opening outbound 443 port is safe?
on 16.03.2006 02:16:10 by hellur
Hello,
We are about to implement a new application, and one of the
requirements is opening outbound port 443 from the firewall. (no need
to open inbound)
And it uses SSL using that port.
My concern here is security.
Is it safe opening outbound 443 port?
For example, is there any possibility that unauthorized outsiders break
into my network through the open 443 port from this environment?
How would you rate the security of this environment?
What methods are available to break this security, and what could be my
plans to stop them?
Thanks.
Re: opening outbound 443 port is safe?
on 16.03.2006 02:43:39 by unknown
Post removed (X-No-Archive: yes)
Re: opening outbound 443 port is safe?
on 16.03.2006 04:38:29 by roberson
In article ,
Leythos wrote:
>In article <1142471770.581239.297040@p10g2000cwp.googlegroups.com>,
>hellur@gmail.com says...
>> We are about to implement a new application, and one of the
>> requirements is opening outbound port 443 from the firewall.
>> And it uses SSL using that port.
>> Is it safe opening outbound 443 port?
>If you create a 1-Way rule, allowing outbound 443, then nothing should
>be able to reach inbound.
It depends on which threats the OP is trying to contain.
As is the case for every other port, anything could be tunneled
over https. There was a posting a few weeks ago in which one of the
regular posters mentioned using the hack that port 443 on his
home network is connected to ssh, so that when the person is at a
hotel etc. that blocks most things but allows 443, the person is
able to ssh in to his network.
It also depends upon the firewall. When an inside user makes a
connection to an outside system, the better firewalls allow only
return traffic from that one remote IP and port back to the
one local IP and port [except for the firewall automatically
making adjustments to allow for other traffic, such as the
connections needed in response to an FTP PORT command.] Lesser
firewalls, though, sometimes allow -any- remote host and port to
connect that one local IP and port. Also, even with better firewalls,
in some configurations in which one-to-one IP mapping is being
used and ports are going through unmodified, that remote host may
be allowed to connect back to -any- port on the local IP.
The OP did not happen to mention which kind of firewall or which
software version, so we don't know as yet how restrictive the OP's
firewall usually is, nor whether the OP has happened to
configure one of the "drive a truck through" exemptions to
that firewall.
On the better firewalls, configured without any Doh!, opening port
443 outbound should be safe against random outside systems opening
new connections inward. But if the random intruder can get a
program activated on the inside (e.g., trojan carried on email;
via one of the HTML attacks; stupid user; user determined to
evade standard access policies), then the activated program can
potentially connect to arbitrary sites and provide an extensive
back-channel.
Re: opening outbound 443 port is safe?
on 16.03.2006 07:51:23 by Volker Birk
hellur wrote:
> We are about to implement a new application, and one of the
> requirements is opening outbound port 443 from the firewall. (no need
> to open inbound)
> And it uses SSL using that port.
> My concern here is security.
> Is it safe opening outbound 443 port?
If you know so little about the TCP/IP protocol family, I'm frightened of
the application this will result in.
Don't you think it could be a good idea to commission someone who has a
clue about such things? Or are you a hobby programmer and just want to learn?
Or write your application keeping in mind that you don't understand
anything about security, and just use it in a controlled environment like
an encrypted VPN.
To understand what a port is and how the TCP/IP network protocol family
works, you could read Richard Stevens "UNIX Network Programming", and just
start here: http://de.wikipedia.org/wiki/TCP/IP
Yours,
VB.
--
At first there was the word. And the word was Content-type: text/plain
Re: opening outbound 443 port is safe?
on 16.03.2006 17:49:38 by Wade
My advice is you're likely going to be fine opening outbound 443,
assuming you have configured CA correctly and you trust the third party
authenticating. I'm going to exclude the conversation about
defense-in-depth as I'm sure you have heard all this. My advice would
be to be mindful of the connection you are making. So, if you are
connecting to a system to download data, I would find a way to verify
that what is being downloaded is authentic. I'm starting to see
attacks more and more where the attack vector is to infect a system
that serves up data and wait for slap happy users like me to connect
and download into a trusted zone (like a db) and then have the malcode
start doing what it does. But I'm sure the vendor already has that
covered, just verify in the SLA docs.
Best,
W
Re: opening outbound 443 port is safe?
on 19.03.2006 15:13:39 by Don Kelloway
"hellur" wrote in message
news:1142471770.581239.297040@p10g2000cwp.googlegroups.com...
> Hello,
>
> We are about to implement a new application, and one of the
> requirements is opening outbound port 443 from the firewall. (no need
> to open inbound)
> And it uses SSL using that port.
>
> My concern here is security.
> Is it safe opening outbound 443 port?
>
> For example, is there any possibility that unauthorized outsiders break
> into my network through the open 443 port from this environment?
> How would you rate the security of this environment?
>
> What methods are available to break this security, and what could be my
> plans to stop them?
>
>
> Thanks.
>
For use of your application, allowing outbound connections to a *specific*
IP address and to TCP port 443 is perfectly secure. Of course this
additionally assumes you're using a quality firewall solution.
--
Best regards, from Don Kelloway of Commodon Communications
Visit http://www.commodon.com to learn about the "Threats to Your Security
on the Internet".
Re: opening outbound 443 port is safe?
on 20.03.2006 17:32:41 by Pete
Walter Roberson wrote:
>>If you create a 1-Way rule, allowing outbound 443, then nothing should
>>be able to reach inbound.
>
>
> It depends on which threats the OP is trying to contain.
>
> As is the case for every other port, anything could be tunneled
> over https. There was a posting a few weeks ago in which one of the
> regular posters mentioned using the hack that port 443 on his
> home network is connected to ssh, so that when the person is at a
> hotel etc. that blocks most things but allows 443, the person is
> able to ssh in to his network.
I did that when I worked for a commercial company. They had all these
rules about what could not be done, so I opened an ssh server on my own
box on port 443, on the assumption nobody could see what I was or was
not doing.
Re: opening outbound 443 port is safe?
on 20.03.2006 17:54:07 by unknown
Post removed (X-No-Archive: yes)
Re: opening outbound 443 port is safe?
on 20.03.2006 18:40:41 by Don Kelloway
"Leythos" wrote in message
news:P6BTf.29059$g91.13826@tornado.ohiordc.rr.com...
> In article <441ed92a@212.67.96.135>, unknown@nowhere.com says...
>> Walter Roberson wrote:
>>
>> >>If you create a 1-Way rule, allowing outbound 443, then nothing should
>> >>be able to reach inbound.
>> >
>> >
>> > It depends on which threats the OP is trying to contain.
>> >
>> > As is the case for every other port, anything could be tunneled
>> > over https. There was a posting a few weeks ago in which one of the
>> > regular posters mentioned using the hack that port 443 on his
>> > home network is connected to ssh, so that when the person is at a
>> > hotel etc. that blocks most things but allows 443, the person is
>> > able to ssh in to his network.
>>
>> I did that when I worked for a commercial company. They had all these
>> rules about what could not be done, so I opened an ssh server on my own
>> box on port 443, on the assumption nobody could see what I was or was
>> not doing.
>
> they can see your SSL connection to your computer - it's easy to watch
> all the people try and tunnel out to their home computers. When you make
> the connections it sticks out like a sore-thumb in the real-time
> monitoring software.
>
With the content filtering software I use, it'll decode the SSL traffic,
view the contents, and take whatever action deemed necessary.
--
Best regards, from Don Kelloway of Commodon Communications
Visit http://www.commodon.com to learn about the "Threats to Your Security
on the Internet".
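Two points from this thread (Roberson's "anything could be tunneled over https", Leythos's remark that such tunnels stick out in monitoring, and Kelloway's advice to allow 443 only to a specific address) can be turned into a simple egress check. The following is an added example, not code from any poster; the flow records and client payloads are constructed, and the allow-list address is a placeholder.

```python
"""Flag outbound TCP/443 flows that are either not TLS or not to an approved peer.

A stateful firewall only lets return traffic back in, but a tunnel (e.g. SSH
answered on port 443) still rides outbound 443. Two cheap checks catch the
obvious cases: (1) the first client bytes must look like a TLS ClientHello,
(2) the destination must be the vendor address the rule was opened for.
Caveat: a tunnel wrapped inside real TLS passes check (1); only the
destination allow-list or SSL inspection (as Kelloway describes) catches it.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_bytes: bytes      # first payload bytes sent by the internal client

def classify_payload(first_bytes: bytes) -> str:
    """Guess the protocol from the client's first bytes on the connection."""
    # TLS record header: content type 0x16 (handshake), version 0x03xx,
    # 2-byte length, then handshake type 0x01 (ClientHello) at offset 5.
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[5] == 0x01):
        return "tls-clienthello"
    if first_bytes.startswith(b"SSH-"):          # SSH identification string
        return "ssh-banner"
    if first_bytes.split(b" ", 1)[0] in (b"GET", b"POST", b"CONNECT"):
        return "plaintext-http"
    return "unknown"

def audit_443(flows: List[Flow], allowed_dsts: Set[str]) -> List[Tuple[Flow, str]]:
    """Return (flow, reason) for every port-443 flow that violates a check."""
    findings = []
    for f in flows:
        if f.dport != 443:
            continue
        kind = classify_payload(f.first_bytes)
        if kind != "tls-clienthello":
            findings.append((f, f"non-TLS traffic on 443: {kind}"))
        if f.dst not in allowed_dsts:
            findings.append((f, f"destination {f.dst} not in allow-list"))
    return findings

# Constructed sample: one legitimate vendor flow, one SSH-on-443 tunnel,
# one plaintext HTTP request sent to port 443.
ALLOWED = {"203.0.113.10"}   # placeholder for the vendor's address
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, b"\x16\x03\x01\x00\xc5\x01\x00\x00\xc1\x03\x03"),
    Flow("10.0.0.7", "198.51.100.9", 443, b"SSH-2.0-OpenSSH_7.9\r\n"),
    Flow("10.0.0.8", "203.0.113.10", 443, b"GET / HTTP/1.1\r\nHost: x\r\n"),
]

if __name__ == "__main__":
    for flow, reason in audit_443(SAMPLE_FLOWS, ALLOWED):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {reason}")
```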