Danger of opening ports

on 13.04.2007 15:55:42 by gdf1903

Hi all,

I was wondering if someone could give me a bit of advice. We have a
NAT firewall on our Internet connection. There are a couple of servers
behind this that provide services to users from the Internet. These
are connected to with HTTPS connections on ports 81 and 443.

These ports are obviously open on the firewall.

Is there any danger in opening up further ports? If I open up port 80,
will I be at any more risk than having the other ports open? As long
as the servers are patched and have AV will I be ok?

Is there any greater risk involved in having port 80 open than any
other port?

Thanks,

Gary.

Re: Danger of opening ports

on 13.04.2007 20:39:11 by unknown

Post removed (X-No-Archive: yes)

Re: Danger of opening ports

on 14.04.2007 02:06:24 by ibuprofin

On 13 Apr 2007, in the Usenet newsgroup comp.security.firewalls, in article
<1176472542.298503.18410@o5g2000hsb.googlegroups.com>, Gary wrote:

>There are a couple of servers behind this that provide services to
>users from the Internet. These are connected to with HTTPS
>connections on ports 81 and 443.
>
>These ports are obviously open on the firewall.

Yes, but they don't lead TO the firewall, but to some other boxes
behind the firewall.

>Is there any danger in opening up further ports?

"That depends". You are offering greater _opportunities_ for dangers,
but the order of magnitude depends on the skill of the person who
programs those servers - what is allowed, what is not - as well as
the quality of the server software and any dependencies it may have.
For example, if the extra port leads to a server that returns files
from read-only media, you are at substantially less risk than if the
request generates interactive data responses based on files that
are located on another server that really shouldn't even have
Internet access, or from a workstation run by a user who always
clicks the OK button without reading anything.

>If I open up port 80, will I be at any more risk than having the
>other ports open?

Above. If you are concerned about a "drive by attack", then it is much
more likely that port 80 will be attacked than port 81 or 79 - merely
because fewer people will be looking at random port numbers compared to
those looking at ports where they can _expect_ to find a server.

>As long as the servers are patched and have AV will I be ok?

No. Most risk occurs because of totally incompetent programmers
setting up servers and not having the first clue as to how to do so
in a secure manner. Why do you need AV? Are you allowing outsiders
to install or upload stuff on your server? Probably not the most
secure method. Worried that the server may catch something from the
crap on the programmer's system? Fire that idiot, and get someone less
incompetent. There is no such thing as a "Mal-Ware Fairy" that sneaks
up while you aren't watching, waves a magic wand, and installs bad
stuff - that's done by the people you trust doing something stupid.

>Is there any greater risk involved in having port 80 open than any
>other port?

Only because your average Internet luser expects every computer they
can connect to to be running a web server. There are other ports
that are exploited on servers not correctly configured.

Old guy