bit and open up traffic on these ports, I always get the same "we don't do that for security reasons."

Does it really make security sense for organizations to blindly block everything but port 80? The internet runs on ports. It's all about ports. There's got to be a more sensible way to accomplish your security goals than to slam the door in the face of other services. Are they being paranoid or am I expecting too much?

How have you dealt with this situation?

2003-04-16 14:04:22
There are reasons why they are called "Well Known Ports"
I am sorry, but I don't feel that companies are being stalinistic when they block ports going out from their networks, especially corp networks. I can also understand why you do what you do, but as you said, it is for staging and testing not for general consumption. If you want your website to be accessible, then use a well known port (i.e. 80). If you really need to set this up, you can always use a reverse proxy that listens on port 80 and just redirects to the web instance on the non-standard port.

The company I work for does have a process in place where if a web site is operating on a non-standard port and can be justified as being needed for work we can open them for our proxy server farm.

There are a million reasons why you block all ports and only allow certain ones, but as someone who claims to understand ports I don't think you realize what kind of problems/security issues that can cause. By blocking, companies stop their employees from using IMs (security reasons), playing network games (duh), Slammer-type viruses from getting out, setting up their own spam cannons and any number of other reasons.

Sorry if I sound harsh, but I am stalinistic when it comes to using standards in the type of work I do :p
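
The reverse-proxy suggestion above, worked through as an added example that is not the commenter's code: a small standard-library HTTP reverse proxy that listens on a well known port and forwards each request to a backend on a non-standard port. It proxies rather than HTTP-redirects, since a redirect would just send the client back to port 8000 and hit the same filter. Backend content, ports and the `X-Forwarded-*` headers are constructed for the demo; in production the proxy would bind port 80 (which needs privileges) and forward to port 8000.

```python
# Added example: minimal HTTP reverse proxy (forwarding, not redirecting) in the
# Python standard library. Not the commenter's code; ports and content are constructed.
import http.server
import socketserver
import threading
import urllib.error
import urllib.request

# Hop-by-hop headers belong to one connection leg only and must not be copied across.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailers", "transfer-encoding", "upgrade"}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Relay 3xx responses to the client instead of following them on its behalf."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


# Talk to the backend directly: no redirects, no environment-configured HTTP proxies.
_OPENER = urllib.request.build_opener(_NoRedirect, urllib.request.ProxyHandler({}))


class _Server(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


def make_proxy_handler(backend_host, backend_port):
    """Build a handler that forwards GET/HEAD to backend_host:backend_port."""

    class ProxyHandler(http.server.BaseHTTPRequestHandler):
        protocol_version = "HTTP/1.0"  # one request per connection keeps the example short

        def do_GET(self):
            self._forward()

        def do_HEAD(self):
            self._forward()

        def _forward(self):
            url = f"http://{backend_host}:{backend_port}{self.path}"
            headers = {k: v for k, v in self.headers.items()
                       if k.lower() not in HOP_BY_HOP and k.lower() != "host"}
            # Let the backend know who really asked, as reverse proxies conventionally do.
            headers["X-Forwarded-For"] = self.client_address[0]
            headers["X-Forwarded-Host"] = self.headers.get("Host", "")
            req = urllib.request.Request(url, headers=headers, method=self.command)
            try:
                with _OPENER.open(req, timeout=5) as resp:
                    self._relay(resp.status, resp.getheaders(), resp.read())
            except urllib.error.HTTPError as err:
                # Backend answered 3xx/4xx/5xx: pass status, headers and body through.
                self._relay(err.code, err.headers.items(), err.read())
            except (urllib.error.URLError, OSError):
                self.send_error(502, "backend unreachable")

        def _relay(self, status, resp_headers, body):
            self.send_response(status)
            for k, v in resp_headers:
                if k.lower() not in HOP_BY_HOP and k.lower() != "content-length":
                    self.send_header(k, v)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            if self.command != "HEAD":
                self.wfile.write(body)

        def log_message(self, *args):  # keep the demo quiet
            pass

    return ProxyHandler


class StagingHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the staging site that would normally sit on port 8000."""
    def do_GET(self):
        body = b"hello from staging"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def start_server(handler_cls, port=0):
    """Serve handler_cls on 127.0.0.1:port (0 = any free port) in a background thread."""
    server = _Server(("127.0.0.1", port), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def run_demo():
    """Start backend and proxy on free ports, fetch through the proxy, return (status, body)."""
    backend = start_server(StagingHandler)
    proxy = start_server(make_proxy_handler("127.0.0.1", backend.server_address[1]))
    try:
        url = f"http://127.0.0.1:{proxy.server_address[1]}/index.html"
        with _OPENER.open(url, timeout=5) as resp:
            return resp.status, resp.read()
    finally:
        for srv in (proxy, backend):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    print(run_demo())  # demo uses free high ports so it runs unprivileged
```

Only GET and HEAD are forwarded; adding POST means also relaying the request body and its Content-Length, which is the usual place small proxies go wrong.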

2003-04-16 14:08:24
Egress Filtering
The rationale for default deny when doing egress filtering is the same as that for ingress filtering; it makes it a lot harder to screw up and leave yourself with security holes.

That said, it's a lot less convenient, it's harder to justify, and it generates more resentment from your users. Having a fairly liberal approval process and a fast turnaround time helps.

One goal is to prevent internal users from circumventing the firewall by initiating connections to outside machines (i.e. the sendmail trojan, certain forms of SSH tunneling, VPNs).

Another goal is to prevent or discourage internal users from leaking sensitive information. Protocols that are known to be insecure (i.e. telnet, POP, IMAP, IM clients) are often blocked for this reason. I have always been skeptical of this line of thinking; it's a technical band-aid put on a user education problem.

You should also consider that a lot of companies, particularly banks and other financial institutions, have an extremely conservative culture and are subject to a lot of security and privacy regulations. There are CYA benefits in adopting a fascist approach to security, especially when the company has a dedicated security department. There are few incentives to make things easy for users and lots of incentives to avoid taking the blame for a security breach.

2003-04-16 14:13:00
you said it yourself
most non-tech people don't understand ports

In my experience a large number of tech people don't understand ports either.

I suspect you'll find that a fair number of firewalls are being administered by people that don't understand ports, and I would imagine a fair few would get nervous when Mr Hacker asks them to relax their firewall rules ;)

(sorry, couldn't resist)

2003-04-16 14:35:07
There are reasons why they are called "Well Known Ports"
"I am sorry, but I don't feel that companies are being stalinistic when they block ports going out from their networks, especially corp networks."

Ah - I would agree with you on ports going out from their networks. But the question here is about accessing those ports on other networks. I'm not asking them to run something on port 8000 - I'm asking them not to assume that external services on 8000 are dangerous. Why should a site on 8000 be more of a risk than a site on the standard 80?

But lots of good points there, thanks for your .02.

2003-04-17 05:11:45
ports and protocols
Usually the reason ports are restricted on egress is a desire to restrict protocols. Sometimes the people doing so don't realize that any tcp/udp protocol can run on any tcp/udp port. Sometimes they do. The ones who do usually are in organizations that can't afford application-level firewalls or whose management doesn't understand the need for them.
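
The two points made in the egress filtering comment above (default deny, with an approval process that records why each port is open) and in this one (a port says nothing about the protocol actually carried on it) can be shown together. The following is an added example, not any commenter's tooling: a small policy evaluator that checks outbound flows against a default-deny allow-list and, for ports it does allow, compares the first bytes the client sent with the protocol expected on that port. The allow-list, addresses, ticket reference and sample flows are all constructed.

```python
# Added example (not any commenter's tooling): default-deny egress allow-list with
# recorded justifications, plus a payload check that flags protocol/port mismatches.
import re

# (protocol, destination port) -> (permitted destinations, justification).
# Anything absent is denied. Addresses and the ticket reference are constructed.
EGRESS_ALLOW = {
    ("tcp", 80):   ("any", "web browsing"),
    ("tcp", 443):  ("any", "web browsing (TLS)"),
    ("udp", 53):   ({"10.0.0.2"}, "DNS, internal resolver only"),
    ("tcp", 8000): ({"203.0.113.10"}, "partner staging site, approval ticket TICKET-PLACEHOLDER"),
}

# Protocol expected on each allowed port. Any TCP/UDP protocol can run on any port,
# so the port number alone proves nothing about what is inside the connection.
EXPECTED_PROTOCOL = {80: "http", 443: "tls", 8000: "http"}

# How the first client bytes of a few common protocols look.
SIGNATURES = [
    ("http", re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    ("tls",  re.compile(rb"^\x16\x03[\x00-\x03]")),  # TLS record header: handshake, version 3.x
    ("ssh",  re.compile(rb"^SSH-2\.0-")),
    ("irc",  re.compile(rb"^(NICK|USER|PASS) ")),
]


def identify_protocol(payload):
    """Best-effort label for the protocol from the first client bytes; None if unknown."""
    for name, pattern in SIGNATURES:
        if pattern.match(payload):
            return name
    return None


def evaluate(flow):
    """Return (verdict, reason) for one outbound flow: 'allow', 'deny' or 'alert'."""
    key = (flow["proto"], flow["dport"])
    if key not in EGRESS_ALLOW:
        return "deny", f"{flow['dport']}/{flow['proto']} is not on the egress allow-list"
    destinations, justification = EGRESS_ALLOW[key]
    if destinations != "any" and flow["dst"] not in destinations:
        return "deny", f"{flow['dport']}/{flow['proto']} permitted only to {sorted(destinations)}"
    seen = identify_protocol(flow.get("payload", b""))
    expected = EXPECTED_PROTOCOL.get(flow["dport"])
    if expected and seen and seen != expected:
        return "alert", f"{seen} traffic on port {flow['dport']} (expected {expected}); possible tunnel"
    return "allow", justification


# Constructed flows, as a capture-summary tool might hand them over.
SAMPLE_FLOWS = [
    {"proto": "tcp", "dst": "198.51.100.5", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"},
    {"proto": "tcp", "dst": "203.0.113.10", "dport": 8000,
     "payload": b"GET /wip/ HTTP/1.0\r\n\r\n"},
    {"proto": "tcp", "dst": "203.0.113.10", "dport": 8080,
     "payload": b"GET /wip/ HTTP/1.0\r\n\r\n"},
    {"proto": "tcp", "dst": "198.51.100.5", "dport": 80,
     "payload": b"SSH-2.0-OpenSSH_3.5p1\r\n"},
    {"proto": "udp", "dst": "192.0.2.53", "dport": 53, "payload": b"\x12\x34\x01\x00"},
    {"proto": "tcp", "dst": "198.51.100.9", "dport": 6667, "payload": b"NICK someone\r\n"},
]


def audit(flows=SAMPLE_FLOWS):
    """Evaluate each flow; returns (verdict, reason) pairs in input order."""
    return [evaluate(f) for f in flows]


if __name__ == "__main__":
    for flow, (verdict, reason) in zip(SAMPLE_FLOWS, audit()):
        print(f"{verdict:5} {flow['dst']}:{flow['dport']}/{flow['proto']}  {reason}")
```

The second sample flow is the student's case: port 8000 to one named partner host is allowed because someone approved it and the reason is on record, which is what the "liberal approval process with fast turnaround" amounts to in practice. The fourth flow is why port-only filtering is weaker than it looks: an SSH banner on port 80 passes the port check and only the payload check catches it.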

2003-04-18 07:57:18
There are reasons why they are called "Well Known Ports"
You are right, port 8000 isn't any more/less dangerous than 80. But for the most part port 80 is the port that most web traffic is on.

I do abuse a few other ports that are opened for things like telnet/ssh/ftp so I can get to my home network so I do understand that blocking is pointless to some extent. For the most part, it will keep 99% of your user population under control.