Educause Security Discussion mailing list archives
Re: Ports/applications permitted for Guest Access
From: Shannon Roddy <sroddy () LIGO-LA CALTECH EDU>
Date: Sun, 11 Sep 2011 14:27:01 -0500
On Sep 11, 2011, at 12:11 PM, Dave Koontz wrote:
As you've discovered, port based firewalls are no longer adequate in today's world. Any application can disguise itself as web traffic (http or https), and many "bad" things do.
Many good, legitimate things do too. I have been known to run a kdc or two on port 443 because of port based blocking so that users can kinit even when they can't get a VPN connection. Nothing aggravates me more than an outbound port based firewall that won't even let one establish a VPN connection. In many ways, poorly managed or overly paranoid port based firewalls are why we have a port 80/443 world.
You need a firewall that can understand applications regardless of ports used. Take a look at Palo Alto networks solutions or any other next generation firewalls. I really believe Palo Alto has a huge lead currently in this market. I am sure that Cisco, Foundry, Juniper and others will catch up in a couple of years, but for now Palo Alto has a clear lead. Take a look at the last Gartner's Firewall report to see what I mean. -- Dave Koontz Mary Baldwin College Staunton, Virginia On 9/11/2011 10:39 AM, Robert Lau wrote:Is anybody doing protocol/application inspection? Once ports 80/443/22/etc are allowed, an app can pump any data through; it does not have to be http/https/ssh/etc. In olden days, this would probably only be done by a clueful user, but many applications do this automatically now specifically to handle port restrictions. -robert
Current thread:
- Ports/applications permitted for Guest Access Roger A Safian (Sep 09)
- Re: Ports/applications permitted for Guest Access Kevin Wilcox (Sep 09)
- Re: Ports/applications permitted for Guest Access Derek Diget (Sep 09)
- Re: Ports/applications permitted for Guest Access Rowe, Ken (Sep 09)
- Re: Ports/applications permitted for Guest Access Robert Lau (Sep 11)
- Re: Ports/applications permitted for Guest Access Dave Koontz (Sep 11)
- Re: Ports/applications permitted for Guest Access Shannon Roddy (Sep 11)
- Re: Ports/applications permitted for Guest Access Valdis Kletnieks (Sep 11)
- Re: Ports/applications permitted for Guest Access David Gillett (Sep 12)
- Re: Ports/applications permitted for Guest Access Robert Lau (Sep 11)
- Re: Ports/applications permitted for Guest Access Robert Lau (Sep 11)
- Re: Ports/applications permitted for Guest Access Kevin Wilcox (Sep 16)
- Re: Ports/applications permitted for Guest Access Kevin Wilcox (Sep 09)
- Re: Ports/applications permitted for Guest Access (deep packet inspection) Barron Hulver (Sep 11)
- Re: Ports/applications permitted for Guest Access Matthew Gracie (Sep 19)
- Re: Ports/applications permitted for Guest Access Ed Zawacki (Sep 20)
- Re: Ports/applications permitted for Guest Access Roger A Safian (Sep 20)